Privacy Policy

Legal Name: 9403-3974 Québec Inc.
Operating As: Bio-Sol
Trademark: BIO-SOL® (Canadian Trademark Registration #TMA1321657)

Business Address:
78 Authier Street East
St-Alphonse-de-Granby, Quebec
Canada J0E 2A0

Contact Information:
Phone: 1-800-378-6132
Email: [email protected]
Website: www.bio-sol.ca

Privacy Contact Person:
Jean-Sébastien Gagné
Phone: 1-800-378-6132
Email: [email protected]

About Us:
Founded in 1992, Bio-Sol specializes in biological wastewater treatment products for septic systems. We serve residential and commercial customers across Canada with environmentally-friendly solutions for septic system maintenance.

Quebec Business Number (NEQ): 1174797903

This Privacy Policy applies to:

• Our website (www.bio-sol.ca)
• Online purchases and orders
• Phone and email orders
• Customer accounts
• Newsletter subscriptions
• Contact form submissions
• AI-powered septic system analysis tool
• Customer support interactions
• All other interactions with Bio-Sol

We comply with:

• Quebec Bill 25 (Law 25) - Act respecting the protection of personal information in the private sector
• PIPEDA - Personal Information Protection and Electronic Documents Act (Canada)
• CASL - Canadian Anti-Spam Legislation
• Consumer Protection Act (Quebec)
• All applicable Canadian and Quebec privacy laws

This Privacy Policy is available in both English and French. In case of any discrepancy between the English and French versions, the French version shall prevail in Quebec.

We may update this Privacy Policy from time to time. When we make significant changes, we will:

• Update the "Last Updated" date at the top of this page
• Notify you by email if you have an account with us
• Display a prominent notice on our website

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

Continued use of our website or services after changes take effect constitutes acceptance of the updated Privacy Policy.

If you have questions about this Privacy Policy or concerns about how we handle your personal information, please contact us:

Jean-Sébastien Gagné
Bio-Sol
78 Authier Street East
St-Alphonse-de-Granby, Quebec, Canada J0E 2A0

Phone: 1-800-378-6132
Email: [email protected]
Contact Form: Available on our website

We will respond to your request within 30 days as required by Quebec Bill 25.

We collect personal information directly from you when you interact with our website, create an account, place an order, contact us, or use our services.

8.1 ACCOUNT INFORMATION

When you create a customer account, we collect:

Required Information:

• Full name (first and last name)
• Email address
• Password (encrypted and never stored in plain text)
• Phone number

Optional Information:

• Secondary phone number
• Communication preferences (call availability, preferred contact times)
• Preferred language (English or French)

Purpose: To create and manage your account, process orders, provide customer support, and communicate with you about your orders and our services.

8.2 ORDER AND PURCHASE INFORMATION

When you place an order (online, by phone, or by email), we collect:

Billing Information:

• Full name
• Billing address (street, city, province, postal code)
• Email address
• Phone number
• Payment method type (credit card, PayPal, e-transfer)

Shipping Information:

• Recipient name
• Shipping address (street, city, province, postal code)
• Phone number (for delivery)
• Delivery instructions (if provided)

Order Details:

• Products ordered
• Quantities
• Prices
• Order total
• Order date and time
• Order status
• Tracking numbers

Purpose: To process and fulfill your order, arrange shipping, provide order updates, handle returns/refunds, maintain order history, and comply with legal obligations (accounting, tax reporting).

8.3 PAYMENT INFORMATION

Credit/Debit Card Payments (Online - Stripe):

• Card number, expiry date, CVV (processed securely by Stripe - we do NOT store full card details)
• Cardholder name
• Billing address

Credit/Debit Card Payments (Phone - Helcim):

• Card number, expiry date, CVV (processed securely by Helcim)
• Helcim customer unique code (if you choose to save your card)

PayPal:

• PayPal email address
• Transaction ID

E-Transfer (Interac):

• Email address used for e-transfer
• Transfer reference number

Saved Payment Methods:

• If you choose to save your payment method for future orders, we store a tokenized payment method (NOT your actual card number)
• Last 4 digits of card
• Card brand (Visa, Mastercard, Amex)
• Expiry month/year

Chargeback Defense Consent:

• We require your consent to use your order information to defend against fraudulent chargebacks
• This includes sharing order details, delivery confirmation, and communications with payment processors

Purpose: To process payments securely, save payment methods (with your consent), handle refunds, prevent fraud, and defend against fraudulent chargebacks.

Important: We are PCI-DSS compliant. Full card details are processed by certified payment processors (Stripe, Helcim, PayPal) and are never stored on our servers.

8.4 SEPTIC SYSTEM INFORMATION

When you use our AI-powered septic system analysis tool, contact us for advice, or consult with our team, we may collect:

System Details:

• Type of septic system (conventional, advanced, commercial, RV)
• Year of installation
• Year you became the owner/operator
• System components (tank size, leach field type)
• Mandatory pumping requirements (yes/no)
• Last pumping date

Property Information:

• Number of people using the system
• Household size
• Property type (residential, commercial, cottage, RV)
• Soil type (if known)
• Water softener presence (yes/no)

Problem Description:

• Symptoms and issues you're experiencing
• How long problems have persisted
• Urgency level
• Previous treatments attempted
• Other relevant details

Monthly Maintenance:

• Current maintenance routine (if any)
• Products used (if any)

Photos/Files (Optional):

• Photos of your septic system, problems, or property
• System diagrams or documentation
• Uploaded via AI chat or email

Purpose: To analyze your septic system situation, provide personalized product recommendations, deliver consultations, create custom maintenance calendars, and provide ongoing support.

8.5 CONTACT FORM AND INQUIRIES

When you contact us via our website contact form, email, or phone, we collect:

• Your name
• Email address
• Phone number (if provided)
• Subject of inquiry
• Message content
• Any attachments you send (photos, documents)

Purpose: To respond to your questions, provide customer support, address concerns, and improve our services.

8.6 AI CHAT CONVERSATIONS

When you use our AI-powered septic system analysis chat, we collect:

• Full chat conversation history
• Questions you ask
• Answers provided by the AI
• Information you share about your septic system
• Timestamp of each message
• Your account ID (if you're logged in) or session ID (if guest)

AI Service Provider: OpenAI (ChatGPT)

Important Notes:

• Chat data is sent to OpenAI (US-based company) for AI processing
• OpenAI may use conversations to improve their AI models (per OpenAI's privacy policy)
• Do NOT share credit card numbers, passwords, or highly sensitive personal information in the chat
• We store chat history in our database for your reference and to improve our services
• If you're logged in, chat history is linked to your account and visible in your account dashboard

Purpose: To provide AI-powered septic system analysis, save your conversation history for future reference, improve our AI recommendations, and provide better customer service.

8.7 NEWSLETTER SUBSCRIPTIONS

When you subscribe to our newsletter, we collect:

• Email address (required)
• Subscription date and time
• IP address (for CASL compliance record-keeping)
• Source page (where you signed up)

Email Marketing Service: Omnisend (US-based)

Purpose: To send you marketing emails (newsletters, promotions, product updates), maintain CASL compliance records, and manage subscription preferences.

You can unsubscribe at any time by clicking the "Unsubscribe" link in any marketing email.

8.8 TECHNICAL INFORMATION (AUTOMATICALLY COLLECTED)

When you visit our website, we automatically collect certain technical information:

IP ADDRESS (PROMINENTLY DISCLOSED):

• Your Internet Protocol (IP) address
• Used for: Security, fraud prevention, analytics, approximate location, and service delivery
• Retention: 2 years, then deleted or anonymized
• Shared with: Google Analytics, Omnisend, OpenAI (via API calls), hosting provider (Render.com)

Browser and Device Information:

• Browser type and version (Chrome, Firefox, Safari, etc.)
• Operating system (Windows, Mac, iOS, Android)
• Device type (desktop, mobile, tablet)
• Screen resolution
• Preferred language (from Accept-Language header - used for language detection)

Website Usage Information:

• Pages visited
• Date and time of visits
• Time spent on pages
• Referring website (where you came from)
• Links clicked
• Search queries on our website
• Products viewed

Purpose: To improve website functionality, analyze user behavior, detect fraud, prevent abuse, optimize content, and deliver a better user experience.

8.9 COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar technologies. See our Cookie Policy (Section 12) for complete details.

Brief summary:

• Essential cookies (required for website functionality)
• Analytics cookies (Google Analytics, Meta Pixel - with consent)
• Shopping cart cookies (to remember your cart items)
• Authentication cookies (to keep you logged in)
• Language preference cookies

YouTube Video Embeds:

• We embed YouTube videos (testimonials) on our website
• YouTube (Google) may set cookies and track views when you watch videos
• See YouTube Privacy Policy: https://policies.google.com/privacy

8.10 MARKETING AND ADVERTISING DATA

Google Ads and Facebook Ads Tracking:

• GLID (Google Click ID) - tracks which ad brought you to our site
• Facebook Pixel data - tracks conversions and ad performance
• Ad campaign source, medium, and campaign name
• Conversion events (e.g., purchased product, signed up for newsletter)

Retention: 2 years, then deleted or anonymized

Purpose: To measure advertising effectiveness, optimize ad campaigns, retarget interested customers, and improve marketing ROI.

8.11 REVIEWS AND TESTIMONIALS

Endorsal Review Platform:

• When you submit a review through Endorsal (third-party review platform)
• Your review, name, and any information you provide are stored on Endorsal's servers
• We display approved reviews on our website
• By submitting a review, you consent to us using it for marketing purposes (website, social media, advertising)

To remove a review: Contact us at [email protected] or 1-800-378-6132

Endorsal Privacy Policy: https://endorsal.io/privacy/

8.12 PHONE CALL DATA

When you call us at 1-800-378-6132:

• Phone number (caller ID)
• Date and time of call
• Call duration
• Call notes (information discussed)
• Verbal consent ("Loi 25 consent") - Before collecting detailed personal information about your septic system, we ask for your verbal consent as required by Quebec Bill 25

Call Recording:

• We do NOT currently record phone calls

Purpose: To provide customer support, process phone orders, maintain call history for reference, and comply with Quebec Bill 25 consent requirements.

8.13 MAINTENANCE CALENDARS

Custom Maintenance Calendars (PDF):

• Your name
• Septic system information (type, size, household size)
• Recommended treatment schedule
• Product recommendations

Storage: Stored on Cloudinary (cloud storage service)

Retention: Available in your account dashboard; deleted upon account deletion

Purpose: To provide you with a personalized maintenance schedule, help you maintain your septic system, and track your treatment history.

8.14 REMINDER PREFERENCES

If you opt in to reminders:

• Reminder frequency (monthly, bi-monthly, quarterly)
• Reminder method (email or SMS)
• Treatment schedule

For SMS Reminders:

• Mobile phone number
• Carrier information
• SMS consent timestamp

Purpose: To send you maintenance reminders, help you stay on schedule, and improve septic system care.

We share your personal information with trusted third-party service providers to deliver our services, process payments, ship orders, and improve your experience.

