EasyMark · An SZTek Inc. product
Privacy Policy
AI-drafted · Counsel-review pending
EasyMark is a marketing-automation product made by SZTek Inc., an Ontario company. We collect the information you give us when you create an account and use the product (your name, business details, billing info, the content you ask us to generate, and how you use the app). We use it to run the product for you and to bill you. We share it only with the suppliers we need to deliver the service (listed below), with the channels you tell us to publish to, and with regulators when the law requires. We do not sell your personal information. You can ask for a copy, ask us to delete it, withdraw your consent, or complain to the Quebec privacy regulator at any time. AI plays a real role in the product — we explain where and how, and you can ask for a human to review any automated decision that affects you.
1. Who we are and how to contact us
This Privacy Policy describes how SZTek Inc., a corporation incorporated under the laws of Ontario, Canada with its head office at Vaughan, Ontario, L6A 3A1, Canada, doing business as EasyMark ("SZTek", "EasyMark", "we", "us", "our"), collects, uses, communicates, retains, and protects personal information when an individual interacts with the EasyMark platform, the marketing websites at easymark.ca, the in-product application, the public APIs, and any related services (collectively, the "Service"). For purposes of the Act respecting the protection of personal information in the private sector (Quebec Law 25), SZTek is the enterprise responsible for the personal information described in this Policy. The person responsible for the protection of personal information within SZTek (the "Privacy Officer") is Zafer Khan. The Privacy Officer may be contacted at privacy@easymark.ca or by post at SZTek Inc., Attention: Privacy Officer, Vaughan, Ontario, L6A 3A1, Canada (head-office address current as of the effective date; refer to the most recent version of this Policy for the up-to-date address). Where this Policy refers to "you," it refers to the individual whose personal information is being processed. Where you are acting on behalf of a customer organization that has its own customers or contacts (a "business-to-business" relationship), this Policy describes the personal information SZTek processes about you directly; the personal information you upload, generate, or process about your own customers and contacts through the Service is governed by the Service Agreement between you and SZTek, by any Data Processing Addendum SZTek offers, and by your own privacy commitments to those individuals, with respect to which SZTek acts as a service provider on your documented instructions and is not the enterprise responsible under Law 25.
2. Purposes of processing
SZTek collects, uses, and communicates personal information for the specific purposes listed in this Section 2. Each purpose stands on its own. Where Law 25 requires separate consent for a given purpose, that consent is obtained separately at the relevant point in the user journey (typically at account creation, at the moment of enabling a feature, or at the moment of connecting a third-party channel). Withdrawing consent for one purpose does not, by itself, withdraw consent for any other purpose, and SZTek will, where technically and contractually feasible, continue to provide the parts of the Service whose primary purpose does not depend on the withdrawn consent. The purposes are:
(a) Account creation and management — to verify your identity, provision your account, maintain your security settings, enforce role-based access within your organization, and communicate with you about your account. Lawful basis: performance of contract; legitimate interest in account security.
(b) Service delivery — to operate the marketing-automation workflows you configure, to schedule and publish content to the channels you have connected, and to maintain the audit logs that allow you to review what the Service did on your behalf. Lawful basis: performance of contract.
(c) AI content generation — to generate marketing content, images, video, audio, and recommendations using artificial-intelligence models (whether platform-managed, customer-supplied through "BYO-AI," or both, as described in the Terms of Service §7). Prompts, briefs, brand assets, and resulting outputs are transmitted to the AI provider you have configured (or to the platform-managed provider during the Trial period or where you have opted in to platform-managed AI). Lawful basis: performance of contract; separate purpose disclosure at the moment of model selection.
(d) Billing and subscription management — to charge the payment method you have authorized, to issue receipts and invoices, to manage Subscription, 5-Year Access, Lifetime Deal (where applicable), Credit-package, and pay-as-you-go billing, and to recover unpaid amounts. Lawful basis: performance of contract; legal obligation (tax-record retention).
