01 Introduction
Ordira ("Company", "we", "us", or "our") is committed to protecting your privacy and safeguarding your Personal Information. This Privacy Policy explains how we collect, use, disclose, and protect your Personal Information when you use our software as a service platform (the "Service").
We are a Canadian company with our principal place of business in the Province of Quebec. We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25), Canada's Anti-Spam Legislation (CASL), and other applicable privacy laws.
By accessing or using our Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. This Privacy Policy is incorporated into and forms part of our Terms and Conditions.
02 Definitions
- "Personal Information" means information about an identifiable individual, excluding business contact information used solely for business communications.
- "Sensitive Personal Information" means Personal Information that, due to its nature or context, requires a higher level of protection, including financial information, health information, and biometric data.
- "Processing" means any operation performed on Personal Information, including collection, use, storage, disclosure, modification, and destruction.
- "Consent" means voluntary agreement to the collection, use, or disclosure of Personal Information for specified purposes.
- "Third-Party Service Provider" means a company or individual engaged by us to perform services on our behalf that may involve access to Personal Information.
03 Privacy Officer
In accordance with PIPEDA and Quebec's Law 25, we have designated a Privacy Officer who is responsible for our compliance with privacy laws and for handling all privacy-related inquiries and complaints. Our Privacy Officer can be contacted at:
04 Information We Collect
4.1 Information You Provide Directly
When you register for an account, subscribe to our Service, or interact with us, you may provide the following information:
- Account Information: Full legal name, email address, and password
- Business Information: Business name, business number/registration number, business address, and mailing address
- Payment Information: Credit card details, billing address, and transaction history (processed securely through Stripe)
- Profile Information: Profile picture, company logo, job title, and preferences
- Communication Data: Messages, support requests, feedback, and correspondence with us
- User Content: Any data, files, or content you upload or create using the Service
4.2 Information Collected Automatically
When you access or use our Service, we automatically collect certain information:
- Device Information: Device type, operating system, browser type and version, unique device identifiers
- Log Data: IP address, access times, pages viewed, actions taken, referring URLs
- Usage Data: Features used, frequency of use, performance data, error reports
- Location Data: General geographic location based on IP address (we do not collect precise GPS location)
4.3 Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience. These include:
- Essential Cookies: Required for the Service to function properly (authentication, security, preferences)
- Analytics Cookies: Help us understand how users interact with the Service to improve functionality
- Preference Cookies: Remember your settings and preferences for a personalized experience
In compliance with Quebec's Law 25, we obtain explicit consent before deploying non-essential cookies or tracking technologies. You can manage your cookie preferences through our cookie consent banner or your browser settings.
05 Purposes for Collection, Use, and Disclosure
In accordance with PIPEDA's requirement to identify purposes, we collect, use, and disclose your Personal Information for the following purposes:
5.1 Service Provision
- Creating and managing your account
- Providing access to the Service and its features
- Processing subscriptions and payments
- Delivering customer support and responding to inquiries
5.2 Communication
- Sending transactional emails (account confirmations, billing notices, security alerts)
- Providing service updates and platform notifications
- Sending marketing communications (with your express consent, in compliance with CASL)
5.3 Service Improvement
- Analyzing usage patterns to improve the Service
- Developing new features and functionality
- Conducting research and analytics
- Personalizing your experience
5.4 Security and Compliance
- Protecting against fraud, unauthorized access, and security threats
- Enforcing our Terms and Conditions
- Complying with legal obligations and responding to lawful requests
- Conducting privacy impact assessments as required by Law 25
5.5 Business Operations
- Maintaining business records for accounting and tax purposes
- Managing vendor and partner relationships
- Facilitating corporate transactions (mergers, acquisitions, or sale of assets)
06 Consent
6.1 Types of Consent
We obtain consent for the collection, use, and disclosure of your Personal Information in the following ways:
- Express Consent: Required for Sensitive Personal Information, marketing communications, and any collection, use, or disclosure outside your reasonable expectations. We obtain express consent through clear affirmative actions such as checking a box or clicking a button.
