This privacy policy describes how personal information is collected, used, retained and protected in connection with the use of the loi25.certi360.com website, hereinafter referred to as the Bill 25 Project.
The Bill 25 Project is an experimental technical tool, separate from the main site www.certi360.com, whose activity consists of analyzing, for informational and technical purposes, publicly observable elements of a website provided by the user, particularly in relation to transparency obligations under Bill 25.
1. Personal Information Protection Officer
Officer: Patrick Boucher
Address: 4593 Autoroute 440 O, Laval (Quebec) H7P 0J7
Email: rp@certi360.com
The Officer may be contacted for any questions regarding this policy or to exercise rights under the Act respecting the protection of personal information in the private sector (Bill 25).
2. Nature and Limitations of the Bill 25 Project
The Bill 25 Project analyzes only information that is publicly accessible on the Internet, starting from a domain name or URL voluntarily submitted by the user, who declares, and assumes responsibility for, being authorized to submit this domain for analysis.
The tool performs no intrusive analysis, does not attempt to bypass access controls and does not allow assessment of internal processes, governance, organizational or contractual measures of an organization.
The results produced are technical, indicative, contextual and non-exhaustive. They do not constitute legal advice, certification or attestation of compliance with Bill 25.
3. Personal Information Collected
The collection of personal information is based on the user's implied consent when using the service, or on other grounds permitted by law when required.
In connection with the use of the Bill 25 Project, the following information may be collected:
- User's IP address
- Browser type (User-Agent)
- Domain name or URL submitted for analysis
- Detailed results of analyses performed
- Metadata associated with scans (scan identifier, date and time of creation, start and end)
- List of analysis modules executed
When voluntarily submitting comments or suggestions, the following information may be collected:
- Email address (optional)
- Message submitted by the user
No user account is created to access the service.
4. Collection Methods
Information is collected:
- When a user voluntarily submits a domain or URL
- Through HTTP headers and technical logs automatically generated by the server
- Through the site's feedback form, when used
5. Cookies and Local Storage
The Bill 25 Project uses only technical mechanisms essential to the operation and security of the service.
A security cookie is used:
- X-CSRF-Token: CSRF (Cross-Site Request Forgery) protection cookie, with a maximum duration of one hour, containing no personally identifiable information.
Data may be stored locally in the user's browser (localStorage) to improve the user experience:
- Test selection preferences
- Progress bar display state
This data remains exclusively on the user's device and is never transmitted to the server.
6. Cookies and Similar Technologies
The Bill 25 Project does not use cookies, in either the web page or the loi25.certi360.com tool, for tracking, advertising, marketing or behavioral analysis purposes.
The only cookie mechanism used is a technical security cookie strictly necessary for the secure operation of the service:
- X-CSRF-Token: CSRF (Cross-Site Request Forgery) protection cookie, used solely to secure requests submitted by the user. This cookie contains no personally identifiable information and automatically expires after one hour of inactivity.
No other type of cookie is used, including:
- No tracking or tracing cookies
- No advertising cookies
- No marketing cookies
- No behavioral analysis cookies
- No social media cookies
- No content sharing cookies
The service does not use technologies similar to cookies (such as tracking pixels, web beacons, browser fingerprinting) for user tracking or profiling purposes.
The only data stored locally is kept in the browser's localStorage (user interface preferences) and is never transmitted to the server. This data can be deleted at any time by the user through their browser settings.
7. Purposes of Collection
The information collected is used exclusively to:
- Execute analyses requested by the user
- Apply scan rate limiting mechanisms by IP address
- Ensure the security, stability and integrity of the service
- Produce technical statistics and monitoring
- Detect and prevent abuse
- Comply with applicable legal obligations
No information is used for marketing, profiling or advertising purposes.
8. Information Retention
Data associated with scans is retained for limited periods:
- Standard scans: maximum retention of 30 days, followed by automatic deletion
- Scans accessible via a sharing link: maximum retention of 30 days. These links are based on a unique scan identifier and are considered secret by virtue of their URL. They are not publicly indexed and are accessible only to people who have the link.
Technical logs are retained for the duration necessary for security, diagnostics and service operations.
9. Subcontracting and Cloud Services
The Bill 25 Project uses third-party cloud services strictly for hosting and technical logging purposes, including infrastructure and logging providers.
These providers may process certain personal information, such as IP addresses and technical logs, only to the extent necessary to provide their services.
