1. Overview
Implementing a procedure for retaining, destroying and anonymizing personal information is important to ensure the protection of individual privacy, comply with privacy laws, prevent privacy incidents involving personal information and security breaches, maintain customer confidence and protect the organization’s reputation.
2. Objective
The purpose of this procedure is to guarantee the protection of individual privacy and to comply with legal obligations regarding the protection of personal information.
3. Scope
The scope of this procedure should cover the entire life cycle of personal information, from collection to destruction. It concerns all employees and stakeholders involved in the collection, processing, storage, destruction and anonymization of personal information in accordance with legal requirements and good privacy practices.
4. Definitions
Anonymization: the process of modifying personal information so that it can no longer be identified, directly or indirectly, at any time.
Retention : secure storage of personal information for as long as required.
Destruction: deletion, elimination or permanent erasure of personal information.
Company: 10146200 Canada Inc. (Myelin Solutions)
Personal information: any information that directly or indirectly identifies a natural person.
Services: Any software, offered by the company, downloaded by the customer onto an electronic device.
5. Types of data collected
5.1 Personal identification data
Personal identification data may include, but is not limited to:
-
Email address
-
Full name
-
Banking information
-
Date of birth
-
Any information used to contact or identify a customer
-
Internet protocol address of the device used by the customer
-
Unique identifiers of the device used by the customer
5.2 Usage statistics
Statistical usage data may include, but is not limited to:
-
Browser type and version
-
Services used
-
Consulted data
-
Date and time of application use
-
Time spent on the application
-
Data interaction statistics
-
Any other data needed to diagnose computer problems
5.3 Data entered by the customer when using the services
Data entered by the customer when using the services may include, but is not limited to:
-
All documents uploaded to an account, including photos, videos, images and text.
-
Any data recorded in an account, by the customer, when using one or more applications.
4. Procedure
4.1 Data usage
4.1.1 The company uses customers’ personal information to provide and improve its services. This includes, but is not limited to
-
Establish service usage statistics
-
Manage customer access
-
Execute a contract between the company and the customer
-
Responding to a customer’s requests for its own data
-
Contacting a customer for reasons essential to the proper functioning of the services. This includes, but is not limited to
-
Responding to customer requests
-
Execute a contract between the company and the customer
-
Notify us of security updates
-
-
Contact a customer for special offers or general information about the company or services, when authorized by the customer.
4.1.2 By using the services, the customer agrees to the collection and use of information in accordance with this policy.
4.2 Retention period
4.2.1 Personal information has been categorized as follows:
-
information concerning company employees and members of the Board of Directors,
-
customer information.
4.2.2 The retention period for each of these categories has been established as follows:
- Company employees and board members: variable, depending on the type of personal information.
-
Customers: variable depending on the type of personal information
4.3 Secure storage methods
4.3.1 The degree of sensitivity of each of these storage sites has been established as follows:
-
Level 1: Highly sensitive company or customer data
-
Level 2: Sensitive internal data
-
Level 3: Internal data not intended for public disclosure
-
Level 4: Data that may be disclosed to the public
4.3.2 Personal information is stored in the following locations:
-
Neo4J database servers for the Mylin and Synerpsy applications (sensitivity levels 1,2,3 and 4 (4 being designated as public by our database).
-
Postgres database servers for Mylin and Synerpsy applications (sensitivity level 1)
-
Servers containing the activity history of Mylin and Synerpsy applications (sensitivity levels 2 and 3)
-
Employee data
4.3.3 These storage facilities, whether paper or digital, are adequately secured.
4.3.4 Access to these storage facilities has been restricted to authorized persons only.
4.4 Destruction of personal information
4.4.1 Personal information on paper will be completely shredded.
4.4.2 For digital personal information, it will be completely deleted from company devices (computers, phone, tablet, external hard drive), servers and cloud tools.
4.4.3 The destruction schedule based on the retention period established for each category of personal information has been created.
4.4.4 Destruction will be carried out in such a way that personal information cannot be recovered or reconstituted.
4.4.5 The customer may request the deletion of personal data by e-mail or telephone.
4.4.6 The destruction of a customer’s personal data will take place within a reasonable period of time.
4.4.7 This reasonable period includes time for deleting company backups made in the clear interest of the customer (data recovery in the event of data loss).
4.5 Anonymization of personal information
4.5.1 Personal information used in applications is anonymized.
4.5.2 The chosen method of anonymizing personal information is as follows:
-
De-identification: Information that directly identifies a customer is kept separate from the rest of the information.
4.5.3 The types of information considered to identify a customer include, but are not limited to, personal identification data.
4.5.4 The types of information considered not to identify a customer include, but are not limited to, data entered by the customer when using the services and statistical usage data.
4.5.5 Information considered public includes, but is not limited to, data that a customer has explicitly identified as public.
4.5.6 When personal information is deleted, only public data will be retained.
4.6 Sharing personal information
4.6.1 The company may share customer data in the following situations:
-
Run a service that requires the use of an external provider. External suppliers have their own privacy policies. External suppliers include, but are not limited to:
-
Sell all or part of the business to another company.
-
Working with a partner company. In this situation, the partner company is obliged to honor this policy. Partner companies may include, but are not limited to, a parent company, a subsidiary or any other organization controlled by the company.
-
Allow the customer to interact with other customers when using the services. When the customer shares personal information or interacts in any other way in public areas with other customers, this information may be consulted or broadcast publicly.
-
Meeting a legal obligation
4.7 Employee training and awareness
4.7.1 Employees will receive regular training on the procedure for retaining, destroying and anonymizing personal information, as well as on the risks associated with breaches of privacy.
4.7.2 This also includes raising staff awareness of good data security practices and the importance of complying with established procedures.
Last update: October 10, 2023