Privacy Policy

QreativeLab inc. (hereinafter "QreativeLab", "we" or "our") is committed to protecting the privacy and personal information of its users, clients and visitors. This privacy policy explains our practices regarding the collection, use, disclosure and protection of your personal information, in accordance with Quebec's Act respecting the protection of personal information in the private sector (Law 25). QreativeLab is a company established in Quebec, Canada, and operates the website qreativelab.io.

In accordance with section 3.1 of Law 25, QreativeLab has designated a person responsible for the protection of personal information. This person ensures compliance with the law and handles requests and complaints related to the protection of personal information.

• Officer: Maxime Noiseux, Founder and CEO
• Email: maxime@qreativelab.io
• Address: Quebec, Canada
• You may contact the officer for any question, access request, rectification, deletion or complaint.

We only collect personal information necessary for the purposes determined at or before the time of collection. The types of information collected vary based on your interaction with our services:

• Identification information: first name, last name, email address (contact form and chat)
• Professional information: company name, position (if voluntarily provided)
• Technical information collected automatically: IP address, browser type and version, operating system, device used, screen resolution
• Usage information (with consent only): pages visited, session duration, browsing path, site interactions
• Communication information: content of messages sent through the contact form or AI chat
• Cookies and identifiers: session identifiers, language preferences, consent choices (see Cookies section)

Your personal information is used only for the purposes for which it was collected. We never use your data for purposes other than those listed below without first obtaining your consent:

• Respond to your contact and service inquiries
• Send you a confirmation email following a contact message
• Power the AI chat experience on our contact page (messages are processed by the Anthropic API — see Sharing section)
• Measure and improve our site performance (with consent — Vercel Analytics)
• Detect and fix technical errors (Sentry — error reports and, with consent, Session Replay)
• Ensure the security and availability of our systems
• Comply with our legal and regulatory obligations

In accordance with Law 25, we obtain your manifest, free and informed consent before collecting, using or disclosing your personal information for non-essential purposes. On your first visit, a cookie consent banner presents clear and equivalent options to accept or refuse analytical cookies. Strictly necessary cookies (language, session) do not require consent. You can change your preferences at any time through the cookie management button in the site footer.

• Necessary cookies: enabled by default (site operation, language preferences, consent choice)
• Analytical cookies: disabled by default, enabled only with your explicit consent
• Consent is stored in a local cookie (cookie_consent) with a 365-day duration
• You can withdraw your consent at any time — analytical services stop immediately
• Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal

We never sell your personal information. We only share it with service providers (subprocessors) necessary for operating our website. Each subprocessor is bound by contractual confidentiality and security obligations. Here is the complete list of our subprocessors and the data they process:

• Vercel Inc. (United States) — Web hosting and CDN. Data processed: HTTP requests, IP address, pages visited. Servers: CDN edge in Toronto (Canada) and origin at us-east-1 (Virginia, USA). With consent: performance analytics (Vercel Analytics, Speed Insights). Policy: vercel.com/legal/privacy-policy
• Neon Inc. (United States) — PostgreSQL database. Data processed: no user personal data is stored in the database on this showcase website. Servers: us-east-1 (Virginia, USA). Access is encrypted via TLS 1.3 and data at rest is encrypted with AES-256. Data Processing Agreement (DPA) in effect. Policy: neon.tech/privacy
• Resend Inc. (United States) — Email delivery service. Data processed: email address, name, message content (contact form and welcome email). Servers: us-east-1 (USA). Policy: resend.com/legal/privacy-policy
• Functional Software Inc. / Sentry (United States) — Error monitoring. Data processed without consent (legitimate interest): technical error reports. With analytical consent: Session Replay (session recording). Servers: us-east-1 (USA). Policy: sentry.io/privacy
• Anthropic PBC (United States) — Artificial intelligence for the contact page chat. Data processed: chat messages, first name (if provided). Data is not used to train AI models. Policy: anthropic.com/privacy
• We may also disclose your information if required by law, court order or legal obligation.

