Upclick careers and job opportunities

Privacy
Policy

Security and Privacy are our priority.

EN FR ES IT DE PT JA

PRIVACY POLICY

Last Modified May 15, 2026


Document reference: Upclick Privacy Policy Current version: 3.0 Effective date: May 15, 2026 Supersedes: Version 2.0 dated April 15, 2026 Previous versions available on request from: dpo@upclick.com

This Privacy Policy (the “Policy”) describes the data collection and processing practices of Avanquest Software SAS dba Upclick and its subsidiaries and Affiliated Companies (“UpClick” “we,” “us,” or “our”) from (i) visitors to our site available at: www.upclick.com or https://u-bill.com/ or any other website that links to this Privacy Policy (“Visitors” and “Website”, respectively); (ii) Customers of our Business Partners, using our Services when purchasing a product online (all as detailed and defined below) (“Customers”); and (iii) our affiliates and merchants (“Business Partners”).

Data controller. Avanquest Software SAS is the data controller of the Personal Information provided that are processed in connection with the Services.

7270356 Canada Inc., operating as Avanquest Canada, is a subsidiary of Avanquest Software SAS and supports the operation of the Services in Canada, including customer relations, local compliance, and administrative functions.

We can be contacted at: contact@avanquest.com for general inquiries, or at dpo@upclick.com for privacy-related inquiries.

For the purpose of this policy, the “Service(s)” include payment processing and billing services provided directly to Business Partners or to Customers purchasing products and services of our Business customers.

We set out below information about the personal data we collect, how we process and use it, and the legal basis on which we do so. A complete mapping of each processing purpose to its legal basis is provided in the Legal Bases for Processing Personal Data table below.

As a general overview:

  • Where a Business Partner registers for or uses our Services, processing is based onperformance of a contract(GDPR Art. 6(1)(b));
  • Where aCustomerpurchases goods or services through our platform, processing is based onperformance of a contract(GDPR Art. 6(1)(b));
  • Where we process data for website functionality, fraud prevention, security, and business operations, we rely onlegitimate interest(GDPR Art. 6(1)(f));
  • Where we send newsletters or place non-essentialcookies, we rely on yourconsent(GDPR Art. 6(1)(a) andePrivacyDirective Art. 5(3));
  • Where weretaindata for tax, accounting, or regulatory purposes, we rely oncompliance with a legal obligation(GDPR Art. 6(1)(c)).

Where we rely on legitimate interest, we have conducted a Legitimate Interest Assessment balancing our interests against your rights and freedoms. A summary is available on request from dpo@upclick.com. You have the right to object at any time to processing based on legitimate interest by contacting dpo@upclick.com Where we cannot demonstrate compelling legitimate grounds overriding your interests, rights and freedoms, we will stop the processing.

Legal Bases for Processing Personal Data

The table below sets out each purpose for which we process your personal data, the legal basis we rely on under applicable law, and the relevant legal reference. Where we rely on legitimate interest, a Legitimate Interest Assessment (LIA) has been conducted; a summary is available on request from dpo@upclick.com

Purpose of Processing Categories of Personal Data Legal Basis Legal Reference Jurisdictional Notes
Payment processing and transaction facilitation Name, email, billing address, payment card identifiers (BIN, last four digits), postal code, country, VAT number Performance of a contract GDPR Art. 6(1)(b) LGPD Art. 7(V); Quebec PPIPS s.12
Fraud prevention, anti-fraud scoring, and abuse detection IP address, device identifiers, payment data, behavioral signals, card network data Legitimate interest — preventing financial crime and protecting customers and the business GDPR Art. 6(1)(f) LGPD Art. 7(IX); CASL s.6(6); LIA ref. CLA-LIA-2026-003
Accounting, invoicing, and financial record-keeping Name, billing address, transaction records, invoices, VAT/tax numbers Compliance with a legal obligation GDPR Art. 6(1)(c) — Code de Commerce Art. L123-22 (10-year retention); LPF Art. L102 B (6-year tax audit right) LGPD Art. 7(II); Quebec PPIPS s.12
Tax compliance and regulatory reporting Name, address, CPF/CNPJ (Brazil), VAT number, transaction data Compliance with a legal obligation GDPR Art. 6(1)(c) LGPD Art. 7(II); applicable tax regulations per jurisdiction
Account registration and management Name, email, password (hashed), company name, phone number Performance of a contract GDPR Art. 6(1)(b) LGPD Art. 7(V); Quebec PPIPS s.12
Delivery of purchased products and Services Name, email, license data, device identifiers, activation records Performance of a contract GDPR Art. 6(1)(b) LGPD Art. 7(V); Quebec PPIPS s.12
Subscription renewals and billing management Name, email, payment identifiers, subscription data Performance of a contract GDPR Art. 6(1)(b) LGPD Art. 7(V)
Customer support and help desk Name, email, support ticket content, chat logs, purchase history Performance of a contract — or legitimate interest where support is provided to non-contractual contacts GDPR Art. 6(1)(b) / 6(1)(f) LGPD Art. 7(V) / 7(IX); LIA ref. CLA-LIA-2026-003
Service-related communications to existing customers and Business Partners Name, email, account data Legitimate interest — maintaining the business relationship and operating the Services GDPR Art. 6(1)(f) CASL s.6(6) transactional exemption; LGPD Art. 7(V); LIA ref. CLA-LIA-2026-003
Newsletter and promotional marketing communications Name, email, marketing interaction data Consent GDPR Art. 6(1)(a) + ePrivacy Directive Art. 5(3) CASL S.C. 2010 c.23 — express or implied consent; LGPD Art. 7(I)
Website analytics and traffic measurement (non-essential cookies) IP address (anonymised), cookies, browsing behaviour, device data, referrer URL Consent ePrivacy Directive Art. 5(3); GDPR Art. 6(1)(a) Quebec Law 25 — consent required; CPRA — opt-out of sale/sharing
Strictly necessary cookies and session management Session identifiers, CSRF tokens, load balancing tokens Legitimate interest / technically necessary — exempt from consent requirement ePrivacy Directive Art. 5(3) — exemption for technically necessary cookies Same exemption applies under Quebec Law 25 and CPRA
Advertising, remarketing, and programmatic advertising (non-essential) Cookies, device identifiers, IP address, audience segments, browsing behaviour Consent ePrivacy Directive Art. 5(3); GDPR Art. 6(1)(a) CPRA — opt-out of sale/sharing of personal information; Quebec Law 25 — consent required
Website functionality, compatibility, and anti-spam IP address, browser agent, device identifiers, cookies Legitimate interest — ensuring website security, compatibility, and functionality GDPR Art. 6(1)(f) LGPD Art. 7(IX); LIA ref. CLA-LIA-2026-003
Network and information security, DDoS and bot protection IP address, HTTP request data, device identifiers, behavioral signals Legitimate interest — protecting systems, users, and business from security threats GDPR Art. 6(1)(f) LGPD Art. 7(IX); LIA ref. CLA-LIA-2026-003
Recruitment and candidate management Name, email, phone number, CV, application records Pre-contractual measures taken at the candidate's request GDPR Art. 6(1)(b) — pre-contractual LGPD Art. 7(V); Quebec PPIPS s.12
Compliance with court orders, legal process, and regulatory requests Any data relevant to the legal obligation or proceeding Compliance with a legal obligation GDPR Art. 6(1)(c) LGPD Art. 7(II); applicable procedural law
Exercise and defence of legal claims Any data relevant to the claim or proceeding Legitimate interest — establishing, exercising, or defending legal rights GDPR Art. 6(1)(f); Art. 17(3)(e) — retention for legal claims LGPD Art. 7(VI); LIA ref. CLA-LIA-2026-003
Corporate transactions (mergers, acquisitions, asset sales) Account data, transaction data, business partner data Legitimate interest — business continuity and corporate governance GDPR Art. 6(1)(f) LGPD Art. 7(IX)
Group-wide reporting and business intelligence (anonymised) Fully anonymised and aggregated data only — no personal data retained Not applicable — anonymised data falls outside the scope of GDPR (Recital 26) GDPR Recital 26 Same principle applies under LGPD and Quebec Law 25
Automated decision-making and profiling (fraud scoring) Payment data, device fingerprint, IP address, transaction patterns Legitimate interest — fraud prevention and financial crime prevention GDPR Art. 6(1)(f); Art. 22 — automated decision-making with human oversight LGPD Art. 7(IX)
Brazil — CPF/CNPJ collection for tax and payment compliance CPF / CNPJ (Brazilian individual or corporate tax identifier) Compliance with a legal obligation LGPD Art. 7(II) — legal or regulatory obligation; Brazilian tax and payment regulations Brazil only