(e) Customer support and account correspondence — to respond to your support requests, to investigate issues you report, and to communicate operational matters such as outages, security incidents, and service changes. Lawful basis: performance of contract; legitimate interest in providing support.
(f) Fraud detection and abuse prevention — to detect and prevent fraudulent account creation, abuse of the Trial period (including automated tooling, account farming, and resale of platform-managed AI output as described in the Terms of Service §7.3), payment fraud, and abuse of the Service against third parties. Lawful basis: legitimate interest of SZTek in protecting the Service, its customers, and third parties.
(g) Direct marketing about EasyMark — to send commercial-electronic messages about EasyMark features, offers, and educational content, only where you have given express consent under the Canadian Anti-Spam Legislation (CASL) or where an exception under CASL applies. Lawful basis: express consent; CASL business-relationship exception where applicable. You may withdraw this consent at any time without affecting the other purposes.
(h) Product analytics and improvement — to measure feature adoption, to detect bugs, to prioritize the product roadmap, and to improve safety and accuracy of AI outputs. Where feasible, we perform this analysis on aggregated or de-identified data. Lawful basis: legitimate interest of SZTek in improving the Service.
(i) Compliance, audit, and legal proceedings — to comply with applicable law, including tax and accounting recordkeeping; to respond to lawful requests from regulators, courts, or law-enforcement authorities; to enforce the Terms of Service; and to establish, exercise, or defend legal claims. Lawful basis: legal obligation; legitimate interest in defending legal claims, subject to applicable law.
SZTek does not sell personal information for monetary consideration and does not disclose personal information for purposes incompatible with those listed in this Section 2 without your separate consent or another lawful basis. SZTek reserves the right, in its sole discretion, to refine the descriptions of the purposes above where doing so increases clarity for users; any addition of a new purpose requires renewed consent or another lawful basis where the law so provides.
3. Categories of personal information collected
SZTek collects the following categories of personal information. The categories are illustrative, not exhaustive; SZTek may collect additional information of similar type and sensitivity where reasonably necessary to operate the Service.
(a) Account-identification data — given name and surname; preferred display name; e-mail address (used as the account identifier); hashed password; second-factor authentication enrolment (TOTP secret hash, recovery-code hashes, optionally a phone number where you have enabled SMS-based second factor); preferred locale and time zone.
(b) Organizational and role data — the name of the customer organization, your job title or role, the workspace and role assignments within EasyMark, and the audit-log entries describing actions taken on your account.
(c) Billing and tax data — billing name; billing postal address; tax-registration number (GST / HST / QST, VAT, or other) where you have supplied one; payment-method metadata returned by Stripe (last four digits of card, card brand, expiry month/year, payment-method identifier); transaction history (invoices, receipts, refunds, chargebacks, credit notes). Full payment-card numbers, security codes (CVV), and bank-account credentials are collected directly by Stripe and are never received or stored by SZTek.
(d) Business-context content you supply to the Service — brand assets (logos, color palettes, tone-of-voice descriptors); brand briefs and product descriptions; uploaded documents that inform AI generation; saved prompts and templates; campaign briefs.
(e) Channel-connection credentials and metadata — OAuth access tokens and refresh tokens for the third-party channels you connect (currently including Meta / Facebook / Instagram, Google Business Profile and Google Ads, LinkedIn, X / Twitter, TikTok where supported, e-mail providers, and others SZTek may add); channel-account identifiers, page identifiers, account names; permission scopes granted; token-rotation and refresh metadata.
(f) AI prompts, generated outputs, and AI metadata — the prompts you submit (whether typed, voice-dictated, or assembled by the platform from brand context); the outputs generated by AI models; metadata about each generation (model name and version, modality, token counts where available, cost where applicable, timing, error states).
(g) Audience and contact-list content you upload — names, e-mail addresses, telephone numbers, and other contact attributes of your customers and prospects that you upload, import, or connect through the Service for the purpose of running campaigns. You are the controller of this content under Law 25 and PIPEDA, and SZTek processes it on your documented instructions as described in Clause 1 and in any Data Processing Addendum.
