Privacy Policy

Personal Information Protection Policy

Last updated on April 30, 2026

Welcome!

Welcome to Fortisia. We hope you enjoy using our "Services", which include: (i) visiting our website at: https://www.fortisia.com/ (the "Website"); and (ii) using our "Platform" which provides our users (each, a "Member") with access to an intelligent application dedicated to unions (the "Application"). The Platform is available (x) on our Website from any device with a web browser; and (y) via our Application, using the portable device or tablet on which you downloaded the Application (the "Device").

Fortisia takes the protection of your privacy and the security of your personal data very seriously. We publish this personal information protection policy (the "Policy") to explain who we are, describe the personal data we collect from and about you, and indicate what we do with your personal data when you browse the Website, the Application or interact with us online. The Policy also explains the rights granted to you under applicable law and how you can contact us and the relevant authorities to exercise those rights. We invite you to read it carefully.

Key Elements of the Policy

The following are the key elements of this Policy that will allow you to immediately identify important sections in order to make an informed decision about your consent to the collection, use and disclosure of your personal data. By transmitting personal data to us by any means, you consent to the collection, use and disclosure thereof. You will find the details in the rest of the Policy.

Personal data we collect from you (only with your consent)

Contact Information

  • What we do with this data: Respond to your requests and communicate with you
  • Types of third parties to whom we disclose it: Companies that provide technical infrastructure for the Website, as well as companies that help us manage our mailing list and send emails

Account Data for a Member

  • What we do with this data: Account creation and verification
  • Types of third parties to whom we disclose it: Companies that provide technical infrastructure for the Website and Application, and companies that help us send emails.

Certain Terms

Before setting out the details of the Policy, here is a definition of certain terms that we believe will facilitate your reading.

"Data Protection Laws" means the laws designed to protect your personal data and privacy where you live. Fortisia is committed to complying with all applicable Data Protection Laws, including the following:

  1. The "GDPR", the General Data Protection Regulation of the European Union, whose official name is Regulation (EU) 2016/679 of the European Parliament and of the Council;
  2. The "UK GDPR" which applies to our activities in the United Kingdom; please note that references in this Policy to the "GDPR" include the UK GDPR, where applicable;
  3. "PIPEDA" (Personal Information Protection and Electronic Documents Act), which is the Canadian data protection law that applies to our activities in Canada; and
  4. The Act Respecting the Protection of Personal Information in the Private Sector of Quebec (the "Quebec Privacy Act"), as amended by Bill 25, which applies to our activities in Quebec.

"Personal data" means the information we collect from or about you and which is defined in the GDPR as "any information relating to an identified or identifiable natural person". It can be as simple as your name or email address, or as complex as an online identifier assigned to you. Under PIPEDA and the Quebec Privacy Act, the equivalent concept is "personal information", which has roughly the same scope. In this Policy, any reference to "personal data" also includes personal information.

About us; our Chief Privacy Officer

9529-9079 Quebec inc. d.b.a. Fortisia ("Fortisia"), which owns and operates the Website and the Platform, is a Quebec corporation located in the province of Quebec, Canada. References in this Policy to "Fortisia" may refer to 9529-9079 Quebec inc. or its affiliated companies, and their respective shareholders, directors, officers, employees, agents, partners, principals, representatives, successors and assigns (collectively, the "Representatives"), as the context requires. The use of "we", "our" or "us" in this Policy also refers to Fortisia.

Under the GDPR, Fortisia is generally a "data controller". Under PIPEDA, Fortisia is an "organization", while under the Quebec Privacy Act, it is an "enterprise".

If you have any questions about this Policy or wish to exercise any of your personal information rights, you may contact us at:

Fortisia's Chief Privacy Officer

Email: confidentialite@fortisia.com

Address: 305-33 Prince Street, Montreal, Quebec, H3C 2M7, Canada

Your Rights

You have the following rights regarding your personal data held by Fortisia. These rights may be exercised without affecting the prices or costs charged by Fortisia, if any:

  • the right to withdraw your consent to Fortisia processing your personal data at any time;
  • the right to have your personal data erased from Fortisia records;
  • the right to have a link removed at Fortisia (or on the Website or Platform) that is associated with your name;
  • the right to access your personal data and any relevant information regarding its processing and use;
  • the right to obtain a copy of your personal data in an easy-to-read format;
  • the right to have your personal data corrected or updated if you believe it is inaccurate or out of date;
  • the right to opt out of marketing communications we send you at any time;
  • the right to know whether Fortisia shares your personal data (and if so, who receives it);
  • the right to require that Fortisia refrain from selling your personal data. Please note that Fortisia does not sell your personal data;
  • the right to restrict the processing of your personal data if it is inaccurate or if our processing is contrary to law;
  • the right to opt out of any form of targeted marketing or advertising by Fortisia, where applicable.