Notes on legal bases:

Legitimate interest: Where we rely on legitimate interest as a legal basis, we have assessed that our interest is not overridden by your rights, freedoms, or interests, taking into account the nature of the data, the reasonable expectations of the individuals concerned, and the safeguards in place. You have the right to object to processing based on legitimate interest at any time by contacting dpo@upclick.com. Where we cannot demonstrate compelling legitimate grounds overriding your interests, we will cease the processing.

Consent: Where we rely on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing carried out prior to withdrawal. Withdrawal of consent for non-essential cookies can be exercised via the cookie preference center available on each page of our website. Withdrawal of consent for marketing communications can be exercised via the unsubscribe link in every message or by contacting dpo@upclick.com.

Contract performance: Where processing is necessary for the performance of a contract, providing the personal data is a contractual requirement. Failure to provide the required data may prevent us from delivering the Services or fulfilling our contractual obligations.

Legal obligation: Where processing is required by law, we are not able to accommodate requests for erasure or restriction in respect of that data until the applicable legal retention period has expired.

Information Collection

Depending on your interaction with us (meaning, if you are a Visitor that just browses our Website, or if you have registered to our Services and opened an account, etc.), we may collect the following categories of information about you:

- Non-Personal Information: The first type of information is non-identifiable information which may be made available or gathered through your use of the Services. To clarify, we are not aware of your identity when we collect such information (“Non-Personal Information”). The Non-Personal Information which is being collected may include your aggregated usage information and technical information transmitted or automatically collected such as (but not limited to): the time and date you access our Website, your actions within our Services (e.g., registration, pages viewed, etc.), type of operating system, type of browser, language preference and approximate geo-location (country level).
- Personal Information: The second type of information is individually identifiable information, namely information that identifies an individual or may with reasonable effort identify an individual (“Personal Information”). Personal Information includes either: (i) contact information such as your name, phone number, address, email address, etc., which you have submitted voluntarily; (ii) your Internet Protocol (“IP”) address and MAC address or other Online Identifiers. IP addresses and MAC addresses are treated as Personal Information in all jurisdictions where we operate, in line with GDPR Recital 30, CJEU decision in Breyer (C 582/14) and the California CCPA definition of personal information; (iii) payment information such as, individual taxpayer number, BIN and last four digits of the credit card number. All payment information is handled through industry standard secure protocols and where appropriate in accordance with relevant Payment Card Industry (“PCI”) compliance standards.
- Special Categories of Personal Data (GDPR Article 9): We do not intentionally collect or process special categories of personal data as defined under GDPR Article 9 — such as health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, or trade union membership — directly from individuals for our own purposes as a data controller.

However, certain Business Partners, including organisations operating in the healthcare, legal, and financial sectors, may use our Services (including SodaPDF) to process, store, or electronically sign documents that may contain special category data. In such cases:

  • The Business Partner acts as thedata controllerand is solely responsible for ensuring that the processing of special category datacomplies withGDPR Article 9 and all applicable laws, including obtaining any necessary explicit consent or other valid legal basis under GDPR Article 9(2) from the relevant data subjects;
  • We act exclusively as adata processorand process such data solely on the documented instructions of the Business Partner,in accordance withour Data Processing Agreement (DPA);
  • We do not access,analyse, or use the content of documents uploaded or processed by Business Partners for any purpose other than providing the Services as instructed;
  • Business Partners processing special category data through our Services are required to have a valid legal basis under GDPR Article 9(2), to have an active DPA in place with us, and to notify us if their use of our Services involves the processing of special category data so that appropriate additional safeguards can be agreed.

If you are a Business Partner processing special category data through our Services and you do not yet have a DPA in place with us, please contact dpo@upclick.com to request one. Business Partners may also request our Technical and Organisational Measures (TOMs) document to assess the suitability of our security measures for special category data processing.

If we become aware that special category data has been inadvertently collected or processed outside the scope of a valid DPA or Business Partner instruction, we will take immediate steps to delete that data and notify the relevant parties.

How We Collect Information

Depending on the nature of your interaction with the Services, we may collect information as follows:

1. Automatically - we may useCookies (as elaborated in the Section below) to gather some information automatically, including by accessing your local storage.

2. Provided by you voluntarily - we will collect information if and when you choose to provide us with the information, such as through a registration process, contacting us communications, payment process, etc.

3. By third parties - for example, our third-party services providers who process your information on our behalf, such as supportcentres, credit vendors, and so forth.
You are not required by law to provide us with any information. You can always avoid providing us with certain Personal Information; however, you acknowledge that it may prevent us from providingyoucertain Services that rely on such information.
In the event we combine Personal Information with Non-Personal Information, the combined information will be treated asPersonal Informationfor as long as itremainscombined, or attributable to an individual person.


Information we collect from visitors of our Website

Type of Information Purpose
In the event you contact us for support or other inquiries, either through the online form available on the Website, by sending us an email or by other means of communications we make available, you will be requested to provide us your name and email address. We will use this information solely for the purpose of responding to your inquiries and providing you with the support or information you have requested.
In the event you are interested in joining our team, and wish to submit your CV, you will be required to provide us with your name, email address, phone number, and to submit your CVs. Your provision of personal information in connection with recruiting is voluntary, and you determine the extent of information you provide us. We will use the information you have provided solely to communicate with you, to manage our recruiting and hiring processes, and to comply with corporate governance, legal and regulatory requirements. If you are hired, the information may be used in connection with employment and corporate management.
If you voluntarily subscribe to our newsletter you will be asked to provide us with your email address. You can unsubscribe at any time using the unsubscribe option within the body of the newsletter or rather or by contacting customer support at dpo@upclick.com We will use your email address as part of our mailing list, in order to send you information related to our Services and to keep you up to date regarding new Services, as well as provide you with Business-to-Business tips.
IP address, cookies, tags, pixels and similar online identifiers, including browser agents, device identifiers, and referrer URL are processed about Visitors and Customers. (“Online Identifiers”) We either directly or indirectly may collect Visitors’ IP address, certain cookie information for session validation, anti-fraud and anti-spam purposes, so as for compatibility and website functionality. For these purposes, we use this information as part of our legitimate interests of (i) operating, providing, maintaining, protecting, managing, customizing and improving our Website and Services and the way in which we offer them; (ii) enhancing your experience with the Services; and (iii) fraud prevention and browsing protection.
Additional use is based on your consent and includes auditing, analyzing and tracking usage and traffic flow (analytics and business intelligence).
We also collect certain technical Non-Personal Information (as detailed above) which relates to your use of the Website. This includes user agents (namely, the browser you use, version, language). We use this technical data in order to operate, manage and improve our Website.

