Privacy Policy

1. Context

 

Groupe API is a corporation and therefore a legal entity registered in the Quebec business registry, which is sometimes required to handle personal information as part of its commercial activities.

 

This policy aims to ensure the protection of personal information and to govern how Groupe API collects, uses, discloses, retains, and destroys personal information, or otherwise manages it. Additionally, it aims to inform all interested parties about how Groupe API processes their personal information. This also applies to the processing of personal information collected by Groupe API through technological means.

 

2. Application and Definitions

 

This policy applies to Groupe API, including its directors, employees, consultants, volunteers, and anyone else providing services on behalf of Groupe API. It also applies to Groupe API’s website and all websites controlled and maintained by Groupe API.

 

It covers all types of personal information managed by Groupe API, whether it be information about its current or potential clients, consultants, employees, members, or any other individuals (such as visitors to its websites).

 

For the purposes of this policy, personal information is any information about an individual that allows for their direct or indirect identification. For example, this could include a person’s name, address, email address, phone number, gender, or banking information, health information, ethnic origin, language, etc.

 

Sensitive personal information is information for which there is a high degree of reasonable expectation of privacy, such as health information, banking information, biometric information, sexual orientation, ethnic origin, political opinions, religious or philosophical beliefs, etc.

 

Generally, a person’s business or professional contact information does not constitute personal information, such as a person’s name, title, business address, email address, or phone number at work. More specifically, for the purposes of the Act respecting the protection of personal information in the private sector of Quebec, and as of September 22, 2023, sections 3 (collection, use, disclosure), 4 (retention and destruction), and 6 (data security) do not apply to information about a person relating to the performance of a function in a company, such as their name, title, position, as well as the address, email address, and phone number of their workplace.

 

The same paragraphs also do not apply to personal information that is publicly available under the law, and this is effective from the time this policy comes into force.

 

3. Collection, Use, and Disclosure

 

In its activities, Groupe API may collect various types of information for different purposes. The types of information that Groupe API might collect, their usage (or intended purpose), and the means by which the information is collected are indicated in Annex A of this policy. Groupe API will also inform the concerned individuals, at the time of collecting personal information, about any additional information collected, the purposes for which they are collected, and the means of collection, in addition to other information to be provided as required by law. Groupe API applies the following general principles regarding the collection, use, and disclosure of personal information:

 

Consent:

 

Generally, Groupe API collects personal information directly from the concerned individual and with their consent, except as provided by law. Consent may be implied in certain situations, for example, when the person decides to provide their personal information after being informed by this policy about the use and disclosure for the purposes indicated herein (see Annex A for more details). Thus, this policy and the information it contains can be consulted by the concerned person at the time of collecting personal information.

 

Normally, Groupe API must also obtain the consent of the concerned person before collecting their personal information from third parties, before disclosing it to third parties, or for any secondary use of it. However, Groupe API may act without consent in certain cases provided by law and under the conditions set by it. The main situations where Groupe API can act without consent are indicated in the relevant sections of this policy.

 

Collection:

 

In all cases, Groupe API only collects information if it has a valid reason to do so. Moreover, the collection will be limited only to the necessary information needed to fulfill the intended purpose.

 

Please note that Groupe API’s sales are not intended for minors, and more generally, Groupe API does not intentionally obtain personal information about minors (in these cases, the information cannot be collected from them without the consent of a parent or guardian).

 

Collection from third parties :

 

Groupe API may collect personal information from third parties. Unless an exception is provided by law, Groupe API will ask for the consent of the concerned person before collecting personal information about them from a third party. In cases where such information is not collected directly from the person but from another organization, the concerned person may ask Groupe API for the source of the collected information. In certain situations, Groupe API may also collect personal information from third parties, without the consent of the concerned person, if it has a serious and legitimate interest in doing so and a) if the collection is in the interest of the person and it is not possible to do it in a timely manner from them, or b) if this collection is necessary to ensure that the information is accurate. Also, Groupe API may collect personal information, indirectly, by using, among others:

• Eventbrite. Eventbrite has its own terms and privacy policy, which can be consulted for more information.
• Smartsheet, Smartsheet has its own  terms and privacy policy, which can be consulted for more information.
• Microsoft, Microsoft has its own terms and privacy policy, which can be consulted for more information.

This collection through third parties may be necessary to use certain services or programs, or to otherwise do business with Groupe API. When required, Groupe API will collect the consent of the person at the appropriate time.

