(438) 299-6868
(438) 299-6868
LE BALDWIN
Private Event Hall
Effective Date : 10/6/2025
Last Updated : 10/6/2025
LE BALDWIN is a refined private event venue located in Laval, Québec, specializing in weddings, birthdays, baby showers, engagements, and other memorable celebrations.
We place the utmost importance on protecting your personal information and are committed to respecting your privacy. This privacy policy informs you about our practices regarding the collection, use, disclosure, retention, and protection of your personal information, in accordance with Québec’s Act respecting the protection of personal information in the private sector (Law 25).
This policy is written in clear, simple terms so you can easily understand how we handle your personal information and what your rights are.
Person Responsible for the Protection of Personal Information
Name: Claudio Sansalone
Email: [info@lebaldwin.com](mailto:info@lebaldwin.com)
Phone: (438) 299-6868
Address: 3954 Bd Leman, Laval, QC H7E 1A1
For any questions regarding the protection of your personal information or to exercise your rights, you can contact our Responsible Person at the coordinates above.
We collect only the personal information necessary to provide our event hall rental services and to improve your experience.
• First and last name
• Email address
• Phone number
• Mailing address (if paper billing is required)
• Type of event (wedding, birthday, baby shower, engagement, other)
• Date and time of the event
• Number of expected guests
• Preferences and special needs (layout, decoration, equipment)
• Food allergies or dietary restrictions (if catering services are coordinated)
• Billing information
• Transaction details (amount, date)
• Credit card information is processed securely by our payment provider Stripe and is never stored directly on our systems (see section 5.3)
• Anonymized IP address
• Pages visited on our website
• Duration and sequence of browsing
• Browser type and operating system
• Data collected via cookies and similar technologies (see section 6)
• Content of your emails and messages
• History of our exchanges
• Communication preferences
• Photos and videos of your event (only if you have signed a specific authorization)
We collect and use your personal information only for specific, determined, and legitimate purposes.
Purposes :
• Process and confirm your reservation request
• Manage your reservation and prepare the hall according to your needs
• Contact you regarding your event
• Coordinate details of your event
• Respond to your questions and requests
Legal basis: Performance of the service contract
Possibility of refusal: Refusing to provide this information would prevent us from processing your reservation and providing our services.
Purposes :
• Process payments and issue invoices
• Manage billing and accounting
• Prevent fraud Legal basis: Performance of the contract and legal tax obligations Possibility of refusal: This information is required to complete the transaction.
Purposes :
• Communicate with you regarding your reservation
• Send you confirmations and reminders
• Handle your requests, questions, and complaints
• Provide follow-up after your event
Legal basis: Performance of the contract and legitimate interest
Purposes :
• Send you our newsletter
• Inform you about our promotions and special offers
• Share our updates and services
Legal basis: Explicit consent
Possibility of refusal: You may refuse to receive these communications without affecting our other services. You can unsubscribe at any time by clicking the unsubscribe link in each email or by contacting our Person Responsible for the Protection of Personal Information.
Purposes :
• Understand how you use our website
• Improve our services and your experience
• Analyze traffic trends and statistics
• Optimize our site’s performance
Legal basis: Consent (for analytics tools) and legitimate interest
Purposes :
• Publish photos of your event on our website and social networks
• Use photos in our promotional materials
• Build our portfolio of achievements
Legal basis: Explicit and separate consent
Possibility of refusal: This use requires a separate written authorization that you can refuse or withdraw at any time.
Purposes :
• Comply with our legal and regulatory obligations
• Respond to requests from competent authorities
• Defend our rights in the event of a dispute
Legal basis: Legal obligations
We collect your personal information in various ways, always transparently.
• Inquiry and reservation forms on our website
• Communications by email or phone
• Newsletter sign-up forms
• Contracts and signed documents
• Exchanges with our staff
• Cookies and similar technologies on our website (with your consent)
• Sonixos online booking system
• Web analytics tools (Google Analytics – with your consent)
• Advertising tracking pixels (Facebook Pixel – with your consent)
Important: All identification, location, or profiling technologies are disabled by default and are only enabled after obtaining your explicit consent via our cookie management banner.
