Privacy Policy

Approved by API-Enfance's Board of Directors on September 18, 2023.


The purpose of this policy is to inform Users of our Website and Web Application about the nature of their Personal Data that we collect, to explain how and for what purpose we process such data and to recall the underlying legal framework.


Unless otherwise mentioned in the text or inconsistent therewith, words and expressions beginning with a capital letter in this policy shall be interpreted as follows:

1) Organization
API-Enfance, a non-profit legal person incorporated under Part 3 of the Companies Act (RLRQ, c. C-38), having its head office at 1024, rue de Nouë, Quebec City (Québec) G1W 4L3, registered in the Registraire des entreprises du Québec under number 1175257550.

Contact Details
+1 (819) 200-0203

2) Licensee
Refers to an establishment in the healthcare and social services network, the education network, a community organization or an individual who has signed a Web Application license agreement with the Organization.

3) Website
Refers to the website created and developed by the Organization, accessed through the domain, and redirecting users to the Web Application.

4) Web Application
Refers to the application software hosted on a server and accessed via a web browser created and developed by the Organization and supporting the Blooming Words™ program, including the improvements. The use of the Web Application does not require installation on any physical computer hardware.

The Web Application includes the following elements: domain and all related applications,
– User Management Module (Dashboard),
– Training Modules,
– Technical Support Module.

5) User Account
Refers to an access created for a User wishing to access the Web Application.

6) Role
Refers to a set of permissions assigned on the Web Application to a User Account. The following Roles are available:

– Organization,
– Manager,
– Professional,
– Parent.

7) Client
Refers to the clientele served directly by the Licensee (children and their families or immediate guardians), as well as its directors, employees and contractors.

8) User
Refers to any User of the Licensee who is required to access the Web Application, or any person browsing the Website.

9) Personal Data
Refers to any data that makes it possible to identify (directly or indirectly) a User, within the meaning of current legislation.

10) Cookies
Refers to text files holding browsing data, created by websites when a user visits them. They enable websites to remember users’ visits and preferences.

These files are automatically saved by the Internet browser on the user’s device when they visit a website. The server of the website consulted may keep a copy. For these reasons, cookies hold personal information about users.


1) What Personal Data does the Organization collect?

We collect only the minimum data necessary for the use of our Site and Web Application.

About the Website

When you fill in a contact form, you agree to provide us with:

– a valid e-mail address,
– any personal data that you decide to provide us with when you fill the “Message” section of the contact form.

About the Web Application

When you agree to use the Web Application and a User Account is created for you, you agree to provide us with:

– your last name,
– your first name,
– a valid e-mail adress,
– your choice of language for the Web Application.

You can provide the Organization with other information such as your phone number.

When you are logged on the Web Application, we automatically collect the following data:

– IP address used,
– Date and hour of the last visit,
– Clicks and interactions on different pages:

o Downloaded files,
o Videos viewed and duration of viewing,
o Answers to questions, language stimulation challenges and quizzes (multiple-choice questionnaires).

Some of the above data is collected in the form of cookies when you visit the Website and when you use the Web Application.

When you transmit Personal Data to us from a third party, you represent and warrant that you have obtained that third party’s consent to the transmission of their Personal Data and have informed them of this transmission.

We save event logs (User interactions with the Web Application), and the data is accessible only by a Web Application administrator via Bubble and/or FluskVault software.

2) How does the Organization use my Personal Data?

Your Personal Data will only be used if there is a proper and relevant legal basis under current legislation. Thus, your Personal Data is processed either based on our legitimate interests and/or based on your explicit consent.

Our legitimate interests in processing your Personal Data are as follows:

– manage and improve the Website and Web Application,
– manage your requests for contact or technical support via the Website and Web Application,
– detect and prevent fraud and other offenses, and to manage risks on the Web Application.

When you agree to use the Web Application and a User Account is created for you, you explicitly consent to the collection of your data. The granting of your consent is contractual and/or regulatory in nature. If you do not consent to the use of your Personal Data, none of your Personal Data entered when the Licensee created your User Account will be kept and your User Account will be permanently deleted.

We need your explicit consent to process your Personal Data for :

– deposit Cookies on your terminal,
– ensure you have a good experience on the Web Application,
– inform you of changes to our programs (if any),
– carry out occasional clinical efficacy studies and/or program implementation evaluations, in partnership with Licensees (in which case your data will be anonymized).

By using the Website and the Web Application, you authorize us to use your information in Canada and in any other country in which we may operate

We expressly acknowledge that we will not use your Personal Data for any other purpose without your consent. Furthermore, we will only collect Personal Data to the extent necessary for the purposes stated above.