- Implied Consent: May be relied upon for routine business activities where you would reasonably expect the processing, such as using your email to send account-related notifications.
6.2 Meaningful Consent
In accordance with PIPEDA and Law 25, consent is only valid if it is reasonable to expect that you understand the nature, purpose, and consequences of the collection, use, or disclosure of your Personal Information. We provide clear, plain-language explanations of our privacy practices to ensure meaningful consent.
6.3 Withdrawing Consent
You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice. To withdraw consent, you may contact our Privacy Officer or use the unsubscribe mechanism in our communications. We will inform you of the implications of withdrawing consent, which may include the inability to provide certain services.
6.4 Consent for Marketing (CASL Compliance)
In compliance with Canada's Anti-Spam Legislation (CASL), we obtain express consent before sending commercial electronic messages. All marketing emails include our business name, mailing address, and a functioning unsubscribe mechanism. Unsubscribe requests are processed within 10 business days.
07 Disclosure of Personal Information
We may disclose your Personal Information to the following categories of recipients:
7.1 Third-Party Service Providers
We engage trusted third-party service providers to perform functions on our behalf:
- Stripe, Inc.: Payment processing services. Stripe's privacy policy is available at stripe.com/privacy
- MongoDB Atlas: Cloud database hosting and storage services. MongoDB's privacy policy is available at mongodb.com/legal/privacy-policy
- Email Service Providers: For sending transactional and marketing communications
- Analytics Providers: For understanding usage patterns and improving the Service
All third-party service providers are contractually bound to protect your Personal Information and may only use it for the purposes specified in our agreements with them.
7.2 Legal and Regulatory Disclosure
We may disclose your Personal Information when required or permitted by law, including:
- To comply with legal obligations, court orders, or government requests
- To protect the rights, property, or safety of the Company, our users, or the public
- To enforce our Terms and Conditions
- To detect, prevent, or address fraud, security, or technical issues
7.3 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your Personal Information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your Personal Information and any choices you may have regarding your information.
7.4 With Your Consent
We may disclose your Personal Information to other parties with your express consent or at your direction.
08 Data Storage and International Transfers
8.1 Data Storage Location
Your Personal Information is stored using MongoDB Atlas cloud database services. Data may be stored on servers located in Canada and/or the United States. We prioritize Canadian data centres where available.
8.2 International Transfers
When we transfer Personal Information outside of Canada, we ensure that appropriate safeguards are in place to protect your information in accordance with PIPEDA and Law 25. This may include contractual obligations on the recipient to provide a comparable level of protection.
8.3 Privacy Impact Assessments
In compliance with Quebec's Law 25, we conduct Privacy Impact Assessments before transferring Personal Information outside Quebec, implementing new information systems, or undertaking any project involving Personal Information that may present privacy risks.
8.4 Foreign Government Access
Please be aware that Personal Information stored outside of Canada may be accessible to foreign governments, courts, or law enforcement agencies under the laws of those jurisdictions. By using our Service, you consent to this potential access.
09 Data Retention
We retain Personal Information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Our retention practices are as follows:
- Account Information: Retained for the duration of your account and for 30 days following account closure to facilitate any requests for data recovery
- Transaction Records: Retained for 7 years to comply with tax and accounting requirements
- Communication Records: Retained for 3 years for customer service and legal purposes
- Log Data: Retained for 12 months for security and performance analysis
- Marketing Consent Records: Retained for the duration of consent and 3 years following withdrawal to demonstrate CASL compliance
When Personal Information is no longer required, we securely destroy, erase, or anonymize it in accordance with our data destruction policies.
