TERMS OF USE AND PRIVACY POLICY

McGinnis & Associé — CRM Investigation Platform

Version: 1.0
Effective date: January 1, 2026
Last updated: April 23, 2026


TABLE OF CONTENTS

  1. Platform presentation and operator
  2. Scope of application
  3. Definitions
  4. Acceptance of terms
  5. Platform access and account management
  6. Nature of services offered
  7. Personal information collected
  8. Purposes of personal information processing
  9. Legal basis for processing
  10. Data retention and destruction
  11. Hosting and cloud infrastructure
  12. Third-party services and subcontractors
  13. Security of personal information
  14. Transfer of personal information outside Québec
  15. Rights of data subjects
  16. Privacy incidents
  17. Cookies and tracking technologies
  18. Intellectual property
  19. Liability and limitations
  20. Amendments to the terms
  21. Governing law and jurisdiction
  22. Contact and privacy officer

1. PLATFORM PRESENTATION AND OPERATOR

This platform, referred to as "Polaris CRM Investigation" or simply "the Platform", is operated by:

McGinnis & Associé
698 Patricia Street
St-Amable (Québec), Canada   J0L 1N0
General email: info@mgassocie.com
Website: https://crm.mgassocie.com

hereinafter referred to as "McGinnis & Associé", "we", "our" or "us".

The Platform is a customer relationship management (CRM) system for internal and professional use, designed for the management of investigation mandates. It is hosted on Amazon Web Services (AWS) cloud infrastructure on Canadian territory.

2. SCOPE OF APPLICATION

These terms of use and privacy policy (hereinafter the "Terms") apply to:

  1. Any authorized user accessing the Platform (employees, agents, managers, information technology personnel);
  2. Any client or subject whose personal information is processed in the context of a service request submitted to McGinnis & Associé;
  3. Any interaction with the Platform, whether direct (connection to the CRM) or indirect (submission of a pre-employment or investigation request through an authorized principal).

These Terms comply with the following laws:

  • Act to modernize legislative provisions respecting the protection of personal information (Law 25, Québec, R.S.Q., c. P-39.1, as amended);
  • Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5, Canada);
  • Privacy Act (federal, S.C. 1980-81-82-83, c. 111, applicable to the federal public sector);
  • Canadian Cybersecurity Act (Bill C-26, to the extent applicable);
  • Guidelines of the Commission d'accès à l'information (CAI) of Québec;
  • General Data Protection Regulation (GDPR) of the European Union, to the extent that EU residents may be concerned.

3. DEFINITIONS

For the purposes of these Terms, the following terms have the meanings set out below:

"Media Data"
Audiovisual files (videos, photographs, audio recordings, etc.) uploaded to the Platform in connection with an investigation mandate or a pre-employment request.
"Text Data"
Information entered into the Platform's forms, including but not limited to: names, contact details, investigation notes, reports, and any other information recorded in the Platform's secure database.
"Platform"
The entire Polaris CRM Investigation system, including the web interface, the REST API, the messaging modules, the file upload system and the associated database.
"Personal Information"
Any information concerning a natural person that directly or indirectly allows that person to be identified, within the meaning of Law 25 and PIPEDA.
"Sensitive Personal Information"
Personal information which, by its nature — including medical information, criminal records, biometric data, and ethnic origin — requires special protection due to the serious harm its disclosure could cause.
"Subcontractor"
Any third party that processes personal information on behalf of McGinnis & Associé in connection with the provision of technology services.
"Institutional Partner"
Any public or private body (police forces, courts, credit agencies, specialized firms) to whom McGinnis & Associé communicates personal information strictly within the legal execution of a mandate.
"User"
Any person holding an active and authorized account on the Platform.
"Subject"
Any natural person who is the object of an investigation mandate or a background check processed by the Platform.

4. ACCEPTANCE OF TERMS

Accessing the Platform constitutes full and unconditional acceptance of these Terms. Any user who does not accept these Terms must immediately cease using the Platform and contact McGinnis & Associé to deactivate their account.

Internal users (employees and agents) confirm their acceptance upon account creation and upon any significant update to these Terms.

Subjects whose information is processed are informed of these Terms through the principal who submitted the service request, in accordance with the transparency obligations set out in Law 25.

5. PLATFORM ACCESS AND ACCOUNT MANAGEMENT

5.1 User Accounts

The Platform is restricted-access. All accounts must be created and authorized by a designated administrator of McGinnis & Associé. There is no public self-registration mechanism.

