Inflopick

Inflopick Privacy Policy

Effective Date: 2026-04-21
Last Updated: 2026-05-17


1. Introduction and Scope

This Privacy Policy describes how Inflopick (9557-4240 Quebec Inc.) ("Inflopick," "we," "us," or "our") collects, uses, discloses, retains, and protects personal information in connection with the Inflopick platform and all related services (collectively, the "Services").

This Privacy Policy applies to all persons who use the Services in any capacity: Buyers who discover and purchase products through the platform; Creators who promote products via affiliate links and operate storefronts; and Merchants who list products and manage promotion partnerships. It covers personal information collected directly from you, received from third-party platforms you connect to your account, and received from other Users through use of the Services.

This Privacy Policy is incorporated by reference into our Terms of Use and forms part of the complete agreement governing your use of the Services. Where the Terms of Use describe specific data-handling practices (for example, Section 8.7.3 on Creator tax reporting, or Section 10 on automated decisions), this Privacy Policy provides the companion privacy-law disclosure. In the event of a conflict between this Privacy Policy and the Terms of Use on a privacy matter, this Privacy Policy controls. See Terms of Use §1.4.

This Privacy Policy does not apply to the practices of third-party services you access through the platform (such as the Merchant's checkout, the identity-verification flow used during Creator onboarding, or third-party social platforms). Those services operate under their own privacy policies, which we encourage you to review.

Privacy-by-design commitment. Inflopick builds privacy considerations into its platform design, data architecture, and vendor selection from the outset, consistent with the spirit of article 25 of Quebec's *Act Respecting the Protection of Personal Information in the Private Sector* ("Law 25").


2. Who We Are

Legal entity: Inflopick (9557-4240 Quebec Inc.)
Jurisdiction of incorporation: Quebec, Canada
Principal place of business: Montreal, Quebec, Canada
Governing privacy law: Quebec Law 25 (*Act Respecting the Protection of Personal Information in the Private Sector*, RLRQ c P-5), and Canada's *Personal Information Protection and Electronic Documents Act*, SC 2000, c 5 ("PIPEDA").

2.1 Data Protection Contact

Inflopick has designated a Data Protection Contact responsible for overseeing compliance with applicable privacy legislation, responding to privacy inquiries, and managing access and rectification requests. The Data Protection Contact is Inflopick's internal designee under article 3.1 of Law 25 and Principle 1 of PIPEDA's Schedule 1.

Data Protection Contact
Inflopick (9557-4240 Quebec Inc.)
Montréal, Québec, Canada
Email: contact@inflopick.com

Inflopick operates as an online platform. All privacy inquiries, access requests, rectification requests, and complaints should be directed to the Data Protection Contact at the email address above. Inflopick maintains a physical mailing address on file with the Registraire des entreprises du Québec and includes that address in every Inflopick-originated commercial electronic message as required by CASL.


3. Information We Collect

We collect personal information that you provide directly, information generated through your use of the Services, and information received from third-party services you connect to your account. We collect only the minimum information necessary for the purposes described in this Privacy Policy (data minimisation principle, PIPEDA cl. 4.4; Law 25 Art. 7).

The categories of information we collect differ by User type.

3.1 Buyers

Information you provide at registration:

| Subject | Purpose |
| --- | --- |
| Email address | Identify your account, send order updates, and contact you about your account |
| Name | Identify your account, show who you are in chat, and attach your name to orders |
| Shipping address | Pre-fill your checkout and let you track your orders |
| Phone number (optional) | Share order contact details with the merchant when you choose to provide it |

Information generated through use of the Services:

| Subject | Purpose |
| --- | --- |
| Saved and wishlist items | Save products you're interested in and notify you about price drops or restocks if you opt in |
| Shopping cart and the creator who referred you | Build your cart at checkout and credit the right creator for the sale |
| Order details | Track your orders, credit the referring creator, and calculate commissions |
| Chat messages and attachments | Let you communicate with merchants and creators |
| Reviews and ratings | Build trust on the platform and rank storefronts |
| Notification read status | Deliver and manage your notifications |
| Browsing and click activity | Understand platform usage, credit creators for referrals, and recommend products |

Buyer payment card data is not collected by Inflopick. All payment processing occurs exclusively through the relevant Merchant's Shopify-powered checkout. Inflopick never receives, processes, or stores payment card numbers, CVVs, or other card data. PCI-DSS scope for buyer payments is delegated entirely to Shopify. See Terms of Use §4.2.