(h) Service-usage telemetry — page-view and feature-interaction events; in-product navigation; clicks; performance metrics; error reports; agent-action logs describing which automated agents acted on your behalf.
(i) Technical and device data — IP address; user-agent string and derived browser, operating system, and device-type values; device-fingerprint metadata derived from non-PII signals (used only for the fraud-detection purpose described in Clause 3§2(f)); referrer URL; cookie identifiers (described in detail in the Cookie Policy).
(j) Support correspondence — the content of support tickets, e-mail exchanges, in-product chat messages, screen recordings or screenshots you voluntarily attach, and metadata about the support interaction (timestamps, agent identifiers, resolution status).
SZTek does not intentionally collect sensitive personal information as defined under Law 25 (such as health, biometric, sexual orientation, religious belief, political opinion, racial or ethnic origin, or judicial-record information) and asks that you do not upload such information into the Service. Where sensitive personal information is incidentally present in content you provide, SZTek processes it only as part of the broader content stream and applies the same protections as for other personal information; it does not derive separate insights from it. The Service is intended for businesses and adult professionals and is not directed at children; SZTek does not knowingly collect personal information from individuals below the age of majority in their jurisdiction.
4. Consent — how we obtain it, how you withdraw it
SZTek seeks your consent at the moment a given category of personal information is collected for a given purpose, in accordance with the consent requirements of Quebec Law 25 and PIPEDA. Consent is manifest, free, enlightened, and given for specific purposes.
(a) At account creation (Onboarding Step 5). During account creation, you are asked to accept the Terms of Service, this Privacy Policy, and the Cookie Policy. Acceptance is recorded in the legal_acceptances table together with the version number of each document. Acceptance covers the purposes described in Clauses 3§2(a) through 3§2(c) and the strictly-necessary cookie processing described in the Cookie Policy. Acceptance does not, by itself, authorize direct marketing under Clause 3§2(g); a separate marketing-consent checkbox is presented at account creation and is unchecked by default.
(b) At the moment of feature enablement. Where a feature triggers a new processing purpose (for example, connecting a new third-party channel under Clause 3§2(b), uploading a contact list under Clause 3§5(g), or opting in to platform-managed AI billing under the Terms of Service §7.6), the in-product flow presents a specific, plain-language consent prompt and records your response with a timestamp and the feature identifier.
(c) Withdrawal of consent. You may withdraw consent for any purpose at any time, subject to applicable legal restrictions. Withdrawal is exercised through the account settings (where a self-service mechanism is offered) or by writing to privacy@easymark.ca. Withdrawal takes effect within a reasonable time, and in any event within the time period required by Law 25. Withdrawing consent for a purpose required to deliver the core Service (such as Clauses 3§2(a) and (b)) may require terminating your account; SZTek will, on request and subject to applicable law, provide the data-export described in Clause 13 before the account is closed.
(d) Manner of consent. Consent is express where the law so requires (including for direct marketing under CASL and for the collection of any information categorized as sensitive under Law 25). For purposes that are reasonably necessary to perform the contract or to operate the Service, consent is recorded at acceptance of the Terms of Service together with this Policy. For purposes resting on legitimate interest (such as fraud detection under Clause 3§2(f) and product analytics under Clause 3§2(h)), SZTek relies on a documented legitimate-interest assessment and provides you with a means to object where the law so allows.
(e) Children. The Service is not directed at, and SZTek does not knowingly collect personal information from, individuals below the age of majority in their jurisdiction. If you become aware that an individual below the age of majority has provided personal information to SZTek, please contact privacy@easymark.ca and SZTek will, where required, delete the information.
5. Retention of personal information
SZTek retains personal information only for the time necessary to fulfill the purposes for which it was collected, plus any additional period required or permitted by law. Retention is governed by the categories below; on expiry of the applicable retention period, SZTek deletes or anonymizes the personal information through automated processes documented in the audit logs.
