1. CURRENT PRIVACY POLICY
1.1 Our Privacy Policy
InnovMetric takes its obligations regarding privacy and personal data protection seriously. Please read this Privacy Policy carefully, as it contains essential information regarding the way in which we process your personal data. Moreover, the personal data of clients, employees, suppliers (where applicable), and partners will be processed in the same way. Please note that the policy should be read together with the Website terms of use, the terms and conditions of the offer, the licence agreement and the service agreements, where applicable.
By using our Website accessible at https://www.polyworks.com (hereinafter referred to as the “Website”) or dealing with us using technological means, you declare that you have read and accepted this Privacy Policy. You accept that we may collect, use, process, disclose, and retain your personal data in accordance with the conditions described herein. If you do not agree to abide by and be bound by this Policy, you are not authorized to visit, access or use our Website, nor to share your personal data with us using technological means.
Moreover, by providing your personal data to us, you expressly authorize us to collect and process, in accordance with the terms and principles described hereafter, the following personal data, which is identified below.
For its part, InnovMetric undertakes to take all reasonable and necessary precautions to protect the personal data from loss, theft, disclosure or unauthorized use.
1.2 InnovMetric group companies
In this Policy, references to “we”, “us”, or “our” are references to InnovMetric and all companies in its group, listed at https://www.polyworks.com/en/find-a-contact. This Policy describes how we will collect and use personal data, as well as describing the choices and rights you have regarding our use of your personal data.
We have appointed a data security officer, responsible for overseeing compliance with data protection regulations, guaranteeing the security of personal information, and addressing stakeholder concerns regarding data privacy. In any case, all complaints and requests to exercise the rights of data subjects should be addressed to privacy@innovmetric.com. We will take steps to ensure that the responsible officer responds to the complaint or request.
1.3 This Policy applies to the personal data of the following persons
This Policy describes our practices when using:
- the personal data of business contacts, employees, clients (including the clients of our clients), all companies in our group, and their suppliers; and
- the personal data of other persons who (a) may visit our Website (“Users of our Website”) or who (b) may visit our web pages on social media sites.
This Policy will apply whether you provided the information to us directly or we obtained it from another source, such as a third party.
2. BUSINESS CONTACTS
2.1 Sources of business contact information
We collect personal data directly from our business contacts or from the following sources:
- Browsing on our Website (Find a contact section);
- Third-party recommendations;
- Client verification processes, such as due diligence reviews;
- Social media sites, such as LinkedIn or other public Internet sites;
- Credit agencies, insurance information offices and government or financial institutions; and
- Other public resources, such as phone books, newspapers, Internet sites, marketing lists available on the market, public registers, or archives.
2.2 Personal data we collect on business contacts
The categories of information we collect on business contacts include the following:
- Personal data, including the name, home address, employer, office address, personal and work phone numbers, and personal and work email addresses;
- Financial data, including payments made and received, as well as applicable taxes;
- Goods or services provided or purchased;
- Communications with our business contacts;
- When business contacts have online accounts, login identifiers and other similar identifiers, as well as information regarding the use of these services;
- Captured images, such as photos taken during events, videos and CCTV videotapes; and
- Civil or criminal legal proceedings, decisions and convictions, subject to applicable laws, in certain circumstances.
2.3 How we use the personal data we collect on business contacts
We use this information for certain activities, including the following:
- Facilitating the smooth operation of the business through communications with client businesses and suppliers, for example, to communicate information on goods and services we receive from suppliers;
- Establishing and maintaining relationships with clients and suppliers;
- Offering, improving, or developing products and services, existing and new, including, but not limited to, direct marketing tools;
- Planning activities;
- Closing a transaction initiated by a business contact;
- Closing a transaction initiated by one of our employees, such as the purchase of furniture or equipment;
- Closing a transaction with or for our clients;
- Performing bookkeeping related to any commercial or other activity we carry out;
- Deciding whether to accept a person as a client or supplier;
- Keeping registers of purchases, sales, or other transactions for the purpose of ensuring that necessary payments and/or deliveries are carried out or that services are provided;
- Conducting customer satisfaction surveys;
- Carrying out research and development;
- Prospecting;
- Managing events, including inviting our business contacts to events and exhibitions;
- Conducting database management;
- Organizing competitions;
- Ensuring security and crime prevention;
- Preventing or investigating fraud and theft, or for other risk management activities;
- Ensuring compliance with contractual, legal, and regulatory obligations;
- Allowing business contacts to access their online accounts;
- Conducting internal analyses and research to help us improve our services;
- Adding and using all functionalities on online accounts; and
- Exercising our rights in legal proceedings where applicable.
We do not sell this information and have not done so in the last twelve (12) months.
2.4 Why we use the personal data of our business contacts
We use this information because:
- it is necessary for the performance of our obligations or the exercise of our rights under contracts with our clients and suppliers; and
- it is necessary to meet the legal or regulatory obligations to which we are subject.
We have a legitimate commercial interest in:
- managing our business and our brand;
- providing and improving our services; and
- operating our business.
A legitimate interest will only apply if we consider that it is not outweighed by the interests or rights of a business contact that requires the protection of their personal data.
In a limited number of circumstances, such as in the case of marketing, the consent of a business contact is required by applicable law. When we rely on the consent of a business contact, that contact will have the right to withdraw their consent by writing to privacy@innovmetric.com or by unsubscribing by email at any time.
If a business contact wishes to obtain further information about our legitimate interests regarding their personal data, they may write to privacy@innovmetric.com.
In certain circumstances, when a business contact does not provide the required personal data, we will be unable to fulfill our obligations under the contract concluded with them or we will be unable to provide products and services. We will make it clear if and when this situation arises, and will indicate the consequences of not providing this information for the business contact.
2.5 Recipients of information on business contacts
We may disclose the personal data of our business contacts to third parties, including to:
- Our group companies to process data for the above-mentioned purposes;
- Any of our authorized distributors located in the business contact’s territory;
- Business associates and other professional advisors;
- Third parties, including for event management purposes;
- Requesters, right holders, assignees, and beneficiaries;
- Suppliers of goods and services, and other third parties who work on our behalf to maintain or service business contact databases or other computer systems, such as the suppliers of the computer systems we use to process personal data or who provide other technical services, such as printing;
- Third parties who provide services, such as our professional advisors (for example, auditors and lawyers, the computer security manager, the analyst, the data hoster, and a marketing firm);
- Competent authorities, such as tax authorities, courts, regulatory bodies and law enforcement or security authorities, when required or mandated by law or when we deem it necessary; and
- Subject to applicable law, in the event of a merger or sale of InnovMetric, or in the event of a transfer of all or part of our assets (including in the event of bankruptcy), or in the event of another change in corporate status as part of such a transaction.
These disclosures only serve to promote our commercial interests, and the use of personal data by assignees for their own purposes is forbidden.