Important Notes:

• Some third-party services are US-based, which means your data may be transferred outside of Canada
• Each service provider has its own privacy policy governing how they use your data
• We only share the minimum information necessary for each service
• We require third-party providers to protect your information

9.1 EMAIL SERVICE PROVIDER

SendGrid (Twilio)

Purpose: Send ALL transactional and marketing emails

Types of Emails:

• Order confirmations
• Shipping notifications
• Password reset emails
• Account verification emails
• Customer support responses
• Newsletter and promotional emails
• Maintenance reminders

Data Shared with SendGrid:

• Your email address
• Your name
• Email subject and content
• Order details (in order confirmation emails)
• Personalization data (name, product info)

SendGrid Tracking:

• Email open tracking - Invisible pixel detects when you open emails
• Click tracking - Tracks which links you click in emails
• IP address - Collected when you open emails or click links

Location: US-based (cross-border data transfer)

Privacy Policy: https://www.twilio.com/legal/privacy

Data Processing Agreement: In place (business agreement with SendGrid)

Why We Use SendGrid: Reliable email delivery, high deliverability rates, detailed analytics to improve communications

Your Rights:

• You can unsubscribe from marketing emails anytime (unsubscribe link in every email)
• Transactional emails (order confirmations) cannot be unsubscribed (required for service)

9.2 PAYMENT PROCESSORS

We use multiple payment processors to give you payment flexibility. We do NOT store your full credit card details - they are processed securely by PCI-DSS certified processors.

Stripe (Online Checkout)

Purpose: Process credit/debit card payments for online orders

Data Shared with Stripe:

• Card details (number, expiry, CVV)
• Cardholder name
• Billing address
• Email address
• Order amount
• Order ID
• IP address (for fraud detection)

Data NOT Shared: Septic system information, chat history, marketing preferences

Location: US-based (cross-border data transfer)

Privacy Policy: https://stripe.com/privacy

Security: PCI-DSS Level 1 certified (highest security standard)

Tokenization: If you save your card, only a secure token is stored (not actual card number)

Fraud Detection: Stripe uses machine learning to detect fraudulent transactions

Helcim (Phone Orders)

Purpose: Process credit/debit card payments for phone orders (keyed transactions)

Data Shared with Helcim:

• Card details (number, expiry, CVV - entered by our staff during phone order)
• Cardholder name
• Billing address
• Order amount
• Customer unique code (if you choose to save your card for future orders)

Saved Card Option:

• When ordering by phone, you can choose to save your card with Helcim
• Helcim generates a unique customer code
• We store this code in our CRM (Pipedrive) to process future orders faster
• You can request removal of saved card anytime

Location: Canada-based (Alberta) - NO cross-border transfer

Privacy Policy: https://www.helcim.com/privacy/

Security: PCI-DSS Level 1 certified

PayPal

Purpose: Process PayPal payments for online orders

Data Shared with PayPal:

• Your PayPal email address
• Order amount
• Shipping address
• Order ID

Privacy: PayPal does NOT share your financial details with us (you log in to PayPal separately)

Location: US-based (cross-border data transfer)

Privacy Policy: https://www.paypal.com/privacy

9.3 CUSTOMER RELATIONSHIP MANAGEMENT (CRM)

Pipedrive CRM

Purpose: Manage customer relationships, track orders, store customer information, manage sales pipeline

CRITICAL: Pipedrive stores EXTENSIVE personal information about customers

Data Shared with Pipedrive:

Basic Contact Information:

• Full name (first and last)
• Email address
• Phone number (primary and secondary)
• Preferred language (English/French)
• Communication preferences (call availability, preferred times)
• "S'adresser à" (how to address you)

Addresses:

• Primary address (street, city, province, postal code)
• Shipping address (if different)
• Address details/instructions

Order Information:

• Order history
• Products purchased
• Order dates
• Order amounts
• Payment method type
• Helcim customer unique code (if saved)

Septic System Information:

• Type of septic system
• Year of installation
• Year you became owner
• System components and details
• Number of people using system
• Soil type
• Water softener presence
• Mandatory pumping requirements
• Last pumping date
• Problems and symptoms
• Problem description (detailed notes)
• How long problems have persisted
• Urgency level
• Treatment history
• Treatment success evaluation
• Monthly maintenance routine

Marketing Information:

• Marketing channel (how you found us)
• Referral source (who referred you)
• First contact method
• GLID (Google Click ID) - ad tracking
• Affiliate information (if applicable)

Quebec Bill 25 Compliance:

• "Loi 25" consent field - Records your verbal consent given over the phone to collect and store detailed personal information

Internal Notes:

• Customer service notes
• Follow-up notes
• Quotes/estimates sent
• Renewal reminder notes
• Other communications and interactions

Location: US and EU (cross-border data transfer)

Privacy Policy: https://www.pipedrive.com/en/privacy

Data Processing Agreement: In place (business agreement with Pipedrive)

Retention: Data retained as long as customer relationship exists, plus legally required retention periods for financial/tax records

Your Rights: You can request access to, correction of, or deletion of your information stored in Pipedrive by contacting us

9.4 SHIPPING AND DELIVERY

Canada Post (Primary Carrier)

Purpose: Ship and deliver your orders

Data Shared with Canada Post:

• Recipient name
• Shipping address (street, city, province, postal code)
• Phone number
• Package weight and dimensions
• Tracking number
• Delivery signature (if requested - additional fee)

Location: Canada-based - NO cross-border transfer

Privacy Policy: https://www.canadapost-postescanada.ca/privacy/

Tracking: You receive tracking information by email; Canada Post may send delivery notifications

Shiptime & Alternative Carriers

Purpose: Multi-carrier shipping management and alternative carriers (UPS, FedEx, Purolator, etc.)

Data Shared:

• Same information as Canada Post (name, address, phone, package details)
• Specific carrier depends on your location, request, or availability

Shiptime Location: Canada-based

Alternative Carriers: May be US-based (UPS, FedEx) - potential cross-border transfer

Why Alternative Carriers:

• Remote locations not served by Canada Post
• Express shipping requests
• Customer-requested specific carrier
• Better rates/service for certain locations

Additional Fees: May apply for specific carrier requests or signature confirmation

AddressComplete (Canada Post Address Validation)

Purpose: Validate and autocomplete addresses during checkout

Data Shared:

• Partial address as you type
• Selected full address

How It Works:

• When you start typing an address, AddressComplete suggests valid addresses
• Reduces shipping errors and ensures accurate delivery
• No personal information stored (only used for real-time validation)

Location: Canada-based (Canada Post service)

Privacy: Address validation requests are temporary and not stored

9.5 CLOUD STORAGE

Cloudinary

Purpose: Store and deliver customer files (maintenance calendars PDFs, shipping labels, images)

Data Stored on Cloudinary:

• Custom maintenance calendar PDFs (contains your name, septic system info, treatment schedule)
• Shipping labels (contains shipping address)
• Product images
• Uploaded images (if you send us photos of your septic system)

Location: US-based (cross-border data transfer)

Privacy Policy: https://cloudinary.com/privacy

Security: Files are stored securely with access controls; only accessible via unique URLs

Retention: Files retained as long as your account exists; deleted upon account deletion

9.6 ARTIFICIAL INTELLIGENCE (AI) PROCESSING

OpenAI (ChatGPT API)

Purpose: Power our AI-powered septic system analysis chat tool

IMPORTANT DISCLOSURE:

Data Shared with OpenAI:

• Your chat messages (questions you ask)
• Septic system information you provide in chat
• Property information you share
• Problem descriptions
• Context about Bio-Sol products and services (from our database)

Data NOT Shared: Email address, phone number, payment information, account password

How OpenAI Uses Data:

• Processes your messages to generate AI responses
• May use conversations to improve AI models (per OpenAI's data usage policy)
• Stores conversations on OpenAI servers

Location: US-based (cross-border data transfer)

Privacy Policy: https://openai.com/privacy/

AI LIMITATIONS DISCLAIMER:

We are NOT responsible for:

• Incorrect AI recommendations or advice
• Misinterpretation of information you provide
• AI errors or inaccuracies
• Reliance on AI advice without professional consultation

The AI tool is for informational purposes only. Always consult with our team for professional advice, and follow your local regulations first.

Data Retention:

• We store your chat history in our database for your reference (visible in your account dashboard)
• OpenAI retains data per their retention policy (30 days for API data as of their current policy)

Your Control:

• Do NOT share highly sensitive information (credit cards, passwords, etc.) in the AI chat
• You can delete your chat history from your account dashboard
• Contact us to request full deletion of AI chat data

9.7 EMAIL MARKETING PLATFORM

Omnisend

Purpose: Manage email marketing campaigns, newsletters, and automated email sequences

Data Shared with Omnisend:

• Email address
• Name (first and last)
• Subscription date
• IP address (for CASL compliance)
• Marketing consent status
• Email engagement data (opens, clicks)
• Order history (for personalized recommendations)
• Cart abandonment data (for cart recovery emails)

Email Types:

• General newsletters (bi-weekly, may vary)
• Promotional emails (sales, special offers)
• Cart abandonment reminders (if you leave items in cart)
• Product recommendations
• Maintenance reminders (if opted in)
• Automated sequences (e.g., ebook download follow-ups, quote request follow-ups)

Email Frequency:

• General Newsletters: Approximately bi-weekly (every 2 weeks), may vary based on content availability
• Promotional Emails: Occasional (sales, seasonal promotions)
• Automated Sequences: If you enter an automation (ebook download, quote request), you may receive multiple emails related to that specific interest
• Cart Reminders: If you abandon your shopping cart
• Reminders: Based on your selected frequency (monthly, bi-monthly, quarterly - if opted in)

Location: US-based (cross-border data transfer)

Privacy Policy: https://www.omnisend.com/privacy/

Unsubscribe: Click "Unsubscribe" link in any marketing email (required by CASL)

9.8 ANALYTICS AND ADVERTISING

Google Analytics

Purpose: Analyze website traffic, user behavior, and improve website performance

Data Collected:

• IP address (anonymized option available)
• Pages visited
• Time spent on site
• Browser and device information
• Geographic location (city/region level)
• Referral source
• Search queries on our site

E-commerce Tracking:

• Products viewed
• Products added to cart
• Purchases completed
• Order values
• Conversion rates

Location: US-based (Google/Alphabet - cross-border data transfer)

Privacy Policy: https://policies.google.com/privacy

Data Retention: We configure Google Analytics to retain data for 26 months

Opt-Out: Use Google Analytics Opt-Out Browser Add-On: https://tools.google.com/dlpage/gaoptout

Google Ads

Purpose: Track advertising performance, measure conversions, retarget interested customers

Data Collected:

• GLID (Google Click ID) - tracks which ad you clicked
• Conversion events (purchase, newsletter signup)
• IP address
• Cookie IDs

Remarketing: We may show you Bio-Sol ads on other websites if you visited our site

Location: US-based (Google/Alphabet)

Privacy Policy: https://policies.google.com/privacy

Opt-Out: Google Ads Settings: https://adssettings.google.com/

Meta Pixel (Facebook Ads)

Purpose: Track advertising performance on Facebook and Instagram, measure conversions, retarget customers

Data Collected:

• Facebook Pixel ID
• Conversion events (purchase, add to cart)
• IP address
• Browser and device information

Remarketing: We may show you Bio-Sol ads on Facebook and Instagram

Location: US-based (Meta Platforms)

Privacy Policy: https://www.facebook.com/privacy/policy/

Opt-Out: Facebook Ad Preferences: https://www.facebook.com/ads/preferences/

Other Advertising Platforms

We may use additional advertising platforms, including:

• LinkedIn Ads
• Twitter/X Ads
• TikTok Ads
• Pinterest Ads
• Reddit Ads

Note: If we add new advertising platforms, we will update this Privacy Policy and notify you of changes.