If we wish to use your Personal Data for a purpose other than those mentioned above, we will contact you via your e-mail address to obtain your consent. In addition, if we make any significant changes to the way we process your Personal Data and if we change this policy in any way, we will notify you through the Website, the Web Application or by email.

3) What Cookies does the Organization use?

The issue and use of Cookies by third parties and the storage of your Personal Data by these third parties are subject to the privacy policies applied by these third parties. Cookies issued on the Website and/or Web Application by third parties because of integrated third-party applications are:

Required Cookies

These Cookies are necessary to enable the basic functions of the Website and Web Application to work, such as authentication.

Bubble is a tool that lets you create web applications without using computer code.
Our Web Application was developed using this tool.
Privacy Policy

Twilio (SendGrid),,,,,,,,,,,,,,,,,,
Twilio is a digital communications company which enables users to create voice, VoIP and SMS applications via an application programming interface.
Privacy Policy

Functional Cookies

These Cookies enable us to analyze your use of the Website and Web Application to provide you with a better experience. For example, by remembering your login details or your browser language.

Amazon (Web Services),,
Amazon Web Services provides reliable, low-cost digital data storage infrastructure to hundreds of thousands of users in over 190 countries.
Privacy Policy
Service Terms

Vimeo is a video-sharing platform which allows users to upload, share and watch videos.
Privacy Policy

We are not responsible for the privacy practices of other sites you may click on while using our Web Application or when you browse our Website and encourage you to read their privacy policies.

4) How can I manage the Cookies stored by my browser?

You can view, limit or delete the data stored in cookies at any time by going to your browser settings. You can also configure your browser to block Cookies or to send an alert message before a Cookie is installed on your computer.

Limited Cookie management may result in limited access to all Website and Web Application functionalities. Thus, the above-mentioned required cookies will still be stored on your computer. This is part of our legitimate interests.

5) How long does the Organization store my Personal Data?

We store your Personal Data for as long as is necessary to fulfill the purposes for which it was collected or to comply with any legal or regulatory obligation, within the limits of:

– three (3) years from your last visit to the Website,
– two (2) years from the last connection to your User Account on the Web Application.

If your Personal Data is no longer required by us or upon the occurrence of these deadlines, it will be securely and permanently deleted, unless it is necessary to keep it for a longer period.

6) Where is my Personal Data stored?

Personal Data of Website Users are stored on DomainePlus servers, located in Montreal, Canada and on Microsoft servers located in Quebec City, Canada (for contact form submissions).

Personnal Data of Web Application Users are stored on Amazon AWS servers, located in Oregon, United States of America.

7) How can I request the deletion of my Personal Data?

You have several rights under current legislation:

  • Right of access and rectification
    Following applicable laws on the protection of Personal Data, you have the right to ask us whether we hold any Personal Data about you and to obtain a copy of it, where appropriate and subject to any exceptions. You also have the right to rectify any Personal Data that is inaccurate, incomplete or equivocal, or if its collection, communication or retention is not in compliance with or authorized under the Act respecting the protection of personal information in the private sector, RLRQ, c. P-39,1.
  • Withdrawal of consent
    Subject to any applicable law, you have the right to withdraw your consent to the collection of your Personal Information, in which case you will no longer have access to the Web Application and your User Account will be deleted.
  • Right of deletion
    In certain circumstances, including if the collection of Personal Data is not authorized by any applicable law, if such Personal Data is out of date or not justified by the purpose of the collection, you have the right to have such Personal Data removed from our possession. We undertake to grant a right of access and rectification to persons concerned and wishing to consult, modify or delete information concerning them.
  • Right to be forgotten
    You may ask us to stop issuing Personal Data about you, or to de-index any hyperlink attached to your name that allows you to access this information by technological means, if such dissemination contravenes the law or a court order. You may do the same, or request that the hyperlink providing access to this information be re-indexed, if the dissemination of this Personal Data causes you harm by violating your reputation or privacy.
  • Right to data portability
    You have the right to ask us to communicate to you in a structured and commonly used technological format, in a written and intelligible form, any computerized Personal Data that we have collected from you. This communication may also, at your request, be made to a person or organization authorized to collect your Personal Data.
  • Right to information on processing
    You also have the right to ask us for information about the processing of your Personal Data, including the type of Personal Data we hold and how we process it.
  • Right to unsubscribe from our mailing list
    You have the right to ask us, at any time, to unsubscribe you from our mailing list if you have subscribed to it.