 

Detention and Use:

 

Groupe API ensures that the information it holds is up-to-date and accurate at the time of its use to make a decision related to the concerned person.

 

Groupe API can only use a person’s personal information for the reasons indicated herein or for any other reasons provided at the time of collection. As soon as Groupe API wants to use this information for another reason or purpose, new consent must be obtained from the concerned person, which must be obtained explicitly if it concerns sensitive personal information. However, in certain cases provided by law, Groupe API may use the information for secondary purposes without the consent of the person, e.g.:

 

• when such use is clearly to the benefit of this person;
• when it is necessary to prevent or detect fraud;
• when it is necessary to assess or improve protective and security measures.

 

Limited Access. Groupe API implements electronic measures to limit access to personal information only to employees and people within its organization who are qualified to know and for whom this information is necessary in the performance of their duties. Groupe API will ask for the consent of the person before granting access to any other person.

 

Communication:

 

Generally, and unless an exception is indicated in this policy or otherwise provided by law, Groupe API will obtain the consent of the concerned person before communicating their personal information to a third party. Moreover, when consent is required and when it concerns sensitive personal information, Groupe API must obtain the explicit consent of the person before communicating the information.

 

However, the communication of personal information to third parties is sometimes necessary. Thus, personal information may be communicated to third parties without the consent of the concerned person in certain cases, including, but not limited to, the following:

 

• Groupe API may communicate personal information, without the consent of the concerned person, to a public organization (such as the government) which, through one of its representatives, collects it in the exercise of its powers or the implementation of a program under its management.
• Personal information may be transmitted to its service providers to whom it is necessary to communicate the information, without the consent of the person. For example, these service providers may be manufacturers, subcontractors of Groupe API designated for the execution of mandates, event organizers, or non-profit foundations in the case of non-confidential donations.
• The suppliers of Groupe API must notify the responsible person for the protection of personal information of Groupe API (indicated in this policy) of any breach or attempted breach of the confidentiality obligations concerning the communicated personal information and must allow this responsible person to carry out any verification related to this confidentiality.
• If necessary for the conclusion of a commercial transaction, Groupe API could also communicate personal information, without the consent of the concerned person, to the other party of the transaction and subject to the conditions provided by law.

 

Communication Outside Quebec: It is possible that the personal information held by Groupe API may be communicated outside of Quebec, for example, when Groupe API deals with subcontractors located outside of the province or when direct delivery is required by the client and the original manufacturer is located in another province or country.

 

Additional Information on Used Technologies:

 

Use of Connection Cookies:

 

Connection cookies are data files transmitted to a visitor’s computer by their web browser when visiting a site and can have several uses.

Websites controlled by Groupe API use connection cookies, among others:

• To remember visitors’ settings and preferences, for example for language choice and to enable tracking of the current session.
• For statistical purposes to understand visitor behavior, content viewed, and to allow website improvement.

Websites controlled by Groupe API use the following types of cookies:

• Session cookies: These are temporary cookies kept in memory only for the duration of the website visit.
• Persistent cookies: They are kept on the computer until they expire and will be retrieved on the next website visit.

Certain connection cookies may be disabled by default, and visitors can choose to activate these functions or not when consulting Groupe API’s websites.

 

It is also possible to activate and deactivate the use of connection cookies by changing the preferences in the settings of the browser used.

 

Use of Google Analytics

 

Some Groupe API sites (notably, www.goupeapi.com) use Google Analytics to enable its continuous improvement. Google Analytics allows analyzing how a visitor interacts with a Groupe API website. Google Analytics uses connection cookies to generate statistical reports on visitor behavior on these websites.

 

Information from Google Analytics will never be shared by Groupe API with third parties.

 

It is possible to install a browser add-on to disable Google Analytics.

 

Other Technological Means Used

 

Groupe API also collects personal information through technological means like integrated web forms on a website controlled by Groupe API (for example, its contact form and its newsletter subscription form), online questionnaires on its platforms and applications, and other platforms or form tools (e.g., Microsoft Forms and Smartsheet).

 

If Groupe API collects personal information by offering a technological product or service that has privacy settings, Groupe API must ensure that these settings offer the highest level of privacy by default (connection cookies are not covered).

 

4. Retention and Destruction of Personal Information

 

Unless a minimum retention period is required by applicable law or regulation, Groupe API will retain personal information only for the duration necessary to achieve the purposes for which they were collected.

