Privacy Policy

Effective date: February 23, 2026  ·  Enterprise: Infra Info

This privacy policy is published in compliance with Quebec Act respecting the protection of personal information in the private sector (R.S.Q. c. P-39.1), as amended by Law 25 (Act to modernize legislative provisions as regards the protection of personal information, S.Q. 2021, c. 25). La version française de cette politique est disponible sur demande.

1. Person Responsible for the Protection of Personal Information

Pursuant to section 3.1 of the Act, Infra Info has designated a person responsible for the protection of personal information:

Name Carl Boyer — PDG
Email cboyer@infrainfo.ca
Phone +1450-543-1516
Address 13405 Rue Claude,
Mirabel, QC J7J 1A4
Canada

2. Personal Information We Collect

We collect only the personal information strictly necessary for the operation of this service:

  • Account identifiers: email address and display name of operators, portal users, and contacts.
  • Authentication data: hashed passwords (bcrypt). We never store plaintext passwords.
  • Activity timestamps: last login date, last activity date, and audit-log entries (action type, actor, target, timestamp) for security and compliance purposes.
  • Server access logs: IP addresses, HTTP request method, URL, response code, and timestamp. These logs are kept by the web server for security monitoring.

We do not collect file contents. All files transferred through this platform are end-to-end encrypted using AES-256-GCM with a key derived from a password known only to the sender and recipient. The server stores only ciphertext — it is technically impossible for us to read your files.

3. Purposes of Collection

Personal information is collected exclusively for the following purposes:

  1. Create, manage, and authenticate user accounts.
  2. Deliver notifications related to file transfers (upload received, download ready, expiry warnings).
  3. Detect, investigate, and respond to security incidents, abuse, or unauthorized access.
  4. Comply with applicable legal and regulatory obligations.

Personal information is never used for advertising, profiling, marketing, or sold to third parties.

4. Legal Basis for Collection

Collection is based on the consent implicit in the voluntary creation of an account (s. 14 of the Act), or on legitimate and serious business reasons (s. 12 of the Act) in the context of a contractual relationship with the enterprise administering this service.

5. Communication to Third Parties

We do not sell, rent, or trade personal information to any third party. Information may be disclosed:

  • To our email delivery service provider (sole third party), limited to the recipient email address and message content required to deliver account notifications. This provider is contractually bound to use the information only for delivery purposes.
  • To law enforcement or regulatory authorities when legally required by a court order or applicable law.

6. Cross-Border Transfers

If personal information is transferred outside Quebec (e.g., to a cloud infrastructure provider located outside the province), such transfer complies with sections 17 and 70.1 of the Act: a privacy impact assessment is conducted and an agreement ensuring equivalent protection is in place before any transfer occurs. Contact the responsible person identified in Section 1 for details about any specific transfer.

7. Retention and Destruction

  • Transferred files: automatically and permanently deleted after 7 day(s) from the transfer date (or earlier if the recipient confirms download).
  • Account records: retained for the duration of the business relationship, then deleted within 90 days of account closure.
  • Audit logs: retained for up to 1 year for security and compliance.
  • Server access logs: retained for up to 90 days, then automatically overwritten.

Destruction is permanent and irrecoverable. End-to-end encrypted file chunks are overwritten before deletion.

8. Security Measures

We implement the following technical and organizational safeguards:

  • End-to-end encryption (AES-256-GCM) — server cannot access file content.
  • Key derivation (PBKDF2-SHA-256, 600,000 iterations) for all account keys and file encryption passwords.
  • Transport security (TLS 1.2+) for all connections.
  • Password hashing (bcrypt) — passwords are never stored or transmitted in cleartext.
  • CSRF protection, SameSite cookies, and HTTP security headers on all pages.
  • Rate limiting on all authentication and submission endpoints.
  • Audit logging of all privileged actions with actor, target, and timestamp.

9. Cookies and Tracking Technologies

This website uses only strictly necessary cookies required for the secure operation of the platform. No tracking, advertising, analytics, or third-party cookies are set.

Cookie name Purpose Type Duration
_csrf-frontend Cross-Site Request Forgery (CSRF) protection token. Required to validate that form submissions originate from this website and not from a malicious third-party page. Strictly necessary (security) Browser session
e2ee-frontend Authenticated portal user session identifier. Required to maintain your login state while navigating the portal. Contains no personal information — only a random session token that maps server-side to your session data. Strictly necessary (functionality) Browser session (30 min idle timeout)

Because these cookies are strictly necessary for security and basic functionality, they are set regardless of cookie preference. No consent is required under s. 8.1 of the Act or the Regulation respecting the confidentiality of communications made by means of information technology (chapter P-39.1, r. 1).

10. Your Rights Under Law 25

Subject to applicable exceptions, you have the following rights with respect to personal information we hold about you:

Right of access
Obtain a copy of the personal information we hold about you, in plain language and in a commonly used technological format (s. 27–28 of the Act).
Right to rectification
Request correction of inaccurate, incomplete, or ambiguous information (s. 28 of the Act).
Right to deletion
Request deletion of personal information collected without legal justification, or where retention is no longer necessary for the purpose stated (s. 28 of the Act).
Right to de-indexation
Request that personal information published online be de-indexed (s. 28.1 of the Act).
Right to portability
Receive personal information you provided to us in a structured, commonly used, machine-readable format (s. 27 of the Act, in force September 2024).
Right to lodge a complaint
File a complaint with the Commission d'accès à l'information du Québec (CAI):
www.cai.gouv.qc.ca  · 1-888-528-7741

To exercise any of the above rights, please contact the Person Responsible for the Protection of Personal Information identified in Section 1. We will respond within 30 days as required by the Act.

11. Privacy by Default

In accordance with section 9.1 of the Act, our systems are configured to apply the most privacy-protective settings by default:

  • New accounts have no information shared publicly.
  • File transfers use the shortest configured retention period by default.
  • Download notifications are limited to the intended recipient by default.
  • No optional data collection or analytics are enabled.

12. Changes to This Policy

We may update this policy to reflect changes in our practices or legal requirements. When we do, we will update the effective date at the top of this page. For material changes, we will notify users by email at least 15 days before the change takes effect. Your continued use of the platform after the effective date constitutes acceptance of the updated policy.

Infra Info · Privacy Policy · Effective February 23, 2026
For privacy requests: contact Carl Boyer at cboyer@infrainfo.ca