Data privacy and security policy

1. Purpose of the Policy

1.1 Legislative framework

In accordance with the Act respecting the protection of personal information in the private sector (RLRQ c. P-39.1) of Québec, as amended by the Act to modernize legislative provisions as regards the protection of personal information (“Law 25”) and, where required, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), notably for data processing carried out in a federal or interprovincial commercial context. Accordingly, Spiria (hereinafter collectively referred to as “we”, “us” or “our”) implements measures to protect your personal information.

1.2 Objectives of the Policy

This privacy policy (hereinafter the “Policy”) governs Spiria’s privacy practices regarding the respect of personal information that you voluntarily share with us when visiting Spiria’s website at https://www.spiria.com/ (hereinafter the “Site”), when communicating with us via social media, or when you contact us by any other means of your choice (e.g.: telephone, email, etc.). This Policy is primarily intended to inform you about:

• The personal information we collect from you and for what purposes;
• How we use your personal information;
• To whom we may disclose your personal information;
• What choices are available to you regarding the collection, use, and disclosure of your personal information;
• What types of security procedures are in place to protect your personal information;
• Your rights regarding the respect of your personal information (right of access, rectification, and withdrawal of consent);
• The retention and destruction of your personal information; and
• How to contact us if you have questions, comments, or a formal complaint.

2. What personal information do we collect and by what means?

2.1 Personal information collected from Clients and Visitors

When you communicate with Spiria, whether through our Site, by email, by telephone, or via electronic forms, you may provide us with certain personal information. This data may be collected:

• Voluntarily, when you fill out a form, download resources, participate in a webinar, or communicate directly with us;
• Automatically, when you browse our Site, notably through cookies or similar technologies.
  ‍

The table below presents the main types of personal information we collect, along with the means by which this information is collected.
‍

2.2 Personal information collected from Candidates

When you apply for a job at Spiria, whether in response to a specific posting or as part of a spontaneous application, you provide us with certain personal information. This information is collected:

• Through electronic forms available on our Site;
• By sending an email directly to Spiria;
• Or through any other communication related to your application.
  ‍

For transparency, please note that Spiria also uses third-party platforms specialized in recruitment management, as specified in the table: List of third parties to whom personal information may be disclosed, to process, store, and manage applications. These service providers act as processors for Spiria and are bound by contractual commitments to protect your personal information. The table below sets out the types of personal information collected.
‍

2.3 Personal information collected through third-party cookies

When you browse our Site, cookies may be placed on your device. These cookies make it possible to collect certain technical, analytical, or behavioral information in order to:

• Ensure the proper functioning and security of the Site;
• Assess and improve the performance of the Site;
• Personalize your browsing experience or our marketing communications;
• Analyze browsing behaviors for statistical or advertising purposes.
  ‍

Some cookies are considered essential to the functionality of the Site, while others, considered non-essential (e.g.: analytical or advertising cookies) and which are only used with your consent. Some of these cookies are operated by third-party providers, who may process the data collected for their own purposes, in accordance with their respective policies. We invite you to consult our table: List of cookies offered or used by third parties for more details on the types of cookies used, their purposes, and the providers involved.

Disclosure outside Québec. Some of the cookies used and personal information collected on our Site may result in the transmission of this information to jurisdictions outside Québec, notably to the United States and the rest of Canada, when such cookies are operated by technology providers whose servers are located abroad.

Visitors from the United States. Your personal information may be processed in both Canada and the United States, under a protection regime that may differ from that in force in your State.

Visitors from the European Economic Area (EEA) and the United Kingdom. Your personal information may be transferred and processed in Canada and the United States, in accordance with Canadian laws and contractual commitments entered into with our service providers.

Table of cookies offered or used by third parties. For more details on the purposes and uses of personal information by these third parties, please consult our table: List of cookies offered or used by third parties below.

