Privacy policy

Version 1.1 · Published April 24, 2026

This policy explains how Wingchum, operated by YN et associés Inc. (Mont Saint Hilaire, Quebec, Canada), collects, uses and protects your personal information in compliance with Quebec's Loi 25 and federal PIPEDA.

1 · Data controller

YN et associés Inc., Mont Saint Hilaire (Quebec), Canada. For any question or request, email privacy@wingchum.ca. We acknowledge within 72 hours and respond within 30 days (Loi 25 art. 35).

2 · Personal information collected

At signup · your email address and a timestamped consent to this policy. After signup · a unique Wingchum ID (format WC-XXXXXXXX) generated by us. Optionally · your consent to product analytics (PostHog), revocable at any time from your profile.

3 · Processing purposes

Passwordless email authentication (magic link), compliance with Loi 25 legal obligations (consent traceability), service improvement via analytics if you consent, operational security.

4 · Subprocessors and recipients

Brevo (Sendinblue SAS, France · magic link email delivery, SOC 2 Type II and ISO 27001, DPA pending signature). PostHog Cloud EU (Frankfurt, Germany · product analytics if consented). Sentry (application observability, error tracking). SimpleLogin (Proton, Switzerland/France · email alias forwarding). OVH (Beauharnois, Quebec · VPS hosting and DNS).

5 · Transfers outside Quebec

Brevo hosts in France (European Union, equivalent protection to Quebec) · privacy impact assessment completed April 21, 2026. PostHog hosts in Germany (EU, equivalent protection). Your email address is pseudonymized as a SHA-256 hash in our internal logging tables.

6 · Retention

Your account and associated information are kept as long as you use the service. After deletion, consent timestamps are retained for 3 years (Quebec civil statute of limitations, art. 2925 of the Civil Code) to prove consent in case of dispute. Brevo logs are retained 6 months on the subprocessor side.

7 · Your Loi 25 rights

Access (art. 32) · obtain a copy of the information concerning you. Rectification (art. 34) · correct inaccurate information. Deletion (art. 40) · request the removal of your account and associated data. Withdrawal of consent (art. 42) · at any time (since Loi 25 consent is the basis of the service, withdrawing it deletes the account). Portability (art. 84) · receive your data in a structured, commonly used format.

8 · How to exercise your rights

Send your request to privacy@wingchum.ca specifying the nature of the request. For questions or complaints about the processing of your information, you may also contact the Commission d'accès à l'information du Québec · www.cai.gouv.qc.ca.

9 · Security

Let's Encrypt TLS encryption for all traffic. Application secrets stored outside source code (macOS Keychain for Nicolas, environment variables on the VPS). Rate-limiting on magic link email delivery. Security journal maintained in the repository (docs/security/log.md, available on request).

10 · Policy changes

We version the policy (currently version 1.1, published April 24, 2026). Any material change will be notified by email at least 14 days before it takes effect, with the option to decline and delete your account before that date.