PRIVACY POLICY
1. Scope of this policy
This privacy policy explains how Vorellis Inc. (“Vorellis”, “we”, “our”) collects, uses, discloses, retains and protects personal information in connection with its business activities, websites, communications and its Agent AlexArc product.
This policy applies in particular to:
a) the Vorellis website, accessible at www.vorellis.com;
b) the Agent AlexArc website, accessible at www.alexarc.com;
c) the Agent AlexArc app;
d) requests for contact, demonstrations, information or support;
e) the creation and management of user accounts;
f) purchase orders, subscriptions, payments and invoices;
g) transactional and administrative communications;
h) permitted marketing communications;
i) security, administration, abuse prevention and service protection activities.
This policy applies to personal information that Vorellis processes for its own purposes.
It does not replace the Addendum relating to the processing of personal information applicable between Vorellis and a client where Vorellis processes personal information contained in the Client Data on behalf of that client within the AlexArc Agent.
2. Responsible organisation
Vorellis is responsible for the personal information it processes for its own purposes.
Vorellis Inc.
2572 Daniel-Johnson Boulevard, 2nd floor
Laval, Quebec, H7T 2R3
Canada
General email: info@vorellis.com
Privacy / Legal email: legal@vorellis.com
Data Protection Officer: RPRP Vorellis
Requests regarding data protection, the exercise of rights, complaints, or this policy should be sent to legal@vorellis.com.
3. Personal information we collect
The personal information we collect depends on the context in which an individual interacts with Vorellis, our websites or Agent AlexArc.
3.1 Visitors to our websites
When you visit www.vorellis.com or www.alexarc.com, we may collect certain technical or usage information, including:
a) the IP address;
b) browser type;
c) device type;
d) the operating system;
e) the pages viewed;
f) the date and time of the visit;
g) interactions with pages, forms, or buttons;
h) cookies, technical identifiers, pixels or similar technologies, where used.
3.2 Requests for contact, demonstrations, or information
When you contact us, fill in a form, request a demonstration or ask for information, we may collect:
a) your name;
b) your work email address;
c) your telephone number, if applicable;
d) the name of your organisation;
e) the type of request;
f) the subject and content of your request;
g) the information you choose to provide to us.
3.3 Creating and using an Agent AlexArc account
When you create, activate or use an AlexArc Agent account, we may collect:
a) your name;
b) your work email address;
c) your organisation;
d) your role or user profile;
e) your account credentials;
f) your account settings;
g) access and usage logs;
h) information necessary for account administration;
i) information necessary for account security;
j) mobile telephone number, when required or provided for multi-factor authentication, identity verification, account security, secure account recovery or prevention of unauthorised access.
3.4 Purchase orders, subscriptions, payment, and invoicing
When your organisation subscribes to Agent AlexArc, we may process:
a) the customer’s legal name;
b) the customer’s address;
c) the name, title and email address of the administrative contact;
d) the name, title and email address of the billing contact;
e) the products subscribed to;
f) the number of organisations included;
g) the economic activities of each organisation;
h) the payment terms;
i) the amounts invoiced;
j) applicable taxes;
k) partner codes, vouchers or promotional credits, where applicable;
l) evidence of electronic acceptance of the purchase order.
Payments may be processed by an external payment provider, including Stripe, in accordance with that provider’s applicable roles, terms and policies.
3.5 Transactional communications
When we send you emails relating to the services, we may process:
a) your email address;
b) your name;
c) the subject and content of the message;
(d) transmission metadata;
e) information necessary for the delivery, security and technical monitoring of communications.
Transactional emails or system notifications may be sent using Twilio SendGrid.
3.6 Multi-factor authentication and SMS security messages
When multi-factor authentication is enabled, required or selected, we may collect and use a user’s mobile telephone number to send verification codes, authentication messages, security alerts or account access communications.
These messages are used only for security, authentication, identity verification, fraud prevention, account protection or administration of the Services.
We do not use the mobile telephone number provided for multi-factor authentication for marketing purposes unless the user has provided a separate consent for that purpose.
