Policy and Practices Governing the Protection of Personal Information

(Privacy Policy)

1. Introduction

Protecting personal information is a priority for ELYS Inc.
In compliance with Quebec’s Act to modernize legislative provisions as regards the protection of personal information (“Law 25”), this policy sets out our governance practices and the measures we have implemented to safeguard the information entrusted to our company.

2. Scope

This policy applies to all services provided by ELYS Inc., including:

  • the company’s website (which uses only strictly necessary cookies),

  • billing and payment activities,

  • development of client IT infrastructure (e.g., websites, email accounts, payment platforms).

3. Person Responsible for the Protection of Personal Information

In compliance with Law 25, ELYS Inc. has appointed a person responsible for the protection of personal information.
For any questions or requests regarding your personal information, please contact:

Responsible person: Linda Ross, CEO
Email: info@elys.ca
Phone: 1-866-378-ELYS

4. Collection and Use of Personal Information

  • Website: no personal information is collected. Only strictly necessary cookies are used.

  • Transactions: the personal information required for payment (name, contact details, billing information) is collected solely through the secure payment platform Stripe.
    Note: ELYS Inc. has chosen not to store full payment card numbers in Stripe after a transaction is completed.

  • IT development projects: during a mandate, the data linked to created systems (websites, emails, payments, etc.) remain the property of ELYS Inc. until the final product is delivered to the client.

5. Retention and Destruction

  • Information related to transactions is retained for the legally required period for accounting and tax purposes (maximum of 5 years after the last transaction), and then securely destroyed.

  • Upon request from the client, information may be deleted earlier, once payment has been processed.

6. Disclosure of Personal Information

Personal information is never sold or shared with third parties, except:

  • with service providers essential to our operations (e.g., Stripe for payment processing),

  • when required by law or a competent authority.

While our website does not use tracking or performance cookies, please be aware that third-party services, such as social media platforms, may append tracking parameters to URLs when our content is shared. These parameters are used for tracking and analytics purposes by the third-party services. We do not control or endorse these third-party tracking practices. If you have concerns about third-party tracking, we recommend adjusting your privacy settings on the relevant platforms and using privacy-focused tools to manage your online activity. For more information about third-party tracking, please contact the respective service providers directly.

Any disclosure of information outside Quebec complies with the obligations set out under Law 25.

7. Security Measures

ELYS Inc. applies safeguards appropriate to the sensitivity of the information processed, including:

  • two-factor authentication for access to third-party platforms,

  • access restricted only to authorized employees in secure premises,

  • work devices protected with passwords, antivirus, and firewalls,

  • software and operating systems kept up to date,

  • continuous staff awareness and training on privacy and security best practices.

8. Your Rights

In compliance with Law 25, you have the following rights:

  • access your personal information,

  • request correction or deletion,

  • withdraw your consent to its use,

  • request portability of your personal information,

  • request cessation of dissemination or de-indexation of information about you.

9. Incident Management

In the event of a confidentiality incident that may cause serious harm:

  • ELYS Inc. will immediately take measures to mitigate risks,

  • the Commission d’accès à l’information and affected individuals will be notified as required by law,

  • a registry of incidents will be maintained.

10. Updates

This policy may be updated to reflect legal, technological, or organizational changes. The date of the latest update will be indicated below.

Last updated: November 13, 2025