5.2 Authentication and Session Security

  • Protection against bot attacks and automated submissions via Google reCAPTCHA v3.

5.3 Role-Based Access Restrictions

Access to data is strictly limited based on the role assigned to each user (role-based access control — RBAC). Sensitive text data is only accessible to authorized managers and IT personnel who have undergone a background check (backcheck).

5.4 Reserved for Professional Use

The Polaris CRM Investigation Platform is strictly for professional use, reserved exclusively for authorized employees, agents, investigators and partners of McGinnis & Associé. It is not intended for the general public or minors. Any unauthorized access is strictly prohibited and subject to legal action.

6. NATURE OF SERVICES OFFERED

The Platform offers the following services exclusively within the scope of McGinnis & Associé's professional mandates:

  1. Management of investigation files and background checks;
  2. Management of investigation mandates;
  3. Processing of pre-employment requests (identity verification, background checks, employer references).

7. PERSONAL INFORMATION COLLECTED

7.1 Automatically Collected Data

  • IP address and browsing data (via Google Analytics 4);
  • Session data;
  • Connection and activity logs (application logs);
  • Debugging and performance data;
  • Anti-bot verification data (Google reCAPTCHA v3).

7.2 Data Not Collected

McGinnis & Associé does NOT collect:

  • Credit card data or payment information directly on the Platform;
  • Automated biometric data;
  • Real-time geolocation data of Platform users;
  • Data for advertising or commercial profiling purposes.

8. PURPOSES OF PERSONAL INFORMATION PROCESSING

The personal information collected is used exclusively for the following purposes:

  1. Fulfillment of the mandate entrusted by the client (investigation, verification, surveillance);
  2. Communication with clients regarding the progress of mandates;
  3. Administrative and accounting management of files;
  4. Improvement and maintenance of the Platform (anonymized and aggregated data only);
  5. Compliance with applicable legal obligations;
  6. Platform security and fraud prevention.

McGinnis & Associé formally commits to NOT:

  • Sell, rent, assign or monetize personal information to third parties for commercial purposes;
  • Use personal information for targeted advertising purposes;
  • Display any advertising on the Platform; it is designed solely to provide relevant and useful information in the context of client service requests;
  • Share personal information with unauthorized third parties without express consent or legal obligation.

9. LEGAL BASIS FOR PROCESSING

The processing of personal information is based on the following legal grounds, in accordance with Law 25 and PIPEDA:

  1. CONSENT: When the subject or principal has given their explicit consent for the collection and processing of their information in the context of a service request;
  2. CONTRACT PERFORMANCE: When processing is necessary for the performance of the service contract entered into between McGinnis & Associé and the client principal;
  3. LEGAL OBLIGATION: When processing is required to comply with an applicable legal obligation, including an order from a competent court, a request from a law enforcement body having jurisdiction, or any other requirement under federal or provincial law;
  4. LEGITIMATE PURPOSES: In accordance with Law 25, for purposes of IT security, fraud prevention and service improvement, to the extent provided and permitted by applicable law.

Consent may be withdrawn at any time (see section 15), subject to legal retention obligations.

10. DATA RETENTION AND DESTRUCTION

10.1 Media Data (Audiovisual Files)

Media files (photos, videos, audio recordings) uploaded in connection with an investigation mandate or a pre-employment request are retained for a maximum period of THIRTY (30) DAYS following the closure of the file or the finalization of the request processing.

Upon expiry of this period, media files are destroyed in a secure and irreversible manner, so that they cannot be reconstituted, in accordance with section 23 of Law 25.

10.2 Text Data and Files

Text data (file information, reports, client data, verification results) is retained in a secure database hosted on certified cloud infrastructure (Canada) for a maximum period of FIVE (5) YEARS following the closure of the file, in order to meet applicable legal, regulatory and accounting obligations.

Upon expiry of this five-year period, text data is destroyed in a secure manner, unless a legal obligation (e.g., ongoing court proceedings) requires extended retention.

Access to this data is strictly limited to authorized managers and IT personnel who have undergone a background check (backcheck), in accordance with the internal access control policy.

10.3 System Logs and Browsing Data

Application logs and browsing data collected via Google Analytics 4 are retained for a maximum period of THIRTEEN (13) MONTHS, in accordance with the standard retention settings of Google Analytics 4, then anonymized or automatically deleted.