When you visit our website, certain technical information is collected automatically to ensure the site functions (essential cookies). Other information requires your consent (analytics and marketing cookies).
INFORMATION
We never sell your personal information. We disclose it only under the following circumstances:
To carry out your event according to your wishes, we may share certain information with our trusted partners:
• Catering services (name, contact details, event date, number of guests, allergies)
• Photographers and videographers (name, contact details, event date)
• Decoration services (name, contact details, preferences)
• Technical services: sound, lighting (name, contact details, technical needs)
Guarantees : These partners:
• Are carefully selected
• Sign confidentiality agreements compliant with Law 25
• Use your data solely to deliver your event
• Cannot use your data for their own commercial purposes
• Must delete your data after the event (except where legally required)
We use service providers who process personal information on our behalf. These subcontractors are contractually required to protect your data in accordance with section 18.3 of Law 25.
Provider : Stripe Payments Canada, Ltd.
Certification : PCI-DSS Level 1 (highest security standard for payments) Data shared with Stripe:
• First and last name
• Email and billing address
• Card number, expiration date
• CVV code (NOT RETAINED after transaction – immediate deletion in accordance with PCI-DSS standards)
• Transaction amount and date
TRANSFER OUTSIDE QUÉBEC – UNITED STATES
Payment data is processed by Stripe on servers located primarily in the United States. By using our payment services, you expressly consent to this transfer of your data outside Québec. The United States has laws different from Québec regarding data protection, including the Cloud Act, which may allow U.S. government authorities to access certain data in specific circumstances.
Protective measures in place:
• Privacy Impact Assessment (PIA) carried out in accordance with section 17 of Law 25
• Written contract with Stripe including strict protective clauses (section 18.3)
• Limited use for payment processing only
• Enhanced security: TLS 1.2 encryption, PCI-DSS Level 1 certification
• Mandatory notification in the event of a privacy incident
• Right to verify compliance
Stripe’s privacy policy: [https://stripe.com/privacy](https://stripe.com/privacy)
Your rights:
• Withdraw your consent to the transfer (limitation: would prevent online payment)
• Request access to or deletion of your payment data (except where legally required for tax purposes)
• Alternative payment option without transfer outside Québec (contact us)
System used: Sonixos (reservation management system) Data shared:
• Identification and contact information
• Reservation details
• Your reservation history
Server location: [To be confirmed with the provider – information available upon request]
Contractual protection:
• Written contract compliant with section 18.3 of Law 25
• Use limited to managing your reservations
• Strict security measures (encryption, access controls)
• Deletion of data after the end of the contract (except where legally required)
For more information about hosting location and specific protective measures, you can contact our Person Responsible for the Protection of Personal Information.
We may disclose your personal information if required by law:
• In response to a court order
• To comply with a law or regulation
• To protect our legal rights or those of others
• In the event of reorganization, merger, or sale of assets (with prior notice)
In all other cases, we will disclose your personal information to third parties only with your explicit consent.
Our website uses cookies and similar technologies. In accordance with Law 25, all identification, location, or profiling technologies are disabled by default and are enabled only with your explicit consent.
A cookie is a small text file placed on your device when you visit a website. Cookies allow the site to recognize your device during future visits.
A. Essential cookies (always active)
These cookies are necessary for the website to function and cannot be disabled. They do not collect any information that allows us to identify you.
Use:
• Maintain your session during your visit
• Secure your login
• Remember your language preferences
• Ensure the functioning of the reservation cart
Legal basis: Essential operation of the site (no consent required)
B. Analytics cookies (require your consent)
Google Analytics
Our site uses Google Analytics, a web analytics service from Google LLC, to understand the use of our site and improve your experience.
Information collected:
• Anonymized IP address (last bytes truncated)
• Pages visited, duration and sequence of browsing
• Browser type and operating system
• Geographic origin (regional level only, not a precise address)
• Actions performed on the site (clicks, forms)
Purpose: Anonymized statistical analysis to improve site performance and user experience. No commercial or marketing use.
INTERNATIONAL TRANSFER – UNITED STATES
Data is stored and processed on Google servers located primarily in the United States.
