As a mass mailing newsletter service provider, ADNETIS takes all necessary precautions to preserve the security and confidentiality of personal data processed, in particular to prevent them from being distorted, corrupted, damaged or accessed by unauthorized third parties.
These policies govern the gathering and use of data from recipients concerned by the dispatch of newsletters in Canada (Canada’s Anti-Spam Law (CASL) – C28), in Quebec (Bill 25) and in Europe (RGPD).
Our commitment as a service provider, hereinafter referred to as “We”, meaning ADNETIS and its employees, is to provide the necessary environment and tools so that the client of the newsletter platform, hereinafter referred to as the “Customer”, is able to comply with the various regulations in force.
Subscribers’ data can be collected in three (3) ways:
1. Data collected when subscribing to a newsletter:
A. Email address
- We save the email address in order to communicate with the subscriber in response to their subscription request.
- Saving the email address makes it possible, for example, to send a welcome email confirming the subscription and, at the same time, offer the option of unsubscribing in the event that a subscriber’s email address has been used maliciously.
B. Language of communication
- The original language of communication is set according to the language of the website where the user is located at the moment of the subscription. This data is matched and preserved with the email address in order to send newsletters in the subscriber’s language of correspondence.
C. Other sensitive data
- At the request of a customer, we save any other data presented in a subscription form when they are filled in by the recipient at the time of subscription.
- The information collected may be used to sequence future newsletter mailings according to various interests, or to personalize the subscribers’ experience by displaying personalized information such as the recipient’s “First Name” in the newsletter.
- In certain circumstances, other information invisible to subscribers may be collected at the time of registration, depending on the customer’s needs. This information is mainly used to analyze the composition of a database, or to better understand the interests of subscribers.
- We strongly recommend that our customers do not request sensitive information from subscribers during the newsletter registration process. For example, data concerning payment methods (credit card number) or sensitive information (social security number) should not be captured using our newsletter mailing system. This type of data is not essential to the successful execution of campaigns.
D. Mailing lists
- When subscribing, the recipient enters a mailing list based on the subscription form used. This information is saved for future mailings based on segmentation by centers of interest.
E. Registration date
- The initial registration date is stored in the database as required by Canada’s Anti-Spam Legislation (CASL) – C28. This information provides the basis for explicit consent.
F. Date of consent
- We save the date on which a recipient has consented to receive a newsletter, regardless of whether consent was given at the time of the initial subscription or in a subsequent newsletter.
G. Modification date
- Whenever there is a change in a subscriber’s profile, the newsletter platform assigns and saves the last adjustment date, whether the change is made directly by the subscriber, by one of our employees or by the customer.
- This information is primarily intended to protect personal information and trigger privacy control processes.
* Other than the date of registration and modification, we are not responsible for the accuracy of the information, as it is provided by the subscriber at the time of subscription. However, we are responsible for preserving and securing this information according to the methods mentioned in our usual terms and conditions policies.
2. Data collected and integrated from another system:
A. All data records
- The purpose of the integrated data remains the same as for a subscription made by a recipient, but the data collected comes from a third-party source that we do not monitor. Consequently, we have no control over the accuracy or nature of the information integrated into the newsletter platform.
- We strongly recommend that our customers limit themselves to importing only the data essential to the proper execution of a newsletter campaign. In other words, the email address and language of communication. We encourage the import of secondary data, such as subscribers’ “first name” and correspondence preferences, and limit it to information for segmenting and displaying personalized information in newsletters, avoiding sensitive data.
B. Date on which consent is given
- Our system records and determines the type of consent according to the data transmitted by a third-party system, such as an external CRM, or according to the information provided by the customer.
- When a subscriber has explicitly signed up for a newsletter through another computer system, or when a database has been sent to us with explicit consent, our system integrates the said subscriber under the terms of such consent, with a date of consent specific to each subscriber. This information then appears with the subscriber’s private data. In such cases, this information will enable the explicit consent request to be withdrawn in subsequent newsletters for the intended recipients.
- Our system also allows our customers to comply with Canada’s Anti-Spam Legislation (CASL) – C28 by subscribing to the terms governing mass email communications in Canada. Although optional in the system, our customers are invited to define the type of recipients concerned by implicit consent. In other words, our customers are able to define the following recipient types: a client who has made a purchase, an individual who has requested information, a partner, a service provider, an employee or a public email address where there is a close link between the subject of the newsletter and the professional position. Once an expiration date has been set, our system will use this information to write off all communications to recipients who have not explicitly consented within the prescribed timeframe. In addition, this expiration date could be used to display a request for explicit consent in the body of subsequent newsletters, or to carry out automated mailings aimed at obtaining explicit consent from recipients some time before they reach a cut-off date.