9.9 REVIEW PLATFORM

Endorsal

Purpose: Collect, manage, and display customer reviews and testimonials

How It Works:

• We send review requests to customers via Endorsal
• You submit your review on Endorsal's platform (not our website)
• Reviews are stored on Endorsal's servers
• We display approved reviews on our website

Data Shared with Endorsal:

• Your email address (to send review request)
• Your name
• Order information (optional - to verify purchase)

Data You Provide in Review:

• Your name (or anonymous)
• Review text
• Rating (star rating)
• Photos/videos (if you choose to upload)

MARKETING CONSENT:

By submitting a review through Endorsal, you consent to Bio-Sol using your review for marketing purposes, including:

• Displaying on our website
• Sharing on social media (Facebook, LinkedIn, Twitter/X)
• Using in advertising materials
• Featuring in email newsletters
• Including in promotional content

To Remove a Review: Contact us at [email protected] or 1-800-378-6132

Location: US-based (cross-border data transfer)

Privacy Policy: https://endorsal.io/privacy/

9.10 HOSTING AND INFRASTRUCTURE

Render.com (Web Hosting)

Purpose: Host our website, database, and backend services

Data Stored on Render:

• ALL data collected on our website (accounts, orders, chat history, etc.)
• PostgreSQL database (contains all customer information)
• Redis cache (temporary session data)
• Server logs (IP addresses, requests, errors)

Location: Oregon, USA (cross-border data transfer)

Privacy Policy: https://render.com/privacy

Security: SOC 2 Type II certified, encrypted data storage, regular backups

Data Protection: Render does NOT access or use your data; they only provide infrastructure

AWS S3 (Database Backups)

Purpose: Secure storage of daily database backups

Data Stored on AWS S3:

• Full PostgreSQL database backups (all customer information)
• Backup frequency: Daily
• Backup retention: Stored for disaster recovery and data protection
• Encrypted at rest

Location: Oregon, USA (cross-border data transfer)

Privacy Policy: https://aws.amazon.com/privacy/

Security:

• Enterprise-grade security and encryption
• Access restricted to authorized personnel only
• Encrypted in transit and at rest
• Industry-leading infrastructure security standards

Data Protection: AWS does NOT access or use your data; they only provide secure storage infrastructure

9.11 ACCOUNTING SOFTWARE

QuickBooks

Purpose: Accounting, invoicing, tax reporting

Data Shared:

• Customer name
• Email address
• Billing address
• Order amounts
• Invoice details
• Payment dates
• Tax information

Data NOT Shared:

• Septic system details
• AI chat history
• Marketing preferences
• Detailed browsing data

Location: US-based (Intuit - cross-border transfer)

Privacy Policy: https://www.intuit.com/privacy/

Why We Use It: Required for proper accounting, tax compliance, and financial record-keeping.

9.12 BOT PROTECTION

reCAPTCHA (Google)

Purpose: Prevent spam, bot abuse, and fraudulent form submissions

What reCAPTCHA Collects:

• IP address
• Browser information
• Mouse movements and interaction patterns
• Cookies

Where It's Used:

• Contact forms
• Newsletter signup
• Account registration
• Checkout process

Data Shared with Google:

• Interaction data (clicks, mouse movements)
• Browser and device information
• IP address

Location: US-based (Google - cross-border transfer)

Privacy Policy: https://policies.google.com/privacy

Why We Use It: To protect our website and customers from spam, fake accounts, and fraudulent transactions.

We share your personal information in the following situations:

10.1 Service Providers (Detailed in Section 9)

To deliver our services, process payments, ship orders, send emails, store data, and improve your experience. See Section 9 above for the complete list of third-party service providers.

10.2 Legal Requirements

We may disclose your information if required by law, court order, subpoena, or government authority.

10.3 Business Transfers

If Bio-Sol is sold, merged, or acquired, your personal information may be transferred to the new owner (you will be notified).

10.4 Fraud Prevention

We may share information with fraud detection services, payment processors, and law enforcement to prevent fraud and protect our business.

10.5 With Your Consent

We may share your information for other purposes with your explicit consent.

10.6 Publicly Displayed Information

• Customer reviews (with your consent via Endorsal)
• Testimonials (with your explicit permission)

IMPORTANT: Many of our service providers are based in the United States, which means your personal information may be transferred, stored, and processed outside of Canada.

Services Involving Cross-Border Transfer:

• SendGrid (email) - US
• Stripe (payments) - US
• PayPal (payments) - US
• Pipedrive (CRM) - US/EU
• Cloudinary (storage) - US
• OpenAI (AI chat) - US
• Omnisend (marketing) - US
• Google (Analytics, Ads) - US
• Meta/Facebook (Ads) - US
• Endorsal (reviews) - US
• Render.com (hosting, database) - US (Oregon)
• AWS S3 (database backups) - US (Oregon)

Services Based in Canada (NO Cross-Border Transfer):

• Helcim (payment processing) - Canada
• Canada Post (shipping) - Canada
• AddressComplete (address validation) - Canada
• Shiptime (shipping management) - Canada

Legal Protections:

• US companies may be subject to US laws (e.g., PATRIOT Act, CLOUD Act)
• US government agencies may access data stored in the US
• We use contracts and data processing agreements to protect your information
• Service providers are required to maintain security and confidentiality

Your Consent: By using our services, you consent to cross-border transfer of your personal information to the United States and other countries where our service providers operate.

We use cookies and similar technologies to improve your experience, remember your preferences, analyze website usage, and deliver personalized content and advertising.

12.1 WHAT ARE COOKIES?

Cookies are small text files stored on your device (computer, phone, tablet) by your web browser when you visit a website. Cookies help websites remember your actions and preferences over time.

Similar Technologies:

• Local Storage: Stores data in your browser (e.g., shopping cart items)
• Session Storage: Temporary storage cleared when you close your browser
• Pixels/Tags: Invisible images that track activity (e.g., email opens, page visits)

12.2 TYPES OF COOKIES WE USE

We use four main categories of cookies:

12.2.1 ESSENTIAL COOKIES (ALWAYS ACTIVE)

Purpose: Required for website functionality - cannot be disabled

What They Do:

• Keep you logged in to your account
• Remember items in your shopping cart
• Maintain security and prevent fraud
• Enable checkout and payment processing
• Remember your language preference (English or French)
• Process your cookie consent choices

Examples:

• connect.sid - Session authentication token
• biosol_cart - Shopping cart identifier
• biosol_locale - Language preference (en/fr)
• biosol_cookie_consent - Your cookie preferences

Duration: Session cookies (deleted when you close browser) or up to 1 year for persistent preferences

Legal Basis: Necessary for providing services you requested

These cookies cannot be disabled - they are required for the website to function properly.

12.2.2 ANALYTICS COOKIES (REQUIRES CONSENT)

Purpose: Help us understand how visitors use our website and improve performance

Service: Google Analytics 4 with Google Consent Mode v2

What They Track:

• Pages you visit
• Time spent on each page
• How you navigate through the site
• What you click on
• Where you came from (referral source)
• Your approximate location (city/region)
• Device type and browser
• Search queries on our site

E-commerce Analytics:

• Products viewed
• Products added to cart
• Cart abandonment
• Purchases completed
• Revenue generated

Examples:

• _ga - Google Analytics ID (2 years)
• _gid - Google Analytics session ID (24 hours)
• _gat - Google Analytics throttle request (1 minute)

Duration: 24 hours to 2 years

Privacy: We configure Google Analytics to anonymize IP addresses (when possible)

Opt-Out:

• Decline analytics cookies in our cookie banner
• Use Google Analytics Opt-Out Add-On: https://tools.google.com/dlpage/gaoptout

Third-Party: Google Analytics (US-based) - See Privacy Policy: https://policies.google.com/privacy

12.2.3 ADVERTISING & MARKETING COOKIES (REQUIRES CONSENT)

Purpose: Deliver personalized ads, measure advertising effectiveness, and retarget interested customers

Services: Google Ads, Meta Pixel (Facebook/Instagram), Omnisend, other ad platforms

What They Track:

• Which ads you clicked to reach our site (ad tracking)
• Conversion events (purchases, signups)
• Products you viewed
• Whether you completed a purchase
• Create advertising profiles for retargeting

Examples:

Google Ads:

• _gcl_au - Google Ads conversion tracking
• test_cookie - Check if cookies are enabled

Meta Pixel (Facebook):

• _fbp - Facebook Pixel ID (90 days)
• fr - Facebook advertising cookie

Omnisend:

• omnisend-form-* - Form tracking
• omnisendContactID - Contact identification

Duration: 90 days to 2 years

Retargeting: These cookies allow us to show you Bio-Sol ads on other websites, Facebook, Instagram, and Google properties

Opt-Out:

• Decline advertising cookies in our cookie banner
• Google Ads Settings: https://adssettings.google.com/
• Facebook Ad Preferences: https://www.facebook.com/ads/preferences/
• Digital Advertising Alliance Opt-Out: https://youradchoices.ca/

Third-Parties: Google (US), Meta/Facebook (US), Omnisend (EU)

12.2.4 FUNCTIONAL COOKIES (OPTIONAL, REQUIRES CONSENT)

Purpose: Remember your preferences and enhance your experience

What They Do:

• Remember your preferred currency or units
• Save your zip code for shipping estimates
• Remember form inputs to save you time
• Display content tailored to your location

Examples:

• preferred_zip - Your saved postal code for shipping calculator
• dismissed_banner - Remember if you dismissed promotional banners

Duration: 30 days to 1 year

Opt-Out: Decline functional cookies in our cookie banner (may reduce functionality)

12.3 THIRD-PARTY COOKIES

Some cookies are set by third-party services embedded on our website:

YouTube Video Embeds

Purpose: Display customer testimonial videos

Cookies Set by YouTube:

• VISITOR_INFO1_LIVE - Measures bandwidth
• YSC - Stores unique user ID for tracking
• PREF - Stores video preferences
• CONSENT - Stores cookie consent status

Privacy Concern: YouTube (owned by Google) tracks video views and may use data for advertising

Solution: We use YouTube Privacy-Enhanced Mode (youtube-nocookie.com) when possible to reduce tracking

Privacy Policy: https://policies.google.com/privacy

Opt-Out: Decline advertising cookies in our cookie banner

12.4 LOCAL STORAGE (BROWSER STORAGE)

We use your browser's local storage to store data locally on your device:

What We Store:

• Shopping cart contents (so you don't lose items if you close the browser)
• Recently viewed products
• UI preferences (e.g., sidebar collapsed/expanded)
• Temporary data for forms (so you don't lose progress)

Duration: Persists until manually cleared or replaced

Privacy: Local storage data never leaves your device unless you sync across devices

Clear Local Storage: Browser Settings → Clear Browsing Data → Cookies and Site Data

12.5 EMAIL TRACKING

SendGrid Email Tracking:

When we send you emails (order confirmations, newsletters), SendGrid may include:

Open Tracking:

• Invisible 1x1 pixel image
• Detects when you open the email
• Captures your IP address and timestamp

Click Tracking:

• Links in emails are redirected through SendGrid
• Tracks which links you click
• Captures timestamp and IP address

Purpose: Measure email effectiveness, improve email content, understand customer engagement

Opt-Out:

• Email clients may block tracking pixels (e.g., Apple Mail Privacy Protection)
• You can disable images in your email client
• Unsubscribe from marketing emails (transactional emails still sent)

12.6 HOW TO CONTROL COOKIES

You have several ways to control cookies:

Option 1: Our Cookie Consent Banner

When you first visit our website, you'll see a cookie consent banner with options to:

• Accept all cookies
• Reject non-essential cookies (only essential cookies will be set)
• Customize your preferences (choose which categories to allow)

To Change Your Preferences Later:

• Click the "Cookie Settings" link in our website footer
• Re-open the cookie consent banner to adjust settings

