ArchiVerif

Privacy Policy

Version 1.0 · Effective May 24, 2026

Overview

This Privacy Policy governs the collection, use, and communication of information by ArchiVerif, a sole proprietorship operated by Mohaned Bouzaidi, in connection with the ArchiVerif API platform and website at archiverif.ca. ArchiVerif is subject to Quebec Law 25 (Bill 64) and the Act Respecting the Protection of Personal Information in the Private Sector (LPRPSP).

1. Identity of the Privacy Officer

All privacy-related questions, requests, and complaints may be directed to:

  • Privacy Officer: Mohaned Bouzaidi
  • Contact email: MohanedB@archiverif.ca
  • Mailing address: Brossard, Quebec, Canada

ArchiVerif will respond to any written privacy request within 30 days of receipt.

2. Nature of data processed by ArchiVerif

2.1 Public government data (primary data source)

ArchiVerif's core function is to redistribute publicly available contractor licence data published daily by the Régie du bâtiment du Québec (RBQ) on the Données Québec open government portal, under the Creative Commons Attribution licence (CC BY 4.0). This data is explicitly made available for commercial use by the Government of Quebec.

The redistributed dataset includes the following fields:

  • RBQ licence number
  • Contractor or company legal name
  • Quebec Enterprise Number (NEQ)
  • Licence status (Active, Restricted, or Revoked)
  • Licence subcategories and authorized work types
  • Administrative region
  • Surety bond amount and bond provider name
  • Licence restriction start date, if applicable

ArchiVerif does not collect, store, or publish any information that is not already publicly accessible via the official RBQ registry or the Données Québec open data portal.

2.2 Natural persons in the RBQ dataset

The majority of RBQ licence holders are corporations or legal entities. However, some licence holders are natural persons operating as sole proprietors. Where a natural person's name appears in the RBQ dataset, that name constitutes personal information under Law 25. ArchiVerif processes such personal information solely on the legal basis of legitimate interest in redistributing publicly available government data under CC BY 4.0.

2.3 App user and API client data

When individuals or businesses register to use the ArchiVerif mobile app, website, or API, ArchiVerif may collect:

  • Business or individual name and contact email address
  • Billing information (processed exclusively by Stripe — ArchiVerif never stores payment card data)
  • Firebase Authentication credentials (email/password or Google account — managed by Firebase)
  • Device push notification token (FCM token) for delivering suspension alerts to your mobile device
  • Watchlist data: the list of RBQ licence IDs you choose to monitor
  • API usage logs including timestamps, query volume, and endpoint accessed

This data is used exclusively for account management, billing, delivering push notifications, technical support, and service improvement. It is never sold or shared with third parties for marketing purposes.

3. Purposes of data collection and use

ArchiVerif collects and uses information for the following specific purposes:

  • To provide RBQ licence verification services to API clients
  • To detect and report contractor licence suspensions through the delta engine
  • To manage API client accounts and process subscription payments
  • To monitor API usage for rate limiting and billing accuracy
  • To maintain system security, detect abuse, and prevent fraud
  • To comply with applicable Quebec and Canadian law

ArchiVerif does not use personal information for automated decision-making, profiling, or any purpose other than those listed above.

4. Data retention

ArchiVerif retains data for the following periods:

  • RBQ licence data: Updated daily. Historical suspension records are retained indefinitely as they constitute a proprietary audit trail derived from daily set-difference calculations.
  • API client account data: Retained for the duration of the client relationship and for 12 months following account termination.
  • API usage logs: Retained for 90 days for security and billing verification purposes.

Upon expiry of the applicable retention period, data is securely deleted or anonymized.

5. Data sharing and third-party disclosure

ArchiVerif does not sell personal information. ArchiVerif may share information only in the following limited circumstances:

  • With Firebase (Google), which provides user authentication and push notification delivery. Firebase processes authentication credentials and device tokens on behalf of ArchiVerif.
  • With Stripe, which processes all subscription payments. ArchiVerif never stores or processes payment card information directly.
  • With RapidAPI, which manages enterprise API key issuance, billing, and rate limiting.
  • With Railway, which hosts the ArchiVerif API infrastructure as a technical hosting provider.
  • With Twilio, which sends operational SMS alerts to the ArchiVerif operator in the event of a pipeline failure. No client data is transmitted via Twilio.
  • With Apple App Store and Google Play, as required for mobile app distribution. Their respective privacy policies govern data collected during app installation.
  • When required by law, regulation, court order, or government authority.

6. Data security

ArchiVerif implements the following technical and organizational security measures:

  • All database queries use parameterized statements exclusively. No string concatenation is used in any SQL query, eliminating SQL injection risk.
  • API keys are generated and managed by RapidAPI and are never stored in plaintext by ArchiVerif.
  • All data in transit is encrypted via TLS. Credentials are stored as environment variables, never in source code.
  • Access to production systems is restricted to the Privacy Officer.
  • ETL pipeline failures trigger an immediate SMS alert, and the system rolls back to the last valid database state to prevent data corruption.

In the event of a privacy incident involving personal information, affected individuals and the Commission d'accès à l'information du Québec (CAI) will be notified in accordance with Law 25 obligations.

7. Rights of individuals under Law 25

Natural persons whose information appears in the ArchiVerif dataset (i.e., sole proprietor RBQ licence holders) have the following rights under Quebec Law 25:

  • Right of access — confirm whether ArchiVerif holds personal information about them and obtain a copy.
  • Right to rectification — request correction of inaccurate personal information. The authoritative source remains the Régie du bâtiment du Québec.
  • Right to de-indexing — request that ArchiVerif cease disseminating personal information where dissemination causes serious injury to the person's reputation or dignity, subject to applicable law.

To exercise any of these rights, contact the Privacy Officer at MohanedB@archiverif.ca. ArchiVerif will respond within 30 days of receiving a written request.

8. Cookies and tracking

The ArchiVerif API does not use cookies. The ArchiVerif website (archiverif.ca) uses minimal technical cookies necessary for website functionality only (locale preference, authentication session). No advertising, analytics, or third-party tracking cookies are used.

9. Data source attribution

In compliance with the CC BY 4.0 licence, every API response served by ArchiVerif includes the following attribution field:

"source": "Régie du bâtiment du Québec (CC BY 4.0)"

ArchiVerif is not affiliated with, endorsed by, or connected to the Régie du bâtiment du Québec or the Government of Quebec. The RBQ logo, Quebec government flag, and any government insignia are never used in ArchiVerif branding, marketing, or product interfaces.

10. Changes to this Privacy Policy

ArchiVerif reserves the right to update this Privacy Policy at any time. Changes will be posted at archiverif.ca/privacy with an updated effective date. For material changes affecting how personal information is used, ArchiVerif will notify API clients by email at least 15 days before the changes take effect.

11. Governing law and supervisory authority

This Privacy Policy is governed by the laws of the Province of Quebec and the laws of Canada applicable therein, including Law 25 and PIPEDA to the extent applicable.

Complaints may be submitted to the supervisory authority:

Commission d'accès à l'information du Québec (CAI) Website: www.cai.quebec.ca · Phone: 1-888-528-7741

Mohaned Bouzaidi · Privacy Officer · ArchiVerif · MohanedB@archiverif.ca · Effective May 24, 2026