 

Personal information used by Groupe API to make a decision about a person must be kept for at least one year following the decision in question or even seven years after the end of the fiscal year in which the decision was made if it has tax implications, for example, the circumstances of an employment termination.

 

At the end of the retention period or when the personal information is no longer necessary, Groupe API will ensure:

1. to destroy them; or
2. to anonymize them (i.e., they no longer allow, in an irreversible way, to identify the person and it is no longer possible to establish a link between the person and the personal information) for use for serious and legitimate purposes.

The destruction of information by Groupe API must be done securely, to ensure the protection of this information.

 

This section may be supplemented by any policy or procedure adopted by Groupe API concerning the retention and destruction of personal information, as applicable. Please contact the person responsible for the protection of personal information of Groupe API (indicated in this policy) for more information.

 

5. Responsibilities of Groupe API

 

In general, Groupe API is responsible for protecting the personal information it holds.

 

The person responsible for the protection of personal information at Groupe API is the Director of Operations of the organization. This person is generally responsible for ensuring compliance with applicable legislation concerning the protection of personal information. The responsible person must approve policies and practices governing the governance of personal information. More specifically, this person is in charge of implementing this policy and ensuring that it is known, understood, and applied. In the absence or inability to act of this responsible person, the President of Groupe API will assume the functions of the responsible person for the protection of personal information.

 

The members of Groupe API’s staff who have access to personal information or are otherwise involved in managing it must ensure their protection and comply with this policy.

 

The roles and responsibilities of Groupe API’s employees throughout the lifecycle of personal information may be specified by any other policy of Groupe API in this regard, as applicable.

 

6. Data Security

 

Groupe API commits to implementing reasonable security measures to ensure the protection of the personal information it manages. The security measures in place correspond, among other things, to the purpose, quantity, distribution, medium, and sensitivity of the information. Thus, this means that information that can be classified as sensitive (see the definition provided in section 2) must be subject to more significant security measures and be better protected. In particular, and in accordance with what was previously mentioned regarding limited access to personal information, Groupe API must put in place necessary measures to impose constraints on the rights of use of its information systems so that only employees who need to have access are authorized to do so.

 

7. Rights of access, Rectification, and Withdrawal of Consent

 

To exercise their rights of access, rectification, or withdrawal of consent, the concerned individual must submit a written request to this effect to the person responsible for personal information protection at Groupe API, at the email address indicated in the following section.

 

Subject to certain legal restrictions, concerned individuals can request access to their personal information held by Groupe API and ask for its correction if it is inaccurate, incomplete, or ambiguous. They can also demand the cessation of the dissemination of personal information about them or the deindexing of any hyperlink attached to their name allowing access to this information through technological means, when the dissemination of this information contravenes the law or a judicial order. They can do the same, or demand the reindexing of the hyperlink allowing access to this information, when certain conditions provided by law are met.

 

The person responsible for personal information protection at Groupe API must respond in writing to these requests within 30 days from the date of receipt of the request. Any refusal must be motivated and accompanied by the legal provision justifying the refusal. In such cases, the response must indicate the legal remedies and the deadline for exercising them. The officer must assist the applicant in understanding the refusal if necessary.

 

Subject to applicable legal and contractual restrictions, concerned individuals may withdraw their consent to the communication or use of the collected information.

 

They may also ask Groupe API what personal information has been collected about them, the categories of people at Groupe API who have access to it, and its duration of retention.

 

8. Complaint Processing Procedure

 

Reception

 

Any person wishing to make a complaint regarding the implementation of this policy or, more generally, the protection of their personal information by Groupe API, must do so in writing by addressing the person responsible for personal information protection at Groupe API, to the email address indicated in the following section. The individual must provide their name, contact details for reaching them, including a phone number, as well as the subject and reasons for their complaint, providing enough detail so that it can be assessed by Groupe API. If the complaint made is not sufficiently precise, the person responsible for personal information protection may request any additional information they deem necessary to evaluate the complaint.

 

Processing

 

Groupe API commits to handling all received complaints confidentially.

 

Within 30 days following the receipt of the complaint or following the receipt of all additional information deemed necessary and required by the person responsible for personal information protection at Groupe API to process it, they must evaluate it and provide a motivated written response by email to the complainant. This evaluation aims to determine whether the handling of personal information by Groupe API complies with this policy, any other policy and practice in place within the organization, and applicable legislation or regulation.

