FREN
FREN · info@228operators.com
Legal · 2026 Edition

Privacy Policy

Last update: May 16, 2026 · Compliant with Quebec Privacy Act (Law 25) and GDPR (Europe)

228 OPERATORS processes your personal data with rigor. This document explains what data we collect, why, how long we keep it, who we share it with, and what your rights are.

Our principle: minimum necessary. We only collect what directly serves the delivery of the service or compliance with a legal obligation.

01 · Data controller

The data controller for personal information collected through 228operators.com is:

228 OPERATORS
Address: [LEGAL_ADDRESS_TO_FILL]
NEQ: [NEQ_TO_FILL]
Legal representative: Simon Senez, founder
Email: info@228operators.com

02 · Privacy Officer

In accordance with article 3.1 of the Act respecting the protection of personal information in the private sector (Quebec, Law 25), 228 OPERATORS has designated a Privacy Officer.

Designated Privacy Officer: Simon Senez
Direct contact: info@228operators.com
Email subject to use: Privacy · [your request]
Response time: 30 days maximum (legal)

03 · Data collected

3.1 Data you provide directly

CategoryWhenExamples
Identity When purchasing the Audit First name, last name, professional email
Billing At Stripe checkout Billing address, country, currency (CAD/USD). No banking data is stored by 228 OPERATORS, processing is delegated to Stripe.
Questionnaire responses After booking the Audit Information about your business, your model, your competitors, your operations. Data used solely to produce the report.
Communication Email exchanges Message content, attachments

3.2 Data collected automatically

The 228operators.com site is served as static HTML through Cloudflare Pages. No marketing tracking cookie is placed without your explicit consent. The only data collected automatically are server access logs (managed by Cloudflare): IP address, browser type, page consulted, timestamp. These logs are used solely for security and technical auditing. Retention: 30 days.

04 · Processing purposes

Your information is processed exclusively for the following purposes:

  1. Delivery of the Business Audit: analyzing your questionnaire responses and producing the personalized PDF report.
  2. Billing and accounting: issuing an invoice, keeping accounts in compliance with Quebec and Canadian tax obligations.
  3. Contractual communication: confirming your order, sending the deliverable, answering your questions.
  4. Legal obligations: retention of accounting records, response to requests from competent authorities.
  5. Site security: prevention of fraud, attacks, spam.

No data is used for commercial prospecting purposes without your prior explicit consent.

05 · Legal basis for processing

Depending on the nature of the data, the legal basis for processing is:

  • Performance of contract: delivery of the Business Audit (questionnaire, report, invoice).
  • Legal obligation: accounting retention (Tax Act, Income Tax Act).
  • Legitimate interest: site security, fraud prevention.
  • Explicit consent: any future marketing communication (never activated by default).

06 · Recipients of your data

Your data is never sold. It may be transmitted to the following technical providers, strictly as needed to execute the service:

ProviderPurposeLocation
Stripe Payment processing United States (PCI-DSS compliance, SOC 2 certified)
Cloudflare Hosting, CDN, security United States and globally distributed infrastructure
Klaviyo (if you subscribe to a communication) Sending transactional emails and consented communications United States
Google Workspace Professional emails (info@228operators.com) United States and global infrastructure

Each of these providers operates under a data processing agreement compliant with the requirements of Law 25 and GDPR.

07 · Transfers outside Quebec and outside Europe

Some of our providers (Stripe, Cloudflare, Klaviyo, Google Workspace) are based in the United States. This implies that your data may be transferred and processed outside Quebec and Europe.

In accordance with article 17 of Law 25, 228 OPERATORS ensures that these providers offer a level of personal information protection equivalent to that of Quebec, notably through their certifications (SOC 2, ISO 27001) and their Data Processing Agreements (DPA).

08 · Retention period

Data typePeriod
Client data (delivered audit) 2 years from delivery, for quality follow-up
Accounting records (invoices, contracts) 6 years (tax obligation)
Audit questionnaire responses Retained 90 days after delivery, then deleted unless explicit request
Exchange emails 3 years
Server access logs (Cloudflare) 30 days

09 · Your rights

In accordance with Law 25 (Quebec) and GDPR (Europe), you have the following rights regarding your data:

  • Right of access: obtain confirmation that data is being processed and receive a copy.
  • Right to rectification: correct inaccurate or incomplete data.
  • Right to erasure: request the deletion of your data (subject to legal obligations).
  • Right to data portability: receive your data in a structured, commonly used format.
  • Right to de-indexation (Law 25, article 28.1): request that a link leading to your personal information cease to reference you.
  • Right to object: object to processing for legitimate reasons.
  • Right to withdraw consent: withdraw your consent at any time, without retroactive effect.

To exercise these rights, write to the Privacy Officer at info@228operators.com with subject Privacy · [type of request]. Proof of identity may be requested. Response within 30 days maximum.

10 · Cookies and trackers

The 228operators.com site is designed to operate without marketing tracking cookies. No third-party advertising cookie is placed.

Technical cookies used (strictly necessary):

  • Stripe: security cookies placed at checkout, essential to prevent fraud. Policy: stripe.com/cookies-policy/legal
  • Cloudflare: security cookies (`__cf_bm`) to detect bots. Retention: 30 minutes. No personal information stored.

No advertising, social network, or behavioral analysis cookie is used.

11 · Data security

228 OPERATORS implements reasonable technical and organizational measures to protect your data:

  • TLS 1.3 encryption across the entire site (systematic HTTPS).
  • Cloudflare Pages hosting with DDoS and WAF protection.
  • Multi-factor authentication on internal administrator accounts.
  • Access to client data restricted to Simon Senez only.
  • Regular and encrypted backups.
  • Secure deletion of data at end of retention period.

In the event of a security incident affecting your data, you will be notified within 72 hours in accordance with Law 25 (article 3.5) and GDPR.

12 · Complaint to a supervisory authority

If you believe your rights have not been respected, you may contact:

Commission d'accès à l'information du Québec (CAI)
Website: cai.gouv.qc.ca
Quebec office: 525, boulevard René-Lévesque Est, suite 2.36, Québec (Quebec) G1R 5S9
Montreal office: 2045 Stanley Street, suite 900, Montreal (Quebec) H3A 2V4

If you reside in the European Union, you may also contact the data protection authority of your country.

13 · Updates to this policy

228 OPERATORS reserves the right to modify this privacy policy at any time, notably to comply with new legal obligations. The date of last update appears at the top of this document.

In the event of a substantial modification, active clients will be notified by email.

14 · Version note

Document generated from the Quebec Law 25 + GDPR V9 template. Fields marked [TO_FILL] are to be completed before official publication. Validation by an attorney specialized in personal information protection law (Quebec) is recommended, particularly for sections 03 (data collected), 06 (subprocessors), and 07 (international transfers).