Privacy Policy

1. Information We Collect

We collect information in four ways: directly from you, automatically through our platform, through third-party services you voluntarily connect, and indirectly when you interact with a pre-suasion tool that a Capturia client has published on their own website.

• Information you provide directly: first and last name, email address, phone number, company name, website, industry, responses to forms and qualification questionnaires, messages exchanged with our team or AI agents, appointment information (date, time, participants, meeting notes), data entered in the client portal.
• Information collected automatically: IP address, browser type and operating system, pages visited on the platform and time spent, approximate geolocation derived from your IP address, session identifiers, cookies essential to platform operation (see section 16). Our error monitoring tool Sentry also captures execution traces (stack traces) along with your IP address and application context when an error occurs, in order to diagnose bugs.
• Information from third-party integrations you voluntarily activate: Google Calendar data (availability, events, Google account email address) when you connect Google Calendar; Zoom profile (name, email), meeting data, and recordings when you connect Zoom; transactional and payment data processed by Stripe; call transcriptions generated by our transcription service AssemblyAI.
• Information collected through pre-suasion tools embedded on our clients' websites: responses to quizzes, calculators and diagnostics, email address and contact details voluntarily submitted by visitors. For this flow, the Capturia client is the principal data controller within the meaning of Quebec Law 25 (see section 4); Capturia acts as a processor and stores this data on the client's behalf.

2. Categories of Data Subjects

This policy covers four distinct categories of individuals whose personal information may be processed by Capturia:

• SMB clients — businesses that have subscribed to a Capturia plan. The information processed concerns the company itself (legal name, address), its legal representative, and payment information.
• Internal users of SMB clients — administrators, sales representatives and collaborators invited by a client to use the platform. The information processed includes account credentials, preferences, platform activity, and content produced as part of their work (responses to internal quizzes, funnel configurations).
• Visitors to capturia.io and prospects — individuals who browse our marketing site, fill in a contact form, register for a webinar, or interact with our AI qualification agents.
• Visitors to pre-suasion tools and sites published via the renderer — end consumers who interact with quizzes, calculators or capture pages that a Capturia client has published on their own domain. These individuals have no direct relationship with Capturia; the SMB client is the principal data controller and their own privacy policy applies first.

3. How We Use Your Information

We use your information exclusively to provide, maintain, secure and improve the services you have requested. Each use is directly tied to a feature visible in the platform.

• Synchronize your sales representatives' calendars with Google Calendar to display availability on public booking pages and automatically create events and Google Meet rooms when appointments are confirmed.
• Create and manage video meetings via Zoom (permanent rooms per representative, automatic links in invitations).
• Process payments for your Capturia subscription via Stripe.
• Send SMS (via Twilio) and transactional emails (via Resend) as part of your workflows — appointment confirmations, follow-ups, reminders. For emails sent on behalf of a Capturia client, we automatically provision a dedicated sending subdomain in the form "{client-name}.mail.capturia.io" via Resend.
• Generate content, analyses, summaries and recommendations using our artificial intelligence providers (Anthropic Claude, Google Gemini, OpenAI) — conversational agents, funnel builder, sales coaching, post-meeting summaries, lead qualification.
• Transcribe sales calls via AssemblyAI to power coaching and quality assurance.
• Compile and publish client pre-suasion tools on the Cloudflare infrastructure (Workers, R2, KV) served from tool.capturia.io and from clients' custom domains.
• Measure usage of published tools through our edge function "renderer-track" which collects anonymous usage metrics (page views, conversion events) without persistent identifiers.
• Ensure platform security, prevent fraud, monitor errors (via Sentry) and diagnose technical issues.

4. Our Role: Capturia as Controller and as Processor

Within the meaning of Quebec Law 25, Capturia does not have a single role. Depending on the data flow concerned, Capturia acts either as a data controller, or as a processor acting on behalf of a client.

