Privacy

Privacy policy

Last updated: May 7, 2026

This policy explains what personal information Béluga collects, why, where it lives, who can access it, and what rights you have. It is written to be read, and to comply with the Loi 25.

Who we are

Technologies Shelter-Bay inc., Québec corporation, head office in Québec. We are the responsible party ("responsable du traitement") for the personal information described below.

What we collect

  • Account data — name, email, organization, language preference, payment method.
  • Service content — emails, files, calendars, contacts, messages, meeting recordings (if you enable them).
  • Operational telemetry — login events, error logs, performance metrics. Pseudonymized and used only to keep the service running.
  • Support exchanges — what you write to us, kept as long as needed to assist you.

What we do not collect

  • No tracking cookies, no advertising profile, no third-party analytics on the marketing site (beluga.quebec).
  • No content of your emails, documents, files or messages used to train AI models — ours or third parties'.
  • No biometric data unless you explicitly opt in to a feature that requires it.

Where your data lives

100% of personal information is stored on Béluga-owned hardware in Québec. We do not use AWS Canada, GCP Canada or Azure Canada. Encryption keys (HSM) are operated in Québec by our team.

Limited international processing

We are transparent about residual non-Québec dependencies:

  • Stripe (payment processing, ancillary to Moneris) — only the payment metadata required to charge a card.
  • Mistral API (transitional, transcription within the Matelot module) — used only when you explicitly opt in. We are actively seeking a Québec/Canadian partner to bring this in-house.
  • Cyberimpact SMTP (Québec — transactional emails such as password resets).

None of these residual dependencies receives the content of your mailboxes, documents, calendars or messages.

How long we keep data

  • Account data — for the duration of the contract, plus 30 days for export, then permanent deletion.
  • Service content — until you delete it, or 30 days after termination.
  • Operational logs — 90 days, then aggregated.
  • Backups — encrypted, retained according to the plan, never beyond 12 months.

Your rights under the Loi 25

  • Access — obtain a copy of the personal information we hold about you.
  • Rectification — correct inaccurate information.
  • Deletion — ask for permanent erasure (subject to legal retention obligations).
  • Portability — receive your data in a structured, commonly used format.
  • Objection — object to certain processing operations.
  • Complaint — file a complaint with the Commission d'accès à l'information du Québec.

Requests are handled by our person responsible for the protection of personal information at vie-privee@beluga.quebec. We respond within 30 days.

Incident notification

In case of a confidentiality incident presenting a risk of serious harm, we notify the Commission d'accès à l'information and affected persons within the deadlines set by the Loi 25 (72-hour ceiling for material incidents).

Changes

Material changes to this policy are notified by email at least 30 days in advance. Past versions are archived on request.