Information We Collect from Business Partners

Type of Information How Do We Use It?
You can sign up as a Business Partner through our Website, during which you will be required to register and open an account. During the registration flow, you will be requested to provide us with certain information such as your full name, email address, phone number, company name and address. Further, during the registration process, you will be required to create a password, at which time you thereby represent and warrant that you are responsible for maintaining the confidentiality of your details and password. You represent and warrant that you will not provide us with inaccurate, misleading or false information. We will use this information for the purpose of performing our contract with you, providing you with the Services you have requested, and designating your account. We will use your email address and phone number in order to send you needed information related to the Services and our business engagement (e.g., send you a Welcome message, to notify you regarding any updates to our Services, send applicable invoices, and additional occasional communications related to the Services) as well as verify your identity.
We also collect certain technical Non-Personal Information (as detailed above) as a Visitor to the Website and as detailed above. see the table above.

Information We Collect from Customers of the Service

Type of Information How Do We Use It?
When you purchase a product through our Service you will be requested to provide us with certain information that is related to your payment and billing, such as your full name, email address, postal code, address, country and payment information as per your selected payment method. You have the option of also providing us with your phone number.
For customers located in Brazil, we also collect an individual identification number (CPF/CNPJ). For B2B customers, we also collect the applicable VAT number.
We will use this information for the purpose of performing our contract with you, provide you with the Services you have requested and facilitate your payment of the goods, products or services you purchase, billing and tracking renewals. If a phone number is provided, support staff may contact you via a free call in order to provide assistance on use, functionality or installation of your purchased products.
We also collect certain technical Non-Personal Information (as detailed above) as a visitor to the Website and as detailed above. see the table above.

Sharing Personal Data

As a general principle, we do not share Personal Information collected from you with third parties unless required to provide, process or facilitate the Services, monitor them, protect or operate them, including with the following categories of third parties, in the respective circumstances:

  • Third Party service providers - we share your information withthird parties that perform services on our behalf (for example API providers, payment processors,tracking, hosting, service functionality and support, marketing). These third parties maybe located indifferentjurisdictionsand include payment service providers, card networks (Visa, Mastercard, etc.),acquiringbanks, and credit bureaus foranti fraudscoring;
  • Law Requirement - we will share your information, solely to the extent needed tocomply withany applicable law, regulation, legalprocessor governmental request (i.e., tocomply withcourts injunction, etc.);
  • Policy Enforcement - we will share your information, solely to the extent needed to enforce our policies including investigations of potential violations thereof or to detect, prevent, ortake actionregardingillegal activities or other wrongdoing, suspectedfraudor security issues;
  • Company’s Rights - we will share your information, solely to the extent needed toestablishor exercise our rights to defend against legal claims;
  • Third Party Rights - we will share your information, solely to the extent needed to prevent harm to the rights, property or safety of us, our users, yourself or any third party or for the purpose of collaborating with law enforcement agencies or in case we find it necessary in order to enforce intellectual property or other legal rights.
  • Affiliated companies - certain personal information may be shared with our affiliated companies for the purposes of group-wide operations, reporting, and service delivery. The entities that may receive your personal data include:
    • ClaranovaSE (France) — ultimate parent company, groupgovernanceand reporting;
    • Avanquest Software SAS (France) — EEA data controller, productdevelopmentand operations;
    • Avanquest Software (7270356 Canada Inc.) dbaAvanquest Canada (Canada) — Canadian operations and technical infrastructure;
    • Avanquest Canada Management Inc. (Canada) — Canadian management entity;
    • AdawareSoftware / CS Network Support Ltd dbaSupportnex(Canada/Malta) — affiliated consumer software brand;
    • myDevicesInc. (United States) — affiliated technology entity;
    • UpclickMalta Limited (Malta) — payment processing and e-commerce operations.

Intra-group data sharing is governed by intra-group data transfer agreements providing equivalent protection to the Standard Contractual Clauses. All group entities are required to process personal data only for the purposes described in this Privacy Policy and in accordance with applicable data protection law.

  • Business Partners - when we provide the Services to a Business Partner through which youencounterour Services, we will process information on their behalf and will share certain billing,orderand invoicing information with such a Business Partner.
  • Corporate Transaction - We may share Personal Information, in the event of a corporate transaction (e.g. sale of a substantial part of our business, merger, consolidation or asset sale). In the event of the above, our affiliated companies or acquiring company will assume the rights and obligations as described in this Privacy Policy.

We may store Non-Personal and Personal Information on our servers or our cloud servers, use or share Non-Personal Information in any of the above circumstances, as well as for the purpose of providing and improving our Service as detailed above.
We may share fully anonymized data (within the meaning of Recital 26 GDPR, such that no natural person can be re identified by reasonable means and no re identification key is retained) with affiliates and third parties for commercial, analytical and statistical purposes. Aggregation without robust de identification is not sufficient for this purpose and is not used as a basis for sharing outside the controller group.

Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, in accordance with applicable law. The specific retention periods for each category of data are set out in the table below. These periods are based on French law (GDPR, Code de Commerce, Code civil, CNIL guidelines) as the most demanding applicable standard, and satisfy or exceed the requirements of all jurisdictions in which we operate – including Quebec (Private Sector Act, CQLR c P-39.1, as amended by Law 25) and California (CPRA).


