What is personal information?
Surplus RD applies the definition of “personal information” which is used by the local laws which apply to you, as required by law. In Quebec, the Act respecting the protection of personal information in the private sector defines “personal information” as any information which relates to a natural person and allows that person to be identified.
Why do we process your personal information?
We process your personal information mainly with the following objectives in mind:
- When we communicate with you upon your request, including when you use the “contact us” form, or, generally, to follow up on your requests for information on our products and services;
- To get our newsletter to you, when you have chosen to subscribe to it;
- When you buy one of our products on this website, including for payment and financing purposes, such as Accord D financing requests;
- To deliver the products that you bought on this website and allow you to follow up on delivery;
- If we have your explicit consent, we may send advertising emails to inform you of our sales, offers, new products and of the release of our newsletter. You can also receive reminders if you have left a product in your basket, or if a product you wanted that was not available has become so.
- To tailor advertising by using third party pixels;
- When you fill forms to participate in contests or polls;
- To allow you to submit a spontaneous application online;
- When you create an account with us;
- When you share our products or our website through your social networks;
This list is not exhaustive; we may need to process your personal data for other legitimate purposes, for example to ensure the security of your financial transactions and of our website, or to prevent fraud.
What is the personal information you process?
- When you fill in the contact form or the question form on our website, we request the following: your name, your phone number and your email address.
- When you complete your purchase, we collect your first and last name, delivery address (including province, city, postal code and country), email and phone number. You can also indicate the name of your firm, but that is not a requirement to complete your transaction. If you choose in-store pickup, you must also indicate the name of the person who will do the pickup.
- When you make your payment, we ask for the number of your credit card, your card’s CVV number, and its expiration date. You must write your billing address if it is different from the delivery address. The same information is required if you choose to pay with Accord D of Desjardins.
- When you apply for a position by spontaneous application on our website, you must provide us with some personal information, such as your name, address, city, email, phone number and your mobile phone number (optional). You must also include your CV, which contains additional personal information under your control, including your work history.
- When you create an account with us, you have to transmit your name, email and password. Your account includes your billing and delivery addresses by default, which you can modify at any time. You can also see your reviews of our products, and your wish list.
Is my personal information safe with you and your partners?
We make efforts to ensure that organizational and technical measures are implemented to secure your personal information. We also make efforts to select only trusted partners. As an example, Desjardins, our Accord D financing partner, is SOC 2 Type 1, ISO 27001 and PCI DSS certified. We have contractual commitments in place which ensure that our partners respect our strict personal information protection standards.
What is personalized retargeting?
Who has access to my personal information?
Internally, access to personal information works on a “need to know” basis; that is, our employees do not have access to your personal information unless it is necessary for them to perform their job duties.
To know who has access to your personal information externally, please see the next question.
Do we share your personal information with third parties?
These third parties fall into one of the following categories of recipients:
- Our delivery drivers, since we must make sure that you receive your products at the right address;
- Our financial partners, such as the Caisse Desjardins for Accord D, or third parties involved in the processing of your banking data on our website. All these entities apply the PCI DSS standard for credit cards.
- Our advertising partners, such as our ad agency and our ad and client management software.
- Our IT service providers, such as our data hosting providers, amongst others.
We could be obligated to share your personal information to comply with a legal order, such as a subpoena from a judge. When we receive such requests, we do all necessary verifications to ensure that they are legal and if possible, we inform you of this data processing.
In any case, we transfer your personal information only if the law allows us to do so.
Where is my personal information hosted?
Your personal information is hosted in Montréal, by a third party named “Ecritel”. A description of the security measures implemented by this partner can be found here. These measures include physical protection of the data as well as access restriction, and detection of and defence against attacks through continuous analysis of incoming data traffic to Ecritel’s network. Ecritel holds several certifications which are recognized by the marketplace, such as ISO 27001, ITIL, ISO 9001 and HAD (“Health Data Hosting”), and PCI DSS as well.
When your personal information is shared with third parties, such as described below, these third parties can host your data with their hosting providers, which can be located outside of Quebec or Canada.
How long can my personal information be held?
When you buy our products online, we hold your financial information, such as your credit card, for 90 days. All other personal information is held as long as it is necessary for operational or legal needs.
Is it possible to withdraw my consent to the data processing?
You can withdraw your consent at any time by sending an email to email@example.com, and we will stop processing your data, notwithstanding certain conditions related to applicable legal and regulatory provisions.
You can at all times unsubscribe from our newsletter by clicking on the option directly in the newsletter’s email. If you have an account with us, you can modify your subscription to the newsletter directly in your account settings.
What are my rights?
If the personal information requested is not required for the making or concluding of a sale, then you can legally refuse to give us that information.
You have a right of access to the personal information concerning you that we are processing, and you also have the right to ask for its rectification if it is incorrect, incomplete or ambiguous, or if it is no longer valid or not justified by the purpose at hand. Otherwise, you can provide us with comments to be added to your file.
In this case, we will notify any person who has received the information in the preceding six months of the rectification without delay.
If you believe that our collecting your personal information was illegal, you can ask for it to be deleted.
If we are required to delete your personal information, we will issue you a written attestation that your personal information has been deleted.
You can exercise your rights free of charge. Should you ask for a transcription, reproduction or transmission of your personal data, a reasonable charge may be required. In this case, we will inform you of the charge before proceeding with the transcription, reproduction or transmission of the information.
To exercise your rights, you must make a written request, by mail or email, using the following contact details:
You can access and modify most of your personal information through your online account.
If your request is denied, you will receive our notification in writing, with the reasons for our refusal and information concerning avenues for appeal. In this case, we will keep the relevant personal information until you have exhausted the recourses provided by law. In any case, we will respond no later than 30 days after the date of receipt of your request.