Option 2: Browser Settings

All browsers allow you to control cookies:

Google Chrome: Settings → Privacy and Security → Cookies and other site data
Choose: Allow all, Block third-party, or Block all cookies

Mozilla Firefox: Settings → Privacy & Security → Cookies and Site Data
Choose: Standard, Strict, or Custom blocking

Safari: Preferences → Privacy → Cookies and website data
Enable "Block all cookies" or "Prevent cross-site tracking"

Microsoft Edge: Settings → Privacy, search, and services → Cookies
Choose: Block all, Block third-party, or Allow all

Clear Existing Cookies:

• Chrome: Settings → Privacy → Clear browsing data → Cookies
• Firefox: Settings → Privacy → Clear Data → Cookies
• Safari: Preferences → Privacy → Manage Website Data → Remove All
• Edge: Settings → Privacy → Clear browsing data → Cookies

Option 3: Opt-Out Tools

• Google Analytics Opt-Out: https://tools.google.com/dlpage/gaoptout
• Google Ads Personalization: https://adssettings.google.com/
• Facebook Ad Preferences: https://www.facebook.com/ads/preferences/
• Digital Advertising Alliance (Canada): https://youradchoices.ca/

12.7 IMPACT OF BLOCKING COOKIES

If you block or delete cookies, some features may not work properly:

Essential Cookies Blocked:

• Cannot stay logged in to your account
• Shopping cart will not work
• Cannot complete checkout
• Website may display errors
• Language preference not saved

Analytics Cookies Blocked:

• Website works normally
• We cannot analyze usage to improve the site
• Cannot measure what content is most helpful

Advertising Cookies Blocked:

• Website works normally
• You may still see ads, but they won't be personalized
• We cannot measure ad effectiveness
• Cannot retarget interested customers

Functional Cookies Blocked:

• Website works normally
• Preferences not saved (e.g., must re-enter postal code each time)
• Some convenience features may not work

12.8 DO NOT TRACK (DNT) SIGNALS

Some browsers offer a "Do Not Track" (DNT) setting that sends a signal to websites requesting not to be tracked.

Current Status: We do NOT currently respond to DNT signals, as there is no industry standard for how to handle them.

Alternative: Use our cookie consent banner to decline analytics and advertising cookies for similar effect.

12.9 COOKIE DURATION SUMMARY

Essential (session)Until browser closedNo Essential (persistent)Up to 1 yearNo Analytics24 hours to 2 yearsYes Advertising90 days to 2 yearsYes Functional30 days to 1 yearYes YouTubeVariesYes (block videos)

12.10 CHANGES TO COOKIE POLICY

We may update our use of cookies as we implement new features or services. When we make significant changes:

• Update this Cookie Policy
• Display a notice on our website
• Request updated consent if required by law

12.11 QUESTIONS ABOUT COOKIES

For questions about our cookie usage, contact us:

Jean-Sébastien Gagné
Phone: 1-800-378-6132
Email: [email protected]

We use your personal information to provide our services, improve your experience, comply with legal obligations, and communicate with you.

13.1 TO PROVIDE OUR SERVICES

Order Processing and Fulfillment:

• Process your orders
• Arrange shipping and delivery
• Generate shipping labels
• Provide tracking information
• Send order confirmations and updates
• Handle returns and refunds
• Process exchanges

Account Management:

• Create and maintain your customer account
• Authenticate your identity when you log in
• Remember your preferences and settings
• Display your order history
• Save your shipping addresses and payment methods (with consent)
• Enable password reset functionality

Payment Processing:

• Process payments securely through our payment processors
• Verify payment information
• Prevent fraud and unauthorized transactions
• Issue refunds when applicable
• Defend against fraudulent chargebacks (with your consent)

Customer Support:

• Respond to your questions and inquiries
• Provide technical support
• Resolve issues and complaints
• Follow up on service requests
• Maintain customer service records

AI-Powered Septic System Analysis:

• Analyze your septic system situation
• Provide personalized product recommendations
• Generate custom advice based on your specific needs
• Save your chat history for future reference
• Improve AI responses over time

Maintenance Calendars:

• Create custom maintenance schedules
• Provide personalized treatment plans
• Generate PDF calendars
• Track your treatment history
• Send maintenance reminders (if opted in)

13.2 TO COMMUNICATE WITH YOU

Transactional Emails (REQUIRED - Cannot Opt-Out):

• Order confirmations
• Shipping notifications
• Delivery confirmations
• Password reset emails
• Account verification emails
• Payment receipts
• Return/refund notifications
• Customer support responses

These emails are essential to providing our services and cannot be unsubscribed from.

Marketing Emails (OPTIONAL - Can Opt-Out):

• Newsletters (bi-weekly, may vary based on content)
• Promotional offers and sales
• New product announcements
• Seasonal promotions
• Educational content (septic system care tips)
• Cart abandonment reminders
• Product recommendations
• Ebook downloads and related content
• Quote request follow-ups
• Automated email sequences (if you entered an automation)

Email Frequency:

• General newsletters: Approximately bi-weekly (every 2 weeks)
• Frequency may vary based on content availability
• Typically no more than 1-2 emails per month
• Automated sequences: May receive multiple emails if you request specific content (ebook, quote, etc.)

You can unsubscribe from marketing emails anytime by clicking "Unsubscribe" in any marketing email.

Maintenance Reminders (OPTIONAL - If Opted In):

• Reminders to add Bio-Sol products to your septic system
• Based on your selected frequency (monthly, bi-monthly, quarterly)
• SMS reminders (with separate opt-in)

Phone Calls:

• Follow up on orders
• Provide consultations on septic system issues
• Answer questions about products
• Process phone orders
• Request verbal consent for data collection (Quebec Bill 25 - "Loi 25")
• Customer satisfaction follow-ups

We do NOT record phone calls at this time.

13.3 TO IMPROVE OUR SERVICES

Website Analytics:

• Understand how visitors use our website
• Identify popular products and pages
• Find and fix technical issues
• Optimize website performance
• Improve navigation and user experience
• Test new features and designs

Product Development:

• Understand customer needs and preferences
• Develop new products based on customer feedback
• Improve existing products
• Identify trends in septic system issues

AI Improvement:

• Analyze AI chat conversations to improve recommendations
• Train AI models for better accuracy
• Identify common questions and issues
• Enhance AI responses over time

Service Quality:

• Monitor customer satisfaction
• Identify areas for improvement
• Train staff based on customer interactions
• Improve response times

13.4 FOR MARKETING AND ADVERTISING

Email Marketing:

• Send newsletters and promotional offers
• Announce new products and sales
• Share educational content about septic system care
• Recover abandoned shopping carts
• Recommend products based on purchase history
• Send automated email sequences based on your interests

Advertising:

• Display Bio-Sol ads on Google, Facebook, Instagram, and other platforms
• Retarget website visitors with relevant ads
• Measure advertising effectiveness
• Optimize ad campaigns for better results
• Track which ads lead to purchases (conversion tracking)

Personalization:

• Show you relevant products based on your browsing history
• Customize email content based on your interests
• Provide personalized product recommendations
• Display targeted offers and promotions

You can opt out of marketing emails by clicking "Unsubscribe" in any marketing email.

You can opt out of personalized advertising using:

• Google Ads Settings: https://adssettings.google.com/
• Facebook Ad Preferences: https://www.facebook.com/ads/preferences/
• Our cookie consent banner (decline advertising cookies)

13.5 FOR LEGAL AND SECURITY PURPOSES

Compliance with Laws:

• Comply with Quebec Bill 25 (Law 25), PIPEDA, CASL, and other privacy laws
• Respond to legal requests (court orders, subpoenas)
• Meet tax and accounting obligations (CRA, Revenu Québec)
• Maintain financial records as required by law
• Report suspicious activity to authorities if required

Fraud Prevention and Security:

• Detect and prevent fraudulent transactions
• Identify suspicious account activity
• Protect against unauthorized access
• Prevent spam and abuse
• Defend against chargebacks
• Monitor for security threats
• Investigate potential violations of our Terms of Use

Business Protection:

• Enforce our Terms of Use and other agreements
• Protect our intellectual property (Bio-Sol trademark, content)
• Defend against legal claims
• Resolve disputes

13.6 FOR INTERNAL OPERATIONS

Customer Relationship Management:

• Maintain customer records in our CRM (Pipedrive)
• Track customer interactions and history
• Manage sales pipeline
• Coordinate between sales, support, and fulfillment teams
• Provide context for customer service representatives

Accounting and Finance:

• Generate invoices and receipts
• Track revenue and expenses
• Prepare financial statements
• Process payroll (for affiliate/referral programs if applicable)
• Integrate with accounting software (QuickBooks)

Inventory Management:

• Track product availability
• Forecast demand
• Manage reordering
• Optimize inventory levels

Business Analytics:

• Measure business performance
• Identify growth opportunities
• Analyze sales trends
• Evaluate marketing ROI
• Make data-driven business decisions

13.7 WITH YOUR CONSENT

We may use your personal information for other purposes with your explicit consent, such as:

• Featuring your testimonial on our website or marketing materials
• Using your photos in promotional content
• Sharing your success story (anonymized or with attribution)
• Participating in case studies
• Including you in video testimonials

You can withdraw consent anytime by contacting us.

13.8 AUTOMATED DECISION-MAKING

AI-Powered Recommendations:

• We use AI (OpenAI ChatGPT) to provide automated product recommendations based on the information you provide about your septic system
• These are suggestions only - you are NOT bound by AI recommendations
• AI may make errors or misinterpret information
• Always verify recommendations with our team or consult a professional

Fraud Detection:

• Payment processors (Stripe, Helcim) use automated fraud detection to flag suspicious transactions
• May result in declined transactions if flagged as high-risk
• You can contact us if you believe a transaction was incorrectly flagged

Email Personalization:

• Omnisend uses automated algorithms to personalize email content and timing
• Based on your behavior (e.g., products viewed, cart abandonment)
• You can opt out by unsubscribing from marketing emails

13.9 LEGAL BASIS FOR PROCESSING (QUEBEC BILL 25 / PIPEDA)

We process your personal information based on the following legal grounds:

Contract Performance:

• Processing orders, shipping products, providing customer support
• Necessary to fulfill our contract with you

Consent:

• Marketing emails (you opt in by subscribing)
• Cookies (non-essential - you consent via cookie banner)
• Reviews and testimonials (you consent by submitting)
• AI chat (you consent by using the tool)
• Saved payment methods (you consent by checking the box)

Legal Obligation:

• Tax reporting, accounting records, responding to legal requests
• Required by Canadian and Quebec law

Legitimate Interests:

• Fraud prevention, security, website analytics, business operations
• Balanced against your privacy rights

Vital Interests:

• Emergency situations (rarely applicable)

13.10 DATA MINIMIZATION

We only collect personal information that is necessary and relevant for the purposes described above.

Examples:

• We ask for your phone number to contact you about orders (necessary)
• We do NOT ask for your social insurance number (not necessary)
• We collect septic system details to provide recommendations (relevant)
• We do NOT ask about your political views (not relevant)

If you believe we're collecting unnecessary information, please contact us.

We retain your personal information only as long as necessary for the purposes described in this Privacy Policy, or as required by law.

