polire

Privacy Policy for Polaire

Last updated: March 2026

1. Introduction

Polaire is a civic analytics platform that helps Quebec governmental organizations (municipalities, ministries, transit agencies) understand citizen feedback on their public communications. This privacy policy explains how we collect, use, store, and protect personal information in accordance with Quebec's Law 25 (Act to modernize legislative provisions as regards the protection of personal information).

This policy applies to all services offered by Polaire, including our website, our application, our newsletter, and our processing of data from third-party platforms.

2. Privacy Officer

The person responsible for the protection of personal information at Polaire is:

Hadrien Bertrand
Chief Technology Officer (CTO)
privacy@polaire.quebec

For any questions regarding this policy, your personal data, or to exercise your rights, please contact the privacy officer at the address above.

3. Information We Collect

a) Account Data

When you create an account on Polaire, we collect:

  • Email address and/or phone number
  • Name
  • Password (stored in hashed, non-reversible form)
  • Language preference (French/English)
  • Organizational affiliation (if applicable)

b) Citizen Comments

When comments are submitted to or imported into Polaire, we collect:

  • Comment text
  • Postal code (used for geolocation by Forward Sortation Area)
  • Submission date

c) Facebook Page Data

Our platform accesses publicly available data from governmental Facebook Pages through Meta's Graph API. We collect:

  • Public posts from those Pages
  • Public comments on those posts
  • Reaction counts on posts

Important: It is Polaire, not Meta, that collects and processes this data. We use the following Meta permissions: pages_read_engagement, pages_read_user_content, and Page Public Content Access.

d) Technical Data

When you visit our site, we automatically collect:

  • IP address
  • Browser type and operating system
  • Session cookies required for authentication

e) Consultation Responses

When you participate in a public consultation on Polaire, we collect:

  • Structured answers to consultation questions
  • Voice recordings (when you choose to record a voice answer instead of typing). Recordings are automatically transcribed to text; the audio is temporary.
  • Optional open-ended text
  • Postal code (for geographic analysis by Forward Sortation Area)
  • Submission date and time

This data is linked to your user account. Your postal code is also saved to your account profile for use in future consultations. Responses are shared with authorized members of the organization that created the consultation (individual response review and CSV data export). Open-ended text enters the AI processing pipeline (see Section 6). You can edit or withdraw your response while the consultation is open (see Section 7).

4. Purposes of Processing

We use the information we collect for the following purposes:

  • Account data: to create and manage your account, authenticate you, and communicate with you (email verification, password reset)
  • Citizen comments: to classify comments by category and sub-category, geolocate them by region, and generate aggregate summaries to help governmental organizations understand citizen feedback
  • Facebook Page data: to analyze in aggregate the trends in citizen feedback on public governmental communications
  • Technical data: to ensure the security and proper functioning of our services
  • Consultation responses: to enable individual response review, geographic analysis by FSA, aggregate statistics, and data export by authorized organization members

5. Legal Basis for Processing

We process personal information on the following bases:

  • Consent: for account data, we obtain your explicit consent when you create your account. You may withdraw this consent at any time.
  • Publicly available information: public comments on Facebook Pages are publicly available information under the law. We collect them without individual consent in accordance with the applicable provisions of the Act respecting the protection of personal information in the private sector. This data is processed exclusively for aggregate civic analytics purposes.
  • Consultation participation: express consent obtained via checkbox acknowledgment at the time of response submission. This consent may be withdrawn by withdrawing your response while the consultation is open.

6. Automated Processing

Polaire uses artificial intelligence technologies to process citizen comments. This processing includes:

  • Language detection and automated translation
  • Automated classification by category and sub-category
  • Generation of aggregate summaries by geographic area
  • Speech-to-text transcription of voice recordings (the transcript becomes your text answer)

This automated processing is applied to public data (Facebook comments) and to open-ended text submitted through consultations. It is intended to produce aggregate analyses and is not used to make decisions about specific individuals.

You have the right to request information about the personal data used in this automated processing and the main parameters involved. Contact the privacy officer to exercise this right.

7. Data Retention

  • Account data: retained as long as your account is active. After account deletion, your data is erased within 30 days.
  • Raw Facebook comments and posts: processed and then deleted within 90 days. Only aggregated, anonymized analysis results are retained for the duration of our service agreement with the governmental organization.
  • Citizen comments submitted through Polaire: retained for the duration of the service agreement with the relevant organization, then deleted or anonymized.
  • Technical data: session cookies expire at the end of your session. Server logs are retained for 30 days.
  • Withdrawn consultation responses: AI-processed data (translations, classifications, embeddings) is deleted immediately upon withdrawal. The response record itself is retained for a reasonable audit period, then deleted or anonymized.
  • Voice recordings: audio files are automatically deleted 3 months after the consultation closes. The text transcript persists as part of your consultation response.

