At Estimai, your privacy matters. This policy simply explains what information we collect, why, how we protect it, and what your rights are. It applies to anyone who visits our website or interacts with us (customers, prospects, partners, candidates).
Privacy Policy
Who is responsible for your data?
Privacy Officer (PIO): Antoine Zieger— ti@estim.ai
If you have a question about your personal data or wish to exercise your rights, please contact them directly.
What information do we collect?
We only collect the information that is necessary, depending on how you interact with us:
Via our website and contact form:
First and last name
Email address
Phone number (if provided)
Your company name
Content of your message
Through our cookies and analytics tools:
IP address
Pages visited and duration of visit
Browser and device type
As part of our client mandates:
Information necessary for the completion of the project (specified in the contract)
Why do we collect this information?
Contact details (name, email, telephone): respond to your requests, manage customer relations.
Browsing data (cookies): to improve the experience on our site, to analyze traffic.
Project data: Implement agreed mandates and deliverables.
We do not use your data for purposes other than those mentioned above, without your consent.
How do we protect your data?
Storage on secure platforms with restricted access
Strong authentication (two-factor) on supported platforms
Data encryption in transit (SSL/TLS) and at rest
Access limited to only those who need it
Internal procedures for managing confidentiality incidents
Do we share your data?
No, except in the following cases:
Partners or subcontractors involved in your project (always with confidentiality agreement)
Legal obligations (e.g. governmental authority on a legal basis)
We never sell your data to third parties.
Transfers outside Quebec
Some of our work tools host data on servers located outside Quebec, particularly in the United States. Prior to any transfer, we ensure that the provider provides a level of protection equivalent to that required by Bill 25, in accordance with our Privacy Impact Assessment (PIA) process.
How long do we keep your data?
Contact and project data: 7 years (legal and tax requirements)
Browsing data (cookies): depending on the settings of the analytics provider (usually 13 months)
Application data: 2 years after the end of the recruitment process
After these periods, your data is securely deleted or anonymised.
Cookies
Our site uses cookies to function properly and improve your experience.
Types of cookies used:
Essential cookies: necessary for the proper functioning of the site (cannot be refused)
Analytical cookies: help us understand how visitors use our site (e.g. Google Analytics)
Marketing cookies: may be used by certain partners (e.g. LinkedIn)
You can manage your cookie preferences at any time through your browser settings.
Your rights
Under Bill 25, you have the right to:
Accessing Your Personal Information Held by Estimai
Correct any inaccurate or incomplete information
Withdraw your consent for a use of your data
Get a portable copy of your data (portability), in a structured and readable format
Request the de-indexing of information about you that is posted online, if it is no longer necessary or if you withdraw your consent
To exercise any of these rights, write to our RPRP : Antoine Zieger at ti@estim.ai
We are committed to responding within 30 days.
Confidentiality incident
In the event of an incident affecting your data, we are committed to:
Inform you promptly if it poses a serious risk to you
Notify the Commission d'accès à l'information (CAI) if required
Take the necessary corrective actions
Right to appeal
If you feel that your rights are not being respected, you can file a complaint with the Commission d'accès à l'information du Québec (CAI): www.cai.gouv.qc.ca — 1-888-528-7741.
Updates to this Policy
This policy may be amended to reflect legal developments or our practices. The update date is always indicated at the top of the document. In the event of a material change, we will notify you directly if we have your contact information.
Data Processing Agreement (DPA)
This section describes how we process personal information when we act as a processor on behalf of a customer using the Estimai platform. These commitments are formalized in the Data Processing Agreement (DPA) that is part of our service contracts; We present them here for information and transparency.
1. Purpose and roles
Purpose. This DPA describes how Vendor processes personal information to provide the Services.
Roles. The Customer is "controller" and gives instructions; the Supplier is a "subcontractor/processor" and only follows the documented and lawful instructions of the Customer or those required by law.
2. What we deal with and why
Account and authentication data (name, surname, work email, organization, role, logins, preferences). Why: to create and manage the account, to authenticate and authorize authorized Users, to provide support, to communicate on the evolution of the Services.