14.1 ACCOUNT INFORMATION

While Account Is Active:

• Retained as long as your account exists
• You can delete your account anytime (contact us)

After Account Deletion:

• Some information must be retained for legal/financial reasons (see below)
• Marketing preferences removed immediately
• AI chat history deleted (unless part of order records)
• Saved payment methods deleted
• Login credentials deleted

14.2 ORDER AND TRANSACTION RECORDS

Retention Period: 7 YEARS (Canadian tax law requirement)

What We Keep:

• Order details (products, quantities, prices)
• Invoices and receipts
• Payment records (transaction IDs, payment method type)
• Shipping addresses
• Customer name and contact information
• Date and time of transactions

Why So Long:

• Required by Canada Revenue Agency (CRA) and Revenu Québec
• Necessary for tax audits, financial reporting, and accounting
• Protects against disputes, warranty claims, and legal issues

After 7 Years:

• Order records deleted or anonymized
• Personal identifiers removed
• Only aggregate statistical data retained (no personal info)

IMPORTANT: Even if you request account deletion, we MUST keep order records for 7 years as required by law.

14.3 PAYMENT INFORMATION

Tokenized Payment Methods:

• Retained until you remove the saved payment method
• Deleted immediately upon account deletion
• Can be removed anytime from your account settings

Payment Transaction Records:

• Transaction IDs and dates: 7 years (tax law)
• Chargeback defense records: 7 years or until dispute resolved
• Full card numbers: NEVER stored (handled by payment processors)

14.4 MARKETING AND COMMUNICATION DATA

Newsletter Subscriptions:

• Retained until you unsubscribe
• Deleted immediately upon unsubscribe request
• Unsubscribe records kept indefinitely (to honor your preference)

Email Consent Logs:

• CASL compliance records: 3 years after consent withdrawal
• Includes: IP address, timestamp, consent method, source

Marketing Analytics:

• GLID (Google Click ID): 2 years, then deleted or anonymized
• Facebook Pixel data: 2 years, then deleted or anonymized
• Campaign attribution data: 2 years, then deleted or anonymized

14.5 SEPTIC SYSTEM INFORMATION

Stored in CRM (Pipedrive):

• Retained as long as customer relationship exists
• Used for ongoing support and consultations
• Deleted upon account deletion request (except order-related details kept for 7 years)

AI Chat History:

• Retained in your account dashboard until deleted by you
• Can be deleted anytime from your account settings
• Automatically deleted upon account deletion
• OpenAI retention: 30 days (per OpenAI's API data policy as of current policy)

Maintenance Calendars:

• Stored on Cloudinary until account deletion
• Available for download in your account dashboard
• Deleted upon account deletion request

14.6 WEBSITE USAGE AND ANALYTICS

Google Analytics:

• Configured for 26 months retention
• After 26 months, data automatically deleted by Google
• Aggregated data may be retained longer (no personal identifiers)

Server Logs (IP Addresses):

• Retained for 2 years for security and fraud prevention
• After 2 years, deleted or anonymized
• Used for: Fraud detection, security monitoring, abuse prevention

Session Data (Redis Cache):

• 24 hours or until session ends
• Automatically deleted after expiry

14.7 CUSTOMER SUPPORT AND COMMUNICATIONS

Contact Form Submissions:

• Retained for 2 years or until issue resolved
• Longer if related to ongoing support or product issues
• Deleted upon request (unless related to active order/warranty)

Phone Call Records:

• Call notes and summaries: 2 years
• Related to orders: 7 years (part of transaction record)
• Call recordings: N/A - We do NOT record calls

"Loi 25" Verbal Consent Records:

• Documented in CRM: 3 years after consent withdrawal
• Includes: Date, time, staff member, consent granted

14.8 REVIEWS AND TESTIMONIALS

Endorsal Reviews:

• Retained indefinitely on Endorsal platform (unless you request removal)
• Displayed on our website until removed
• Can be removed anytime upon request (contact us)

Video Testimonials:

• Retained on YouTube/video platforms until removed
• Can request removal anytime (we'll remove from our platforms)

14.9 COOKIES

Cookie Duration by Type:

Session cookies Until browser closed Essential (persistent) Up to 1 year Analytics (Google Analytics) 24 hours to 2 years Advertising (Google, Facebook) 90 days to 2 years Functional 30 days to 1 year YouTube Varies by cookie

To Delete Cookies:

• Clear your browser's cookies/cache
• Adjust cookie settings in our cookie banner

14.10 INACTIVE ACCOUNTS

Definition: Accounts with no activity (login, order, communication) for 3 years

What We Do:

• Send email notification before deletion (30 days notice)
• Allow you to keep account active by logging in
• If no response, account marked for deletion after 3 years plus 30 days

What Gets Deleted:

• Login credentials
• Saved addresses (non-order-related)
• Saved payment methods
• AI chat history
• Maintenance calendars

What Gets Retained:

• Order records (7 years from order date - legal requirement)
• Transaction records (7 years - legal requirement)

14.11 DATA RETENTION SUMMARY TABLE

Account information Until deletion requested Consent/Contract Order records 7 years Legal obligation (tax law) Payment transactions 7 years Legal obligation Saved payment methods Until removed or account deleted Consent Newsletter subscriptions Until unsubscribe Consent Email consent logs 3 years after withdrawal Legal obligation (CASL) GLID & ad tracking 2 years, then deleted/anonymized Legitimate interest Server logs (IP addresses) 2 years Legitimate interest (security) Google Analytics 26 months Consent (analytics cookies) AI chat history Until deleted by user or account deletion Consent Septic system info (CRM) Until account deletion (except order-related: 7 years) Consent/Contract Contact form submissions 2 years or until resolved Legitimate interest Phone call notes 2 years (or 7 years if order-related) Legitimate interest/Legal obligation Reviews (Endorsal) Indefinitely (until removal requested) Consent (marketing) Cookies Varies (see cookie table above) Consent/Legitimate interest

We take data security seriously and implement industry-standard security measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction.

15.1 TECHNICAL SECURITY MEASURES

Encryption:

• HTTPS/TLS encryption for all website traffic (encrypted data in transit)
• Database encryption for sensitive data at rest
• Password hashing (bcrypt) - passwords never stored in plain text
• Tokenized payment methods - full card details never stored

Access Controls:

• Role-based access - employees only access data needed for their job
• Strong authentication - secure passwords, session management
• API authentication - secure tokens for third-party integrations
• Principle of least privilege - minimal necessary access granted

Infrastructure Security:

• SOC 2 Type II certified hosting (Render.com - Oregon, USA)
• Firewalls to block unauthorized access
• Regular security updates and patches
• DDoS protection to prevent service disruption
• Automated backups - daily database backups stored on AWS S3 (Oregon, USA) with encryption

Payment Security:

• PCI-DSS Level 1 certified payment processors (Stripe, Helcim, PayPal)
• Tokenization - card details never touch our servers
• Fraud detection - automated screening for suspicious transactions
• 3D Secure authentication for card payments (when applicable)

Monitoring and Logging:

• Security monitoring - 24/7 automated threat detection
• Activity logs - track access and changes
• Anomaly detection - identify unusual behavior
• Incident response - procedures for security breaches

15.2 ORGANIZATIONAL SECURITY MEASURES

Employee Training:

• Privacy and security training for all staff
• Confidentiality agreements signed by employees
• Regular updates on security best practices

Data Handling Procedures:

• Documented procedures for handling personal information
• Secure disposal of paper records (shredding)
• Secure deletion of digital records (not just "deleted")
• Incident response plan for data breaches

Third-Party Vendor Management:

• Vendor security assessments before engagement
• Data processing agreements with all vendors
• Regular vendor compliance reviews
• Contractual obligations to protect data

Physical Security:

• Secure office premises
• Restricted access to areas with customer records
• Secure storage of paper documents (locked cabinets)

15.3 LIMITATIONS OF SECURITY

IMPORTANT DISCLAIMER:

While we implement robust security measures, no system is 100% secure. We cannot guarantee absolute security of your personal information.

Risks Beyond Our Control:

• Hacking, cyberattacks, or security breaches (despite our protections)
• Third-party service provider breaches (e.g., Stripe, Google, Render.com)
• Insider threats (malicious employees - we screen and train, but risk exists)
• Lost or stolen devices (your computer, phone with saved passwords)
• Phishing attacks targeting you directly
• Weak passwords or password reuse (your responsibility)

Your Responsibility:

• Use a strong, unique password for your Bio-Sol account
• Do NOT share your password with anyone
• Enable two-factor authentication (if/when available)
• Log out of your account on shared computers
• Keep your devices secure (antivirus, firewall, updates)
• Be cautious of phishing emails - we will NEVER ask for your password via email
• Report suspicious activity immediately (contact us if you suspect unauthorized access)

15.4 THIRD-PARTY SECURITY

Our third-party service providers maintain their own security measures:

• Stripe: PCI-DSS Level 1, SOC 2, ISO 27001
• Helcim: PCI-DSS Level 1
• PayPal: PCI-DSS Level 1, extensive fraud protection
• Render.com: SOC 2 Type II, encrypted storage, regular backups
• Google (Analytics, Ads): ISO 27001, SOC 2/3, extensive security infrastructure
• Cloudinary: SOC 2, GDPR compliant
• OpenAI: SOC 2 Type II, data encryption
• Pipedrive: ISO 27001, SOC 2, GDPR compliant
• Omnisend: GDPR compliant, data encryption
• SendGrid: SOC 2, ISO 27001

Each service provider's security details are available in their respective security/privacy policies.

15.5 DATA BREACH NOTIFICATION

In the unlikely event of a data breach:

Our Response:

1. Immediately investigate and contain the breach
2. Assess what data was affected
3. Notify affected customers within 72 hours (as required by Quebec Bill 25)
4. Notify privacy regulators (Office of the Privacy Commissioner of Canada, Commission d'accès à l'information du Québec)
5. Implement measures to prevent future breaches
6. Provide support and guidance to affected customers

What We'll Tell You:

• What happened (nature of the breach)
• What data was affected
• When it occurred
• What we're doing about it
• What you should do (e.g., change password, monitor accounts)
• How to contact us for more information

Your Rights:

• You have the right to file a complaint with privacy regulators
• You may have legal recourse depending on the nature of the breach

15.6 SECURITY CONTACT

To report a security issue or suspected breach:

Urgent Security Contact:
Email: [email protected] (Subject: "SECURITY ISSUE")
Phone: 1-800-378-6132 (ask for Jean-Sébastien Gagné)

For non-urgent security questions:
Email: [email protected]
Phone: 1-800-378-6132

Under Quebec Bill 25 (Law 25) and PIPEDA (Canadian federal privacy law), you have important rights regarding your personal information.

16.1 RIGHT TO ACCESS (SEE YOUR INFORMATION)

What It Means:
You have the right to know what personal information we have about you.

What You Can Request:

• Copy of your personal information we store
• Categories of information collected
• Sources of information
• Purposes for which we use your information
• Third parties we've shared your information with

How to Request:

1. Contact Jean-Sébastien Gagné
2. Phone: 1-800-378-6132
3. Email: [email protected]
4. Mail: Bio-Sol, 78 Authier Street East, St-Alphonse-de-Granby, Quebec, Canada J0E 2A0
5. Contact Form: Available on our website (specify "Data Access Request")

Response Time: Within 30 days of your request (Quebec Bill 25 requirement)

Verification: We'll verify your identity before providing information (to protect your privacy)

Cost: FREE for your first request; reasonable fee may apply for excessive or repetitive requests

Format: Digital copy (PDF) sent via encrypted email, or physical copy by mail upon request

16.2 RIGHT TO CORRECTION (FIX ERRORS)

What It Means:
You have the right to correct inaccurate or incomplete personal information.

