Privacy Policies

Last Updated: September 22, 2023

Privacy Policy and Personal Information Governance Practices

Propair Inc. is committed to protecting all personal information collected and used in the management of its operations.

PURPOSE OF THE POLICY

This privacy policy establishes the principles and guidelines governing how Propair manages and processes confidential information. As a company concerned with the well-being of its employees, clients, suppliers, and third parties, we recognize the importance of maintaining accurate, complete, and confidential records to ensure effective human resource management and comply with legal obligations related to information privacy.

This policy applies to all employees, contractors, and any other stakeholders who, in the course of their duties, may have access to information that may be confidential. Its aim is to establish high standards of security and confidentiality to protect personal information and promote transparency and integrity in records management.

Propair is committed to complying with the Act respecting the protection of personal information in the private sector and to taking proactive measures to prevent any unauthorized access, disclosure, or misuse of information contained in its records. Efficient record management promotes informed decision-making, transparent communication, and a relationship of trust between the company and its employees, clients, and suppliers.

We encourage all stakeholders who access information in the course of their duties to read this policy, comply with it, and report any violations or concerns regarding confidentiality.

This policy is subject to biannual review to ensure alignment with technological advancements, legal requirements, and best practices in data privacy.

---

SCOPE OF THE POLICY

This privacy policy applies to all activities related to the collection, use, processing, storage, and sharing of personal information within Propair. It covers all stakeholders, including employees, clients, suppliers, business partners, shareholders, regulatory bodies, and the public.

Personal information covered by this policy includes all identifying data, financial details, health records, personal preferences, and any other private information that can be used to identify or characterize an individual. This also includes sensitive information that must be protected under applicable data protection laws and regulations.

The privacy policy applies to all departments, services, and subsidiaries of the company, whether local or international. It is binding on all company employees, regardless of their position, as well as on any third-party service providers handling personal information on behalf of the company.

The principles outlined in this policy apply to all stages of the personal data lifecycle, including collection, storage, use, transmission, retention, and destruction. This also covers all media used to store personal information, whether physical or electronic.

The privacy policy is reviewed regularly to reflect technological changes, regulatory updates, and evolving best practices in data protection.

By adopting this privacy policy, the company affirms its commitment to the protection of personal data, the preservation of stakeholder trust, and compliance with its legal obligations regarding privacy.

---

DEFINITIONS

• Personal Information: Refers to any information about a natural person that allows them to be identified. Such information is confidential and, with certain exceptions, cannot be disclosed without the individual’s consent.

• Confidential Information: Refers to sensitive, private, or restricted information or data. Unauthorized disclosure may result in adverse consequences for the individuals concerned or the organization holding the information.

---

RESPONSIBLE PERSON

The person responsible for access to documents and protection of personal information must ensure compliance with the Access to Information Act at all times. This individual reports directly to the company president, who formally delegates this responsibility in writing.

Required qualifications include:

• Direct connection to the company’s administrative and human resources departments.

• Competence and knowledge in handling complaints.

• Understanding of the policies and procedures related to this law.

• Availability to carry out the role effectively.

• Mandatory completion of a course on the responsibilities of this position.

The designated person must ensure the company has the necessary resources and implements appropriate measures to comply with all legal requirements.

This role is strategic, as it ensures the respect of the right to information and privacy recognized by the Charter of Human Rights and Freedoms. Specific responsibilities include:

• Recording all communications in response to incidents involving personal information.

• Participating in the assessment of harm from such incidents.

• Approving policies and practices related to personal data governance.

• Managing access and rectification requests.

• Supporting individuals who request explanations for denied access.

• Managing posthumous information disclosures when appropriate.

• Conducting Privacy Impact Assessments (PIA) for systems involving personal data.

• Suggesting data protection measures at all project stages.

• Handling written requests related to:

  • Ceasing the dissemination of personal data

  • De-indexing links tied to personal data

  • Data portability (from 2024 onward)

---

PURPOSES OF DATA COLLECTION

Our privacy policy outlines standards for collecting, using, disclosing, and retaining your personal data. It also explains how we protect it and your rights to access it.

---

PERSONAL INFORMATION

Personal information refers to any information, or combination of information, that relates to a natural person and can be used to identify them. However, an individual’s name, job title, business address, business phone number, and professional email are not considered personal information.

All personal information must be protected regardless of format—written, visual, digital, audio, or otherwise.