2.6 Additional information
Please refer to Sections 4 to 8 below to obtain additional information regarding our use of personal data.
3. POLYWORKS® SOFTWARE END USERS
3.1 Personal data collected on end users of the PolyWorks software
The categories of information we collect on end users of the PolyWorks software include:
- The IP address of the workstation on which the PolyWorks software is used;
- Usage data, such as the length of use, how often each module is used, the functionalities used (such as the number of clicks on each functionality), the speed of use, etc.;
- Information related to the operating system, such as the version, language, platform, country, product, etc.; and
- The hardware configuration, including the memory, processor, hard drives, etc.
We do not collect any data that could directly identify end users. We cannot link the IP address or usage data to a physical person using the PolyWorks software.
3.2 Use of personal data collected on end users of the PolyWorks software
We use this information for the following purposes:
- research and development; and
- statistical and analytical purposes to improve the functionality of our software and our services.
The data collected (IP address and related usage data) will be retained for a period of one (1) year and then automatically anonymized.
3.3 Legal basis for processing the personal data of end users of the PolyWorks software
The processing of personal data of PolyWorks software end users for statistical and analytical purposes is based on our legitimate interest and on the consent of the PolyWorks end user.
The end user may withdraw their consent to the processing of their personal data through the PolyWorks settings.
3.4 Transfer of data to Québec, Canada
The personal data of PolyWorks end users is transferred to Québec, Canada, where our headquarters is located, for processing of usage data for the above-mentioned purposes.
The transfer of personal data to Québec, Canada is based on the European Commission’s Adequacy Decision (Commission Decision of 20 December 2001 C [2001] 4539).
3.5 Further information
Please refer to Sections 5 to 9 below to obtain further information regarding our use of personal data.
4. WEBSITE USERS AND PRIVACY ISSUES RELATED TO THE WEB
4.1 Personal data we collect on users of our Website and on visitors of our social media pages
The categories of information we collect on users of our Website and social media pages include the following:
- Data that users provide when they enter information on our Website, for example, when they input contact information, answer online questionnaires, fill out comment forms or job applications, or submit résumés;
- Information users provide when they subscribe to newsletters, such as their names, email addresses, and job titles;
- Information users provide when they register for an online account on our Website; and
- Information users provide when they post content on social media platforms.
We also collect personal data on the usage of our Website by users, including:
- Information entered in our blogs, such as information about devices (for example, brand, device model, screen size), Unique Identification Numbers (for example, IP address and device identifier), and information on a browser (for example, uniform resource locator, browser type, pages visited, date or time of access);
- Information about user behaviors, such as information regarding the behavior or presumed interests of persons related to these persons, and that can be used to create a user profile; and
- Information captured by our cookies (see our Cookie Policy).
If a user of our Website submits their data in one of our forms and has installed cookies on their browser, all data relating to behaviour and blogs will be associated with the user. The user of our Website will be informed of this when they fill out our forms.
We may also collect non-personal data. In the event that non-personal data is combined with personal data in such a way as to enable the identification of data subjects, this information will be processed as personal data until it can no longer be linked to a specific person.
4.2 How we use the personal data of users of our Website and of visitors of our social media pages
We use the personal data of users of our Website and of visitors of our social media pages for certain activities, including:
- Customizing the experience on our Website;
- Providing the products and services requested by users of our Website;
- Administering our Website, investigating complaints, and providing customer services;
- Providing users of our Website and persons accessing our web pages on social media sites with information and offers about products or services that may be of interest to them;
- Monitoring social media content to manage customer relationships and promote our business and brand;
- Administering the Website; and
- Conducting statistical and trend analyses to improve the user experience and performance of our Website.
4.3 Why we use the personal data of users of our Website and of visitors of our social media pages
We use the personal data of users of our Website and of visitors of our social media pages on websites such as Facebook, Instagram, LinkedIn, and X, as it is necessary for us to comply with all legal or regulatory obligations to which we are subject.
We have a legitimate commercial interest in:
- promoting our brand and business through our Website and social media tools; and
- monitoring, reporting, and investigating any attempts to breach the security of our Website.
A legitimate interest only applies if we consider that it is not outweighed by the interests or rights of a website or social media user that requires the protection of their personal data.
In the case of marketing, the consent of the user is required by applicable laws. When we rely on the consent of a user, that user will have the option to unsubscribe and will also have the right to withdraw their consent by writing to privacy@innovmetric.com.
We use personal data on the usage of our Website as it is necessary to meet the legal or regulatory obligations to which we are subject.
We have a legitimate commercial interest in:
- monitoring, reporting, and investigating any attempts to breach the security of our Website; and
- improving the performance and user experience of our Website.
A legitimate interest will only apply if we consider that it is not outweighed by the interests or rights of a website or social media user that requires the protection of their personal data.
If a website user or a person accessing our web pages on social media sites needs further information about our legitimate interests regarding their personal data, they may write to privacy@innovmetric.com.
In certain circumstances, when a user of our Website does not provide the required personal data (for example, regarding our online services), we will be unable to fulfill our obligations under the contract concluded with them or we will be unable to provide products and services. We will make it clear if and when this situation arises, and will indicate what the consequences of not providing this information will be for the Website user.
4.4 Recipients of the personal data of Website users and of visitors of our social media pages
We may disclose the personal data of users of the Website and social media pages to third-party recipients, including to:
- Our group companies that process data for the above-mentioned purposes;
- Third parties who work on our behalf to maintain and service software as a service (SaaS) platforms for our Website;
- Third parties who provide services, such as our professional advisors (for example, auditors and lawyers, the computer security manager, the analyst, the data hoster, and a marketing firm);
- Competent authorities, such as tax authorities, courts, regulatory bodies and law enforcement or security authorities, when required or mandated by law or when we deem it necessary; and
- Subject to applicable law, in the event of a merger or sale of InnovMetric or in the event of a transfer of all or part of our assets (including in the event of bankruptcy), or in the event of another change in corporate status as part of such a transaction.
Moreover, these service providers offer us sufficient guarantees regarding the implementation of adequate security measures of your processed or communicated personal data before this personal data is communicated to them. When our service providers no longer need your personal information, they destroy it.
The personal data we collect and retain remains protected and may be securely hosted on servers located in Canada or the United States.
We may also share, transfer or communicate, in strict compliance with this Policy, your personal data to third parties when required by law or as part of a commercial transaction involving the sale, transfer or assignment, in whole or in part, of our company or our assets. In this case, and if the commercial transaction is completed, we will inform you before your personal data is governed by another privacy policy.
4.5 Additional information
Our Website and online services are intended for individuals who are 18 years of age or older. Our online services are not intended for children who are under 18 years of age.
Therefore, we do not knowingly collect or use the data or personal data of persons who are under 18 years of age. If you are under 18 years of age, you must not provide your personal data without the consent of your parents or your guardian.
