Privacy Policy

1. Introduction
   BEFORE USING THE WEBSITE AND OUR APPLICATIONS, PLEASE READ OUR PRIVACY POLICY CAREFULLY (the “Policy“). This Policy addresses the protection of Personal Information (hereinafter defined) by AGENDRIX INC., doing business as AGENDRIX (hereinafter referred to as “Agendrix” or “we“).We take special care to protect your Personal Information (as defined below) collected through our website www.agendrix.com and our applications (hereinafter collectively referred to as “Applications“) and through the Agendrix Products (hereinafter collectively referred to as, with the Applications, the “Platform“).

   However, this Policy applies, in its entirety, only to Personal Information of the Applications users (hereinafter: “you“). Its purpose is to explain how we collect, use and disclose your Personal Information.

   If you are an Authorized User of a Customer, any section of this Policy is applicable to you only where it specifically provides that it applies to such users. Each Customer is responsible for complying with the legal obligations applicable to persons who collect Personal Information about others and, in this respect, is responsible for obtaining valid consent for its collection, disclosure and use. In addition, the Customer shall be responsible for establishing its own privacy policy, determining the safeguards applicable to Personal Information and providing the persons concerned by such information with the means to exercise their rights.

   In addition, this Policy does not apply to Personal Information about our employees, and Personal Information about our Subprocessors (as those terms are defined in Section 6 of this Policy).

   Lastly, this Policy aims to comply with Canadian and Quebec laws relating to the protection of Personal Information and, where applicable, the General Data Protection Regulation (“GDPR“).

   For the purposes of this Policy, the following definitions shall apply:

   1. “Account Administrator“: member of an Organization to which the Organization grants the right to administer the account, which right includes the following prerogatives:
      1. amendment of the User Account information;
      2. addition of Authorized Users and their User Profiles;
      3. amendment of payment information;
      4. performance of any operation related to the business relationship of the Organisation with Agendrix.
   2. “Agendrix Products” means:
      1. the Agendrix solutions, software as a service for the management of work schedules and communication among Authorized Users, including planning, time clocking (fixed and mobile time clocks), time (attendance) sheets, instant and deferred messaging services as well as the distribution/coordination of services on-site and at a client’s premises and the Photo Punch service  associated with the time clocks when an Organization subscribes for that functionality;
      2. the Agendrix solutions offered in whole or in part as mobile apps for smartphones or tablets;
      3. any other solution providing new functionalities which may be added in the form of a module to the solutions listed in (1) and (2); and
      4. support for Authorized Users and related maintenance provided by Agendrix.
   3. “Authorized User“: member of a Customer, Organization or Affiliate which an Account Administrator authorizes to use the Agendrix Products after the Customer has paid all related charges. An Authorized User may be a member of several Customers, Organizations or Affiliates, as the case may be.
   4. “Customer“: an Organization designated on the registration form who has received an email confirming the order of Agendrix Products.
   5. “Organization“: a person who carries on a business, limited partnership, limited liability company, partnership, union, employer organization, sole proprietorship, business corporation or company (with or without share capital), legal person, cooperative, trust, unincorporated association, joint venture, non-profit or not-for-profit organization, government authority or any other entity, regardless its legal form, incorporation status or the jurisdictions in which it operates, carrying on an organized activity of any nature whatsoever and which uses the Agendrix Products. An Authorized User who manages the schedules of other Authorized Users is considered an Organization.
   6. “Personal Information“: any information pertaining to a natural person which directly or indirectly allows the person to be identified. For the purposes of this Policy, Personal Information corresponds to “personal data” within the meaning of the GDPR.
   7. “User Profile“: all Personal Information concerning an Authorized User transcribed in an intelligible and structured manner which is accessible and modifiable via the Platform.
2. Personal Information We Collect
   We collect only the Personal Information about you that is necessary to establish, manage and maintain our relationship with you. This collection is limited, in most cases, to the following Personal Information:
   1. Last name, First name;
   2. Date of birth;
   3. Email address, mailing address, phone numbers;
   4. Banking information, if applicable; and
   5. Cookies (see Section 9 of this Policy for more details). We may collect Personal Information through the Applications, when you sign a contract or, more broadly, when you interact with one of our employees or representatives by email, telephone or in person.Personal Information that is entered by Authorized Users in their User Profiles is the responsibility of their Organizations.
3. Your Consent
   Your consent to the collection, use or disclosure of your Personal Information must be freely given, unambiguous, and informed. It must be given for specific purposes. Our policies and contracts are written in plain language to make it easier for you to understand the nature, purposes and consequences of the collection, use and disclosure of your Personal Information.Depending on the nature and sensitivity of your Personal Information, your consent may be explicit (such consent may be given verbally, in writing or electronically) or implied (when you voluntarily provide Personal Information, for instance).

