Your data

Privacy Policy

LB Advisor places fundamental importance on the protection of personal data. This policy explains what data we collect, why, how long we retain it, and how you can exercise your rights. Compliant with the General Data Protection Regulation (EU 2016/679) and Quebec's Law 25 on the protection of personal information.

Data Controller

LB Informatique Formation Evolution Inc. (operating under the LB Advisor brand), a Canadian joint-stock corporation with its registered office in Montréal (Quebec, Canada), is the controller of personal data collected through this website and in the course of its services. For any question relating to data protection:

contact@lb-advisor.com · subject: "GDPR — Personal Data"

Privacy Officer (Quebec Law 25)

In accordance with Section 3.1 of Quebec's Act respecting the protection of personal information in the private sector (Law 25), a privacy officer has been designated. They can be reached at privacy@lb-advisor.com. Their name is provided on request as part of a formal contractual exchange.

Data Collected

Through the contact form

First and last name
Professional email address
Organization and role
Free-form message content

During professional interactions with us

Professional contact details (phone, postal address)
Information exchanged in connection with a quote, contract, or engagement
Billing data (banking details, business registration number, VAT)

Automatically collected

IP address, browser type, pages viewed — solely for site security and aggregated audience analysis (no individual profiling)

Purposes & Legal Bases

Purpose	Legal Basis
Responding to a contact request	Pre-contractual measures (GDPR art. 6(1)(b))
Management of quotes, contracts, and engagements	Contract performance (GDPR art. 6(1)(b))
Invoicing and accounting obligations	Legal obligation (GDPR art. 6(1)(c))
Site security, fraud prevention	Legitimate interest (GDPR art. 6(1)(f))
Commercial communication, newsletter	Consent (GDPR art. 6(1)(a))

Data Recipients

Your data is processed by LB Advisor. Certain sub-processors may access it strictly within the scope of their assignments, under a compliant data processing agreement (DPA):

Sub-processor	Country	Purpose
Netlify, Inc.	United States (DPF certified)	Site hosting
Google Workspace	Canada / EU / US (DPF certified)	Professional email, calendar, storage
Anthropic, PBC	United States (DPF certified)	Claude AI models (systematic no-training clause)
Amazon Web Services	EU (eu-west-1) or Canada (ca-central-1)	Service infrastructure
Supabase, Inc.	EU or Canada (depending on chosen hosting)	Relational storage for engagements
Accounting firm	Canada	Tax and accounting obligations

No data is sold or transferred to third parties for commercial purposes. The complete and up-to-date list is available on request at privacy@lb-advisor.com.

Retention Periods

Data	Duration
Contact form without follow-up	12 months after last exchange
Active client (quotes, contracts, engagements)	Duration of relationship + 5 years (commercial limitation period)
Accounting and tax records	10 years (legal obligation)
Security logs	12 months maximum
Newsletter (if enabled)	Until unsubscribe + 3 years

Transfers Outside the EU / Canada

When sub-processors are located outside the European Union or Canada, transfers are governed by the following mechanisms:

European Commission Standard Contractual Clauses (Decision 2021/914) for transfers to the United States and other countries without an adequacy decision.
Adherence to the EU-U.S. Data Privacy Framework for certified U.S. sub-processors (Anthropic, AWS, Netlify, Google).
Systematic Privacy Impact Assessment (PIA) for transfers from Quebec, in accordance with Section 17 of Law 25.
For engagements involving sensitive data, sovereign hosting in the EU or Canada exclusively, or on-premise deployment at the explicit request of the client.

Your Rights

In accordance with the GDPR and Law 25, you have the following rights:

GDPR Art. 15Right of accessObtain confirmation and a copy of data concerning you.

GDPR Art. 16Right to rectificationCorrect inaccurate or incomplete data.

GDPR Art. 17Right to erasureRequest deletion of your data under the conditions provided.

GDPR Art. 18Right to restrictionTemporarily restrict processing.

GDPR Art. 20Right to portabilityReceive your data in a structured format.

GDPR Art. 21Right to objectObject to processing based on legitimate interest.

To exercise these rights, write to contact@lb-advisor.com. We will respond within a maximum of one month. Proof of identity may be requested.

Cookies

The LB Advisor website uses a minimal number of cookies, strictly limited to technical needs:

Essential technical cookies — exempt from consent (language preference, session)
Anonymized audience measurement — only on the basis of explicit consent, without individual profiling

No advertising cookies, no third-party trackers for marketing purposes. A consent management banner is displayed on your first visit, in accordance with the guidelines of the CNIL and the CAI. You may modify your preferences at any time from the footer.

Automated Decisions

In accordance with Section 12.1 of Law 25 and Article 22 of the GDPR, some of LB Advisor's services involve decision-support systems based on artificial intelligence (scoring, classification, anomaly detection, conversational assistants). For each of these services:

You are informed of the nature, purpose, and main parameters of the automated processing.
Qualified human intervention is systematically embedded in decisions with legal or significant effect (validation, appeal, contestation).
You have the right to request human review of any automated decision concerning you.
No purely automated decision is made on the basis of personal data without prior information and explicit contractual agreement.

Security

LB Advisor implements proportionate technical and organizational measures: encryption in transit (TLS 1.3) and at rest, role-based access control, access logging, quarterly security reviews, and incident management policy. Any data breach will be notified to the competent authority (CNIL or CAI) within 72 hours, in accordance with legal obligations.

Supervisory Authorities

If you believe that your rights are not being respected, you may file a complaint with:

the French Data Protection Authority (CNIL) for French residents — cnil.fr
the Commission d'accès à l'information du Québec (CAI) for Quebec residents — cai.gouv.qc.ca
the Office of the Privacy Commissioner of Canada — priv.gc.ca

Changes

This policy may be updated to reflect changes in our practices or in the legal framework. The version in force is the one accessible on the website. In the event of a substantial change, you will be informed by email (if we have your address) or by a visible notice on the website.

Last updated · April 23, 2026