PRIVACY POLICY

Jurisdiction: Canada

Version: 1.2

Effective Date: December 8, 2025

Last Updated: February 16, 2026

INTRODUCTION AND ACCEPTANCE

Commitment to Protection

VIREC Intelligence Inc., carrying on business as VIREC ("VIREC", "we", "our", or "us"), is committed to protecting the privacy and Personal Information of its users. This Privacy Policy (the "Policy") describes our practices regarding the collection, use, storage, sharing, and protection of Personal Information in connection with our Services (as defined in Section 3 (Definition), in accordance with Applicable Laws relating to data protection (as defined in Section 2.1).

Acceptance and Consent

By accessing the Services, creating an Account, or using any feature of our Platform, you acknowledge that you have read, understood, and agree to the terms of this Policy in its entirety. Your continued use of the Services following any modification to this Policy (in accordance with Section 11) constitutes your acceptance of such modifications. If you do not accept this Policy, you must immediately cease all use of the Services and contact us at privacy@virec.ca to request deletion of your Account in accordance with Section 10.3.

Incorporation by Reference

This Policy forms an integral part of our Terms of Use and must be read in conjunction therewith. In the event of a conflict between this Policy and the Terms of Use, the Terms of Use shall prevail, except with respect to specific privacy rights guaranteed by applicable laws, which shall remain inviolable.

LEGAL FRAMEWORK AND COMPLIANCE

Applicable Laws

This Policy respects and complies with Canadian laws relating to the protection of Personal Information (collectively, the "Applicable Laws"), including without limitation:

(a) Federal Legislation:

  • Personal Information Protection and Electronic Documents Act (PIPEDA) (Loi sur la protection des renseignements personnels et les documents électroniques), S.C. 2000, c. 5;
  • Canada's Anti-Spam Legislation (CASL) (Loi canadienne anti-pourriel), S.C. 2010, c. 23;
  • The Fair Information Principles set out in Schedule 1 of PIPEDA.

(b) Provincial Legislation (Québec):

  • Act to modernize legislative provisions as regards the protection of personal information (Bill 25) (Loi modernisant des dispositions législatives en matière de protection des renseignements personnels), S.Q. 2021, c. 25, amending in particular the Act respecting the protection of personal information in the private sector (Québec) (Loi sur la protection des renseignements personnels dans le secteur privé), CQLR c. P-39.1;
  • Civil Code of Québec (Code civil du Québec), CQLR c. CCQ-1991, in particular articles 3 and 35 to 41 relating to respect for privacy.

(c) Other Provincial and Territorial Legislation:

Any other applicable provincial or territorial privacy legislation in jurisdictions where the Services are accessible.

Geographic Scope

The Services are intended for users located in Canada. Some of our Third-Party Providers may process Personal Information outside Canada (for example, in the United States), as described in Section 5.3. If you access the Services from outside Canada, you acknowledge and agree that: (a) your Personal Information may be transferred, processed, and stored in Canada and/or in other jurisdictions as described in Section 5.3; (b) Canadian data protection laws will apply; (c) such laws may differ from those of your jurisdiction of origin; and (d) VIREC implements technical geo-blocking measures to restrict access from unauthorized jurisdictions.

Exclusions

This Policy does not apply to: (a) websites, applications, or services of third parties not controlled by VIREC, even if accessible via links from our Services (see Section 10.10 or more details); (b) data processing practices of Third-Party Providers (as defined in Section 3 (Definition)), for which you should consult their respective privacy policies; (c) information that does not constitute Personal Information (as defined in Section 3 (Definition)); or (d) information governed by specific agreements between VIREC and Enterprise clients.

Age Restrictions

The Services are intended solely for use by businesses and adults for commercial purposes. Individuals under the age of eighteen (18) years, are not permitted to register for an Account or use the Services. VIREC does not knowingly provide Services to, or collect known Personal Information from, minors. If we become aware that we have collected Personal Information from a minor, we will delete such information as soon as reasonably possible. If you believe a minor may have provided Personal Information to VIREC, please contact privacy@virec.ca immediately.

