Privacy policy

Who We Are

Hermann Chie, trading as Hermanor, operates as an individual operator. Our postal address is 10 2e Rue S, Thetford Mines, Quebec G6G 4Z2, Canada. You can reach us via email at heermanor@outlook.com. We are responsible for the personal information we collect and hold.

Privacy Officer (PIPEDA Principle 1 — Accountability)

Under PIPEDA Principle 1, Hermanor designates Hermann Chie as the individual responsible for compliance with this Privacy Policy. You may contact our Privacy Officer at heermanor@outlook.com for any privacy-related inquiries.

What Personal Information We Collect (PIPEDA Principle 4 — Limiting Collection)

  • Identity: name
  • Contact: email, phone, delivery/billing address
  • Transaction: order history, payment details (processed by third-party providers — we do not store card numbers)
  • Technical: IP address, browser type, device, Shopify session data
  • Usage: pages visited, products viewed, referral source
  • Marketing: your communication preferences

We collect only what is necessary for the purposes identified below.

How and Why We Use Your Information (PIPEDA Principle 2 — Identifying Purposes)

  • Processing and fulfilling orders
  • Managing payments
  • Sending order confirmations and updates
  • Fraud prevention and security
  • Improving our website
  • Legal obligations (tax records — Income Tax Act s.230, 6-year retention)

Consent (PIPEDA Principle 3)

PIPEDA meaningful consent model:

  • Implied consent for information necessary to fulfil a transaction or for non-sensitive purposes
  • Express consent for sensitive personal information and marketing communications (CASL)

You may withdraw your consent at any time, subject to legal or contractual restrictions. Withdrawal of marketing consent does not affect order-related communications you continue to receive for purchases you make.

Limiting Use, Disclosure, and Retention (PIPEDA Principles 5 + 6)

We use and disclose personal information only for the purposes identified in this Privacy Policy. We do NOT disclose your personal information to third parties for purposes other than those identified in this Privacy Policy without your consent. Personal information is kept accurate and up-to-date based on what you provide and update through your account.

Who We Share Your Information With

  • Shopify Inc. (e-commerce platform headquartered in Ottawa, ON; hosting infrastructure in the United States)
  • Payment processors (Shopify Payments)
  • Delivery partners (Canada Post, courier services as applicable)

We do NOT disclose personal information for purposes beyond fulfillment, security, legal obligation, and (with consent) marketing.

Safeguards (PIPEDA Principle 7)

We protect personal information through physical, organizational, and technological safeguards appropriate to the sensitivity of the information, including encrypted transmission (TLS), access controls, and Shopify platform security.

Openness (PIPEDA Principle 8)

Information about our policies and practices relating to personal information is openly available through this Privacy Policy and on request from our Privacy Officer.

Individual Access and Correction (PIPEDA Principle 9)

You have the right to access your personal information, challenge its accuracy, and request correction. You may withdraw your consent at any time. To exercise your rights, contact our Privacy Officer at heermanor@outlook.com. We will respond within 30 days, as required by PIPEDA s.8(3). Where the request is complex, we may extend this period and notify you of the extension under PIPEDA s.8(4).

International Transfers (PIPEDA Principle 1 — Cross-Border Accountability)

Some service providers process data outside Canada, including:

  • Shopify Inc. (Canadian-headquartered but with hosting infrastructure in the United States via Google Cloud and AWS)

Where your information is transferred outside Canada, we remain accountable for its protection under PIPEDA Principle 1, and our service providers are bound by contractual privacy commitments.

Data Retention

  • Order data: retained for 6 years (Income Tax Act s.230; CRA recommends 6-year minimum)
  • Marketing data: until consent withdrawn
  • Technical/analytics data: typically 26 months for analytics platforms

We securely delete or anonymise your information when no longer needed for the identified purposes.

Cookies

For details about cookies and tracking technologies, see our Cookie Policy.