10 Security Safeguards
We implement appropriate technical, administrative, and physical safeguards to protect your Personal Information against unauthorized access, disclosure, modification, or destruction. Our security measures include:
10.1 Technical Safeguards
- Encryption of data in transit (TLS/SSL) and at rest
- Secure authentication mechanisms including password hashing
- Regular security assessments and vulnerability testing
- Firewalls and intrusion detection systems
- Regular software updates and security patches
10.2 Administrative Safeguards
- Privacy and security training for employees
- Access controls limiting data access to authorized personnel
- Confidentiality agreements with employees and contractors
- Regular review of security policies and procedures
10.3 Physical Safeguards
- Secure data centre facilities with restricted access
- Environmental controls and redundancy measures
10.4 Privacy by Default
In compliance with Quebec's Law 25, we implement privacy by default settings, meaning that the most privacy-protective settings are applied automatically when you create an account or access new features.
11 Data Breach Notification
In the event of a security breach involving Personal Information that creates a real risk of significant harm to individuals, we will:
- Notify affected individuals as soon as feasible, describing the nature of the breach, the information involved, and steps taken to mitigate harm
- Report the breach to the Office of the Privacy Commissioner of Canada
- For Quebec residents, report the breach to the Commission d'accès à l'information du Québec
- Maintain a record of all breaches for at least 5 years
- Take appropriate measures to prevent future breaches
12 Your Privacy Rights
Under PIPEDA, Quebec's Law 25, and other applicable privacy laws, you have the following rights regarding your Personal Information:
12.1 Right of Access
You have the right to request access to the Personal Information we hold about you, including information about how it has been used and to whom it has been disclosed. We will respond to access requests within 30 days.
12.2 Right to Rectification
You have the right to request correction of any inaccurate or incomplete Personal Information. You may update most account information directly through your account settings.
12.3 Right to Erasure (Right to be Forgotten)
Under Law 25, you have the right to request the deletion of your Personal Information, subject to certain exceptions (such as legal retention requirements). You may also request de-indexation of hyperlinks attached to your name that provide access to information that violates your right to privacy.
12.4 Right to Data Portability
You have the right to receive your Personal Information in a structured, commonly used, and machine-readable format, and to have it transferred to another organization where technically feasible.
12.5 Right to Withdraw Consent
You may withdraw consent for the collection, use, or disclosure of your Personal Information at any time, subject to legal or contractual restrictions.
12.6 Right to Object to Automated Decision-Making
Under Law 25, you have the right to be informed when a decision about you is made exclusively through automated processing, to request information about how the decision was made, and to have the decision reviewed by a person.
12.7 Exercising Your Rights
To exercise any of these rights, please contact our Privacy Officer using the contact information provided in Section 3. We may require verification of your identity before processing your request. We will respond to requests within 30 days, or inform you if additional time is required.
13 Children's Privacy
Our Service is not intended for individuals under the age of 18. We do not knowingly collect Personal Information from children. If you are a parent or guardian and believe your child has provided us with Personal Information, please contact our Privacy Officer. If we discover that we have collected Personal Information from a child, we will take steps to delete that information promptly.
14 Third-Party Links and Services
Our Service may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites you visit. This Privacy Policy applies only to our Service.
15 Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of any material changes by:
- Posting the updated Privacy Policy on our website
- Updating the "Last Updated" date at the top of this policy
- Sending you an email notification for significant changes
We will provide at least 30 days' notice before material changes take effect. Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.
16 Complaints and Dispute Resolution
If you have concerns or complaints about our privacy practices, we encourage you to first contact our Privacy Officer. We will investigate and attempt to resolve your complaint within 30 days.
If you are not satisfied with our response, you have the right to file a complaint with the appropriate privacy regulator:
- Office of the Privacy Commissioner of Canada: priv.gc.ca | 1-800-282-1376
- Commission d'accès à l'information du Québec: cai.gouv.qc.ca | 1-888-528-7741
17 Language
This Privacy Policy is drafted in English. A French version may be made available upon request. In the event of any inconsistency between the English and French versions, the English version shall prevail.
18 Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at: