io4 Technologies

Protection of personal information

Privacy policy.

How io4 Technologies inc. collects, uses, retains and protects your personal information, in accordance with Québec's Law 25, applicable Canadian laws and the General Data Protection Regulation (GDPR) for our French office in Lyon.

Effective date: September 22, 2024
Last updated: May 17, 2026

In short

The essentials of our policy in 6 points.

  • We collect only the personal information necessary for the explicitly stated purposes (contact, downloaded resources, job applications, services).
  • We never sell your personal information. It is only shared with our operational subcontractors (hosting provider, email, Microsoft cloud) under a confidentiality agreement.
  • Your data is primarily hosted in the Canadian regions (Microsoft Azure Canada Central and Canada East).
  • At any time you have a right of access, rectification, withdrawal of consent, portability and de-indexing.
  • Our Privacy Officer responds to your requests within a maximum of 30 days.
  • No decision affecting a person (hiring, services, pricing) is made by io4 Technologies on an exclusively automated basis.

1. Our commitment

io4 Technologies inc. (“io4”, “we”, “our”) places fundamental importance on protecting the privacy and confidentiality of the personal information entrusted to it.

This policy describes, in clear and accessible terms, how we collect, use, disclose, retain and protect your personal information when you interact with our website (www.io4tech.com), our consulting services, our communications or any other point of contact with io4.

This policy is written in accordance with Québec's Act respecting the protection of personal information in the private sector (CQLR, c. P-39.1, hereinafter “Law 25”) and, where applicable, the Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5).

2. Privacy Officer

In accordance with section 3.1 of Law 25, io4 Technologies inc. has designated a Privacy Officer (the person in charge of the protection of personal information), responsible for ensuring compliance with and the implementation of personal-information protection obligations.

To reach the Privacy Officer

  • Name: Louis-Philippe Rousseau
  • Role: Privacy Officer
  • Email: info@io4tech.com
  • Phone: 514-447-2851
  • Email subject: “Privacy Officer - protection of personal information”
  • Mailing address: io4 Technologies inc., attention of the Privacy Officer, 1010-666, Sherbrooke Ouest, Montréal, H3B 1E7

3. Scope

This policy applies to all personal information collected by io4 Technologies inc. in connection with:

  • your browsing on the www.io4tech.com Site and its subdomains
  • your use of the contact, assessment-request or booking forms
  • your request to download a white paper, guide or resource
  • your sign-up to a notification list (webinars, resources)
  • your application to a position posted on the Careers page
  • the delivery of Microsoft, Azure, Copilot or cybersecurity consulting services
  • your exchanges by phone, email or in meetings with our experts
  • your participation in an event, workshop or webinar organized by io4

It does not cover the privacy practices of third parties to which we may direct hyperlinks (partner sites, Microsoft documentation, press articles). We invite you to review their own policies.

4. Personal information collected

We limit collection to the personal information necessary for the purposes described in section 5. The following categories may be collected, depending on your interactions:

4.1 Identification and contact information

First name, last name, work email, phone number, role, organization name, organization size, industry, mailing address (where applicable).

4.2 Content of exchanges

Messages, requests, needs descriptions, meeting minutes, emails exchanged, documents voluntarily shared.

4.3 Application information

Résumé, cover letter, professional background, education, certifications, salary expectations where applicable, items submitted during a recruitment process.

4.4 Browsing and technical information

IP address (anonymized where possible), device type, browser type, operating system, pages visited, visit duration, referral source, browsing cookies (see section 16).

4.5 Professional information (clients and prospects)

Information about your technology environment voluntarily shared as part of a mandate (Microsoft 365 architecture, Azure, sector context) — strictly limited to what is necessary for delivering the services.

Sensitive information: we do not knowingly collect sensitive personal information within the meaning of Law 25 (health, racial origin, political opinions, biometric data, sexual orientation, convictions) through our Site. If you transmit such information to us on your own initiative, it receives enhanced protection and separate explicit consent will be requested.

5. Purposes of processing

Your personal information is processed only for specific, explicit and legitimate purposes:

5.1 Responding to your requests

Handling your contact, assessment or quote requests, or any question addressed to io4. Basis: performance of a pre-contractual or contractual step at your initiative.

5.2 Providing a requested resource

Giving you access to the white papers, guides, checklists or other resources you explicitly requested via a form. Basis: fulfilling your request.

5.3 Commercial and marketing communications

With your separate prior consent, sending you webinar invitations, blog publications, and news about our services. You can withdraw this consent at any time, free of charge. Basis: consent.

5.4 Delivering consulting services

Carrying out the mandates you entrust to us (Microsoft 365, Azure, Copilot, security, Law 25, etc.) and following up on them. Basis: performance of a contract.

5.5 Managing applications

Assessing your application for a position, contacting you as part of a recruitment process, and keeping your file for future opportunities with your consent. Basis: a step at your initiative + consent for extended retention.

5.6 Improving the Site and the user experience

Analyzing traffic statistics (in aggregated and anonymized form where possible) to improve the content and performance of the Site. Basis: legitimate interest, with minimization measures.

5.7 Security and incident prevention

Detecting and preventing attempts at fraud, intrusion, abuse or breach of the terms of use. Basis: legitimate interest and legal obligations.

5.8 Legal and regulatory compliance

Meeting our legal and tax obligations (invoicing, accounting retention, filings), and cooperating where applicable with the competent authorities (CAI, CRA, Revenu Québec, etc.).

Your information is never used for purposes incompatible with those for which it was collected without your prior consent, except as provided by law.

6. Consent

In accordance with Law 25, your consent to the collection and processing of your personal information is clear, free, informed and given for specific purposes. It is requested separately from any other information and on a granular basis for distinct purposes (for example, consent to receive marketing communications is separate from the consent needed to process a contact request).

You can withdraw your consent at any time, free of charge and without justification, by writing to our Privacy Officer. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal. Depending on the purpose, withdrawing consent may prevent us from continuing to provide you with certain services.

7. Recipients and subcontractors

Your personal information is accessible only to the people who need it for the stated purposes, following the principle of least privilege:

  • Authorized personnel of io4 Technologies inc. (experts, executives, administrative team) bound by a contractual confidentiality obligation
  • Technical subcontractors acting on behalf of io4, under a contract ensuring a level of protection equivalent to Law 25
  • Competent public authorities where required by law (CAI, courts, tax authorities, law enforcement on a legal basis)

Main subcontractors:

Subcontractor | Purpose | Location
Microsoft Corporation | Microsoft 365 and Azure hosting, internal productivity, business email, document management | Canada Central (Toronto) and Canada East (Québec City) by default. Azure France Central (Paris) available on request for European clients.

Each subcontractor is bound to io4 by a written agreement governing confidentiality, security, retention period and the return or destruction of data at the end of the relationship.

We never sell or rent your personal information to third parties for commercial purposes.

8. Disclosure of information outside Québec (article 17)

In accordance with article 17 of Law 25, we inform you that some of your personal information may be disclosed or hosted outside Québec:

  • Within Canada: primary hosting on Microsoft Azure Canada Central (Toronto, Ontario) and Canada East (Québec) infrastructure, along with the associated geo-redundant backup.
  • In the United States: the Site's application hosting (Vercel), certain transactional email services and certain CRM modules may process data in the United States or through operators with U.S. facilities.

Before any disclosure outside Québec, io4 carries out a privacy impact assessment (PIA) that takes into account:

  • the adequacy of the legal protection offered in the destination jurisdiction,
  • the contractual measures imposed on the recipient (confidentiality clauses, audit, return, destruction),
  • the technical measures in place (encryption at rest and in transit, access controls, logging, segmentation, data segregation),
  • the sensitivity of the information disclosed and the purposes pursued.

Disclosure outside Québec is carried out only if the PIA concludes that protection is equivalent. To obtain the summary of a PIA on a specific processing activity, you may write to the Privacy Officer.

9. Automated decisions and artificial intelligence

In accordance with article 12.1 of Law 25 (in force since 22 September 2023), we inform you that:

  • No decision concerning an identifiable person (hiring, evaluation, refusal of service, individualized pricing) is made by io4 Technologies on an exclusively automated basis. Any significant decision involves qualified human intervention.
  • Our experts use artificial-intelligence tools (notably Microsoft 365 Copilot) for internal productivity — drafting, summarizing, document research. These uses never result in an automated decision concerning you.
  • If, as part of a future mandate, io4 were to implement a system making decisions exclusively through automated processing about you, you would be informed beforehand and would have the right to request review of the decision by a natural person.

10. Retention period and destruction

We retain your personal information only for as long as necessary for the stated purposes, or for the minimum period required by law:

Type of information | Retention period
Contact requests (prospects) | 24 months from the last exchange, unless a subsequent contractual relationship
Resource downloads (white papers) | 36 months from the download, unless marketing consent is withdrawn
Active client files | Duration of the mandate + 7 years (accounting and tax obligations under Québec's Taxation Act and Canada's Income Tax Act)
Successful applications | Duration of the employment relationship + applicable legal periods
Unsuccessful applications | 12 months, extendable with explicit consent (candidate pool)
Browsing cookies | See section 16
Privacy incident register | 5 years from the date of the incident (legal obligation)

At the end of the retention period, personal information is either securely destroyed (logical and physical deletion of the media) or irreversibly anonymized where it is retained in aggregate form for statistical purposes.

11. Security measures

io4 Technologies, as a Microsoft Solutions Partner specialized in cybersecurity, implements rigorous technical and organizational measures to protect your personal information against unauthorized access, loss, alteration or disclosure:

  • Encryption of data at rest (AES-256) and in transit (TLS 1.2+)
  • Mandatory multi-factor authentication for all access to systems containing personal information
  • Access controls based on the principle of least privilege, reviewed quarterly
  • Microsoft Defender XDR for incident detection and response (endpoint, identity, email)
  • Microsoft Purview for classification, labeling and data-loss prevention (DLP)
  • Conditional Access and Privileged Identity Management (PIM) for administrative accounts
  • Centralized logging and retention of audit logs for a minimum of 12 months
  • Encrypted geo-redundant backups in Canada
  • Mandatory annual training in cybersecurity and personal-information protection for all staff
  • A signed contractual confidentiality commitment from every employee and every subcontractor
  • A documented privacy impact assessment (PIA) procedure for any new processing activity
  • An incident response plan with a CAI and affected-individual notification procedure

Despite these measures, no information system can guarantee absolute security. In the event of an incident, we apply the procedure described in section 12.

12. Privacy incidents

Any privacy incident (unauthorized access, use, disclosure or loss of personal information) is recorded in an internal register kept by the Privacy Officer.

When an incident presents a risk that serious injury could be caused to the individuals concerned, io4 proceeds without delay to:

  • notify the Commission d'accès à l'information (CAI);
  • individually notify the affected individuals, except in exceptional circumstances;
  • implement mitigation, remediation and prevention measures.

13. Your rights

Subject to the exceptions provided by law, you have the following rights regarding your personal information:

Right of access

Obtain confirmation that information about you is held and receive a copy of it.

Right of rectification

Have inaccurate, incomplete or ambiguous information corrected.

Right to withdraw consent

Withdraw at any time a previously given consent, free of charge and without justification.

Right to portability

Receive your computerized personal information in a structured, commonly used technological format, or request its direct transfer to a third party.

Right to de-indexing

Request that dissemination cease, or that information be de-indexed or re-indexed, where dissemination causes serious injury to your reputation or privacy.

Right to information on automated decisions

Know the main factors that led to an automated decision concerning you and request human review.

14. How to exercise your rights

To exercise one of these rights, send your written request to io4 Technologies inc.'s Privacy Officer:

  • By email: info@io4tech.com (subject: “Privacy Officer - Law 25 rights request”)
  • By mail: io4 Technologies inc., attention of the Privacy Officer, 1010-666, Sherbrooke Ouest, Montréal, H3B 1E7

To protect your personal information, we may ask you to confirm your identity before acting on your request (for example, by replying from the email address used at the time of collection).

We respond to your request within a maximum of 30 days of receiving it. If we cannot act on your request, we will explain the reasons and indicate the available remedies.

For the right to portability, the computerized information is provided to you in a structured, commonly used format (for example JSON or CSV), or can be transferred directly to a designated third party, subject to technical feasibility.

Exercising your rights is free of charge. However, if a request is manifestly abusive or repetitive, we may charge reasonable minimal fees or decline to act on it, explaining the reasons to you.

15. Recourse to the Commission d'accès à l'information

If you are not satisfied with how our Privacy Officer handled your request, or if you believe your rights have not been respected, you may file a complaint with the Commission d'accès à l'information du Québec (CAI):

Commission d'accès à l'information du Québec

Where PIPEDA applies (interprovincial commercial activities), you may also contact the Office of the Privacy Commissioner of Canada (OPC): www.priv.gc.ca.

16. Cookies

The Site uses cookies and similar technologies to ensure it works properly, measure its audience and, if you consent, improve your experience.

In accordance with the CAI's position, non-essential cookies are disabled by default and are only activated after your explicit consent (opt-in). You can change your preferences at any time from the cookie management banner.

Category | Purpose | Consent | Duration
Essential cookies | Security, session, load balancing, remembering your consent choice | Not required (necessary) | Session to 12 months
Audience measurement — Google Analytics 4 & Google Tag Manager | Aggregated traffic statistics (page views, referral source, visit duration), truncated IP address. Service provided by Google. | Opt-in | 13 months maximum
Preferences and improvement | Remembering your display and language preferences | Opt-in | 12 months

Measurement tools and consent

To measure Site traffic, we use Google Analytics 4 and Google Tag Manager, services provided by Google LLC. We apply Google Consent Mode v2: by default, no measurement or advertising cookie is set. These cookies are only activated after your explicit consent (clicking “Accept all” in the banner). If you decline, no audience measurement is performed.

You can change or withdraw your choice at any time via the “Manage my cookies” link at the bottom of every page, which reopens the consent banner.

These tools may involve a transfer of data to the United States (Google's headquarters). This transfer is governed by appropriate safeguards (the European Commission's standard contractual clauses and Google's adherence to the EU–U.S. Data Privacy Framework). The IP address is truncated to limit identification.

You can also configure your browser to block or delete cookies, bearing in mind that this may affect how some parts of the Site work.

17. Information concerning minors

The Site and services of io4 Technologies inc. are intended for a professional audience (businesses, public bodies, nonprofits) and are not aimed at minors under 14 years of age.

We do not knowingly collect personal information concerning minors under 14. If you believe that a minor has provided us with personal information without the required authorization, please contact our Privacy Officer immediately so that we can delete it.

18. Policy updates

This policy may be amended to reflect changes in our practices, the technologies used or the applicable legal framework. The date of the last update appears at the top of this page.

In the event of a substantial change affecting your rights, we will inform you by an appropriate means (notice on the Site, email if you are subscribed to a list, a request for new consent where applicable) before the changes take effect.

We recommend that you review this page periodically.

19. Contact us

For any question, concern or request relating to this policy or the protection of your personal information:

io4 Technologies inc. - Privacy Officer

Email: info@io4tech.com

Phone: 514-447-2851

1010-666, Sherbrooke Ouest, Montréal, H3B 1E7

This policy is written in French. An English version may be available as a courtesy. In accordance with Québec's Charter of the French Language, the French version prevails.