(a) Active account data (account-identification, organizational, channel-credential, business-context content, AI prompts and outputs) — retained for the duration of the active account relationship. On account closure (whether initiated by you or by SZTek), this data is retained for an additional thirty (30) days to allow recovery in case of accidental deletion, then permanently deleted or anonymized, subject to subsections (e) and (f) below.
(b) Billing and tax data — retained for seven (7) years from the end of the fiscal year of the relevant transaction, in compliance with Canadian tax-records retention requirements. After the retention period, the data is deleted; aggregated and de-identified statistics may be retained indefinitely.
(c) Channel-OAuth tokens — retained for the lifetime of the active channel connection. On disconnection (whether triggered by you, by the channel provider, or by token expiry), tokens are deleted within forty-eight (48) hours.
(d) Service-usage telemetry and technical data (Clauses 3§5(h) and (i)) — retained in identifiable form for twelve (12) months, then aggregated, de-identified, or deleted. Aggregated statistics may be retained indefinitely.
(e) Audit logs — retained for seven (7) years for the categories required by SOC 2-aligned operational practice, Law 25 incident-response requirements, and Canadian tax-records retention. The audit-log retention period extends past account closure.
(f) Records of legal-document acceptance (legal_acceptances) — retained for seven (7) years after the closure of the account that gave the acceptance, in order to demonstrate the lawful basis of past processing.
(g) Support correspondence — retained for three (3) years from the date of last interaction.
(h) Backups — retained on a rolling basis and overwritten in the ordinary course. Personal information present in backups is governed by the retention periods above; where a deletion request requires removal from backups, SZTek will remove the personal information from backups when those backups are next rotated, and in any event within ninety (90) days, subject to applicable law.
(i) Anonymization as an alternative to deletion. Where SZTek's legitimate interests in product analytics, fraud-pattern research, or AI-model evaluation justify retention of data in a form that no longer identifies an individual, SZTek may anonymize personal information at the end of the applicable retention period instead of deleting it. Anonymized data is no longer subject to this Policy.
SZTek reserves the right, in its sole discretion and subject to applicable law, to retain personal information for longer than the periods above where required to comply with a legal obligation, to respond to a regulator request, to investigate a security or fraud incident, or to establish, exercise, or defend a legal claim.
6. Your rights and how to exercise them
Subject to verification of your identity and to the exceptions provided by applicable law, you have the following rights with respect to personal information that SZTek holds about you. The rights apply individually; exercising one does not waive the others.
(a) Right of access. You may obtain confirmation that SZTek processes personal information about you and obtain a copy of that information, together with the categories of recipients, the retention periods, and the purposes of processing. Most account-level data is available in the in-product account settings; for the full record, write to privacy@easymark.ca.
(b) Right to rectification. You may correct inaccurate or incomplete personal information at any time through the account settings or by writing to the Privacy Officer.
(c) Right to data portability. You may obtain a copy of the personal information you have provided to SZTek in a structured, commonly used, and machine-readable format (for example, JSON or CSV), and, where technically feasible, request that SZTek transmit that information directly to another organization. The portability right is offered per Law 25 Article 27.
(d) Right to deletion. You may request the deletion of personal information SZTek holds about you. SZTek will honor the request subject to the retention obligations described in Clause 5 and subject to applicable legal exceptions. Account deletion requests are processed through the dedicated in-product flow (which writes to the account_deletion_requests queue) or by writing to privacy@easymark.ca.
(e) Right to de-indexation and cessation of dissemination. Under Law 25 Article 28.1, you may request that SZTek cease disseminating personal information about you, or that hyperlinks to that information be de-indexed, where the dissemination causes you serious harm and the conditions of Article 28.1 are met. Requests are handled by the Privacy Officer.
(f) Right to withdraw consent. As described in Clause 4§4(c), you may withdraw your consent for any purpose at any time, subject to applicable legal restrictions.
(g) Right to object to processing based on legitimate interest. For purposes resting on SZTek's legitimate interest (such as fraud detection under Clause 3§2(f) and product analytics under Clause 3§2(h)), you may object on grounds related to your particular situation. SZTek will weigh your objection against its documented legitimate-interest assessment and respond.