Data Retention Schedule

Data Category Retention Period Clock Starts Legal Basis
Account and profile data (name, email, login credentials, preferences) Duration of active use + 5 years Last login, last purchase, last support request, or last license activation — whichever is most recent Code civil Art. 2224 — 5-year general prescription
Billing, payment, and invoice data (transaction records, invoices, payment method identifiers) 10 years from the billing transaction Date of each individual transaction Code de commerce Art. L123-22 — 10-year commercial accounting retention. LPF Art. L102 B — 6-year tax audit right
Active subscription data (for customers with ongoing recurring billing) Duration of active subscription + 5 years after last billing event Date of the last successful or attempted billing event GDPR Art. 6(1)(b) — contract performance. Code civil Art. 2224 — 5-year prescription
Product license data (license key, activation records, device associations) Duration of license validity + 5 years Last product activation, last software usage, or license expiry — whichever is most recent Code civil Art. 2224. Code de la consommation Art. L217-12 — 2-year legal guarantee
Perpetual and lifetime license data Duration of product availability + 5 years after product end-of-life (EOL) or last usage, whichever is later. Maximum absolute limit: 15 years from last user activity. Official product EOL date or last software usage — whichever occurs later Code civil Art. 2224. GDPR Art. 5(1)(e) — storage limitation (absolute cap)
Marketing and mailing list data (email, consent records, interaction history) 3 years after last interaction. Consent proof retained for 5 years. Last email open, last click, last opt-in, or last direct marketing interaction CNIL commercial prospecting guidelines — 3-year inactivity threshold. Code civil Art. 2224 — 5 years for consent proof
Customer support data (tickets, chat logs, correspondence) 5 years after the inquiry is resolved Date of ticket closure or last correspondence Code civil Art. 2224 — 5-year prescription. Code de la consommation Art. L217-12 — 2-year consumer guarantee
Recruitment data (CV, contact details, application records) 2 years after last contact with the candidate, deleted earlier on candidate request Last interview, last email, last communication CNIL doctrine on recruitment, 2 year inactivity threshold. Code civil Art. 2224, 5 year prescription for disputed hiring processes
Free user accounts (account data for non-paying users) 3 years after last login or interaction Last login, last feature usage, or last account activity CNIL guidelines — 3-year inactivity threshold for inactive accounts
Trial accounts (temporary account data from free trials) 1 year after trial expiry (if no conversion to paid) Trial expiry date GDPR Art. 5(1)(e) — storage limitation / data minimization
Fraud investigation data (flagged accounts, investigation records) 5 years from investigation closure, or duration of legal proceedings + 5 years Date of investigation closure or final court ruling/settlement Code civil Art. 2224. GDPR Art. 17(3)(e) — legal claims exception
Cookies and trackers (non-essential cookies, analytics trackers) Tracker lifespan: 13 months maximum on device. Consent refreshed every 6 months. Data collected via trackers: retained for 25 months maximum from collection. Date the tracker is placed (lifespan) / Date of data collection (retention) CNIL Cookie Guidelines (2020) — 13-month tracker lifespan. ePrivacy Directive Art. 5(3). CNIL guidance — 25-month maximum for analytics data
Connection logs (IP addresses, access logs for e-commerce operations) 1 year from collection Date of connection event LCEN (Law 2004-575) Art. 6-II — 1-year retention for hosting/e-commerce operators

We conduct periodic reviews of retained data and apply automated clean-up processes to ensure data is not retained beyond the periods stated above. When data reaches the end of its retention period, it is either permanently deleted or irreversibly anonymized so that it can no longer be linked to an identifiable individual. Data that is merely hidden from view but remains in our systems is not considered deleted.
In certain cases, we may need to retain specific data beyond the standard retention periods listed above – for example, to comply with a legal obligation, to exercise or defend legal claims, or to fulfil a regulatory requirement. In such cases, we will document the legal basis and limit the extended retention to the minimum period necessary.

Information Security

We take great care in implementing and maintaining the security of our Website, Services and your information. Our processes are aligned with ISO/IEC 27001:2022 (Information Security Management System) and ISO/IEC 27701:2019 (Privacy Information Management System) as implemented by the Avanquest Software SAS, and our payment processing platform is PCI-DSS compliant.
We have implemented technical organizational monitoring protections, and established an extensive information and cyber security program, all with regards to Personal Information processed by Company. For more information regarding our security measures please see https://upclick.com/security.html

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and inform affected individuals without undue delay where the breach is likely to result in a high risk (GDPR Art. 34). For Quebec residents, we will also notify the Commission d’accès à l’information as required by Law 25.

Data Protection Impact Assessment. In accordance with GDPR Art. 35, a Data Protection Impact Assessment (DPIA) has been conducted for our payment processing and fraud prevention activities. A summary is available on request from dpo@upclick.com.

User Rights

Individuals have the right to know what information we hold about them and, in some cases, to have such information communicated to them, as we do in this Privacy Policy. Individuals may also ask for our confirmation as to whether or not we process their Personal Information. Subject to the limitations in applicable law, individuals may also be entitled to obtain from us the Personal Information they have provided to us in a structured, commonly-used, and machine-readable format, and may have the right to transmit such Personal Information to another party.

Depending on your place of residence, you may be eligible to certain right as follows:

  • the right to access any information which is provided to us;
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to object to processing;
  • the right to data portability;
  • the right to complain to a supervisory authority; and
  • the right to withdraw consent (to the extent applicable).
  • for Québec residents only, the right to request cessation of dissemination or de indexing of personal information where such dissemination causes serious injury or is no longer lawful (Act respecting the protection of personal information in the private sector, s.28.1);
When you first visit our website, a cookie consent banner is displayed allowing you to accept, decline, or customize your cookie preferences. Only strictly necessary cookies are placed before you make your choice. You canmodifyyour preferences at any time byclickingthe cookie settings icon available on each page.
Siteand Services may use their own cookies to be able to function properly. To know more about our cookies and our 3rd party cookies, please refer to our Cookie Policy available on the website you browse, or for Quebec residents,our Politique relative aux témoins. Please be aware that you may set your browser to refuse or block any cookies from us or our 3rd party partners. In this case, however, some of the Services may not properly function.

Third Parties

Occasionally, Avanquest Software SAS receives information from third parties to compare it to information that you had provided to Avanquest Software SAS for fraud prevention purposes.

Any websites displayed to you by our Website as Internet search results or linked to Internet search results pages provided to you by our Website, including websites owned or operated by our clients, have been developed by third parties over which Avanquest Software SAS exercises no control. Avanquest Software SAS is not responsible for the privacy practices or the content of such websites, including such websites' use of any information collected when you are directed to or click through to such websites. Even though such information might not identify you personally, we strongly encourage you to become familiar with the privacy practices of those websites.

Direct Marketing

We may send our Business Partners and Customers emails or other messages about us or our Services, including product updates, newsletters, and relevant business communications. The legal basis for each type of direct marketing communication is set out below.

  • Newsletter and promotional communications: Where you have voluntarily subscribed to our newsletter or opted in to receive promotional communications, we process your personal dataon the basis ofyour freely given, specific, informed, and unambiguousconsentpursuant to:
    • GDPR Article 6(1)(a)for EEA and UK recipients;
    • Article 5(3) of theePrivacyDirective(as implemented in applicable member state law) where such communications involve the use of electronic communications networks;
    • Canada's Anti-Spam Legislation (CASL), S.C. 2010, c. 23for recipientslocatedin Canada — we only send commercial electronic messages to Canadian recipients where we have obtained express or implied consent as defined under CASL, and every message includes a functional unsubscribe mechanism;
    • Lei Geral deProteçãode Dados (LGPD), Art. 7(I)for recipientslocatedin Brazil — processing is based on your explicit consent, which may be withdrawn at any time.

    You can withdraw your consent and unsubscribe from newsletter and promotional communications at any time by clicking the unsubscribe link located at the bottom of each communication, or by contacting our Data Protection Officer at dpo@upclick.com. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

  • Service-related communications to existing customers and Business Partners: Where you are an existing customer or registered Business Partner, we may send you service-related communications, including account notifications, service announcements, renewal reminders, invoices, and administrative messages. These communications are necessary to the performance of our contract with you and are also sent on the basis of our legitimate interest pursuant to GDPR Article 6(1)(f) in operating and maintaining our Services and business relationship, consistent with your reasonable expectations as a customer or partner.