If you are a parent or guardian, and you learn that your child has provided personal data without your consent, please contact us by writing to privacy@innovmetric.com to request that your child’s personal data be removed from our systems.
Please refer to Sections 4 to 8 to obtain additional information regarding our use of personal data.
5. POTENTIAL USE OF AI-BASED SOLUTIONS
We may use artificial intelligence (“AI”) systems in the course of our activities. When AI is used to process personal data, we are committed to:
- Clearly stating the purpose of the processing (e.g., service improvement, customer support, fraud detection);
- Specifying the legal basis for processing (e.g., explicit consent, legitimate interest); and
- Informing individuals of their right to object and the means to exercise this right.
We may use AI systems, including conversational analysis or analytics tools and other AI-based solutions, to improve service quality, enhance user experience, and support operational efficiency. When such tools process personal data, we ensure compliance with applicable laws, clearly communicate the purpose and legal basis, and respect individuals’ rights, including objection, data minimization, encryption, and regular audits. Explicit, informed consent will be obtained where required, and individuals will receive clear explanations of AI-driven processes, with the option to request human review. These processes do not result in fully automated decisions without explicit consent. Data is retained only for the minimum period necessary, and any cross-border transfers comply with applicable legal safeguards, which is in line with Quebec’s Loi 25, GDPR, and other relevant regulations. This policy adheres to governance principles applicable to emerging technologies.
6. INTERNATIONAL TRANSFERS
As a global company, we may transfer your personal data to other companies or suppliers in the InnovMetric group, located outside your territory of residence. We will take all reasonable steps to guarantee the security of personal data and ensure that any transfer of this type complies with applicable law.
We may transfer and retain the personal data of persons covered by this Policy on servers or in databases located outside Québec and the European Economic Area (EEA). Some of these countries may not have the level of protection equivalent to the EEA or Québec under their data protection laws.
The countries to which we transfer data outside the EEA are Canada and the United States.
If you would like to obtain detailed information regarding these security measures, you can request it at privacy@innovmetric.com.
7. RETENTION PERIODS
We will retain your personal data for as long as necessary for the purposes for which it was collected, depending on the legal basis for which the data was obtained and/or if additional legal or regulatory obligations require its retention. We may also retain personal data during the period under which a claim may be filed concerning our relationship with you.
In general, this means that your personal data is retained for the duration of our relationship with you, and:
- For the period required by tax and corporate laws and regulations; and
- For as long as necessary for you to bring a legal action against us and for us to defend ourselves against any legal action. This is generally the duration of the relationship plus the duration of any legal limitation period applicable under local laws.
In certain circumstances, data may be retained for a longer period, for example, when we are in correspondence, or when a claim or investigation is ongoing.
After this limitation period, personal data is destroyed or anonymized securely.
If you wish to obtain further information about the retention periods applicable to your personal data, you may write to privacy@innovmetric.com.
8. RIGHTS OF DATA SUBJECTS
8.1 Description and exercise of the rights
Persons have the following rights, in certain circumstances, regarding their personal data:
- Right of access to their personal data;
- Right to rectification of their personal data;
- Right to restriction of use of their personal data;
- Right to request the erasure or removal of their personal data;
- Right to object to our processing of their personal data;
- Right to data portability (in certain specific circumstances);
- Right to lodge a complaint before a regulator;
- Right to deindexation (the right to be forgotten); and
- Right to be informed of a decision based solely on automated processing.
A summary of each right and how a person can take steps to exercise it is presented below.
If you would like to exercise one of the above-mentioned rights, please communicate with us using the contact information indicated below. These requests must include information enabling us to verify your identity (such as your name, address, email address, and, where applicable, supporting documents or any other information that can be reasonably required).
When we receive a request to exercise one of these rights, we provide information on the steps we take regarding the request, without undue delay, and in all cases within one (1) month after receiving the request. Except in Québec, where the request must be answered within thirty (30) days, this delay can be extended by an additional two (2) months in specific circumstances, for example, when requests are complex or numerous.
The information will be provided free of charge, except where the requests are manifestly unfounded or excessive, in particular because of their repetitive nature. In these circumstances, with the exception of Québec, where only reproduction costs can be claimed, we may invoice reasonable fees or refuse to proceed with the request. We will inform each person of the fees to be invoiced before proceeding with a request.
We may request additional information to verify a person’s identity before proceeding with a request.
If we refuse to proceed with a request, we will inform the person without delay within one (1) month of receiving the request and will indicate the reasons for which we have refused to proceed with the request.
8.1.1 Right of access to personal data
In certain circumstances, individuals have the right to be informed of the following:
- that we hold and/or process (or not) their personal data; and
- some specific information regarding processing.
Persons also have the right to access their personal data and receive a copy of it, subject to exceptions provided for by law.
8.1.2 Right to restriction of processing of personal data
In certain territories, persons have the right to request that we restrict the processing of their personal data when one of the following conditions applies:
- A person contests the accuracy of the personal data. The restriction will apply until we have taken steps to verify the accuracy of the personal data;
- The processing is illegal, but a person does not want the personal data to be erased and instead requests a restriction;
- We no longer need the personal data for processing purposes, but it is still required by a person in the context of legal proceedings; or
- A person has exercised their right to object to processing. The restriction will apply until we have taken steps to verify whether we have compelling legitimate reasons to continue the processing.
8.1.3 Right to object to the processing of personal data
When personal data is used for marketing purposes with respect to a person, this person has the right to object to it at any time.
A person also has the right to object to the processing of their personal data when the legal basis for processing is based on our legitimate interests. We will have to stop processing until we can verify that we have compelling legitimate reasons for processing that override the interests, rights, and freedoms of the person, or that we must continue such processing for the establishment, exercise or defence of a right in court.
8.1.4 Right to withdrawal
In Québec, a person has the right to simply withdraw or change their consent to the collection, use, communication, or retention of their personal data at any time, subject to applicable legal or contractual restrictions.
8.1.5 Right to rectification of personal data
In certain territories, if a person believes that the personal data we retain regarding them is inaccurate, that person can request the rectification, modification, or update of said data if it is outdated, inaccurate, or ambiguous. The person can also request that incomplete personal data be completed, including by providing an additional declaration.
8.1.6 Right to erasure of personal data (“right to be forgotten”)
A person may also request the erasure of their personal data in certain circumstances, including, but not limited to:
- The personal data is no longer necessary for the aims for which it was collected or otherwise processed; and
- Processing was based on a consent that was withdrawn, and there is no other basis in law for processing.
There are also certain exceptions where we can refuse a request for erasure, for example, when the personal data is required to comply with a legal obligation or for the establishment, exercise, or defence of a right in court.
If a person requests the erasure of their personal data, this will potentially remove the records we hold in their favour, such as this person’s presence on a deletion list, and the person will have to contact us to provide personal data if they want us to retain their personal data in the future.