A Privacy Impact Assessment (PIA) was conducted in accordance with Law 25. Contractual protective measures have been put in place with Google.
Privacy configuration:
• IP anonymization enabled (mandatory)
• No data sharing with other Google services
• No personalized advertising based on Google Analytics
• Limitation of collection to essential statistics
Google Analytics cookies:
• _ga (duration: 2 years): Identify unique visitors
• _gid (duration: 24 hours): Identify visitors
• _gat (duration: 1 minute): Limit request rate
Your rights:
• Refuse Google Analytics via our consent banner
• Install Google’s opt-out add-on:
[https://tools.google.com/dlpage/gaoptout](https://tools.google.com/dlpage/gaoptout)
• Withdraw your consent at any time
• Request access to or deletion of your data
Google’s privacy policy: [https://policies.google.com/privacy](https://policies.google.com/privacy)
C. Marketing and advertising cookies (require your consent) Facebook Pixel (Meta Pixel)
We use the Facebook/Meta pixel to measure the effectiveness of our advertising campaigns on Facebook and Instagram.
Information collected:
• Pages viewed and actions on our site
• IP address and unique browser identifier
• Information about your device and browser
• Interactions with our Facebook/Instagram ads
Purposes :
• Measure conversions from our ads (how many people book after seeing an ad)
• Create audiences for remarketing (show our ads if you visited our site)
• Optimize delivery of our Facebook/Instagram ads
• Analyze the effectiveness of our marketing campaigns
INTERNATIONAL TRANSFER – UNITED STATES
Data is transmitted to Meta Platforms, Inc., whose servers are located in the United States.
Important: Meta (Facebook) received a record fine of €1.2 billion in May 2023 for data transfers to the United States. Meta now relies on the new Data Privacy Framework adopted in July 2023, but legal uncertainties remain.
A thorough Privacy Impact Assessment (PIA) was conducted in accordance with Law 25, including a risk analysis related to these transfers.
Protective measures:
• Limited use to essential conversions only
• No extensive profiling
• Standard contractual clauses with Meta
• Regular compliance review
Facebook Pixel cookies:
• _fbp (duration: 3 months): Visit tracking
• fr (duration: 3 months): Advertising and measurement
Your rights:
• Refuse Facebook Pixel via our consent banner
• Manage your ad preferences: [https://www.facebook.com/settings?tab=ads](https://www.facebook.com/settings?tab=ads)
• Withdraw your consent at any time
• Request deletion of your data
Meta’s privacy policy: [https://www.facebook.com/privacy/policy/](https://www.facebook.com/privacy/policy/)
On your first visit: A consent banner appears allowing you to choose the categories of cookies you accept.
Change at any time: You can modify your preferences by clicking the “Manage my cookie preferences” link available at all times in the footer of our site.
Validity period: Your consent is valid for a period of 12 months. After this period, we will ask for your consent again.
No consent: If you refuse analytics or marketing cookies, it will not affect your ability to use our website and make reservations. Only essential cookies will remain active.
Your browser settings: You can also set your browser to refuse all cookies or to be notified when a cookie is placed. Note:
refusing essential cookies may prevent certain site features from functioning properly.
We retain your personal information only for as long as necessary for the purposes for which it was collected, or as required by law.
7.1 Retention periods
Type of information Retention period Justification Reservation and contract data Duration of the event + 1 year Customer relationship management and potential claims Invoices and tax data 6 years after issuanceLegal tax obligation (Revenu Québec) Payment data – CVV NEVER retained (immediate deletion) PCI-DSS standards (strict prohibition) Payment history 10 years Accounting and commercial obligations Correspondence (emails, messages) 2 years after last contact Proof of contractual relationship
Analytics data
(Google Analytics)
Up to 26 months Trend analysis
Documented consents
3 years after
consent withdrawal
Proof of legal compliance
Portfolio photos/videos
(with consent)
3 to 5 years
depending on
authorization
Marketing purpose (with possibility of withdrawal)
Privacy incident
register
Minimum 5 years Legal obligation (Law 25)
Non-converted prospects
3 years after last
contact
Business management (presumption of loss of interest)
Inactive newsletter
subscribers
3 years without interaction Presumption of disinterest
Upon expiry of the deadlines: Your personal information is either:
• Securely destroyed (complete and unrecoverable deletion from our systems and backups)
• Irreversibly anonymized (removal of all elements allowing identification)
Destruction process:
• Deletion from active databases
• Purge of backups
• Deletion of archives
• Certificate of destruction for sensitive data
Exception: We may retain certain information beyond the stated periods if required by law, to defend our rights in the event of a dispute, or with your explicit consent.