3.2 Creators

Information you provide at registration:

| Subject | Purpose |
| --- | --- |
| Email address | Identify your account, send account messages, and notify you about payouts |
| Name | Identify your account, report taxes, and display your public creator profile |
| Business or mailing address | Tax reporting and account administration |
| Social media links and bio | Display your creator profile on storefronts |

Information generated through use of the Services:

| Subject | Purpose |
| --- | --- |
| Referral clicks and sales activity | Credit your commissions and show your performance in the Creator Dashboard |
| Commission earnings records | Calculate your payouts and report taxes |
| Social media account insights (refreshed daily) | Match you with merchants and display your creator profile |
| Sample and promotion requests | Manage your tasks and collaborations |
| Chat messages and attachments | Let you communicate with merchants and buyers |
| Content submission records | Run the promotion request workflow |

Creator identity verification and bank account information are handled exclusively by our third-party identity-verification and payments processor. Inflopick does not receive, store, or access any identity documents, government ID photos, or banking details submitted during Creator onboarding. The verification process and the collection of KYC data are governed by that processor's own privacy policy. See Section 9 and Terms of Use §5.2.5.

3.2.1 Creator Tax Reporting (T4A)

The following tax-reporting provisions mirror Terms of Use §8.7.3 precisely. Drift between these two documents is a compliance risk.

Where a Creator's aggregate paid-out entitlements to a Canadian-resident Creator meet or exceed CAD $500 in a calendar year, Inflopick is required to prepare a T4A Statement of Pension, Retirement, Annuity, and Other Income in respect of that Creator. Where this threshold is reached, Inflopick will request the tax information necessary to prepare and file the applicable T4A. Any such tax information is:

(a) collected solely for tax reporting purposes;

(b) encrypted at rest in Inflopick's systems;

(c) moved to restricted-access cold storage following submission of the applicable T4A filing; and

(d) purged in accordance with Canada Revenue Agency retention requirements (six years from the end of the relevant tax year).

This tax information is not shared with any third party other than the Canada Revenue Agency as required by applicable tax law.

3.3 Merchants

Information you provide at registration:

| Subject | Purpose |
| --- | --- |
| Business name | Identify your account and display your storefront |
| Business registration and tax details | Handled by our identity-verification and payments provider (see note below) |
| Secure store connection credentials | Keep your store connected so products and orders stay in sync; stored securely |

Information generated through use of the Services:

| Subject | Purpose |
| --- | --- |
| Product catalog | Display your products on the marketplace, generate affiliate links, and calculate shipping |
| Orders | Track orders, calculate commissions, and credit the referring creator |
| Store connection status | Keep your store connection working and restore it when needed |
| Commission charge records | Bill monthly platform commissions and maintain our accounting records |
| Chat messages | Let you communicate with creators and buyers |
| Promotion requests | Manage collaborations |
| Creator performance data | Power your merchant analytics dashboard |

Merchant business registration and tax identification data are handled exclusively by our third-party identity-verification and payments processor (see Section 9). Inflopick does not store these documents or tax IDs.


4. Why We Collect and Use Your Information

4.1 Purposes of Collection

We use personal information to:

(a) operate and deliver the Services — create and maintain accounts, process commission attribution, generate affiliate links, display storefronts, facilitate checkout redirects to Shopify, and manage the Creator payout lifecycle;

(b) facilitate communication — operate the in-platform chat system (buyer–merchant, creator–merchant, creator–buyer) and deliver in-app notifications;

(c) fulfil legal obligations — prepare T4A tax reports for qualifying Creator payouts; calculate, collect, and remit GST/HST/PST/QST on Inflopick's commission; respond to regulatory inquiries; and maintain records as required by CRA and applicable law;

(d) protect platform integrity — detect and prevent fraud, abuse, and manipulation of the commission system or platform rankings;

(e) provide analytics — give Creators and Merchants aggregated performance data on affiliate link clicks, conversions, earnings, and storefront activity; and

(f) improve the Services — use anonymised and aggregated data to understand how the platform is used and identify improvements.

4.2 Legal Bases for Processing

We process personal information on the following legal bases:

  • Contract — processing necessary to perform the agreement between us as set out in the Terms of Use;
  • Legal obligation — processing required by applicable law (e.g., CRA tax reporting, Law 25 compliance);
  • Consent — processing you have explicitly authorised (e.g., OAuth connection of a Social Account; marketing email opt-in); and
  • Legitimate interest — processing necessary for our legitimate business interests (e.g., fraud prevention, platform analytics, product ranking), where those interests are not overridden by your privacy interests.

4.3 No Secondary Use

We do not sell your personal information.

Personal information collected for a specific purpose is not used for any other purpose without your knowledge and consent, except where required by law. Social account insights received via OAuth are used only for creator-merchant matching and creator profile display within the platform — not for advertising targeting, profiling, or resale. This reflects the secondary-use limits under PIPEDA Principle 5 and Law 25 Art. 12.

4.4 No Sale of Personal Information

We do not sell your personal information to third parties. We do not sell, rent, trade, or otherwise transfer personal information to outside parties for their own commercial purposes. We share personal information only with processors acting on our behalf and with other Users as necessary to operate the Services, as described in Section 11.


5. Shopify Data

5.1 Our Role in Relation to Shopify

Inflopick is a Shopify App Partner. The Inflopick app is installed on Merchants' Shopify stores and receives data from Shopify via webhooks and the Shopify Admin API. Inflopick's use of Shopify data is governed by the Shopify Partner Program Agreement and the requirements of the Shopify App Store Review Policy.