8.1.7 Right to data portability
When our legal basis relies on consent or the fact that processing is necessary for the performance of a contract to which a person is a party, and the personal data is processed using automatic means (for example, electronically), a person has the right to receive all the personal data they have provided to us in a format that is structured, commonly used, and machine-readable, and to have it directly transmitted to another controller when it is technically possible to do so.
8.1.8 Right to lodge a complaint before a regulator
A person has the right to lodge a complaint before a regulator in the territory where their habitual residence is located, the territory where they work, or the territory where the alleged violation of data protection laws was committed.
8.1.9 Right to deindexation
A person has the right to ask us to stop disseminating their personal data and deindex any link related to their name that gives access to their information if such dissemination contravenes the law or a court order.
8.1.10 Right to information
A person has the right to be informed when they are the subject of a decision based solely on automated processing or when an identification, location, or profiling technology is used, and of the means provided to activate these functions.
9. MISCELLANEOUS
9.1 Limitation of liability
We are committed to taking all reasonable steps to ensure a level of privacy and security of personal data that complies with adequate technological standards given our line of business.
Notwithstanding the foregoing, you declare that you understand and recognize that no computer system offers absolute security, and that an element of risk is always present when personal data is transmitted on a public network such as the Internet.
You therefore accept that we may not be held liable for any breach of privacy, computer hacking, virus, loss, theft, misuse, or alteration of personal data transmitted or hosted on our systems, or on those of a third party. You also declare that you waive all claims in this regard, except in the case of gross negligence or intentional misconduct on our part. Therefore, you agree to hold us, as well as any officers, administrators, associated persons, and commercial partners, harmless from any damages whatsoever, whether direct or indirect, incidental, special, or consequential related to the use of your personal data.
In the event of a breach of privacy or security of your personal data that causes a serious risk to your rights and freedom, this breach will be communicated to you as soon as possible, and we will take the steps necessary to preserve the privacy and security of your personal data.
9.2 Publication of content by the user
The user of the Website has the possibility, through their user account, to make comments and present other information as they wish. We remind you that we cannot be held liable for the content of your remarks nor for the consequences that may ensue. We strongly advise you not to publish any personal information about yourself on our Website to ensure your personal data is protected.
9.3 Third-party websites
Our Website may contain links to other websites. When you click on one of these links, you are taken to another site for which we are not responsible. We recommend that the user read the privacy policies of all these sites, as they may differ from ours. Therefore, we assume no responsibility for the content and activities of these sites.
9.4 Security
We have implemented technical and organizational security measures to prevent the loss of your personal data or unauthorized access to it. These measures include:
9.4.1 Access control
- All access to our systems is protected by multi-factor authentication (MFA) integrated into an enterprise-grade single sign-on (SSO) cybersecurity software solution.
- Role and access privileges are defined based on each employee’s duties. Access is limited to the minimum necessary, in accordance with the principle of least privilege (PoLP), to minimize the risk of unauthorized access.
9.4.2 System and data protection
- A corporate firewall is in place to restrict access to authorized sites only, ensuring controlled and secure network usage.
- Antivirus protection is provided by an enterprise-grade antivirus system that is centrally managed, providing consistent and up-to-date protection against malware.
9.4.3 Incident monitoring and response
- A structured IT incident management process is in place, enabling the proactive monitoring, timely handling, and documentation of security alerts, in accordance with applicable notification requirements in the event of a privacy incident.
- This process includes maintaining an incident register and evaluating potential impacts on data subjects.
9.5 Local regulations
Although this global policy aims to provide coherent and efficient information on a global scale, all information will always be processed in accordance with applicable local legislation. To obtain further information on local regulations applicable to your territory of residence, please refer to part C of this Policy.
9.6 Changes made to the Policy
From time to time, we may change and/or update this Policy. If this Policy is changed in any manner, we will publish an updated version on our Website. We recommend that you regularly consult our Website to ensure you are always aware of our practices regarding information management and of any changes made to these practices. Any change to this Policy will come into effect upon its publication on this web page.
9.7 Language
In the event of inconsistencies between a translation of this Policy and the original English version, the English version will prevail.
1. PERSONAL DATA COLLECTED FOR RECRUITMENT PURPOSES
1.1 Personal data processing
You will be directed to a third-party website to fill out your job application, but know that we take our obligations regarding privacy and personal data protection seriously.
1.2 Contact information
You may contact us at privacy@innovmetric.com if you have questions or complaints regarding the use of your personal data or this Recruitment Policy.
1.3 Personal data collected
We collect the information about you indicated below during the recruitment process. If you do not provide some information upon request, we will not be able to proceed with your application. This includes:
- Information provided in your résumé, the application form, the cover letter and, during the interview process, your name, date of birth, age, sex, personal address, personal email address, references, as well as details about your studies, qualifications, and work experience;
- Information we collect or create during the recruitment process, including interview notes, test results and correspondence between us; and
- Information regarding criminal convictions, as we may conduct background checks as part of the recruitment process.
We strive to limit personal data collection to that which is necessary to proceed with your application through to hiring.
If we must collect non-personal data and there is a possibility it may be combined with personal data that enables identification, the information will be processed as personal data until it can no longer be linked to a specific person.
We do not knowingly collect or use the personal data of individuals who are under fourteen (14) years of age. If you are under fourteen (14) years of age, you must not provide your personal data without the consent of your parents or your guardian.
1.4 Information sources
This information is (a) provided by you; (b) obtained from third parties as part of the job application and recruitment process; (c) obtained from public sources such as LinkedIn; or (d) created by us during the recruitment process.
1.5 How we use personal data
We use your personal data to move the recruitment process forward, evaluate your ability for a role and make a decision regarding it, communicate with you, conduct checks, and obtain references about your training, diplomas obtained, and previous employment. We will also use your information so that we may comply with legal and regulatory obligations.
1.6 Information related to criminal convictions
As part of the recruitment process, we may conduct criminal background checks. We use these background checks (a) to evaluate your ability for a regulated role; (b) to protect your interests, our interests, and the interests of third parties; and (c) because this is necessary as concerns legal proceedings. We are authorized to use your personal data in this manner when it is necessary for the exercise of our rights and the fulfillment of our obligations relative to employment, and we will always process your data in accordance with applicable local legislation.
1.7 Information that we share
We only share your personal data with the following third parties for the purpose of processing your job application: (a) employment agencies; (b) suppliers responsible for background checks and online tests; and (c) regulatory bodies and authorities having jurisdiction. We will also share your personal data within our group for administration, accounting, and reporting purposes.
It is therefore possible that your personal data may be communicated to Canada and the United States.
1.8 Retention of your information
We will retain your personal information for the duration of the recruitment process and for a maximum of seven (7) years thereafter, only as necessary for the purpose of creating an employee file when your application is selected. Unless you consent to your personal data being used or processed for another purpose or retained for a longer period, the personal data will then be destroyed or anonymized securely in accordance with applicable privacy laws and internal data protection policies.
