
Privacy Policy
1. Introduction
HEP recognizes the importance of personal data protection and is committed to processing it in a responsible, transparent and secure manner. This policy sets out the rules we follow for collecting, using, sharing, protecting and retaining personal information, taking into account international standards of data protection. It applies to all personal data that we process, whether in the context of our online presence (website, forms, cookies), our commercial exchanges, or the internal management of our staff and suppliers. It aims to ensure that the fundamental rights to privacy and data protection of all data subjects are respected.
2. Definitions
- Personal data: any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier (name, number, location data, etc.).
- Processing: any operation or set of operations relating to personal data, regardless of the process used (collection, recording, organization, storage, modification, extraction, consultation, use, communication, erasure, etc.).
- Data controller: entity that determines the purposes and means of processing.
- Processor: natural or legal person processing data on behalf of the controller.
- Data subject: individual whose data is processed.
- Consent: freely given, specific, informed and unambiguous indication by which the data subject agrees to the processing of his or her personal data.
3. Scope
This policy applies to all entities, employees, partners and subcontractors of HEP involved in the processing of personal data. It covers:
- Data collected on our websites and applications (via forms, cookies, analysis tools).
- Data processed in the context of our customer services or commercial activities.
- HR and administrative data related to employees and collaborators.
- Data transfers between countries, including to providers located outside of Canada or the European Union.
The obligations described apply regardless of the medium or method used (electronic, paper, verbal, etc.).
4. Principles applicable to data processing
We commit to respecting the following principles:
- Lawfulness, loyalty and transparency: processing operations are based on a clear legal basis, explained in an understandable way to the persons concerned.
- Purpose limitation: the data are collected for specific, explicit and legitimate purposes, and are not subsequently used in a way that is incompatible with these purposes.
- Minimization of data: only the strictly necessary data are collected.
- Accuracy: data is kept up to date; errors are corrected without delay.
- Limitation of storage: the data are not kept beyond the duration necessary for the pursued purposes.
- Integrity and confidentiality: adequate security measures protect data against unauthorized access or loss.
- Accountability: we are able to demonstrate our compliance at any time.
5. Rights of data subjects
Any person whose data is processed by IN-NOVA has fundamental rights which they may exercise at any time, subject to applicable legal or contractual obligations. Recognised rights include:
- The right of access: to obtain confirmation that data is being processed, to access such data and to receive a copy thereof.
- The right of rectification: to have inaccurate or incomplete data corrected.
- The right to erasure (right to be forgotten): to request the deletion of data under certain conditions (e.g. withdrawal of consent, obsolete data, unlawful processing).
- The right to limitation: to temporarily restrict processing in certain cases (e.g. verification of correctness).
- The right to object: to oppose a processing for legitimate reasons, notably in case of commercial prospecting.
- The right to portability: to receive data in a structured format or request its direct transmission to a third party.
Requests can be addressed to our Data Protection Officer at the following address: edi@in-nova.ca | Phone: +1 514 532-1029
A response will be provided within 30 days, except in special circumstances.
6. Information security
HEP applies technical and organizational security measures in line with industry best practices. These measures are intended to prevent unauthorized access, use, loss or disclosure of data. Among the protections in place:
- Strong authentication and access management according to the principle of least privilege;
- Encryption of data in transit (HTTPS protocol, SSL) and, if applicable, at rest;
- Regular backups with secure off-site storage;
- Logging of access to critical systems;
- Vulnerability tests and periodic security audits;
- Ongoing training of staff in cybersecurity and confidentiality.
Any incident is documented and managed according to a rigorous protocol, with notification to the persons concerned and to the authorities if necessary.
7. International transfers
HEP may be required to transfer certain personal data to partners or service providers located outside the country of residence of the persons concerned. These transfers are made only when:
- The recipient country ensures an adequate level of protection recognised by the competent authorities;
- Standard contractual clauses or equivalent undertakings have been put in place;
- Explicit consent has been obtained, when required;
- Appropriate security measures are guaranteed.
We ensure that these transfers comply with the legal, contractual and ethical requirements applicable to our activities.
8. Subcontracting
Any processor accessing personal data on behalf of HEP is contractually bound to adhere to strict confidentiality and security commitments. Before any collaboration, HEP:
- Assesses the compliance capabilities of the provider;
- Formalizes the security commitments in a written contract;
- Defines the purposes, categories of data, retention periods and responsibilities;
- Ensures the geographical location of the processing.
Subcontractors are subject to audits and must report any data breach or non-compliance without delay.
9. Incident management
In the event of a security incident involving personal data (loss, leak, unauthorized access, etc.), HEP applies a structured response procedure:
1. Detection and reporting of the incident to the responsible team;
2. Containment, cause analysis and impact assessment;
3. Immediate remediation and documentation;
4. Notification to authorities and concerned persons if the incident presents a risk;
5. Update of preventive and corrective measures.
All steps are mapped and an incident log is maintained in accordance with regulatory requirements.