Privacy Policy

Privacy Policy

This policy applies to the websites operated by Vooban Inc., including without limitation vooban.com and morphe.vooban.com.

Vooban is a corporation organized under the laws of the Province of Québec, with its head office located at 510-1015 avenue Wilfrid-Pelletier, Québec, QC, G1W 0C4.

We process your personal information in accordance with the Act respecting the protection of personal information in the private sector (RLRQ, c. P-39.1, commonly known as "Law 25"), the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") where applicable, and any other applicable law.

1. Person in charge of the protection of personal information
In accordance with section 3.1 of Law 25, Vooban has designated a person in charge of the protection of personal information:

·       Samuel Bonneau, CISO at Vooban

·       Email: Samuel.bonneau@vooban.com

·       Phone: 418-800-0027 #501

·       Mailing address: 510-1015 avenue Wilfrid-Pelletier, Québec, QC, G1W 0C4.

For any question regarding this policy, the exercise of your rights or our personal information protection practices, you may contact this person.

For visitors located in the European Union, this person also acts as the main point of contact for matters relating to the GDPR.

2. Scope
This policy covers:

·       The corporate website vooban.com and all its subdomains (blog, case studies, campaign pages, etc.)

·       The Morphe by Vooban platform accessible at morphe.vooban.com

·       Marketing communications, newsletters and events organized by Vooban

·       Any interaction with our forms, demos, webinars or online tools

Certain services may have specific annexes (see section 17 for Morphe).

3. Personal information we collect
We collect the following categories of personal information:

3.1 Information you provide to us
·       Identification: first and last name, job title, employer, industry

·       Contact information: email address, phone number, mailing address

·       Communication content: messages sent through forms, email, or demo requests

·       Registrations: webinars, newsletters, events, content downloads

·       Morphe account: login credentials, user profile, settings

3.2 Information collected automatically
·       Technical data: IP address, browser type and version, operating system, device identifiers, language

·       Browsing data: pages viewed, visit duration, referring source, navigation path, date and time

·       Cookies and similar technologies: see section 11

3.3 Information obtained from third parties
We may receive information from:

·       B2B data enrichment providers (e.g., Apollo) for commercial qualification purposes

·       Advertising platforms (LinkedIn, Google, Meta) for measurement purposes

·       Event partners or organizers when you register for a joint event

3.4 Sensitive information
We do not knowingly collect sensitive personal information (ethnic origin, political opinions, health data, etc.). If you share such information through a free-text field, it will be handled with particular care and deleted as soon as practicable.

3.5 Information concerning minors
Our Services are not intended for individuals under 14 years of age. We do not knowingly collect personal information about minors. If you are under 18, you must obtain the consent of a parent or guardian before providing us with any personal information.

4. Purposes and legal bases of processing
We process your personal information for the purposes set out below. For each purpose, we identify the categories of data involved and the applicable legal basis under the GDPR.

Responding to your inquiries (contact forms, demo requests, commercial questions). We process your identification data, contact information and the content of your message. Legal basis: pre-contractual measures taken at your request, or our legitimate interest in responding to those who reach out to us.

Providing and operating the Morphe platform. We process your account data, the content you generate within the platform and the technical data necessary for the service to function. Legal basis: performance of the service agreement that binds us to the Client or to you.

Sending our newsletter and marketing communications. We process your contact information and your areas of interest. Legal basis: your consent, which you may withdraw at any time via the unsubscribe link included in every email.

Personalizing our communications and our website. We process your browsing data and your areas of interest. Legal basis: our legitimate interest in providing a relevant experience, and for non-essential cookies, your consent.

Measuring the performance of our marketing campaigns. We process your browsing data and interaction events. Legal basis: your consent, collected via the analytics and marketing cookie banner.

Ensuring security, preventing fraud and maintaining our Services. We process technical data and access logs. Legal basis: our legitimate interest in protecting our systems, our users and our data.

Complying with legal and accounting obligations. We process the data required depending on the nature of the obligation (invoices, contracts, registers, etc.). Legal basis: legal obligations to which Vooban is subject.

Asserting, exercising or defending our rights. We process relevant data depending on the context (correspondence, contracts, logs, etc.). Legal basis: our legitimate interest in protecting our rights, including in the context of pre-litigation or judicial proceedings.

Analyzing and improving our Services. We process aggregated or pseudonymized data as well as browsing data. Legal basis: our legitimate interest in evolving the quality of our products and services.

In Québec, the processing of your personal information is based, as the case may be, on your consent, on the necessity of performing a contract with you, on compliance with a legal obligation, or on Vooban's legitimate interest where that interest does not infringe on your rights.

You may withdraw your consent at any time (see section 9).

5. Automated decisions and use of artificial intelligence
In accordance with section 12.1 of Law 25 and article 22 of the GDPR:

·       Vooban website (vooban.com): we do not make decisions based solely on automated processing that produce legal or similarly significant effects on you. We may use analytics tools to segment our audiences for marketing purposes, with no significant impact on you.