The Shopify API scopes authorised by Merchants during app installation are: read_products, read_inventory, read_locations, read_orders, read_customers, read_checkouts, and applicable billing scopes. See Terms of Use §5.3.1.

5.2 Protected Customer Data

The following table lists each category of Shopify customer data that Inflopick receives via webhook or API, together with its specific purpose. This disclosure is provided in compliance with Shopify's Protected Customer Data requirements.

| Subject | Purpose |
| --- | --- |
| Buyer email address | Record the order, show order status, credit the referring creator, and send order notifications |
| Buyer name | Record the order and provide context in merchant chat |
| Buyer shipping address | Track the order and show it in the merchant's fulfilment view |
| Buyer phone number | Provide order contact details to the merchant, only where the buyer provided it |
| Order line items | Calculate commissions, credit the referring creator, and power analytics |
| Shopping cart reference | Match the order to the right cart session so the correct creator is credited |
| Referring creator reference | Identify which creator's link generated the order and allocate the commission |
| Order date and time | Start the commission accrual window (Terms of Use §8.4) |
| Fulfilment and delivery status | Track when creator payouts become available for release |
| Refund details | Issue store credits and adjust creator payouts |
| Secure store connection credentials | Keep the store connected for product sync, orders, and billing |

No Shopify customer data is used for advertising, profiling, resale, or any purpose beyond those listed in this table.

5.3 Shopify GDPR Compliance Webhooks

Inflopick implements the three mandatory Shopify GDPR compliance webhooks. These endpoints are registered in the Inflopick Shopify App configuration and respond within 30 days of receipt of a valid request.

| Subject | Purpose |
| --- | --- |
| Customer data access request | We compile and return all personal data we hold for that customer (in connection with the merchant's store) within 30 days |
| Customer data deletion request | We delete or anonymise that customer's data within 30 days, subject to legal retention obligations (e.g., 7-year tax records) |
| Store data deletion request (app uninstall) | We delete or anonymise all data associated with that store within 30 days, subject to legal retention obligations |

The 30-day SLA applies from the date Inflopick receives a valid webhook notification from Shopify.


6. Meta Platform Data

This section uses the phrase "Meta Platform Data" as required by Meta's Platform Terms and as a condition of Meta's Tech Provider Access Verification.

6.1 What Is Meta Platform Data

Meta Platform Data refers to any data, content, or information obtained by Inflopick from Meta Platforms, Inc. (including Instagram) through the OAuth authorization flow described in this Section 6. Inflopick's use of Meta Platform Data is governed by Meta's Platform Terms (https://developers.facebook.com/terms/) and the Meta Developer Policies.

6.2 Instagram Login Path and OAuth Scopes

Inflopick accesses Instagram data through Instagram Login (Path B) — the standalone Instagram Login flow for Business and Creator accounts. Inflopick does not use Facebook Login. The following Instagram OAuth scopes are requested:

| Subject | Purpose |
| --- | --- |
| Basic Instagram profile (username, name, picture, bio, website, follower and post counts) | Display your creator profile, match you with merchants, and help merchants discover you |
| Instagram engagement metrics (reach, impressions, interactions) | Show your performance to you and to merchants evaluating partnerships |

Only Business and Creator account types on Instagram are eligible to connect via this flow.

6.3 How We Use Meta Platform Data

Inflopick uses Meta Platform Data solely for the following purposes:

(a) Creator profile display — displaying the Creator's follower count, username, and public profile information to Buyers on the Creator's Inflopick storefront;

(b) Creator-merchant matching — enabling Merchants to discover Creators whose Instagram audience and engagement metrics align with their products; and

(c) Creator analytics — enabling Creators to view their own Instagram engagement metrics within the Creator Dashboard.

Inflopick does not use Meta Platform Data for:

  • advertising targeting of any kind;
  • creating or augmenting advertising audiences;
  • profiling individual users for commercial purposes beyond the platform services described above;
  • resale, licensing, or transfer to any third party for the third party's own use.

This constitutes a Limited Use declaration under Meta's Platform Terms, Section 4.

6.4 Data Caching and Retention

Meta Platform Data is cached on Inflopick's servers with a daily refresh cycle. Cached insights are stored in Inflopick's primary database in a Canadian region for as long as the Creator maintains an active Instagram connection on the platform.

On disconnection: When a Creator disconnects their Instagram account from Inflopick (through account settings or by revoking access via Instagram), deletion of all cached Meta Platform Data is initiated immediately and completed within a reasonable delay. Inflopick has implemented a data deletion callback endpoint that is registered in the Meta App Dashboard and receives and processes Meta's data deletion requests in accordance with Meta's Platform Terms.

6.5 No Scraping

Inflopick accesses Instagram data only through the OAuth API grant described above. Inflopick does not scrape, crawl, or otherwise access Instagram data through any means not authorised by the Creator's OAuth consent. See Terms of Use §5.2.6.