* In all cases, our mandate remains to offer a system enabling our customers to manage explicit and implicit consents in an automated manner based on integrated information. We cannot be held responsible for the accuracy of this information. As with data captured during registration via a subscription form, we have systems in place to protect and secure the data.
3. Data integrated by a customer:
A. All data records
- Whether the data is automatically integrated from an external system, transmitted to our employees as part of our turnkey service solution, integrated manually or massively by the customer, the customer remains responsible for the concerned data. The customer also remains the owner of the data relating to its subscribers.
- We are committed to providing all the information necessary for data integration and the proper execution of a newsletter campaign to users of our solution. We provide bilingual (French and English) customer service and support to ensure the efficient use of our data integration tools. We strive to update our user guides for the emailing platform in a timely manner. We offer expert support and customized solutions.
* We cannot be held responsible for the improper use of our data management tools or misunderstanding of the information transmitted. Only the customer has real power over decisions and actions concerning the data of its subscribers.
Data collected following a newsletter delivery:
A. Newsletter customization
- When a newsletter is sent out, it is fully personalized to each individual subscriber’s profile. In other words, our system assigns technical properties specific to each recipient in order not only to capture statistics, but also to personalize the subscriber experience. This personalization includes: management of the language used for communication, display of recipient-specific data in the newsletter or on a landing page, segmentation by data or mailing list, management of bounces, management of consent and, more specifically, management of recipient unsubscription.
- The newsletter customization techniques that are deployed are necessary for the proper functionality of our solution. The primary objective of data collection remains to provide a pleasant and functional communication experience for subscribers.
B. Newsletter sending history
- Our system records and preserves the history of all newsletters sent, received and viewed in order to manage final delivery. For functional purposes, the history makes it possible to counter the automated resending of a newsletter already received, and to determine the general curve of email addresses reached over time.
C. Newsletter openings
- We detect the opening of outgoing newsletters whenever the subscriber’s technological environment allows it. This capture enables us to establish open rates by campaign, by newsletter and by recipient. The information gathered helps our customers to define recipients’ interest in the newsletters they receive, with a view to increasing their appreciation of the content they receive.
- In certain circumstances, knowing the opening rate enables senders to carry out re-engagement campaigns. This means removing recipients who don’t open newsletters, in order to avoid polluting their inboxes.
- Open detection not only detects whether a particular subscriber has opened a newsletter, but also whether there has been a general deliverability problem for a specific domain.
D. Viewing external links
- Our system captures clicks on all external links in the newsletter. This also includes the email addresses featured in the newsletters. A meter is applied to this indicator to count unique clicks against total clicks. This data enables the customer to track the performance of a newsletter campaign, confirm interest in corresponding subjects, and follow up closely with recipients who have shown greater interest in a given subject.
E. Viewing landing pages
- As with external links, our system detects when landing pages are accessed. Unlike external links, the system also captures page display time, in order to determine the real interest of recipients who have clicked. This capturing is designed to give our customers the opportunity to improve the subscriber experience.
F. UTM source links APPs
- Depending on our customers’ analysis needs, our system allows UTM links to be generated and integrated into a newsletter in order to be able to identify the source of link consultations in external performance analysis tools, such as Google Analytics. We limit ourselves to integrating UTM links into newsletters and preserving these links. We do not capture any data resulting from the use of these links.
G. Website tracking (Cookies)
- At the request of a customer, our employees can introduce a tracking tool (cookie) in the newsletters. When we introduce this tool, we know the precise actions carried out by a specific subscriber on a given website page. The data collected is limited to the pages viewed and does not take into account the length of time or the path taken by the subscriber during their visit. The customer is then able to make his own interpretations of the data collected.
H. IP address
- When a newsletter is opened, our system captures the IP address and, in some cases, the approximate geographical location of its recipients. This technique is deployed to protect subscribers from attempted phishing, profile modification, fraud or extortion.
- Capturing this information enables the detection of multiple openings within a short period of time for different IP addresses in different locations. In such cases, a security system is triggered and the personalization of the newsletter to the recipient’s profile is deactivated. In addition, IP and geographical data are not made available to the customer and are intended to protect the privacy of personal data.