You have the right to obtain information about the personal information used to make a decision, the principal factors that led to that decision, and to have the information used corrected. You may also request human intervention.

6. Disclosure to third parties and processors
We never sell your personal information.

We may disclose your information to:

6.1 Our service providers and processors
We rely on service providers acting as processors, contractually bound to confidentiality and security obligations consistent with sections 18.3 and 17 of Law 25 and article 28 of the GDPR. Main categories:

·       Hosting and infrastructure: Amazon Web Services, Microsoft Azure, Google Cloud Platform (jurisdictions: Canada, United States, European Union depending on the service)

·       CRM and marketing automation: HubSpot (United States)

·       Web analytics: Google Analytics 4 (United States)

·       Advertising: Google Ads, LinkedIn Ads, Meta Ads (United States)

·       Communication: Slack, Microsoft 365, Gmail (United States)

·       Videoconferencing and webinars: Zoom, Teams, Google Meet (United States)

·       AI models (Morphe): Anthropic, OpenAI (United States), and other providers listed in the Morphe Annex

A complete and up-to-date list of our processors is available upon request at confidentialite@vooban.com.

6.2 Legally required disclosures
·       Where required by law

·       In connection with ongoing or imminent judicial proceedings

·       To enforce our rights, prevent fraud or protect the security of our Services

·       To any competent public authority (Commission d'accès à l'information, law enforcement, etc.) upon legitimate request

6.3 Corporate transactions
In the event of a merger, acquisition, asset sale or reorganization, your personal information may be transferred to the successor entity. You will be informed.

6.4 With your consent
In any other case, we obtain your prior consent.

7. Transfers of personal information outside Québec and the European Union
Some of our processors are located outside Québec, notably in the United States and in the European Union.

7.1 Privacy impact assessment (Law 25, section 17)
Before any transfer outside Québec, Vooban carries out a privacy impact assessment that considers:

·       The sensitivity of the information

·       The purposes for which it will be used

·       The contractual and technical protective measures in place

·       The legal framework applicable in the destination jurisdiction

Transfers are made only where the assessment demonstrates adequate protection. A summary description of these assessments is available upon request.

7.2 GDPR safeguards
For visitors located in the European Union, transfers outside the EEA rely on one of the following mechanisms:

·       Adequacy decisions of the European Commission (notably the EU-US Data Privacy Framework where applicable)

·       Standard Contractual Clauses adopted by the European Commission

·       Supplementary technical and organizational measures where required

You may obtain a copy of the applicable safeguards by writing to confidentialite@vooban.com.

8. Retention periods
This Section describes our data retention policies and procedures, designed to help us comply with our legal obligations concerning the retention and deletion of personal information.

Personal information that we process for any purpose will not be retained for longer than is necessary for that purpose or those purposes.

Notwithstanding the other provisions of this Section, we will retain documents (including electronic documents) containing personal data:

Where we are required to do so by law;

Where we believe that the documents may be relevant to any ongoing or potential judicial proceedings; and

To establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and credit risk reduction).

9. Your rights
Subject to the conditions provided by law, you have the following rights:

·       Right of access: obtain confirmation that we process your information and obtain a copy

·       Right to rectification: correct inaccurate, incomplete or ambiguous information

·       Right to erasure (right to be forgotten): request the deletion of your information

·       Right to portability: receive your information in a structured, commonly used and machine-readable format (Law 25 s. 27, GDPR art. 20)

·       Right to restriction of processing (GDPR)

·       Right to object: object to processing, in particular for direct marketing purposes

·       Right to withdraw your consent at any time, without affecting the lawfulness of processing carried out before the withdrawal

·       Right to cessation of dissemination and de-indexing (Law 25)

·       Rights relating to automated decisions: obtain information, request human intervention, contest the decision

·       Right to lodge a complaint with the competent supervisory authority (see section 16)

9.1 How to exercise your rights
Send your request to confidentialite@vooban.com, specifying:

·       Your identity (we may request reasonable proof of identity)

·       The nature of your request

·       The information concerned where possible

We respond within a maximum of 30 days (Law 25) or one month (GDPR), with the possibility of a reasoned extension. Our service is free, unless the request is manifestly unfounded, excessive or repetitive.

10. Confidentiality incidents
In accordance with sections 3.5 to 3.8 of Law 25 and articles 33 and 34 of the GDPR:

·       We maintain a register of confidentiality incidents

·       In the event of an incident presenting a risk of serious injury, we notify without delay the Commission d'accès à l'information du Québec, the competent European supervisory authority where applicable, and the individuals concerned

·       We take reasonable measures to reduce the risk of injury and to prevent a similar incident from recurring

11. Cookies and similar technologies
11.1 What is a cookie
A cookie is a small file placed on your device by a website. It allows preferences to be stored, audience to be measured, or targeted advertising to be displayed. We also use similar technologies: pixels, web beacons, local storage.

