Privacy policy

By using the Website, you agree to the collection and use of information in accordance with this Privacy Policy.

Foreword

This policy deals with the management and protection of information deemed confidential within The Breach in accordance with Quebec legislation, notably the Act respecting the protection of personal information in the private sector (Law 25). 

The Breach is committed to respecting and protecting your privacy. We take the security and confidentiality of your personal information very seriously. The purpose of this policy is to provide you with clear and transparent information on how we handle your personal data and to explain your rights in this respect.

The policy applies to relations between all persons: directors, donors, staff members, volunteers and clientele, partners as well as all other persons working or present on the various premises of The Breach.

The policy has the following objectives:

• to ensure respect for the privacy of individuals and the security of personal information held by The Breach;
• to establish guidelines for the exchange of information both inside and outside the organization’s premises.

If you have any questions or concerns about this policy or the way in which we manage your personal information, please contact us using the contact information provided at the end of this policy.

1 | Organizational Mission & Values

The Breach is a non-profit, national organization and independent media outlet producing critical journalism to help map a just, viable future. Our mission is to produce investigations, analysis and videos about the crises of racism, inequality, colonialism, and climate breakdown—and what to do about it.

2 | Definitions

For the purposes of this policy, the following terms shall have the respective meanings :

• You means the individual accessing the Website.
• Publisher (referred to as either “the Publisher”, “we”, “us” or “our”) refers to The Breach, 403-2110 Rue Mackay, Montreal, QC, Canada H3G 2J1 and includes, Indiegraf Media. Inc. (a corporation federally registered in Canada), insofar as it is providing services to The Breach in administering the Website.
• Account means a unique account created for you to access the Website.
• Cookies are small files that are placed on your computer, mobile device or any other device by a website, containing the details of your browsing history on that website among its many uses.
• Device means any device that can access the Website such as a computer, a cellphone or a digital tablet.
• Personal Data is any information that relates to an identified or identifiable individual.
• Website Provider means any party that processes the data on behalf of the Publisher. This includes third-party companies or individuals employed or otherwise retained by the Publisher to facilitate the Website, to provide the Website on behalf of the Publisher, to perform services related to the Website or to assist the Publisher in analyzing how the Website is used.
• Third-party Social Media Service refers to any website or any social network website through which a user can log in or create an account to use the Website.
• Usage Data refers to data collected automatically, either generated by the use of the Website or from the Website infrastructure itself (for example, the duration of a page visit). 
• Website refers to The Breach, accessible from www.breachmedia.ca.
• Confidentiality: The act of limiting or prohibiting others from having access to private information obtained in the course of one’s duties.
• Personal information: Any type of information that can lead to the identification of a certain person such as phone number, email address, date of birth, employment history, among others. 
• Non-personal information: Any information that cannot be used to personally identify you, such as data referring to participation in our events and general demographic information.
• Discretion: The ability to keep confidences and private information obtained outside the workplace secret in order to preserve respect, friendship and trust.

3 | Obligations of Confidentiality

The Breach collects both Personal Information and Non-Personal Information. Personal Information is the focus of this policy. 

The Breach does not sell, trade, rent or otherwise share for marketing purposes your Personal Information with third parties without your consent. We do share Personal Information with banks, third party payroll services or financial processing systems who are performing services for The Breach for purposes of processing payments and honorariums. 

In general, we use Non-Personal Information to help us improve our services and to improve our work. If our information practices change at any time in the future, we will post the policy changes to our website. We suggest that you check periodically if you are concerned about how your information is used. 

The Breach agrees to: 

• Ensure the security and confidentiality of any personal information obtained 
• Implement measures to protect confidential information 
• Ensure that complaints about confidentiality are addressed 
• Ensure the confidential treatment of complaints 
• Collect only information that is useful or necessary 
• Apply the confidentiality policy with respect to the values of The Breach 
• Act with respect and transparency when applying this policy, and act in compliance of the applicable laws.  

All persons within The Breach (employees or contractors) who obtain confidential information in the course of their duties are required to respect the confidentiality of such information. An exception is made in certain cases, where it is essential for those involved to be able to exchange certain information for the betterment of our work. In such cases, the persons concerned must also maintain the confidentiality of the information exchanged. This obligation continues even after their relationship with The Breach has formally concluded.

4 | Obligations of Discretion

Any person who, within The Breach, has exchanges that are not related to the performance of their duties must act with discretion in regards to the sharing of any confidential information. 

