Privacy policy

1 – Our commitment to confidentiality

Brome Consulting pays particular attention to protecting the privacy of its customers. Our company is committed to respecting the confidentiality of the personal and non-personal information it collects, in accordance with this privacy policy (hereinafter referred to as the “Policy”).

2 – Application of the privacy policy

This Policy sets out how Brome Consulting collects, uses and protects information provided by users of its website. The Policy also explains how to review or update your personal information.

Brome Consulting reserves the right to modify its Policy without prior notice. We recommend that you read our Policy carefully and consult it regularly.

3 – Digital infrastructure

Self-managed infrastructure

The bromeconseil. com website is hosted on a shared server at A2 Hosting in Michigan.
The site is based on the WordPress CMS.
We use trackers from Google Analytics, Facebook and Hubspot to collect website visit statistics and build audiences that can be used to run retargeting advertising campaigns (Google Ads and Facebook Ads).
We also use the Yoast SEO plugin for WordPress, which communicates anonymous usage information to the Yoast company.
- The following information is collected by Yoast: User Agent
We use contact and registration forms based on ContactForm, Hubspot and Convertbox technologies.
The following information is collected by ContactForm: Full name, Email.
This information is used for the following purposes:
- customer communication
The following information is collected by Hubspot: First name, Last name, Email, Date and time of meeting, IP address.
This information is used for the following purposes:
- creating user accounts
- creating appointments
- customer communication
The following information is collected by Convertbox: First name, Last name, Email, Phone number, Company.
This information is used for :
- creating user accounts
- dispatch of marketing material
- customer communication
Videos and clips posted on Brome Consulting website are hosted on the Youtube platform.

Infrastructure via cloud services

We use various cloud services to support some of our business services:

Online banking (undisclosed): Banking platform. We use it to manage our bank accounts, send payments to our suppliers and receive payments from our customers.
ConvertBox: Newsletter and e-booklet subscription forms. Convertbox communicates information to Mailchimp and Hubspot. Convertbox privacy policy.
Google (Privacy policy and terms of use)
- Google Calendar : Meeting calendar.
- Google Chat: instant communications and meetings.
- Google Drive: share documents and files with customers.
- Google Mail : Email.
- Google Meet : Meetings. Security and privacy in Google Meet.
Hubspot: CRM platform for managing sales leads and opportunities, as well as customer communications. All e-mails received or sent are copied to this platform. Hubspot is also used as a chatbot. Hubspot privacy policy.
Mailchimp: This platform is used for automated marketing and segmentation of our customers and subscribers. Mailchimp privacy policy.
Microsoft (Microsoft Privacy Statement) :
- Microsoft 365: Office suite.
- Microsoft One Drive: Backing up our corporate data. Share documents with customers.
- Microsoft Teams: Instant communications, meetings, calls and file exchange with customers .
PandaDoc: Electronic document management platform with integrated signature. We use it to sign confidentiality agreements and service contracts, collect information for the preparation of service contracts and submit service proposals. PandaDoc Privacy Notice.
QBO (Quickbooks Online): Financial accounting platform. Intuit Global Privacy Statement.
WeTransfer: File transfer platform. We use it to send documents and files of a certain volume to our customers and prospects. WeTransfer privacy statement and cookies.

4 – Collecting information

a) Personal information collected on the website or otherwise :