   Generally, we will seek your consent, except where otherwise required or permitted by law. If you are an Authorized User, our Terms and Conditions require your Organization to obtain your consent, and we presume that it is acting within the limits set by law. In the event that you witness or experience a breach in this regard, you may notify us using the contact information provided at the end of the Policy.

   By using the Applications, you consent to the use of your Personal Information in accordance with this Policy.

4. Security and Governance
   Cybersecurity is a priority for us. As such, we have adopted policies and practices to guide our governance of Personal Information. These policies and practices provide for the following:
   1. The framework applicable to the use, communication, retention and destruction of such information;
   2. The roles and responsibilities of our employees throughout the life cycle of the information;
   3. A process for handling complaints concerning the protection of the information. These policies and practices are as follows:
   4. Personal Information Management Policy: this policy establishes the categorization of the information according to its sensitivity, as well as the obligation we impose on ourselves to keep a record of all the types of use, communication, retention, destruction and any other type of operation we perform on the information;
   5. Information Security Policy: this policy establishes all our processes to protect the confidentiality, integrity and availability of the information and systems we possess;
   6. Subprocessor Management Policy: this policy sets out how we select our Subprocessors (as defined in Section 6), and the security requirements they must establish before receiving Personal Information. In addition to these administrative measures, we implemented physical and technological measures that are reasonable taking into consideration the sensitivity, use, quantity, distribution and media of the Personal Information.We take all reasonable steps to minimize the risk of a confidentiality breach. For instance:
   7. We apply the principles of maximum protection by default: we ensure that, by default, the Platform settings have the highest level of privacy, without you being required to do anything specific. Please note that cookies are not automatically disabled. However, you can do so by following the instructions in Section 9 of this Policy;
   8. When the use or disclosure of Personal Information is necessary for a modification to the Platform or the deployment of new features, we conduct a privacy impact assessment, the results of which guide us in determining the appropriate set of measures to be implemented. The provisions of this section apply to Personal Information held by us about both Applications users and Authorized Users of our Customers.Security at Agendrix
5. Use of Personal Information
   Personal Information of the Applications users and of the Authorized Users of our Customers is used only for the following purposes:
   1. Provide the Platform and ensure its security and optimal operation. The Platform allows for the management of work schedules, including planning, communications, time keeping (fixed and mobile time clocks), time sheets (attendance sheets), as well as the dispatch and coordination of field and customer services. It also allows for the management of other information related to work attendance.
   2. Identify an Applications user or an Authorized User and ensure the authenticity of the identification.
   3. Offer technical support.
   4. Offer training.
   5. If applicable, allow an Applications user or an Authorized User to perform operations on the Platform.
   6. From time to time, send newsletters and other promotional communications regarding our products, services, updates, news, tips & tricks and special offers. Each Agendrix employee who uses Personal Information is bound by confidentiality obligations and has received appropriate training. In addition, he or she may only access Personal Information that is necessary for the performance of his or her duties. In the event of a breach, our governance policies and practices (see Section 4) provide for sanctions.We only use Personal Information for the purposes stated above except where we are permitted by law, in very limited circumstances, to do so without your consent. Our Customers have the right to access the Personal Information they collect about their Authorized Users. To learn more, please review our Terms and Conditions and Acceptable Use Policy, pursuant to which they are required to implement security measures.

