Privacy

PRIVACY & DATA-PROTECTION POLICY
Association de Généalogie d’Haïti (AGH)
Version : 2025

1. Purpose and Scope

This policy (“Policy”) explains how AGH, a Québec-registered non-profit organisation, collects, uses, stores, safeguards and discloses personal and non-personal information processed through its website, databases and applications (collectively, the “Services”). It applies to every user worldwide and supplements our Terms of Service.

2. Definitions

Term

Meaning

“Personal Data”

Any information relating to an identified or identifiable natural person.

“Processing”

Any operation performed on data, incl. collection, recording, storage, consultation, disclosure or destruction.

“Controller”

AGH, which determines the purposes and means of processing.

“Law 25”

Québec’s privacy-modernisation statute (phased in 2022-2024).

“PIPEDA”

Canada’s federal Personal Information Protection and Electronic Documents Act.

“GDPR”

Regulation (EU) 2016/679.

“CCPA/CPRA”

California Consumer Privacy Act / California Privacy Rights Act.

3. Lawful Bases

Basis

Examples

Legal References

Explicit Consent

Account creation; record uploads

GDPR Art. 6-1-a; Law 25 s.14; PIPEDA

Legitimate Interest / Public-interest Mission

Preservation of historical archives

GDPR Art. 6-1-e/f; PIPEDA s.3

Legal Obligation

Compliance with a valid Canadian court order

Criminal Code; Law 25 s.101

4. Categories of Data Collected

• Identifiers & contact details (name, email, IP)

• Genealogical content (vital records, photos, trees, metadata)

• Potentially sensitive data (ethnicity, religion, health) if voluntarily provided

• Payment data (handled by PCI-DSS-compliant processor)

• Technical logs (timestamps, browser type, error logs)

5. Purposes of Processing

a) Publish a public, collaborative genealogical database
b) Authenticate members and manage subscriptions
c) Preserve Haitian cultural heritage
d) Prevent fraud, ensure security and comply with law
e) Produce anonymised statistical analyses

6. Security Measures

• TLS 1.3 encryption in transit; AES-256 encryption at rest

• Application firewalls and network segmentation

• Off-site encrypted backups (18-month rotation)

• Patches applied within 30 days

• Annual penetration tests and WORM logging

Warranty disclaimer. Although AGH implements “reasonable and appropriate” safeguards, no system is invulnerable; AGH disclaims liability for damages arising from unauthorised access except where mandatory remedies (e.g., GDPR Art. 82, CCPA private right of action) apply.

7. Breach Notification

Regulator notice within 72 hours (EU) or “without unreasonable delay” (Canada/US) if the breach poses a “high risk”.
Individual notice where a real risk of significant harm exists.
An internal incident register is kept for 5 years.

8. International Transfers

Primary servers are located in Québec. Transfers outside Canada rely on:

• 2021/914/EU Standard Contractual Clauses, or

• Contractual commitments providing a “substantially equivalent” level of protection.

9. Retention

Data Type

Maximum Period

Rationale

Genealogical content

Until account deletion or consent withdrawal

Public-interest / historical value

Technical logs

24 months

Security & audit

Back-ups

18 months

Business continuity

10. Individual Rights

Region

Core Rights

Response Time

EU / EEA / UK

Access, rectification, erasure, portability, restriction, objection, supervisory-authority complaint

30 days

Québec

Access, correction, consent withdrawal, portability (from 22 Sep 2024)

30 days

California

Right to know, delete, opt-out of sale/share, private action for breaches

45 days

Requests should be sent to info@agh.qc.ca.

11. User-Provided Content – Disclaimer

• Content is provided “as is.” AGH does not systematically verify accuracy.

• Users must independently confirm any data before administrative, legal or medical use.

• AGH accepts no liability for losses or disputes arising from reliance on, or misinterpretation of, posted information.

12. Limitation of Liability

Except for proven gross or intentional fault, AGH’s cumulative liability is capped at the greater of CAD 100 or the membership dues paid in the preceding twelve (12) months. This clause accords with Québec Civil Code s.1474, GDPR Art. 82 (proportionality) and CCPA § 1798.150.

13. Third-Party Sites & Services

Our site may link to external resources. AGH exercises no control over such sites and disclaims all responsibility for their practices, content or security incidents.

14. Children

The Services are not directed to children under 13 (or local equivalent age). We do not knowingly collect their data; any accounts identified will be deleted.

15. Changes

Material changes will be announced 30 days before taking effect. Continued use after the effective date constitutes acceptance.

16. Governing Law & Dispute Resolution

Subject to mandatory consumer-protection rules:

• Governing law – Laws of Québec and applicable Canadian federal laws

• Exclusive venue – Courts of Montréal, Québec, Canada

US and EEA users agree to waive class-action rights, except where such waiver is legally unenforceable.

17. Contact

Data Protection Officer – Association de Généalogie d’Haïti
info@agh.qc.ca

By accessing or using our Services, you acknowledge that you have read and understood this Policy and agree to be bound by its provisions.