Privacy Policy
How Syndic+ collects, processes, and protects your personal information under Quebec's Bill 25.
Our commitment#
Syndic+ is committed to protecting the personal information of co-owners, administrators, and managers using the platform, in compliance with Bill 25 (An Act to modernize legislative provisions as regards the protection of personal information, in force since September 2023) and Quebec's Act respecting the protection of personal information in the private sector.
Information collected#
Co-owner data#
- Identity: first name, last name, preferred language
- Contact: email, phone, postal address
- Status: resident or not, primary or secondary owner
- Unit: number, fraction, cadastral lot
- Payments: assessment history, outstanding balance
Syndicate data#
- Declaration of co-ownership
- Meeting minutes
- Financial statements
- Insurance policies
- Technical documents (plans, permits)
Technical data#
- IP address, browser, OS
- Access logs (login/logout)
- In-app actions (audit log)
Purposes#
Syndic+ uses your data to:
- Provide the service — syndicate management, communications, billing
- Legal compliance — Bill 16 (notices, meetings), Bill 141 (water heaters), Bill 25 (security incidents)
- Security — detect suspicious logins, auditing
- Product improvement — aggregated and anonymized statistics
Consent#
By creating a Syndic+ account, you explicitly consent to the processing of your data for the purposes above. You may withdraw your consent at any time by contacting us (see Contact section).
Hosting and transfers outside Quebec#
Your data is hosted:
- Databases: Supabase (
aws-us-east-1region, Virginia, USA) - File storage: Supabase Storage (same region)
- Transactional emails: Resend (USA)
Because some data transits outside Quebec, Bill 25 requires us to assess risks and obtain your express consent. You consent to the transfer by accepting this policy.
A Canada hosting option (Supabase aws-ca-central-1) is planned for 2026-Q4. Enterprise syndicates can request it today.
Retention periods#
| Data type | Retention |
|---|---|
| Active co-owners | As long as the unit is active + 7 years after departure |
| Meeting minutes | Permanent (legal requirement) |
| Financial statements | 10 years (tax requirement) |
| Audit logs | 3 years |
| Payment data (cards) | Not stored — processed by Stripe |
| Deleted accounts | 30 days (trash) then permanent purge |
Your rights#
Under Bill 25, you have the right to:
- Access your personal information (JSON download via Settings → Privacy)
- Rectify inaccurate data
- Be informed about automated use (Syndic+ uses no automated decisions with legal effect)
- Portability — export your data in a structured format
- Withdraw consent and request deletion
To exercise a right: dpo@syndicplus.ca or from Settings → Privacy → Exercise a right.
Security#
- Encryption in transit: TLS 1.3
- Encryption at rest: AES-256 on Supabase
- Secrets: HashiCorp Vault
- Passwords: argon2id (never in plaintext)
- 2FA: TOTP, SMS, WebAuthn passkey
- Audits: SOC 2 Type II (in progress — 2026-Q3)
Privacy incidents#
As required by Bill 25, Syndic+ notifies the Commission d'accès à l'information (CAI) and affected individuals in case of an incident presenting a "risk of serious injury", as soon as possible and no later than 72 hours after discovery.
Incident register: available upon request by competent authorities.
Cookies and trackers#
Syndic+ only uses strictly necessary cookies:
session— authentication (7-day lifetime)csrf-token— CSRF protectionlocale— preferred language
No advertising cookies or third-party pixels. Google Analytics is disabled.
Contact#
Privacy Officer (DPO):
Syndic+ inc. dpo@syndicplus.ca 1234 Main Street, Montreal, QC
Complaint to the CAI: cai.gouv.qc.ca
Changes#
This policy may be updated. For material changes, we notify you by email 30 days before the effective date. Last revision: January 1, 2026.