| Document Code | LUSTRUM-POL-CONF-001 |
|---|---|
| Version | v1.0 |
| Effective Date | 2026-04-20 |
| Last Revised | 2026-04-20 |
| Classification | Public |
| Publication URL | https://lustrum.ca/confidentialite |
| Person in Charge of the Protection of Personal Information | Jean-François Leclerc |
| Privacy Contact Email | privacy@lustrum.ca |
1. Preamble and Applicable Legal Framework
This policy describes Lustrum's (hereinafter, the "firm") practices regarding the collection, use, retention, communication, and destruction of personal information in connection with the operation of the lustrum.ca website and related services.
It is drafted in accordance with the following legal frameworks:
- Quebec — Act respecting the protection of personal information in the private sector (CQLR, c. P-39.1, hereinafter the "Private Sector Privacy Act"), as amended, including by An Act to modernize legislative provisions as regards the protection of personal information.
- Canada — Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5, hereinafter "PIPEDA"), subsidiarily, for activities extending beyond Quebec's intraprovincial scope or involving an interprovincial or international dimension.
The Commission d'accès à l'information du Québec (CAI) is the primary oversight authority for the firm's activities governed by Quebec law.
2. Person in Charge of the Protection of Personal Information
In accordance with section 3.1 of the Private Sector Privacy Act, the person in charge of the protection of personal information for the firm is:
- Name: Jean-François Leclerc
- Title: Founder and Person in Charge of the Protection of Personal Information
- Dedicated Email: privacy@lustrum.ca
- Target Response Time: 30 days from receipt of an admissible request, subject to any exception provided by law
The firm has established governance policies and practices relating to personal information in accordance with section 3.2 of the Private Sector Privacy Act. This policy constitutes the public-facing privacy component applicable to the website.
Any request relating to this policy, to the exercise of your rights (section 8), or to the filing of a complaint must be directed to the privacy contact email above.
3. Personal Information Processed
3.1 Information Not Actively Collected Through the Website
The website includes none of the following:
- collection forms (contact, quote request, registration, newsletter subscription)
- non-essential cookies set by the website
- third-party traffic analytics tools (Google Analytics, Meta Pixel, LinkedIn Insight, Hotjar, HubSpot, or equivalents)
- tracking, profiling, or targeted advertising scripts
- tools using technological means to identify, locate, or profile individuals within the meaning of section 8.1 of the Private Sector Privacy Act
- requests for access to browser APIs (geolocation, microphone, camera, notifications)
- persistent local storage mechanisms for tracking purposes
3.2 Technical Information Processed by the Infrastructure Provider (Cloudflare)
The website is delivered through the infrastructure of Cloudflare, Inc. ("Cloudflare"). On each visit, Cloudflare may process, for content delivery, caching, security, and operational logging purposes, the following technical information:
- IP address
- browser user agent (
User-Agent) - requested page and related technical metadata (URL, method, referrer, timestamp)
- network security and filtering data (e.g., bot detection, DDoS protection, firewall events)
- network error reports, where enabled by the browser or the infrastructure
Cloudflare acts as a service provider within the meaning of section 18.3 of the Private Sector Privacy Act, to the extent that such processing is necessary for the hosting, security, and delivery of the website and is subject to appropriate contractual safeguards.
Retention period: retention periods vary depending on the Cloudflare functions enabled, the logs concerned, and the applicable service plan.
3.3 Fonts
The website uses self-hosted fonts on the firm's own infrastructure. No request to a third-party font service is triggered during the normal loading of website pages.
Accordingly, the firm does not use Google Fonts or any equivalent service in third-party hosted mode and does not communicate technical information to any third party for that purpose.
3.4 Information Processed in Connection with Email Communications
Email addresses under the @lustrum.ca domain are hosted on Microsoft 365, operated by Microsoft Corporation. When an individual corresponds with the firm:
- Information Processed: email address, message content, any attachments, and transmission/header metadata
- Purposes: processing the request, conducting the business relationship, managing a mandate, and retaining relevant communications
- Legal Basis: processing necessary to manage the business relationship and, where applicable, consent arising from the individual's initiation of the communication
- Retention Period:
- emails relating to a mandate: duration of the mandate, followed by retention in accordance with the applicable records schedule
- prospecting emails with no further action: retained only for the period necessary to follow up, then deleted or administratively archived in accordance with the applicable records schedule
- emails relating to the exercise of a statutory right: retained for the period necessary to process the request, document the response, and protect the firm's legal position
3.5 Minors and Vulnerable Individuals
The lustrum.ca website is not directed to minors. The firm engages exclusively in professional services directed at organizations and does not knowingly collect personal information concerning minors.
Should a parent, guardian, or any person with legal authority become aware that a minor has transmitted personal information to the firm, notably by email, that person may request the deletion of such information by writing to privacy@lustrum.ca. The request will be handled with the same diligence as any request referred to in section 8.
The firm also pays particular attention to personal information that may relate to individuals in a situation of vulnerability, within the meaning of the guidance issued by the Commission d'accès à l'information du Québec, and applies a level of protection proportionate to the sensitivity of such information.
