NOTICE OF COLLECTION OF PERSONAL INFORMATION Creditbook 2026-05-25

 

 

 

NOTICE OF COLLECTION OF PERSONAL INFORMATION

 

Purpose of Collection

The purpose of this Notice of Collection of Personal Information is to inform you of our collection, use, and potential disclosure of certain of your personal information if you provide us with information concerning you as a natural person that allows you to be identified, directly or indirectly, all in accordance with applicable privacy laws, including the Act Respecting the Protection of Personal Information in the Private Sector.

When you register, submit an application, or activate a subscription with us, our company may collect certain personal information concerning you through our online forms or digital platform for purposes related to:

  • Processing your registration application with us;
  • Performing the service agreement between us, including to:
  • Open your file within our system;
  • Process your service request and provide the requested services;
  • Manage your client account and maintain our contractual relationship and your subscription;
  • Invoice services rendered and process your payments;
  • Communicate with you regarding the services you requested;
  • Providing the services you requested, including with respect to the information necessary for such services or the performance of the agreement entered into with you;
  • Managing our customer relationship with you;
  • Improving our services, including conducting analyses relating to the use of our services or systems;
  • Training our personnel or ensuring quality control of our services;
  • Preventing and detecting fraud or improving the protection and security measures of our systems, including to:
  • Verify your identity and prevent fraud;
  • Ensure the security of our information systems and protect your personal information;
  • Detect and prevent fraudulent or unauthorized activities;
  • Comply with our anti-money laundering obligations;
  • Other purposes related to our legal or regulatory obligations, including to:
  • Comply with our tax and accounting obligations;
  • Respond to requests from competent regulatory authorities;
  • Retain records required by law for the prescribed retention periods;
  • Marketing communications, including to:
  • Inform you of our new services and promotions by email;
  • Send you our monthly newsletter regarding our services;
  • Contact you by telephone to offer complementary services.

Nature of the Information Collected

The types of personal information we may collect from you include the following, it being understood that our company collects, uses, and discloses to third parties information that may be considered sensitive because it relates to the credit records of the individuals concerned, including financial information such as credit scores, payment history, outstanding debts, as well as personal information such as contact details or identity-related information, which may more specifically include:

  • First name, last name, address, telephone number, email address, date of birth, payment information, information relating to your financial and professional situation, etc.

Mandatory or Optional Nature

The collection of certain personal information is mandatory for your registration with us and for the provision of the requested service, which is the subject of the application you are completing. Refusal to provide such information will result in the inability to complete your registration, process your request, or provide the services for which you are applying with us.

The collection of other information is optional and is intended to personalize your experience and send you marketing communications.

Third Parties for Whom the Information Is Collected

Your personal information is collected on behalf of our own company and, where applicable, on behalf of the following third parties: lenders and creditor partners of our company, technology service providers, financial institutions, cloud service providers, payment processors, business partners, identity or credit verification agencies, professional advisors, auditors, regulatory authorities, and other service providers necessary for the company’s operations, etc.

Disclosure of Your Personal Information

Our company may disclose your personal information to the following categories of third parties, to the extent necessary for the purposes described herein: lender business partners and creditor partners of our company, technology service providers, financial institutions, etc.

Any disclosure of personal information will be carried out in accordance with the purposes for which it was collected and applicable legal requirements. Where applicable, disclosure of your information to the third parties identified above is necessary to provide services, comply with legal and regulatory obligations, prevent fraud, perform identity or creditworthiness verifications, process payments, ensure system security, or support the company’s business operations.

Disclosure Outside Québec

Your personal information may need to be disclosed outside Québec, to other provinces or elsewhere in Canada. When your personal information is disclosed outside Québec, our company ensures that it receives adequate protection by conducting privacy impact assessments and entering into written agreements with the foreign organizations receiving the information regarding the appropriate safeguards they must implement and maintain.

In this regard, please note that personal information disclosed outside Québec may be subject to the laws of other jurisdictions where it is transferred, including laws regarding access by local authorities.

Retention Period

Your personal information will be retained for the period necessary for the purposes for which it was collected, in accordance with legal and regulatory obligations, namely: for the duration of your subscription and for a period of seven (7) years following its termination. Upon expiration of this period, personal information is securely destroyed and deleted or irreversibly anonymized.

Security Measures

Our company aims to protect the personal information we collect, use, retain, and disclose by implementing reasonable and appropriate security measures in accordance with applicable privacy laws, including the Act Respecting the Protection of Personal Information in the Private Sector. These security measures are designed to protect your personal information against loss, theft, unauthorized access, disclosure, copying, use, modification, or destruction and include appropriate physical, technical, and administrative safeguards considering the sensitivity, purpose, quantity, distribution, and medium of the personal information.

We have implemented technical security measures including:

  1. Encryption of sensitive personal information during transmission and storage;
  2. The use of firewalls and intrusion detection and prevention systems to protect our computer networks;
  3. The installation and regular updating of antivirus and anti-malware software on all our systems;
  4. Multi-factor authentication for access to systems containing personal information;
  5. Network segmentation to limit access to personal information only to systems requiring such access;
  6. Continuous monitoring of our information systems to detect suspicious or unauthorized activities;
  7. Regular and secure backups of personal information to ensure recovery in the event of an incident.