7. TikTok Data

7.1 TikTok OAuth Connection and Scopes

Creators may optionally connect their TikTok account to Inflopick via OAuth. The following TikTok OAuth scopes are requested:

| Subject | Purpose |
| --- | --- |
| Basic TikTok profile (display name, avatar) | Identify and display your creator profile |
| TikTok follower and engagement counts | Display your profile and match you with merchants |
| Public profile information and verification status | Display your creator profile |
| Public video library (titles, thumbnails, view counts, engagement) | Show your content portfolio to buyers and merchants |

Access is read-only. Inflopick does not post, delete, modify, or otherwise interact with TikTok content on a Creator's behalf.

7.2 How We Use TikTok Data

Inflopick uses TikTok data solely for:

(a) displaying Creator profile information and content portfolio to Buyers and Merchants on the platform; and

(b) enabling Merchants to evaluate Creators for promotion partnerships based on audience size and engagement.

Inflopick does not use TikTok data for advertising targeting, creation of advertising audiences, profiling for purposes beyond creator-merchant matching, or resale to any third party. This is a Limited Data Use declaration consistent with TikTok's developer data use requirements.

7.3 Data Caching and Retention

TikTok data is cached with a daily refresh cycle. On Creator disconnection of their TikTok account, all cached TikTok data is deleted from Inflopick's systems within 30 days of the disconnection or data deletion request.

7.4 TikTok Platform Terms

Creator connection of a TikTok account is subject to TikTok's Terms of Service (https://www.tiktok.com/legal/terms-of-service) and TikTok's Developer Data Use Policy in addition to this Privacy Policy.


8. YouTube API Services Data

8.1 YouTube OAuth Connection and Scopes

Creators may optionally connect their YouTube channel to Inflopick via OAuth. Inflopick's use of YouTube API Services is subject to the YouTube Terms of Service at https://www.youtube.com/t/terms. By connecting a YouTube account, you acknowledge that your use of YouTube data through Inflopick is also subject to the YouTube Terms of Service.

The following YouTube OAuth scopes are requested:

| Subject | Purpose |
| --- | --- |
| Public YouTube channel details, video list, and public video statistics | Display your creator profile, match you with merchants, and show your public metrics in the Creator Dashboard |

Access is read-only at the channel level. Inflopick does not access private videos, YouTube messages, private YouTube Analytics data (watch time, audience demographics, retention, traffic sources), monetisation details, or any other data beyond what is granted by the scope above.

8.2 How We Use YouTube API Services Data

Inflopick uses data obtained through YouTube API Services solely for:

(a) displaying Creator channel information (name, subscriber count, video list) to Buyers and Merchants on the platform;

(b) enabling Merchants to evaluate Creators based on channel performance metrics; and

(c) enabling Creators to review their own public channel metrics in the Creator Dashboard.

Google Limited Use affirmation: Inflopick's use of data obtained through YouTube API Services is limited to the purposes described in this Section 8 and does not extend to advertising, advertising-audience creation, profiling for purposes beyond platform services, or resale. This affirms compliance with Google's API User Data Policy (Limited Use requirements).

8.3 Data Caching and Retention

YouTube API Services data is cached with a daily refresh cycle. On Creator disconnection of their YouTube account or revocation of the OAuth grant (including through Google Account settings at https://myaccount.google.com/permissions), all cached YouTube data is deleted from Inflopick's systems.

8.4 Google OAuth Verification

Inflopick requests only the youtube.readonly sensitive scope; no restricted scopes are used. Inflopick completes Google's standard OAuth app verification (brand verification and consent-screen review) before the YouTube connection feature is made available to users in production. Users connecting their YouTube account will not see an "unverified app" warning.


9. Other Third-Party Processors

9.1 Scope and Relationship to Other Sections

Inflopick engages third-party processors to operate the Services. Each processor acts on Inflopick's documented instructions and is bound by an appropriate data processing agreement. Each processor is reviewed before engagement against an appropriate security baseline (SOC 2, ISO 27001, or equivalent third-party certification).

This Section 9 describes the categories of processors Inflopick uses, the purposes for which each is engaged, and Inflopick's substantive commitments to Users in relation to each category. Sections 5–8 separately disclose data Inflopick receives from third-party platforms (Shopify, Meta/Instagram, TikTok, YouTube). The full per-processor disclosure required for cross-border transfers — including the location, data categories, and safeguards applicable to each processor that handles personal information outside Quebec — is set out at Section 12.

9.2 Identity Verification and Payments Processor

Purpose. Creator identity verification (KYC) and Creator payouts; Merchant business registration and tax identification during onboarding.

Inflopick's role. Inflopick initiates the onboarding flow with the third-party identity-verification and payments processor and receives from that processor only a confirmation of verification status (complete / incomplete / suspended). Identity documents, government ID photos, and banking details are submitted directly by the User to the processor and are not transmitted to or stored by Inflopick. PCI-DSS scope for payout transactions is delegated to the processor. See Terms of Use §5.2.5.