(h) Right to information about automated decision-making. As described in Clause 15 below, you may request the principal factors and parameters of automated decisions that produce legal or similarly significant effects on you, and you may request human review.
(i) Right to file a complaint. You may file a complaint with the Commission d'accès à l'information du Québec (CAI), with the Office of the Privacy Commissioner of Canada (OPC), or with any other competent regulatory authority. SZTek asks that you contact the Privacy Officer first so that SZTek can address your concern directly; this is a courtesy, not a precondition.
Response timeline. SZTek responds to verifiable rights requests within thirty (30) days of receipt, except where Law 25 or PIPEDA provides for a different timeline or where additional time is reasonably required given the complexity of the request, in which case SZTek will notify you of the extension and the reason for it. No fee is charged for a first reasonable request in a twelve-month period; SZTek may charge a reasonable fee for further or manifestly unfounded or excessive requests, subject to applicable law, and any such fee is disclosed before SZTek proceeds.
Identity verification. SZTek requires verification of your identity proportionate to the sensitivity of the request and the sensitivity of the personal information concerned, to prevent fraudulent requests against your account.
7. Third parties to whom we communicate personal information
SZTek communicates personal information to the categories of third parties listed below, each for the specific purposes indicated and subject to written commitments that those parties protect the personal information at a level of protection equivalent to that provided by SZTek. SZTek maintains a current list of its sub-processors and major third-party recipients and updates it as the list changes.
(a) Payment processor — Stripe, Inc. (United States). Receives billing and tax data (Clause 3§5(c)) for the purpose of processing payments, managing subscriptions, and recovering unpaid amounts. Stripe is subject to its own privacy notice and to contractual protections SZTek maintains with it.
(b) AI providers — OpenAI (United States), Anthropic (United States), Fal.ai (United States), Kling AI / Kuaishou (international), ElevenLabs (United States), Stability AI (United States), and other AI providers SZTek may add or substitute. Receive AI prompts and supporting context (Clause 3§5(d) and (f)) for the purpose of generating AI Output. Where you have configured BYO-AI credentials, prompts and outputs are transmitted to the provider whose credentials you have configured under your own agreement with that provider; SZTek is not responsible for that provider's processing.
(c) Channel APIs — Meta Platforms (United States/Ireland), Google (United States/Ireland), LinkedIn Corporation (United States/Ireland), X Corp. (United States), TikTok / ByteDance (international), e-mail-delivery providers, and other publishing channels you choose to connect. Receive channel-OAuth tokens and the content you instruct SZTek to publish (Clause 3§5(e) and AI output) for the purpose of publishing on your behalf.
(d) Cloud hosting — Oracle Corporation, Canada Cloud Region (primary, Montréal and Toronto). Hosts the bulk of the Service infrastructure and processes personal information at SZTek's direction for the purpose of providing the underlying compute, storage, and networking.
(e) E-mail delivery — providers SZTek selects from time to time (current providers listed in the sub-processor list). Receives the e-mail-address category of personal information for the purpose of transactional and (where consented) marketing e-mail delivery.
(f) Analytics and observability — providers SZTek selects from time to time. The current provider is Plausible Analytics, self-hosted on Oracle Cloud Infrastructure (Canada region), a cookieless, privacy-preserving analytics platform that does not set any third-party tracking cookies and does not require a consent banner under Quebec Law 25 or PIPEDA. SZTek does not use Google Analytics, Meta Pixel, or any cross-site advertising tracker on the in-product application. Analytics and observability providers receive de-identified or aggregated telemetry where possible; where personal information is received, it is processed only for the analytics and observability purposes described in Clause 3§2(h).
(g) Professional advisors and insurers — receive personal information only when necessary for legal, accounting, audit, or insurance purposes, under confidentiality.
(h) Successors in a corporate transaction — in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, where the recipient agrees to honor the commitments in this Policy; SZTek will notify you of the change to the extent required by law.