SMS messages may be sent through Twilio and through the telecommunications carriers or technical intermediaries required to deliver the message. These providers may process the telephone number, the technical content of the message, the time of transmission, the delivery status, and related metadata required for routing, delivery, security, troubleshooting, fraud prevention, compliance, and proof of transmission.
SMS messages should not be used to transmit sensitive information. Verification codes may expire quickly and must not be shared with anyone.
Message and data rates may apply depending on the user’s telecommunications provider.
3.7 Support and administrative communications
When you contact us for support or regarding an administrative matter, we may process:
a) your name;
b) your email address;
c) your organisation;
d) your role;
e) the subject and content of your communications;
f) the technical information required to process your request;
g) screenshots, documents or information that you voluntarily provide to us;
h) follow-ups and history relating to your request.
Customer support and CRM functions related to Agent AlexArc are managed internally within the Agent AlexArc administration module.
3.8 Security, logs and prevention of misuse
To protect our websites, the Agent AlexArc application, accounts, infrastructure and the information we process, we may collect and use:
a) access logs;
b) IP addresses;
c) technical identifiers;
d) connection events;
e) information relating to devices and browsers;
f) information relating to errors, alerts, anomalies or unauthorised access attempts;
g) metadata necessary for security, monitoring, abuse prevention and incident response.
4. Purposes of the use of personal information
We use personal information solely for specific, legitimate and necessary purposes in the course of our business.
In particular, we may use personal information to:
a) operate, maintain, secure and improve our websites;
b) provide, operate, maintain and secure Agent AlexArc;
c) create, configure and manage accounts;
d) process requests for contact, information or a demonstration;
e) process purchase orders, subscriptions, payments and invoices;
f) send transactional, administrative or security communications;
g) provide support;
h) manage customer relations;
i) prevent, detect and rectify errors, misuse, fraud, incidents, unauthorised access or non-compliant use;
j) protect Vorellis’ rights, assets, systems, services and users;
k) improve the user experience, functionality and services;
(l) to send permitted marketing communications, where permitted by law;
m) manage unsubscriptions and communication preferences;
n) comply with our legal, tax, accounting, contractual and regulatory obligations;
o) establish, exercise or defend our rights;
p) verify the identity of users;
q) enable, administer and manage multi-factor authentication;
r) send verification codes, authentication messages or security alerts;
s) prevent unauthorised access, fraud, abuse, account compromise and security incidents.
5. Cookies and similar technologies
Our websites and the Agent AlexArc app may use cookies, technical identifiers, pixels, activity logs or similar technologies.
These technologies may be used, in particular, to:
a) operate the websites and the app;
b) maintain a user session;
c) secure connections;
d) remember certain preferences;
e) measure audience figures and general usage of our websites;
f) analyse the effectiveness of certain pages or campaigns;
g) carry out, where applicable, marketing, retargeting or advertising measurement;
h) detect errors, abuse or suspicious activity;
i) improve services.
Some cookies are necessary for the websites or the app to function. These cookies cannot be turned off via our preferences tool, as they are required to provide a requested service, ensure security or maintain a session.
Other cookies or similar technologies may be used for analytics, marketing, advertising pixels, retargeting or campaign measurement. These technologies are used only within the limits of available settings and required consents.
As of the effective date of this policy:
a) www.vorellis.com uses cookies, in particular for the operation of the website and, where configured, for measuring or improving the website;
b) www.alexarc.com may use analytics tools, marketing pixels or retargeting technologies, in particular to measure audience figures, understand interest in Agent AlexArc, improve campaigns and present more relevant communications.
A cookie banner is displayed on www.vorellis.com and www.alexarc.com to allow visitors to manage their preferences for non-essential cookies and technologies.
You can also configure your browser to block or delete certain cookies. However, some features may not work properly if necessary cookies are disabled.
Cookie preferences may be stored to avoid asking you for the same preferences on every visit.