1.9 Where your information will be retained
We will transmit the personal data we collect about you to our group companies outside the EEA for recruitment process management and administration purposes, subject to the implementation of appropriate security measures. If you would like to obtain copies of these measures, you can request them using the above-mentioned contact information.
1.9 Your rights
You have the following rights regarding your data: the right of access, the right to rectification, erasure, objection, restriction, deindexation, information about a decision solely based on automated processing, transfer in a structured format (right to portability), as well as the right to withdraw your consent and lodge a complaint before a regulator.
1.10 Additional information
Please refer to Sections 4 to 8 of our Privacy Policy to obtain additional information regarding our use of personal data.
1.11 Security
We have put in place physical, technological, and organizational security measures aimed at adequately protecting the privacy and security of your personal data against loss, theft, or any unauthorized access, disclosure, reproduction, communication, use, or modification.
Moreover, we limit access to your personal data to employees who need it to fulfill their duties. These persons only have access to information necessary to perform their tasks.
Despite adopting such measures, we cannot guarantee the absolute security of your personal data. If you have reason to believe that your personal data is no longer protected, please contact us immediately at privacy@innovmetric.com.
1.12 Limitation of liability
You declare that you understand and recognize that no computer system offers absolute security and that an element of risk is always present when personal data is transmitted on a public network such as the Internet.
You therefore accept that we may not be held liable for any breach of privacy, computer hacking, virus, loss, theft, misuse, or alteration of personal data transmitted or hosted on our systems, or on those of a third party. You also declare that you waive all claims in this regard, except in the case of gross negligence or intentional misconduct on our part. Therefore, you agree to hold us, as well as any officers, administrators, associated persons, and commercial partners harmless from any damages whatsoever, whether direct or indirect, incidental, special, or consequential related to the use of your personal data.
In the event of a breach of privacy or security of your personal data that causes a serious risk to your rights and freedom, this breach will be communicated to you as soon as possible, and we will take the steps necessary to preserve the privacy and security of your personal data.
Note: Although this global Policy aims to provide coherent and efficient information to candidates on a global scale, all information will always be processed in accordance with applicable local legislation.
1. DATA COLLECTED IN QUÉBEC
Bearing in mind the obligations imposed in Québec by the Act respecting the protection of personal information in the private sector, we have put in place many measures so as to comply, but more importantly, to better protect the personal data collected and maintain the trust of our clients, employees, and partners.
Among other things, we have:
- Appointed a data security officer;
- Deployed a process enabling quick response and recovery from any privacy incident, whether it be technological, human, or other in nature;
- Deployed a personal data governance framework that includes a Personal Data Protection Policy, a Privacy Policy, a Website terms of use, a process for handling complaints related to the protection of personal data, an express consent process when implicit consent is insufficient, as well as other policies, procedures, guides, processes, and documents required to manage personal data;
- Established rules in the event of communication or hosting of personal data outside Québec;
- Put in place important technological measures to restrict access to personal data to those individuals who need it for their work only and prevent, to the extent possible, any attack on personal data.
2. FOR CHINA RESIDENTS
2.1 Legal basis for processing personal information
In the event of an inconsistency between the terms of Part C and Part A, the terms of Part C will apply for users that are protected under China’s data protection and cybersecurity laws and regulations (hereinafter “Personal Information Subjects”).
If we use your personal information for other purposes not described in this Policy, or collect your personal information for other specific purposes, we will inform you in a reasonable manner and obtain your consent again before using your personal information.
According to applicable laws and regulations, it is not necessary to obtain your consent when your personal information is processed based on the following lawful bases:
- Necessary for the conclusion or performance of a contract to which you are a party;
- Necessary for the fulfillment of statutory duties or legal obligations;
- Necessary to respond to a public health emergency or to protect the life, health, safety, or property of individuals in an emergency situation;
- Processing within a reasonable scope of personal information that is voluntarily disclosed by you or already lawfully disclosed, as stipulated under the Personal Information Protection Law (PIPL) of the People's Republic of China; and
- Other circumstances prescribed by applicable laws and regulations.
2.2 Data Sharing
Other than in the situation specified under Section 2.5 of Part A, we might share your personal information with any third-party companies, organizations, or individuals in the following circumstances:
- At your request, or based on your prior explicit authorization or consent;
- In connection with our fulfillment of obligations under applicable laws and regulations;
- Where you have voluntarily disclosed the personal information to the public;
- Collecting personal information that is legally and publicly available, such as legitimate news reports, open government information, and other lawful channels;
- With our affiliated companies to facilitate the joint service from our group and affiliates, your personal information may be shared only as necessary, and such sharing is subject to the purposes stipulated under this Policy. Once we or our affiliates change the purpose of personal information processing, we will obtain your authorization and consent again.
- With our service providers or commercial partners. When such partners act as data controllers, they will have to obtain your consent in their own name to process your personal information. Said partners will have their own independent privacy policy and terms and conditions. We recommend that you carefully read the third-party terms and conditions and privacy policy.
- Any other circumstances stipulated by applicable Chinese laws and regulations.
The details regarding the sharing of your personal information with third-party companies, organizations, or individuals are listed in our Privacy Impact Assessment (PIA) compliance report. If you wish to opt out of personal information processing that you have expressly consented to previously, please contact us via the methods listed in Part D.
If the transfer is necessary, we will inform you of the purpose of the transfer, type of personal information, and transferee before the transfer (if sensitive information is involved, we will also inform you of the content of such sensitive information). The transfer will be initiated after obtaining your consent, unless otherwise provided by laws and regulations.
Even if we have obtained your consent, we will only share your personal information for legitimate, lawful, necessary, specific, and explicit purposes. We will only share your personal information with companies, organizations, and individuals as necessary to fulfill the purposes stated in this Policy. We will enter into strict data protection and confidentiality agreements with these entities, requiring them to comply with the agreements and adopt appropriate security measures to protect your personal information. They will not be permitted to use the shared personal information for any other purpose.
2.3 Transfer
In principle, we will not transfer your personal information to any other company, organization, or individual. However, if we are involved in a merger, acquisition, or bankruptcy liquidation, and the transfer of personal information is necessary, we will inform you of the name and contact details of the recipient, and we will require the new entity holding your personal information to continue to be bound by this Policy. Personal information for which no recipient is identified will be deleted. If there are any changes to the collection or processing of personal information as stipulated in this Policy, the new entity will obtain your renewed consent.
2.4 Disclosure
We will only disclose your personal information under the following circumstances:
- With your explicit consent or directed by you, we may publicly disclose your personal information;
- Where disclosure is required by law, regulation, or mandatory administrative or judicial order, only in accordance with the type and manner of disclosure required. Subject to compliance with applicable laws and regulations, we will request the requesting party to provide the corresponding legal documentation, such as a subpoena or investigation letter, before proceeding with disclosure.
