Privacy Policy

1. Introduction

Edimono Inc. ("we", "our", "us") protects your personal information in accordance with Quebec Law 25 (Loi 25), Canada's PIPEDA, and the EU GDPR where applicable.

2. Information We Collect

We collect information that you provide directly to us, including:

• Account information (name, email address, organization)
• Building and property data
• Energy consumption and meter reading data
• Usage data and analytics
• Communication preferences

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our energy management services
• Generate energy performance reports and analytics
• Send you technical notices, updates, and support messages
• Respond to your comments, questions, and requests
• Monitor and analyze trends, usage, and activities
• Comply with legal obligations (Loi 25, PIPEDA, GDPR where applicable)

4. Data Retention

We retain your personal data while your account is active or as required by law. Specific retention periods:

• User profiles: retained while account is active, archived after 2 years of inactivity
• Meter readings: retained for up to 5 years
• Audit logs: retained for 7 years (regulatory compliance)
• Session data: automatically purged after 30 days

5. Your Rights

Under Loi 25, PIPEDA, and GDPR, you have the right to:

• Access: Request a copy of your personal data (Art. 27)
• Rectification: Request correction of inaccurate data (Art. 28)
• Erasure: "right to be forgotten" (Art. 28.1)
• Portability: Request your data in a machine-readable format (Art. 27.1)
• Withdraw consent: At any time (Art. 14)
• Object to automated decision-making: Including AI recommendations (Art. 12.1)

6. Data Security

We apply appropriate technical and organizational measures: AES-256 encryption at rest, TLS 1.3 in transit, mandatory MFA, role-based access control, immutable audit logs, and regular security audits. The platform is SOC 2 Type II, CyberSecure Canada, and ISO 27001 aligned.

7. Cookies & Tracking

We use essential cookies for authentication and session management. Optional analytics and marketing cookies are only set with your explicit consent via the consent banner. You can change your preferences at any time from the banner or the "My Data" page.

8. Privacy Officer

In accordance with Loi 25 Art. 8.1 and PIPEDA, Edimono has designated a Privacy Officer:

For access, correction, erasure, portability requests, or complaints, contact the Privacy Officer. Response SLA: 30 days (Loi 25 Art. 32). You may also contact the Commission d'accès à l'information du Québec or the Office of the Privacy Commissioner of Canada.

9. Cross-Border Transfers (Loi 25 Art. 17)

Your data is hosted in Canada by default (AWS ca-central-1, Montreal). Some features may involve processors located outside Canada. Those transfers are governed by Data Processing Agreements (DPAs) and require explicit consent when they involve personal information. See the list below:

Every cross-border transfer of personal information is recorded in an audit log. Quebec tenants may disable these transfers entirely from Settings → Privacy; the system will degrade to local/rule-based processing.

10. Automated Decision-Making (Loi 25 Art. 12.1)

The platform uses AI engines (fault detection, forecasting, recommendations). Every AI-generated recommendation can be explained by clicking the "Explain" icon displayed beside it. You may object to automated processing by contacting the Privacy Officer via Settings → Privacy → Contact. AI recommendations never replace a human decision.

11. Incident Notification (Loi 25 Art. 3.5)

In the event of a privacy incident presenting a risk of serious injury, we notify the Commission d'accès à l'information du Québec and affected individuals within 72 hours of discovery, as required by Loi 25.