2.3.1 List of cookies offered or used by third parties
‍

2.4 Use of Artificial Intelligence (AI)

Spiria may use certain features integrating artificial intelligence (AI) technologies as part of its operations, digital services, or platforms. These technologies may be used to:

• Improve system security (e.g.: automated detection of abnormal activities or cyber threats),
• Optimize the user experience (e.g.: suggestions, adaptive interface),
• Increase operational efficiency (e.g.: search, writing, translation, automated content generation or trend analysis),
• Support our recruitment processes (e.g.: pre-screening of applications, CV analysis, drafting), under the supervision and validation of a human recruiter,
• Or support our secure software development processes.
  ‍

When AI is used, Spiria undertakes to:

• Not use automated decision-making systems that have legal or significant effects without your explicit consent or outside the applicable legal framework;
• Disclose only what is strictly necessary;
• Limit the use of AI to legitimate business purposes.

2.5 For what purposes do we collect your personal information?

We may collect your personal information for the following purposes:

Purposes related to candidate management:

• To evaluate any application submitted in response to one of our job postings or as part of a spontaneous application;
• To communicate with you if, for example, we wish to offer you a job or obtain more information regarding your application;
• To conduct background checks or verify professional references, subject to prior consent;
• To carry out statistical and marketing analyses to identify the channels or platforms through which applications are received (e.g.: LinkedIn, Indeed, Website, etc.), in order to optimize recruitment.
  

Purposes related to client relationship and service management:

• To promote the services offered by Spiria, namely the design and development of digital products addressing complex business challenges;
• To send information, updates, newsletters, and relevant content to professional contacts;
• To personalize our marketing communications according to the needs, preferences, and interests of professional contacts;
• To open a client file containing information related to the requested Services, for billing purposes, and information enabling us to better serve you. For example, your client account may contain the following information:
  
  • Name of the contact person;
  • Professional title and role;
  • Professional email address;
  • Billing address;
  • Service requirements;
  • Delivery schedule for the software or services.
• To manage Client orders and deliver the Services;
• To process billing, using the banking information you provide, for Services delivered by Spiria;
• To validate your identity when you visit Spiria’s offices or when you contact us;
• To prevent fraud.
  ‍

Purposes related to the promotion of Spiria’s services:

• To identify and contact potential or existing businesses in order to present the Services offered by Spiria;
• To promote Spiria’s Services and expertise through targeted marketing or promotional initiatives;
• To maintain engagement with prospects and nurture potential business relationships (lead nurturing), notably through content or communications tailored to their interests;
• To conclude contracts with potential or existing client businesses;
• To conduct satisfaction or feedback follow-ups in order to improve the overall client experience and the quality of the Services;
• To analyze Spiria’s performance, assess the results of marketing campaigns, and make strategic decisions accordingly;
• To promote the Website.
  ‍

Legal and regulatory purposes:

• To comply with applicable legal and regulatory requirements;
• To protect your rights (for example, ensuring that unauthorized third parties do not access your personal information);
• To protect the rights, interests, or property of Spiria, its clients, employees, or partners, particularly in the context of legal actions, investigations, or administrative proceedings;
• To ensure compliance with our contractual or professional obligations, including record-keeping, audits, or inspections.
  ‍

Purposes related to the security and performance of the Website:

• To protect Spiria’s and the Website’s property or security (for example, we may use your personal information in the context of a dispute with Spiria or to identify and block access to our Site by bots);
• To obtain or create statistics to evaluate the Site’s performance;
• To ensure the functionality of the Site;
• To facilitate the use of our Site and to improve and measure its performance;
• To identify the most visited pages of the Site in order to measure their performance, assess interest in them, and evaluate the interest of our potential clientele in our Services;
• To evaluate the effectiveness of the Site in acquiring and retaining Visitors;
• To send informational communications about Spiria’s Services and activities;
• To disclose your information for the purposes and entities identified in the table: List of cookies offered or used by third parties.

2.5.1 New purposes (if applicable)

If we plan to use your personal information for substantial or new purposes that are incompatible with those described in this Policy, we will inform you in advance. If required by law, we will then seek your explicit consent before proceeding.