- Any information you voluntarily disclose or publicly share while using our services may involve your personal information or that of others, including sensitive personal information. This may include transaction details or any personal information you choose to upload through text, images, videos, or other formats when posting content. You should carefully consider whether to disclose or publicly share such information when using our services.
- According to applicable laws, where personal information has been anonymized and cannot be re-identified by the recipient, the entrustment, sharing, transfer, or public disclosure of such data does not constitute personal information processing. Therefore, the storage and processing of such anonymized data do not require further notice to you or additional consent from you.
2.5 How we store your personal information
In principle, the personal information we collect and generate in China will be stored in China.
2.6 International Transfer
For internal management processes (to effectively manage customer information, enhance business cooperation opportunities), the personal information that we have collected from you (including, but not limited to, name, position and title, personal and work phone numbers, personal and work email addresses, and office address) will be transmitted to the following locations outside the People’s Republic of China: InnovMetric Software Inc., 2014 Cyrille-Duquet, Suite 310, Québec City, Canada, G1N 4N6, +1 418 688-2061. We will transmit your personal information in compliance with applicable laws and regulations, obtain your consent in advance, and take necessary measures to ensure the security of your personal information.
2.7 Personal Information Subjects’ Rights
Other than the rights specified in Section 6 of Part A, you are also entitled to the following rights:
2.7.1 Right to withdraw consent
You have the right to withdraw any prior consent granted to us for specific purposes at any time. We will process your request after your request is made and cease processing your personal information. Additionally, we will delete all of your personal information. Please note that upon the withdrawal of your consent or authorization, we will no longer be able to provide the relevant products and/or services to you. However, your decision to withdraw consent will not affect the validity of any prior processing of your personal information based on your previous consent.
2.7.2 Protection of personal information of deceased individuals
In the event of a natural person's death, their immediate family members may exercise rights such as access, rectification, and deletion regarding the deceased's personal information for their own legitimate and proper interests through the contact information provided in this Policy, subject to any prior arrangements made by the deceased during their lifetime. You acknowledge and confirm that, to adequately protect the deceased's personal information rights, immediate family members seeking to exercise the rights under this clause must follow the designated procedures outlined by us, submit the deceased's identity verification documents, death certificate, the applicant's identity verification documents, proof of the applicant's familial relationship with the deceased user, and specify the type of rights being exercised and the purpose thereof.
To ensure security, we may require you to verify your identity and the legitimacy of your request by appropriate means when you exercise your Personal Information Subject Rights. We will verify your identity and process your request within fifteen (15) working days upon receipt of your feedback.
In principle, we do not charge any fees for reasonable requests. However, for repeated requests that are excessive or go beyond reasonable limits, we may charge a certain cost-based fee depending on the circumstances. Requests that are manifestly unfounded, require disproportionate technical effort (for example, the development of new systems or fundamental changes to existing practices), pose risks to the legitimate rights and interests of others, or are otherwise highly impractical (for example, involving information stored on backup tapes), may be refused.
3. FOR RESIDENTS OF CALIFORNIA
3.1 Information that we share
The California Consumer Privacy Act (CCPA) grants California residents specific rights regarding their personal data. This section describes your rights under the CCPA and explains how to exercise them. We collect information that identifies and describes, directly or indirectly, a specific consumer or a device (“Personal data”) or that relates to, refers to, is likely to be associated with or could be reasonably linked to it. Over the past twelve (12) months, we have collected personal data belonging to the following categories, as detailed more precisely herein.
- Information entered in our blogs, such as information about devices (for example, brand, device model, screen size), Unique Identification Numbers (for example, IP address and device identifier), and information on a browser (for example, uniform resource locator, type of browser, pages visited, date or time of access);
- Information about behaviors (such as information regarding the behavior or presumed interests of persons related to these persons, and that can be used to create a user profile); and
- Information captured by our cookies (see our Cookie Policy).
We obtain the personal data categories listed above from the following sources:
- Directly and indirectly from activity on our Website, for example, from submissions on the Website portal or Website usage details automatically collected; and
- Directly from you at our annual conferences and trade shows.
3.2 Retention
We retain data in accordance with our record retention program. The criteria used to determine retention periods include:
- the length of time we have an ongoing relationship with you and provide the products or services to you;
- whether there is a legal obligation to which we are subject; and
- whether retention is advisable in light of our legal position, such as in regard to the enforcement of the Website Terms of Use, applicable statutes of limitations, litigation, or regulatory investigations.
The time periods listed above are based on the longest period we need to keep a category of company records that may contain this category of personal information. When we no longer need to retain your personal information, we promptly destroy it pursuant to the ordinary course of business under our record retention program, unless a legal obligation to continue to retain that data applies. For example, we may need to retain documents that contain personal information for a longer period to comply with preservation obligations in litigation and government investigations.
3.3 Tracking
We recognize and honor Global Privacy Control (GPC) signals as a valid request to opt out of the sale or sharing of personal information.
Because we link to social media sites, and may, from time to time, include third-party advertisements, other parties may collect personally identifiable information about your online activities over time and across different websites when you visit our Website.
Please note that not all tracking will stop even if you delete cookies.
3.4 Encryption
We use no encryption (data scrambling) on certain portions of the Website, but use encryption on portions where you are transmitting financial information, such as credit card information. When you are on any Website that asks you for confidential information, you should check to see if the information being transmitted is encrypted in order to increase the security of your information. Keep in mind that there is no such thing as perfect security.
3.5 Process for Review and Changes
For any questions, or to review and change your information, please contact us at privacy@innovmetric.com.
3.6 California Privacy Rights
You have the right to request that we disclose to you what information we collect, use, disclose, and sell. You also have the right to request that a business delete any personal information it has collected about you. You may review and change your information at any time by contacting us at privacy@innovmetric.com. Please note that, for your protection, any request to delete your personal information will be subject to the internal verification procedure. You have the right to direct us to not sell your information. To exercise this right to opt out of the sale of personal information, please click here: Do Not Sell My Personal Information.
If you opt to exercise your privacy rights, we are required to verify your identity in order to prevent unauthorized access of your data. This may require us to ask you certain questions to confirm your identity or require you to provide state-issued identification. Requests to exercise these rights may be granted in whole, in part, or not at all, depending on the scope and nature of the request and applicable laws. Where required by applicable laws, we will notify you if we reject your request and inform you of the reasons we are unable to honor your request. The following rights may be exercised by California residents, subject to applicable legal conditions and limitations:
- Access, including confirming whether we are processing your personal data. If we grant your request, we will provide you with a copy of the personal information we maintain about you in the ordinary course of business. This may include what personal information we collect, use, or disclose about you. We may not fulfill some or all of your requests to access as permitted by applicable laws.
- Correction, taking into account the nature of the personal data and the purposes of the processing of your personal data.
- Deletion. Depending on the scope of your request, we may refrain from granting your request, as permitted by applicable laws. For example, we may be legally required to retain your information in our business records.