DEFINITIONS

For the purposes of this Policy, the following terms have the meanings set out below:

"Account" means the user account created to access the Services, including all associated identifiers, settings, preferences, and Personal Information.

"Affiliate(s)" means any entity that directly or indirectly controls, is controlled by, or is under common control with a party, where “control” means the direct or indirect ownership of more than fifty percent (50%) of the voting securities or other ownership interest of such entity, or the power to direct the management and policies of such entity.

"Aggregated Data" means data that has been combined, compiled, or grouped such that it relates to a group or category of individuals and does not identify (and cannot reasonably be used to identify) any individual.

"Anonymized Information" means information that has been irreversibly modified so that it does not identify an individual and cannot reasonably be used, alone or in combination with other information, to identify an individual, in accordance with Applicable Laws.

"Commission d’accès à l’information" or "CAI" means the Commission d’accès à l’information du Québec, the Québec public body responsible for overseeing the application of the Act respecting the protection of personal information in the private sector and other access-to-information and privacy legislation in Québec, as amended from time to time.

"Consent" means any freely given, informed, and specific indication of the individual's wishes by which the individual agrees to the Processing of their Personal Information for specified purposes. Consent may be: (a) explicit, when given in a clear and affirmative manner; (b) implicit, when it can reasonably be inferred from the actions or inaction of the individual in the circumstances; or (c) deemed, in the limited cases permitted by Applicable Laws. Consent may be withdrawn at any time in accordance with Section 10.4.

"Cookie Banner" or "Preference Centre" means the mechanism(s) made available by VIREC (including a banner, pop-up, or settings interface) that allow individuals to be informed about and manage preferences relating to Cookies and similar technologies (including consenting to, refusing, or withdrawing consent where required).

"Data Services" means proprietary information services, including licensed access to datasets, compilations, analyses, and reports provided by VIREC, which may include publicly available personal information, such as property owner names and addresses sourced from land registries and other public records. Such information remains Personal Information under Applicable Laws; however, its public availability may permit its collection, use, and disclosure for legitimate commercial purposes without individual consent, in accordance with Applicable Laws (including, where applicable, PIPEDA section 7(1)(d) and the Act respecting the protection of personal information in the private sector (Quebec)). VIREC does not use publicly available personal information in Data Services in a manner that would be inconsistent with the purposes for which it was originally made public. Sources may include land registries, assessment rolls, court or administrative records, corporate registries, and other public records or licensed datasets made available for legitimate commercial purposes. If you believe publicly available personal information included in Data Services is inaccurate or should be updated/suppressed in accordance with Applicable Laws, you may submit a written request to privacy@virec.ca. VIREC will review such requests case-by-case and respond in accordance with the timelines and limitations set out in Section 10.

"De-identified Information" means information that has been modified so that it cannot reasonably be linked to an identifiable individual, in accordance with Applicable Laws and the standards set out in Section 6.3.

"Enterprise Client" means a legal entity that enters into an agreement with VIREC for access to the Services for business purposes and under which one or more Authorized Users may access the Services.

"Personal Information" means any information about an identifiable individual, or any information that relates to, describes, or can reasonably be associated, directly or indirectly, with an identifiable individual, as defined in the Applicable Laws (Section 2.1), including without limitation the categories listed in Section 4. Personal Information does not include: (a) De-identified Information that cannot reasonably be linked to an identifiable individual in accordance with the standards set out in Section 6.3; (b) Aggregated Data; (c) publicly available commercial information about legal entities (not individuals).

"Processing" means any operation or set of operations performed on Personal Information, whether or not by automated means, including without limitation: collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction, as defined in the Applicable Laws.

"Security Incident" means any incident involving Personal Information that results in, or creates a reasonable risk of: unauthorized access to, acquisition of, use of, disclosure of, loss of, or alteration of Personal Information, or any breach of safeguards protecting such information, as understood under Applicable Laws.

"Services" means collectively the VIREC Platform, all accessible modules, Data Services, application programming interfaces (APIs), software, documentation, and all related services provided by VIREC.

"Third-Party Providers" means external service providers used by VIREC in certain categories of operational, technical, or support services, as described in Section 7.