- At the same time as the newsletter is opened, our system captures the browser used by subscribers to improve the compatibility of the multimedia integration techniques used.
J. Language modification
- When a subscriber views a newsletter in a language other than the one in which it was sent, our system modifies the subscriber’s preferred language so that he or she receives future newsletters in the language of choice.
- We record the time of language modification for future reference and comparison with other data acquisition systems such as a CRM.
K. Segmentation history
- Our system preserves the history of subscription preferences by list, but only when a change of interest is made by a subscriber. This data is captured to fulfill recipients’ subscription options.
- When a recipient is manually or massively moved or added to a new subscription list by an external IT system, an employee or a customer, the previous subscription history is not captured.
L. Unsubscription management
- According to our terms and conditions policies, it is imperative that each newsletter contain an unsubscribe link. When consulted, subscribers have several options. They are then able to subscribe to another subscription list, unsubscribe from lists to which they are currently subscribed, or unsubscribe from all communications. When a subscriber makes their selection, they are immediately subscribed or unsubscribed to the concerned list of interest. The system captures the date of subscription to the new interest list, as well as the date of unsubscription.
- We comply with all applicable laws worldwide regarding unsubscribing. Our system applies the “unsubscribe” status to the recipients concerned, in order to respect their wishes and prevent them from being re-subscribed. It then becomes impossible to subscribe an already unsubscribed recipient through massive manual integration or using an external IT system.
- Occasionally, some subscribers request to be unsubscribed by performing the “Reply” action from a received newsletter. In such circumstances, inboxes may use the reply-to address provided in your customer account settings, or the sender’s address (e.g. email@example.com). If the request is forwarded to the reply-to address, it becomes the customer’s responsibility to unsubscribe the recipient. If the sender address is used, the unsubscribe request is lost and we cannot be held responsible, since we have provided a reliable unsubscribe method to the recipient and the inbox uses an unconventional correspondence method.
* Please note that it is possible for a customer to counteract an unsubscription by manually reactivating a recipient, despite a warning message appearing in the recipient management system. In such a case, we cannot be held responsible for any actions resulting from this manipulation.
M. Bounced email addresses
- When the customer uses a reply address made up of @solutions-emailing.com, our newsletter system will declassify bounced email addresses. These email addresses then become classified as invalid. We preserve this information to make it impossible to reintegrate these addresses. As a result, the recipient will no longer be able to subscribe with this email address, even if he or she uses a subscription form.
- When the customer uses a response address consisting of @solutions-emailing.com, our system will receive all automated “Absence” messages. These messages are routed to an internal response management address accessible only by certain of our employees. No third party has access to this information.
A. Securing your access
- Our customer account is protected by a unique password linked to your username, i.e. your e-mail address. Generated at random, this access password is not known by our employees. Once the access password has been generated and the customer has logged on to the newsletter management system, it is possible for the user to change the password. Once again, our employees are unaware of this password.
* We cannot be held responsible for the recovery of a user’s password in such circumstances: automatic saving of the password on a workstation, takeover of a workstation by a hacker, workstation left unattended, exchange of password with a colleague or third party and saving of the password in an electronic or physical file.
B. Access levels
- The newsletter mailing system has a multitude of access levels. By definition, users have unlimited access to all platform functions, including managing subscriber data.
- Our customers can define different levels of access for certain users. The possibilities are as follows: display data without the possibility of modifying or extracting it, or hiding the display of sensitive data.
- It is the customer’s responsibility to ask our employees to define specific access levels for their various users. In addition, it becomes the customer’s responsibility to inform our employees that a user has left his or her position, in order to remove access to the system.
C. Securing our customers' workstation
- Although we do not control our customers’ workstations and the automatic saving of their passwords within a browser, the newsletter platform has a mechanism for detecting extended session inactivity, making access to the account unavailable. Following an extended period of inactivity, the password is then required to continue accessing the account.
D. Our employees' access
- For logistical reasons, technical support or collaboration as part of a turnkey solution, our employees have access to all our customers’ newsletters and data.
- All our employees’ workstations are secured using VPN remote connections protected by private bandwidth. These workstations are also secured by anti-virus software that is regularly updated according to rigorous internal processes.
- The download and handling of sensitive data by our employees is systematically recorded and periodically checked by administrators.