Challenging Compliance (PIPEDA Principle 10)

You may challenge our compliance with this Privacy Policy by contacting our Privacy Officer at heermanor@outlook.com. If you are dissatisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC):

  • Web: priv.gc.ca
  • Phone: 1-800-282-1376
  • Mail: 30 Victoria Street, Gatineau, QC K1A 1H3

We encourage you to contact us first so we can address your concerns.

Changes to This Policy

We may update this Privacy Policy from time to time. The version in force when you place an order applies to that order.

Last Updated: April 2026

Quebec Residents — Loi 25 (Quebec Privacy Act)

If you are a Quebec resident, the following provisions apply in addition to the federal PIPEDA framework described above. Loi 25 (formally An Act to modernize legislative provisions as regards the protection of personal information, formerly Bill 64) establishes Quebec's autonomous privacy regime, with the Commission d'accès à l'information du Québec (CAI) as the supervisory authority.

Privacy Officer / PRPI (Loi 25 §3.1)

Under Loi 25 §3.1, Hermanor designates Hermann Chie as the person responsible for the protection of personal information (PRPI). Privacy Officer contact: heermanor@outlook.com.

Express Consent for Sensitive Information (Loi 25 §8.1)

For sensitive personal information (as defined under Loi 25 §59) — health, financial behavior patterns, biometric, ethnic origin, or other information of an intimate nature — we obtain your express consent, granular and revocable. We do not currently collect sensitive personal information; if this changes, we will obtain express consent prior to any collection.

Privacy Impact Assessments (§3.2)

For new collections of personal information, cross-border transfers, biometric data, and automated decision-making, we conduct Privacy Impact Assessments as required by Loi 25 §3.2.

Cross-Border Transfers (§17)

Where your personal information is transferred outside Quebec (for example, Shopify hosting infrastructure in the United States), we conduct a Privacy Impact Assessment to ensure adequate protection. Service providers are bound by contractual privacy commitments equivalent to or stronger than those required by Loi 25.

Your Rights Under Loi 25

  • Right of access: Obtain confirmation that we hold personal information about you and copies thereof.
  • Right to rectification: Request correction of inaccurate, incomplete, or ambiguous personal information.
  • Right to data portability (§28.1): Obtain your personal information in a structured, commonly used technological format, and request transmission to another organization.
  • Right to deindexing (§28.1): Request that outdated or harmful personal information be deindexed from search engines.
  • Right to withdraw consent: At any time, subject to legal or contractual restrictions.
  • Right to be informed about automated decision-making (§90.1): If we use automated processing (including AI) to make decisions producing legal or significant effects about you, you have the right to be informed, request human review, and object.

Automated Decision-Making (§90.1)

We do not currently use automated decision-making (including AI) to make decisions that produce legal or significant effects about you. If we begin to do so, we will inform you, document the logic used, and provide an opportunity to opt out or request human review.

Biometric Data (§31-32)

We do not currently collect biometric data. If we begin to do so, we will declare the collection to the CAI as required by Loi 25 §32 and obtain your express consent.

Breach Notification (§65)

If we become aware of a confidentiality incident likely to cause serious harm to you, we will notify you and the Commission d'accès à l'information du Québec (CAI) without unreasonable delay (typically within 72 hours of discovery for high-risk incidents).

Quebec Complaint Escalation — CAI

For Quebec-specific privacy complaints, you may file directly with the Commission d'accès à l'information du Québec (CAI):

  • Web: cai.gouv.qc.ca
  • Phone: 1-888-528-7741
  • Mail: 525, boulevard René-Lévesque Est, Bureau 2.36, Québec (Québec) G1R 5S9

Penalties

Violations of Loi 25 may result in administrative monetary penalties imposed by the CAI of up to CAD 10 million or 2% of worldwide turnover (whichever is higher) for organizations, and up to CAD 100,000 for individuals. Penal sanctions of up to CAD 25 million or 4% of worldwide turnover may apply for serious violations.