Protecting your personal information is a priority. We implement physical, technological, and administrative security measures appropriate to the sensitivity level of the information.
• Encryption: All transmissions of sensitive data (payments, forms) use HTTPS with TLS 1.2 encryption at minimum
• Encryption of data at rest: Stored data is encrypted on our servers
• Firewalls and intrusion detection systems: Protection against unauthorized access
• Strong passwords: Strong password policy and multi-factor authentication for administrative access
• Secure backups: Regular encrypted backups
• Security updates: Systems and software regularly updated
• Antivirus and malware protection: Deployed on all systems
• Restricted access: Secured premises with access control
• Locked storage areas: Locked offices and cabinets
• Secure destruction: Paper documents destroyed by confidential shredding
• Personal information governance policy: Established and published internal rules
• Staff training: All staff are trained on Law 25 and our obligations
• Limited access on a “need-to-know” basis: Only authorized staff who need access to perform their work have access
• Confidentiality clauses: All employees and partners sign confidentiality commitments
• Regular audits: Periodic review of our security practices
• Incident management: Established procedures to detect, manage, and notify incidents
All our subcontractors and partners are contractually required to:
• Implement appropriate security measures
• Use the information only for authorized purposes
• Not retain information beyond the necessary duration
• Immediately notify any privacy incident
• Allow compliance verifications
9. PRIVACY INCIDENTS
Despite all our protective measures, no system is infallible.
A privacy incident is a situation where your personal information is subject to unauthorized access, use, disclosure, loss, or destruction.
Our commitments:
• All incidents are recorded in a register (kept for a minimum of 5 years)
• We immediately take measures to limit risks and impacts
• If the incident presents a risk of serious harm to you:
o We notify the Commission d’accès à l’information du Québec (CAI) as soon as possible
o We notify you personally as soon as possible
o The notification includes: nature of the incident, information involved, possible consequences, measures taken, measures you can take to mitigate risks
Content of the notification:
• Description of the incident
• Date or period of the incident
• Categories of information affected
• Number of persons concerned (estimate)
• Possible consequences for you
• Measures we have taken
• Measures you can take to protect yourself
• Contact details for more information
Means of notification:
• By email to the address you provided
• By phone if email is unavailable
• By postal mail if necessary
• Public notice on our website if it is impossible to contact you individually
If you observe or suspect a privacy incident concerning your information, please contact us immediately:
Person Responsible for the Protection of Personal Information
Name: Claudio Sansalone
Email: [info@lebaldwin.com](mailto:info@lebaldwin.com)
Phone: (438) 299-6868
Address: 3954 Bd Leman, Laval, QC H7E 1A1
Law 25 grants you several rights concerning your personal information. You may exercise these rights at any time, free of charge.
You have the right to:
• Know whether we hold information about you
• Obtain a copy of all personal information we hold about you
• Know how it is used
• Know the third parties to whom it has been disclosed
Response time: Maximum 30 days (possibility of a 30-day extension if the request is complex, with notification)
You have the right to:
• Have inaccurate or incomplete information corrected
• Have outdated information deleted
• Have missing information added
Response time: Maximum 30 days
If rectification is made: We will inform third parties to whom we disclosed the erroneous information, unless this proves impossible or requires disproportionate efforts.
You have the right to:
• Withdraw your consent at any time for any use of your information based on consent
• Unsubscribe from our newsletter (link in each email)
• Withdraw your consent for analytics and marketing cookies
• Withdraw your consent for the use of photos/videos
Consequences of withdrawal:
• Withdrawal takes effect immediately going forward (does not apply retroactively)
• Depending on the consent withdrawn, certain services may no longer be available (e.g., online payment if transfer to Stripe is refused)
• We will inform you of the consequences before the withdrawal takes effect Exceptions: We may retain certain information despite withdrawal if another legal basis applies (legal obligation, defense of rights).
