1. Introduction

Capsule Quest Corp. ("we", "us", "our") operates the C-Quest mobile application (the "Service"). This Privacy Policy is a comprehensive document that explains how we collect, use, disclose, and safeguard your information when you use our Service. It also outlines your privacy rights under:

• General Data Protection Regulation (GDPR) (EU 2016/679)
• California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA)
• California Online Privacy Protection Act (CalOPPA)
• Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
• Quebec's Act Respecting the Protection of Personal Information in the Private Sector

By accessing or using the Service, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use immediately.

2. Detailed Definitions

2.1 Key Terms

• Account: Your unique user profile for the C-Quest Service.
• Company (Data Controller): Capsule Quest Corp., 4303 Avenue des Erables, Montreal QC, H2H 2C6 Canada.
• Data Processor: Third parties that process data on our behalf (e.g., Resend, Google Places).
• Personal Data: Any information relating to an identifiable individual, including:
  • Identifiers: Work email, first/last name, work phone number
  • Commercial information: Service usage records
  • Sensory data: Pictures captured via device camera (with explicit consent)
  • Network activity: IP address, device identifiers, browsing history
• Service: The C-Quest web/mobile applications and related services.
• You: The user (individual or entity) accessing the Service.

2.2 Legal Frameworks

• GDPR: Applies to EU/EEA users. We act as Data Controller.
• CCPA/CPRA: Grants specific rights to California residents.
• CalOPPA: Requires transparency about tracking practices.
• PIPEDA: Governs data protection for Canadian users.

3. Comprehensive Data Collection Practices

3.1 Data You Provide

We collect when you:

• Register an account: Work email, name, phone number
• Use camera features: Pictures (with granular permissions)
• Contact support: Communication content
• Participate in surveys: Optional demographic data

3.2 Automated Data Collection

Through cookies and similar technologies:

• Device Information: Hardware model, OS version, unique device identifiers
• Usage Analytics: Feature usage frequency, session duration, error logs
• Location Data: Approximate location derived from IP (not precise GPS)
• Network Data: Connection type, carrier information

3.3 Third-Party Data Sources

We may receive data from:

• Google Places API: For location-based services
• Resend: Email engagement metrics (opens/clicks)
• Social Media Platforms: When you link accounts

4. Data Processing Purposes (Legal Bases Under GDPR)

Purpose	Legal Basis	Data Categories
Account management	Contractual necessity	Email, name, phone
Service delivery	Legitimate interest	Usage data, device info
Email communications	Consent (opt-in)	Email address
Camera functionality	Explicit consent	Pictures
Analytics	Legitimate interest	Aggregated usage data
Legal compliance	Legal obligation	All relevant data

5. Data Sharing and Disclosure

5.1 Service Providers

We engage these processors under strict DPAs:

• Resend (Email delivery): Privacy Policy
• AWS (Data hosting): Processes data in US/EU regions
• Google Places (Location services): Terms

5.2 Legal Disclosures

We may disclose data when required by:

• Court orders or subpoenas
• Government investigations
• Regulatory compliance audits

5.3 Business Transfers

In events such as:

• Mergers/acquisitions (with prior notice)
• Asset sales (data treated as business asset)

6. International Data Transfers

Your personal data may be transferred to, stored in, or processed in countries outside your country of residence, including but not limited to:

• Canada (processing location)
• United States (for data hosting via AWS, and for select third-party services such as Resend and Sentry)
• European Union (for backup, redundancy, and compliance purposes)

We are committed to ensuring that all international data transfers comply with the General Data Protection Regulation (GDPR), as well as other applicable privacy laws.

6.1 Legal Mechanisms and Safeguards

• Adequacy Decisions: Transfers to Canada are permitted under the European Commission’s adequacy decision, recognizing Canadian privacy laws as providing adequate protection for personal data.
• Standard Contractual Clauses (SCCs): For transfers to the United States and other countries without an adequacy decision, we implement the European Commission’s Standard Contractual Clauses (SCCs), supplemented by additional technical and organizational measures as required by the Schrems II ruling.
• Binding Corporate Rules (BCR): For intra-group transfers within clients' entities and authorized processors, we adhere to BCRs approved by the relevant supervisory authorities (e.g., CNIL, OPC), ensuring consistent protection of data across jurisdictions.
• Vendor Due Diligence: All third-party subprocessors (e.g., Supabase, AWS, Cloudflare, Resend) are subject to rigorous security and privacy assessments, and are contractually bound to comply with GDPR-equivalent standards, including data minimization, purpose limitation, and incident response obligations.
• Data Minimization: We only transfer the minimum amount of personal data necessary for the specified processing purposes, and never store loyalty program data or other restricted categories outside approved jurisdictions.
• Onward Transfers: Onward transfers to additional third parties are strictly prohibited without prior written consent from client and are subject to equivalent safeguards.