9.3 Cloud Platform

Purpose. Inflopick's primary cloud platform provides (a) application database and structured-data storage (including cached Social Account insights); (b) blob storage for chat file attachments and Merchant-uploaded product documents (e.g., size charts, user manuals in PDF format); (c) the AI Recommendation Assistant; and (d) delivery of Inflopick-originated transactional email (account notifications, commission events, payout alerts, platform updates).

Region. All Inflopick cloud platform resources are deployed in a Canadian region. This is a domestic (Canadian) processor and no Law 25 Art. 17 cross-border transfer disclosure is required for the cloud platform itself.

No training on customer data. Inflopick's cloud platform subscription is configured to prohibit any use of customer data for AI model training or service improvement. No Buyer personal data is sent to the AI Recommendation Assistant.

9.4 Chat Infrastructure Provider

Purpose. Real-time chat infrastructure for all in-platform messaging (buyer–merchant, creator–merchant, creator–buyer).

Data involved. Chat messages and sender identity (user IDs and display names). Chat content may include personal information shared voluntarily by Users in the course of conversation.

Security. Chat messages are encrypted both in transit and at rest on the provider's infrastructure in accordance with the provider's standard security configuration. The provider maintains SOC 2 Type II certification. The provider's handling of data it processes on Inflopick's behalf is governed by its data processing agreement and published security practices.

File attachments sent in chat are not stored with the chat infrastructure provider — they are stored on the cloud platform described in Section 9.3.

9.5 Marketing Email Provider

Purpose. Delivery of marketing and promotional electronic communications (newsletters, creator and merchant recommendations, launch and platform announcements) to Users who have provided express prior consent. Transactional email is delivered separately through the cloud platform described in Section 9.3.

Data involved. Recipient email addresses, recipient names, email subject lines, email content, and delivery and engagement metadata (delivery receipts, open events, click events, bounce events, unsubscribe events).

CASL compliance. All Inflopick-originated commercial electronic messages include (a) sender identification as Inflopick (9557-4240 Quebec Inc.); (b) the physical mailing address registered with the Registraire des entreprises du Québec for the legal entity (maintained internally and included in every marketing footer as required by CASL s.6(2)(b)); (c) the contact email contact@inflopick.com; and (d) a functioning one-click unsubscribe mechanism in every marketing message. The marketing email provider supports RFC 8058 List-Unsubscribe and List-Unsubscribe-Post headers natively and processes unsubscribe requests within seconds. Inflopick maintains a separate record of each User's opt-in consent event (timestamp and mechanism) for at least two years after the last transaction or consent activity, as required by CASL s.10.

9.6 Merchant Order Confirmation Email

Order confirmation, shipping updates, and fulfilment notifications are sent directly to Buyers by the merchant's e-commerce platform on behalf of Merchants. These messages are not Inflopick commercial electronic messages.


10. Automated Decision-Making

10.1 Disclosure

Inflopick uses automated processing in the following functions, as required to be disclosed under article 12.1 of Law 25. This section mirrors and supplements the disclosure in Terms of Use §10.

(a) Creator Attribution Matching. When a Buyer completes a purchase through Shopify, Inflopick's system automatically matches the order to the Creator whose Affiliate Link the Buyer used, based on cart session identifiers passed as Shopify cart attributes. This matching determines which Creator (if any) is credited with the sale and is entitled to the full Commission on that order. The determination is made without human review of each transaction. This process affects Creator payout entitlements.

(b) Storefront and Product Popularity Ranking. The order in which Merchants and products appear in discovery surfaces on the platform is determined by an automated ranking process that draws on aggregated traffic, transaction, and trust signals. This ranking affects the commercial visibility of Merchants on the platform.

(c) AI Recommendation Assistant. Inflopick uses an AI Recommendation Assistant, hosted on the Canadian cloud platform described in Section 9.3, to suggest Creators to Merchants and vice versa. No Buyer personal data is sent to the AI system. This recommendation affects which Creators and Merchants are introduced to each other for promotion partnerships.

10.2 Personal Information Used in Automated Processing

| Subject | Purpose |
| --- | --- |
| Matching a sale to the referring creator | Uses your cart's referral reference and order details to credit the right creator |
| Ranking storefronts and products | Uses aggregated activity (visits, clicks, orders, ratings) — no individually identifying data |
| AI recommendation assistant | Uses creator and merchant identifiers and product information; no buyer personal data |

10.3 Right to Human Review

Where an automated decision materially affects your rights or interests — for example, a commission attribution dispute, an account action triggered by automated fraud detection, or a material discrepancy in a Creator's payout entitlement — you have the right to request human review of that decision. To request human review, contact the Data Protection Contact at contact@inflopick.com with a description of the decision you are contesting. We will respond within 30 days.

10.4 No Sensitive Category Profiling

None of Inflopick's automated processing is based on sensitive categories of personal information such as ethnic origin, political opinion, religious belief, health, sexual orientation, or criminal history.