We have conducted a Legitimate Interest Assessment confirming that our legitimate interest in sending service-related communications is not overridden by your interests, rights, or freedoms. A summary is available on request from dpo@upclick.com.

Every service-related communication includes a clear and accessible opt-out mechanism. You may object to receiving service-related communications at any time by contacting us at dpo@upclick.com. Please note that if you are a registered Business Partner or active customer, opting out of service-related communications may affect our ability to provide you with the Services. If you wish to stop receiving all communications, you may request deletion of your account by contacting us at dpo@upclick.com.

Summary of legal bases by communication type and jurisdiction:

Communication Type Legal Basis Jurisdiction
Newsletter / promotional emails Consent — GDPR Art. 6(1)(a) + ePrivacy Art. 5(3) EEA / UK
Newsletter / promotional emails Express or implied consent — CASL S.C. 2010, c. 23 Canada
Newsletter / promotional emails Consent — LGPD Art. 7(I) Brazil
Service-related communications to existing customers Legitimate interest — GDPR Art. 6(1)(f), with opt-out in every message EEA / UK
Service-related communications to existing customers Contract performance / legitimate interest — CASL s.6(6) transactional exemption Canada
Service-related communications to existing customers Contract performance — LGPD Art. 7(V) Brazil

Services Not Directed to Minors

Our Services are not directed to, designed for, or intended to attract children or minors. We do not knowingly collect, process, or retain personal information from minors.

For the purposes of this section, "minor" means:

  • A child under the age of16in the European Economic Area (EEA) and the United Kingdom;
  • A child under the age of14in Quebec,pursuant totheAct respecting the protection of personal information in the private sector(CQLR c P-39.1, as amended by Law 25);
  • A child under the age of13in all otherjurisdictions, including the United States (pursuant tothe Children's Online Privacy Protection Act, COPPA).

If you are below the applicable minimum age in your jurisdiction, you must not use our Services or provide any personal information to us.

If we become aware that we have inadvertently collected personal information from a minor below the applicable minimum age without appropriate parental or guardian consent, we will take immediate steps to delete that information from our records. Where technically or operationally required, deletion will be completed as promptly as possible and within the timeframes required by applicable law.

If you are a parent or legal guardian and believe that your child has provided personal information to us without your consent, or if you wish to request the deletion of your child's personal information from our systems, please contact our Data Protection Officer directly at: dpo@upclick.com

We will respond to all such requests promptly and in accordance with applicable data protection and privacy laws.

Policy Changes

We may update this Privacy Policy from time to time. The revision date is reflected in the "Last Modified" heading and the full history is available in the Version History section below.
For material changes (for example, new categories of personal data collected, new recipients, new purposes of processing, or new international transfers), we will provide at least 30 days prior notice by:
- email to registered users and business partners;
- a persistent banner on the Website and on the login dashboard.
For non material changes (clarifications, corrections, formatting), the updated Privacy Policy is effective upon publication. Your continued use of the Services after the effective date of a change signifies your acknowledgement of the updated Privacy Policy.

Do Not Track Disclosure

Do Not Track. Do Not Track (DNT) is a browser preference that signals websites that a visitor does not want certain information collected. There is no consensus industry standard for how to respond to DNT signals and we do not currently respond to DNT.
Global Privacy Control. Global Privacy Control (GPC) is a browser level signal that, for California residents, communicates a valid opt out of the sale or sharing of personal information under the CCPA/CPRA and California Attorney General Regulation §7025. When we detect a GPC signal from a California resident, we treat it as a valid request to opt out of sale and sharing of personal information for that browser or device. For more information, see globalprivacycontrol.org.

International Transfers of Personal Data

Your personal data may be transferred to, and processed in, countries outside your country of residence, including countries outside the European Economic Area (EEA), the United Kingdom, and Quebec. We ensure that all such transfers are subject to appropriate safeguards as described below.

1. Recipients of Your Personal Data

Your personal data is processed by the following categories of recipients:

Avanquest group entities within the European Economic Area: Avanquest Software SAS (France), Upclick Malta Limited (Malta), Avanquest Deutschland GmbH (Germany), Avanquest Software Polska Sp. z o.o. (Poland).

Avanquest group entities outside the European Economic Area: 7270356 Canada Inc. dba Avanquest Canada (Canada), Avanquest Canada Management Inc. (Canada), myDevices Inc. (United States).

Third-party sub-processors: Third-party sub-processors: payment service providers and card networks (including Visa and Mastercard, both US-based entities), cloud hosting providers, customer support platforms, analytics providers, and eSign infrastructure providers. A full and current list of sub-processors is available upon request from our Data Protection Officer. We will provide registered Business Partners with at least 30 days advance notice of any intended addition or replacement of sub-processors, both by email and by updating the sub-processor page. Business Partners who object to a new sub-processor may notify us at dpo@upclick.com within 30 days of notification.

2. Transfer Mechanisms

We only transfer your personal data outside your jurisdiction where we have ensured that an appropriate transfer mechanism is in place, as follows:

Intra-EEA transfers: No specific transfer mechanism is required for transfers between EEA member states, as all EEA countries are subject to equivalent data protection standards under the GDPR.

Transfers to Canada: Transfers to Canadian entities that are commercial organizations covered by the Personal Information Protection and Electronic Documents Act (PIPEDA) are made on the basis of the European Commission adequacy decision 2002/2/EC pursuant to GDPR Article 45. Where a Canadian recipient falls outside the scope of that adequacy decision, transfers are made on the basis of Standard Contractual Clauses (SCCs) under GDPR Article 46(2)(c), complemented by supplementary technical and contractual measures where required.

Transfers to the United States: Transfers to US-based recipients, including payment card networks (Visa, Mastercard) and cloud service providers, are made on one or more of the following bases:

  • Where the recipient is certified under the EU-US Data Privacy Framework (EU-US DPF):transfers are madeon the basis ofthe European Commission adequacy decision of 10 July 2023pursuant toGDPR Article 45;
  • Where the recipient is not certified under the EU-US DPF:transfers are made on the basis of the Standard Contractual Clauses (Module 2: Controller to Processor) adopted by the European Commission under GDPR Article 46(2)(c), complemented by supplementary technical andorganisationalmeasures where aTransfer Impact Assessment (TIA) has identified residual risks requiring mitigation.

A Transfer Impact Assessment has been conducted for all transfers to the United States and other non-adequate third countries. A summary of the TIA is available on request from our Data Protection Officer.

Transfers to the United Kingdom: Transfers of personal data to the United Kingdom are made on the basis of the EU adequacy decision for the UK adopted under GDPR Article 45 (Commission Implementing Decision (EU) 2021/1772). Where the adequacy decision does not apply, transfers are made on the basis of the UK International Data Transfer Agreement (IDTA) or the Addendum to the Standard Contractual Clauses approved by the UK Information Commissioner's Office, pursuant to UK GDPR Article 46 and Section 119A of the Data Protection Act 2018 (SI 2019/419 Schedule 1).

Transfers to other third countries: For transfers to any other third country not covered by an adequacy decision, we rely on Standard Contractual Clauses under GDPR Article 46(2)(c), supplemented by appropriate technical, organisational, and contractual measures as documented in our Transfer Impact Assessments.