10.4 Destruction Method

Data destruction is carried out by:

  • Secure deletion of files from the Platform's server;
  • Database record purge with irreversibility confirmation;
  • Revocation and deletion of affected database backups.

11. HOSTING AND CLOUD INFRASTRUCTURE

11.1 Amazon Web Services (AWS) — Canada

The Platform's entire infrastructure is hosted on Amazon Web Services (AWS) on Canadian territory, ensuring that data remains in Canada under normal operations.

11.2 AWS Privacy Policy

Hosting with AWS is subject to the Amazon Web Services privacy policy, available at: https://aws.amazon.com/privacy/. AWS acts as a data processor on behalf of McGinnis & Associé and is bound by a Data Processing Agreement (DPA) compliant with Canadian requirements.

12. THIRD-PARTY SERVICES AND SUBCONTRACTORS

McGinnis & Associé uses the following third-party services and institutional partners in the operation of the Platform and the execution of mandates. Each party acts as a legally authorized subcontractor or partner and is subject to contractual or legal obligations for the protection of personal information.

12.1 Google Analytics 4 (Google LLC)

Purpose: Collection and analysis of Platform usage metrics (number of visits, pages viewed, session duration, etc.) for service improvement purposes only.

Data transmitted: IP address (anonymized), browsing data, anonymous session identifiers.

Location: Google servers (potentially outside Canada — United States). See section 14 for applicable contractual guarantees.

Privacy policy: https://policies.google.com/privacy

Opt-out: Users can disable Google Analytics by installing the Google Analytics Opt-out Add-on: https://tools.google.com/dlpage/gaoptout

12.2 Google reCAPTCHA v3 (Google LLC)

Purpose: Protection against automated submissions (bots) on Platform forms. Google reCAPTCHA v3 transparently analyzes user browsing behavior to assign a risk score, without any visible interaction.

Data transmitted: IP address, browsing behavior data, existing Google cookies in the browser.

Important note (reCAPTCHA v3): Unlike reCAPTCHA v2, reCAPTCHA v3 operates in the background without any visible user action. Behavioral data may be transmitted to Google servers (United States) upon each loading of a protected page.

Privacy policy: https://policies.google.com/privacy
Terms of service: https://policies.google.com/terms

12.3 Institutional Partners and Verification Bodies

Exclusively within the scope of its professional mandates (background checks, investigations, pre-employment), McGinnis & Associé may be required to communicate personal information to the following bodies and partners, depending on the nature of the mandate and applicable legal authorizations:

A) LAW ENFORCEMENT AGENCIES

McGinnis & Associé cooperates with Canadian law enforcement agencies within the legal framework of its mandates, including:

  • Sûreté du Québec (SQ);
  • Royal Canadian Mounted Police (RCMP);
  • Municipal police services (e.g., SPVM, SPAL, and any other municipal police force authorized in Canada);
  • Canadian Military Police;
  • Any other Canadian federal, provincial or municipal law enforcement body having jurisdiction in the context of the relevant mandate.

The communication of personal information to these bodies is only carried out upon presentation of a legal warrant, a court order from a competent tribunal, or in cases expressly provided for by law.

B) COURTS AND JUDICIAL AUTHORITIES

McGinnis & Associé may be required to communicate information to the following judicial authorities, in strict compliance with applicable legal procedures:

  • Civil Division;
  • Criminal and Penal Division;
  • Municipal Division;
  • Specialized courts (e.g., Administrative Tribunal of Québec);
  • Federal Court of Canada;
  • Any other competent court or judicial body in Canada.

C) CREDIT REPORTING AGENCIES

In the context of credit verification mandates, McGinnis & Associé may consult records at the following agencies, with the subject's express consent where required by law:

  • TransUnion Canada;
  • Equifax Canada.

These agencies are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) and their own privacy policies:
https://www.transunion.ca/en/privacy
https://www.consumer.equifax.ca/personal/privacy/

D) SPECIALIZED BACKGROUND CHECK FIRMS

McGinnis & Associé may engage specialized companies for criminal record checks, court record searches, professional reference checks and employment history verifications, including but not limited to any accredited service provider legally operating in this field in Canada (e.g., Backcheck, Sterling, or certified equivalent).

These providers must have signed a Data Processing Agreement compliant with Law 25 before any communication of personal information.

