How Vesta Plus handles your information.

Vesta Plus is a document automation tool. This page explains exactly what data we collect to operate the service, and how we protect it.

Updated: June 9, 2026|Effective since: January 1, 2025

La version française prévaut en cas de conflit. The French version prevails in case of conflict.

Who We Are

Vesta Plus Inc. ("Vesta Plus," "we," "us") operates the platform available at vestaplus.ca. Vesta Plus is a document automation tool that helps Québec businesses generate privacy policies aligned with Law 25 (An Act modernizing legislative provisions as regards the protection of personal information).

⚠Vesta Plus is an automation tool, not a law firm. Documents generated by the platform are based solely on information provided by the user and do not constitute legal advice. Vesta Plus accepts no liability for the legal sufficiency or suitability of any generated document for any particular business situation.

Data We Collect

We collect only information necessary to operate the service:

Account data	Name, email address, company name, and an encrypted password (or, if you use social sign-in, your name and email received from Google or GitHub)
Form data	Answers to the Law 25 assessment questionnaire (officer name, contact info, data categories, etc.) and the compliance documents generated from them
Payment data	Processed by Stripe, Vesta Plus never stores card numbers
Technical data	IP address, browser, access logs (retained 90 days)
Cookies	Session, language preference, anonymized analytics (see §6)

We do not collect sensitive personal information as defined under Law 25 (medical, biometric, personal financial data). Form data you enter describes your business, it is not personal data about Vesta's operations.

Why We Process It

→Create and manage your Vesta Plus account
→Generate the compliance documents you request
→Process payments via Stripe
→Improve the platform (aggregated, anonymized analytics)
→Send transactional communications (confirmations, receipts, policy update notices)
→Comply with our legal obligations

We do not use your data for third-party marketing, resale, or behavioural profiling.

Third Parties & Transfers

Vesta Plus shares information with a limited set of sub-processors:

Vendor	Role	Location
Neon	PostgreSQL database hosting , stores your account, questionnaire answers and generated documents	United States
Anthropic (Claude API)	AI document generation , your inputs are sent for processing only; under Anthropic's commercial terms they are not used to train models and are not retained beyond the request	United States
Stripe	Payment processing	United States / Canada
Google, Microsoft	Optional social sign-in (OAuth) , used only if you choose to log in with them	United States
Vercel	Application hosting	United States
Resend	Transactional email delivery (verification, password reset, receipts)	United States
PostHog	Product analytics , tracks usage and feature interaction to improve the platform	United States

🌐Personal information is transferred to and processed outside the province of Québec, including in the United States. Prior to any such transfer, Vesta Plus assesses whether the destination country provides adequate protection, in accordance with Article 17 of Law 25. A Privacy Impact Assessment (PIA) has been conducted for each of these transfers.

Retention & Destruction

Account data	Subscription duration + 12 months
Form data (questionnaire)	Subscription duration + 12 months
Generated documents	Subscription duration + 12 months
Technical logs	90 days
Payment data	7 years (tax obligation)

Upon expiry of the above periods, data is irreversibly deleted or anonymized so that it can no longer be associated with an identifiable individual. Destruction is carried out securely in accordance with industry best practices.

Cookies

Type	Usage	Control
Essential	Session, authentication	Always active
Preference	Language, UI settings	Always active
Analytics	Anonymized traffic (e.g. Plausible)	Opt-out available

No advertising or third-party marketing cookies are used. You may disable analytics cookies in your account settings.

Your Rights

Under Law 25 and Québec's Act respecting the protection of personal information in the private sector, you have the following rights:

→Right of access : Obtain a copy of the personal information we hold about you
→Right of rectification : Correct any inaccurate or incomplete information
→Right to erasure : Delete your account and data directly from your account settings, or request deletion by email (subject to legal retention obligations)
→Right to portability : Receive your data in a structured, machine-readable format
→Right to withdraw consent : Withdraw consent at any time without prejudice
→Right to file a complaint : With the Commission d'accès à l'information (CAI) du Québec

✉To exercise your rights, write to confidentialite@vestaplus.ca. We will acknowledge receipt within 5 business days and process your request within 30 days as required by law.

Security

Vesta Plus implements security measures appropriate to the sensitivity of the information processed, including: encryption in transit (TLS 1.3) and at rest, role-based access controls, access logging, and continuous monitoring. In the event of a privacy incident presenting a serious risk of harm, we commit to notifying the Commission d'accès à l'information (CAI) and affected individuals, as required under Law 25.

Privacy Officer

Vesta Plus Inc.'s Privacy Officer can be reached at:

Vesta Plus Inc.

Attn: Privacy Officer

confidentialite@vestaplus.ca

Changes to This Policy

We may update this policy at any time. For material changes, we will notify you by email at least 15 days before the changes take effect. The updated date in the header is authoritative. Continued use of the service after that date constitutes acceptance of the revised policy.

Vesta Plus.

Last updated: June 9, 2026

confidentialite@vestaplus.ca