Created July 3, 2025 — Updated April 6, 2026
Version française — In the event of any discrepancy between the French and English versions, the French version shall prevail.
1. Introduction and commitment
Solutions néSaaSity S.E.N.C. (“the Company”, “we”, “our”), the operator of the Paymely.app application (“Paymely”, “the Service”), is committed to protecting the confidentiality and security of personal information. This Privacy Policy describes how we collect, use, disclose and protect personal information in accordance with the laws applicable in Quebec and Canada, including:
- Quebec's Act respecting the protection of personal information in the private sector, as amended by Law 25 (An Act to modernize legislative provisions as regards the protection of personal information);
- The federal Personal Information Protection and Electronic Documents Act (PIPEDA);
- Canada's Anti-Spam Legislation (CASL) as it relates to commercial electronic messages.
2. Person responsible for the protection of personal information
In accordance with Law 25, we have designated a person responsible for the protection of personal information to ensure compliance with this policy and applicable laws:
Name: Simon Fortin
Title: Person responsible for the protection of personal information
Email: privacy@nesaasity.ca
Address: Solutions néSaaSity S.E.N.C., Chambly, Quebec, Canada
Any question, access request, complaint or request to exercise your rights may be directed to this person.
3. Our roles: data controller and data processor
Our role varies depending on the type of data:
- Data controller: We act as data controller for personal information we collect directly from our clients (businesses that subscribe to Paymely) for account creation and management.
- Data processor: We act as data processor for information that our clients upload to the platform regarding their own customers (debtors). In this case, our client is the data controller, and we only process this data according to their instructions.
This policy primarily covers our obligations as data controller. Our obligations as data processor are governed by our terms of use and data processing agreements concluded with our clients.
4. Information we collect
4.1. Client data (as data controller)
We collect the following information directly from our clients' representatives:
- Full name
- Professional email address
- Professional phone number
- Job title
- Account password (stored in encrypted form)
- Payment information (processed directly by Stripe; we never store your credit card data)
- Company name
4.2. Debtor data (as data processor)
Our clients may upload the following information about their own customers (debtors):
- Full name
- Email address
- Phone number
- Invoice amounts and details
- Payment history
- Communication notes
Important: Our client is the data controller for this data. We only use it in accordance with our client's instructions and the purposes intended by the Service.
4.3. Technical and usage data
- IP address
- Browser type and device
- Pages viewed and interactions with the Service
- Technical log data
- Cookies and similar technologies (see our Cookie policy)
5. Purposes of collection and use
We use personal information for the following purposes:
- Providing the Service: Creating and managing accounts, enabling login, ensuring proper functioning of subscriptions and platform features.
- Payment processing: Billing subscription fees and credit purchases through our payment provider (Stripe).
- Service communications: Sending important Service updates, security alerts, invoices, renewal notifications and responses to support requests.
- Commercial communications: With your consent, sending emails about new Paymely features. You may unsubscribe at any time via the unsubscribe link included in each email, in compliance with CASL.
- Automated processing and artificial intelligence: Certain features of the Service use artificial intelligence (AI) to assist our clients, including automated payment detection and communication suggestions. No sensitive data is sent to AI providers. No decision with a legal effect on you is made exclusively by automated processing without human intervention. In accordance with Law 25, you have the right to be informed when automated processing is used and to submit your observations.
- Service improvement: Analyzing Service usage in aggregated and anonymized form to improve our features.
- Legal compliance: Meeting applicable tax, financial and regulatory requirements.
6. Sharing and disclosure of information
We do not sell your personal information. We may share it with third-party service providers (processors) who help us operate our Service, within the following limits:
6.1. Providers with data hosted in Canada
- Supabase (database): Database hosting on Amazon Web Services (AWS) in the ca-central-1 region (Montreal, Canada).
- Upstash (task scheduling and rate limiting): Services hosted in the AWS ca-central-1 region (Canada).
- Vercel (application hosting): Hosting and serving the web application from servers located in Montreal, Canada.
- Telnyx (SMS delivery): Sending SMS follow-up messages on behalf of our clients, via Canadian phone numbers. Data hosted on Canadian nodes.
6.2. Providers with data hosted in Europe
The European Union offers a level of personal information protection comparable to that of Quebec and Canada, through the General Data Protection Regulation (GDPR), which directly inspired Quebec's Law 25.
- Resend (email delivery): Sending service emails and follow-up communications on behalf of our clients. Data hosted in the eu-west-1 region (Ireland, European Union).
- Sentry (error monitoring and performance): Automatic detection of technical errors and application performance monitoring to ensure the reliability and stability of the Service for our users. Data hosted in the eu-central-1 region (Frankfurt, Germany, European Union). No sensitive data, no debtor personal information, and no financial data is transmitted to Sentry. Only technical data is collected (anonymized identifiers, browser type, pages visited during an error, code execution traces). IP addresses are not stored.