      This section applies to Personal Information that we hold about both Applications users and Authorized Users of our Customers.

1. Disclosure of Your Personal Information

To Whom?

We may disclose Personal Information to third parties in specific circumstances permitted by law. The following section summarizes these circumstances and the steps we take to protect such information.

Service providers, agents, Subprocessors (“Subprocessors”)

We may enter into contracts with Subprocessors to provide a service to our Customers, such as a Platform feature. These Subprocessors may also provide a service to you directly on our behalf.

We believe in transparency and maintain an up-to-date list of Subprocessors to whom Personal Information we hold is disclosed.

The contract requires Subprocessors to:

1. Use only Personal Information that is necessary for providing the service.
2. Refrain from disclosing or communicating Personal Information without our consent.
3. Implement rigorous security measures.
4. Allow us to audit these measures.
5. Notify us immediately of a confidentiality incident.
6. Destroy Personal Information at the end of a contract.

Another party in a Business Transaction

We may enter into a contract with a third party for the purpose of a Business Transaction. Such a transaction is defined as the disposition or lease of all or part of our business or its assets, a change in our legal structure by merger or otherwise, the obtaining of a loan or other form of financing or a security interest taken to secure any of our obligations (“Business Transaction”).

The contract requires the other party to:

1. Use Personal Information only for the purposes of entering into the Business Transaction.
2. Implement rigorous security measures.
3. Refrain from disclosing or communicating Personal Information without our consent.
4. Notify us immediately of a confidentiality incident.
5. Destroy Personal Information if the Business Transaction is not entered into or the Personal Information is no longer necessary for entering into the Business Transaction.

Legitimate authorities

In order to comply with a court order or decision, including a valid search warrant, or an order or decision of a regulatory authority, we may be required to provide Personal Information.

These authorities are required by their governing laws to establish measures to respect and preserve the confidentiality of your Personal Information.

We inform Customers of any requests from legitimate authorities to access Personal Information about their Authorized Users, unless otherwise stated by said legitimate authorities or provided by law. We decline to provide access where the request is not legally binding.

Our legal counsel

In order to defend or enforce our rights, we may, in certain circumstances, disclose your Personal Information.

Both the law and the retainer agreements we sign require our lawyers to protect the confidentiality of all our communications with them.

Where?

In the course of providing our services, we may disclose Personal Information outside Quebec, including in the following regions:

1. Canada;
2. Europe;
3. United States.

Personal Information is securely stored at Amazon Web Services (AWS) on servers located in Canada or the European Union. All Personal Information is encrypted on storage media.

Before disclosing Personal Information outside of Quebec, we conduct a privacy impact assessment that considers the sensitivity of the information, the purpose for which it will be used, the safeguards that will be provided, and the applicable legislation in the jurisdiction where the Personal Information will be disclosed.

Such disclosures will only be made if the assessment demonstrates that the Personal Information will be adequately protected. In addition, such disclosure will be subject to a written agreement that is based on all the findings of the assessment.

This section applies to Personal Information that we hold about both Applications users and Authorized Users of our Customers.

1. Retention
   We retain Personal Information about you only as long as necessary to fulfill the purpose for which it was collected, to comply with legal retention requirements, and as long as necessary to protect our legitimate business interests. We reserve the right to establish Personal Information destruction policies from time to time. If you request the destruction of your Personal Information, we will use reasonable efforts to comply with your request as soon as possible. Your User Account is deleted within 90 days following your request, although for technical reasons, some traces of your use may remain in our systems, including in connection logs and in backup copies for 12 months.In addition, we ensure that temporary files created during the collection, use, or disclosure of Personal Information are properly deleted as soon as they are no longer required.

   Please note that concerning Authorized Users of our Customers, they may have the right to retain certain information despite your request to delete it. Please contact your Organization’s Privacy Officer for more information on this issue.