"Authorized User(s)" means any individual who is authorized by an Enterprise Client (or by VIREC, as applicable) to access and use the Services under an Account, including administrators and end users, and whose access may be subject to role-based permissions.

COLLECTION OF PERSONAL INFORMATION

General Categories

We may collect and process the following general categories of Personal Information in connection with the provision of the Services, subject to your Consent (as defined in Section 3) and in accordance with the Applicable Laws (Section 2.1):

(a) Identification Information:

Information allowing us to identify you directly.

(b) Authentication Information:

Username, hashed passwords, security questions/answers, and multi-factor authentication credentials. These security identifiers enable access to your Account and are processed in accordance with the Act respecting the protection of personal information in the private sector (Québec), as amended by Bill 25. They are protected using appropriate administrative, technical, and physical safeguards in accordance with Section 8.2, including strong hashing for passwords, encryption in transit and at rest where appropriate, and strict access controls based on least privilege

(c) Commercial and Transactional Information:

Information relating to your subscription, transactions, and history of use of the Services.

(d) Technical and Usage Information:

Technical data concerning your access to and use of the Services, collected automatically via tracking technologies (Section 9).

(e) Geolocation Information:

General or precise location information, subject to your explicit Consent for precise geolocation.

(f) Communication Information:

Content of your communications with VIREC via email, telephone, live chat, or other support channels, retained in accordance with Section 6.2.

(g) User-Generated Content:

Information that you enter, upload, or generate when using the Services.

IMPORTANT NOTE: The above categories are intentionally generic. For detailed information specific to your situation, please contact us at privacy@virec.ca in accordance with Section 12.

Methods of Collection

We collect Personal Information through the following methods:

(a) Direct Collection:

Information you provide directly to us when you create an Account, subscribe to the Services, communicate with us, submit forms, provide billing details, or otherwise interact with the Services.

(b) Automatic Collection:

Information collected automatically when you access or use the Services, including technical and usage information such as device and browser information, IP address, log data, security and authentication events, and interactions with the Platform, through cookies and similar technologies as described in Section 9.

(c)Third-Party Sources:

Information received from third parties in connection with the provision of the Services, such as payment processors, authentication providers, analytics or security service providers, or other service providers acting on our behalf, and only to the extent necessary to provide, secure, or improve the Services.

(d) Derived Data:

Information we generate or infer from the information described above (for example, account-level preferences, usage analytics, and security risk indicators), strictly for the purposes set out in Section 5 and subject to the safeguards described in this Policy.

We limit collection to what is strictly necessary for the purposes set out in Section 5, in accordance with the data minimization principle under the Applicable Laws.

USE OF PERSONAL INFORMATION

General Purposes

We use the Personal Information collected in accordance with Section 4 for the following general purposes, based on our legitimate interests, your Consent, or our legal and contractual obligations:

(a) Provision and Management of Services:

Creating and managing your Account; providing you with access to the Platform and Services; processing your requests and transactions; providing customer support; personalizing your user experience; and performing our contractual obligations.

(b) Security and Protection:

Maintaining the security and integrity of the Platform in accordance with Section 8; preventing, detecting, and investigating fraudulent use or unauthorized access; enforcing the Terms of Use and this Policy; protecting the rights, property, and safety of VIREC, our users, and third parties; and responding to Security Incidents in accordance with Section 8.5.

(c) Legal and Regulatory Compliance:

Complying with our obligations under the Applicable Laws (Section 2.1); responding to valid legal requests from governmental or judicial authorities in accordance with Section 7.2; maintaining required records; making regulatory filings; and complying with applicable legal requirements.

(d) Improvement and Development:

Analyzing use of the Services to identify trends and improve features; developing new Services or modules; conducting internal research; optimizing Platform performance; conducting quality assurance activities, subject to the provisions of Section 6.3; and AI training and model improvement. Currently, VIREC does not use Personal Information to train AI models. If VIREC decides to use Personal Information for training purposes in the future, you will be provided with prior notice and the ability to opt out before any such use begins.

(e) Communications:

Sending transactional communications regarding your Account, the Services, or our Terms; informing you of important updates, policy changes (Section 12), or security notices; and, with your explicit Consent, sending commercial or marketing communications in accordance with Section 5.2 and CASL requirements.