6.2 Your Rights and Transparency

• Right to Information: You may request further details about the safeguards and legal mechanisms we use for international data transfers.
• Access to Agreements: Copies of relevant SCCs, BCRs, or other transfer mechanisms can be provided upon request, subject to confidentiality requirements.
• Objection and Withdrawal: Where consent is the legal basis for a transfer, you may withdraw consent at any time, though this may affect your ability to use certain features of the Service.

We regularly review and update our international data transfer practices to ensure ongoing compliance with evolving legal requirements and industry best practices. For more information or to exercise your rights, please contact our Data Protection Officer at privacy@cquest.app.

7. Detailed User Rights and How to Exercise Them

We apply the General Data Protection Regulation (GDPR) as our baseline privacy standard for all users, regardless of location. This means that, in addition to any rights granted under local laws such as the California Consumer Privacy Act (CCPA/CPRA) or Canadian privacy laws (PIPEDA and Quebec law), you are also entitled to the full set of GDPR rights described below.

7.1 GDPR Rights for All Users

All users, including those in the EU/EEA, California, Canada, and elsewhere, have the following rights under the GDPR:

• Right of Access: Obtain confirmation as to whether we process your personal data and, if so, receive a copy and related information.
• Right to Rectification: Request correction of inaccurate or incomplete personal data.
• Right to Erasure: Request deletion of your personal data in certain circumstances (e.g., when data is no longer necessary, or you withdraw consent), subject to legal exceptions.
• Right to Restriction of Processing: Request that we limit processing of your data (e.g., while a dispute is being resolved).
• Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent: Withdraw your consent at any time where processing is based on consent, without affecting prior processing.
• Right to Lodge a Complaint: File a complaint with your local Data Protection Authority (DPA) or relevant privacy regulator.

7.2 Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you are also entitled to the following rights under the CCPA and CPRA, in addition to your GDPR rights:

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, used, disclosed, or sold about you.
• Right to Delete: Request deletion of your personal information, subject to certain exceptions (e.g., legal obligations).
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: Direct us not to sell or share your personal information (note: we do not sell your data).
• Right to Limit Use of Sensitive Personal Information: Restrict our use of sensitive personal information to what is necessary for providing services.
• Right to Non-Discrimination: Exercise your rights without receiving discriminatory treatment.

7.3 Additional Rights for Canadian Users (PIPEDA and Quebec Law)

If you are located in Canada, including Quebec, you are also entitled to the following rights under PIPEDA and applicable provincial laws, in addition to your GDPR rights:

• Right of Access: Request access to your personal information held by us.
• Right to Correction: Request correction of inaccurate or incomplete personal information.
• Right to Withdraw Consent: Withdraw your consent for processing your personal information at any time, subject to legal or contractual restrictions.
• Right to Challenge Compliance: Challenge our compliance with privacy obligations by contacting our Data Protection Officer (DPO) or the Office of the Privacy Commissioner of Canada.

7.4 How to Exercise Your Rights

To exercise any of the above rights, please contact us at privacy@cquest.app and include:

• The subject line: "GDPR Data Request", "CCPA Request", or "PIPEDA Request" (as applicable)
• Sufficient information to verify your identity and locate your data (e.g., account email, name)
• A clear description of your request

We will acknowledge your request promptly and respond within 30 days, or as required by law. For complex or multiple requests, we may extend the response period and will notify you accordingly. If we cannot fulfill your request, we will provide an explanation.

If you are unsatisfied with our response, you may contact your local supervisory authority or privacy regulator for further assistance.

8. Data Security Measures

We implement robust security measures to protect your personal data in accordance with GDPR Article 32 and other applicable regulations.

8.1 Technical Safeguards

• Encryption: All personal data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher.
• Access Controls: Strict role-based access controls ensure only authorized personnel can access personal data.
• Data Minimization: We collect and retain only the minimum data necessary for specified purposes.
• Pseudonymization & Anonymization: Where feasible, data is pseudonymized or anonymized to reduce risk in the event of unauthorized access.
• Regular Security Testing: We conduct regular vulnerability assessments and penetration tests to identify and address potential security weaknesses.
• Secure Development Practices: Our software development lifecycle incorporates security by design and by default principles.

8.2 Organizational Measures

• Employee Training: All staff undergo mandatory privacy and security training at least twice a year, with additional training for those handling sensitive data.
• Confidentiality Agreements: Employees and contractors are bound by confidentiality obligations regarding personal data.
• Vendor Due Diligence: All third-party processors are subject to rigorous security and privacy assessments, and are contractually required to comply with GDPR and equivalent standards.
• Data Protection Policies: Comprehensive internal policies govern data handling, retention, and disposal.