6. Disclosures to suppliers or third parties
We may disclose certain personal information to suppliers, service providers, or third parties where necessary for the purposes described in this policy.
These third parties may include, in particular:
a) OVHcloud, for hosting, infrastructure and certain services related to infrastructure security;
b) Stripe, for payments, billing, transaction processing and certain payment data;
c) Twilio SendGrid, for transactional emails and system notifications;
d) Twilio, for sending SMS messages related to multi-factor authentication, verification codes, security alerts and account access communications;
e) telecommunications carriers and technical intermediaries required to route, deliver, secure, troubleshoot or confirm delivery of SMS messages;
e) providers of analytics, audience measurement, marketing pixels, retargeting or advertising measurement used on www.alexarc.com, where these tools are enabled and in accordance with the applicable consent preferences;
f) cookie or consent management providers, which are used to record and apply visitors’ choices;
g) providers of security, monitoring, logging, vulnerability analysis, malware protection, patch management, access protection or incident response services;
h) professional advisers, including lawyers, accountants, tax advisers, auditors or consultants, where necessary;
i) government, administrative, judicial or regulatory authorities, where required or permitted by law.
For security reasons, we do not necessarily publish a detailed list of our security tools or providers. Where these providers process personal data to a significant extent, we bind them by appropriate contractual, organisational or technical measures.
We do not sell personal information.
7. Agent AlexArc and Client Data
AlexArc Agent enables our clients to structure, document, track, and manage certain aspects of compliance, governance, risk management, cybersecurity, and the protection of personal information.
In this context, a client may enter, upload, import or generate data within Agent AlexArc. This data may include personal information relating to employees, clients, suppliers, representatives, individuals subject to a request, individuals affected by an incident or other persons.
This data is referred to as Client Data in the applicable contractual documents.
When Vorellis processes personal information contained in the Client Data on behalf of a client, such processing is governed by the applicable contract with that client, in particular, the Addendum relating to the processing of personal information.
In this context, the client generally remains responsible for determining:
a) the personal information it enters or uploads into the AlexArc Agent;
b) the purposes of processing;
c) data subjects;
d) the applicable legal bases, consents or authorisations;
e) responses to requests for access, rectification, erasure, objection or other rights;
f) communications to be made to the relevant authorities or individuals, where applicable.
If your personal data has been entered into Agent AlexArc by one of our clients, we generally invite you to contact that client directly to exercise your rights. We may, however, assist that client in accordance with the applicable contract.
8. Payments, transactional emails and technical providers
8.1 Payments
Payments may be processed via Stripe. When you or your organisation use Stripe to make a payment, Stripe may process certain payment information in accordance with its own terms, roles, legal obligations and applicable policies.
Vorellis does not necessarily retain all information contained on the payment card. However, we may retain billing information, transaction records, receipts, amounts, taxes, payment status, transaction identifiers, and other information necessary for subscription management and to comply with our legal, tax, and accounting obligations.
8.2 Transactional emails
We may use Twilio SendGrid to send transactional emails, system notifications, account notices, security notices, billing notices or other communications related to the services.
These communications are necessary for the provision and administration of the services. They cannot necessarily be disabled where they are required for security, billing, account management or the performance of the contract.
8.3 SMS security messages and multi-factor authentication
We may use Twilio to send SMS messages related to multi-factor authentication, verification codes, identity verification, account security or administration of the Services.
These messages are not marketing communications. They are used to protect accounts, verify access and administer the Services when this authentication method is enabled, required or selected.
The user is responsible for maintaining an accurate mobile telephone number and for protecting access to the mobile device, SIM card, telephone account, verification codes and related credentials.
Vorellis is not responsible for message or data charges imposed by the user’s telecommunications provider.
We recommend that users never share verification codes with anyone. Vorellis will never ask a user to disclose a verification code outside the authentication flow.
8.4 Hosting and infrastructure
Hosting and certain components of the AlexArc Agent infrastructure are provided by OVHcloud, notably in Quebec or Canada, depending on the services configured by Vorellis.