Usage and technical data (access logs, IP addresses, device/browser type, instance identifiers, actions in the interface, errors, integration/API metadata). Why: To deliver the Services, measure availability/performance, secure access, prevent fraud/abuse, investigate incidents, and improve stability.
Front and back observability data (RUM/session replay, browser telemetry, metrics, traces and application logs including interface events, browsing, interactions, response time, errors, and associated technical metadata). Why: Monitor performance, troubleshoot, detect security incidents, improve user experience, and reliability. Privacy settings (e.g., input masking) are configured to limit content capture; the Client undertakes not to enter sensitive data in the free fields.
Content provided by the Client (PDF plans and specifications, annotations, comments, generated reports, exports, support attachments) that may contain incidental personal information. Why: to run the AI Features (automated analysis, calculations and AI Results), to enable annotation/validation, to generate and export the requested reports, to provide support.
Support data (requests, transcripts, support emails, associated technical logs). Why: respond to tickets, reproduce and correct problems, inform about resolutions.
Continuous improvement. The above data may be anonymized or aggregated to improve performance, model quality, and security, without identifying the Customer or the individuals involved.
Sensitive data. The Provider does not require sensitive data (e.g. health, payment, children's data) and the Customer undertakes not to transmit any data via the Services.
3. Duration and location
Duration. The Provider processes the data for the duration of the contract and until it is deleted or returned in accordance with Section 8.
Location and transfers. The Services are hosted on cloud infrastructure (e.g., AWS or equivalent). Data may be transferred or made accessible outside of Quebec or Canada with appropriate safeguards (standard contractual clauses or equivalent mechanisms). Customer consents to such transfers to the extent necessary for the performance of the Services.
4. Security
Measurements. Vendor maintains industry-standard administrative, physical, and technical measures: encryption in transit (TLS) and, when available, at rest; role-based access controls; centralized identity management; logging and monitoring; logical segmentation; backups and recovery; vulnerability and patch management; Hardening of administrative environments.
Confidentiality. Access is limited to those who need it to provide the Services and who are bound by confidentiality and security obligations.
Registry and minimization. The Provider maintains a relevant processing record and only accesses the data to the extent necessary for the performance of the contract.
5. Subcontractors and Disclosures
Sub-processors. Customer authorizes the use of subcontractors for cloud hosting, monitoring, support, backup and internal analytics, including observability/monitoring services (e.g., Datadog APM, logs and RUM/session replay configured with privacy settings). The Provider imposes equivalent data protection obligations and remains liable for their actions.
Legal Disclosures. The Provider shall disclose the data only if required by law, after informing the Customer (unless prohibited by law) and limiting the disclosure to the minimum required.
6. Incidents and Support
Incident notification. The Provider will notify without undue delay, and no later than seventy-two (72) hours after confirmation, any security incident resulting in the destruction, loss, alteration, unauthorized disclosure or access to personal information. The notification will include the nature of the incident, the categories of data and data subjects, the likely consequences, and the corrective actions taken or proposed.
Assistance. The Supplier will reasonably assist the Customer (fees may apply) to: respond to data subject rights requests, conduct privacy impact assessments, document compliance, and cooperate with data protection authorities.
7. Rights of data subjects
The Supplier will redirect to the Client any request received directly from a data subject and will not respond without instructions from the Client, unless required by law. The Client remains responsible for verifying identity and responding to requests.
8. Restitution and deletion
During the term of the contract, the Client may export its data via the functionalities of the Services or on request.
Upon termination or expiration, and upon written request within thirty (30) days, Provider shall return the data in a reasonably usable format. Unless otherwise required by law, data will be deleted or anonymized within ninety (90) days, except for backup copies deleted during their normal cycle.
9. Audits and transparency
Upon reasonable written request (once a year unless there is an incident or regulatory requirement), Vendor will provide available information demonstrating compliance (security policies, control descriptions, available third-party reports). On-site audits require thirty (30) days' notice, agreed scope, limited duration, compliance with Vendor's policies, and a non-disclosure agreement; the costs are to be borne by the Client.