8.3 Incident Response and Breach Notification

• Incident Response Plan: We maintain a documented incident response plan to promptly address and mitigate data breaches or security incidents.
• 72-Hour Notification: In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours, as required by GDPR, and affected individuals when there is a high risk to their rights and freedoms.
• Continuous Improvement: All incidents are reviewed post-resolution to strengthen our security posture and prevent recurrence.

These measures are regularly reviewed and updated to ensure ongoing compliance with evolving legal requirements and industry best practices.

9. Data Retention and Deletion Policy

We maintain a clear data retention schedule to ensure that personal data is not kept longer than necessary for its intended purpose, in line with GDPR Article 5(1)(e) and other applicable laws. Our retention periods are determined by business needs, legal obligations, and data minimization principles.

Data Category	Retention Period	Purpose / Legal Basis
Account Information	3 years after last user activity or account closure	To support account reactivation, resolve disputes, and comply with business recordkeeping requirements
Camera Images	3 years (automatically deleted)	Temporary processing for feature delivery; images are purged to minimize risk and comply with privacy by design
Usage Logs	12 months	Aggregated analytics, troubleshooting, and security monitoring; logs are anonymized or deleted after this period
Financial Records	7 years	Compliance with tax, accounting, and statutory obligations

Automated Deletion:
Where feasible, deletion and anonymization are enforced through automated scripts and scheduled database jobs. For example, camera images are programmatically purged after 90 days, and inactive accounts are flagged for deletion after the retention period.

User-Initiated Deletion:
Users may request erasure of their data at any time (see Section 7). Upon verified request, we will promptly delete or anonymize personal data, except where retention is required by law (e.g., financial records).

Audit and Review:
Retention schedules are reviewed annually to ensure ongoing compliance with evolving legal requirements and best practices. Any changes are reflected in this policy and communicated to users.

For further details or to request deletion, contact our Data Protection Officer at privacy@cquest.app.

10. Children's Privacy

C-Quest is intended exclusively for business professionals. Use by individuals under 13 is strictly prohibited. All users are preregistered and verified by app administrators to ensure compliance. We do not knowingly collect or process personal data from children under 13. If we become aware that such data has been collected, it will be promptly deleted. Parental controls and COPPA-specific mechanisms are not applicable due to our restricted user base.

11. Third-Party Links and Services

Our Service may include links to external websites, applications, or services operated by third parties, such as:

• Business partners
• Social media platforms
• Payment processors (where relevant)

Please note the following regarding such third-party links and services:

• No Endorsement or Control: We do not own, operate, or exercise control over the content, privacy practices, or security of third-party websites or services. The inclusion of a link does not imply our endorsement or affiliation.
• Independent Privacy Policies: Third-party services are governed by their own privacy policies and terms of use. We strongly encourage you to review the privacy notices of any external sites or services before providing personal data.
• No Liability: We disclaim any responsibility or liability for the data collection, use, disclosure, or security practices of third parties, even if accessed via our Service.
• Data Transfers: If you choose to interact with third-party services (e.g., by linking accounts or making payments), your personal data may be transferred directly to those third parties. Such transfers are outside our control and are not covered by this Privacy Policy.
• User Responsibility: You are solely responsible for your interactions with third-party services. If you have questions about how your data is handled by a third party, please contact them directly.

This approach is consistent with GDPR requirements for transparency and accountability regarding onward transfers and third-party data processing.

12. Cookie and Tracking Technologies

12.1 Essential Cookies

• Session management
• Security tokens
• Consent preferences

12.2 Analytical Cookies

• Google Analytics (anonymized IPs)
• Hotjar (session recordings, opt-out available)

12.3 Your Choices

• Browser settings (block/delete cookies)
• Our preference center (granular controls)
• Global opt-out signals (GPC, DNT)

13. Policy Updates and Notifications

• Update Frequency: Reviewed quarterly
• Change Notification: Email + in-app banner
• Archive: Previous versions available on request
• Material Changes: 30-day advance notice

14. Dispute Resolution

• Primary Channel: privacy@cquest.app
• Regulatory Bodies:
  • EU: Local DPA
  • California: CPPA
  • Canada: Privacy Commissioner
• Arbitration: Binding under Quebec law

15. Contact Information

Data Protection Officer: Capsule Quest Corp.
4303 Avenue des Erables
Montreal QC, H2H 2C6 Canada
Email: privacy@cquest.app
Phone: [+1 514 583 0533] (Mon-Fri 9AM-5PM EST)

EU Representative (per GDPR Article 27):
Coming soon