We may also use security tools or services to protect the code, technical environments, access, logs, vulnerabilities, configurations, workstations, communications and infrastructure used to provide Agent AlexArc.
9. Retention of personal information
We retain personal information only for as long as necessary for the purposes for which it was collected, subject to applicable legal, tax, accounting, contractual, security, audit, evidence, or dispute-resolution obligations.
Retention periods may vary depending on the type of information and the context, including:
a) account information is retained for the duration of the account and for a reasonable period after its closure;
b) billing and payment information is retained in accordance with applicable tax, accounting and contractual requirements;
c) support communications are retained for the period necessary to process the request, provide evidence of follow-up and improve the service;
d) security and access logs are retained for a reasonable period for security, preventing abuse, investigation and evidence;
e) information used for marketing communications is retained until the user unsubscribes, withdraws consent where applicable, or until it is no longer required;
f) Customer Data processed in the AlexArc Agent is retained in accordance with the applicable contract with the customer;
g) mobile telephone numbers used for multi-factor authentication are retained for the duration of the account or for as long as necessary for security, authentication, access management, fraud prevention, abuse prevention, proof, troubleshooting or compliance purposes, subject to applicable legal, contractual, accounting, security or evidentiary requirements.
Certain information may remain temporarily in backups, logs or technical archives until it is deleted, in accordance with our standard retention cycles.
10. Security
We implement reasonable measures to protect personal information against unauthorised access, loss, misuse, disclosure, alteration, or destruction.
These measures may include, in particular:
a) access controls;
b) authentication mechanisms;
c) restriction of internal access based on access requirements;
d) encryption in transit, where technically feasible;
e) reasonable backups or business continuity mechanisms;
f) appropriate logging or technical monitoring;
g) reasonable vulnerability management and updates;
h) confidentiality obligations for authorised persons;
i) reasonable incident response procedures;
j) measures for deletion, archiving or deactivation in accordance with applicable cycles;
k) multi-factor authentication may be used to strengthen account security. When SMS authentication is used, account security also depends on the user’s protection of their mobile device, mobile telephone number, SIM card, telecommunications account, verification codes and related credentials. SMS authentication reduces certain security risks but does not eliminate all risks, including loss of device, unauthorised access to a device, SIM swap, interception, redirection or telecommunications provider-related risks.
No method of transmission or storage is 100% secure. We cannot, therefore, guarantee absolute security. The client and users must also protect their access credentials, devices, networks and configurations.
11. Places of processing and transfers outside Québec or Canada
Personal information may be processed, hosted, accessed, or stored in Quebec, Canada, or other jurisdictions, depending on the services, providers, tools, and settings used.
The primary hosting for Agent AlexArc is provided by OVHcloud in Quebec or Canada, depending on the services configured by Vorellis.
Certain suppliers, including Stripe, Twilio SendGrid, analytics providers, marketing pixel providers, retargeting providers, consent management providers, or certain technical or security providers, may process personal information or metadata outside Québec or Canada, depending on their infrastructure, roles, settings and applicable obligations.
SMS messaging providers, telecommunications carriers and technical intermediaries used for multi-factor authentication may process certain personal information or metadata outside Quebec, Canada or the European Economic Area, depending on their infrastructure, routing, carrier networks, technical providers and applicable legal obligations.
Where personal information is disclosed or made accessible outside Quebec or Canada, we implement reasonable contractual, technical and organisational measures to protect its confidentiality, in accordance with applicable requirements.
We do not claim that all personal information remains exclusively within Quebec.
12. Commercial communications
We may use your name, work email address, organisation, job title, preferences and history of interaction with Vorellis or Agent AlexArc to send you permitted commercial communications, including:
a) information about Agent AlexArc;
b) invitations to a demonstration;
c) product updates;
d) educational content;
e) offers or announcements from Vorellis;
f) communications relating to partners, where permitted.
You can unsubscribe from marketing communications by using the unsubscribe link included in the messages or by contacting us.