If you wish to exercise any of these rights, please contact our Chief Privacy Officer using the contact information above.

Please note that if you request the deletion of your personal data, we will do so to the extent possible. However, Fortisia reserves the right to retain certain data for a reasonable period of time to satisfy certain legal obligations or for the purposes of any legal proceedings.

Limited Personal Data Collected from You

Fortisia limits the amount of personal data it collects to what is necessary and appropriate for the purposes determined. We will not use or disclose your personal data for purposes other than those for which it was collected, unless you consent or applicable law permits or requires it.

The table below describes all the personal data we may collect directly from you, what we do with it and the legal basis under the GDPR. Under PIPEDA and the Quebec Privacy Act, the legal basis is your free and informed consent, and by transmitting this personal data, you acknowledge that you have given such consent to Fortisia.

Personal Data We Collect (Only with Your Consent)

Website

  • Category of Personal Data: Contact Information
  • Personal Data Processed:
    • Your first and last name
    • Your email address
    • The name of your union
    • Your role within the union
  • What we do with it (the purpose of processing):
    1. Respond to your requests and communicate with you
    2. Send you our newsletter
  • Legal basis for processing under the GDPR: Your consent to provide us with this information

Platform (Website and Application)

  • Category: Account Data for a Member
  • Data Processed:
    • Your first and last name
    • Your email address
    • Your phone number
    • The name of your union and your role within the union
    • Optional: your age, gender and postal code
    • Your Member status (retired or active)
    • Your photo (optional)
  • What we do with it (the purpose of processing):
    1. Account creation and verification
    2. Send you update emails and/or notifications regarding the Platform
  • Legal basis for processing under the GDPR: Your consent to provide us with this information

Personal Data Collected About You from Third Parties

We sometimes obtain personal data about you from third parties, or third parties collect it on our behalf. Under PIPEDA and the Quebec Privacy Act, the legal basis is your informed consent. None of this data comes from publicly available sources.

  • Category of Personal Data: Account Data for a Member
  • Personal Data Collected by the Third Party: Your first name, last name, email address, union name and role within the union
  • Who Collects the Personal Data: Your union
  • What we or the third party does with it: Invite you to create an account on the Platform

To the extent that analytical identifiers are generated by or collected from third parties, they may be considered personal data collected from third parties. You will find details about this further in this Policy.

Companies or Organizations to Whom We Transfer Your Personal Data

We only disclose certain of your personal data to the designated third parties identified in the table below. Each category of third parties identified below is bound by a contractual obligation not to 1) transfer or sell your personal data; or 2) use your personal data for any purpose other than the one identified in the table below.

We transmit personal data to law enforcement or other public authorities: 1) if applicable law requires us to do so; 2) if we deem it necessary to investigate, prevent or take action regarding illegal activities, fraud or threats to a person's safety; 3) if we deem it necessary to investigate malicious use of the Website, Application or the Internet in general; 4) if we are required to do so under applicable law.

We may also transmit personal data: 1) to a parent company, subsidiaries, joint ventures or other companies under common control with Fortisia; 2) if Fortisia merges with another entity, undergoes a corporate reorganization, sells or transfers all or part of its business, assets or shares.

We will never share your personal data with other third parties, except in these circumstances or as permitted by Data Protection Laws. We do not sell or rent your personal data to third parties.

Personal Data We Transfer to Third-Party Companies

Website

Category: Analytics Identifiers and Related Information, Including IP Address

  • Companies or organizations to whom we transfer them: Companies providing data analytics for the Website, in particular Google Analytics and Unbounce as detailed in the Limited Collection section below.
  • What they do with it: Provide us with analytics on how the Website is used, generate statistics, improve services and detect fraudulent activities.

Category: Contact Information

  • Companies or organizations to whom we transfer them:
    • Companies that provide technical infrastructure for the Website, in particular Microsoft Azure.
    • Companies that help us manage our mailing list and send emails, such as HubSpot.
  • What they do with it:
    • Store the data and retain it for record-keeping purposes.
    • Send you emails, as explained in the Email Communications section below.

Account Data for a Member

  • Companies or organizations to whom we transfer them:
  • What they do with it:
    • Store the data and retain it for record-keeping purposes.
    • Send you emails, as explained in the Email Communications section below.

Application

Category: Analytics Identifiers and Related Information, Including IP Address

  • Companies or organizations to whom we transfer them: Companies providing data analytics for the Application, in particular Azure App Insights, as detailed in the Limited Collection section below.
  • What they do with it: Collect, transmit and analyze telemetry data (errors, performance, user behaviour) in order to diagnose problems, optimize the Application and produce usage statistics.