2.6 Collection and use of personal information for profiling and identification purposes

Authorization for the collection of personal information for profiling purposes. Due to the use of the cookies mentioned above, we use Visitors’ personal information for profiling and identification purposes. The collection and use of personal information for profiling and identification are disabled by default. You may enable these functions by authorizing the collection of personal information for profiling and identification through the pop-up window presented when you access our Site. You may also authorize this function in our privacy settings.

2.7 To whom do we disclose personal information?

2.7.1 List of third parties to whom personal information may be disclosed
‍

Communication outside Québec. As a result, the personal information we collect may be disclosed, stored, or processed outside your province, state, or country of residence, including:

• In Canada (including outside Québec);
• In the United States;
• In the European Economic Area (EEA) or the United Kingdom, where Spiria or its service providers have facilities, servers, or partners in these territories.
  ‍

Before carrying out such a transfer, Spiria ensures that there is a local personal data protection law in place to safeguard your information. Where required, Spiria implements appropriate contractual agreements or uses other recognized mechanisms (for example, standard contractual clauses, specific contractual obligations, confidentiality undertakings) to protect your personal information transferred outside your jurisdiction of residence.

Cookies. Information collected through the cookies mentioned in the above List of cookies offered or used by third parties is disclosed to the entities and for the purposes identified in this Policy.

Disclosures without consent permitted by law. In certain cases, applicable legislation authorizes or may require us to disclose your personal information without obtaining your prior consent. This may include, for example, situations related to legal, regulatory, or security requirements, or for the prevention of fraud or unlawful acts.

3. Consent

By accessing our Site, contacting us, or voluntarily providing us with personal information, you consent to its collection, use, and disclosure for the purposes described in this Policy (see sections 2 and 3), subject to your rights described below.

3.1 The type of consent required depends on the context

3.1.1 Implied Consent

When you voluntarily provide us with your information to receive a service or response (e.g.: submitting a contact form or CV), you implicitly consent to the use of this information strictly to respond to your request.

3.1.2 Explicit Consent

For certain uses — such as sending newsletters, profiling, background checks, or any other processing not essential to the delivery of the service — clear and prior consent will be requested from you, via a form, checkbox, or cookie management banner.

3.1.3 Withdrawal of consent

You may withdraw your consent to the collection of your personal information at any time, subject to legal or contractual restrictions. To do so, you may refuse or modify your consent to cookies directly through the preference management banner available on our Site. This withdrawal will only have prospective effect, meaning it will prevent the collection of new data from the moment of your choice.

3.1.4 Cases where consent is not required

In certain cases, when the Law allows us to collect, use, or disclose your information without your consent, notably:

• When required by law or court order;
• When a contract binds us to you, for the management of the contractual relationship or the performance of agreed obligations;
• In an emergency, when a person’s life, health, or safety is threatened;
• To prevent or detect fraud or illegal activity;
• To comply with tax, accounting, or audit obligations required by law;
• To disclose information to a lawyer or in the context of judicial or pre-litigation proceedings, when necessary to protect our rights or those of a third party;
• For scientific, historical, or statistical research purposes, subject to conditions provided by law;
• When the information has been made publicly available by the individual concerned, within the limits permitted by law.

4. How long do we retain personal information?

Personal information is destroyed once the purposes for which it was collected have been fulfilled, unless the law requires a retention period. In accordance with our secure personal information retention and destruction procedures, we retain personal information only for as long as necessary to achieve the purposes identified in this Policy, to support our operations and business needs, and to comply with our legal obligations. After this period, personal information will be securely and confidentially destroyed. For example, Candidate files submitted through our electronic application forms are retained only for a period of 24 months, during which we keep your job application in order to contact you if your profile interests us, or if a position opens that matches your qualifications.