(i) Regulators, courts, and law-enforcement authorities — where required by applicable law, by court order, or by a lawful and binding regulatory request, or where reasonably necessary to investigate fraud, security incidents, or threats to people or property, in each case to the extent and in the manner permitted by applicable law and at SZTek's sole discretion in determining whether the request meets these conditions.
SZTek does not sell personal information for monetary consideration. SZTek does not communicate personal information to data brokers or advertising networks except as described above where you have configured the channel connection yourself. The current Sub-Processor List is published at https://easymark.ca/en/sub-processors and is updated as third parties are added or removed; you are encouraged to consult it for the current list. SZTek reserves the right, in its sole discretion, to substitute equivalent providers within a given category, in which case the list is updated and continued use of the Service after the update constitutes acceptance of the substitution to the extent permitted by applicable law.
8. Trans-border data transfers and Quebec-resident posture
Several of the recipients listed in Clause 7 operate, or process personal information, outside the Province of Quebec — including in the United States, the European Union, the United Kingdom, and other jurisdictions. Pursuant to Article 17 of Quebec Law 25, before communicating personal information outside Quebec, SZTek conducts a privacy impact assessment that considers, among other factors: (a) the sensitivity of the personal information; (b) the purposes for which the personal information is being communicated; (c) the protection measures, including contractual measures, that would apply to the information in the destination jurisdiction; and (d) the legal framework applicable in the destination jurisdiction, including the personal-information-protection principles applicable there. Where the assessment concludes that the personal information will receive an adequate level of protection in the destination jurisdiction (whether by virtue of the legal framework, contractual measures, or a combination), SZTek proceeds with the communication; where the assessment does not so conclude, SZTek does not communicate the personal information outside Quebec, or it communicates only after additional safeguards have been put in place.
Contractual safeguards. SZTek's contracts with sub-processors and third-party recipients include commitments to: (i) process the personal information only on SZTek's documented instructions or on the documented instructions of SZTek's customers (as applicable to the role); (ii) protect the personal information at a level of protection equivalent to that provided by SZTek; (iii) notify SZTek of any confidentiality incident without unreasonable delay; (iv) submit to reasonable audit and inspection rights; and (v) return or destroy the personal information at the end of the contractual relationship, subject to legal-retention exceptions.
Your acknowledgment. By using the Service, you acknowledge that personal information about you may be communicated to and processed in the jurisdictions described in Clause 7, and that the laws of those jurisdictions may differ from those of Quebec, including the powers of public authorities in those jurisdictions to access personal information. SZTek's contractual safeguards do not, and cannot, override the legal regime of the destination jurisdiction; they reduce, but do not eliminate, this consideration. Where you are unwilling to accept the trans-border processing described in this Section, your alternative is to not use the Service; SZTek will, at your request and before termination, provide the data-export described in Clause 11(c).
9. Automated decision-making and AI-assisted processing
Several functions of the Service involve automated processing of personal information that may produce effects on you. Under Article 12.1 of Quebec Law 25, SZTek describes those functions below and informs you of your right to request information about the principal factors and parameters of decisions made about you on this basis, and to request human review.
(a) AI advisor and content-generation agents. The Service uses AI models to generate marketing content, summaries, recommendations, and to translate or rewrite content. These outputs are decision-supports that you, the user, review and approve before they are published or actioned. They are not, in themselves, decisions taken by SZTek about you that produce legal or similarly significant effects on you.
(b) Optimization and scheduling agents. The Service uses automated processing to optimize the timing, channel allocation, and budget allocation of marketing campaigns you have configured. These optimizations operate within parameters you set and are subject to your approval at the configuration stage; they are not decisions taken by SZTek about you.