Some of our subprocessors are located in the United States. In accordance with section 17 of Law 25, before any transfer of personal information outside Quebec, we conduct a privacy impact assessment (PIA) to ensure the information will receive adequate protection. The following measures are in place:

• Data Processing Agreements (DPA) with each subprocessor located outside Quebec
• Encryption of all data in transit (TLS 1.3) and at rest (AES-256)
• Data access limited according to the principle of least privilege
• Assessment of applicable legal frameworks and security certifications (SOC 2 Type II) of each subprocessor
• American subprocessors provide protection deemed adequate under Law 25, as determined by our privacy impact assessment
• Canadian servers (Vercel CDN in Toronto) used as priority when possible to minimize cross-border transfers

We retain your personal information only as long as necessary to fulfill the purposes for which it was collected, or to comply with our legal obligations. Here are the retention periods by data type:

• Contact messages (form): 24 months after the last exchange, then deleted
• Emails sent via Resend: per Resend's retention policy, maximum 30 days in their systems
• Analytical data (Vercel Analytics): aggregated and anonymized, retained 12 months
• Error reports (Sentry): 90-day retention
• Session Replays (Sentry): 30-day retention
• Consent cookies: 365 days (renewed on each preference change)
• Technical logs (server logs): 30 days maximum
• At expiry of these periods, data is securely deleted or irreversibly anonymized

We implement robust technical and organizational security measures to protect your personal information. These measures are proportional to data sensitivity and aligned with industry best practices:

• Encryption in transit: TLS 1.3 for all communications (mandatory HTTPS, HSTS enabled)
• Encryption at rest: AES-256 for data stored in the database (Neon.tech)
• Access control: principle of least privilege, API keys with regular rotation
• Secure infrastructure: hosting on Vercel (SOC 2 certified) and Neon database (SOC 2 certified)
• Attack protection: rate limiting, input validation, security headers (CSP, X-Frame-Options, HSTS)
• Continuous monitoring: real-time error detection via Sentry
• Secrets management: no secrets in source code, secured environment variables
• Regular assessment: security review of infrastructure and dependencies

In accordance with Law 25, you have extensive rights regarding your personal information. You may exercise these rights at any time by contacting our Privacy Officer:

• Right of access (s. 27): obtain confirmation that we hold information about you, and a copy thereof
• Right to rectification (s. 28): have inaccurate, incomplete or ambiguous information corrected
• Right to deletion: request the deletion of your information when collection or retention is no longer justified
• Right to portability (s. 27): receive your information in a structured, commonly used technological format
• Right to withdraw consent: withdraw your consent to analytical cookies via the button in the footer, or for any other purpose by contacting us
• Right to file a complaint: if you believe your rights are not being respected, you may file a complaint with the Commission d'acces a l'information du Quebec (CAI) — www.cai.gouv.qc.ca
• We respond to all requests within 30 days of receipt

Our site uses cookies and similar technologies. We distinguish two categories of cookies, in accordance with Law 25:

• Necessary cookies (no consent required): language preference (next-locale), consent choice (cookie_consent), session identifier. These cookies are essential for site operation.
• Analytical cookies (with consent): Vercel Analytics (performance measurement, pages visited, session duration), Vercel Speed Insights (loading performance), Sentry Session Replay (session recording for error diagnostics). These cookies are activated only with your explicit consent.
• No advertising, remarketing or profiling cookies are used on this site.
• You can manage your preferences via the consent banner displayed on your first visit or through the cookie management button in the footer.
• Refusing analytical cookies does not affect your browsing experience in any way.

In the event of a confidentiality incident involving your personal information, we apply a rigorous protocol in accordance with sections 3.5 and following of Law 25:

• Notification to the Commission d'acces a l'information du Quebec (CAI) within 72 hours of becoming aware of an incident presenting a risk of serious harm
• Notification without delay to affected individuals when the incident presents a risk of serious harm
• Maintenance of a register of all confidentiality incidents, including those not presenting serious risk
• Risk assessment based on the sensitivity of the information, anticipated consequences and likelihood of malicious use
• Implementation of corrective measures to prevent incident recurrence

We reserve the right to modify this privacy policy. Any changes will be posted on this page with the update date. Substantial changes will be communicated by email to affected individuals or by a prominent notice on our site. The current version is always the one published on this page.

For any question, access request, rectification, deletion, portability or complaint regarding this policy or your personal information:

• Officer: Maxime Noiseux, Founder and CEO
• Email: maxime@qreativelab.io
• Company: QreativeLab inc., Quebec, Canada
• Response time: maximum 30 days following receipt of your request
• If you are not satisfied with our response, you may contact the Commission d'acces a l'information du Quebec (CAI): www.cai.gouv.qc.ca