- Data portability, in a readily usable format, to the extent technically feasible. A consumer may exercise this right no more than two times per calendar year.
- Opt out of the sale or sharing of your personal information by the business.
We shall not discriminate against you for exercising any of your above rights.
You may designate an authorized agent to make a request to exercise your rights on your behalf. For your protection, we reserve the right to deny any request from an agent who does not submit proof that they have been authorized to act on your behalf.
We have no actual knowledge that we sell personal information of minors under age 16.
We make no active effort to collect personal information from children under the age of 18 and do not wish to receive any such information.
3.7 Additional Rights
Applicable laws may give you additional rights that are not described in the Privacy Policy.
4. FOR RESIDENTS OF THE EUROPEAN ECONOMIC AREA (EEA)
Please refer to our GDPR Policy.
5. FOR JAPAN RESIDENTS
5.1 Recipients of business contact information
We jointly utilize the personal information of business contacts in the manner or for the purposes listed below. We ensure that the personal information transferred outside of Japan will enjoy an equivalent level of protection as those provided under the Japanese Act on the Protection of Personal Information.
- Categories of jointly utilized personal information: the personal information specified in Section 2.2 of Part A;
- Scope of third parties jointly utilizing personal information: our company as well as our group companies listed at https://www.polyworks.com/en/find-contact
- Purpose of joint utilization: the purposes of the processing specified in Section 2.3 of Part A
- Company responsible for controlling the jointly utilized personal information: PolyWorks Japan K.K.
5.2 Recipients of personal information of website users and visitors of our social media web pages
We will not disclose the personal information of website and social media users to third parties without the website and social media users' consent, except as permitted by applicable laws.
5.3 Information that we share
We will not disclose your personal information to third parties without your consent, except as permitted by applicable laws.
6. FOR RESIDENTS OF MEXICO
This Privacy Policy is in compliance with the provisions of the Mexican Federal Law for the Protection of Personal Data Held by Private Parties / Ley Federal de Protección de Datos Personales en Posesión de Particulares (referred to as the “Law”) and its Regulations regarding the right to personal data protection in Mexico.
In accordance with Section 2 of this Privacy Policy, and for purposes of Mexico, in the event that the Data Controller (as such term is defined under the Law) collects sensitive personal data understood as data that affects the most intimate sphere of the Data Subject (as such term is defined under the Law), or whose improper use could result in discrimination or generate a serious risk to the Data Subject, the Data Controller shall at all times obtain the Data Subject’s express consent, and such data will be processed in accordance with the Law and its Regulations.
By accepting this Privacy Policy, the Data Subject expressly agrees to the transfer of their personal data to the third parties indicated in Section 2.5, for the purposes stated therein. Pursuant to the Law and its Regulations, and if applicable, the Data Controller will obtain the Data Subject’s consent to formalize such transfers. In accordance with the Law, in order to exercise the rights of access, rectification, cancellation, or opposition (ARCO Rights) the Data Subject may do so by submitting a written request to the area designated for personal data matters. We will have a period of twenty (20) business days from the date of receipt to notify you electronically at the last email address provided. If the request is deemed valid, it shall become effective within fifteen (15) business days following the date on which said resolution was communicated. These time periods may be extended once for an equal period when justified by the circumstances of each case.
The requested information will be delivered once the identity of the Data Subject, or that of their legal representative, as applicable, has been duly verified. The Data Subject has the right to file a complaint with the Ministry of Anticorruption and Good Governance if they consider that their personal data protection rights have been violated.
7. FOR RESIDENTS OF THE REPUBLIC OF KOREA
We process personal information of Data Subjects in the Republic of Korea in accordance with the Personal Information Protection Act of Korea (hereinafter the “PIPA”) and other applicable laws and regulations as specified below.
7.1 Items of personal information processed and purpose of processing
We process the following items of personal information only for the purposes described below. In the event of any change to the purposes of processing, we will obtain separate consent or take other necessary measures in accordance with Article 18 of the PIPA.
The types of personal information, items processed, and purposes of processing as specified in our current Privacy Policy are listed in the table.
7.2 Period of processing and retaining personal information
We process and retain personal information only within the retention and use periods prescribed by applicable laws or within the period for which consent was obtained from the Data Subject at the time of collection.
The retention periods applicable to specific categories of personal information and data subjects are detailed below, in accordance with relevant Korean laws and regulations.
7.2.1 Business contact information
Until all claims and obligations are settled following the termination or expiration of the contract for the use of goods or services; provided, however, that if any of the following grounds arises, the information shall be retained until the expiry of the applicable statutory period:
- Retention under the Act on the Consumer Protection in Electronic Commerce:
  - Records regarding contracts or withdrawal of offers: seven (7) years
  - Records regarding payment and supply of goods/services: seven (7) years
  - Records regarding consumer complaints or dispute resolution: seven (7) years
- Retention under the Framework Act on National Taxes:
  - Books and evidentiary documents related to all transactions prescribed under tax laws: seven (7) years
(Use of information for marketing and advertising purposes) From the date of consent until withdrawal of consent, provided, however, that if a user has not used the our services for one (1) year from the date of last service use, such user's personal information shall be stored separately pursuant to the Act on Promotion of Information and Communications Network Utilization and Information Protection.
7.2.2 Information regarding PolyWorks software end users
IP addresses and usage logs: one (1) year from the date of collection
7.2.3 Information regarding our Website users and visitors of our social media pages
Until the withdrawal of consent
7.2.4 Job applicant information
Until the date on which the relevant job applicant is eligible to request the return of their application documents, provided, however, that if hiring decisions have been finalized, the application documents of applicants who were not selected for hire shall be destroyed within five (5) days from the date of final decision.
(Where retention of unsuccessful applicants' information is required under other laws) the period specified under such applicable law.
7.3 Provision of personal information to third parties
In principle, we process personal information only within the scope set forth in Article 1 (Items of Personal Information Processed and Purposes of Processing) and shall not provide personal information to third parties except:
- with the Data Subject’s consent; or
- as required or permitted under applicable laws.
We provide personal information to third parties with the Data Subject’s consent in the following cases specified in the table.
7.4 Outsourcing of personal information processing
We outsource certain personal information processing tasks to the following service providers, specified herein, for the purpose of ensuring smooth and efficient processing of personal information.
Pursuant to Article 26 of the PIPA, when entering into an outsourcing agreement, we are required to specify the following in the contract:
- prohibition of processing personal information for purposes other than those specified in the outsourcing agreement;
- technical and administrative protective measures of the outsourced personal information;
- restrictions on sub-contracting;
- supervision and management of the service provider; and
- matters concerning liability for damages.
In addition, we monitor service providers to ensure that they handle the outsourced personal information in a secure manner.
If there are any changes to the outsourced tasks or the service provider, we will immediately disclose such changes through this Privacy Policy.