(c) Trial-period fraud-detection automation. During the Trial period described in the Terms of Service §7, SZTek uses automated processing to detect abuse patterns, including account-creation anomalies, device-fingerprint-level deduplication, IP-level rate-limiting, behavioral throttling, and other measures referenced in the Terms of Service §7.3. These automated assessments may result in SZTek throttling, suspending, or (where the Terms of Service §7.7 self-limitation does not apply) revoking your access to platform-managed AI services during the Trial. This category of automated processing produces effects on you within the meaning of Law 25 Article 12.1. You may request that SZTek provide information about the principal factors and parameters used in the automated assessment, and request human review of any throttle, suspension, or revocation decision, by contacting privacy@easymark.ca. SZTek will provide a human review and a written response within a reasonable time. The specific thresholds, rate limits, fingerprint windows, and behavioral parameters of the fraud-detection automation are not publicly disclosed in order to preserve their effectiveness against abuse; SZTek will, on a request under Article 12.1, provide the principal factors and parameters of the assessment to the extent consistent with the integrity of the fraud-detection system, exercising its sole discretion in balancing the two interests subject to applicable law.
(d) Payment-fraud screening. Stripe applies automated fraud screening to transactions processed through the Service. The screening is operated by Stripe under its own terms; where a screening decision results in the rejection of a payment, you may request human review by Stripe directly. SZTek will assist you in escalating to Stripe on request.
(e) No fully-automated adverse account actions. SZTek does not, as of the effective date of this Policy, employ fully-automated decision-making to take final adverse actions against your account (such as permanent account termination, refund-recapture, or post-Trial recovery of platform-managed AI cost) without human review. Where the Terms of Service §7.3 contemplates such actions, the Terms of Service §7.7 self-limitation applies pending Canadian counsel sign-off, and SZTek operationally enforces only the soft paths (throttle and suspend-with-support-contact).
10. Security and confidentiality-incident notification
SZTek maintains administrative, technical, and physical safeguards designed to protect personal information against loss, theft, unauthorized access, communication, alteration, or destruction. The safeguards are reasonable in light of the sensitivity of the personal information and current industry practice, and include: (a) encryption of personal information in transit (TLS 1.3 or successor) and at rest (AES-256 or equivalent); (b) role-based access controls with least-privilege provisioning and multi-factor authentication required for staff access to systems holding personal information; (c) audit logging of access and modifications to personal information; (d) tenant isolation in shared infrastructure; (e) vendor security assessments before engagement and periodically thereafter; (f) incident-response procedures; (g) staff training on personal-information protection. No method of transmission or storage is perfectly secure, and SZTek cannot guarantee absolute security.
Confidentiality-incident notification. Where a confidentiality incident involving personal information SZTek holds presents a risk of serious injury to one or more individuals, SZTek will, in accordance with Quebec Law 25 (Articles 3.5 and 3.6) and PIPEDA (Section 10.1) and with the timelines those statutes prescribe: (i) notify the Commission d'accès à l'information du Québec (CAI); (ii) notify the affected individuals; and (iii) notify the Office of the Privacy Commissioner of Canada where PIPEDA so requires. SZTek will maintain a register of all confidentiality incidents and will, on request, provide it to a regulator in accordance with applicable law. The factors SZTek considers in assessing the risk of serious injury include the sensitivity of the personal information involved, the apparent or anticipated use of the personal information, the number of individuals affected, and other factors set out in Law 25 and its regulations.
Document Information. This document is AI-drafted (v1.0 onward). Substantive obligations and bilingual parity are under review by Canadian legal counsel. Document version: v2.0. Effective date: [TBD at publish time by SZTek]. Last counsel review: Pending.
Changes to this Policy. SZTek may update this Policy from time to time. Material changes will be communicated through in-product notice, e-mail, or the websites at least thirty (30) days before they take effect, and (per the re-consent mechanism described in the Terms of Service Section 23) acceptance of the new version is requested on next login. Non-material changes (corrections of typographical errors, clarifications that do not alter substantive obligations) take effect on posting. The "Effective" date appears at the top of this page. After Canadian counsel sign-off, the wording "under review by Canadian legal counsel" is replaced by a version-stamped "reviewed by Canadian legal counsel on [date]" and a new document version (v2.1+) is seeded.