Privacy Policy – Solution Instrumentation
Effective Date: September 1, 2025
1. Scope & Purpose
This policy applies to all digital interactions (website, portal, email, phone, etc.) between Solution Instrumentation (“we,” “us,” or “our”) and clients. It governs how we collect, use, store, share, and protect personal data in compliance with Québec’s Law 25, Canada’s PIPEDA and CASL, the EU GDPR & ePrivacy Directive, and relevant U.S. federal and state privacy laws. Clients are responsible for ensuring that their use of our systems conforms to applicable local regulations.
2. Definitions: Personal & Sensitive Data
- Personal Data: Identifiers like name, email, phone number, job title, credentials, geo-location, or system-specific records linked to individuals.
- Sensitive Personal Data: Includes information such as health details, biometric data, political or religious beliefs, union membership, and is strictly prohibited from our systems, even in free-text fields.
3. Data Collection Sources
We collect data through:
- Manual entry (e.g., service requests via phone),
- Emails,
- Bulk uploads,
- System integrations.
This data is used only to deliver our core services—like calibration, support, or implementation. Always collect only what’s necessary and ensure users are informed of its purpose.
4. Purpose & Consent
Personal data is used for business operations (setup, billing, communication).
- Under PIPEDA, consent may be explicit or implied if reasonable.
- Québec’s Law 25 mandates explicit, informed, and purpose-specific consent.
- GDPR requires freely given, specific, informed, and unambiguous consent for EU data subjects.
- In the U.S., compliance depends on state law; many states require opt-outs or specific transparency mechanisms.
Clients must secure and document appropriate consent for data they manage.
5. Marketing Communications
We follow the strictest privacy rules across jurisdictions:
- Canada (PIPEDA/CASL): Requires express opt-in or a demonstrable Existing Business Relationship (EBR); must include sender ID and opt-out.
- Québec: Business contact information may be used without consent, but transparency and opt-out mechanisms are mandatory.
- EU (GDPR/ePrivacy): Explicit opt-in required for marketing and cookies; no implied consent or bundled consent allowed.
- U.S.: Varies by state; laws like CCPA/CPRA demand a clear "Do Not Sell" link and rights to know, delete, and opt-out; many states are following similar patterns.
6. Cookies & Tracking
- GDPR / ePrivacy: Informed consent is required before setting non-essential cookies; clear consent banners and purpose-specific disclosures are mandatory.
- U.S.: In states like California, tracking may trigger sale-sharing disclosures and opt-outs under CCPA/CPRA.
- Compliance Requirements: Only strictly necessary cookies run by default. Others (analytics, marketing) require explicit opt-in. Granular control, transparency, consent logs, and third-party disclosures are critical.
7. User Rights
| Region | Key rights |
|---|---|
| EU (GDPR) | Access, correction, deletion, data portability, objection to processing, withdraw consent at any time. |
| Québec (Law 25) | Similar to GDPR, including breach notification to CAI and privacy-by-design. |
| Canada (PIPEDA) | Access, correction, and complaint to the Privacy Commissioner. |
| U.S. States | Rights to know, delete, correct, opt-out of sale/profiling; varies by state (e.g., CPRA, VCDPA, CPA). |
8. Privacy Governance & PIA
A Privacy Officer (by default, our CEO) oversees compliance and internal privacy operations. Privacy Impact Assessments (PIAs) are conducted for new systems, cross-border transfers, or novel processing activities—regardless of jurisdiction.
9. Security & Retention
We use encryption, secure hosting, access controls, and regular audits. Personal data is only kept as long as necessary. Once obsolete, it’s securely deleted or anonymized.
10. Breach Notification
- Québec: Notify affected parties and CAI in serious breaches.
- U.S.: Varies by state; some laws include private right of action for breaches (e.g., CCPA).
- EU / Canada: GDPR and PIPEDA also mandate timely breach notifications.
11. Data Transfers & Third Parties
Cross-border transfers and third-party handling require PIAs and enforceable contract clauses to maintain equivalent protection levels.
12. Policy Updates
This policy will evolve with legal or operational changes. Any modifications will feature a new effective date.
13. Contact & Legal Support
To ask questions or request additional documentation (DPAs, PIAs):
Privacy Officer
Solution Instrumentation
Montréal, Québec
Email: [email protected]
Phone: (450) 695-1922