Account Data for a Member

  • Companies or organizations to whom we transfer them: Companies that provide technical infrastructure for the Application, in particular Google Play and Apple Store.
  • Use by these companies: Store the data and retain it for record-keeping purposes
  • Companies or organizations to whom we transfer them: Companies that help us manage our mailing list and send emails, such as Sendgrid and Desk365.
  • Use by these companies: Send you emails, as explained in the Email Communications section below.

Sensitive Personal Information

We do not collect any data considered sensitive under Data Protection Laws from you when you visit the Website or the Platform, unless you voluntarily provide it to us, which you should avoid doing.

Email Communications and Anti-Spam Law Compliance

Fortisia uses HubSpot, Sendgrid and Desk365 (the "Email Service Providers") to send invitations to join the Application, communicate with Members, respond to your technical support requests, and to send its mailing list and newsletter. Personal data is transmitted to the Email Service Providers to facilitate email communications. Your email address is used only for sending emails. The Email Service Providers do not use this personal data for any other purpose, nor do they transfer or sell it to other third parties. For more information, please consult the privacy policy of each of our Email Service Providers: HubSpot, Sendgrid and Desk365.

You may unsubscribe from Fortisia's mailing list at any time by following the link displayed at the bottom of our newsletter. Other types of emails, such as transactional or relational emails, do not include an unsubscribe option, as they contain information necessary for the use of the Services.

Fortisia's email practices are designed to comply with anti-spam laws, including Canada's Anti-Spam Legislation (CASL) and the U.S. CAN-SPAM Act of 2003. If you believe you have received an email from us that violates these laws, please contact the Chief Privacy Officer using the contact information provided earlier in this Policy.

Limited Collection of Information for Statistical, Analytical and Security Purposes

Fortisia automatically collects certain information through Azure App Insights, HubSpot, Google Analytics and Unbounce (the "Third-Party Analytics Programs") to help it better understand visitors to its Website and Platform and how they use them, but none of this information allows you to be personally identified, except by an alphanumeric string. Fortisia also uses the information obtained for statistical purposes: it tracks the number of people who have visited the Website and Application in order to make improvements.

Your IP address and other relevant information we collect through Third-Party Analytics Programs may be used to track fraudulent or criminal activities.

Tracking Technology (Cookies) and Related Technologies

Fortisia uses tracking technologies ("cookies" and related technologies such as tags, pixels and web beacons) on the Website and in connection with the Platform. Cookies are small text files placed on your computer or Device when you visit a website or application, in order to track the use of the site or application and to improve the user experience. By using the Services, you agree to their use, but only if you explicitly consent to such use, in accordance with the cookie banner presented to you when you visit the Website. By default, all non-necessary cookies are disabled when you visit the Website or the Platform for the first time; you can use our cookie management tool to accept or refuse other categories of cookies.

More specifically, we use cookies and related technologies for the following functions:

  • to perform your authentication and enable your connection to and the main features of the Platform;
  • to provide general analytics and internal statistics on the use of the Platform and conduct research to improve the content of the Website and Platform using Third-Party Analytics Programs;
  • to track information about emails you receive, for example whether you have opened them or clicked on links they contain; and
  • to facilitate the detection of potentially fraudulent activities.

It is possible to set your browser to refuse cookies or to delete them after they have been accepted and stored. Here are instructions for the most commonly used browsers and operating systems:

Please note that deleting or refusing cookies may impair your user experience on the Platform. In addition, deleting cookies could completely prevent the use of certain features of the Platform.

How We Protect Your Personal Data

We have implemented rigorous technical and organizational methods to ensure that, by default, we only process the personal data necessary for each specific processing purpose. These methods help prevent the loss of your personal data, its unauthorized use or access.

We have also implemented a procedure to detect any suspected data security breach. Where Data Protection Laws require us to do so, we will notify you and any relevant supervisory authority within the applicable timeframe.

Fortisia applies only industry best practices to ensure the security of the data collected. For example, Fortisia uses Microsoft Azure, a recognized leader in data security, to host the Website and the Platform. Fortisia also uses Google Play and the Apple App Store to host the Application. You can learn more about their security programs here: Microsoft Azure, Google Play and App Store.

All information, including personal data, is transmitted with encryption via the SSL protocol or the TLS protocol, which are strict security standards for data transfer and transactions on the Internet. You can use your browser to verify the validity of Fortisia's SSL security certificate on the Website and Platform.

Internal Procedures and Policies

In addition to the measures protecting your personal data described in the previous section, we have developed and implemented certain internal procedures and policies regarding personal data, including the following:

  1. A framework for the retention and destruction of personal data, including when we may retain anonymized data;
  2. The definition and description of the roles and responsibilities of Fortisia staff members throughout the personal data lifecycle;
  3. A process for handling complaints and individual requests regarding personal data and the exercise of a person's rights under Data Protection Laws; and
  4. An information management and technology policy and procedure to address potential data breach incidents involving personal information held by Fortisia.