7.5 Cross-border transfer of personal information
For the purpose of providing services and conducting business operations, we transfer personal information of data subjects to locations outside of Korea as described herein.
7.6 Destruction of personal information
7.6.1 Procedure for destruction
We destroy personal information without delay when:
- the retention period has expired;
- the processing purpose has been achieved; or
- the collected personal information otherwise becomes unnecessary.
If personal information must be retained despite the expiry of the retention period or the achievement of the processing purpose due to other applicable laws, we will store such personal information separately in a different database (DB) or physical location.
7.6.2 Methods of destruction
We destroy personal information using one of the following methods:
- Electronic files: must be permanently deleted using methods that prevent restoration
- Paper documents: must be shredded using a shredder or incinerated
7.7 Rights and obligations of Data Subjects and methods of exercise
7.7.1 Rights of Data Subjects
A Data Subject may, at any time, exercise the following rights regarding their personal information:
- Right to request access to personal information;
- Right to request the correction of inaccuracies in personal information;
- Right to request the deletion of personal information; and
- Right to request the suspension of processing of personal information.
7.7.2 Methods of exercising rights
A Data Subject may exercise their rights by submitting a request to us via mail, email, fax, or other means using the contact information set out below. Upon receipt of such request, we will take necessary measures without delay.
Email address: privacy@innovmetric.com
Address: PolyWorks Korea Ltd, 307Register11, 3F, 23, Jong-ro 12-gil, Jongno-gu, Seoul, (03190), Republic of Korea
7.7.3 Response period
We shall notify the Data Subject of the outcome of the request within ten (10) days from the date such request is received.
7.7.4 Exercise of rights through agents
A Data Subject may exercise rights through a legal representative or an authorized agent. In such cases, a power of attorney must be submitted to us.
7.7.5 Limitations on the exercise of rights
The rights of Data Subjects may be restricted pursuant to Articles 35(4), 36(1), and 37(2) of the PIPA.
7.8 Installation, operation, and rejection of automatic personal information collection devices
7.8.1 Purpose of using cookies
We use cookies, which store and retrieve user data as needed in order to provide customized services tailored to individual users.
Cookies are small pieces of information sent from the server operating the Website to the user’s web browser and are sometimes stored on the hard disk of the user’s computer. They serve the following purposes:
- Analyzing access frequency and visit times of members and non-members;
- Identifying users’ preferences and areas of interest, and tracking usage patterns; and
- Providing targeted marketing and personalized services by identifying levels of participation in various events and visit counts.
7.8.2 Installation, operation, and rejection of cookies
Users may disable the storage of cookies by adjusting their web browser settings under:
Tools > Internet Options > Privacy.
However, by disabling the storage of cookies, users may experience limitations in accessing certain customized services.
7.8.3 Collection of log files
In the course of using our services, information such as IP address, time of access, and service usage records may be automatically generated and collected.
7.9 Methods of remedy for infringement of rights
Data Subjects may seek dispute resolution or consultation from the Personal Information Dispute Mediation Committee, Personal Information Protection Center of the Korea Internet & Security Agency, and other relevant institutions.
- Personal Information Protection Center (operated by Korea Internet & Security Agency)
  - Services: Filing reports of personal information violations and submitting consultation requests
  - Website: privacy.kisa.or.kr
  - Telephone: 118 (no area code)
  - Address: 3F, 9 Jinheung-gil, Naju-si, Jeollanam-do, 58324
- Personal Information Dispute Mediation Committee
  - Services: Mediation of personal information disputes, collective dispute mediation (civil resolution)
  - Website: www.kopico.go.kr
  - Telephone: 1833-6972 (no area code)
  - Address: 4F, Government Complex Seoul, 209 Sejong-daero, Jongno-gu, Seoul, 03171
- Cybercrime Investigation Division, Supreme Prosecutors’ Office
  - Telephone: +82-2-3480-3573
  - Website: www.spo.go.kr
- Cyber Security Bureau, National Police Agency
  - Telephone: 182 (no area code)
  - Website: cyberbureau.police.go.kr
8. MEASURES TO ENSURE THE SECURITY OF PERSONAL INFORMATION
In accordance with Article 29 of the PIPA, we implement the following technical, administrative, and physical safeguards necessary to ensure the security of personal information:
8.1 Establishment and implementation of internal management plans
We establish and implement internal management plans to ensure the secure processing of personal information.
8.2 Access limitation and training of personnel authorized to handle personal information
We designate specific personnel authorized to handle personal information and limit access to such personnel to the minimum necessary to ensure the secure management of personal information.
8.3 Implementation of regular internal audits
We conduct regular internal audits to ensure the security of personal information processing practices.
8.4 Technical measures against hacking and other threats
- Multi-factor authentication (MFA) for access control
- Microsoft 365 Single Sign-On (SSO)
- Role and permission management based on the principle of least privilege
- Managing roles and access based on the principle of least privilege
- Operation of enterprise firewalls
- Installation and management of antivirus software
8.5 Encryption of personal information
Personal information is securely stored and managed through encryption and other security measures.
8.6 Retention and prevention of forgery or alteration of access logs
Records of access to personal information processing systems are retained for at least six (6) months and maintained securely against forgery, alteration, theft, and loss.
8.7 Restrictions of access to personal information
We control access to database systems that process personal information by granting, modifying, and revoking access rights as necessary, and implement intrusion prevention systems to protect against unauthorized external access.
8.8 Operation of organizations dedicated to protection of personal information
We operate a dedicated internal organization responsible for overseeing overall activities related to the protection of personal information.
8.9 IT security incident response process
We operate a structured IT security incident management process to proactively monitor security alerts, respond promptly to incidents, and maintain appropriate documentation.
9. PROTECTION OF MINORS UNDER THE AGE OF 14
We do not collect personal information from children under the age of 14. If we become aware that we have collected personal information from a child under the age of 14, we will promptly destroy such information or take other necessary measures.
Parents or legal guardians may contact the Data Protection Officer specified in Article 9 if they believe that their child has provided personal information without consent, and may request access, correction, or deletion of such personal information.
Last update on May 1, 2026
We and all our group companies listed at https://www.polyworks.com/en/find-a-contact will have access to information on persons covered by this Policy.
1. HOW TO CONTACT US
You may exercise the above-mentioned rights at any time by sending us a letter or an email (at our mailing address: 2014 Cyrille-Duquet, Suite 310, Québec, Québec, Canada G1N 4N6 or at this email address: privacy@innovmetric.com), or to one of our group companies (subsidiary or joint venture), also designated as an InnovMetric representative in the EEA, that operates in the country where you are located. The required contact information can be found using the following link: https://www.polyworks.com/en/find-a-contact.
Your personal data will at all times be processed with a level of protection that complies with the requirements of applicable regulations relative to the protection of personal data, to ensure their security and privacy.
Finally, we inform you of your right to present a request to a competent data security control authority if you believe it to be necessary or appropriate.