Event	Medium	Confidential information collected	Pathway
Chatbox information request	Website	Email address Any other confidential information submitted by the visitor.	Hubspot cloud service
Newsletter subscription	Website	Email address First name	ConvertBox cloud service => Hubspot cloud service => Mailchimp cloud service => MS 365 cloud service
Registration for an electronic booklet or eBook	Website	Email address First name Name Company Phone number	ConvertBox cloud service => Hubspot cloud service => Mailchimp cloud service => MS 365 cloud service
Making an appointment	Website	Email address	Hubspot cloud service => Google Calendar cloud service
Confidentiality agreement	Cloud service	First and last name Title/Position Company Postal address	PandaDoc cloud service
Service proposal	Cloud service	First and last name Title/Position Company	PandaDoc cloud service
Contract and pre-contract information	Cloud service	First and last name Title/Position Company Postal address	PandaDoc cloud service
Carrying out a mandate	Workshop in person	Any confidential information submitted by the person we meet.	MS 365 cloud service => MS One Drive Workbook
Virtual meeting	Cloud service	Any confidential information submitted by the person we meet.	Google Meet or MS Teams cloud service
Invoice	Cloud service	First and last name Company Title/Position Postal address Office telephone number Cell phone number Fax number	QBO cloud service => Google Mail cloud service

b) Non-personal information collected on the website

For the purposes of this policy, the term “non-personal information” refers to anonymous information that is usually recorded by Internet servers, such as the Internet protocol address (IP address), the date and time of access, and the operating system and browser used by the Internet user.

Demographic statistics on our visitors (age group, country of origin, language of correspondence, etc.) and their consultation habits (pages consulted, number of visits, duration of consultation, etc.) are also considered to be non-personal information.

We collect such information primarily through the use of cookies. Cookies are small data files that the browser installs on the hard disk of a user’s computer, when the user visits a website for the first time.

5 – Collection and use of your information by a third party

Please refer to our cookie policy.

6 – Disclosure and protection of your information

All information provided by users of our website, whether personal or not, remains confidential. The use of this data is for internal purposes only; under no circumstances will the disclosure of your information to a third party be authorized.

We make every reasonable effort to ensure the security of personal information provided by users of our website. An in-house technician ensures the functionality of the server and forms used for our website.

7 – Withdrawal and correction of your personal information

To remove your name from Brome Consulting’s electronic participation lists or to change the personal information you have provided, please send your request by e-mail to simon@bromeconseil.com.

8 – Brome Consulting e-mail privacy policy

We use the Google Mail platform. Google Mail data is hosted in the United States.
All our e-mails contain a statement of the confidential nature of the content: “Confidential Information: This message, and any attached files, is being sent for the exclusive use of its intended recipient(s); it is of a confidential nature and may be subject to privileged information. We advise anyone other than the intended recipient that any examination, forwarding, printing, copying, distribution or other use of this message and any attached document is (are) strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail and delete this message and any attachments from your system. Thank you!”
E-mail is considered an unsafe means of communication. We are used to transmitting documents containing sensitive information via secure services such as WeTransfer or MS Teams.

9 – Brome Consulting Copyright Policy

Brome Consulting respects the intellectual property rights of others and expects users of its website to comply with its Copyright Policy.

The textual and visual content published on this site is the property of Brome Consulting. No material may be reproduced elsewhere without express prior written permission. The graphic design elements of our website, i.e. the unique combination of images, colors, sizes and fonts, cannot be reproduced in their entirety. The use of information available on the Brome Consulting website requires its authorization.

Certain logos and images on our website are the intellectual property of our customers and are used with their permission. Trademarks belong to their respective owners.

10 – Procedure for storing, destroying and anonymizing personal information

Shelf life

Personal information has been categorized as follows:
- customer information
The retention period for each of these categories has been established as follows:
- E-mails received and sent: 2 years.
- Business documents (contracts, invoices): Unlimited.
- Project files: 7 years after end of contract.

Secure storage methods

Personal information can be found in the following locations:
- Filing cabinet located at company headquarters (paper documents).
- Private computer(s) located at company headquarters. Computers are password-protected. Data encryption has been activated via Bitlocker.
- Encrypted backup of computer data to Microsoft’s OneDrive service. The data is located in a Microsoft data center in Canada. Brome Consulting is responsible for the security and confidentiality of this data.
- The following SaaS solution providers: Hubspot, Mailchimp, ConvertBox, PandaDoc, Quickbooks Online. See their respective security and privacy policies.