When the retention period expires, personal information is destroyed or irreversibly anonymized.

8. Third-Party Service Providers

We use the following service providers, who are contractually required to protect the confidentiality of your information:

  • Cloud hosting: provider located in Quebec, Canada — application and database hosting
  • Transactional email service: provider located in the United States — sending verification and password reset emails (only the recipient's email address is transmitted)
  • AI processing service: provider located in France — comment classification and summarization (only comment text is transmitted, without personal identifiers)
  • Meta Graph API: servers located in the United States — retrieval of public posts and comments from Facebook Pages
  • Governmental organizations: organizations that create consultations on Polaire receive individual-level responses via the platform and via CSV data export. These organizations are subject to the Act respecting the protection of personal information in the public sector (LPRPSP).
  • Speech-to-text and audio storage service: provider located in Canada (Montreal region) — transcription of voice recordings and temporary audio file storage (only audio content is transmitted, without personal identifiers)

We do not sell, rent, or transfer any personal information to third parties.

9. Cross-Border Transfers

Some of our service providers are located outside Quebec. Before any transfer of personal information outside Quebec, we conduct a Privacy Impact Assessment (PIA) in accordance with Law 25 to ensure that the information receives adequate protection. Contractual agreements are in place with each provider to guarantee the confidentiality and security of the data.

Current transfers involve:

  • Transactional email delivery (United States)
  • AI processing (France)
  • Retrieval of public data via Meta's Graph API (United States)

10. Your Rights

In accordance with Quebec's Law 25, you have the following rights over your personal information:

  • Right of access — view the information we hold about you
  • Right to rectification — have inaccurate or incomplete information corrected
  • Right to erasure — request the deletion of your information when it is no longer necessary
  • Right to portability — receive your information in a commonly used digital format
  • Right to withdraw consent — withdraw your consent at any time
  • Right regarding automated processing — know what information and main parameters were used in automated processing, and to contest it where applicable

To exercise these rights, contact the privacy officer at privacy@polaire.quebec. We will respond to your request within 30 days.

11. Complaint Process

If you believe your personal information has not been handled in accordance with this policy or applicable law:

  1. Contact our privacy officer at privacy@polaire.quebec.
  2. We will acknowledge receipt of your complaint within 5 business days.
  3. We will provide a written response within 30 days.
  4. If you are not satisfied with our response, you may file a complaint with the Commission d'accès à l'information du Québec (CAI): www.cai.gouv.qc.ca.

12. Cookies and Tracking Technologies

Polaire uses only session cookies strictly necessary for the operation of the application (authentication and maintaining your session). These cookies are not used to track or profile you.

We do not currently use any third-party analytics tools or any profiling or geolocation technologies. If this changes, we will update this policy and obtain your prior consent.

13. Data Deletion for Facebook Commenters

If you have commented publicly on a governmental Facebook Page and wish to have your comment removed from our analysis database, you can submit a deletion request:

We will process deletion requests within 30 days.

14. Data Security

We implement appropriate technical and organizational security measures to protect your personal information, including:

  • Encryption of data in transit (TLS/HTTPS)
  • Encrypted password storage (hashing)
  • Encryption of audio recordings at rest (server-side encryption)
  • Restricted data access based on the principle of least privilege
  • Hosting on secure servers in Canada

15. Confidentiality Incident Management

We maintain a confidentiality incident register in accordance with Law 25. In the event of an incident presenting a risk of serious injury:

  • We take immediate measures to contain the incident and prevent recurrence
  • We notify the Commission d'accès à l'information du Québec promptly
  • We inform affected individuals promptly

16. End of Service

In the event of cessation of our services or termination of a service agreement with a governmental organization, all associated personal information is deleted or irreversibly anonymized within 90 days, including data obtained from Meta's API.

17. Changes to This Policy

We may modify this policy from time to time. The most recent version is always available on our website with the date of the last update. In the event of a significant change, we will notify you by email or by a notice on our site.

18. Contact Us

For any questions regarding this policy or your personal information:

Hadrien Bertrand
Chief Technology Officer (CTO)
Person responsible for the protection of personal information
privacy@polaire.quebec