5. How do we protect your personal information?

Protection measures. We adopt physical, technological, and administrative safeguards to protect your personal information and reduce the risks of unauthorized and/or unlawful access, use, disclosure, and destruction. In particular, we:

• Minimization: consciously limit the personal information we collect. We only collect the personal information necessary to achieve the purposes identified in Section 2, What personal information do we collect and by what means?
• Security screening: perform a security screening process before authorizing any of our employees or representatives to access or process your personal information;
• Device encryption: use encrypted hard drives on all our computers containing personal information;
• Internal confidentiality undertakings: require each of our authorized employees with access to your personal information to sign a confidentiality agreement;
• External confidentiality undertakings: require, when personal information is disclosed to persons or entities external to Spiria, that confidentiality commitments be put in place to protect such information;
• Training: ensure that each of our authorized employees with access to your personal information receives adequate privacy and personal data protection training, and provide annual training to maintain this level of awareness;
• Access limitation: restrict access to your personal information to authorized employees and representatives who require such access in order to fulfill one or more of the purposes listed in Sections 2.5 For what purposes do we collect your personal information?, and 2.7, To whom do we disclose personal information?
• Retention schedule: maintain a retention matrix defined in our internal policies to ensure that your personal information is destroyed once its purposes are fulfilled or upon the expiry of any applicable legal retention period;
• Destruction protocol: ensure the secure destruction of hard drives and computers owned by Spiria;
• Minimization of physical data: ensure that paper documents containing personal information are created only when there is a genuine business need, and we avoid creating them otherwise;
• Confidentiality incident register. We maintain a register of confidentiality incidents in compliance with applicable law. In the event of a confidentiality incident that presents a risk of serious harm to you, we will take the necessary measures to notify you, in compliance with applicable legislation.
  ‍

No absolute guarantee. While we implement rigorous security measures to protect your personal information, it is important to remember that no technological system is completely free of risk, whether in the context of Internet transmission or electronic storage. If you have reason to believe that a security incident may have compromised your personal information, we encourage you to notify us without delay by email to dpo@spiria.com.

6. Visitor choices

Modification of our privacy settings in the pop-up window. All Visitors may also choose, through our pop-up window, the privacy settings that best suit their needs.

Modification of cookie settings in your web browser. You can manage the processing of your personal information through cookies by adjusting your browser settings. For more information on how to modify your browser settings, you may refer to the documentation provided by your browser. For example, you may consult the instructions here (if you use Google Chrome), here (if you use Mozilla Firefox), or here (if you use Microsoft Edge). However, refusing to accept cookies may limit your access to certain features of our Site.

7. How to withdraw your consent to disclosure or use

Your right to withdraw consent to disclosure or use. You may, at any time, withdraw or modify your consent to the use or disclosure of your personal information, subject to applicable law and your contractual obligations. To do so, you may refuse or adjust your consent to cookies through the preference management banner displayed on our Site. This withdrawal applies only prospectively, meaning it will prevent the collection of new data but does not automatically result in the deletion of personal information already collected (please refer to the procedure in Section 9.1 Procedure for requesting access, rectification, and withdrawal of consent). However, if you withdraw your consent to certain uses or disclosures of your personal information, we may no longer be able to provide certain services, or the quality of our services may be affected.

8. How to access your personal information

Scope of the right of access. You have a right of access to your personal information. As such, you may ask us to:

• Inform you of the existence of any personal information concerning you in Spiria’s systems or in third-party systems, depending on the request received;
• Provide you with a copy of the personal information concerning you;
• Allow you, once we have validated your identity, to review the personal information we retain about you by providing you with a digital copy; and
• As of September 22, 2024 only, request that we communicate any information collected from you (excluding personal information created or inferred from your personal information) in a structured, commonly used technological format. You may also request that we transmit your personal information to any person or entity legally authorized to collect it.
  ‍

Applicable reasonable fees. Reasonable fees may be charged for the transcription, reproduction, or transmission of your personal information. We will inform you of these fees before proceeding with any transcription, reproduction, or transmission.

Applicable procedure. Any access request must be addressed to our Privacy Officer according to the procedure identified in Section 9.1, Procedure for requesting access, rectification, and withdrawal of consent. Please note that the law may prevent us from accepting an access request for various reasons. Since some personal information may be hosted or processed in the systems of third-party technology providers (for example, recruitment or application management platforms), Spiria may depend on the technical availability or terms of use of these third-party platforms to process certain access, disclosure, or transmission requests. We commit to working reasonably with such providers to respond to your request, within the limits permitted by law.