The degree of sensitivity of each of these storage sites has been established.
These storage facilities, whether paper or digital, are adequately secured.
Access to these storage areas has been restricted to authorized persons only.

Destruction of personal information

Personal information on paper must be completely shredded.
Digital personal information will have to be completely removed from devices (computers, phones, tablets, external hard drives), servers and cloud tools.
The destruction schedule, based on the retention period established for each category of personal information, must be drawn up. It is imperative to document planned destruction dates.
Care must be taken to ensure that destruction is carried out in such a way that personal information cannot be recovered or reconstituted.

Anonymization of personal information

Personal information should only be anonymized if the organization wishes to keep it and use it for serious and legitimate purposes.
The chosen method for anonymizing personal information is : Univariate statistical aggregation.

Employee training and awareness

Regular training should be provided to employees on the procedure for retaining, destroying and anonymizing personal information, as well as on the risks associated with breaches of privacy.
This also includes raising staff awareness of good data security practices and the importance of complying with established procedures.

11 – Procedure for requesting access to personal information and handling complaints

Application submission

Individuals wishing to access their personal information must submit a written request to the organization’s Privacy Officer. The request can be sent by e-mail or post.
The request must clearly indicate that it is a request for access to personal information, and provide sufficient information to identify the individual and the information sought.
This information may include name, address and any other information relevant to reliably identifying the individual making the request.

Receipt of request

Once the request has been received, an acknowledgement of receipt is sent to the individual to confirm that the request has been processed.
The request must be processed within thirty (30) days of receipt.

Identity verification

Before processing the request, the individual’s identity must be reasonably verified. This can be done by requesting additional information or by verifying the individual’s identity in person.
If identity cannot be satisfactorily verified, the organization may refuse to disclose the personal information requested.

Responding to incomplete or excessive requests

If a request for access to personal information is incomplete or excessive, the Privacy Officer will contact the individual to request additional information or clarification.
The organization reserves the right to refuse a request if it is manifestly abusive, excessive or unjustified.

Processing your request

Once identity has been verified, the privacy officer responsible for handling requests for access to personal information will proceed to collect the requested information.
The person in charge consults the relevant files to gather the personal information requested, taking care to respect any legal restrictions.

Information review

Before disclosing personal information to the individual, the person in charge carefully examines the information to ensure that it does not contain any third-party information that is confidential or likely to infringe other rights.
If third-party information is present, the person in charge assesses whether it can be unbundled or whether it should be excluded from disclosure.

Communication of information

Once verifications have been completed, personal information is communicated to the individual within a reasonable period of time, in accordance with applicable legal requirements.
Personal information may be communicated to the individual electronically, by secure mail or in person, depending on the individual’s preferences and appropriate security measures.

Follow-up and documentation

All steps in the process of handling a request for access to personal information must be recorded accurately and completely.
The details of the request, the actions taken, the decisions made and the corresponding dates must be recorded in an access request tracking register.
- Date application received ;
- Date of acknowledgement ;
- Date of identity check ;
- Identity verification method ;
- Decision – access request accepted or refused ;
- Date of disclosure (if applicable).

All staff involved in processing requests for access to personal information must respect confidentiality and data protection.

Complaints and appeals management

If an individual is dissatisfied with the response to his or her request for access to personal information, he or she must be informed of the complaint procedures and recourses available before the Commission d’accès à l’information.
Complaints must be handled in accordance with internal complaint management policies and procedures (next section).

12 – Complaints procedure

Receiving complaints

Complaints can be made in writing, by telephone, by e-mail or via any other official communication channel. They must be recorded in a centralized register, accessible only to designated personnel.
Employees must immediately inform the department responsible for receiving complaints.

Preliminary assessment

The designated manager reviews each complaint to assess its relevance and seriousness.
Complaints that are frivolous, defamatory or unfounded may be rejected. However, a justification must be provided to the complainant.