11. How We Share Your Information

11.1 Sharing Between Users on the Platform

The operation of the Services requires certain information to be visible to other Users. The following describes what is visible and to whom:

Buyer-visible information:

  • Creator storefronts display the Creator's name, avatar, biography, social media links, follower count, ratings, and product curation.
  • Merchant storefronts display ratings, reviews, and merchant responses.

Creator-visible information:

  • When a Buyer messages a Creator, the Creator sees the Buyer's display name and message content.
  • Creator analytics display aggregate affiliate link performance (clicks, orders, conversion rates, estimated earnings) — no individual Buyer PII is included in Creator analytics.

Merchant-visible information:

  • When a Creator submits a promotion request, the Merchant sees the Creator's name, follower count, rating, and verification badge.
  • When a Creator connects to a Merchant through the platform, the Merchant can view Creator social insights (follower count, engagement metrics) for the purpose of evaluating promotion partnerships.
  • When a Buyer messages a Merchant, the Merchant sees the Buyer's display name, email, and order context where relevant.

11.2 Sharing with Processors

We share personal information with the third-party processors described in Section 9 solely to operate the Services. Processors are permitted to use personal information only as instructed by Inflopick and as described in this Privacy Policy.

11.3 Sharing with Authorities

We may disclose personal information to government authorities, regulators, or courts where required by applicable law, a valid court order, or a lawful regulatory request. Where permitted by law, we will notify you of such a disclosure. We do not voluntarily disclose personal information to law enforcement without a legally valid request.

11.4 Business Transfers

In the event of a merger, acquisition, sale of assets, or other business transfer involving Inflopick, personal information may be transferred as part of that transaction. We will notify Users via email or prominent in-platform notice before personal information is transferred and becomes subject to a different privacy policy.

11.5 Aggregate and Anonymised Data

We may share aggregate, anonymised, or de-identified data (from which individual identity cannot reasonably be determined) for business analytics, industry reporting, or platform improvement purposes. Such data is not personal information and is not subject to this Privacy Policy.


12. Cross-Border Transfers

12.1 Disclosure Under Law 25 Art. 17

Inflopick is a Quebec-incorporated entity. Some of our processors are located outside Canada, which means personal information may be transferred to and processed in foreign jurisdictions. Before transferring personal information to a jurisdiction outside Quebec, Inflopick conducts a Privacy Impact Assessment ("PIA") as required by Law 25 Art. 17 and confirms that the recipient provides adequate protection through contractual, technical, or organisational measures (including DPAs, SOC 2 certifications, or ISO 27001 certification where applicable).

The following table discloses each cross-border transfer by processor:

Subject | Purpose
Identity verification & payments provider (United States) | Verify creator identity and process payouts, under a data processing agreement and recognized security certifications
Chat infrastructure provider (United States) | Power in-platform messaging, under a data processing agreement and security certification
Instagram (United States) | Display creator profiles and insights, under a data processing agreement and platform terms
TikTok (United States; corporate ties to China and Singapore) | Display creator profiles and insights, under a data processing agreement
YouTube / Google (United States) | Display creator channel information and analytics, under a data processing agreement and security certifications
Marketing email provider (United States) | Send opted-in marketing email, under a data processing agreement and security certification
Cloud platform (Canada) | Store platform data and run core services — Canadian provider, no cross-border transfer
Shopify (Canada) | Sync store and order data, under a data processing agreement and privacy program

PIAs and DPAs are maintained internally as separate compliance deliverables and are available to the Commission d'accès à l'information ("CAI") upon request.


13. Retention

13.1 Retention Periods by Data Category

We retain personal information for as long as necessary to fulfil the purposes for which it was collected, to operate the Services, and to comply with applicable legal obligations. The following table sets out our retention commitments.

Subject | Purpose
Orders and commission records | Kept for 7 years to meet tax compliance requirements
Creator tax information | Kept until 6 years after the relevant tax year for tax reporting, then securely deleted
Click and referral analytics | Kept up to 24 months for analytics, then deleted or anonymised
Social media insights cache | Deleted as soon as you disconnect the relevant social account
Account data | Kept while your account is active
Deleted accounts | Personal information deleted; tax and order records anonymised and kept for the legal retention period
Deleted products | Recoverable for 60 days, then permanently deleted
Marketing consent records | Kept for 2 years after your last activity to manage marketing consent

13.2 Anonymisation on Account Deletion

When a User deletes their account, Inflopick will delete personal information associated with that account and anonymise any transaction or commission records that must be retained for legal compliance. Anonymised records are stripped of all directly identifying information and cannot reasonably be re-attributed to any individual.


14. Security

Inflopick implements technical and organisational security measures appropriate to the sensitivity of the personal information we hold. These measures include:

(a) Encryption in transit. All data transmitted between your browser or device and Inflopick's servers is encrypted in transit using HTTPS.

