Policies and practices governing the protection of personal information

1. Prospecting information (requests for demos and discovery meetings)

1.1. Information designation

• Company name
• Contact name
• Contact person’s position in the company
• Contact email
• Company/contact telephone number
• Financial system used by the company

1.2.Retention and destruction of information

The information is stored in Calendly, an external tool, as well as in an internal calendar. The information is also entered into our internal customer relationship management system.

Calendar events in Calendly and the internal calendar are deleted one (1) year after the meeting with the customer, and information in the customer relationship management system is destroyed seven (7) years after the meeting. Please note that if the company becomes a Loginnove customer following the meeting, the procedure in the “Customer Information” section will apply.

1.3. Staff roles and responsibilities

• Collected by the sales department, which is responsible for making the various entries in the company’s internal computerized systems
• Consulted only by sales staff for appointment setting and meeting preparation.

2. Customer information

2.1. Information designation

• Company name
• Company telephone number
• Company address
• Resource person(s)
• Contact telephone number
• Contact email address
• Credit card information
• Access to support infrastructure (VPN, SMTP, incoming email, shared folders)
• Access to financial and/or management systems
• Proposal documents
• Functional analysis documents
• Source code for custom applications
• Viridem data (hosted)

2.2. Retention and destruction of information

Customer information is kept for as long as the customer is active with Loginnove. The above information is deleted/destroyed seven (7) years after the end of the customer’s activity.

Exceptions :

• Credit card information: information is kept only as long as is necessary to configure payments in the third-party “Stripe” system used for credit card payments. Credit card information is no longer accessible once entered in Stripe.
• Proposal documents, functional analysis and custom application source code: these are kept on file on our internal servers for future reference for support and/or improvements. These documents will only be removed/provided at the customer’s written request.
• Hosted Viridem data: virtual machines are deactivated and made inaccessible as soon as the customer closes the account. The data will then be transmitted and destroyed only upon written request from the customer, otherwise, it will be destroyed after 3 months.

2.3. Staff roles and responsibilities

Billing Information

• Collected by the administrative department, which is responsible for making the various entries in the company’s internal computerized systems.
• Consulted only by administrative and sales staff for billing and communications purposes, and will be destroyed by the latter also after the stipulated retention period.

Information about access and data contained in Viridem and custom applications

• Collected by the technical support team, who are responsible for entering the information into our secure access retention system.
• Consulted only by the Professional Services team, who will need them to conduct initial configurations as well as for product evolution over time, and by the Technical Support team to respond to any customer needs.
• The technical support team is responsible for deleting this information after the specified retention period.

Information on the proposal and functional analysis documents

• Created and updated by the sales and development department
• Accessible through the sales, development and quality assurance team.
• The development team is responsible for destroying documents if required.

Source code

• The source code is designed and updated solely by the development team.
• Accessible only to the development team
• The development team is also responsible for destroying or transferring source code when required.

3. Supplier/partner information

3.1. Information designation

• Company name
• Company telephone number
• Company address
• Resource person(s)
• Contact telephone number
• Contact email address
• Banking information
• Contractual agreement

3.2. Retention and destruction of information

Supplier/partner information is kept for as long as the supplier/partner is active with Loginnove. The above information is deleted/destroyed seven (7) years after the end of the activity with the supplier/partner.

Exceptions :

• Banking information: information is removed from our systems as soon as the agreement with the supplier/partner is terminated.

3.3. Staff roles and responsibilities

Contact and banking information

• Collected by the administrative department, which is responsible for making the various entries in the company secure internal computerized systems.
• Consulted exclusively by administrative staff.
• Destroyed by administrative staff after the scheduled retention period.

Contractual agreements

• Created and updated by the Business Development Department.
• Consulted by management, business development and administrative staff.
• Destroyed by administrative staff after the stipulated retention period.

4. Employee information

4.1. Information designation

• First and last name
• Address
• Personal email address
• Personal telephone number
• Social insurance number
• Date of birth
• Bank details for payroll deposits
• Known allergies
• Gender
• Civil status
• Emergency contacts
• Salary
• Disciplinary notices
• Notes to the file
• Employment contract
• Curriculum Vitae
• Criminal record check results

4.2. Retention and destruction of information

Employee information is retained for as long as the employee is employed by Loginnove. The above information is deleted/destroyed seven (7) years following the end of the employee’s employment.

Exceptions: none

4.3. Roles and responsibilities of employees

Information (all)

• Collected by the Human Resources department, which is responsible for making the various entries in the company secure internal computerized systems.
• Consulted exclusively by human resources staff and management.
• Destroyed by human resources staff after the stipulated retention period.

5. General policy

The information collected is not sold, given, exchanged or shared with any third party, except Loginnove’s partners who are contractually bound to the company and who are obliged to respect the confidentiality agreement as well as all the rules surrounding Law 25.

Partners are external companies that offer their professional services exclusively to integrate the Viridem solution.

All access information is stored in a tool accessible internally only or via VPN. Access includes mandatory two-factor authentication for all employees. This tool makes it possible to control users’ access to different information according to their role within the company.

All internal tools containing sensitive or non-sensitive information feature mandatory two-factor authentication where available.

6. Complaint handling procedure

All complaints should be addressed to confidentialite@viridem.ca and should contain the following minimum information:

• Full name and contact details of the person filing the complaint
• Full name and contact details of the person who identified the incident (if different)
• Circumstances of the incident
• Information requested
• Date of incident if known

Upon receipt of a complaint, an acknowledgement of receipt is returned to the sender and will then be processed within a maximum of 15 working days to enable the committee to investigate, analyze, document, implement emergency corrective measures if required and finally respond to the complainant by email.

For security and confidentiality reasons, it is important never to include the information in question in email communications.

7. Termination of distribution of information

If you wish to stop the distribution of your personal and confidential information, you can contact Loginnove’s confidential information manager at confidentialite@viridem.ca.

The request must be made directly by the individual concerned. If the request concerns an organization, the request must be made by a person who holds the required authority to make such a request. The request must contain the following information:

• Full name and contact details of the applicant
• Name and contact details of the organization, if applicable
• Information requested
• Reason for a termination request
• Target platform(s)
• Requested termination date

An acknowledgement of receipt will be sent within minutes of receipt of the request.

The request will then be processed as quickly as possible by our internal team to ensure that dissemination of the information ceases on the date indicated. If the termination request is to take effect as soon as possible, every effort will be made to remove the information as quickly as possible.

Once completed, the requestor will receive an email confirmation that the termination request has been conducted.

Termination requests are kept in an internal register.