6.3. Providers whose data may transit through the United States
In accordance with Law 25, we inform you that some of our service providers are based in the United States. Before any transfer, we have conducted a privacy impact assessment for each of these providers to ensure that an adequate level of protection is offered:
- Stripe (payment processing): Secure credit card payment processing. Stripe is PCI DSS Level 1 certified. We never store credit card data on our servers.
- OpenRouter (artificial intelligence): Processing AI requests for payment detection and content generation features. No sensitive data is sent to this provider.
- Google Analytics (website analytics): Collecting anonymized data about website usage for improvement purposes. This data is collected with your consent through our cookie management mechanism.
We ensure that each provider offers appropriate contractual guarantees in accordance with Law 25 requirements regarding cross-border transfer of personal information.
7. Your privacy rights
In accordance with Law 25 and PIPEDA, you have the following rights:
- Right of access: You may request access to the personal information we hold about you. We will respond to your request within thirty (30) days.
- Right to rectification: You may request correction of any inaccurate or incomplete information, including through the “Profile” section of your Paymely account.
- Right to erasure (“right to be forgotten”): You may request deletion of your personal information:
  - By cancelling your subscription from your account, which results in immediate suspension followed by permanent deletion after a ninety (90) day grace period.
  - By contacting the person responsible for the protection of personal information for accelerated deletion. We will retain only data required by law (see section 9).
- Right to data portability: You have the right to receive your personal information in a structured, commonly used digital format (e.g. CSV, JSON).
- Right to de-indexation: You may request that links to your personal information be de-indexed when their dissemination contravenes the law or a court order.
- Right to withdraw consent: You may withdraw your consent at any time for the processing of your information for commercial communications, using the unsubscribe link in our emails or by contacting us directly.
- Right to information about automated decisions: In accordance with Law 25, you have the right to be informed when a decision concerning you is made exclusively by automated processing. You may then submit your observations to a member of our staff able to review the decision.
To exercise any of these rights, please contact our person responsible for the protection of personal information at privacy@nesaasity.ca.
8. Data security
We implement appropriate technical and organizational security measures to protect your personal information, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Secure authentication with encrypted passwords
- Role-based access control within the platform
- Rate limiting to prevent abuse
- HTTP security headers (CSP, HSTS, X-Frame-Options)
- Continuous monitoring and audit logs
9. Data retention
We retain your personal information for as long as necessary for the purposes for which it was collected, respecting the following periods:
- Active account data: Retained for the duration of your subscription and up to 90 days after cancellation (grace period), after which it is permanently deleted.
- Billing and financial data: Retained for seven (7) years after the last transaction, in compliance with the tax requirements of the Canada Revenue Agency and Revenu Québec.
- Communication logs (emails and SMS sent): Retained for three (3) years after the end of the business relationship, in accordance with applicable limitation periods in Quebec.
- Anonymized and aggregated data: Retained indefinitely, as it no longer allows identification of any individual.
10. Privacy incidents
In the event of a privacy incident presenting a risk of serious harm, we will take the following measures, in accordance with Law 25 and PIPEDA:
- Notification to the Commission d'accès à l'information (CAI): We will notify Quebec's CAI as soon as possible.
- Notification to affected individuals: We will notify individuals whose information is affected by the incident, describing the nature of the incident, the information involved and the measures taken.
- Incident register: We maintain a register of all privacy incidents, which we retain for at least five (5) years.
11. Cookies and tracking technologies
We use cookies and similar technologies to operate and improve our Service. For detailed information about the types of cookies we use, their purposes and how to manage your preferences, please consult our Cookie policy.
12. Complaints and recourse
If you believe your personal information has not been handled in accordance with this policy or applicable laws, you may:
- Contact us directly at privacy@nesaasity.ca. We undertake to respond to any complaint within thirty (30) days.
- If our response is unsatisfactory, you may file a complaint with the Commission d'accès à l'information du Québec (CAI).
- You may also file a complaint with the Office of the Privacy Commissioner of Canada.
13. Changes to this policy
We may update this Privacy Policy from time to time. In the event of a substantial change, we will notify you by email at least thirty (30) days before the changes take effect, and we will publish the updated version on our website with the new update date. Continued use of the Service after the changes take effect constitutes your acceptance of the revised policy.
14. Contact information
For any question or concern, or to exercise your privacy rights, please contact:
Simon Fortin
Person responsible for the protection of personal information
Solutions néSaaSity S.E.N.C.
Chambly, Quebec, Canada
privacy@nesaasity.ca