Privacy policy

ORYX Gestion Inc. (hereinafter "ORYX", "we", "our" or "us") places the utmost importance on the protection of your personal information. This privacy policy (the "Policy") explains clearly and transparently how we collect, use, disclose, retain and protect your personal information when you interact with:

— Our website oryxgestion.com and all of its subdomains

— Our registration forms, including our launch list

— Our professional services, where applicable

— Our ORYX SAAS platform (hereinafter the "Platform")

— Any communication with our team (email, phone, forms)

This Policy is drafted in accordance with: Quebec's Act respecting the protection of personal information in the private sector (CQLR, c. P-39.1), as amended by Law 25; Canada's Personal Information Protection and Electronic Documents Act (PIPEDA); the European Union's General Data Protection Regulation (GDPR), where applicable; and the California Consumer Privacy Act (CCPA), where applicable, for California residents.

By accessing our site or using our services, you acknowledge that you have read, understood and accepted the practices described in this Policy.

In accordance with Law 25, ORYX has designated a person responsible for the protection of personal information.

— Name: Anthony Payeur, CEO

— Title: Privacy Officer

— Email: admin@oryxgestion.com

— Mailing address: ORYX Gestion Inc., 408-100 Louis-Lévesque Avenue, Otterburn Park, Quebec J3H 0S1, Canada

For any question, access or correction request, or complaint regarding the processing of your personal information, you may contact this person at the address above.

Information you provide directly. When joining the launch list: full name, professional email address, company name, number of employees, intended plan (based on your team size) and, optionally, a description of your operational challenges. When requesting a consultation: full name, email address, phone number (optional), company name and a description of your project. In email communications: the content of your messages, your email address and any other information you choose to share. For purchases and Platform subscriptions: billing data (name, billing address); payment information is processed by our payment processor Stripe — we do not have access to your full card number.

Information collected automatically when you visit: technical data (IP address, browser type and version, operating system, screen resolution), browsing data (pages viewed, visit duration, referral source, journey on the site) and cookies (see section 7).

Information from third parties: authentication platforms (if you sign in via Google, Microsoft or another provider), analytics tools, social networks (if you interact with our posts) and your collaborators if they invite you to use the Platform.

Special categories: we do not intentionally collect sensitive personal information (racial origin, political opinions, religious beliefs, health data, sexual orientation) or information about minors under 14. If we learn that such data was collected in error, we will delete it without delay.

We use your personal information only for legitimate, clearly defined purposes:

— Registering you on the launch list and keeping you informed of the launch (consent)

— Offering you early access to the Platform (performance of contract)

— Responding to your consultation requests (pre-contractual measures)

— Providing our services if you are a client (performance of contract)

— Processing your payments and invoicing our services (performance of contract and tax obligations)

— Sending you our newsletter and development updates (consent)

— Improving our services and website (legitimate interest, anonymized data)

— Securing our site and preventing fraud (legitimate interest)

— Meeting our legal, tax and accounting obligations (legal obligation)

We do not process your information for purposes incompatible with those described above without obtaining your prior consent.

Subprocessors and service providers. We use carefully selected subprocessors, bound by strict contractual data-protection obligations:

— Vercel — website hosting (United States / Europe)

— Stripe — payment processing (United States / Canada)

— Tally / MailerLite — forms and newsletter (Europe)

— Google Workspace — professional email and collaboration (Canada / United States)

— Cal.com / TidyCal — consultation booking (United States)

— Plausible / Google Analytics — web traffic analytics (Europe / United States)

As the ORYX Platform evolves, we will update this section with the complete list of subprocessors involved in its operation (cloud services, AI providers, etc.).

Legal disclosures. We may disclose your information to comply with a legal obligation, court order or valid government request; to protect our rights, property or safety, or that of our users; in the context of judicial or regulatory proceedings; or in the event of a merger, acquisition or asset transfer, subject to equivalent protection of the information.

No sale of personal information. ORYX does not sell, rent or trade your personal information to third parties for marketing purposes.

Some of our subprocessors may process your information outside Quebec and Canada (notably in the United States and Europe). To ensure an adequate level of protection, we implement:

— Standard contractual clauses (SCC) approved by the European Commission, where applicable

— Privacy impact assessments (PIA) compliant with Law 25 before any transfer outside Quebec

— Appropriate technical and organizational measures (encryption, access controls)

You may contact us for more information about the safeguards in place for international transfers.

A cookie is a small text file stored on your device when you visit a website. It allows the site to recognize your device and remember certain information.