(f) Other Legitimate Purposes:

Any other purpose compatible with the above purposes, for which we have obtained your Consent, or which is otherwise permitted by the Applicable Laws.

(g) Automated Decision-Making:

The Platform's AI features (search, scoring, ranking, filtering) assist users in analyzing real estate data but do not make binding decisions. All outputs are advisory and require human review and judgment. Users retain full discretion and responsibility for all business decisions made using the Platform. For transparency, scoring/ranking/filtering may consider inputs such as your search parameters, selected filters, interaction signals (e.g., viewed/saved items), and available property and market data within the Platform. The Platform may generate recommendations or priority indicators; it does not produce legally binding decisions. You may request additional information about the logic involved and the principal factors used, or ask for a review of outputs, by contacting us at privacy@virec.ca.

Commercial Communications

In accordance with Canada's Anti-Spam Legislation (CASL), we obtain your explicit Consent before sending commercial electronic messages (CEMs). You may withdraw your Consent at any time by: (a) clicking the unsubscribe link included in each message; (b) adjusting your communication preferences in your Account settings; or (c) contacting us at privacy@virec.ca. We will process any unsubscribe request within ten (10) business days in accordance with CASL.

Cross-Border Transfers

Although our Services are hosted primarily in Canada, certain Third-Party Providers may process Personal Information outside Canada. Such transfers are made in accordance with the Act respecting the protection of personal information in the private sector (Québec), as amended by Bill 25. Before any transfer outside Quebec or Canada, we conduct a documented privacy impact assessment evaluating: (a) The legal framework and privacy protections in the receiving jurisdiction (b) The sensitivity of the Personal Information being transferred (c) The purposes and circumstances of the transfer (d) Contractual and technical safeguards implemented Upon written request to privacy@virec.ca, we will provide a summary of the assessment for the relevant transfer, subject to redaction of commercially sensitive information. Current cross-border transfers: Certain Third-Party Providers process Personal Information in the United States. Our assessment has determined that appropriate safeguards are in place through: (i) Contractual data protection clauses requiring compliance with standards equivalent to Canadian law (ii) Technical security measures (encryption, access controls) (iii) Limitation of transfers to necessary business purposes (iv) Ongoing monitoring of Third-Party Provider compliance.

Purpose Limitation

We will only process your Personal Information for the purposes set out in this Policy or for which we have obtained your Consent. If we wish to use your Personal Information for a substantially different purpose, we will obtain your Consent in accordance with Section 3, unless such use is permitted or required by the Applicable Laws without Consent.

RETENTION AND DELETION

General Principles

We retain your Personal Information only for as long as necessary to: (a) fulfill the purposes set out in Section 5; (b) comply with our legal and regulatory obligations; (c) resolve disputes; (d) enforce our agreements; and (e) protect our legal rights. Specific retention periods vary depending on: (i) the category of Personal Information (Section 4); (ii) your subscription level and Services used; (iii) applicable legal requirements in your jurisdiction; and (iv) our reasonable business practices.

Legal Retention Obligations

Certain Personal Information must be retained for minimum periods under the Applicable Laws, including without limitation: (a) federal and provincial tax and accounting requirements; (b) commercial record-keeping requirements; (c) retention obligations related to ongoing litigation or investigations; and (d) any other legal or regulatory obligation. In such cases, we will retain your Personal Information until the expiry of the minimum legal retention period, even if you request deletion in accordance with Section 10.3.

De-identification and Aggregation

Upon expiry of the applicable retention periods, we may: (a) permanently delete your Personal Information in accordance with our secure deletion practices; or (b) de-identify or aggregate your Personal Information such that it can no longer reasonably be associated with you as an identifiable individual. De-identified or aggregated information no longer constitutes Personal Information and may be retained indefinitely and used by VIREC for analytical, research, service improvement, or commercial purposes, without restriction and without further notice. For clarity, “de-identified” information may still be treated as Personal Information where re-identification is reasonably possible under applicable laws. “Anonymized” information is intended to be irreversibly anonymized so that identification is not reasonably possible. VIREC prohibits any attempt to re-identify de-identified or aggregated information except where required by law and with appropriate authorization.