• Capturia acts as a data controller for: information collected through capturia.io (visitors, prospects, contact forms), account information of SMB clients (legal name, payment, configuration), and information of internal users of clients (sales representatives, administrators).
• Capturia also acts as a data controller for information collected through booking pages hosted on capturia.io and its subdomains, when a visitor books an appointment with an SMB client. In this flow, Capturia operates the collection system (form, validation, AI agent, preparation emails, calendar) and this policy applies to the visitor. The relevant SMB client, whose identity is displayed on the booking page, becomes a recipient of the visitor's contact details after the booking is confirmed, for its own subsequent commercial follow-up. For any question about the SMB client's use of contact details after the booking (commercial follow-up, addition to a CRM, subsequent communications), the visitor may contact the SMB client directly.
• Capturia acts as a processor for: information about end leads captured through pre-suasion tools that a Capturia client has published on their own site (the client's custom domain, distinct from capturia.io). In this case, the SMB client determines the purposes, and Capturia processes the data strictly according to its instructions, within the scope of the subscription contract.
• For this last flow (pre-suasion tools on the client's custom domain), the SMB client is responsible for providing its own privacy policy to data subjects and for collecting the required consent. A Data Processing Addendum (DPA) is available to SMB clients on request at [email protected]. The DPA frames Capturia's obligations as processor and lists the sub-processors used (Anthropic, Google Gemini, Cloudflare, etc.) along with a right of objection.
• Capturia never combines data processed for one client with data processed for another: isolation is enforced at the database level by Row Level Security (see section 10).

5. Integrations and Third-Party Services

Capturia integrates with several third-party services to deliver its features. Each integration is voluntarily activated by you and can be disconnected at any time from the platform settings. Upon disconnection, OAuth access tokens are immediately deleted from our systems. Here is the detail of each integration:

• Google Calendar and Google Meet — Data accessed: calendar (availability and events), Google account email address. Purpose: synchronize sales representatives' availability, create appointment events, generate Google Meet rooms. OAuth scopes requested: calendar.readonly, calendar.events, userinfo.email. OAuth access and refresh tokens are encrypted with AES-256-CBC before storage. Capturia does not store the detailed content of your existing events — only availability slots are consulted. Revocation: from the Capturia settings or via myaccount.google.com/permissions.
• Zoom — Data accessed: user profile (name, email), meeting creation and management, recordings list. Purpose: automatically create meetings for appointments, generate permanent rooms per representative, access recordings for coaching. OAuth tokens are encrypted with AES-256-CBC before storage. Capturia never stores your Zoom password. Revocation: disconnect from Capturia settings (calls Zoom's OAuth revoke endpoint immediately) or uninstall via marketplace.zoom.us > Manage > Added Apps (Zoom sends us a deauthorization event and we confirm data deletion back to Zoom).
• Microsoft Teams — Data accessed: Teams meeting metadata (participants, dates, identifiers), meeting recordings when available. Purpose: complete coaching and call analysis for sales representatives who use Teams instead of Zoom or Google Meet. OAuth tokens are encrypted before storage and revocable from the Capturia settings.
• DocuSign — Data processed: signer information (name, email), contract content, electronic signature with timestamp and IP address. Purpose: have DFY contracts signed by SMB clients at the moment of conversion. The DocuSign webhook triggers the transition of the client account from demo to active state. DocuSign policy: docusign.com/company/privacy-policy.
• Stripe — Purpose: processing of Capturia subscription payments. Capturia does not store your credit card numbers — they are processed directly by Stripe (PCI-DSS Level 1 certified). Stripe policy: stripe.com/privacy.
• Stripe Connect — For SMB clients who choose to use it, Stripe Connect allows Capturia to facilitate the processing of their own clients' payments through the platform. The SMB client controls their Connect accounts, products, prices and payment links. Capturia neither sees nor stores card numbers of the SMB client's own customers.
• Anthropic (Claude API) — Data processed: content of conversations sent to our AI agents, lead context, content generation prompts for the funnel builder. Purpose: powering conversational agents, the AI-assisted funnel builder, and copy analysis. Under Anthropic's Commercial Terms and DPA effective January 1, 2026, data sent through the API is not used to train its models. Anthropic retains API data by default for 7 days for security and abuse prevention purposes, then deletes it. Policy: privacy.claude.com.
• Google Gemini API — Data processed: prompts sent to the AI-assisted funnel builder and to certain generation features. Purpose: content generation, suggestions, analysis. Under Google Cloud's "Cloud Data Processing Addendum", prompts sent to Gemini for Google Cloud are not used to train its models.
• OpenAI — Data processed: sales conversation content, call transcriptions, lead context data for certain legacy agents. Purpose: powering AI conversational agents and post-meeting summary generation. Under OpenAI's API policy, data submitted via the API is not used to train its models.
• AssemblyAI — Data processed: sales call audio files. Purpose: automatic call transcription for coaching and quality assurance. Audio files are deleted by AssemblyAI after transcription.
• Fireflies.ai — Data processed: recordings and transcripts of video meetings (Zoom, Google Meet, Microsoft Teams) when the Fireflies bot is invited into the meeting. Purpose: meeting transcription and analysis to power post-meeting coaching. Capturia receives transcripts via webhook after processing by Fireflies.
• Twilio — Data processed: contact phone numbers, SMS message content, call metadata and recordings, voicemails. Purpose: sending and receiving SMS, voice calls and voicemails as part of your workflows. Twilio also handles regulatory STOP/opt-out keyword management.
• WhatsApp Business — Data processed: phone numbers, content of inbound and outbound WhatsApp messages. Purpose: WhatsApp conversations in the unified inbox of clients who enable this channel. Opt-out is managed per contact in the database.
• Resend — Data processed: recipient email addresses and content of transactional emails. Purpose: email delivery. For each Capturia client, we automatically provision a dedicated sending subdomain under mail.capturia.io via Resend, which improves deliverability and per-client isolation.
• Meta (Facebook, Instagram) — Data accessed: connected Facebook pages, professional Instagram accounts, Facebook Ads campaigns. Purpose: (a) receive leads submitted via Facebook Lead Ads directly into the Capturia platform, (b) send server-to-server conversion events (Conversions API) to measure campaign performance — for example a Lead event on webinar registration, a Purchase event on Blueprint purchase. Meta OAuth tokens are encrypted before storage.
• GoHighLevel — Data processed: for clients who use Layla (Capturia's main SMS bot) or landing-page capture flows, certain contact information (name, email, phone, tags) is synchronized to GoHighLevel for clients whose primary CRM remains hosted there. This synchronization is being progressively replaced by the native Capturia CRM.
• Cloudflare — Purpose: hosting of published pre-suasion tools (Workers + R2 storage + KV for routing), CDN, web application firewall (WAF), management of clients' custom domains via Cloudflare for SaaS. Cloudflare may process visitors' IP addresses and HTTP headers to ensure security and content delivery.
• ENTRI — Third-party component loaded in the browser inside the client dashboard when adding a custom domain. ENTRI enables one-click DNS configuration with more than 60 registrars. Capturia does not store any registrar credentials and performs no DNS writes from its servers.

