Privacy Policy
AlloTech.AI respects your privacy and is committed to protecting your personal information under Law 25 and PIPEDA.
Effective date: April 17, 2026
1. Information We Collect
1.1 Information you provide directly
- Contact information: name, email address, phone number
- Business information: company name, industry, size, project description
- Account data: login credentials if you access a client portal
- Communications: messages, support requests, form submissions, emails
- Billing information: invoice name, billing address (payment processed by third-party providers — we do not store card numbers)
1.2 Information collected automatically
- Usage data: pages visited, time spent, click patterns, referral source
- Device & browser data: IP address, browser type, operating system, screen resolution
- Cookies and similar technologies (see Section 6)
- Analytics data: collected via privacy-respecting analytics tools
1.3 Information from third parties
- Information you authorize through social platforms or CRM integrations
- Referral information from partners
2. How We Use Your Information
We use collected information strictly for the following purposes:
- Service delivery: provide, configure, and operate AI systems, workflows, and services
- Client communication: respond to inquiries, send project updates, follow up on requests
- Billing & contracts: process payments, issue invoices, manage agreements
- System improvement: analyze usage to improve platform performance and UX
- Marketing communications: send newsletters, product updates, or promotions — only with your explicit consent
- Legal compliance: meet regulatory obligations under Law 25, PIPEDA, and applicable law
- Security: detect, investigate, and prevent fraud or unauthorized access
3. Legal Basis for Processing
We process your personal data on the following legal bases:
- Consent: for marketing emails, newsletters, and cookies (you can withdraw at any time)
- Contract performance: to deliver services you have requested
- Legitimate interest: for analytics, security monitoring, and service improvement
- Legal obligation: to comply with Canadian and Quebec law
4. Data Storage & Security
All data is stored on secure, encrypted infrastructure. We implement industry-standard technical and organizational measures, including:
- TLS/HTTPS encryption in transit; AES-256 encryption at rest
- Access controls and role-based permissions (principle of least privilege)
- Regular vulnerability assessments using open-source tools (OpenVAS, Wazuh, Lynis)
- Intrusion detection and 24/7 monitoring via Suricata / SIEM
- Incident response plan with breach notification procedures
5. Data Sharing & Third Parties
We do not sell, rent, or trade your personal information. We may share data only with:
- Service providers: cloud hosting, analytics, email platforms — under strict data processing agreements
- Payment processors: Helcim (Canadian, PCI-DSS Level 1 certified) — subject to PCI-DSS compliance
- Legal authorities: when required by law, court order, or regulatory request
- Business transfers: in the event of merger, acquisition, or asset sale — you will be notified
All third-party processors are bound by confidentiality obligations and may not use your data for their own purposes.
6. Cookies & Tracking
Types of cookies we use
- Essential cookies: required for the site to function (session, security) — no consent required
- Analytics cookies: measure traffic and behavior — require consent
- Preference cookies: remember language and display settings — require consent
- Marketing cookies: only if applicable, with explicit consent
You can manage or withdraw cookie consent at any time through your browser settings or our cookie preference center. Disabling analytics cookies does not affect your ability to use our services.
7. AI Systems & Data Processing
AlloTech.AI builds and deploys AI systems for clients. With respect to AI and data:
- Client data isolation: each client's data is processed in isolated environments — never shared between clients
- No model training on your data: your business data is not used to train third-party AI models
- Open-source tools: we prioritize open-source AI models (LLaMA, Mistral) that run on private infrastructure when privacy is critical
- Human oversight: AI-generated outputs that affect client decisions are subject to human review
- Data minimization: AI systems are configured to process only the minimum data required for the task
8. Automated Decisions & Profiling
In accordance with Law 25, we must inform you if your personal information is used to render a decision based exclusively on automated processing or if we use technology that allows you to be identified, located, or profiled.
- No Automated Decisions: We do not use your personal data to render decisions based exclusively on automated processing that produce legal or similarly significant effects. All critical decisions involve human review.
- No Profiling: We do not construct comprehensive profiles of your behavior across third-party websites to evaluate your personal characteristics without your explicit, opt-in consent.