Accordingly, they must: 

• Respect the privacy of others;
• Not divulge confidential information obtained within the organization;
• Guard the sensitive information of those who confide in them;
• Act in accordance with the organization’s values.

5 | Collection and use of personal information

The Breach collects and uses personal information in compliance with Law 25. Personal information is collected only for specific, legitimate and clearly identified purposes, and is not subsequently processed in a manner incompatible with these purposes.

In general, the Personal Information you provide to us is used to help us communicate with you, employ you or process financial forms. For example, we use Personal Information to contact users in response to questions, send relevant information regarding your submission of this information, process payments or communicate about your role if employed by the Organization. 

We may share Personal Information with outside parties if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to meet any applicable legal process or enforceable governmental request; to enforce applicable Terms of Service, including investigation of potential violations; address fraud, security or technical concerns; or to protect against harm to the rights, property, or safety of our members or the public as required or permitted by law.

5.1 | Types of Personal Information Collected

When you interact with The Breach, whether as a donor, a subscriber, an employee, a user of our Website, or otherwise, we may collect various types of personal information in line with our organizational needs. 

This information may include, but is not limited to:

• Contact information: full name, mailing address, email address, phone number. 
• Identifying information: Date of birth, social insurance number (for payroll).
• Financial information: credit card number and other information linked to those transactions (for donations).
• Information on your interactions with The Breach: comments on the website, or received by email, website visits. 
• Any other information you choose to share with The Breach. 

5.2 | Objectives of the collection and usage of personal information 

The Breach uses the information that we collect with the objective of communicating with individuals, primarily, but not exclusively, through our newsletters. 

The Breach does not store the payment card details you provide to make a payment. That information is provided directly to our third-party payment processors whose use of your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.The Breach uses Stripe, Paypal and CanadaHelps to process card payments and regular donations. Click here to view the Stripe and here for CanadaHelps privacy policy.

The Breach uses Google Analytics to collect anonymized data on our website usage. This data is anonymous, meaning that online behavior cannot be traced back to the individual.

Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of the Website. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network.

You can opt-out of having made your activity on the Website available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (ga.js, analytics.js and dc.js) from sharing information with Google Analytics about visits activity.

For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: https://policies.google.com/privacy?hl=en

5.3 | Internet Cookies

You can instruct your browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if you do not accept Cookies, you may not be able to use some parts of the Website.

Cookies can be “persistent” or “session” Cookies. Persistent Cookies remain on your personal computer or mobile device when you go offline, while session Cookies are deleted as soon as you close your web browser. 

If you navigate away from the Website, other parties may also place a Cookie in your browser. The use of such Cookies is governed by the privacy policy of those third parties. The Publisher does not control, nor is it responsible for the activities or practices of these third parties.

We use both session and persistent Cookies for the purposes set out below:

Necessary / essential cookies

Type: Session Cookies

Administered by: Us

Purpose: These Cookies are essential to provide you with services available through the Website and to enable you to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts. Without these Cookies, the services cannot be provided, and we only use these Cookies to provide you with those services.

Cookies policy / notice acceptance cookies

Type: Persistent Cookies

Administered by: Us

Purpose: These Cookies identify if users have accepted the use of cookies on the Website.

Functionality cookies

Type: Persistent Cookies

Administered by: Us

Purpose: These Cookies allow us to remember choices you make when you use the Website, such as remembering your login details or language preference. The purpose of these Cookies is to provide you with a more personal experience and to avoid you having to re-enter your preferences every time you use the Website.

Tracking and performance cookies

Type: Persistent Cookies

Administered by: Third-Parties

Purpose: These Cookies are used to track information about traffic to the Website and how users use the Website. The information gathered via these Cookies may directly or indirectly identify you as an individual visitor. This is because the information collected is typically linked to a pseudonymous identifier associated with the device you use to access the Website. We may also use these Cookies to test new advertisements, pages, features or new functionality of the Website to see how our users react to them.

Targeting and advertising cookies

Type: Persistent Cookies

Administered by: Third-Parties

Purpose: These Cookies track your browsing habits to enable us to show advertising which is more likely to be of interest to you. These Cookies use information about your browsing history to group you with other users who have similar interests. Based on that information, and with our permission, third party advertisers can place Cookies to enable them to show advertisements which we think may be relevant to your interests while you are on third party websites.