Even if you unsubscribe from marketing communications, we may continue to send you transactional, administrative, security, support, billing or contract-related communications.
13. Your rights
Subject to the limitations provided for by applicable law, you may request:
a) access to the personal information we hold about you;
b) the correction of inaccurate, incomplete or ambiguous personal information;
c) withdrawal of your consent, where processing is based on your consent;
d) the cessation of certain marketing communications;
e) information regarding the use or disclosure of your personal information;
f) the erasure of certain personal data, where permitted by applicable law;
g) any other request recognised by applicable law.
We may request reasonable information to verify your identity before responding to your request.
Certain requests may be refused or restricted where permitted or required by law, including for reasons of security, third-party confidentiality, legal obligation, contractual evidence, fraud prevention, legal privilege or reasonable technical impossibility.
14. Requests concerning data entered by a client into Agent AlexArc
If your personal data has been entered into Agent AlexArc by one of our clients, that client is generally the organisation that determines the purposes and main means of processing.
In this case, we invite you to contact that client directly to exercise your rights.
If you send us a request regarding personal information contained in the Client Data, we may:
a) ask you to identify the client concerned;
b) forward the request to the relevant client where appropriate;
c) assist the customer in accordance with the applicable contract;
d) respond directly where we are legally required or authorised to do so.
We cannot always amend, delete, disclose or restrict the use of personal information contained in the Customer Data without instructions from the relevant customer, except where required or permitted by law.
15. Additional notice for individuals located in the European Economic Area
This section provides additional information for individuals in the European Economic Area (‘EEA’) regarding the processing of their personal data by Vorellis under the GDPR.
15.1 Data Controller
Where Vorellis processes Personal Data for its own purposes, including to manage its websites, communications, leads, accounts, billing, payments, security, marketing communications or customer relations, Vorellis generally acts as the data controller.
Where Vorellis processes Personal Data contained in Customer Data within Agent AlexArc on behalf of a customer, Vorellis generally acts as a data processor for that customer. In such cases, the customer generally remains the data controller, and requests relating to such Personal Data should normally be addressed directly to that customer.
15.2 Legal bases
Where the GDPR applies, we process Personal Data on the following legal bases, depending on the context:
a) performance of a contract or pre-contractual measures, in particular to provide Agent AlexArc, manage accounts, process purchase orders, provide support, administer the customer relationship, and, where multi-factor authentication is necessary, to provide secure access to the Services;
b) legitimate interest, in particular to secure our websites, the application, accounts and infrastructure; prevent misuse; improve services; manage B2B communications, including securing accounts, verifying user identity, preventing unauthorised access, preventing fraud, protecting the Services and maintaining appropriate security controls; and protect our rights;
c) consent, in particular for certain non-essential cookies, marketing pixels, retargeting, marketing communications or communication preferences where consent is required;
d) legal obligation, in particular for billing, taxation, accounting, compliance, responding to legally binding requests or retaining certain evidence.
15.3 Categories of Personal Data processed
Depending on the context, the Personal Data processed may include:
a) identity and professional contact details;
b) account information;
c) subscription, billing and payment information;
d) communications with Vorellis;
e) technical data, logs, IP addresses, device information and security information;
f) communication preferences;
g) browsing data, cookies, pixels, technical identifiers and analytics data where these tools are used;
h) mobile telephone number and SMS authentication metadata, including verification message delivery information and related technical logs;
h) Personal data contained in Customer Data, where entered by a customer in the AlexArc Agent.
15.4 Recipients
We may disclose certain Personal Data to suppliers or categories of suppliers described in this policy, including OVHcloud, Stripe, Twilio, SendGrid, cookie or consent management providers, analytics providers, marketing pixel or retargeting providers, security providers, and professional advisers.
We do not sell Personal Data.
15.5 Cookies, pixels and retargeting
Where the GDPR or applicable European rules on cookies apply, non-essential cookies, marketing pixels, analytics tools that are not strictly necessary and retargeting technologies are subject to prior consent, where applicable.
