Privacy Policy

Last updated: January 29, 2026 — Québec (Canada) Jurisdiction

1. Scope

This Privacy Policy describes how the Company collects, uses, stores, discloses, and protects personal and business data processed through the Service.

2. Categories of Data Processed

Account and identification data (name, email, role, organization);
Authentication and access data;
Business and financial data uploaded by users;
Metadata, logs, and usage analytics;
API-derived market and benchmark data.

The Company does not intentionally collect consumer personal data.

3. Purpose of Processing

Data is processed to:

Provide and operate the Service;
Generate analytics, projections, and outputs;
Maintain security, compliance, and auditability;
Improve product performance and reliability;
Comply with legal obligations.

4. Legal Bases for Processing

Personal information is processed based on one or more of the following legal bases, as recognized under Québec Law 25 and PIPEDA:

Execution of a contract or pre-contractual measures;
Legitimate business purposes consistent with the reasonable expectations of professionals and enterprises;
Explicit or implied consent, where required;
Compliance with legal and regulatory obligations.

5. Data Retention and Destruction

Personal information is retained only for the duration necessary to fulfill identified purposes, comply with legal obligations, and satisfy professional or regulatory record keeping requirements.

In accordance with Québec Law 25:

Retention periods are documented internally;
Personal information is securely destroyed or anonymized when no longer required;
Deletion requests are processed in accordance with Company’s documented DSAR procedures, subject to legal holds.

6. Data Sharing

Data may be shared with:

Cloud infrastructure and security providers;
Analytics and monitoring vendors;
Regulatory or legal authorities when required.

No data is sold.

7. Cross-Border Processing and Data Localization

Personal information and business data may be processed, stored, or accessed outside Québec or Canada, including in jurisdictions where the Company or its service providers operate.

Before transferring personal information outside Québec, the Company conducts a privacy impact assessment where required and implements appropriate contractual, organizational, and technical safeguards in accordance with Québec Law 25.

8. Security Measures

Security controls include:

Encryption at rest and in transit;
Role-based access controls and least-privilege principles;
Monitoring, logging, and incident response procedures;
Secure development, deployment, and change-management practices.

9. Individual Rights, Complaints, and Automated Processing

Individuals whose personal information is processed by the Company may exercise the following rights, subject to applicable law:

Withdraw consent, where applicable;
Right of access to personal information;
Right correction of inaccurate or incomplete information;
Right to data portability, where required by law;
Right to deletion or anonymization, subject to legal retention requirements.

To exercise these rights, individuals may contact the Company’s Privacy Officer. The Company may request additional information to verify the individual’s identity before responding. If a request cannot be fulfilled, the Company will provide an explanation. Requests are handled in accordance with the Company’s documented Data Subject Access Request (DSAR) procedures, and responses are provided within thirty (30) days, unless an extension is permitted by applicable law.

The Service uses automated processing and proprietary algorithms to generate analytics, projections, and valuation-related outputs. Such processing is intended to support professional analysis only and does not constitute automated decision-making producing legal or similarly significant effects. Where required by law, individuals may request a high-level explanation of the logic involved in such processing, subject to the protection of Company’s trade secrets and intellectual property.

Individuals may submit complaints regarding the handling of personal information to the Privacy Officer. If concerns remain unresolved, individuals may also contact the Commission d’accès à l’information du Québec (CAI) or the Office of the Privacy Commissioner of Canada (OPC), as applicable.

10. Cookies and Tracking Technologies

The Service uses cookies and similar technologies that are necessary for core functionality, security, authentication, and performance monitoring. Cookies may be session-based or persistent.

Users may manage or disable cookies through their browser settings. Please note that disabling certain cookies may affect the availability or functionality of specific features of the Service. The Service does not use cookies for targeted advertising or behavioral profiling.

11. Updates and Modifications

The Company may update this Privacy Policy from time to time to reflect changes in legal requirements, technology, business practices, or the evolution of the Service. Where changes are material, the Company will provide notice through the Service or by other reasonable means.

Continued access to or use of the Service following the effective date of an updated Privacy Policy constitutes acceptance of the revised policy.

12. Contact and Privacy Officer

In accordance with Québec’s Act respecting the protection of personal information in the private sector (Law 25), the Company has designated a Privacy Officer responsible for overseeing the protection of personal information.

Privacy Officer: Chief Technology Officer, Clervue Inc.
Email: contact@clervue.ca

If an individual is not satisfied with the Company’s response, they may contact the Commission d’accès à l’information du Québec (CAI) or the Office of the Privacy Commissioner of Canada (OPC).