6 | Management of Personal Information

The person occupying the role with the highest authority within The Breach, is designated as the person responsible for ensuring the protection of personal information. This person may delegate this responsibility in writing by designating them in the role of Privacy Officer. The way to contact the Privacy Officer is available in the policy, as well as on The Breach’s website. The Privacy Officer is responsible for maintaining a registry of privacy incidents. 

The person holding the highest authority at The Breach is authorized to access the personal information held by the organization as necessary in the usual course of duty, with the exception of cases of conflict of interest. All other employees are authorized to access any personal information to the extent that it is necessary for the completion of their tasks. 

In accordance with Law 25, a privacy incident includes any unauthorized access, use or disclosure of personal information, as well as any loss or breach of personal information.  

The procedure to seek recourse for any breach of personal information is outlined in section 11 of this policy.

7 | Conservation of personal information

The Breach implements security measures designed to protect your information from unauthorized access. Your data is protected by implementing security measures including passwords, and multi-factor authentication for accessing data. However, these measures do not guarantee that your information will not be accessed, disclosed, altered or destroyed by breach of such security measures. By submitting your data, you acknowledge that you understand and agree to assume these risks. We will do our best to minimize any chance of this happening.

7.1 | Exchanges of information outside The Breach:

The Board of Directors, management and employees must not discuss files, persons or decisions specific to The Breach, with outsiders or persons not concerned. In an exceptional situation, they must limit exchanges of information to the strict minimum.

7.2 | Exchanges of information within The Breach

• Limit exchanges of information between employees to team meetings or in a secure area (e.g. office with closed door);
• Avoid discussing issues pertaining to confidential information outside of these times. If this is not possible, make sure not to use identifying information, and discuss in a place that ensures confidentiality;
• Ensure that telephone conversations dealing with confidential information are not overheard by others.

7.3 | Security measures to limit access to information

The Breach does not store personal information in hard copies at our office. All personal information is stored virtually. 

• All personal information will be protected by a password 
• Personal information will be stored in the following locations; emails secured by The Breach, online storage platforms secured by password, and when necessary, for a short period of time on a USB key (ex: for sustainers who will be sent a gift in the mail, we might print all the labels at the print shop, requiring them to be put on a USB for the duration) 

7.3.1 | Office

The Breach primarily works in a virtual office, and occasionally uses a physical office. The following applies to both circumstances: 

When others are present a Breach employee must: 

• Lock computer screens at lunchtime or when absent;
• Change password (server, computer, voice mail or other) regularly. 
• Lock the main office door on departure.
• Close office doors at lunchtime, at the end of the day, or in case of absence. 

7.4 | Limits of confidentiality

The Breach will not disclose any personal information to any outside party or to any of its affiliated entities without the person’s knowledge and consent, except to the following persons:

• an auditor related to an audit of The Breach 
• an organization or individual providing services to The Breach, if the personal information is reasonably necessary for the provision of said services. In such a case, the organization or individual must act in accordance with this Policy, and use such personal information only for the purposes of providing services to The Breach.
• a lawyer representing The Breach in a matter involving personal information.
• anyone submitting a subpoena, warrant or court order obligation.
• a government institution requesting such information, which submits its request authorization, in connection with the administration of any applicable law.
• in any other circumstance where disclosure is explicitly permitted under applicable privacy laws.

7.5 | Limits of technology

The Breach uses the following platforms to conduct our operations; G Suite, Zoom Pro, Slack, Active Campaign and CiviCRM. These platforms are protected by passwords. It is important to note that these are American platforms, and thus follow American laws on privacy protection. Though we do our best to maintain rigorous privacy measures for technology, there is always a risk that personal information could be compromised.  The Breach may integrate new software as required to perform our duties in a regular course of operations.

ActiveCampaign is a software as a service (SaaS) platform that offers email marketing sending service. For more information on the privacy practices of ActiveCampaign, please visit their Privacy Policy.

8 | Destruction or anonymization of personal information

The Breach ensures the destruction or anonymization of personal information in accordance with the requirements of Law 25, as soon as the data is no longer required for the purposes for which it was collected.

9 | Communicating personal information collected with the concerned person

An individual has the right to request access to their personal information retained by The Breach. Once these information have been requested in writing, The Breach will communicate these informations within a delay of 30 days in accordance with provisions of Law 25. 

Accessing your personal information: 

• An individual can request a copy of their personal information to consult the information. 
• An individual has the right to make corrections to the information when they are inexact and incomplete. 