13. SECURITY OF PERSONAL INFORMATION

McGinnis & Associé implements appropriate technical and organizational security measures to protect personal information against unauthorized access, disclosure, alteration or destruction, including:

13.1 Organizational Measures

  • Data access restricted only to authorized employees who have a legitimate need in the context of their duties;
  • Mandatory background check (backcheck) for all personnel with access to sensitive data;
  • Employee training on personal information protection;
  • Strong password policy and periodic renewal;
  • Access and modification logging (audit trail).

13.2 User Responsibility

Every authorized user is responsible for the confidentiality of their login credentials. Sharing credentials with a third party is strictly prohibited. Any security incident (loss, theft, unauthorized use of an account) must be reported immediately to the Privacy Officer (info@mgassocie.com).

14. TRANSFER OF PERSONAL INFORMATION OUTSIDE QUÉBEC

In accordance with section 17 of Law 25, before communicating personal information outside Québec, McGinnis & Associé conducts or has conducted a Privacy Impact Assessment (PIA) to ensure that the information receives adequate protection.

14.1 Identified and Confirmed Transfers

  • GOOGLE Analytics 4 (CONFIRMED): Anonymized or pseudonymized browsing data is transmitted to Google LLC servers (United States) for Platform metrics analysis. These transfers are governed by Google's Standard Contractual Clauses (SCCs) and Google's privacy policy (https://policies.google.com/privacy). IP addresses are anonymized before transmission.
  • GOOGLE reCAPTCHA v3 (CONFIRMED): Behavioral data is transmitted to Google servers (United States) for anti-bot protection. These transfers are governed by Google's policies.
  • MICROSOFT Office 365 (CONFIRMED): Metadata and content of transactional emails transit through Microsoft Corporation's infrastructure. Microsoft has contractually committed to complying with Canadian data protection requirements for its enterprise customers (https://privacy.microsoft.com/en-ca/privacystatement).
  • AWS (INFRASTRUCTURE): Operational data is hosted on Canadian territory. McGinnis & Associé ensures that all automated backups remain on Canadian territory at all times.

14.2 Contractual Guarantees

McGinnis & Associé ensures that any transfer outside Québec is governed by contractual guarantees equivalent to the requirements of Law 25, in particular through the conclusion of compliant Data Processing Agreements (DPAs) with each relevant subcontractor.

14.3 Right to Withdraw Regarding Transfers

Individuals may object to transfers outside Québec for analysis purposes (Google Analytics) by using the Google Analytics opt-out extension or by exercising their rights as described in section 15.

15. RIGHTS OF DATA SUBJECTS

In accordance with Law 25 (arts. 27 to 40) and PIPEDA, every person whose personal information is processed by McGinnis & Associé has the following rights:

  1. RIGHT OF ACCESS: Obtain confirmation that personal information about you is held, and receive a copy within thirty (30) days;
  2. RIGHT TO RECTIFICATION: Have inaccurate, incomplete or ambiguous information corrected;
  3. RIGHT TO PORTABILITY: Receive the personal information concerning you in a structured, commonly used technological format (Law 25, art. 27, applicable since September 2023);
  4. RIGHT TO ERASURE ("right to be forgotten"): Request the deletion of your personal information when its retention is no longer necessary for the purposes for which it was collected, subject to legal retention obligations (5 years for text data, 30 days for media data);
  5. RIGHT TO WITHDRAW CONSENT: Withdraw your consent to the processing of your personal information, which may result in the inability to provide certain services;
  6. RIGHT TO FILE A COMPLAINT: File a complaint with the Privacy Officer of McGinnis & Associé, or with the Commission d'accès à l'information of Québec (CAI):
    Website: https://www.cai.gouv.qc.ca
    Phone: 1 888 528-7741.

To exercise these rights, please submit a formal request through the dedicated form accessible at the following address:

McGinnis & Associé — Privacy Requests
698 Patricia Street, St-Amable (Québec)   J0L 1N0
Email: info@mgassocie.com

McGinnis & Associé commits to responding within thirty (30) days of receiving the request, in accordance with Law 25.

16. PRIVACY INCIDENTS

In accordance with articles 3.5 to 3.8 of Law 25, McGinnis & Associé maintains a complete register of privacy incidents as well as a logging system (logs) enabling the production of a detailed report of any incident that occurs on the Platform. This register is accessible upon request from the Commission d'accès à l'information (CAI).