2. Your Rights
   ALL REQUESTS FROM AUTHORIZED USERS SHOULD BE DIRECTED TO THE PRIVACY OFFICER OF THEIR ORGANIZATION. EXCEPT TO INFORM YOU OF THE SOURCE OF SUCH PERSONAL INFORMATION, WE DO NOT RESPOND TO SUCH REQUESTS AS WE LIMIT THEIR USE TO THAT WHICH IS NECESSARY TO FULFILL THE CONTRACT WITH OUR CUSTOMERS AND DELETE THEM AS INSTRUCTED BY THEM. YOU CAN DIRECTLY MAKE CHANGES TO YOUR USER PROFILE WHEN AUTHORIZED BY YOUR ORGANIZATION. For Applications users who are not Authorized Users of an Organization, you have the following rights:
   1. The right to be informed of the types of operations carried out on your Personal Information, including its use or disclosure (“processing” as defined in the GDPR). This is what this Policy is meant to achieve.
   2. The right to access your Personal Information by logging into the Platform and to obtain more details on how we conduct these operations. You may also exercise this right by sending an email to the email address provided at the end of this Policy with the subject line “Access to my personal data“.
   3. In some cases, you may object to, restrict or withdraw your consent to such operations by giving reasonable notice using the email address provided at the end of this Policy with the subject line “Objection, Restriction or Withdrawal (as applicable) of Consent“.
      Please note that if you choose to withdraw your consent, you may no longer be able to use the Applications.
   4. The right to have your Personal Information corrected if it is inaccurate or misleading and to have it completed if it is incomplete by sending an email to the email address provided at the end of this Policy with the subject line “Changing My Personal Information“.
   5. The right to have your Personal Information deleted subject to our legal obligations.
   6. The right to obtain your Personal Information in a commonly used digital form.
   7. The right to be informed of a confidentiality incident involving your Personal Information that may cause you serious harm. We maintain a register of all confidentiality incidents and assess the harm they may cause. For greater clarity, if a confidentiality incident affects a Customer’s Authorized Users, the Customer remains responsible for notifying you. However, please be assured that we will inform the Customer of such a situation as soon as possible. We will respond to any request within 30 days of receipt, except where the law permits an extension of that time. If we refuse to provide or correct the information, we will provide you with the reasons for the refusal, the applicable sections of the law and information about your remedies, all subject to the limitations of the law.If we refuse to rectify your Personal Information, we will allow you to place comments in your file in respect of the Personal Information for which rectification has been refused. We will also retain the Personal Information that has been the subject of an access request for as long as necessary to allow you to exhaust any recourse provided by law.
3. Cookies
   1. Definition
      A cookie is a small text sent by a server to your browser, which it will send back the next time it connects to servers sharing the same domain name. If you wish, you can set your browser to notify you when you receive cookies or to refuse them. You do not need to accept cookies to visit our Applications. However, if you refuse them, you could be unable to use some of their features.
   2. Types of cookies used by Agendrix
      Technical cookies: Technical cookies are used throughout the browsing experience to facilitate the use of the Applications. For example: a technical cookie may be used to remember your username to facilitate your login or to remember your preferences or options you have chosen. Analytical cookies: These cookies are anonymous and are used to collect statistics on the use of the Applications.Advertising cookies: These cookies may be added by the Applications or by other sites serving advertisements. These cookies collect information anonymously and build up your visitor profile.
4. Privacy Officer
   The Privacy Officer at Agendrix is Charles Vallières. This function corresponds to that of the Data Protection Officer (DPO) under the GDPR. If you have any questions or requests regarding the Policy, you can send an email to the following address: [email protected].
5. Changes
   Agendrix reserves the right to change the content of this Policy at any time. Any changes will be posted on our Platform and brought to your attention when you log in. We recommend that you print a copy of this Policy for your records and review this section of our Platform periodically.

The Privacy Policy was last amended on December 12, 2022.