Survey and analysis

The complaint manager conducts a thorough investigation, gathering evidence, interviewing the parties involved and collecting all relevant documents.
The person in charge must be impartial and have the necessary authority to resolve the complaint.
The manager must maintain the confidentiality of information relating to the complaint and ensure that all parties involved are treated fairly.

Complaint resolution

The person responsible for the complaint proposes appropriate solutions to resolve the complaint as quickly as possible.
Solutions may include corrective measures, financial compensation or any other action required to resolve the complaint satisfactorily.

Communication with the complainant

The person in charge of the complaint communicates regularly with the complainant to keep him or her informed of the progress of the investigation and the resolution of the complaint.
All communications must be professional, empathetic and respectful.

Closing the complaint

Once the complaint has been resolved, the person in charge of the complaint must provide a written response to the complainant, summarizing the measures taken and the proposed solutions.
All information and documents relating to the complaint must be kept in a confidential file.

13 – Procedure for requesting de-indexation and deletion of personal information

Receiving requests

Requests for de-indexation and deletion of personal information must be received by the designated responsible team.
Customers can submit their requests via specific channels such as the online form, dedicated e-mail address or telephone number.

Identity verification

Before processing the request, the individual’s identity must be reasonably verified.
This can be done by requesting additional information or by verifying the individual’s identity in person.
If the identity cannot be verified satisfactorily, the organization may refuse the request.

Evaluation of requests

The responsible team must carefully examine the requests and the personal information concerned to determine their eligibility for de-indexation or deletion.
Requests must be handled confidentially and within the agreed deadlines.

Reasons for refusal

There are also perfectly valid reasons why we may refuse to delete or de-index personal information:
To continue providing goods and services to the customer ;
For reasons of labor law requirements;
For legal reasons in the event of a dispute.

De-indexing or deleting personal information

The responsible team shall take the necessary steps to de-index or delete personal information in accordance with eligible requests.

Follow-up communication

The responsible team is responsible for communicating with applicants throughout the process, providing acknowledgement confirmations and regular updates on the status of their application.
Any delays or problems encountered in processing applications must be communicated to applicants with clear explanations.

Follow-up and documentation

All requests for de-indexation and deletion of personal information, as well as the actions taken in response, must be recorded in a dedicated tracking system.
Records must include details of requests, actions taken, dates and results of actions taken.

14 – Privacy officer

Simon Chamberland is Brome Consulting’s Privacy Officer. He is also responsible for applying the Personal Information Governance Policy.

He can be reached at the following coordinates. Requests and complaints will be dealt with as quickly as possible.

Simon Chamberland
12-C rue Principale Sud, Sutton, Québec, J0E 2K0, Canada
Website: https://bromeconseil.com
E-mail: simon [a] bromeconseil [point] com
Phone number: 15147914771

15 – Procedure for managing security incidents and breaches of personal information

A cybersecurity incident may not be recognized or detected immediately. However, there may be indicators that a security breach has occurred, that a system has been compromised, that unauthorized activity is taking place, and so on.

Always be on the lookout for signs that a security incident has occurred or is in progress.

Some of the indicators are described below:

Excessive or unusual system login activity, especially from any inactive user ID (user account).
Excessive or unusual remote access in our organization. This may involve staff or third-party suppliers.
The appearance of any new visible or accessible wireless network (Wi-Fi).
Unusual activity related to the presence of malware, suspicious files or new or unapproved files and executable programs.
Lost, stolen or misplaced computers or devices containing payment card data, personal information or other sensitive data.

16 – Reporting cyber security incidents

No incidents have been reported to date (September 22, 2023). The following register will be constantly updated:

Date of open declaration of incident	Type of incident	Targeted information	Support or software	Number of people targeted	Measures implemented since the incident

17 – Authorization request

To obtain Brome Consulting’s authorization, you must send your request by e-mail to simon [a] bromeconseil [point] com.