In some circumstances, the organization can legitimately refuse to give the individual access to certain parts of their personal information file if it could compromise the mission and values of the organization.

Please submit a request form here.

9.1 | Breach of Confidentiality

A breach of confidentiality has occurred when a member of The Breach carries out one of the following actions: 

• If a member of The Breach accesses personal information for their individual personal gain or interest.
• If a member of The Breach discusses personal information with external parties.  
• If a member of The Breach gives personal information to non-authorised parties. 
• If a member of The Breach leaves personal information in a location where non-authorised parties could access it. 

10 | Failure to comply with the obligations of this policy

Any breach of the obligations set out in this Privacy Policy will be dealt with appropriately in accordance with the remedies and sanctions provided by Law 25.

11 | Recourse

In the event that it is determined that an individual’s personal information has been used in a manner that is inconsistent with this policy or the law, that individual has the right to recourse.

The individual has the right to file a complaint here with the Privacy Officer. Should the complaint pertain to the Privacy Officer, the complaint will be sent to the Executive Management, or to the Board of Directors of The Breach, if the complaint concerns the general management. These complaints will be saved for a period of five years. 

The Privacy Officer will consult with the management and/or the board of directors where appropriate to determine if the incident presents a ‘risk of serious prejudice’, as outlined in article 3.5 of Law 25. Subsequently, they will define measures to reduce the risk of similar future incidents. 
Any breaches of privacy that have been determined as presenting a ‘risk of serious prejudice’ are recorded in the register of privacy incidents. The Privacy Officer will assess, based on the degree of risk of prejudice, to advise the Commission d’accès à l’information and any others potentially impacted by this breach about the incident.

The management of The Breach is responsible for the implementation and application of the privacy policy.

12 | Terms of application

As soon as this policy comes into effect, directors, management, employees and volunteers must commit to complying with the policy.

In the event of non-compliance with the confidentiality policy by management, the Board of Directors must intervene.

If a director, employee or volunteer has disclosed confidential information, the competent authority will impose a sanction in accordance with The Breach’s policies, regulations and by-laws. The sanction may range from reprimand to exclusion.

13 | Contacting us

If you have any questions, concerns or comments regarding this Privacy Policy or our data collection practices, please contact them at the following address: [email protected] 

Our Privacy Officer will answer any questions you may have questions about our Privacy Policy within 10 business days.

The privacy officer will be disclosed on the Breach website for public access. The Director of Operations, Amanda Siino, is the Privacy Officer effective September 2024.

14 | Adoption of the Policy

This policy was adopted on 1 September 2024 following its adoption by the Board of Directors. It can be modified at the opportune time after an effective analysis. Any modification must respect the values and rules of The Breach.

* End of Policy*

Additional notes on privacy through Google

Google Analytics: is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of the Website. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network.

You can opt-out of having made your activity on the Website available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (ga.js, analytics.js and dc.js) from sharing information with Google Analytics about visits activity.

For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: https://policies.google.com/privacy?hl=en

Google AdSense and DoubleClick Cookie

Google, as a third party vendor, uses cookies to serve ads on the Website. Google’s use of the DoubleClick cookie enables it and its partners to serve ads to our users based on their visit to the Website or other websites on the Internet.

You may opt out of the use of the DoubleClick Cookie for interest-based advertising by visiting the Google Ads Settings web page: http://www.google.com/ads/preferences/

AdMob by Google

AdMob by Google is provided by Google Inc.

You can opt-out from the AdMob by Google service by following the instructions described by Google: https://support.google.com/ads/answer/2662922?hl=en

For more information on how Google uses the collected information, please visit the “How Google uses data when you use our partners’ sites or app” page: https://policies.google.com/technologies/partner-sites or visit the Privacy Policy of Google: https://policies.google.com/privacy

Google Ads (AdWords)

Google Ads (AdWords) remarketing service is provided by Google Inc.

You can opt-out of Google Analytics for Display Advertising and customize the Google Display Network ads by visiting the Google Ads Settings page: google.com/settings/ads

Google also recommends installing the Google Analytics Opt-out Browser Add-on – tools.google.com/dlpage/gaoptout – for your web browser. Google Analytics Opt-out Browser Add-on provides visitors with the ability to prevent their data from being collected and used by Google Analytics.

For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: policies.google.com/privacy?hl=en

Children’s privacy

The Website is not intended to address anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from anyone under the age of 13 without verification of parental consent, we take steps to remove that information from our servers.