11.2 Categories of cookies used
Category
Purpose
Consent required
Strictly necessary
Site functioning, security, load balancing
No
Preferences
Remember your choices (language, region)
Yes
Analytics
Measure audience (Google Analytics, etc.)
Yes
Marketing and targeted advertising
Google Ads, LinkedIn Insight Tag, Meta Pixel, retargeting
Yes
A detailed list of the cookies set is available via the Cookie Preferences Center accessible at the bottom of each page.

11.3 Managing your consent
On your first visit, a banner allows you to accept, refuse or configure non-essential cookies. You may change your preferences at any time via the "Cookie Preferences" link in the footer.

You may also configure your browser to block or delete cookies. Please note that this may affect site functionality.

Useful links for major browsers:

·       Chrome: https://support.google.com/chrome/answer/95647

·       Firefox: https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop

·       Safari: https://support.apple.com/guide/safari/sfri11471/mac

·       Edge: https://support.microsoft.com/en-us/microsoft-edge

12. Security
We implement reasonable technical and organizational measures to protect your personal information against loss, unauthorized access, disclosure, alteration and destruction, including:

·       Encryption in transit (TLS) and at rest where relevant

·       Access controls based on the principle of least privilege

·       Multi-factor authentication for sensitive access

·       Access logging and monitoring

·       Regular staff training on the protection of personal information

·       Periodic security audits and assessments

·       Incident response plan

No measure is infallible. You acknowledge that the transmission of information over the Internet involves a residual risk.

13. Links to third-party websites
Our Services may contain links to third-party websites or services. This policy does not apply to those websites. We invite you to consult their own policies.

14. Changes to this policy
We may update this policy to reflect changes to our practices, our Services or legal requirements. The version in force is always the one published on this page.

In the event of a substantial change, we will inform you by appropriate means (notice on the site, email) before its entry into force. If we wish to use your information for a new purpose not contemplated at the time of collection, we will obtain your consent where required by law.

15. How to contact us
For any question, request or complaint:

Vooban Inc.
Person in charge of the protection of personal information
510-1015 avenue Wilfrid-Pelletier
Québec, Canada
Email: confidentialite@vooban.com
Phone: 844-800-0027

16. Supervisory authorities
If you believe your rights are not being respected, you may lodge a complaint with:

17. Annex: Morphe by Vooban
This annex supplements the policy for users of the Morphe platform (morphe.vooban.com). In the event of any inconsistency with the main policy regarding the Morphe platform, this annex prevails.

17.1 Nature of Morphe
Morphe is an AI-powered knowledge capture and management platform, intended for professional use by organizations and their authorized users.

17.2 Roles and responsibilities
·       For content submitted by Clients to the platform: Vooban acts as a service provider (Law 25) or processor (GDPR art. 28) on behalf of the Client (the user organization). The Client is the controller and determines the purposes of processing. The terms are governed by the service agreement and the data processing addendum (DPA) between Vooban and the Client.

·       For individual user account data and browsing on morphe.vooban.com: Vooban acts as the controller, in accordance with this policy.

17.3 Use of AI models
Content processing by Morphe may involve:

·       Language models hosted by Vooban or by third-party providers (notably Anthropic, OpenAI, and other providers specified in the Client agreement)

·       Vectorization (embeddings), indexing and semantic search operations

·       Summarization, classification and automated extraction operations

Model training: Vooban and its AI subprocessors do not use Client content to train general AI models. Contractual agreements with our AI providers explicitly provide for this restriction. Any exception would be subject to the Client's explicit consent.

17.4 Data residency and transfers
Platform production data is hosted by default [in Canada / in the United States / in the EU based on your actual configuration]. Certain AI inference operations may involve transfers to the United States and other jurisdictions depending on the selected providers. Applicable safeguards are described in section 7.

17.5 Retention and deletion of Morphe content
·       Content submitted to Morphe is retained for the duration of the contract with the Client

·       Upon termination, content is deleted within 90 days, unless otherwise instructed by the Client

·       Individual users may request the deletion of their account; the deletion of personal content depends on the parameters defined by the responsible Client

·       Backups are retained for a maximum of 35 days and then deleted through a rotation cycle

17.6 Morphe-specific security
In addition to the measures described in section 12:

·       Logical isolation of data between Clients (multi-tenant architecture)

·       Encryption at rest with keys managed by Vooban (Client-managed keys option available on certain plans)

·       Periodic security audits

17.7 Rights of Morphe users
Requests to exercise rights relating to content submitted to the platform by a Client organization must be addressed to that organization. Vooban will support the Client in accordance with its contractual obligations.

Requests relating to the Morphe user account itself (settings, profile) may be sent directly to confidentialite@vooban.com.