9. How to rectify your personal information

Scope of the right of rectification. You may submit a rectification request to ask us to correct your personal information in the following circumstances:

• Your personal information is inaccurate;
• Your personal information is incomplete;
• Your personal information is ambiguous;
• The collection, disclosure, or retention of your personal information was not authorized by law.
  ‍

Destruction of personal information. You may also request, as part of a rectification request, that we destroy any personal information collected or retained if its collection, disclosure, or retention was not authorized by law.

Delivery of a copy or certificate. If we grant your rectification request, you may ask us to provide you with a copy of any personal information that has been modified or added, or, as the case may be, a certificate confirming the deletion of personal information.

Applicable procedure. Any rectification request must be addressed to our Privacy Officer in accordance with the procedure identified in Section 9.1, Procedure for requesting access, rectification, and withdrawal of consent. Please note that the law may prevent us from accepting a rectification request for various reasons.

9.1 Procedure for requesting access, rectification, and withdrawal of consent

Procedure. To be considered, all requests under Sections 7 to 10 must be addressed in writing to Vincent Huard, Vice-President of Operations and Privacy Officer of Spiria by sending an email to dpo@spiria.com.

Obligation to prove your identity. You must prove your identity by presenting two valid pieces of photo identification before we can accept your request.

Response timelines. We are legally required to respond (whether granting or denying) to any access or rectification request within 30 days of its receipt and the confirmation of your identity. We may refuse any request in accordance with applicable personal information protection laws.

10. Complaint Procedure

Complaint procedure. You may file a complaint regarding our governance or personal information protection practices with Vincent Huard, Vice-President of Operations and Privacy Officer of Spiria, by email at dpo@spiria.com.

Duty to assist or inquiries. You may also contact our Privacy Officer if you have questions about your rights of access, rectification, or withdrawal of consent. You may also request their assistance in clarifying your access, rectification, or withdrawal of consent requests, or, where applicable, to better understand the reasons for a refusal regarding any of these requests.

11. Confidential reporting of serious misconduct (whistleblower)

Spiria values ethics, transparency, and respect for its commitments to employees, partners, clients, and the public. To this end, a confidential and secure mechanism is available to anyone wishing to report conduct that is serious or contrary to the law, ethics, or Spiria’s internal policies.

Reports may concern, for example: fraud, conflicts of interest, human rights violations, breaches of security or personal information protection, or any other serious act affecting Spiria’s integrity.

Reports can be submitted completely anonymously or confidentially via a secure platform accessible at the following address: https://whistleblowersoftware.com/secure/spiria

This channel is independent of ordinary communication channels. If you wish, it allows you to follow up on your report and communicate with those responsible for handling it, while preserving your anonymity. Spiria is committed to protecting any person who makes a report in good faith from any form of retaliation or harm.

12. Access to the inbox dpo@spiria.com

Please note that the email address dpo@spiria.com is not accessed exclusively by the Privacy Officer. This inbox is also accessible to certain duly authorized Spiria staff members who require access as part of their duties, in order to ensure proper follow-up, proactive monitoring, and compliance with the timelines prescribed by applicable legislation. All access to this inbox is managed in accordance with Spiria’s principles of confidentiality and personal information security.

13. Updates to this Policy

Possible modifications. We may modify this Policy from time to time. We will notify you of any changes to this Policy by indicating, at the beginning of the document, the date of the latest revisions. If we have your email address, we may also send you a notice identifying any modifications to this Policy.

Consent to modifications. Your consent through the corresponding pop-up window and your continued use of the Site, or the fact that you provide us with personal information following the posting of modifications to this Policy, constitutes your acceptance of the modifications to this Policy, subject to the provisions of applicable law.

14. Attention regarding third-party websites

Disclaimer of responsibility. This Site may contain links to websites or services operated by third parties. These third-party sites are independent of Spiria and are governed by their own privacy policies and terms of use. Spiria expressly disclaims any responsibility regarding the collection, use, disclosure, or retention of your personal information by these third-party sites or services. Clicking on a link to an external site is entirely at your discretion and at your own risk. We recommend that you carefully read the privacy policies and terms of use of any third-party site before providing them with your information.