(b) Encryption at rest. Sensitive data stored in Inflopick's systems, including store connection credentials, Creator tax information, and other sensitive fields, is encrypted at rest using strong, industry-standard encryption. Chat messages stored with our chat infrastructure provider are encrypted at rest on the provider's infrastructure in accordance with the provider's standard security configuration (see Section 9.4).

(c) Webhook integrity verification. All Shopify webhooks received by Inflopick are verified using cryptographic signature validation to ensure authenticity and prevent injection of fraudulent webhook events.

(d) Delegated payment security. All Buyer payment card processing is handled by Shopify. All Creator identity verification and payout banking is handled by our third-party identity-verification and payments processor (see Section 9.2). Inflopick is PCI-DSS out of scope for both Buyer-side and Creator-side payment data.

(e) Access controls. Access to personal data within Inflopick's systems is limited to personnel who require it to perform their functions. Creator tax information is moved to restricted-access cold storage following T4A filing.

(f) Vendor due diligence. Before engaging processors that handle personal information, Inflopick reviews the processor's security certifications (SOC 2, ISO 27001 where applicable) and enters into data processing agreements.

No security measure is perfect. While we take the protection of your information seriously, no transmission over the internet or electronic storage system is completely secure. We encourage you to use strong, unique passwords and to notify us immediately at contact@inflopick.com if you suspect unauthorised access to your account.


15. Your Rights

15.1 Rights Under Law 25 and PIPEDA

You have the following rights in respect of your personal information held by Inflopick. These rights apply in addition to any rights you may have under other applicable law.

(a) Right of Access (PIPEDA Principle 9; Law 25 Art. 3.2). You have the right to request access to the personal information Inflopick holds about you, including confirmation of whether we hold any such information, its source, how it has been used, and to whom it has been disclosed.

(b) Right of Rectification (Law 25 Art. 3.2). You have the right to request correction of any personal information that is inaccurate, incomplete, or out of date. For account information you can update directly in your account settings, we encourage you to do so without a formal request.

(c) Right of Erasure. You have the right to request deletion of personal information that is no longer necessary for the purposes for which it was collected, subject to Inflopick's legal retention obligations (for example, CRA 7-year records are not deletable on request). See Section 13.

(d) Right to Data Portability (Law 25 Art. 63.1). You have the right to request that your personal information be communicated to you in a structured, commonly used technological format, so that you may transmit it to another organisation. The specific technical formats in which portability exports are provided are subject to ongoing regulatory guidance from the CAI. We will provide portability exports in a standard format (e.g., CSV or JSON) to the extent technically practicable.

(e) Right to Withdraw Consent. Where our processing of your personal information is based on your consent (for example, your OAuth connection of a Social Account, or your subscription to marketing emails), you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. Withdrawing consent to Social Account OAuth will result in deletion of all cached social insights as described in Sections 6–8.

Notification Preferences. Buyers, Creators, and Merchants can manage non-essential in-app and email notification delivery through the Notification Preferences page in account settings. You may enable or disable delivery of specific categories of non-essential notifications. Essential transactional and compliance communications (such as security alerts, order status, commission and payout events, breach notifications, and legally required notices) continue regardless of notification preferences. Marketing and promotional email is additionally governed by the unsubscribe mechanism required by CASL.

(f) Right to Object / De-index (Law 25). You have the right to request that personal information collected for commercial or marketing purposes be de-indexed from any information technology product we make available to the public.

(g) Complaint to Supervisory Authorities. If you believe your privacy rights have been violated, you have the right to lodge a complaint with:

We encourage you to contact us first at contact@inflopick.com to allow us the opportunity to resolve your concern.

15.2 How to Exercise Your Rights

To exercise any of the rights described above, contact the Data Protection Contact:

Email: contact@inflopick.com
Subject line: Privacy Rights Request — [Access / Rectification / Erasure / Portability / Consent Withdrawal / Complaint]

We will acknowledge receipt of your request promptly and will respond within 30 days of receiving a valid and complete request, as required by Law 25 Art. 3.2 and PIPEDA Principle 9. Where a request requires additional time to fulfil due to its complexity or volume, we will notify you within the 30-day period and provide a revised timeline, not to exceed what is permitted by applicable law.

We may need to verify your identity before processing a request to ensure that personal information is not disclosed to or deleted at the direction of an unauthorised person.


16. Breach Notification

16.1 Breach Assessment and Notification to the CAI

In the event of a privacy breach involving personal information that presents a risk of serious injury, Inflopick will notify the Commission d'accès à l'information (CAI) within 72 hours of discovery of the breach, as required by article 28.1 of Law 25. The notification will include the information required by Law 25 and the CAI's applicable regulations.

16.2 Notification to Affected Individuals

Where a breach presents a risk of serious injury to affected individuals, Inflopick will notify those individuals as required by article 28.2 of Law 25. Notification will be made to the email address associated with the affected User's Inflopick account. Notification will include a description of the personal information affected, the date or approximate period of the breach, corrective measures taken by Inflopick, and steps affected individuals may take to protect themselves.