Since September 2024, you have the right to:
• Receive your personal information in a structured, commonly used, and machine-readable format (e.g., CSV, JSON, PDF)
• Transmit this information to another service provider
Portable information:
• Information you have provided to us directly
• Information created by your use of our services
• Excluded: Information generated by us (internal analyses, assessments)
Response time: Maximum 30 days
You have the right to:
• Request deletion of your personal information in certain circumstances:
o Information not necessary for the purposes for which it was collected
o Withdrawal of consent and absence of another legal basis
o Information collected or used unlawfully
o Legal obligation to delete
Exceptions: We may refuse deletion if:
• Legal obligation to retain (invoices: minimum 6 years)
• Necessary to defend our rights in court
• Consent cannot be withdrawn (performance of an ongoing contract) If refused: We will explain the reasons for refusal and your recourses.
You have the right to:
• Object to certain uses of your information (direct marketing, profiling, automated decisions)
Automated decisions: We currently do not use any fully automated decision-making systems that have legal or similar effects concerning you.
How to make a request:
To exercise any of these rights, contact our Person Responsible for the Protection of Personal Information:
Contact details :
Name: Claudio Sansalone
Email: [info@lebaldwin.com](mailto:info@lebaldwin.com)
Phone: (438) 299-6868
Address: 3954 Bd Leman, Laval, QC H7E 1A1
Information required in your request:
• Your first and last name
• Contact details (email, phone)
• Precise description of your request
• The right you wish to exercise
• A copy of an identity document (if necessary to confirm your identity)
Free of charge: Exercising your rights is entirely free.
Response time: Maximum 30 days from receipt of your request. If the request is complex, this period may be extended by an additional 30 days (we will inform you).
Identity verification: To protect your information, we may ask you to prove your identity before acting on your request.
If you believe that your rights regarding the protection of personal information have not been respected, you have the right to file a complaint.
First step: Contact our Person Responsible for the Protection of Personal Information to try to resolve the situation amicably.
We commit to:
• Examine your complaint seriously and promptly
• Respond to you within a reasonable time
• Explain the measures taken or the reasons for our decision
• Correct any non-compliance identified
If you are not satisfied with our response or if you prefer to contact the supervisory authority directly, you can file a complaint with the Commission d’accès à l’information du Québec (CAI).
Commission d’accès à l’information du Québec
Phone: 418 528-7741 or 1 888 528-7741 (toll-free)
Website: https://www.cai.gouv.qc.ca
Mailing address: 525, boulevard René-Lévesque Est, bureau 1.200
Québec (Québec) G1R 5S9
Complaint form: Available on the CAI website
Important: You can file a complaint with the CAI without affecting your other legal recourses (civil action, class action).
You retain all your legal recourses, including:
• Action for damages (minimum $1,000 in the event of intentional or gross fault)
• Class action
• Other remedies provided by law
In accordance with Law 25, we do not knowingly collect personal information from children under 14 without the consent of a parent or legal guardian.
Family events involving minors:
If your event involves children under 14 (child’s birthday, family event):
• Parental or guardian consent is required for any collection of information regarding the child
• Parental/guardian consent is required for any photo or video in which the child is identifiable
• A specific form will be provided to you If you are a parent/guardian:
• You have the right to access, correct, or delete your child’s information
• You can withdraw your consent at any time If we discover that we have inadvertently collected information from a child under 14 without parental consent, we will immediately delete such information.
Our website may contain links to third-party websites (partners, social networks, providers).
Important : We are not responsible for the privacy practices of these third-party sites. This privacy policy applies only to information collected by LE BALDWIN.
We recommend that you carefully read the privacy policies of all sites you visit.
Social media sharing buttons: If our site contains sharing buttons (Facebook, Instagram, etc.), these platforms may collect information about you, even if you do not click. Consult their privacy policies.