---

USE OF SENSITIVE PERSONAL INFORMATION

Sensitive personal information we collect is used for the following purposes:

• To respond to your requests and provide the information you seek

• To manage your medical file as an employee, due to the nature of our operations

---

CONSENT

We will request your written consent before collecting, using, or disclosing your personal information for stated purposes. We will also seek your consent before any new use or if the original purpose for data collection changes.

We use your data solely for the purposes for which it was collected and retain it only as long as necessary to deliver the requested service.

However, we may collect, use, or disclose your information without consent where permitted or required by law—particularly for legal, medical, or security reasons.

---

LIMITATIONS ON COLLECTION, USE, AND DISCLOSURE

We collect personal information mainly to confirm identity, create employee files, and comply with legal obligations (e.g., tax reporting). Access is restricted to authorized individuals for legitimate work-related purposes.

---

DISCLOSURE OF PERSONAL INFORMATION

We do not sell, trade, or rent your personal data. Disclosure may only occur when:

• Necessary to provide services or products you requested

• Required by law or legal process

• Needed to protect our rights or the safety of users

---

DATA RETENTION

We retain your personal information only as long as necessary for its intended purpose, then destroy it per applicable laws and internal retention policies, ensuring confidentiality throughout the process.

---

ACCURACY

We strive to keep personal data accurate and up to date for its intended use. We do not routinely update personal data unless necessary. Accuracy depends partly on the information you provide when giving consent.

---

ACCOUNTABILITY

We are responsible for all personal information in our possession or entrusted to third parties. These third parties are held to strict confidentiality standards.

Our Privacy Officer oversees the implementation and compliance of this policy. Staff are trained on our data protection policies and procedures.

---

SECURITY MEASURES

We maintain robust security measures to keep your data confidential and safe from unauthorized access, loss, or misuse. These include:

• Organizational controls: Access restriction, data backups

• Technological controls: Password protection, firewalls, encryption

---

ACCESS TO PERSONAL INFORMATION

Only authorized personnel may access your personal information, and only if it is necessary for their job functions.

---

REQUESTS FOR ACCESS OR MODIFICATION

You have the right to know whether we hold personal data about you, to view it, and to request corrections. We will respond within a reasonable timeframe, and may charge a nominal processing fee.

We may deny access in limited cases, such as when it involves third parties, legal privilege, prohibitive costs, or information related to fraud investigations.

Medical information may only be disclosed through a designated healthcare professional.

Requests for access or corrections should be sent to:

Chief Privacy Officer
Email TBD
(819) 762-0811

---

DE-INDEXING

You have the right to request de-indexing, which means unlinking your name from certain data across our systems. Data will not be deleted but will no longer be associated with your identity. Use form FOR-83123 to submit a request.

---

RIGHT TO WITHDRAW

You may generally withdraw your consent to data use or disclosure at any time. However, doing so may limit the services or benefits we can offer.

---

PRIVACY INCIDENTS

a. Definitions:
A “privacy incident” means:

• Unauthorized access, use, or disclosure of personal data

• Loss of personal data

• Any breach of data protection

b. Actions to Take:
In the event of an incident, Propair Inc. must:

• Assess the affected data

• Take steps to reduce the risk of harm and prevent future incidents

c. Notification:
If the incident poses a risk of serious harm, within 48 hours, we must:

• Notify the Commission d’accès à l’information

• Notify affected individuals

• Notify any third parties who may help reduce the risk (with limited disclosure)

d. Risk Assessment:
We must evaluate:

• Sensitivity of the data

• Likely consequences

• Probability of misuse

e. Incident Register:
Propair Inc. keeps a register of all privacy incidents.

---

COMPLAINTS AND QUESTIONS

All complaints or concerns regarding personal data should be addressed to the Privacy Officer. All complaints will be investigated. If warranted, we will adjust our practices or policies.

---

TRAINING AND AWARENESS

Propair promotes best practices and awareness through:

• Informing staff

• Displaying the Privacy Officer’s contact info

• Awareness efforts such as training sessions, team reminders, action plans, internal logs

---

ENFORCEMENT

If you believe the company has failed to uphold these principles, please notify our Privacy Officer. We will investigate and take corrective measures as needed. Please indicate “Privacy Concern” in the subject line.

---

POLICY UPDATES

This policy must be reviewed every three years and updated following any major changes in legislation or regulatory requirements.
Last updated: September 22, 2023