 

If the complaint cannot be processed within this period, the complainant must be informed of the reasons justifying the extension of the deadline, the progress of the processing of their complaint, and the reasonable time needed to provide a definitive response.

 

Groupe API must create a separate file for each of the complaints addressed to it. Each file contains the complaint, the analysis and documentation supporting its evaluation, as well as the response sent to the person originating the complaint.

 

It is also possible to file a complaint with the Commission d’accès à l’information du Québec or any other personal information protection oversight body responsible for enforcing the law concerned by the subject of the complaint.

 

However, Groupe API invites all interested parties to first address its personal information protection officer and to wait for the completion of the processing by Groupe API.

 

9. Approval & Contact information

 

This policy is approved by the person responsible for personal information protection at Groupe API, whose business contact details are as follows:

 

Personal Information Protection Officer: 

 

Marc-André Beaulieu

 

Président, Directeur Général

 

6103-1751 Richardson, Montréal, Qc, H3K 1G5

 

514-564-9881

 

For any request, question, or comment regarding this policy, please communicate with the officer through the contact form on the Groupe API website: (https://www.groupeapi.com/en/contact-us/)

 

10. Publication and modifications

 

This policy is published on the Groupe API website, as well as on all websites controlled and maintained by Groupe API, to which this policy applies, particularly regarding personal information collected there. This policy is also disseminated by any means suitable to reach the concerned persons.

Groupe API must also do the same for any modifications to this policy, which must also be subject to a notice to inform the concerned persons.

*Notes: Please note that the use of the masculine gender is intended to lighten this policy and facilitate its reading.

Versions and modifications table

 

Version	In effect since	Changements depuis la dernière version
1.0	28 août 2023	N/A
2.0

 

Annex A

 

Here is a non-exhaustive list of the types of information that Groupe API might collect, their use, or the intended purpose, as well as the means by which the information is collected. This includes, but is not limited to, the following elements.

Please note that most of the personal information managed by Groupe API is personal information of employees and job applicants . As for the other categories of individuals indicated in the table below, the information provided is, in most cases, of a professional or business nature (see section #2 on professional contact details). It should be noted that in most cases, Groupe API also collects the professional title/position of individuals, the name of the organization, and/or the organization’s address.

 

Relationship with Groupe API.	Type of Personal Information	End of Collection / Uses	How to Collect Information (Means)
Customers	name phone number email banking information (when required) Credit card information language Postal code	establish and manage customer relationships (and obtain a means of communication) enable products and services sales transactions collect information with regards to future or on-going projects (such as layout info) register clients to events organized by Groupe API know the preferred language of communication ensure payment of costs related products and services Voluntary registration to the Groupe API newsletter Communicate offers and validate customer satisfaction with regards to products and services sold	by means of web forms integrated into a website controlled by Groupe API questionnaires accessible online on its platforms and applications, and other technological platforms or forms tools by e-mail (directly or through a document or other type of form attached) By phone with third parties (e.g., , Eventbrite, Smartsheet, Plutoo for payments)
Job applicants and employees	name phone number email banking information social insurance number date of birth address resumes family situation and partner insurance coverage Insurance beneficiaries Salary information Information relative to performance evaluations	managing communications with the candidate or employee ensure the operation of the payroll system ensure the setup and validity of the collective insurances Ensure the communication or legally required information to fiscal authorities (provincial and federal government) Manage career evolution and performance of employees	by email by phone via the insurance website via the payroll system by means of web forms integrated into a website controlled by Groupe API questionnaires accessible online on its platforms and applications, and other technological platforms or forms tools (e.g. Microsoft Forms and smartsheet)
Products and Service providers	name phone number email banking information language	management of mandates payment of invoices, know the languages in which they can provide services	by means of web forms integrated into a website controlled by Groupe API questionnaires accessible online on its platforms and applications, and other technological platforms or forms tools (e.g. Microsoft Forms and smartsheet) by email
Groupe API network (ecosystem actors such as designers, architects and general contractors)	name phone number email bank details (where necessary) language	future communications registration to activities and trainings organized by Groupe API the constitution of data banks for future communications and business development know the preferred language of communication	by means of web forms integrated into a website controlled by Groupe API questionnaires accessible online on its platforms and applications, and other technological platforms or forms tools (e.g. Microsoft Forms and smartsheet) with third parties (e.g., Eventbrite)