In the event of a privacy incident presenting a risk of serious harm to one or more individuals:

  1. McGinnis & Associé will notify the Commission d'accès à l'information (CAI) as soon as possible following the discovery of the incident, in accordance with the Regulation respecting privacy incidents under Law 25;
  2. The individuals concerned will be notified as soon as possible, with a description of the incident and the measures taken;
  3. The incident will be recorded in the privacy incident register maintained by the Privacy Officer;
  4. The full incident report (logs, timeline, affected data, corrective measures) may be provided to any competent authority upon formal request;
  5. Corrective measures will be implemented without delay.

17. COOKIES AND TRACKING TECHNOLOGIES

17.1 Types of Cookies Used

The Platform uses the following categories of cookies:

ESSENTIAL COOKIES (strictly necessary)
  • Session management cookies: Maintaining the user's authenticated session. These cookies are essential for the Platform to function and cannot be disabled.
  • Security cookies: Protection against cross-site request forgery (CSRF) attacks.
PERFORMANCE AND ANALYTICS COOKIES
  • Google Analytics 4 cookies (_ga, _gid, _ga_*): Collection of anonymized statistical data on Platform usage.
SECURITY COOKIES
  • Google reCAPTCHA v3 cookies: Transparent behavioral analysis for anti-bot verification across all protected pages.

17.2 Cookie Management

Users can manage their non-essential cookie preferences through their browser settings. Disabling essential cookies will result in the inability to use the Platform.

17.3 Cookie Retention Period

  • Session cookies: Duration of the session (deleted upon browser closure or after 24 hours of inactivity);
  • Google Analytics (_ga): 2 years;
  • Google Analytics (_gid): 24 hours.

18. INTELLECTUAL PROPERTY

All elements constituting the Platform — including source code, graphical interfaces, databases, logos, trademarks and any original content — are the exclusive property of McGinnis & Associé and are protected by Canadian and Québec laws on copyright and intellectual property, in particular the Copyright Act (R.S.C. 1985, c. C-42).

Any unauthorized reproduction, distribution, modification or use of all or part of the Platform is strictly prohibited.

19. LIABILITY AND LIMITATIONS

19.1 Limitation of Liability

To the extent permitted by applicable law, McGinnis & Associé shall not be held liable for indirect, incidental, special or consequential damages resulting from the use of or inability to use the Platform, including data losses resulting from a technical failure beyond its control.

19.2 Service Availability

McGinnis & Associé commits to maintaining the Platform available to the extent reasonably possible, but does not guarantee uninterrupted availability. Service interruptions may occur for maintenance, update or force majeure reasons.

19.3 Accuracy of Information

The user is responsible for the accuracy of the information they enter into the Platform. McGinnis & Associé cannot be held responsible for the consequences arising from inaccurate information provided by the user or the principal.

20. AMENDMENTS TO THE TERMS

McGinnis & Associé reserves the right to modify these Terms at any time. Users will be notified of any significant changes by email (via Microsoft Office 365) and/or by a notice posted on the Platform.

The version in force is the one accessible on the Platform or transmitted upon request to the Privacy Officer. Continued use of the Platform after notification of changes constitutes acceptance of the new terms.

21. GOVERNING LAW AND JURISDICTION

These Terms are governed by and construed in accordance with the laws of the province of Québec and the federal laws of Canada applicable therein.

Any dispute relating to the interpretation or application of these Terms shall be subject to the exclusive jurisdiction of the courts of the province of Québec, judicial district of Longueuil (registered office located in St-Amable, Québec, J0L 1N0).

In matters of personal information protection, complaints may also be addressed to:

Commission d'accès à l'information du Québec (CAI)
2045 Marly Street, Suite 200
Québec (Québec)   G1V 4P1
Phone: 1 888 528-7741
Website: https://www.cai.gouv.qc.ca

Office of the Privacy Commissioner of Canada (OPC)
30 Victoria Street
Gatineau (Québec)   K1A 1H3
Phone: 1 800 282-1376
Website: https://www.priv.gc.ca

22. CONTACT AND PRIVACY OFFICER

In accordance with section 3.1 of the Act respecting the protection of personal information in the private sector of Québec (as amended by Law 25), McGinnis & Associé has designated the following Privacy Officer (PO):

McGinnis & Associé
698 Patricia Street
St-Amable (Québec)   J0L 1N0
Email: info@mgassocie.com

For any questions regarding these Terms, the protection of your personal information, or to exercise your rights (section 15), please contact the Privacy Officer at the above address or use the dedicated online form.


END OF DOCUMENT
McGinnis & Associé — All rights reserved © 2026
CRM Investigation Platform
Hosted on certified cloud infrastructure — Canada