Transfer of Your Personal Data Outside the EEA and the United Kingdom

We strive to retain personal data of European Members or visitors to our Website within the EEA or the United Kingdom (as applicable).

Some of our data processors (and Fortisia) are located in other countries where your personal data may be transferred. These countries include the following:

  • Canada: We will transfer your personal data to our operations in Canada, but Canada has been determined to have an "adequate level of protection" for your personal data under European data protection legislation.
  • United States: Your personal data is transferred only to companies established in the United States that: 1) have signed agreements with us or informed us that they comply with the GDPR; and 2) have entered into standard contractual clauses for the transfer of personal data outside the EEA and the United Kingdom.

You have the right to object to your data being transferred outside the EEA or the United Kingdom. To do so, please contact our Chief Privacy Officer. Please note that making such a request may prevent you from using the Platform.

Transfer of Your Personal Data Outside Quebec

For Quebec Members and Quebec visitors to the Website, we strive to retain your personal data in Quebec. However, some of our third-party service providers are located in other provinces or countries where your personal data may be transferred. In this case, we take the following measures to protect your personal data:

  1. We conduct a "privacy impact assessment" (or "PIA") before personal data leaves Quebec. If the PIA does not meet our standards and the standards required by the Quebec Privacy Act, we do not transfer your personal data to such a service provider.
  2. If the PIA allows us to transfer the personal data to such an out-of-Quebec service provider, we enter into a "data processing agreement" (DPA) with the service provider, which protects the personal data transferred to it and limits its use thereof to what we have agreed with it to do. This data processing agreement complies with the requirements of the Quebec Privacy Act.

Supervisory Authority and Complaints

Under the GDPR, persons located in the EEA or the United Kingdom have the right to lodge a complaint with the relevant supervisory authority. If you are dissatisfied with the response received or the measures taken by our Chief Privacy Officer, or if you wish to file a complaint directly about Fortisia's data practices, we invite you to contact the supervisory authority in your country.

Persons located in the United Kingdom should contact the Information Commissioner's Office. You can contact the Office by various means, including by telephone (0303 123 1113 in the United Kingdom) and by post (Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF). If you are in France, you should contact the Commission nationale de l'informatique et des libertés. Their contact details can be found here.

Please click on this link to obtain the complete list of data protection authorities across the EEA.

If you are in Canada and are dissatisfied with the response received or the measures taken by our Chief Privacy Officer, you may file a complaint with the Office of the Privacy Commissioner of Canada on its website. In Quebec, you may file a complaint with the Commission d'accès à l'information on its website.

Data Retention and Anonymization

Your personal data is retained only for as long as necessary to fulfill the purpose of the processing. For example, we will retain your account information for as long as you hold an account on the Platform.

We may be required to retain your data for a longer period in order to comply with the requirements of applicable law, such as anti-spam laws, or to protect our legal interests. In certain cases, where permitted by Data Protection Laws, we may retain anonymized personal data for legitimate business purposes.

Automated Decision-Making

Fortisia does not use automated decision-making processes regarding your personal data in connection with the provision of the Website or the Platform.

Children's Privacy Statement

Our Services are intended only for persons who are of legal age in their respective country.

Data Protection Laws contain various age limits regarding the minimum age required to hold personal data about a natural person. We do not intentionally collect personal data from children who are below the applicable minimum ages. If we learn that we have inadvertently received personal data from a person who is below a minimum age through the Website or the Platform, we will delete this information from our records.

Application Access to Your Device

Below is a complete list, along with a description, of the third-party-developed features of your Device that the Application accesses and/or may modify. Unless otherwise indicated, these permissions apply to both the iOS and Android versions of the Application. Where applicable, these features will only be activated with your explicit authorization. You acknowledge that refusing such explicit authorization may impair or limit your user experience.

  • External Storage - The Application may access the external storage of your Device in order to save system files necessary for the proper functioning of the Application.
  • Notifications - The Application may send you notifications (only with your explicit authorization).
  • Wi-Fi Connection Information - The Application may retrieve information relating to the network connectivity and connection speed of your Device.
  • Camera - The Application may access the camera of your Device, exclusively to enable the reading of QR codes. This access is subject to your explicit authorization.

Uninstalling the Application

You may uninstall the Application; uninstallation methods may vary depending on your Device or the iOS or Android version used. Fortisia has no control over the uninstall function and disclaims all liability for your use thereof.

Amendments to this Privacy Policy

The date at the top of this page is the date on which the Policy was last updated. As Data Protection Laws are constantly evolving, we must from time to time update this Policy. You will always find the most recent version at this URL. We will post a prominent notice on the Website and Platform if we make any material changes to the Policy.

Thank you for reading! Protect your personal data and we promise to do the same.

© 9529-9079 Quebec inc. d.b.a. Fortisia (under licence), 2026