3. Quebec Residents — Transfers Outside Quebec (Loi 25, Article 17)

Pursuant to the Act respecting the protection of personal information in the private sector (CQLR c P-39.1, as amended by Law 25), and specifically in accordance with Article 17 thereof, a Privacy Impact Assessment (Évaluation des facteurs relatifs à la vie privée, EFVP) has been conducted prior to any communication of personal information outside Quebec.

The EFVP takes into account the following factors as required by Article 17:

  • The sensitivity of the personal information concerned;
  • The purposes for which it is to be used;
  • The adequacy of the protection measures applied in the recipientjurisdiction, including applicable laws, contractual safeguards, and technical security measures;
  • The nature of the processing activities carried out by the recipient.

The EFVP confirms that each recipient jurisdiction or organisation offers a level of protection equivalent to that required under Quebec law, or that appropriate contractual and technical safeguards have been put in place to ensure equivalent protection. Recipients of personal information outside Quebec are bound by contractual obligations requiring them to protect the information to a standard at least equivalent to that required by Quebec law.

Transfers covered by this assessment include transfers to our parent group entities in Canada and France, payment card networks (Visa, Mastercard), cloud infrastructure providers, and other third-party sub-processors. A summary of the EFVP is available on request.

4. Availability of Transfer Documents

Copies of the following documents are available on request from our Data Protection Officer:

  • Standard Contractual Clauses (EU SCCs — Module 2, Controller to Processor)
  • UK International DataTransfer Agreement (IDTA) or UK Addendum to SCCs
  • Transfer Impact Assessment (TIA) summary
  • Privacy Impact Assessment summary (Évaluation des facteurs relatifs à la vie privée, EFVP) for Quebectransfers.

To request any of these documents or for any questions regarding our international data transfer practices, please contact our Data Protection Officer at: dpo@upclick.com

Data Protection Officer

For privacy requests, rights exercise, unsubscription, account deletion and all data protection matters, contact our Data Protection Officer at dpo@upclick.com.
For commercial and support inquiries unrelated to privacy, contact dpo@upclick.com.
Please include your name, address and email address in any correspondence so that we can respond to your inquiry or request.
Business Partners seeking a copy of our Data Processing Agreement (DPA), sub-processor list, Standard Contractual Clauses, UK International Data Transfer Agreement (IDTA), or Transfer Impact Assessment summary may request these documents from our Data Protection Officer at dpo@upclick.com.

Special Jurisdictions : California Residents — Supplemental Privacy Notice (CPRA)

For California residents, please see our full California Privacy Notice available at: CPRA Notice. The California Privacy Notice supplements this Privacy Policy and provides complete disclosures required under the California Privacy Rights Act of 2020 (CPRA) and CalOPPA.

Do Not Sell or Share My Personal Information / Limit the Use of My Sensitive Personal Information

California residents have the right to opt out of the sale or sharing of their personal information and to limit the use of sensitive personal information. To exercise these rights, please use the following link available in the footer of every page of our website: Do Not Sell or Share My Personal Information.

We also recognise and honour the Global Privacy Control (GPC) signal as a valid opt-out request from sale and sharing of personal information, in accordance with California Civil Code § 1798.135(d) and California Code of Regulations § 7025.

Categories of Personal Information Collected and Disclosed

The following categories of personal information are collected and may be disclosed to third parties for business purposes. Full details are available in our California Privacy Notice (Section 1 and Section 2):

Category Collected Disclosed for Business Purpose
Identifiers (name, email, address, phone) Yes Yes — service providers, support
Online identifiers (IP address, cookies) Yes Yes — analytics, advertising partners
Payment and billing information Yes Yes — payment processors, card networks
Online and network activity Yes Yes — analytics, advertising
Device and OS information Yes Yes — infrastructure providers
Customer support and CRM data Yes Yes — support platforms
Electronic signature data and audit trails Yes Yes — eSign infrastructure providers
Marketing and advertising information Yes Yes — advertising platforms
Subscription and account data Yes Yes — affiliated companies

Sensitive Personal Information

Under CPRA California Civil Code § 1798.140(ae), the following categories of personal information we collect are classified as sensitive personal information:

  • Payment card information(card number,expirationdate, CVV) — collected and processed exclusively for payment processing purposes via PCI-DSS compliant processors. We do not use payment card data for any purpose beyondtransaction processing and fraud prevention.
  • Account login credentials(username combined with password or security credentials) — used solely for account authentication and security.
  • Precise geolocation data(derived from IP address for fraud scoring purposes) — used solely for fraud prevention and anti-abuse monitoring.

We do not use or disclose sensitive personal information for purposes beyond those necessary to provide the Services you requested, as permitted under CPRA § 1798.121. You have the right to direct us to limit our use and disclosure of sensitive personal information to these permitted purposes only. To exercise this right, use the link above or contact us at dpo@upclick.com.

Your California Privacy Rights

California residents have the following rights at all times:

  • Right to Know— what personal information is collected, used,disclosed, and sold
  • Right to Delete— request deletion of your personal information, subject to exceptions
  • Right to Correct— request correction of inaccurate personal information
  • Right toOpt-Out— of sale or sharing of personal information
  • Right to Limit— use and disclosure of sensitive personal information
  • Right to Non-Discrimination— we will not discriminate against you for exercising your rights
  • Right to Data Portability— receive your data in a portable, machine-readable format

Full details on how to exercise each right are available in our California Privacy Notice

Authorized Agents

You may designate an authorized agent to submit a privacy rights request on your behalf. To use an authorized agent, you must either:

  • Provide the authorized agent withwritten permission signed by you— we may verify your identity directly with you; or
  • Provide the authorized agent withapowerof attorneypursuant toCalifornia Probate Code §§ 4000–4465.

We may deny a request from an authorized agent who does not submit proof of authorization. Authorized agents may submit requests to dpo@upclick.com with proof of their authorization to act on your behalf.

Retention of Personal Information

We retain each category of personal information for the periods set out in the Data Retention Schedule in this Privacy Policy. Key retention periods for California residents include:

Category Retention Period
Account and profile data Duration of active use + 5 years
Payment and billing data 10 years from transaction date
Electronic signature data and audit trails Up to 10 years
Marketing and mailing list data 3 years after last interaction
Online identifiers and cookies 13 months (tracker) / 25 months (data)
Customer support data 5 years after resolution

For the complete retention schedule, see the Data Retention section of this Privacy Policy.

These links are also available in the footer of every page of our website.

Residents of Colorado, Connecticut, Virginia, Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Tennessee, Iowa, Nebraska, Indiana, Kentucky, and Rhode Island may have additional privacy rights under their applicable state law, including the right to opt out of the sale or sharing of personal information, the right to access, correct, and delete personal data, and the right to appeal a decision regarding a privacy rights request. To exercise any of these rights, please contact us at dpo@upclick.com or use the opt-out mechanism available at

Special Jurisdictions : Canada — Privacy Supplement (PIPEDA and Law 25)

Last updated: May 2026

This supplement applies to individuals residing in Canada, including residents of Quebec, and complements the general Privacy Policy of Avanquest Software SAS and its affiliated companies (collectively "we", "us", "our"). It is designed to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5) and, for Quebec residents, the Act respecting the protection of personal information in the private sector (CQLR c P-39.1, as amended by Law 25). In the event of a conflict between this supplement and the general Privacy Policy, this supplement prevails for Canadian residents to the extent of the conflict.