SHARING WITH THIRD PARTIES

Third-Party Service Providers

(a) Categories of Providers:

We may share Personal Information with Third-Party Providers (as defined in Section 3) in certain operational categories necessary to provide, maintain, and improve the Services. These categories include, without limitation:

  • Infrastructure and hosting service providers;
  • Authentication and identity management service providers;
  • Payment processing and billing service providers;
  • Artificial intelligence and data processing service providers;
  • Communication and messaging service providers;
  • Analytics and monitoring service providers;
  • Security service providers;
  • Other categories of technical, operational, or support service providers.

(b) Disclosure of Third-Party Providers:

In accordance with the Act respecting the protection of personal information in the private sector (Québec), as amended by Bill 25, we identify in our Policy the categories of Third-Party Providers likely to process Personal Information on our behalf as well as the possibility of transfers outside Québec. A more detailed list of Third-Party Providers, including their geographic location, may be provided upon written request to privacy@virec.ca. We will inform users of any changes that would have a significant impact on the purposes, risks, or locations of Processing of Personal Information. The specific contractual and commercial terms with our Third-Party Providers remain Confidential Information of VIREC.

(c) Contractual Requirements:

All Third-Party Providers that process Personal Information on our behalf are contractually required to: (i) process Personal Information only in accordance with our instructions; (ii) maintain appropriate security measures in accordance with Section 8; (iii) comply with the Applicable Laws; (iv) notify VIREC of any Security Incident; and (v) assist VIREC in complying with its obligations under this Policy.

Other Disclosures

We may also disclose Personal Information in the following circumstances:

(a) With Your Consent:

We may disclose Personal Information where you have provided your consent (express or implied, as applicable) for a specific disclosure.

(b) Enterprise Accounts (Authorized Users / Account Administration):

Where an Account is registered or administered by an Enterprise Client, we may disclose certain Account and usage information to the Enterprise Client’s authorized administrators for legitimate business purposes, including account management, billing, security oversight, and compliance. For clarity, the Enterprise Client is responsible for obtaining any required authorizations from its Authorized Users.

(c) Affiliates:

We may disclose Personal Information to our Affiliates where necessary to operate, provide, secure, or improve the Services, provided such Affiliates are bound by confidentiality and data protection obligations consistent with this Policy and Applicable Laws.

(d) Business Transactions:

We may disclose Personal Information in connection with a proposed or completed business transaction, such as a merger, acquisition, financing, reorganization, or sale of all or a portion of our assets, subject to customary confidentiality protections and only to the extent necessary for the transaction. If the transaction is completed, Personal Information may be transferred as part of the transaction, subject to Applicable Laws.

(e) Legal Compliance and Protection of Rights:

We may disclose Personal Information where we believe in good faith that disclosure is necessary to: (i) comply with applicable law, regulation, legal process, or enforceable governmental request; (ii) enforce our agreements and policies; (iii) protect the rights, property, or safety of VIREC, our Clients, users, or the public; or (iv) detect, prevent, or address fraud, security, or technical issues.

SECURITY OF PERSONAL INFORMATION

Security Commitment

We implement and maintain commercially reasonable and appropriate administrative, technical, and physical security measures commensurate with the sensitivity of the Personal Information processed, in accordance with the Applicable Laws (Section 2.1) and industry standards. These measures are designed to protect your Personal Information against loss, theft, unauthorized access, disclosure, copying, use, modification, or destruction.

Categories of Security Measures

Without disclosing the specific details of our security measures, our safeguards include the following general categories:

(a) Technical Measures:

Access controls (including role-based access, least-privilege principles, and strong authentication practices), encryption in transit and, where appropriate, at rest, secure key and credential management, logging and monitoring, vulnerability management and patching practices, malware protection, network security controls, and security testing procedures.

(b) Administrative Measures:

Privacy and security policies and procedures, employee confidentiality obligations, onboarding and periodic training on privacy and security, access provisioning and deprovisioning processes, vendor due diligence, and documented incident response procedures.

(c) Physical Measures:

Physical security controls for facilities and equipment used in connection with the Services, including controlled access to premises, secure storage of devices, and, where applicable, reliance on data centers with recognized physical security standards.