E. Data transfer
- In the context of technical support for data import, the transmission of databases containing sensitive information to our employees may be required. In such circumstances, we invite our customers to upload the information directly into the system or to use a recognized tool for the secure transfer of electronic documents. In addition, we invite our customers to remove any sensitive data that is not essential to the efficient execution of a newsletter campaign.
- Despite this invitation, we are committed to destroying all databases transferred by email following the download and to storing these databases in secure strategic locations on our internal servers.
* We cannot be held responsible for the interception of data sent by email or any other system of transfer. In addition, we cannot be held responsible for holding sensitive information if the customer has failed to remove such information prior to transfer.
A. Protection between customer accounts
- Our solution features a secure system that does not allow data to be exchanged between customer accounts. In other words, it is impossible for a user of one customer account to access another customer account.
B. Protection of the newsletter platform
- The accessibility of all the web pages composing our newsletter mailing solution is protected by a secure hypertext transfer protocol (HTTPS) with authentication certification issued by a third-party authority.
C. Data hosting
- All data is hosted on servers located in a secure data center in Canada, in the province of Quebec, by a trusted service provider. This service provider is committed to providing high quality hosting for all recipient private information.
- The data center in which infrastructure activities take place meets expectations in terms of equipment configuration to ensure continuity of services. Continuous cooling of server rooms and redundancy of power supply are applied. At the same time, other mechanisms, such as network backup, ensure service recovery in the event of an incident.
- The server rooms are equipped with lightning conductors, a fire detection system, generators with 24-hour autonomy, uninterruptible power supplies (UPS) of sufficient capacity and emergency transformers with automatic load switching.
- Physical access to the servers on which subscribers’ data is stored is based on restrictive perimeter security, effective from the entry zone. Security measures are put in place to control access to physical sites. Employees are required to wear an identification badge linked to their identity, and to wear it visibly. This identification is deactivated as soon as its owner is no longer authorized to access the facilities, or when it is no longer used for more than three weeks.
D. Compliance and certifications
- Our customers’ data is hosted in an environment that meets the requirements of several standards and certifications (PCI-DSS certification, ISO/IEC 27001 certification, SOC 1 TYPE II and SOC 2 TYPE II attestations).
- In line with its standards, security audits are carried out on a regular basis to ensure compliance and data security. Technical audits are carried out by internal or external auditors and include, without limitation, intrusion tests, vulnerability scans and code reviews. When a non-compliant situation is identified, a corrective measure is added to the action plans already in place. All these measures are formally tracked and traced, and regularly reviewed for effectiveness. The nature and frequency of the audits carried out depend on the solutions and scope.
E. Risk management
- IT experts do their very best to ensure the security of newsletter subscribers’ data, as well as that of the customer himself. The data is hosted in an environment based on the ISO 27005 standard. This methodology formalizes the analyses carried out: identification of assets, critical business processes, threats and vulnerabilities.
F. Infrastructure monitoring
- Our system is equipped with a multitude of monitoring processes to ensure the smooth operation of the entire solution:
G. Alert systems
- The email marketing platform is equipped with an alert system designed to detect production and security incidents, with a focus on notifying responsible parties and triggering appropriate procedures depending on the situation.
Three (3) alert levels are implemented:
Level 1 - Sending problems
An alert is triggered within minutes of detecting a sending problem or a connection failure between dispatch servers. A rapid crisis management process is set in motion, and developers are immediately assigned to resolving the situation.
Level 2 - Sending in progress
Each regular or scheduled newsletter delivery in progress triggers a sending alert to all employees, in order to validate the compliance of deliveries with our terms and conditions policies. In the event of an unsolicited or irregular mailing, a discussion process is initiated with the customer to find solutions for either stopping a mailing in progress or improving the situation for future newsletters.
Level 3 - Errors generated in the platform
All errors generated by users or the platform’s functionality code are communicated to the development team. Depending on the nature of the error, rapid intervention may be required. An action plan is drawn up and solutions put into practice.
These alerts benefit from a continuous improvement process for monitoring, evaluation and overall management of incidents and their corrective actions.
H. Our experts' roles
- Roles and responsibilities between platform developers and newsletter production specialists are separated.
- The developers document the code that is created, deal with errors, manage access, secure data backup, identify vulnerabilities and make periodic improvements to infrastructure security.
- Newsletter specialists validate new solution functionalities, carry out tests in approval environments and validate the progressive deployment of solutions.
A. Policy updates
B. Communicating updates
- In certain circumstances where significant changes are made to our data collecting methods, communication will be made to our customers.
Last updated: August 4, 2023