Policy
Privacy policy
Compliant with Quebec Law 25 — Last updated: 2026-05-16
This policy describes how Cartes Coelecoco, a service operated by Canada Horizon 3000 SA (Gatineau, Quebec), collects, processes and protects the personal information you entrust to us. It complies with the Act respecting the protection of personal information in the private sector (Law 25) of Quebec.
1. Person responsible
Per article 3.1 of Law 25:
Vignikin Edorh
Email: admin@canadahorizon3000.ca
Canada Horizon 3000 SA, Gatineau, Quebec, Canada
2. Information collected
We collect only what is strictly necessary:
- Organizer account: email, first name (optional), hashed password.
- Event: title, child name, age, date, time, location, message, photo (optional).
- Guests: name, email (optional), allergies (optional), diet (optional), emergency contact (optional), host message.
- Payment: order number, method, amount. Card details are handled by Stripe and never transit through our servers.
- Technical logs: IP address and user-agent stored as HMAC hashes (never in cleartext).
3. Purposes
- Enable creation, customization and sending of event invitations.
- Collect RSVP replies and forward useful info to the organizer.
- Bill and keep accounting (legal tax obligation).
- Detect and prevent fraud.
- Secure accounts (rate limiting, audit log).
No advertising profiling, resale, or automated decision-making.
4. Consent
Your consent is collected in a manifest, free, informed and specific manner: a non-pre-checked checkbox at signup and at each RSVP. You can withdraw consent at any time by requesting account deletion.
5. Retention
- 30 days after the event: all event and guest data is wiped.
- 7 days after a deletion request: organizer account and related events.
- 10 years for invoices (Quebec tax obligation).
- 30 days for login attempts.
6. Encryption & security
- All columns containing personal info are encrypted at rest with AES-256.
- Passwords are hashed with bcrypt cost 12.
- Communications use TLS 1.2+ (HSTS, Let's Encrypt).
- Backups are encrypted and kept 30 days.
7. Hosting & transfers
Your data is hosted in Canada (Montreal) at Web Hosting Canada (WHC). It never leaves Canada except for payment processing by Stripe (US, PCI-DSS Level 1).
8. Your rights
- Access: export all your data as JSON from your privacy page.
- Rectification: edit your info from your account.
- Erasure: request permanent deletion (effective after 7 days).
- Portability: JSON export is a standard machine-readable format.
- We respond within 30 days maximum.
9. Cookies
We use only strictly necessary cookies: cc_session (session, 2 h, HttpOnly, Secure), cc_locale (language preference, 1 year). No advertising or third-party analytics.
10. Subprocessors
- Stripe (US): card payments. stripe.com/privacy
- Brevo (France): transactional emails.
- WHC (Canada): server hosting.
11. Complaints
For disputes, write to the person responsible (admin@canadahorizon3000.ca). If unsatisfied, file a complaint with the Commission d'accès à l'information du Québec: cai.gouv.qc.ca.
12. Updates
This policy may be updated. Substantial changes will be notified by email. The "last updated" date is at the top.