Examples:

• Correct misspelled name
• Update old address
• Fix incorrect phone number
• Update septic system information

How to Request:

• Self-Service: Update most information in your account settings (name, email, addresses, phone)
• Contact Us: For information you cannot update yourself (e.g., order records, CRM data)

Response Time: Within 30 days (we'll make corrections or explain why we can't)

Verification: We may require proof to verify corrections (e.g., utility bill for address correction)

16.3 RIGHT TO DELETION (ERASE YOUR INFORMATION)

What It Means:
You have the right to request deletion of your personal information in certain circumstances.

What Can Be Deleted:

• Your account and login credentials
• Saved payment methods
• Marketing preferences
• AI chat history
• Maintenance calendars
• Septic system information (non-order-related)
• Newsletter subscription

What CANNOT Be Deleted (Legal Requirements):

• Order records and transaction history (7 years - tax law requirement)
• Payment transaction records (7 years - financial/legal requirement)
• Invoices and receipts (7 years - accounting requirement)
• Records related to warranty, returns, or disputes (until resolved, then legal retention period)
• Information needed for legal claims or defense

How to Request Account Deletion:

1. Contact Jean-Sébastien Gagné
2. Phone: 1-800-378-6132
3. Email: [email protected]
4. Clearly state: "I request deletion of my account and personal information"

Response Time: Within 30 days

What Happens:

1. We verify your identity
2. We delete all deletable information
3. We explain what must be retained and why (legal obligations)
4. We send confirmation of deletion
5. Your account is permanently closed

IMPORTANT: Account deletion is permanent and irreversible. You will lose:

• Order history access
• Saved addresses and payment methods
• Maintenance calendars
• AI chat history
• Account benefits

16.4 RIGHT TO DATA PORTABILITY (GET YOUR DATA)

What It Means:
You have the right to receive your personal information in a structured, commonly used format, and transfer it to another service.

What You Can Export:

• Account information (name, email, phone, addresses)
• Order history (products, dates, amounts)
• Septic system information
• Maintenance calendars
• AI chat history
• Communication preferences

Format: JSON, CSV, or PDF (your choice)

How to Request:

• Contact us: [email protected] or 1-800-378-6132
• Specify "Data Portability Request" and preferred format

Response Time: Within 30 days

Cost: FREE

16.5 RIGHT TO WITHDRAW CONSENT (OPT-OUT)

What It Means:
If we process your information based on consent, you can withdraw that consent anytime.

What You Can Withdraw Consent For:

Marketing Emails:

• Click "Unsubscribe" in any marketing email
• Update preferences in your account settings
• Contact us to opt out
• Transactional emails (order confirmations) cannot be opted out (required for service)

Cookies:

• Adjust settings in our cookie consent banner (footer link: "Cookie Settings")
• Decline non-essential cookies (analytics, advertising, functional)
• Clear cookies in your browser settings

Saved Payment Methods:

• Remove from your account settings
• Contact us to remove Helcim customer code (phone orders)

AI Chat Data Sharing:

• Stop using AI chat tool
• Delete existing chat history from account dashboard
• Contact us to request full deletion of AI data

Maintenance Reminders:

• Unsubscribe from reminder emails
• Update preferences in account settings

SMS Reminders:

• Reply "STOP" to any SMS
• Update preferences in account settings

Reviews/Testimonials:

• Contact us to remove your review from our website, marketing materials, AND the Endorsal platform
• We will handle the removal process from all locations

Consequences of Withdrawal:

• Some services may no longer be available (e.g., cannot use account without authentication cookies)
• We'll explain any impact before processing your request

16.6 RIGHT TO OBJECT (REFUSE PROCESSING)

What It Means:
You can object to certain types of processing, especially for marketing and automated decision-making.

What You Can Object To:

Marketing and Advertising:

• Email marketing (unsubscribe)
• Personalized advertising (opt out of ad cookies)
• Profiling for marketing purposes

Automated Decision-Making:

• Request human review of AI recommendations
• Consult with our team instead of relying on AI chat
• Request manual processing of orders flagged by fraud detection

How to Object:

• Email: [email protected]
• Phone: 1-800-378-6132
• Specify what processing you object to and why

Response Time: Within 30 days

16.7 RIGHT TO RESTRICT PROCESSING (LIMIT USE)

What It Means:
In certain situations, you can request that we limit how we use your information.

When You Can Request Restriction:

• You contest the accuracy of information (restrict use until verified)
• Processing is unlawful but you don't want data deleted
• We no longer need the data, but you need it for legal claims
• You've objected to processing (restrict while we review objection)

How to Request:

• Contact us: [email protected] or 1-800-378-6132
• Explain why you're requesting restriction

What Happens:

• We'll mark your data as restricted
• We'll only use it for limited purposes (e.g., legal claims, with your consent)
• We'll notify you before lifting restriction

16.8 RIGHT TO COMPLAIN (FILE A COMPLAINT)

What It Means:
If you're not satisfied with how we handle your personal information or respond to your requests, you can file a complaint with privacy regulators.

How to Complain to Us First:

Step 1: Contact Our Privacy Officer

• Jean-Sébastien Gagné
• Phone: 1-800-378-6132
• Email: [email protected]
• Mail: Bio-Sol, Attn: Privacy Complaint, 78 Authier Street East, St-Alphonse-de-Granby, Quebec, Canada J0E 2A0

Step 2: We Investigate

• We'll acknowledge your complaint within 5 business days
• We'll investigate and respond within 30 days
• We'll explain our findings and any corrective actions

Step 3: Still Not Satisfied?

• You can escalate to privacy regulators (see below)

File a Complaint with Privacy Regulators:

For Quebec Residents:

Commission d'accès à l'information du Québec (CAI)
Website: https://www.cai.gouv.qc.ca/
Phone: 1-888-528-7741 (toll-free in Quebec)
Email: [email protected]
Mail:
Commission d'accès à l'information du Québec
525, boul. René-Lévesque Est, bureau 1.20
Québec (Québec) G1R 5S9

For Canadian Residents (Federal):

Office of the Privacy Commissioner of Canada (OPC)
Website: https://www.priv.gc.ca/
Phone: 1-800-282-1376 (toll-free in Canada)
Email: [email protected]
Online Complaint: https://www.priv.gc.ca/en/report-a-concern/file-a-formal-privacy-complaint/
Mail:
Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec K1A 1H3

Note: Filing a complaint with regulators is free and does NOT require a lawyer.

16.9 RIGHT TO BE INFORMED (TRANSPARENCY)

What It Means:
You have the right to clear, transparent information about how we collect and use your personal information.

How We Comply:

• This Privacy Policy explains our practices in detail
• Cookie banner discloses tracking technologies
• Account creation explains what data we collect
• Checkout clearly shows data sharing (payment processors, shipping)
• AI chat tool includes disclaimer about OpenAI data sharing
• We notify you of significant changes to this Privacy Policy

16.10 RIGHT TO NOT BE DISCRIMINATED AGAINST

What It Means:
We will NOT discriminate against you for exercising your privacy rights.

We Will NOT:

• Deny you service
• Charge you different prices
• Provide lower quality service
• Retaliate in any way

You Can:

• Exercise any of your privacy rights without fear of consequences
• Opt out of marketing while still receiving service
• Request data deletion while still placing orders (order data retained per legal requirements)

16.11 HOW TO EXERCISE YOUR RIGHTS

Contact Information:

Privacy Contact Person:
Jean-Sébastien Gagné

Contact Methods:

• Phone: 1-800-378-6132 (Monday-Friday, 9:00 AM - 4:30 PM EST; call center available outside business hours)
• Email: [email protected] (24/7 - we respond within 1 business day)
• Contact Form: Available on our website (specify "Privacy Request")
• Mail: Bio-Sol, Attn: Privacy Rights Request, 78 Authier Street East, St-Alphonse-de-Granby, Quebec, Canada J0E 2A0

What to Include in Your Request:

1. Your full name
2. Email address associated with your account (for verification)
3. Phone number (optional, for follow-up)
4. Specific right you're exercising (access, correction, deletion, etc.)
5. Details of your request (what data, what correction, etc.)
6. Preferred response method (email, phone, mail)

Identity Verification:

• We'll verify your identity before processing requests (to protect your privacy)
• May require: Account password, order number, or government-issued ID (for sensitive requests)

Response Time:

• 30 days from receipt of verified request (Quebec Bill 25 requirement)
• May extend by 30 additional days if complex (we'll notify you)

Cost:

• FREE for most requests
• Reasonable fee may apply for:
  • Excessive or repetitive requests
  • Large volumes of data export
  • Physical mail copies (postage cost)

Language:

• Requests and responses available in English or French (your choice)

16.12 MINORS (CHILDREN UNDER 18)

Our Policy:

• Our products and services are intended for adults aged 18 and older (homeowners, business owners, property managers)
• We do NOT knowingly collect personal information from children under 13
• Teens 13-17 should have parental consent before creating accounts

If We Discover:

• If we learn we've collected information from a child under 13 without parental consent, we'll delete it immediately

Parents:

• If you believe your child has provided us information, contact us immediately: [email protected] or 1-800-378-6132

16.13 SUMMARY OF RIGHTS

Access See what info we have Contact us: [email protected] Correction Fix inaccurate info Account settings or contact us Deletion Delete your info (with exceptions) Contact us (7-year retention for orders) Portability Get your data in usable format Contact us Withdraw Consent Opt out of marketing, cookies, etc. Unsubscribe, cookie settings, contact us Object Refuse certain processing Contact us Restrict Limit use of your info Contact us Complain File privacy complaint Us first, then CAI or OPC Be Informed Clear info about practices This Privacy Policy No Discrimination Equal service regardless of rights Automatic (we don't discriminate)

Response Time: 30 days for all requests

Contact: Jean-Sébastien Gagné, [email protected], 1-800-378-6132

17.1 AGE RESTRICTION

Intended Audience:
Our website, products, and services are intended for adults aged 18 and older (homeowners, business owners, property managers, RV owners).

We Do NOT Target Children:

• Our products are for septic system maintenance (adult responsibility)
• Our website content is written for adult audiences
• We do NOT knowingly market to children

17.2 CHILDREN UNDER 13

COPPA Compliance (US Standard Adopted):

We do NOT knowingly collect personal information from children under 13 years old without verified parental consent.

If We Discover:

• If we learn that we've inadvertently collected personal information from a child under 13
• We will delete that information immediately
• We will close any account created by a child under 13

Parents/Guardians:

• If you believe your child under 13 has provided us with personal information, please contact us immediately:
  • Email: [email protected]
  • Phone: 1-800-378-6132
• We will promptly delete the information and close any associated account

17.3 TEENS (13-17 YEARS OLD)

Parental Consent Recommended:

• Teens aged 13-17 should obtain parental consent before:
  • Creating an account
  • Making purchases
  • Using our AI chat tool
  • Subscribing to our newsletter

Parent/Guardian Responsibilities:

• Monitor your teen's online activity
• Review this Privacy Policy with your teen
• Contact us if you have concerns about your teen's use of our services

17.4 AGE VERIFICATION

How We Verify Age:

• We do NOT actively verify age during account creation
• We rely on users to accurately represent their age
• Our Terms of Use require users to be 18 years of age or older (or have parental consent)

If Suspected Minor:

• If we have reason to believe an account belongs to a minor, we may:
  • Request age verification
  • Request parental consent
  • Suspend or terminate the account if verification is not provided

18.1 GEOGRAPHIC SCOPE

Primary Service Area:
We primarily serve customers in Canada (all provinces).

Shipping:

• Canada: We ship to all Canadian provinces
• International: We do NOT currently ship internationally
• Note: We currently ship within Canada only. If we expand to international shipping, this Privacy Policy will be updated accordingly.