In accordance with Quebec's Charter of the French Language (Bill 96), this supplement is available in French upon request by contacting dpo@upclick.com.

1. Identifying Purposes - Why We Collect Your Personal Information

We collect personal information only for purposes that a reasonable person would consider appropriate in the circumstances, and only to the extent necessary to fulfil those purposes. The primary purposes for which we collect personal information from Canadian residents are:

  • To provide, deliver, and manage the products and Services you havepurchasedor requested;
  • To process payments and manage billing, invoicing, and subscription renewals;
  • To create and manage your account;
  • To communicate with you about your orders, account, andtransactions;
  • To provide customer support and respond to your inquiries;
  • To send you marketing communications where you have provided consent orwherepermittedby CASL;
  • To detect and prevent fraud, abuse, and security incidents;
  • To comply withapplicable legal and regulatory obligations;
  • To improve our products, Services, and website through analytics and performance monitoring.

We will identify the purpose for any new collection of personal information at or before the time of collection. If we wish to use personal information for a new purpose not previously identified, we will seek your consent before doing so.

2. Consent

We obtain meaningful consent for the collection, use, and disclosure of personal information, in a form appropriate to the sensitivity of the information and the reasonable expectations of the individual.

Express consent is obtained for:

  • Newsletter and promotional marketing communications (in accordance withCASL S.C. 2010, c. 23);
  • Non-essentialcookies and analyticstrackers;
  • Any collection of sensitive personal information.

Implied consent may be relied upon for:

  • Service-related communications to existing customers, where the communication relates directly to the ongoing business relationship;
  • Collection of personal information necessary to fulfil atransaction you haveinitiated.

You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice, by contacting our Privacy Officer at dpo@upclick.com. We will inform you of the implications of withdrawing consent. Withdrawal of consent for marketing communications can be exercised via the unsubscribe link in any message. Withdrawal of consent for non-essential cookies can be exercised via the cookie preference center on our website.

3. Limiting Collection

We collect only the personal information necessary for the purposes identified above. We do not collect personal information indiscriminately. The categories of personal information we collect from Canadian residents are:

  • Identifiers (name, email address, physical address, phone number);
  • Online identifiers (IP address,cookies, device identifiers);
  • Payment and billing information (payment card identifiers, billing address,transaction history);
  • Account and subscription data (login credentials, subscription status, license data);
  • Online and network activity (browsingbehaviour, pages visited, clicks);
  • Device and OS information (browser type, operating system, device model);
  • Customer support and CRM data (support tickets, chat logs, correspondence);
  • Marketing and advertising data (campaign interactions, email engagement);
  • Electronic signature data (where you use oureSignservices): signature data, signer identity, timestamps, audittrail records, IP address attimeof signing.

4. Limiting Use, Disclosure, and Retention

We use and disclose personal information only for the purposes for which it was collected, except with your consent or as required by law. We do not sell personal information to third parties.

Disclosure to third parties is limited to the categories described in the general Privacy Policy and the sub-processor list available at dpo@upclick.com. Categories of third parties with whom we share personal information include:

  • Affiliated companies within the Claranova/Avanquest group;
  • Cloud hosting and infrastructure providers (AWS, Microsoft Azure, Google Cloud);
  • Payment processors and card networks (Stripe, Verifone/2Checkout, Visa, Mastercard);
  • Customer support platforms (Zendesk, Ada Support);
  • Analytics and marketing platforms (Google Analytics, HubSpot, Mailchimp);
  • Compliance and consent management platforms (OneTrust);
  • Electronic signature infrastructure providers (GlobalSign,LeaseWeb, Microsoft Azure);
  • Fraud prevention services (Stripe Radar, Cloudflare);
  • Legal, regulatory, and law enforcement authorities where required by law.

You have the right to request the name of any specific third party under each category by contacting dpo@upclick.com.

Retention of personal information follows the schedule set out in the Data Retention Schedule in our general Privacy Policy. As a general principle:

  • Personal information isretainedonly for as long as necessary to fulfil the identified purpose or as required by applicable law;
  • Account and subscription data isretainedfor the duration of the active relationship plus 5 years;
  • Payment and billing records areretainedfor 10 years from thetransaction datein accordance withapplicable accounting and tax laws;
  • Marketing data isretainedfor 3 years after your last interaction;
  • Personal information is securelydeletedor irreversiblyanonymisedwhen it is no longerrequired.

5. Transfers of Personal Information Outside Canada

As part of our global operations, personal information may be transferred to, and processed in, jurisdictions outside Canada, including France, the United States, Malta, and other countries where our affiliated companies and sub-processors operate.

For transfers outside Quebec, a Privacy Impact Assessment (Évaluation des facteurs relatifs à la vie privée, EFVP) has been conducted in accordance with Law 25, Article 17, confirming that appropriate safeguards are in place. A summary is available on request from dpo@upclick.com.

For transfers outside Canada generally, we ensure that recipient organisations are bound by contractual obligations providing equivalent protection to PIPEDA through Standard Contractual Clauses or intra-group data transfer agreements.

For transfers to the United States, we rely on Standard Contractual Clauses and, where the recipient is certified, the EU-US Data Privacy Framework. Full details of our transfer mechanisms are set out in the International Transfers of Personal Data section of the general Privacy Policy.

6. Accuracy

We take reasonable steps to ensure that personal information we hold is accurate, complete, and up to date as necessary for the purposes for which it is used. You may request correction of inaccurate or incomplete personal information by contacting dpo@upclick.com or through your account settings where available.

7. Safeguards

We protect personal information using security measures appropriate to the sensitivity of the information, including:

  • Encryption of personal data intransit and at rest;
  • Access controls limiting personal data access toauthorisedpersonnel only;
  • PCI-DSS compliance for payment processing;
  • Alignment with ISO/IEC 27001:2022 and ISO/IEC 27701:2019 as implemented by theClaranovagroup;
  • Regular security assessments and staff privacytraining.

In the event of a privacy breach that creates a real risk of significant harm, we will notify the Office of the Privacy Commissioner of Canada (OPC) and affected individuals as required by PIPEDA s.10.1, and the Commission d'accès à l'information (CAI) as required by Law 25 for Quebec residents.

8. Openness and Accountability

We are accountable for personal information under our control. Our Privacy Officer is responsible for our compliance with PIPEDA and Law 25 and can be contacted at:

Privacy Officer / Data Protection Officer Avanquest Software SAS dpo@upclick.com

For data security matters: dpo@upclick.com.

We will respond to all privacy inquiries and complaints within 30 days. For complex requests, we may require up to 60 days and will notify you of the extension in writing.

9. Automated Decisions (Law 25, Art. 7)

In accordance with Article 7 of the Act respecting the protection of personal information in the private sector (as amended by Law 25), we inform Quebec residents that we use automated processing of personal information for fraud prevention and anti-fraud scoring in connection with payment transactions. This may result in a transaction being flagged, declined, or subjected to additional verification.

You have the right to be informed of any automated decision that produces significant effects concerning you, to submit observations, and to request human review of the decision. To exercise these rights, contact dpo@upclick.com.