You have the right to object to any profiling or automated decision-making. Please see Section 11 to exercise your rights.
9. Data Retention Policy
We retain personal information only as long as necessary for its original purpose or as required by law. The table below sets out our specific retention periods:
| Data Type | Retention Period | Reason |
|---|---|---|
| Client project data | Duration + 3 years | Contract & accounting |
| Contact form submissions | 12 months | Follow-up & CRM |
| Analytics data | 13 months (rolling) | Performance analysis |
| Marketing consent records | Until withdrawal + 3 years | CASL compliance evidence |
| Billing & invoice records | 7 years | Canadian tax law (CRA) |
| Security & audit logs | 12 months | Incident investigation |
| AI training data (client) | Duration of contract only | Privacy by design |
| Support communications | 24 months | Quality & dispute resolution |
At the end of each retention period, data is securely deleted using industry-standard deletion methods, or anonymized so it can no longer be linked to an individual. Backup copies are purged within 90 days of the deletion of the active data.
10. Incident Response Process
AlloTech.AI maintains a documented Incident Response Plan (IRP) to handle privacy and security incidents in accordance with Law 25 and PIPEDA requirements.
Step-by-step process
- Detection: Security monitoring systems (Wazuh, Suricata, SIEM) detect anomalies or breaches in real time. Staff may also report suspected incidents.
- Containment (within 1 hour): Isolate affected systems to prevent further unauthorized access. Preserve forensic evidence. Activate the incident response team.
- Assessment (within 24 hours): Determine the nature, scope, and severity of the incident. Identify what data was affected and how many individuals are impacted.
- Notification (within 72 hours): Notify the Commission d'accès à l'information (CAI) if the incident presents a risk of serious harm. Notify affected individuals as soon as reasonably possible.
- Remediation: Apply patches, update access controls, reset credentials, and close the vulnerability. Document all actions taken.
- Post-incident review: Conduct a root-cause analysis within 30 days. Update security controls and the IRP. File a full incident report in the internal incident register.
11. Your Rights (Law 25 / PIPEDA)
Under Quebec's Law 25 and Canada's PIPEDA, you have the right to:
- Access: request a copy of the personal information we hold about you
- Correction: request correction of inaccurate or incomplete information
- Deletion: request erasure of your data (subject to legal retention obligations)
- De-indexing: request the cessation of dissemination of your personal information or the de-indexing of any hyperlink attached to your name
- Portability: receive your data in a structured, commonly used technological format
- Withdrawal of consent: opt out of any processing based on consent at any time
- Objection to Profiling: object to your personal information being used for profiling or automated decision-making purposes
- Complaint: lodge a complaint with the Commission d'accès à l'information (CAI) — cai.gouv.qc.ca
To exercise any of these rights, contact our Privacy Officer (Section 14). We will respond within 30 days.
12. Children's Privacy
Our services are intended for businesses and are not directed to individuals under the age of 14. We do not knowingly collect personal information from minors. If we become aware that a minor has submitted personal data, we will delete it promptly.
13. Email Consent
We comply with Canada's Anti-Spam Legislation (CASL). All commercial electronic messages include an unsubscribe mechanism. Consent records are stored with timestamp, source, and language for compliance purposes. No form on this website has pre-checked consent boxes.
14. Privacy Officer (Responsable de la protection des renseignements personnels)
In accordance with Quebec's Law 25, AlloTech.AI has designated Salim Boudehb (President / CEO) as the Privacy Officer (RPRP). This officer is responsible for overseeing data protection compliance, handling access requests, managing incident notifications, and maintaining this Privacy Policy.
Salim Boudehb — Privacy Officer (RPRP)
Responsible for: Law 25 compliance, PIPEDA, data subject requests, incident management, and the confidentiality incident register.
Response time: within 30 calendar days · Available in French and English
The Privacy Officer also maintains our internal Privacy Impact Assessment (PIA) register and reviews new projects for privacy risks before deployment.
15. Policy Updates
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. Material changes will be posted on this page with an updated effective date. For significant changes affecting your rights, we will notify you by email or via a prominent notice on our website.
Continued use of our services after the effective date constitutes acceptance of the updated policy.