6. Google User Data — Google API Services User Data Policy Compliance

Capturia's use of information received from Google APIs adheres to the Google API Services User Data Policy (developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements. Capturia commits to the following restrictions:

• Capturia accesses Google Calendar data only to provide calendar synchronization, appointment management, and meeting room creation features directly visible in the platform user interface.
• Capturia does not use or transfer data received from Google APIs for any of the following purposes prohibited by Google: (1) targeted advertising, (2) selling to data brokers, (3) providing to information resellers, (4) determining credit-worthiness, (5) lending purposes, (6) user advertisements, (7) personalized advertisements, (8) retargeted advertisements, (9) interest-based advertisements, (10) creating databases, (11) training, fine-tuning or improving artificial intelligence models, whether developed internally or by our third-party AI providers (Anthropic, Google Gemini, OpenAI).
• Capturia never sells Google user data to third parties.
• Capturia does not allow humans to read data received from Google APIs unless: (a) you have given explicit and informed consent, (b) it is necessary for security purposes (investigating abuse or a vulnerability), (c) to comply with a legal obligation, or (d) in aggregated and anonymized form for internal operations that do not allow identification.
• Google OAuth access and refresh tokens are encrypted using AES-256-CBC before storage in our database and are never stored in plain text. Tokens are transmitted exclusively over HTTPS encrypted connections. Upon disconnection of a Google integration, tokens are deleted immediately and the associated Google data is no longer accessible to Capturia. Upon termination of your account, all tokens are deleted within 30 days in accordance with the account deletion procedure described in section 14.

7. Information Sharing and Sub-processors

We never sell your personal information. We share your information only with the following categories of recipients, to the extent strictly necessary for the purposes described in this policy:

• SMB clients receiving leads after a booking — when a visitor books an appointment via a booking page hosted on capturia.io, their contact details (name, email, phone, any notes, qualification answers) are transmitted to the relevant SMB client to enable the appointment and its subsequent commercial follow-up.
• Infrastructure providers — Supabase (database, authentication, edge functions — hosted on Amazon Web Services), Vercel (web application hosting), Cloudflare (Workers, R2, KV, WAF, management of clients' custom domains).
• Artificial intelligence providers — Anthropic Claude (conversational agents, funnel builder), Google Gemini (AI content generation), OpenAI (legacy AI agents and coaching).
• Communication providers — Twilio (SMS, voice, voicemails), Resend (transactional emails and per-client sending subdomains), WhatsApp Business (WhatsApp messages for clients who enable this channel).
• Transcription and audio analysis providers — AssemblyAI (phone calls), Fireflies.ai (Zoom, Google Meet and Microsoft Teams video meetings).
• Videoconferencing providers — Zoom, Google Meet, Microsoft Teams (depending on the sales representative's choice).
• Payment providers — Stripe (Capturia subscription payments), Stripe Connect (for SMB clients who process their own clients' payments through Capturia).
• Electronic signature provider — DocuSign (DFY contract signing).
• Advertising providers — Meta (Facebook Lead Ads management, server-to-server event delivery via Conversions API to measure campaign performance).
• External CRM synchronization — GoHighLevel (synchronization of contacts and tags for clients whose primary CRM remains hosted there, triggered notably by Layla).
• Observability provider — Sentry (collection of errors and execution traces with technical context for debugging, including Session Replay).
• Internal notifications — Slack (operational notifications to the Capturia team, for example upon a new webinar registration or a technical incident). No personal data of end leads is externalized to Slack beyond contextual summaries when necessary.
• Third-party components loaded in the browser — ENTRI (one-click DNS configuration in the custom domains wizard).
• Third-party services voluntarily connected by you — Google, Zoom, Microsoft Teams, to the extent necessary for the integration you activated.
• Legal authorities — only if required by a valid court order, applicable law, or to protect our legal rights. We challenge any request that appears disproportionate to us.

8. Information Transfers Outside Quebec

Capturia is a company established in Quebec, Canada. In the course of providing our services, some of your personal information may be transferred to and processed outside Canada by our technology sub-processors. Before any transfer, we ensure that the recipient provides an adequate level of protection in accordance with Law 25 requirements and that a data processing agreement is in place. Here is the principal location of our sub-processors:

• Supabase — database and authentication, hosted on Amazon Web Services, United States.
• Vercel — web application hosting, United States.
• Cloudflare — Workers, R2, KV and WAF, multi-region infrastructure with presence in the United States and globally.
• Anthropic (Claude API) — United States. API data is not used for training, default retention of 7 days.
• Google (Calendar, Meet, Gemini API) — United States, subject to the Google API Services User Data Policy and Cloud Data Processing Addendum.
• Microsoft (Teams) — United States and other regions, subject to Microsoft standard contractual clauses.
• OpenAI — United States. API data is not used for training.
• Zoom — United States.
• Stripe and Stripe Connect — United States, PCI-DSS Level 1 certified.
• DocuSign — United States, compliant with industry standards eIDAS and SOC 2.
• Sentry — United States, acts as a processor for error collection.
• AssemblyAI — United States.
• Fireflies.ai — United States.
• Twilio — United States.
• WhatsApp Business (Meta) — United States and other Meta regions.
• Meta — United States (Lead Ads and Conversions API).
• Resend — United States.
• GoHighLevel — United States.
• Slack — United States (internal notifications to the Capturia team).

9. Privacy Impact Assessments (PIA)

In accordance with section 3.3 of Quebec Law 25, Capturia conducts a privacy impact assessment for each transfer of personal information outside Quebec as well as for any new high-risk processing project. The PIA examines data sensitivity, purposes, contractual and technical protection measures, the legal framework of the destination country, and remedies available to data subjects. The PIAs conducted by Capturia are available upon reasonable request to B2B clients and to the Commission d'accès à l'information du Québec (CAI). This procedure is reviewed at regular intervals and upon any major change of sub-processor.

10. Information Security

We implement technical and organizational security measures consistent with industry standards to protect your information against unauthorized access, loss, alteration, or disclosure:

• Encryption of all data in transit via HTTPS/TLS between your browser and our servers.
• AES-256-CBC encryption of all OAuth tokens (Google, Zoom) and sensitive authentication credentials before database storage.
• Strict per-client data isolation in the database via Row Level Security (RLS) — one client can never access another client's data.
• Role-based access controls (owner, administrator, sales representative) with server-side verification on every request.
• CSRF (Cross-Site Request Forgery) protection on all OAuth authentication flows via single-use httpOnly cookies.
• Authenticated sessions with automatic token refresh and configurable expiration.
• Cloudflare Web Application Firewall (WAF) in front of published tools to block known attacks and rate-limit traffic.
• Logging of access to sensitive data for anomaly detection, and collection of application errors by Sentry to quickly identify vulnerabilities.
• Principle of least privilege for internal access to production data: only strictly necessary personnel have access, which is logged and revocable.

11. Behavioral Analytics and Session Recording

Capturia uses two distinct recording mechanisms, for different purposes. First, on the platform (capturia.io, app.capturia.io, admin.capturia.io), Sentry's "Session Replay" integration records an anonymized visualization of your session only when an application error occurs (no capture under normal conditions, capture triggered by the error). This recording is used exclusively for diagnosing the bug. Sensitive fields (passwords, payment information) are masked automatically by default. Second, on the funnels and pre-suasion tools published by Capturia clients on their own sites, a heatmap mechanism based on the rrweb library collects anonymous clicks, scrolls and movements to help the SMB client optimize their funnel. For this second flow, the SMB client is the data controller within the meaning of Quebec Law 25 (see section 4) and Capturia acts as a processor. None of these recordings is sold or used for advertising purposes. In accordance with section 8.1 of Quebec Law 25 (technologies that may identify, locate or profile), an explicit prior consent mechanism is planned. In the meantime, you can object to these recordings by contacting us at [email protected].

12. Artificial Intelligence

Capturia uses artificial intelligence in several aspects of its platform. We believe in transparency about the use of these technologies:

• AI conversational agents — automated agents (powered primarily by Anthropic Claude, and by OpenAI for some legacy agents) qualify incoming leads, ask qualification questions, and collect relevant information. Conversations are stored in the platform and accessible to sales representatives.
• Funnel and copy builder — Anthropic Claude and Google Gemini generate marketing content (titles, sections, copy) from prompts entered by sales representatives. Generated content is always editable by a human before publication.
• Sales coaching — AI analyzes call and conversation transcriptions to provide personalized recommendations to sales representatives: strengths, areas for improvement, follow-up suggestions.
• Post-meeting summaries — after each transcribed call, AI generates a structured summary with key points, commitments, and next steps.
• Workflow automation — AI may trigger or personalize certain steps in follow-up sequences (SMS and email content, lead prioritization).
• None of these providers (Anthropic, Google, OpenAI) uses data sent through their commercial APIs to train their models, pursuant to their respective DPAs in effect in 2026.

13. Decisions Based Exclusively on Automated Processing

In accordance with section 12.1 of Quebec Law 25, Capturia commits to inform data subjects of any decision made solely through automated processing that would produce a legal effect or significantly affect them. To date, Capturia does not make any such decisions: all analyses, scores, rankings and recommendations generated by AI are decision-support tools intended for a human (sales representative, administrator, Capturia team), who remains the sole final decision-maker. If we were to introduce in the future an exclusively automated decision affecting a person (for example an automatic refusal of service), we would: (a) explicitly inform the person at the time of the decision, (b) communicate to them the personal information used, the principal factors and the general logic of the processing, (c) offer them the right to submit observations and request the review of the decision by a human, at [email protected].

14. Data Retention

We retain your personal information according to the following periods, after which it is deleted or anonymized:

• Active client account data (profile, company, configuration) — retained for the duration of the contractual relationship, then 3 years after contract end to meet legal and tax obligations.
• Prospect data and end leads captured via pre-suasion tools (quiz responses, forms, AI conversations) — 24 months after the last contact or interaction, unless instructed otherwise by the responsible SMB client.
• Call recordings and transcriptions — 12 months after creation date, then automatically deleted.
• Payment and billing data — retained as required by applicable Quebec tax regulations (minimum 6 years).
• Connection logs and security data — 12 months.
• Errors, execution traces and Session Replay recordings captured by Sentry — retained according to our Sentry provider's retention policy, typically between 30 and 90 days depending on data category and our plan, then automatically purged.
• Heatmaps and anonymous events collected on published client funnels — retained for a maximum of 24 months to allow the SMB client to analyze funnel performance, then purged.
• Data sent to AI providers (Anthropic, Google Gemini, OpenAI) — Anthropic retains API requests for 7 days by default and then deletes them; the other providers apply equivalent policies under their commercial DPAs.
• OAuth tokens from third-party integrations — deleted immediately when the user disconnects the integration. Upon account termination, all tokens are deleted within 30 days.