(d) Organizational Measures:

Designation of responsible roles (including the Privacy Officer), governance processes for risk management, periodic review of safeguards, segregation of duties where appropriate, and the maintenance of records and documentation required by Applicable Laws (including incident registers where applicable).

These measures are periodically reviewed and updated to address evolving threats, technology changes, and legal requirements.

Security Limitations

IMPORTANT NOTICE: Although we make significant efforts to protect your Personal Information, no security measures are absolutely infallible. No system of data transmission over the Internet or electronic storage is completely secure. We cannot guarantee the absolute security of Personal Information and cannot guarantee that the security measures we use will always be adequate or that they will never be bypassed, disabled, or compromised.

User Responsibilities

You are responsible for: (a) maintaining the confidentiality of your Account credentials; (b) restricting access to your device and browser; (c) logging out of your Account after use, particularly on shared devices; (d) notifying us immediately of any unauthorized access or suspected use of your Account at privacy@virec.ca ; and (e) maintaining appropriate security practices on your own systems.

Security Incident Notification

In the event of a Security Incident affecting your Personal Information, we will: (a) promptly investigate and take necessary measures to limit the impacts; (b) inform you and the relevant authorities without undue delay, where there is a risk of serious harm, in accordance with the Act respecting the protection of personal information in the private sector (Québec), as amended by Bill 25, and PIPEDA; (c) provide information on the nature of the incident, the categories of Personal Information affected, and the measures taken or recommended; (d) notify the relevant authorities as required by the Applicable Laws, including the Office of the Privacy Commissioner of Canada and, for Québec residents, the Commission d'accès à l'information du Québec; and (e) document the incident in accordance with our internal procedures and applicable legal requirements.

COOKIES AND TRACKING TECHNOLOGIES

Use of Cookies

We use cookies and similar technologies to operate and improve our Services. Cookies are small text files stored on your device.

Types of cookies used:

(a) Essential Cookies:

Necessary for the operation of the Platform, including authentication, security, and basic functionality. These cookies cannot be disabled.

(b) Analytical Cookies:

Help us understand how users interact with our Services, identify technical issues, and improve performance. These cookies collect aggregated and anonymized information.

(c) Functional Cookies:

Allow us to remember your preferences and settings to provide a personalized experience.

Representative Cookie Table (actual cookie names/providers may vary by configuration and are disclosed in the cookie banner/preference centre when deployed):

Cookie (name)

Provider

Purpose

Type

Expiry

virec_session

VIREC (first-party)

Maintain session and authentication

Essential

Session

virec_csrf

VIREC (first-party)

Security (CSRF protection)

Essential

Session

virec_consent

VIREC (first-party)

Store cookie consent preferences

Functional

12 months

analytics_*

Analytics provider (may be first- or third-party)

Measure usage and performance (aggregated metrics)

Analytical

Up to 24 months

Additional Tracking Technologies

We also use tracking pixels, web beacons, and analytics tools provided by third-party services to measure the use and performance of our Services.

Your Choices Regarding Cookies

You can control cookies through your browser settings: Where available, you may also manage non-essential cookies through our cookie banner or preference center.

  • Most browsers automatically accept cookies
  • You can modify your settings to refuse cookies
  • You can delete cookies already stored

Consent Required for Non-Essential Cookies

In accordance with the Act respecting the protection of personal information in the private sector (Québec), as amended by Bill 25, your express consent is required before the deployment of cookies or similar technologies that are not essential to the operation of the Services, including analytical, advanced functional, or marketing cookies. A consent mechanism will allow you to accept or refuse these cookies during your first visit. Essential cookies necessary for the basic operation of the Platform do not require consent. You may modify your preferences at any time through your browser settings as described in Section 9.3.

Retention Period

(a) Session Cookies:

Session cookies are temporary cookies that are stored only for the duration of your browsing session and are generally deleted automatically when you close your browser. They are used primarily for essential functions such as authentication, security, and maintaining your session.