We regularly review this privacy policy to ensure it remains compliant with the law and reflects our practices.
In the event of changes:
• The “Last Updated” date at the top of this page will be modified
• Important changes will be notified to you by email (if we have your address) or by notice on our website
• You will have the opportunity to withdraw your consent if the changes affect the use of your information
Current version: This policy came into force on [date to be completed]. We encourage you to check this page regularly to stay informed about our practices.
For any question, request, or concern regarding this privacy policy or our practices in protecting personal information:
Person Responsible for the Protection of Personal Information
LE BALDWIN
Name: Claudio Sansalone
Email: info@lebaldwin.com
Phone: (438) 299-6868
Address: 3954 Bd Leman, Laval, QC H7E 1A1
Contact details :
Name: [To be completed]
Email: [To be completed]
Phone: [To be completed]
Hours of availability: [To be completed – e.g., Monday to Friday, 9 a.m. to 5 p.m.]
We strive to respond to all requests within 48 business hours.
To facilitate understanding of this policy, here are definitions of certain terms:
Anonymization : Irreversible process that removes all elements allowing direct or indirect identification of a person.
Consent : Free, informed, and specific expression of your will by which you agree that personal information about you may be collected, used, or disclosed.
Cookie : Small text file placed on your device when visiting a website. Encryption: Security technique that makes data unreadable to anyone not authorized.
PIA (Privacy Impact Assessment) : Mandatory analysis of risks related to transferring personal information outside Québec or to the use of certain technologies.
Privacy incident : Unauthorized access, use, disclosure, loss, or destruction of personal information.
Personal information : Any information that concerns a natural person and allows identification directly or indirectly (name, address, email, phone number, IP address, etc.).
Sensitive information : Personal information whose nature or context of use creates a higher expectation of privacy protection (medical, biometric, intimate data).
Person Responsible for the Protection of Personal Information (RPRP) : Person designated within the company to ensure the protection of personal information and compliance with the law.
Subcontractor : Person or organization that processes personal information on our behalf (service providers, technology partners).
LE BALDWIN’S COMMITMENT
At LE BALDWIN, we understand that your events are among the most precious and personal moments of your life. The trust you place in us by sharing your personal information is at the heart of our commitment to you.
We commit to:
✓ Respect your privacy at all times
✓ Be transparent about our practices
✓ Protect your information with the highest security standards
✓ Give you control over your personal information
✓ Respond quickly to your questions and requests
✓ Continuously improve our privacy practices
✓ Scrupulously comply with Law 25 and all applicable laws
Your trust guides our actions. We strive every day to earn and preserve this trust by handling your personal information with the greatest care and respect.
Thank you for choosing LE BALDWIN for your most memorable events.
Document prepared in accordance with:
• Act respecting the protection of personal information in the private sector (RLRQ, chapter P-39.1)
• Law 25: An Act to modernize legislative provisions as regards the protection of personal information (2021, chapter 25)
• Guidelines of the Commission d’accès à l’information du Québec Last review: 10/6/2025
IMPLEMENTATION INSTRUCTIONS IMMEDIATE ACTIONS TO COMPLETE:
1. Fill in the [To be completed] fields:
a. Full name of the Person Responsible for the Protection of Personal Information
b. Complete contact details (email, phone, address)
c. Effective and update dates
d. Hours of availability
2. Confirm with Sonixos:
a. Exact location of data hosting
b. Obtain a copy of the Data Processing Agreement (DPA)
c. If outside Québec: complete a specific PIA
3. Priority compliance actions:
a. Officially designate and publish the RPRP
b. Notify the Commission d’accès à l’information of the appointment
c. Implement a compliant consent banner (CMP)
d. Configure Google Analytics with IP anonymization
e. Disable GA and Facebook Pixel by default
f. Create the privacy incident register
g. Complete PIAs for Google Analytics, Facebook Pixel, and Stripe
h. Review all supplier contracts (Section 18.3)
4. Publication:
a. Publish this policy on the website (dedicated page accessible from the main menu and footer)
b. Add links to this policy in all forms
c. Update legal notices
d. Inform existing customers of the new policy