18.2 CANADIAN PRIVACY LAWS

Laws We Comply With:

• Quebec Bill 25 (Law 25) - Act respecting the protection of personal information in the private sector
• PIPEDA - Personal Information Protection and Electronic Documents Act (Federal Canada)
• CASL - Canadian Anti-Spam Legislation
• Consumer Protection Act (Quebec)

For Quebec Residents:

• Quebec Bill 25 provides you with enhanced privacy rights
• See Section 16 (Your Rights) for detailed information

For Other Canadian Residents:

• PIPEDA provides you with privacy rights similar to Quebec Bill 25
• See Section 16 (Your Rights) for detailed information

18.3 CROSS-BORDER DATA TRANSFERS

IMPORTANT: Many of our service providers are based in the United States, which means your personal information may be transferred, stored, and processed outside of Canada.

US-Based Services:

• SendGrid (email)
• Stripe (payments)
• PayPal (payments)
• Pipedrive (CRM) - US/EU
• Cloudinary (storage)
• OpenAI (AI chat)
• Omnisend (email marketing)
• Google (Analytics, Ads)
• Meta/Facebook (Ads)
• Endorsal (reviews)
• Render.com (hosting, database - Oregon, USA)
• AWS S3 (database backups - Oregon, USA)

Legal Implications:

• US PATRIOT Act - US government may access data stored in US
• US CLOUD Act - US government may request data from US companies
• US Privacy Laws - Different from Canadian laws (generally less protective)
• US Court Orders - US companies may be compelled to disclose data

How We Protect Your Data:

• Data processing agreements with all US-based vendors
• Vendors contractually required to protect your data
• Vendors must comply with applicable privacy laws
• We limit data sharing to only what's necessary
• We monitor vendor compliance and security practices

Your Consent:

• By using our services, you consent to cross-border transfer of your personal information to the United States
• If you do NOT consent, please do NOT use our services

18.4 INTERNATIONAL VISITORS

If You Visit Our Website from Outside Canada:

Data Collection:

• We may still collect your information (IP address, browsing data) as described in this Privacy Policy
• We do NOT currently ship products internationally
• You may browse our website and use informational features (e.g., read FAQs, blog posts)

Privacy Rights:

• You may have privacy rights under your local laws (e.g., GDPR in EU, CCPA in California)
• We primarily comply with Canadian privacy laws
• Contact us if you wish to exercise rights under your local laws: [email protected]

Disclaimer:

• Our services are NOT designed or intended for international users
• We make NO representations that our services comply with laws outside of Canada
• Use at your own risk if accessing from outside Canada

18.5 EUROPEAN UNION (GDPR)

EU/EEA Residents:

While we do NOT actively target EU/EEA residents, if you visit our website from the EU/EEA:

GDPR Rights (Similar to Quebec Bill 25):

• Right to access, correction, deletion, portability, restriction, objection
• See Section 16 (Your Rights) for how to exercise these rights

Legal Basis for Processing:

• Consent (marketing, cookies, optional features)
• Contract performance (order processing, account management)
• Legal obligation (tax, accounting, legal requirements)
• Legitimate interests (fraud prevention, security, analytics)

EU Data Processing:

• Some of our vendors (Pipedrive, Google, Cloudinary) have EU operations
• Data may be stored in EU data centers in some cases
• Cross-border transfers covered by Standard Contractual Clauses (SCCs) or adequacy decisions

EU Data Protection Officer:

• We do NOT have a dedicated EU Data Protection Officer (DPO)
• Contact our Privacy Officer: Jean-Sébastien Gagné, [email protected]

EU Supervisory Authority:

• You may file a complaint with your local data protection authority
• Find yours: https://edpb.europa.eu/about-edpb/board/members_en

18.6 CALIFORNIA (CCPA/CPRA)

California Residents:

While we do NOT actively target California residents, if you visit our website from California:

CCPA Rights (Similar to Quebec Bill 25):

• Right to know what personal information we collect
• Right to deletion
• Right to opt out of "sale" of personal information
• Right to non-discrimination

Do We "Sell" Your Information?

• We do NOT sell your personal information for money
• However, sharing data with advertising partners (Google Ads, Facebook Pixel) may be considered a "sale" under broad CCPA definition
• You can opt out by declining advertising cookies in our cookie banner

How to Exercise CCPA Rights:

• Contact us: [email protected] or 1-800-378-6132
• See Section 16 (Your Rights) for detailed instructions

19.1 DO NOT TRACK (DNT)

What It Is:
Some web browsers have a "Do Not Track" (DNT) setting that sends a signal to websites requesting not to be tracked.

Our Response:
We do NOT currently respond to DNT signals, as there is no industry standard for how websites should interpret and respond to DNT.

Alternative:
Use our cookie consent banner to decline analytics and advertising cookies for similar effect.

19.2 GLOBAL PRIVACY CONTROL (GPC)

What It Is:
Global Privacy Control (GPC) is a newer privacy signal that allows users to automatically opt out of data sharing/selling.

Our Response:
We do NOT currently respond to GPC signals.

Note:
We may implement GPC support as it becomes more widely adopted in the future.

Alternative:
Use our cookie consent banner to decline advertising cookies and opt out of data sharing with advertising partners.

20.1 MERGER, ACQUISITION, OR SALE

What Happens to Your Data:

If Bio-Sol is involved in a merger, acquisition, sale of assets, bankruptcy, or other business transaction:

Your Personal Information May Be Transferred:

• Your account information
• Order history and transaction records
• Customer data in our CRM (Pipedrive)
• All data described in this Privacy Policy

Your Rights:

• You'll be notified of any business transfer (via email and website notice)
• The new owner will be bound by this Privacy Policy (or you'll be notified of a new policy)
• You can delete your account before the transfer (order records retained per legal requirements)
• You can opt out of marketing under the new owner

Due Diligence:

• Potential buyers may review customer data during due diligence
• We'll require buyers to sign confidentiality agreements

20.2 BANKRUPTCY OR LIQUIDATION

If Bio-Sol Ceases Operations:

Data Handling:

• Customer data may be treated as a business asset
• May be sold or transferred to another company
• We'll make reasonable efforts to notify you

Your Options:

• Request data deletion before closure (if possible)
• Opt out of marketing from any successor company
• Contact regulators if you have concerns

21.1 EXTERNAL LINKS

What This Means:
Our website may contain links to third-party websites (social media, YouTube, blogs, resources).

We Are NOT Responsible For:

• Privacy practices of third-party websites
• Content on third-party websites
• Security of third-party websites
• How third-party websites collect or use your information

Your Responsibility:

• Read the privacy policy of any website you visit
• Understand what data they collect before providing personal information
• Be cautious of phishing sites or fraudulent websites

Third-Party Links We May Include:

• Social media (Facebook, LinkedIn, Twitter/X)
• YouTube (testimonial videos)
• Review platforms (Endorsal)
• Educational resources (septic system articles, government sites)
• Partner websites (if applicable)

21.2 SOCIAL MEDIA

Our Social Media Presence:

• Facebook: https://www.facebook.com/biosolentreprise/
• LinkedIn: https://ca.linkedin.com/company/bio-sol
• Twitter/X: https://x.com/biosolqcca

What Happens When You Interact:

• Social media platforms (Meta/Facebook, LinkedIn, X/Twitter) collect your information per their own privacy policies
• We may see your public profile information if you follow, like, or comment
• We do NOT have access to your private social media data

Privacy Policies:

• Facebook/Meta: https://www.facebook.com/privacy/policy/
• LinkedIn: https://www.linkedin.com/legal/privacy-policy
• Twitter/X: https://twitter.com/en/privacy

21.3 EMBEDDED CONTENT

YouTube Videos:

• We embed YouTube videos (testimonials) on our website
• YouTube sets cookies and tracks views (per YouTube's privacy policy)
• We use "Privacy-Enhanced Mode" when possible to reduce tracking
• YouTube Privacy Policy: https://policies.google.com/privacy

Other Embedded Content:

• Maps (Google Maps - if implemented)
• Social media widgets (Facebook, LinkedIn, Twitter - if implemented)
• Each service has its own privacy policy

Your Control:

• Decline advertising cookies to block some third-party tracking
• Use browser extensions to block trackers
• Avoid clicking on embedded content if you don't want to be tracked

22.1 AI-POWERED RECOMMENDATIONS

What We Do:

• Use OpenAI (ChatGPT) to analyze your septic system information and provide product recommendations

How It Works:

• You provide information about your septic system (type, age, problems, etc.)
• AI analyzes your input and compares to Bio-Sol's product database
• AI generates personalized recommendations

IMPORTANT LIMITATIONS:

• AI recommendations are informational only, NOT professional advice
• AI may make errors or misinterpret information
• AI cannot account for all factors (local regulations, unique situations, physical damage)
• Always verify recommendations with our team or a professional
• Follow local regulations first (see Terms of Use for full disclaimer)

Your Rights:

• Request human review of AI recommendations (contact our team)
• Consult with our staff instead of using AI chat
• Not bound by AI recommendations
• Delete AI chat history anytime

We Are NOT Responsible For:

• Incorrect AI recommendations
• Misinterpretation of your input
• Reliance on AI advice without professional consultation
• Results or outcomes from following AI recommendations

22.2 FRAUD DETECTION

What We Do:

• Use automated fraud detection through our payment processors (Stripe, Helcim)

How It Works:

• Payment processors analyze transaction patterns, IP addresses, device fingerprints, and other data
• Transactions flagged as "high risk" may be declined or require additional verification

Impact:

• Your transaction may be declined if flagged as potentially fraudulent
• You may be asked to provide additional verification (e.g., verify identity, contact bank)

Your Rights:

• Request manual review if your transaction was incorrectly declined
• Contact us to process order via alternative method (phone, e-transfer)
• Contact your bank to verify transaction

We Are NOT Responsible For:

• Payment processor fraud detection decisions
• False positives (legitimate transactions flagged as fraud)
• Delays due to fraud checks

22.3 EMAIL PERSONALIZATION

What We Do:

• Use Omnisend to automatically personalize email content and timing

How It Works:

• Omnisend analyzes your behavior (products viewed, cart abandonment, purchase history)
• Automatically sends personalized emails (cart reminders, product recommendations)
• Optimizes email send time based on when you're most likely to open emails

Impact:

• You receive more relevant emails
• Emails may be sent at different times for different customers

Your Rights:

• Unsubscribe from marketing emails anytime
• Opt out of personalized advertising (decline advertising cookies)

22.4 NO OTHER AUTOMATED DECISIONS

We Do NOT Use Automated Decision-Making For:

• Credit decisions (we don't offer credit)
• Employment decisions (not applicable)
• Denying service or access
• Pricing or discounts (same prices for all customers)
• Account termination (manual review required)

All Significant Decisions Involve Human Review.

23.1 ACCESSIBLE PRIVACY POLICY

How to Access This Privacy Policy:

• Website: Available at www.bio-sol.ca/privacy-policy
• Languages: English and French
• Format: HTML (web page), PDF download available
• Print: You can print this policy from your browser

Accessibility Features:

• Clear headings and structure
• Plain language (where possible)
• Table of contents for easy navigation
• Compatible with screen readers

23.2 ALTERNATIVE FORMATS

If you need this Privacy Policy in an alternative format:

• Large print
• Audio recording
• Braille
• Other accessible format

Contact us:

• Phone: 1-800-378-6132
• Email: [email protected]

We'll provide the policy in your requested format within a reasonable timeframe (usually 5-10 business days).