Visitors can manage their preferences via the cookie banner or the preference management tool provided on the relevant website.
15.6 Transfers outside the EEA
Vorellis is located in Canada. Personal Data may be processed in Canada, Quebec or other jurisdictions depending on the suppliers and services used.
When Personal Data is transferred outside the EEA, we use recognised transfer mechanisms where required, including an adequacy decision, standard contractual clauses or other appropriate safeguards.
Certain suppliers, including Stripe, Twilio SendGrid, analytics providers, marketing pixel providers, retargeting providers, consent management providers, or certain technical or security providers, may process Personal Data or metadata outside the EEA in accordance with their applicable infrastructure and terms and conditions.
15.7 Retention period
We retain Personal Data for as long as necessary for the purposes described in this policy, subject to applicable legal, tax, accounting, contractual, security, audit, evidence, or dispute-resolution obligations.
Where Vorellis acts as a data processor for a client via the AlexArc Agent, the retention of Personal Data contained in the Client Data is governed by the applicable contract with that client.
15.8 Rights of individuals located in the EEA
Subject to the limitations set out in the GDPR, individuals located in the EEA may have the following rights:
a) right of access;
b) right to rectification;
c) right to erasure;
d) right to restriction of processing;
e) right to object;
f) right to data portability;
g) the right to withdraw consent where the processing is based on consent;
h) the right to lodge a complaint with a competent supervisory authority.
To exercise your rights regarding the Personal Data that Vorellis processes for its own purposes, you may write to us at legal@vorellis.com.
Where your request concerns Personal Data entered into the AlexArc Agent by one of our clients, we may ask you to contact that client directly, as they generally act as the data controller.
15.9 Automated decisions
Vorellis does not seek to make, for its own purposes, decisions based solely on automated processing that produce legal effects or similarly significant effects on data subjects.
Agent AlexArc may assist clients in structuring, documenting, or analysing certain information, but clients remain responsible for validating the results, decisions, communications, and actions arising from the Services.
15.10 Representative in the European Union
Where the GDPR requires Vorellis to appoint a representative in the European Union, Vorellis will take reasonable steps to comply with this requirement.
As of the effective date of this policy, requests relating to the protection of personal information may be sent to the following address: legal@vorellis.com.
16. Accuracy of information
We take reasonable steps to ensure that the personal information we use is accurate, complete and up to date for the purposes for which it is intended.
You can help us maintain the accuracy of the information by informing us of any relevant changes, particularly regarding your contact details, your organisation or your communication preferences.
AlexArc Agent customers remain responsible for the accuracy, quality, completeness and up-to-date nature of the Customer Data they enter, upload or process in the AlexArc Agent.
17. Personal Information of Minors
Our websites, communications and services are intended for organisations and professional users.
We do not knowingly collect personal information from minors through our websites or in our general business activities.
If a customer enters personal information relating to a minor into the AlexArc Agent, that customer remains responsible for ensuring that such processing is necessary, proportionate, authorised and compliant with applicable laws.
18. Links to third-party websites or services
Our websites or communications may contain links to third-party websites, platforms, content or services.
We are not responsible for the privacy practices of these third parties. We recommend that you read their privacy policies before providing them with personal information.
19. Changes to this policy
We may amend this privacy policy to reflect changes in our practices, services, suppliers, legal obligations or security measures.
Any changes will be identified by a new update date or a new version number.
Where the change is significant, we may provide notice by reasonable means, including by email, within the app, on our websites or on a dedicated page.
The applicable version is the one published on our websites or otherwise made available at the relevant time.
20. Contacting us
For any questions, requests, complaints, or to exercise your rights regarding this policy or our data protection practices, you may contact us:
Vorellis Inc.
Data Protection Officer
2572 Daniel-Johnson Boulevard, 2nd floor
Laval, Quebec, H7T 2R3
Canada
Privacy / Legal email: legal@vorellis.com
General email: info@vorellis.com
We will process requests within a reasonable timeframe, in accordance with applicable laws.