The Bill 25 Project does not allow these providers to use the information for their own commercial or advertising purposes.
10. Transfers of Personal Information Outside Quebec
Certain personal information may be transferred, hosted or processed outside Quebec, as part of the use of cloud services essential to the operation of the Bill 25 Project.
Nature of transfers and location:
- Event and security monitoring logs (hosted in the United States): This data, which includes IP addresses, HTTP requests, browsing metadata and technical logs, is currently hosted on a logging platform located in the United States. These transfers are made exclusively for monitoring, security, technical diagnostics and abuse prevention purposes.
- Emails (hosted in the European Zone): Emails received through the contact or suggestions form are hosted on an email platform located in the European Zone. This data includes the sender's email address (if provided) and the message content voluntarily submitted by the user.
Countries and regions concerned:
- United States of America (technical logs)
- European Zone / European Union (emails)
Legal basis and safeguards:
Transfers outside Quebec are made in compliance with Bill 25 requirements, including:
- Data transferred is limited to what is strictly necessary to ensure service security and operation
- Service providers are contractually bound to protect information in accordance with applicable security standards
- Data is not used for commercial, advertising or profiling purposes by providers
- Technical and organizational security measures are in place (encryption in transit and at rest, strict access controls, access logging)
Rights and remedies:
Any person whose personal information is transferred outside Quebec retains all rights provided by Bill 25, including the right of access, rectification and withdrawal of consent, where applicable.
For any questions regarding transfers outside Quebec or to exercise your rights, please contact the Personal Information Protection Officer at: rp@certi360.com.
11. Access to Information
Personal information is not communicated to third parties for commercial or advertising purposes.
Access to data is strictly limited to the Personal Information Protection Officer.
12. Sharing with Third Parties
The Bill 25 Project does not share personal information with third parties for commercial, advertising or marketing purposes.
Collected data is stored exclusively on Bill 25 Project systems and in technical event logs, only for the following purposes:
- Ensure service security and integrity
- Detect and prevent abuse, attacks or fraudulent use
- Maintain technical stability and service availability
- Perform diagnostics and technical problem resolution
The only situations where information may be communicated to third parties are:
- When required by law or court order
- To technical infrastructure providers (hosting, logging) who process data only to provide their services, in accordance with sections 9 and 10
No data is sold, rented or transferred to third parties for commercial purposes.
13. Minors and Vulnerable Persons
The Bill 25 Project is a technical information site accessible to the general public. It is not specifically aimed at minors and does not collect information to identify users' age.
The service does not require account creation and does not request information that directly identifies a minor. The only data collected is technical (IP address, browser type) and does not make it possible to determine whether the user is a minor.
If a minor uses the service, the same protections and security measures apply to their data. Parents or guardians may exercise rights under Bill 25 on behalf of a minor by contacting the Personal Information Protection Officer.
The Bill 25 Project does not specifically target vulnerable persons and does not use manipulation or persuasion techniques to encourage use of the service.
14. Automated Decisions and Profiling
The Bill 25 Project is a technical information site that provides automated website analyses. These analyses are purely technical and informational.
No automated decision producing legal or significant effects is made from collected personal information. The service does not make decisions about users, their rights, obligations or personal situation.
No profiling is performed. The Bill 25 Project does not analyze user behavior, does not create individual profiles and does not use collected data to evaluate, predict or influence a person's characteristics, preferences or behavior.
The only automated uses of data are:
- Technical execution of analyses requested by the user
- Application of scan rate limiting mechanisms by IP address to preserve service stability
- Automatic detection of abuse or suspicious activities for service security
These technical mechanisms produce no effect on users' rights or personal situation.
15. Your Rights (Bill 25)
In accordance with Bill 25, any person may:
- Request access to personal information concerning them
- Request rectification of inaccurate information
- Request deletion or cessation of disclosure when provided by law
Any request must be sent by email to: rp@certi360.com.
16. Security Measures
Reasonable security measures are implemented to protect information, including:
- Restricted access controls
- Access logging and monitoring
- Rate limiting and abuse detection mechanisms
- Application and server security measures
17. Privacy Incidents
In the event of a privacy incident involving personal information, measures will be taken to limit impacts, ensure event traceability and comply with notification obligations under Bill 25, where applicable.
18. Policy Modifications
This policy may be modified to reflect the evolution of the Bill 25 Project, its features or applicable legal obligations.
The most recent version is always published on the loi25.certi360.com website.