23.3 ACCESSIBILITY ASSISTANCE

If you need help exercising your privacy rights:

• We offer assistance by phone: 1-800-378-6132
• Our staff can help you complete requests
• We provide service in English and French
• We'll accommodate your needs to the best of our ability

24.1 PRIVACY CONTACT

For All Privacy Matters:

Privacy Contact Person:
Jean-Sébastien Gagné

Contact Methods:

Phone:
1-800-378-6132
Monday-Friday, 9:00 AM - 4:30 PM EST
(Call center available outside business hours)

Email:
[email protected]
(We respond within 2 business day)

Contact Form:
Available on our website: www.bio-sol.ca/contact-us
(Specify "Privacy Request" in subject)

Mail:
Bio-Sol
Attn: Jean-Sébastien Gagné - Privacy Requests
78 Authier Street East
St-Alphonse-de-Granby, Quebec
Canada J0E 2A0

Languages:
Service available in English and French

24.2 WHAT YOU CAN CONTACT US ABOUT

Privacy Rights Requests:

• Access your personal information
• Correct inaccurate information
• Delete your account/information
• Export your data (portability)
• Withdraw consent
• Object to processing
• Restrict processing
• File a privacy complaint

Privacy Questions:

• How we use your information
• Who we share information with
• Data retention periods
• Security measures
• Third-party services
• Cookie policy

Security Issues:

• Report suspected data breach
• Report unauthorized account access
• Report security vulnerabilities
• For urgent security issues, email with subject: "SECURITY ISSUE"

Policy Questions:

• Clarification on policy terms
• Translation assistance (English/French)
• Alternative format requests
• Accessibility assistance

24.3 RESPONSE TIME

We Are Committed to:

• Acknowledge your request within 5 business days
• Respond fully within 30 days (Quebec Bill 25 requirement)
• Notify you if we need an extension (complex requests may require additional 30 days)
• Explain if we cannot fulfill your request and why

Response Format:

• Email (default)
• Phone call (upon request)
• Mail (upon request)
• In-person meeting (by appointment, for complex matters)

24.4 IDENTITY VERIFICATION

To Protect Your Privacy:

Before processing privacy requests, we'll verify your identity to ensure we're disclosing information to the right person.

Verification Methods:

• Account login (for account holders)
• Email confirmation (sent to email on file)
• Phone verification (call-back to number on file)
• Order number and billing address (for recent customers)
• Government-issued ID (for sensitive requests like deletion)

Why We Verify:

• Prevent unauthorized access to your information
• Comply with privacy laws (protect personal information)
• Ensure accuracy of responses

If You Cannot Verify:

• We'll work with you to find an alternative verification method
• We may deny requests if identity cannot be verified (to protect your privacy)

25.1 HOW WE UPDATE THIS POLICY

We May Update This Privacy Policy When:

• We add new features or services
• We change how we collect or use information
• We add or change third-party service providers
• Laws or regulations change
• Best practices evolve

Types of Changes:

Minor Changes:

• Clarifications or formatting improvements
• Correcting typos or broken links
• Adding examples or explanations
• No material impact on your privacy

Material Changes:

• New types of data collection
• New ways of using your information
• New third-party services that receive your data
• Changes to your privacy rights
• Significant changes to data retention or security

25.2 HOW WE NOTIFY YOU

For ALL Changes:

• Update "Last Updated" date at the top of this policy
• Post updated policy on our website

For Material Changes:

• Email notification to all account holders (30 days before taking effect)
• Prominent website banner announcing changes
• Highlight changes in the notification (what's new)
• Request renewed consent if required by law (e.g., new cookies, new data uses)

Your Options:

• Review changes before they take effect
• Contact us if you have questions or concerns
• Delete your account if you don't agree with changes (order records retained per legal requirements)
• Opt out of new optional features (e.g., new marketing channels)

25.3 EFFECTIVE DATE OF CHANGES

When Changes Take Effect:

• Material Changes: 30 days after notification (gives you time to review)
• Minor Changes: Immediately upon posting (clarifications only, no impact on privacy)

Continued Use Constitutes Acceptance:

• By continuing to use our services after changes take effect, you accept the updated Privacy Policy
• If you don't agree, stop using our services and contact us about account deletion

25.4 ARCHIVED VERSIONS

Previous Versions:

• We maintain archived versions of previous Privacy Policies
• Available upon request: [email protected]

Why This Matters:

• You can see how our practices have evolved over time
• Useful for understanding how your data was handled at a specific point in time

26.1 APPLICABLE LAW

This Privacy Policy Is Governed By:

• Quebec Bill 25 (Law 25) - Act respecting the protection of personal information in the private sector
• PIPEDA - Personal Information Protection and Electronic Documents Act (Canada)
• Laws of the Province of Quebec
• Laws of Canada

In Case of Conflict:

• If there's a conflict between this Privacy Policy and applicable law, the law prevails
• We'll update this policy to reflect legal requirements

26.2 JURISDICTION (WHERE DISPUTES ARE RESOLVED)

Courts of Quebec:

• Any legal dispute related to this Privacy Policy shall be resolved in the courts of Quebec, Canada
• Specifically, the judicial district of Bedford (or the district where Bio-Sol is located)

Why Quebec:

• Bio-Sol is a Quebec-based company
• Subject to Quebec privacy laws
• Most convenient forum for our operations

Your Rights:

• You may still file complaints with privacy regulators (CAI, OPC) regardless of jurisdiction clause
• Consumer protection laws may provide additional rights

27.1 OFFICIAL VERSIONS

This Privacy Policy Is Available In:

• English - www.bio-sol.ca/en/privacy-policy
• French - www.bio-sol.ca/fr/politique-de-confidentialite

In Case of Discrepancy:

• In Quebec, if there's any difference between the English and French versions, the French version prevails (Quebec language laws)
• Outside Quebec, the English version may apply

27.2 TRANSLATION DISCLAIMER

Professional Translation:

• Both English and French versions are professionally prepared
• We strive for accuracy in both languages

If You Notice Errors:

• Contact us if you notice translation errors or discrepancies
• Email: [email protected]
• We'll review and correct as needed

If Any Part Is Invalid:

If any provision of this Privacy Policy is found to be invalid, illegal, or unenforceable by a court or regulatory authority:

• Only that provision is invalid (not the entire policy)
• Rest of the policy remains in full effect
• Invalid provision will be replaced with a valid provision that achieves the same intent

Example:

• If a specific data retention period is found to violate law, only that retention period changes
• Rest of the policy (data collection, your rights, security, etc.) remains valid

No Waiver of Rights:

If we do NOT enforce a provision of this Privacy Policy in a specific instance, it does NOT mean we waive our right to enforce it in the future.

Example:

• If we don't immediately delete data after retention period expires in one case, it doesn't mean we've abandoned our retention policy
• We may still enforce proper data retention in all other cases

This Privacy Policy:

• Represents our complete privacy practices
• Supersedes any prior privacy statements, notices, or policies
• Works together with our Terms of Use (separate document)

Terms of Use:

• See our Terms of Use for other important terms (returns, warranties, liability, etc.)
• Privacy Policy and Terms of Use together form the complete agreement

Relationship:

• This Privacy Policy focuses on privacy and data protection
• Terms of Use covers service terms, product disclaimers, legal terms
• Both are binding when you use our services

31.1 HEADINGS

Section Headings:

• Headings and subheadings are for convenience only
• Do NOT limit or define the content of sections
• Used for navigation and readability

31.2 DEFINITIONS

Key Terms Used in This Policy:

"We," "Us," "Our," "Bio-Sol":
Refers to 9403-3974 Québec Inc., operating as Bio-Sol

"You," "Your":
Refers to the user, customer, or visitor using our website or services

"Personal Information":
Information that identifies you or can be used to identify you (name, email, address, phone, IP address, etc.)

"Services":
Our website, products, customer support, AI chat tool, and all other offerings

"Account":
Your customer account on our website (if you create one)

"Order":
Any purchase of products from Bio-Sol (online, phone, email, in-person)

"Third-Party":
Any company or service provider other than Bio-Sol (e.g., Stripe, Google, Omnisend)

"Cookie":
Small text file stored on your device by your web browser

"Processing":
Any operation performed on personal information (collection, storage, use, disclosure, deletion, etc.)

"Consent":
Your agreement to allow us to collect or use your personal information for a specific purpose

31.3 EXAMPLES

Illustrative Only:

• Examples provided throughout this policy (marked with "e.g.," "such as," "for example") are illustrative, not exhaustive
• Just because something isn't listed as an example doesn't mean it's not covered by the policy

32.1 RELATED POLICIES

Other Important Documents:

• Terms of Use: www.bio-sol.ca/terms-of-use
• Cookie Policy: Included in Section 12 of this Privacy Policy
• Return Policy: See FAQ or Terms of Use

32.2 PRIVACY EDUCATION

Learn More About Privacy:

Canadian Resources:

• Office of the Privacy Commissioner of Canada: https://www.priv.gc.ca/
• Commission d'accès à l'information du Québec: https://www.cai.gouv.qc.ca/

Your Privacy Rights:

• PIPEDA Summary: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/
• Quebec Bill 25 Info: https://www.cai.gouv.qc.ca/loi-25/

Privacy Tips:

• Use strong, unique passwords
• Enable two-factor authentication (when available)
• Be cautious of phishing emails
• Review privacy policies before sharing personal information
• Regularly review your account security settings

33.1 BY USING OUR SERVICES, YOU ACKNOWLEDGE:

• You have read and understood this Privacy Policy
• You agree to the collection, use, and disclosure of your personal information as described
• You consent to cross-border data transfers to the United States (where applicable)
• You understand your privacy rights and how to exercise them
• You understand that some information must be retained for 7 years (tax law)
• You can withdraw consent or delete your account anytime (subject to legal retention)
• You have the right to file a complaint with privacy regulators if dissatisfied

33.2 IF YOU DO NOT AGREE:

• Do NOT use our website or services
• Do NOT create an account
• Do NOT place orders
• Do NOT provide personal information

Contact us if you have questions or concerns: [email protected] or 1-800-378-6132

34.1 OUR COMMITMENT

We Are Committed To:

• Transparency - Clear communication about our privacy practices
• Security - Protecting your information with industry-standard measures
• Respect - Honoring your privacy rights and preferences
• Compliance - Following Canadian and Quebec privacy laws
• Accountability - Taking responsibility for data protection
• Continuous Improvement - Regularly reviewing and updating our practices

34.2 YOUR TRUST

We Value Your Trust:

Your privacy is important to us. We handle your personal information with care and respect. If you have any questions, concerns, or feedback about our privacy practices, please don't hesitate to contact us.

Thank you for choosing Bio-Sol.

Privacy Contact Person: Jean-Sébastien Gagné

Phone: 1-800-378-6132
Email: [email protected]
Website: www.bio-sol.ca
Mail: Bio-Sol, 78 Authier Street East, St-Alphonse-de-Granby, Quebec, Canada J0E 2A0

Languages: English and French
Response Time: 30 days
Office Hours: Monday-Friday, 9:00 AM - 4:30 PM EST

DOCUMENT INFORMATION

Document Title: Privacy Policy
Version: 1.0
Last Updated: 2026-01-15
Effective Date: 2026-01-15
Next Review Date: 2027-01-15
Language: English (French version available)
Format: Web page (www.bio-sol.ca/privacy-policy)
Alternative Formats: Available upon request
Governing Law: Quebec and Canadian law
Company: Bio-Sol (9403-3974 Québec Inc.)
NEQ: 1174797903
Contact: [email protected] | 1-800-378-6132