(b) Persistent Cookies:

Persistent cookies remain on your device for a longer period, depending on their purpose, and are used to remember preferences, support functionality, and, where applicable, enable analytics. Persistent cookies are retained for no longer than necessary for their intended purpose and are typically stored for a period ranging from a few days up to 24 months, unless you delete them earlier through your browser settings or withdraw your consent (where applicable).

(c) Control and Deletion:

You can delete cookies at any time through your browser settings. Where a consent mechanism is provided for non-essential cookies, you may also modify or withdraw your cookie preferences through that mechanism.

For more information, contact us at privacy@virec.ca.

YOUR PRIVACY RIGHTS

Right of Access

You have the right to: (a) request confirmation of whether or not we are processing your Personal Information; (b) obtain access to your Personal Information that we hold; (c) receive information about the purposes of Processing, the categories of Personal Information processed, the recipients or categories of recipients, and the applicable retention periods (Section 6); and (d) obtain a copy of your Personal Information in an accessible format. This right is subject to the legal limitations of Section 10.7 and the verification procedures of Section 10.8.

Right to Rectification

You have the right to request the correction of inaccurate, incomplete, or outdated Personal Information that we hold about you. We will process your request promptly and, if we accept the correction, we will update your Personal Information and notify the relevant third parties to whom we have communicated the inaccurate information, unless this is impossible or requires disproportionate effort.

Right to Deletion

You have the right to request the deletion of your Personal Information in the following circumstances: (a) the Personal Information is no longer necessary for the purposes for which it was collected; (b) you withdraw your Consent (Section 10.4) and there is no other legal basis for the Processing; (c) you object to the Processing and there are no overriding legitimate grounds for the Processing; (d) the Personal Information has been processed unlawfully; or (e) deletion is required to comply with a legal obligation. This right is subject to the exceptions in Section 10.7.

Right to Withdraw Consent

Where the Processing of your Personal Information is based on your Consent (as defined in Section 3), you have the right to withdraw that Consent at any time. Withdrawal of your Consent: (a) does not affect the lawfulness of Processing carried out prior to withdrawal; (b) may be effected through your Account settings, unsubscribe links in communications, or by contacting us at privacy@virec.ca; and (c) may result in our inability to provide certain Services if Consent was necessary for those Services.

Right to Data Portability (Québec)

Québec residents have the right to obtain their Personal Information in a structured and commonly used technological format, and to request its transfer to another organization, in accordance with section 27 of the Act respecting the protection of personal information in the private sector (Québec), as amended by Bill 25. This right may be exercised to the extent that exercising it does not infringe the rights of others, does not reveal commercially sensitive information, and does not result in disproportionate costs.

Right to Deletion and De-identification (Québec)

Québec residents may request the deletion of their Personal Information when it is no longer necessary. In certain circumstances provided for in the Act respecting the protection of personal information in the private sector (Québec), as amended by Bill 25, we may instead de-identify such information when complete deletion is not possible or when the law permits its retention in de-identified form. De-identification consists of permanently and irreversibly modifying Personal Information so that it can no longer be associated with an identifiable individual.

Limitations and Exceptions

Your rights set out in Sections 10.1 to 10.6 are subject to the limitations and exceptions provided by the Applicable Laws, including without limitation cases where: (a) disclosure or deletion would compromise security; (b) disclosure would reveal Confidential Information of VIREC or third parties; (c) the request is manifestly unfounded or excessive; (d) the Personal Information is retained to comply with legal or regulatory obligations; (e) the Personal Information is necessary for the establishment, exercise, or defence of legal claims; or (f) any other exception permitted by the Applicable Laws.

Procedure for Exercising Rights

To exercise your rights: (a) send a written request to privacy@virec.ca with the subject line "Request to Exercise Rights" specifying the right you wish to exercise; (b) provide the information necessary to verify your identity; and (c) clearly indicate the Personal Information concerned. We will respond to your request within thirty (30) days, in accordance with the Act respecting the protection of personal information in the private sector (Québec), as amended by Bill 25, and PIPEDA. This period may be extended in cases provided for by these laws, and you will be informed accordingly. No fee is charged to process your request, except in situations where fees are permitted by applicable laws; in such cases, you will be informed in advance of the approximate amount.