15. Your Rights — Quebec Law 25

In accordance with Quebec's Act respecting the protection of personal information in the private sector (Law 25, RLRQ c. P-39.1) and the federal Personal Information Protection and Electronic Documents Act (PIPEDA), you have the following rights over your personal information held by Capturia:

• Right of access — You may request a copy of all personal information we hold about you, including its source, the categories of persons who have access to it, and the planned retention period.
• Right of rectification — You may request the correction of inaccurate, incomplete, or ambiguous information.
• Right of deletion and right to de-indexation — You may request the deletion of your information when it is no longer necessary for the purposes for which it was collected, subject to our legal retention obligations.
• Right to withdraw consent — You may withdraw your consent to a specific processing activity at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
• Right to portability — You may request to receive your information in a structured and commonly used technological format, or to have it transmitted to another organization.
• Right to object to profiling and session recording technologies — See section 11 for the objection procedures.
• To exercise any of these rights, send your request to [email protected] specifying your identity and the right you wish to exercise. We will acknowledge receipt within 5 business days and process your request within a maximum of 30 days in accordance with Law 25.
• Mechanisms already in place in the platform: (a) SMB clients and their internal users can request account deletion directly from the dashboard settings, which triggers a purge process with a grace period; (b) a complete export of their data is available on demand from the dashboard; (c) for contacts managed in the CRM by an SMB client, the right to erasure is executed automatically by a daily scheduled job — deletion is effective within a target delay of 48 hours following the request, with an internal audit log; (d) two-factor authentication (2FA) is available for all accounts.
• For rights related specifically to an SMB client's use of your contact details after a booking made on capturia.io (commercial follow-up, addition to a CRM, subsequent communications), you may also contact the relevant SMB client directly, whose identity appears on the booking page. Capturia will facilitate your request if needed and remains your primary contact for the collection phase.
• If we are unable to fulfill your request (for example due to a legal retention obligation), we will inform you in writing with the reasons for the refusal and the available remedies.

16. Cookies

Capturia uses a limited number of cookies strictly necessary for platform operation. We currently do not use any advertising, retargeting or marketing analytics cookies on our own domains (capturia.io, app.capturia.io, admin.capturia.io). Essential cookies include: Supabase session cookies (authentication and maintaining your connection), temporary CSRF cookies to secure OAuth flows (Google Calendar, Zoom — httpOnly, deleted after use), and language preferences. Sentry and the heatmap mechanism described in section 11 do not deposit persistent cookies that serve to identify or locate you. For more details, see our Cookie Policy.

17. Confidentiality Incident Notification

In the event of a confidentiality incident presenting a risk of serious harm to data subjects, Capturia commits to: (a) notify without undue delay — targeting a delay of 72 hours after becoming aware — the Commission d'accès à l'information du Québec (CAI) and the affected individuals, (b) maintain an internal register of all confidentiality incidents, kept for at least 5 years, (c) cooperate with the CAI and any other competent authority, (d) take any reasonable measure to contain the incident and reduce its impact. If you suspect an incident involving your information, contact us immediately at [email protected] with "Incident" in the subject line.

18. Complaint Procedure

If you believe that Capturia has not respected your rights regarding personal information protection, we invite you first to write to [email protected] describing the situation. We will acknowledge receipt within 5 business days and provide a reasoned response within 30 days. If the response does not satisfy you, you may file a complaint with the Commission d'accès à l'information du Québec (CAI) via cai.gouv.qc.ca, or with the Office of the Privacy Commissioner of Canada (OPC) via priv.gc.ca for matters of federal scope. No retaliatory measure will be taken against any person who has exercised their rights or filed a complaint.

19. Person in Charge of the Protection of Personal Information

In accordance with section 3.1 of Quebec Law 25, the person in charge of the protection of personal information at Capturia is, by default and in the absence of a written delegation, the principal officer of Capturia The person in charge can be reached at: [email protected] — Capturia, Quebec City (Quebec), Canada. The person in charge oversees the application of this policy, processes requests for the exercise of rights, coordinates the response to confidentiality incidents, and represents Capturia before the CAI. Any written correspondence may be addressed to the attention of the "Person in Charge of the Protection of Personal Information".

20. Changes to This Policy

We may update this privacy policy to reflect changes in our practices, services, or applicable laws. The date of the latest update is shown at the top of the page. In the event of a material change, we will notify you by email or through a prominent notice on the platform before the changes take effect. Your continued use of the services after notification constitutes your acceptance of the changes. We encourage you to review this policy regularly.

21. Contact and Official Version

For any questions regarding this privacy policy, to exercise your rights or to report an incident, contact Capturia's person in charge of the protection of personal information at: [email protected] — Capturia, Quebec City (Quebec), Canada. This policy is drafted in French and in English. In case of any divergence of interpretation between the two versions, the French version shall prevail.