This privacy policy describes how personal information is collected, used, retained and protected in connection with the use of the loi25.certi360.com website, hereinafter referred to as the Bill 25 Project.
The Bill 25 Project is an experimental technical tool, separate from the main site www.certi360.com, whose activity consists of analyzing, for informational and technical purposes, publicly observable elements of a website provided by the user, particularly in relation to transparency obligations under Bill 25.
1. Personal Information Protection Officer
Officer: Patrick Boucher
Address: 4593 Autoroute 440 O, Laval (Quebec) H7P 0J7
Email: rp@certi360.com
The Officer may be contacted for any questions regarding this policy or to exercise rights under the Act respecting the protection of personal information in the private sector (Bill 25).
2. Nature and Limitations of the Bill 25 Project
The Bill 25 Project analyzes exclusively information that is publicly accessible on the Internet, starting from a domain name or URL voluntarily submitted by the user, who declares, and assumes responsibility for being, authorized to submit this domain for analysis.
The tool performs no intrusive analysis, does not attempt to bypass access controls and does not allow assessment of internal processes, governance, organizational or contractual measures of an organization.
The results produced are technical, indicative, contextual and non-exhaustive. They do not constitute legal advice, certification or attestation of compliance with Bill 25.
3. Personal Information Collected
The collection of personal information is based on the user's implied consent when using the service, or on other grounds permitted by law when required.
In connection with the use of the Bill 25 Project, the following information may be collected:
- User's IP address
- Browser type (User-Agent)
- Domain name or URL submitted for analysis
- Detailed results of analyses performed
- Metadata associated with scans (scan identifier, date and time of creation, start and end)
- List of analysis modules executed
When voluntarily submitting comments or suggestions, the following information may be collected:
- Email address (optional)
- Message submitted by the user
General access to the service and one-off analyses do not require a user account. However, an account may optionally be created when a user wants regular monitoring, scan history, or more advanced management features (team console).
When creating or using a team account, the following information may also be collected:
- User email address
- Technical authentication identifiers (e.g. WebAuthn / passkey credentials)
- Team name or label, monitored domains, and notification preferences
- Analysis history linked to the account
Analyses may produce technical screenshots (e.g. observed consent banner) and other artifacts stored with scan results, for the period stated in section 8.
4. Collection Methods
Information is collected:
- When a user voluntarily submits a domain or URL
- Through HTTP headers and technical logs automatically generated by the server
- Through the site's feedback form, when used (local logging and, where applicable, email delivery)
5. Cookies and local storage
The Bill 25 Project does not use cookies for tracking, advertising, marketing, or behavioral analysis of visitors to loi25.certi360.com.
Only cookies strictly necessary for secure operation are used:
- X-CSRF-Token: protection against cross-site request forgery (CSRF), set when interacting with the API (e.g. starting an analysis, sending feedback). Maximum duration of about one hour; does not contain personally identifiable information by itself.
- loi25_team_session: team console session cookie, set only when a user signs in. Maximum duration of about six hours; set with security attributes (HttpOnly, Secure in production).
No advertising, social media, or behavioral analytics cookies are set by the service.
Preferences may be stored locally in the browser (localStorage) without being sent to the server:
- Display language
- Selected analysis modules
- Mobile display preference
This data stays on the user's device and can be removed through browser settings.
6. Similar technologies
The service does not use tracking pixels, ad tags, or browser profiling techniques for marketing purposes on loi25.certi360.com.
Analyses requested by the user target third-party websites; any trackers observed on those sites belong to them and are described in the technical report. They are not cookies set by the Bill 25 Project on the loi25.certi360.com visitor's device.
7. Purposes of Collection
The information collected is used exclusively to:
- Execute analyses requested by the user
- Apply scan rate limiting mechanisms by IP address
- Ensure the security, stability and integrity of the service
- Produce technical statistics and monitoring
- Detect and prevent abuse
- Comply with applicable legal obligations
No information is used for marketing, profiling or advertising purposes.
8. Information Retention
Data associated with scans (results, metadata, technical screenshots from the analysis) is retained for a limited period:
- Standard scans: maximum retention of 7 days, followed by automatic deletion or expiration
- Scans accessible via a sharing link: maximum retention of 7 days. These links are based on a unique scan identifier and are considered secret by URL. They are not publicly indexed and are only accessible to people with the link.
Team account and invitation data is retained while the account or team is active, then deleted or anonymized according to operational needs and legal obligations.
Feedback messages are kept in local technical logs for as long as needed for handling and follow-up, in addition to any email delivery described in section 10.
Other technical logs are retained for as long as needed for security, diagnostics, and service operations.
9. Subcontracting and cloud services
The Bill 25 Project uses third-party services strictly for hosting, security, technical operations, and certain analysis functions, including:
- OVHcloud — hosting of the site, scans, team accounts, and technical logs on servers located in Montreal (Quebec, Canada)
- Proton messaging service for feedback emails
- IP geolocation service (ip-api.com), used in a limited way to obtain the country associated with an IP address in a technical context (e.g. statistics or logging)
- OVHcloud AI Endpoints (European Union, including France) for automated analysis of privacy policy text from submitted sites (public page extract), under the provider's applicable GDPR framework
These providers may process certain personal information (e.g. IP addresses, logs, text extracts submitted for analysis) only to the extent necessary to provide their services.