Cookies we use:

— Essential cookies — site operation (security, session) — duration: session or up to 1 year

— Analytics cookies — understanding how you use our site — duration: up to 24 months

— Preference cookies — remembering your choices (language, etc.) — duration: up to 12 months

We do not use third-party advertising cookies or profiling cookies for targeted advertising without your explicit consent.

You may refuse or accept cookies, change your preferences at any time via your browser settings, or disable all cookies (this may affect how the site works).

We keep your personal information only for as long as necessary to fulfill the purposes for which it was collected, unless a legal obligation requires otherwise:

— Launch list data: until you unsubscribe, or 3 years after last contact

— Client data (services): 7 years after the end of the contract (accounting and tax obligations)

— Platform usage data: for the duration of the subscription, then 90 days after termination

— Billing data: 7 years (Canadian tax obligations)

— Communication data (emails): 3 years

— Browsing data and cookies: per the durations in section 7

At the end of these periods, your information is deleted or irreversibly anonymized.

In accordance with applicable laws, you have the following rights regarding your personal information:

— Right of access: obtain confirmation that we process information about you and receive a copy

— Right of rectification: have inaccurate, incomplete or ambiguous information corrected

— Right to deletion (right to be forgotten): request deletion of your information when it is no longer necessary

— Right to portability: receive your information in a structured, commonly used format, or request its direct transfer

— Right to withdraw consent: withdraw your consent at any time, without affecting the lawfulness of prior processing

— Right to de-indexing: request the de-indexing of a hyperlink giving access to information about you where its dissemination causes you serious harm (Law 25)

— Right to object: object to processing based on our legitimate interest, on grounds relating to your particular situation

— Right to information about automated decisions: be informed if a decision about you is based on automated processing, know the main factors involved and have it reviewed by a person

To exercise any of these rights, write to our privacy officer: admin@oryxgestion.com. We will respond within a maximum of 30 days of receiving your request (extendable for complex requests, with notice). Reasonable proof of identity may be required to process your request securely.

ORYX implements technical and organizational measures to protect your personal information against loss, unauthorized access, disclosure, alteration or destruction.

Technical measures:

— Encryption of data in transit (HTTPS/TLS) and at rest

— Strong authentication for administrator access

— Firewalls, monitoring and intrusion detection

— Regular, encrypted backups

— Security updates applied promptly

Organizational measures:

— Access to information limited to staff with a legitimate need (least-privilege principle)

— Ongoing team training on the protection of personal information

— Confidentiality commitments signed by all our employees and subprocessors

— Internal procedures for handling privacy incidents

No method of electronic transmission or storage is completely secure. While we implement reasonable protections, we cannot guarantee absolute security.

In the event of a privacy incident presenting a risk of serious harm (loss, unauthorized access or disclosure of personal information), in accordance with Law 25 and the GDPR, we undertake to:

— Notify the Commission d'accès à l'information du Québec and any other applicable competent authority without delay

— Notify the individuals concerned as soon as possible

— Keep a register of incidents as required by law

— Implement the corrective measures necessary to limit the consequences and prevent recurrence

Our services are intended for businesses and professionals. We do not knowingly collect personal information about children under 14 (Quebec) or under 13 (United States, COPPA). If you are a parent or guardian and believe your child has provided us with information, contact us immediately at admin@oryxgestion.com and we will delete it.

We may modify this Policy from time to time to reflect changes in our practices, applicable laws or our services. The date of the last update is shown at the top of this page. For substantial changes, we will notify you by email (if you are registered) or by a notice on our site before the changes take effect. Your continued use of our services after the publication of changes constitutes your acceptance of the updated Policy.

If you believe your rights have not been respected or you are dissatisfied with our handling of a request, you have the right to file a complaint with the following authorities:

— In Quebec: Commission d'accès à l'information du Québec (CAI) — www.cai.gouv.qc.ca — 1-888-528-7741

— In Canada (federal): Office of the Privacy Commissioner of Canada (OPC) — www.priv.gc.ca — 1-800-282-1376

— In Europe: the data protection authority of your country of residence, or the CNIL in France — www.cnil.fr

For any question, comment or request regarding this Privacy Policy or our personal information protection practices:

ORYX Gestion Inc.

Attention: Anthony Payeur, Privacy Officer

Address: ORYX Gestion Inc., 408-100 Louis-Lévesque Avenue, Otterburn Park, Quebec J3H 0S1, Canada

Email: admin@oryxgestion.com

Website: oryxgestion.com

ORYX Gestion Inc. is incorporated under the laws of Quebec, Canada.

This Privacy Policy does not constitute legal advice. ORYX reserves the right to modify it at any time. For complex or contentious questions, we recommend consulting a qualified legal advisor.