Right to File a Complaint

You have the right to file a complaint regarding our Personal Information processing practices with the relevant authorities:

Office of the Privacy Commissioner of Canada:

Website: www.priv.gc.ca

Telephone: 1-800-282-1376

Commission d'accès à l'information du Québec:

Website: www.cai.gouv.qc.ca

Telephone: 1-888-528-7741

We encourage you, however, to first contact us at privacy@virec.ca in accordance with Section 12 so that we may attempt to resolve your concern directly.

Third-Party Websites and Services

This Policy applies only to Personal Information collected and processed by VIREC through the Services. It does not apply to: (a) Third-party websites, applications, or services accessible via links from our Platform (b) Third-Party Providers' own privacy practices (see their respective privacy policies) (c) Social media platforms where you may share content from our Services (d) Browser extensions, plugins, or tools you use to access our Services We are not responsible for the privacy practices, content, or security of such third-party services. We encourage you to review their privacy policies before providing any Personal Information. When you click a link to a third-party service, you are leaving our Platform and this Policy no longer applies.

POLICY MODIFICATIONS

Right to Modify

VIREC reserves the right to modify, update, or revise this Policy at any time, in its sole and absolute discretion. Modifications may be necessary due to: (a) changes in the Applicable Laws or regulatory requirements; (b) modifications to our data processing practices or our Services; (c) technological developments; (d) changes in our relationships with Third-Party Providers; (e) security or privacy enhancements; or (f) other legitimate business reasons.

Notification of Modifications

We will inform you of modifications to this Policy by the following means: (a) posting the updated Policy on our website with a new "Last Updated" date; (b) for material modifications or those likely to have a significant impact on your rights or the way we process your Personal Information, sending a notification by email to the address associated with your Account at least thirty (30) days before the effective date of the modifications. This notice is provided in order to comply with our transparency obligations under the Applicable Laws, including the Act respecting the protection of personal information in the private sector (Québec), as amended by Bill 25; and (c) where applicable, displaying a notification on the Platform upon your next login. Non-material modifications may take effect immediately without prior notification, at VIREC's discretion.

Acceptance of Modifications

Your continued use of the Services after the effective date of any modification to this Policy constitutes your acceptance of the modified Policy. If you do not accept the modifications: (a) you must immediately cease using the Services; (b) you may contact us at privacy@virec.ca to discuss your concerns; and (c) you may request the closure of your Account and the deletion of your Personal Information in accordance with Section 10.3.

Discretion of Application

VIREC reserves the right to: (a) selectively apply or not apply modifications among different users or categories of users; (b) maintain different versions of the Policy for different subscription levels or Services; (c) modify application according to specific circumstances; and (d) interpret the provisions of the Policy in its sole discretion. This flexibility of application does not constitute a waiver of VIREC's rights and does not create any obligation or expectation for future modifications.

CONTACT INFORMATION AND PRIVACY OFFICER

Primary Contact

For any questions, concerns, requests to exercise rights, or complaints regarding this Policy or our Personal Information processing practices, please contact our Privacy Officer:

VIREC - Privacy Officer: Christo Mavrick

VIREC Intelligence Inc., carrying on business as VIREC, 1250 Boul. René-Lévesque O, Suite 2200, Montréal, QC, H3B 4W8

Email: privacy@virec.ca (preferred method)

Alternate email: legal@virec.ca

We endeavour to respond to all requests within thirty (30) days in accordance with the requirements of the Applicable Laws.

Security Questions

For questions or concerns specifically related to security, including the reporting of potential Security Incidents (Section 8.5), please contact: security@virec.ca

General Support

For general support related to your Account or use of the Services (not related to privacy): support@virec.ca

FINAL ACKNOWLEDGEMENT

BY USING THE SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO THIS PRIVACY POLICY IN ITS ENTIRETY.

If you have any questions or concerns regarding your Personal Information or this Policy, please contact us at privacy@virec.ca.

Version: 1.2

Effective Date: December 8, 2025

Last updated: February 16, 2026

© 2026 VIREC Intelligence Inc. All rights reserved. Tous droits réservés.

VIREC and the VIREC logo are trademarks of VIREC Intelligence Inc.