We have implemented physical security measures including:

  1. Access control to our premises through access card systems, entry codes, or security guard monitoring;
  2. Restricting access to areas where personal information is stored to authorized employees only;
  3. The use of video surveillance systems in sensitive areas;
  4. Secure locking of cabinets, filing systems, and other physical containers containing documents with personal information;
  5. Secure destruction of physical documents containing personal information through shredders meeting security standards;
  6. Protection of our servers and computer equipment in secure rooms with restricted and controlled access;
  7. Strict policies regarding the removal of documents or devices containing personal information from our premises.

We have implemented administrative security measures including:

  1. The adoption and implementation of written policies and procedures regarding personal information protection;
  2. The appointment of a Privacy Officer responsible for overseeing compliance with our legal obligations;
  3. Regular and mandatory training for all employees, representatives, and subcontractors regarding personal information protection and information security practices;
  4. The implementation of access controls based on the need-to-know and least privilege principles, limiting access to personal information only to employees who require it to perform their duties;
  5. The obligation for all employees, representatives, and subcontractors to sign confidentiality agreements;
  6. Conducting privacy impact assessments for projects presenting a high risk to privacy;
  7. Maintaining a confidentiality incident register;
  8. Regular review and updating of our security measures to address evolving threats and technologies;
  9. Conducting due diligence reviews of our suppliers and subcontractors to ensure they provide sufficient guarantees regarding personal information protection.

The security measures we implement are proportionate and adapted to the sensitivity of the personal information collected, the purpose for which it is used, its quantity, its distribution, and the medium on which it is stored. We provide enhanced protection for sensitive personal information, such as financial information, health information, biometric data, and any other information whose disclosure could cause serious harm to the individual concerned.

We regularly assess the effectiveness of our security measures and update them according to evolving risks, available technologies, and industry best practices. We periodically conduct security audits, vulnerability tests, and incident simulation exercises to identify potential weaknesses and proactively address them.

When we disclose personal information to third parties, including service providers, subcontractors, or business partners, we ensure by contract that such third parties implement security measures equivalent to or greater than ours to protect personal information against loss, theft, unauthorized access, and disclosure. We also require these third parties to promptly notify us of any confidentiality incident likely to present a risk of serious harm.

Despite the security measures we implement, no system is entirely foolproof and confidentiality incidents may occur, including unauthorized access to, use of, or disclosure of personal information, or loss of personal information, as defined under the Act Respecting the Protection of Personal Information in the Private Sector.

In the event of a confidentiality incident presenting a risk of serious harm to affected individuals, we undertake to:

  1. Record the incident in our confidentiality incident register;
  2. Notify the Commission d’accès à l’information du Québec within the time prescribed by law;
  3. Notify affected individuals where required by law;
  4. Take all reasonable measures to reduce the risk of harm and prevent recurrence of such incidents.

Your Rights Regarding Your Personal Information

For informational purposes, you have the right to access the personal information we have collected concerning you, as well as the right to request correction in the event such information is inaccurate, incomplete, or ambiguous. Where applicable, you may withdraw your consent to the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions and reasonable notice.

Withdrawal of your consent will result in the cessation of the use of your personal information and its destruction within thirty (30) days, subject to applicable legal retention obligations.

Our Privacy Policy

We invite you to review our privacy policy, as published online on our website, which complements this notice of collection and provides additional information regarding our company’s practices.

Person Responsible for the Protection of Personal Information

Our company has appointed a Privacy Officer responsible for ensuring compliance with laws such as the Act Respecting the Protection of Personal Information in the Private Sector, including ensuring the protection of your personal information and responding to requests from individuals concerned, where applicable.

To exercise your rights or for any questions regarding the protection of your personal information, please contact our Privacy Officer using the following contact information:

  • Name: Lloyd Evetts
  • Title: Privacy Officer
  • Address: 1641A Autoroute 440 Jean Noël Lavoie, Laval, Québec, H7L 3W3
  • Email: [email protected]

Additional Information Available Upon Request

Upon request, our company will provide you with the following information:

  • The categories of persons within our company who have access to personal information;
  • The retention period applicable to each category of information;
  • The complete contact details of our Privacy Officer.

Remedies

If you believe that your rights regarding the protection of your personal information have not been respected, we invite you to contact us in order to discuss the matter and attempt to reach a solution. If we are unable to resolve the issue to your satisfaction, you may file a complaint with the Commission d’accès à l’information du Québec, which can be contacted at the following coordinates:

Commission d’accès à l’information du Québec
525 René-Lévesque East Boulevard, Suite 1.20
Québec City, Québec G1R 5S9
Telephone: 1.888.528.7741
Website: www.cai.gouv.qc.ca

Amendments to this Notice

This Notice of Collection of Personal Information may be amended periodically to reflect legislative, regulatory, or organizational changes. In the event of a significant amendment, we undertake to proactively inform affected individuals.

Such notification will be provided through our website, in a section dedicated to the privacy policy, and, where applicable, through any other means deemed appropriate to reach affected individuals, such as email or public notice.

We encourage you to regularly review our privacy policy in order to remain informed of updates.

(Notice of Collection of Personal Information revised on May 1, 2026.)