16.3 Breach Register

Inflopick maintains a confidential register of all privacy breaches, including those that do not meet the threshold for notification, as required by Law 25. This register is available to the CAI upon request.


17. Cookies and Similar Technologies

17.1 Essential Cookies

The Inflopick platform uses essential cookies and similar technologies necessary to operate the Services. Essential cookies include session authentication tokens, shopping cart state, security tokens, and load-balancing identifiers. These cookies are strictly necessary to provide the Services and do not require your consent.

17.2 Non-Essential Tracking

At platform launch, no non-essential tracking technologies (such as analytics cookies, advertising pixels, or third-party tracking scripts) are installed on any Inflopick page. Before any non-essential tracking is deployed, a cookie consent banner will appear and will offer you a meaningful choice to accept or decline each category of non-essential tracking. Non-essential tracking will not be installed without your affirmative consent.

17.3 Email Tracking

Transactional emails sent by Inflopick may include read-receipt pixels or link-tracking to confirm delivery and open rates. Where such tracking is used, it will be disclosed and, to the extent required by applicable law, subject to consent.


18. Children's Privacy

The Services are intended for and available to individuals who are 18 years of age or older. This minimum age requirement applies to all User types — Buyers, Creators, and Merchants. See Terms of Use §3.1.

We do not knowingly collect personal information from persons under 18. By creating an account, you represent and warrant that you are at least 18 years old.

If we become aware that a person under 18 has created an account or submitted personal information to us, we will:

(a) terminate that account; and

(b) delete all associated personal information from our systems.

If you believe that a person under 18 has created an account on Inflopick, please notify us immediately at contact@inflopick.com.


19. International Users

The Inflopick platform is operated by a Canadian company, incorporated in Quebec, and is primarily designed for users in Canada. The privacy framework that governs our collection and handling of personal information is Canadian federal law (PIPEDA) and Quebec provincial law (Law 25).

If you are located outside Canada, please be aware that personal information you submit through the Services will be transferred to and processed in Canada in accordance with Canadian privacy law. By using the Services, you consent to this transfer and processing.

We do not specifically target users in the European Union, the United Kingdom, or the United States. This Privacy Policy does not purport to constitute compliance with the EU General Data Protection Regulation, the UK GDPR, or the California Consumer Privacy Act. If such laws apply to any Inflopick processing activity in the future, this Privacy Policy will be updated accordingly.


20. Changes to This Privacy Policy

20.1 Right to Update

Inflopick may update this Privacy Policy from time to time as the Services evolve, as new processors are engaged, or as required by applicable law.

20.2 Notice of Material Changes

For any change that materially affects your rights or our data-handling practices (including engaging new processors for sensitive data, adding new categories of data collection, or changing the purposes of processing), Inflopick will provide at least 30 days' advance written notice by:

(a) email to your registered email address; or

(b) prominent in-platform notification.

The notice will describe the nature of the change and the effective date. This 30-day advance notice period mirrors the material-change notice requirement in the Terms of Use §19 and is consistent with sections 219–221 of the Quebec *Consumer Protection Act*.

20.3 Minor Changes

Changes that do not materially affect your rights or our data-handling practices (such as typographical corrections, clarifications, or the addition of a previously omitted processor description that does not involve new data collection) may be made without advance notice. The "Last Updated" date at the top of this Privacy Policy will reflect all changes.

20.4 Acceptance of Changes

Your continued use of the Services after the effective date of a material change to this Privacy Policy constitutes your acceptance of the updated policy. If you do not accept a material change, you may close your account before the effective date in accordance with Terms of Use §16.1.


21. Language

21.1 English Version

This Privacy Policy is currently available in English only.

21.2 French Translation — Pre-Launch Obligation

In compliance with the *Charter of the French Language*, RLRQ c C-11 (as amended by Bill 96), Inflopick will publish a French-language version of this Privacy Policy and the Terms of Use before the Platform is made broadly available to Quebec consumers.

21.3 Governing Language

Once the French version is published, the French-language Privacy Policy will govern for Quebec consumers in all matters where both versions exist. In the interim period where only the English version is available, the English version governs for all Users.

21.4 Requests

Until the French version is published, Quebec-resident Users who require this Privacy Policy in French may contact us at contact@inflopick.com to request a draft or to obtain assistance in French.


22. Contact

For questions about this Privacy Policy, to exercise your privacy rights, or to submit a complaint:

Data Protection Contact
Inflopick (9557-4240 Quebec Inc.)
Montréal, Québec, Canada
Email: contact@inflopick.com

For general questions about the Services or the Terms of Use, use the same contact information.

For Shopify GDPR webhook requests: these are processed automatically upon receipt through the registered Shopify App webhook endpoints (Section 5.3). Manual requests may also be submitted to the Data Protection Contact above.

For copyright notices under Canada's *Notice and Notice* regime, see Terms of Use §6.5.