4. Purposes of Processing
In accordance with the principles of necessity and purpose limitation, the information described in section 3 is processed solely for the following purposes:
- Technical delivery of the website: page rendering, caching, performance optimization, and service continuity
- Infrastructure security: detection, prevention, and blocking of abuse, attacks, or malicious use
- Minimal operational logging: technical diagnostics, maintenance of service integrity, and incident investigation
- Professional correspondence: processing requests sent by email and carrying out mandates
- Compliance with legal obligations: responding to legally valid requests from competent authorities and complying with obligations applicable to the firm
None of these purposes includes targeted advertising, commercial profiling, data sales, or the training of artificial intelligence models using the personal information so processed.
In accordance with section 8 of the Private Sector Privacy Act, this policy informs individuals of the purposes of processing, the means used, their rights of access and rectification, their right to withdraw consent where consent is the applicable basis, the third parties that may receive the information, and the possibility of communication outside Quebec.
5. Communication to Third Parties
Personal information processed by the firm is communicated only to the following third parties, strictly within the scope of the purposes set out in section 4:
| Third Party | Role | Location of Processing | Framework |
|---|---|---|---|
| Cloudflare, Inc. | Infrastructure, content delivery, application and network security | Multi-region, depending on the provider's architecture | Standard contractual framework of the provider |
| Microsoft Corporation | Hosting and processing of professional email communications | Primarily according to tenant geography and Microsoft 365 service terms | Data Protection Addendum / Microsoft contractual terms |
No commercial disclosure to third parties is carried out. Personal information is neither sold, nor rented, nor exchanged for prospecting purposes.
The firm may also communicate certain information where required by law or where a competent authority submits a legally valid request.
6. Communication Outside Quebec
Certain processing activities may involve the communication of, or access to, personal information outside Quebec. In accordance with section 17 of the Private Sector Privacy Act, the firm carries out, where required before any such communication, a privacy impact assessment taking into account, in particular:
- the sensitivity of the information concerned
- the purposes for which it is to be used
- the applicable contractual, organizational, and technical safeguards
- the legal framework applicable in the destination jurisdiction
Communication outside Quebec is maintained only where the assessment concludes that the personal information will receive adequate protection, having regard in particular to generally recognized privacy principles. Where required, the firm implements an appropriate written framework with the service provider concerned.
7. Security Safeguards
In accordance with section 10 of the Private Sector Privacy Act, the firm implements reasonable security safeguards proportionate to the sensitivity of the information, the purposes for which it is used, its quantity, distribution, and medium. These safeguards include, in particular:
- encryption in transit for the website and publicly exposed services
- network and application protection measures through the selected infrastructure
- access control based on need-to-know and the principle of least privilege
- multi-factor authentication for relevant administrative access
- logging and monitoring of necessary technical and authentication events
- privacy incident management and maintenance of a register where required by law
In the event of a confidentiality incident presenting a risk of serious injury, the firm will apply the notification mechanisms prescribed by law.
8. Rights of Individuals
Subject to the conditions, limits, and exceptions provided by law, any individual concerned has, in particular, the following rights:
| Right | Primary Legal Basis | General Terms | Usual Timeframe |
|---|---|---|---|
| Right of Access | s. 27, Private Sector Privacy Act | Obtain confirmation of the existence of personal information concerning them and, where applicable, gain access to it | 30 days |
| Right to Rectification | s. 28, Private Sector Privacy Act | Have inaccurate, incomplete, or equivocal information corrected, or have information collected or retained contrary to law deleted | 30 days |
| Right to Data Portability | s. 27, Private Sector Privacy Act, as applicable | Obtain communication of computerized personal information collected from the individual in a structured, commonly used technological format, subject to the limits provided by law | 30 days |
| Right to Withdraw Consent | s. 8, Private Sector Privacy Act, depending on the applicable legal basis | Withdraw consent where processing is based on consent, subject to applicable legal and contractual obligations | Within a reasonable time |
| Rights Relating to Decisions Based Exclusively on Automated Processing | Applicable provisions of the Private Sector Privacy Act | Be informed of such a decision and request, where applicable, the information and intervention provided by law | Not applicable under the firm's current practices |
How to Exercise These Rights
Any request must be sent to privacy@lustrum.ca. The firm may require information reasonably necessary to verify the requester's identity before communicating, rectifying, or deleting personal information.
Access to personal information is provided free of charge, subject to the reasonable transcription, reproduction, or transmission fees permitted by law, which will be disclosed in advance if applicable.
Any refusal will be reasoned and will indicate, where applicable, the remedies available.
9. Cookies
The lustrum.ca website sets no non-essential cookies and uses no third-party advertising or analytics tracking mechanisms.
Should this practice change, this policy will be updated before any such mechanism is activated, and the firm will implement the notice and, where applicable, consent measures required by applicable law.
10. Changes to This Policy
This policy may be amended to reflect changes in the firm's practices, website functionality, or the applicable legal framework. Any material change will be brought to the attention of individuals by an appropriate means, including publication on the website.
11. Complaint to a Competent Authority
Any individual who believes that the firm has failed to comply with its obligations regarding the protection of personal information may file a complaint with the competent authorities:
- Quebec — Commission d'accès à l'information du Québec (CAI) — www.cai.gouv.qc.ca
- Canada — Office of the Privacy Commissioner of Canada, where applicable — www.priv.gc.ca
The firm nevertheless encourages any individual to first submit a direct complaint to it, in order to allow for a diligent and documented resolution.
Policy adopted by Lustrum.