10. Privacy by Default (Law 25, Art. 8.1)

In accordance with Article 8.1 of the Act respecting the protection of personal information in the private sector (as amended by Law 25), our Services are designed with privacy by default. Only personal information necessary for the specific purpose of the product or service is collected by default. Our cookie consent banner is configured so that only strictly necessary cookies are placed before you make an active choice — no non-essential cookies are loaded by default until consent is given.

11. Your Privacy Rights

Subject to applicable exemptions, Canadian residents have the following rights:

Right Description Applicable Law
Right to be informed To know what personal information is collected and why PIPEDA / Law 25
Right to access To request access to your personal information PIPEDA s.8 / Law 25
Right to rectification To request correction of inaccurate or incomplete data PIPEDA / Law 25
Right to erasure To request deletion of your personal information, subject to exceptions Law 25
Right to withdraw consent To withdraw consent at any time, subject to legal restrictions PIPEDA / Law 25
Right to data portability To receive your data in a structured, machine-readable format Law 25
Right to restrict processing To request restriction of processing in certain circumstances Law 25
Right to de-indexing To request cessation of dissemination or de-indexing where dissemination causes serious injury Law 25 s.28.1
Right to object to automated decisions To request human review of decisions made solely by automated means Law 25 Art. 7

To exercise any of the above rights, please contact our Privacy Officer at dpo@upclick.com. We will respond within 30 days of receipt of your verifiable request.

12. Complaints and Supervisory Authorities

If you have a complaint about how we handle your personal information, we encourage you to contact us first at dpo@upclick.com so that we can attempt to resolve the matter directly.

If you are not satisfied with our response, you have the right to lodge a complaint with the applicable supervisory authority:

For all Canadian residents: Office of the Privacy Commissioner of Canada (OPC) priv.gc.ca, 1-800-282-1376

For Quebec residents: Commission d'accès à l'information (CAI) cai.gouv.qc.ca, 1-888-528-7741

Special Jurisdictions : Brazil — Lei Geral de Proteção de Dados Pessoais (LGPD, Lei 13.709/2018)

This section applies to personal data of data subjects located in Brazil and is provided in compliance with the Lei Geral de Proteção de Dados Pessoais (LGPD, Lei 13.709/2018). It supplements the general provisions of this Privacy Policy, which continue to apply to Brazilian residents alongside this section.

Controller and Encarregado (Data Protection Officer)

The data controller responsible for the processing of personal data of Brazilian residents is:

Avanquest Software SAS For all privacy-related matters, including the exercise of LGPD rights, please contact our Encarregado (Data Protection Officer) at: dpo@upclick.com, including "LGPD" in the subject line of your message.

Categories of Personal Data Collected from Brazilian Residents

In addition to the personal data categories described in the general Information Collection section of this Privacy Policy, we collect the following data specifically from Brazilian residents:

  • CPF (Cadastrode PessoaFísica) — individual taxpayer identification number, collected from individual customers;
  • CNPJ (CadastroNacional da PessoaJurídica) — corporate taxpayer identification number, collected from business customers.

These identifiers are required under Brazilian tax and payment regulations and are collected exclusively for the purposes of payment processing, invoicing, and compliance with Brazilian fiscal obligations.

Legal Bases for Processing

We process personal data of Brazilian residents on the following legal bases under LGPD Article 7:

Purpose of Processing Lega lBasis LGPD Refe rence
Payment processing and transaction facilitation Execution of a contract Art. 7(V)
Collection of CPF/CNPJ for tax and invoicing compliance Compliance with a legal or regulatory obligation Art. 7(II)
Account registration and management Execution of a contract Art. 7(V)
Delivery of purchased products and Services Execution of a contract Art. 7(V)
Customer support Execution of a contract Art. 7(V)
Newsletter and promotional communications Consent of the data subject Art. 7(I)
Non-essential cookies and analytics Consent of the data subject Art. 7(I)
Fraud prevention and security monitoring Legitimate interest of the controller Art. 7(IX)
Website functionality and anti-spam Legitimate interest of the controller Art. 7(IX)
Compliance with legal obligations and regulatory requests Compliance with a legal or regulatory obligation Art. 7(II)
Exercise and defence of legal claims Legitimate interest of the controller Art. 7(VI)
International transfers outside Brazil Standard contractual clauses / adequacy / consent Art. 33

Where we rely on consent as a legal basis, you have the right to withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. To withdraw consent for marketing communications, use the unsubscribe link in any message or contact dpo@upclick.com. To withdraw consent for non-essential cookies, use the cookie preference center available on each page of our website.

Where we rely on legitimate interest, we have assessed that our interest is not overridden by your rights, freedoms, or interests. You have the right to object to processing based on legitimate interest at any time by contacting dpo@upclick.com.

International Transfers of Personal Data

Transfers of personal data outside Brazil are carried out in accordance with LGPD Article 33, on the basis of one or more of the following:

  • Standard contractual clauses approved by theAutoridadeNacional deProteçãode Dados (ANPD);
  • Adequacy decisions whereavailable for the recipient country;
  • Explicit consent of the datasubjectwhererequired.

For full details of our international transfer mechanisms, see the International Transfers of Personal Data section of this Privacy Policy.

Data Retention

Personal data of Brazilian residents is retained in accordance with the Data Retention Schedule set out in this Privacy Policy. Retention periods are determined by the purpose of processing, applicable Brazilian law, and contractual obligations. CPF and CNPJ data is retained for the duration required by Brazilian tax and fiscal regulations, which is a minimum of 5 years from the date of the relevant transaction.

Your Rights under LGPD Article 18

Brazilian data subjects have the following rights in relation to their personal data:

  • Confirmation of processing - the right to confirm whether we process your personal data;
  • Access — the right to access the personal data we hold about you;
  • Correction — the right to correct incomplete, inaccurate, or outdated personal data;
  • Anonymisation, blocking, or deletion — the right to requestanonymisation, blocking, or deletion of unnecessary, excessive, or non-compliant data;
  • Data portability — the right to receive your personal data in a structured and interoperable format;
  • Deletion of data processed under consent — the right to request deletion of personal data processedon the basis ofyour consent;
  • Information about sharing — the right to information about public and private entities with which we have shared your personal data;
  • Information about non-consent — the right to information about the possibility of not providing consent and the consequences of refusal;
  • Revocation of consent — the right to withdraw consent at any time;
  • Review of automated decisions — the right to request review of decisions made solely by automated means that affect your interests.

To exercise any of the above rights, please contact our Encarregado at dpo@upclick.com with "LGPD" in the subject line. We will respond within 15 days as required by ANPD guidance.

Supervisory Authority

The supervisory authority responsible for the enforcement of the LGPD in Brazil is the Autoridade Nacional de Proteção de Dados (ANPD). If you believe that your personal data has been processed in a manner inconsistent with the LGPD, you have the right to lodge a complaint with the ANPD at: gov.br/anpd

UK and Germany

United Kingdom residents:

- United Kingdom residents: this Privacy Policy complies with the UK GDPR and the Data Protection Act 2018. The supervisory authority for the United Kingdom is the Information Commissioner's Office (ICO), reachable at ico.org.uk or 0303 123 1113. You have the right to lodge a complaint with the ICO at any time.

- Germany residents: BDSG applies in addition to GDPR.

Each supplement is incorporated into this policy by reference and available on request from dpo@upclick.com.