The Bill 25 Project does not allow these providers to use the information for their own commercial or advertising purposes.
10. Transfers of Personal Information Outside Quebec
Primary hosting for the Bill 25 Project is in Quebec (Montreal, OVHcloud). Scan results, team accounts, and most technical logs are therefore hosted in Quebec.
Some information may still be processed outside Quebec when a specialized subprocessor is required, as described below.
Nature of processing and location:
- Primary hosting (Quebec): Service operational data (scans, metadata, technical screenshots, team accounts, application logs) hosted by OVHcloud in Montreal (Quebec, Canada).
- Emails (Proton): Feedback emails go through a messaging platform located in Switzerland / the European Zone. This includes the sender's email address (if provided) and the message voluntarily submitted by the user.
- IP geolocation (ip-api.com): Limited requests to an external service to determine the country associated with an IP address (technical context only).
- Artificial intelligence analysis (OVHcloud AI Endpoints): Text extracted from a public privacy policy and request metadata needed for the call are processed by OVHcloud on capacity located in the European Union (including France), under the GDPR. In its current configuration, the Bill 25 Project does not use a US-based AI inference provider for this function.
Location:
- Quebec, Canada (Montreal) — primary service hosting (OVHcloud)
- European Union (including France) — AI inference (OVHcloud AI Endpoints, outside Quebec)
- Switzerland / European Zone — feedback emails (Proton, outside Quebec)
- Other countries — only when an occasional technical subprocessor requires it (e.g. IP geolocation request to ip-api.com)
Legal basis and safeguards:
Transfers outside Quebec are made in compliance with Bill 25 requirements, including:
- Data transferred is limited to what is strictly necessary to ensure service security and operation
- Service providers are contractually bound to protect information in accordance with applicable security standards
- Data is not used for commercial, advertising or profiling purposes by providers
- Technical and organizational security measures are in place (encryption in transit and at rest, strict access controls, access logging)
Rights and remedies:
Any person whose personal information is transferred outside Quebec retains all rights provided by Bill 25, including the right of access, rectification and withdrawal of consent, where applicable.
For any questions regarding transfers outside Quebec or to exercise your rights, please contact the Personal Information Protection Officer at: rp@certi360.com.
11. Access to information
Personal information is not communicated to third parties for commercial or advertising purposes.
Access to data is limited to the Personal Information Protection Officer and authorized Certi360 personnel who need it to operate, secure, or support the service, under confidentiality obligations.
12. Sharing with Third Parties
The Bill 25 Project does not share personal information with third parties for commercial, advertising or marketing purposes.
Collected data is stored exclusively on Bill 25 Project systems and in technical event logs, only for the following purposes:
- Ensure service security and integrity
- Detect and prevent abuse, attacks or fraudulent use
- Maintain technical stability and service availability
- Perform diagnostics and technical problem resolution
The only situations where information may be communicated to third parties are:
- When required by law or court order
- To technical infrastructure providers (hosting, logging) who process data only to provide their services, in accordance with sections 9 and 10
No data is sold, rented or transferred to third parties for commercial purposes.
13. Minors and Vulnerable Persons
The Bill 25 Project is a technical information site accessible to the general public. It is not specifically aimed at minors and does not collect information to determine users' age.
The service does not require account creation for general use, although an optional account may exist for some regular-monitoring features. It does not request information that directly identifies a minor. The data collected automatically is mainly technical (IP address, browser type) and does not make it possible to determine whether the user is a minor.
If a minor uses the service, the same protections and security measures apply to their data. Parents or guardians may exercise rights under Bill 25 on behalf of a minor by contacting the Personal Information Protection Officer.
The Bill 25 Project does not specifically target vulnerable persons and does not use manipulation or persuasion techniques to encourage use of the service.
14. Automated Decisions and Profiling
The Bill 25 Project is a technical information site that provides automated website analyses. These analyses are purely technical and informational.
No automated decision producing legal or significant effects is made from collected personal information. The service does not make decisions about users, their rights, obligations or personal situation.
No profiling is performed. The Bill 25 Project does not analyze user behavior, does not create individual profiles and does not use collected data to evaluate, predict or influence a person's characteristics, preferences or behavior.
The only automated uses of data are:
- Technical execution of analyses requested by the user
- Application of scan rate limiting mechanisms by IP address to preserve service stability
- Automatic detection of abuse or suspicious activities for service security
These technical mechanisms produce no effect on users' rights or personal situation.
15. Your rights (Bill 25)
In accordance with Bill 25, any person may, as applicable:
- Request access to personal information concerning them
- Request rectification of inaccurate information
- Request deletion or cessation of disclosure when provided by law
- Withdraw consent when processing is based on consent
- Request portability of personal information when applicable
Any request must be sent by email to: rp@certi360.com.
16. Security Measures
Reasonable security measures are implemented to protect information, including:
- Restricted access controls
- Access logging and monitoring
- Rate limiting and abuse detection mechanisms
- Application and server security measures
17. Privacy Incidents
In the event of a privacy incident involving personal information, measures will be taken to limit impacts, ensure event traceability and comply with notification obligations under Bill 25, where applicable.
18. Policy Modifications
This policy may be modified to reflect the evolution of the Bill 25 Project, its features or applicable legal obligations.
The most recent version is always published on the loi25.certi360.com website.