Where the collection and processing of your Personal Data is based on your consent, you have the right to revoke it. Thus, at any time, you may exercise your rights and make a request to consult, rectify or delete your Personal Data, ask any questions and raise any concerns about this Policy, or if you wish to file a complaint or have any doubts about a potential privacy incident relating to Personal Data, to the Organization’s Information Privacy Manager at the email address: or by mail at the following address:

Simon Marcoux
IT Manager
1024, rue de Nouë
Québec (Qc)
G1W 4L3

We are committed to responding to your requests within thirty (30) days of receipt of your e-mail or letter.

Please note that a Licensee’s User Data can be permanently deleted via the Licensee’s “Organization” Role User Account on the Web Application (and, subject to permission, by certain User Accounts in the Licensee’s “Manager” Role).

Finally, you can also object to the continued collection and processing of your Data, based on our legitimate interests, by simply ceasing to use the Website and Web Application.

8) How is my Personal Data protected?

Best Modern Practices
We use industry-standard methods to protect the confidentiality, security, and integrity of Users’ Personal Data against unauthorized use, access, disclosure, alteration or loss, as well as unlawful or accidental destruction

Encryption of data in transit
All traffic between your web browser and our web server (or those of our service providers) is encrypted using HTTPS/TLS. This enables us to guarantee the confidentiality of data transmitted over the Internet.

Data storage
We ensure that all data on the Site and Web Application is retained or deleted only in accordance with this policy.

The data collected in the Web Application is stored on the servers of Amazon AWS, a company internationally recognized for its secure and certified data centres. All data circulating on the global AWS network interconnecting AWS data centres and regions is automatically encrypted at the physical layer.

IT security
We are committed to maintaining the security of our systems and services through regular updates. We make constant improvements and apply patches (also known as “fixes”) to ensure the efficiency, optimum performance and security of our systems. These updates may include modifications to enhance security, correct bugs or improve functionality. We reserve the right to make such updates without notice, while ensuring that this does not interfere with the User experience and that this policy is adhered to at all times. Each change or update is evaluated by a tool to detect potential security flaws.

We carry out periodic risk and vulnerability assessments, as well as compliance audits relating to data confidentiality and security.

We promptly rectify any security vulnerabilities that are identified. We have also adopted an IT Security Incident Response Policy, which provides for three-day notification to Users in the event of a security or privacy incident, and sets out best practices for responding to the compromise of Users’ Personal Data.

Use of third-party software and platforms
We declare that we monitor the use of third-party software and platforms to ensure that they are supported and up-to-date.

Event logging
We maintain accurate event logs that records the actions of Web Application Users within the system for security reasons. This practice enables us to identify, understand and respond appropriately to any unusual or suspicious behavior, as well as any possible breach of security.

Organizational measures
All employees use complex and unique passwords for authentication on company services. Double authentication on the Site and Web Application is required for employees with access to Users’ Personal Data.

We do not informally share with our employees the User Personal Data referred to in this policy. Only employees who need it to perform their duties may access it. In such cases, the principle of minimum access rights applies, i.e. each employee is granted the most restricted access possible to enable him or her to carry out his or her duties.

In addition, employees with access to Users’ Personal Data are trained in their responsibilities when processing the data, and in the various laws and policies applicable to security.

Security Rules
In the Web Application, security rules (called “Permissions” in the dashboard, and “Privacy Rules” at the level of the server) are used to restrict access to certain information and data for specific User Accounts. These rules are programmed by an expert programming firm located in Canada.

Thus, data collected on User Accounts associated with the Licensee can be accessed by the Licensee’s “Organization” Role User Account only, and by the Licensee’s higher Role User Accounts if and only if these User Accounts have been linked together.

Data collected on all User Accounts can also be accessed by the Organization’s “Admin” Role User Accounts belonging to specific employees and subcontractors (General Management, Web Project Manager, and Web Developer). They have all signed a confidentiality agreement, professional ethics and compliance with the Organization’s policies.

Maintaining the conditions for protecting your Personal Data
We undertake to maintain a level of security for your Personal Data equivalent to that presented in this policy throughout the duration of the service.

Limitation of liability
Although we are committed to implementing best practices with regard to the security of information and Users’ Personal Data, it is impossible for us to guarantee total security in this respect, since virus and hacking technologies are constantly evolving and there are other risk factors, such as unforeseeable hardware or software failures. Consequently, we cannot be held responsible for any loss or alteration of Users’ Personal Data. We will notify any User by e-mail of a security breach affecting them within three days of discovering the situation.

If you would like to know more, please consult our IT Security Incident Response Policy, or write to us at

9) Who else can access my Personal Data?

To support the provision, maintenance, protection and improvement of our services, we share some of your Personal Data with a small group of trusted partners and suppliers. These process it on our behalf and in accordance with our instructions, this policy and any legal privacy and security requirements. These companies only have access to the information required to provide the services provided by API-Enfance. These companies are :

– Wordpress (Website development),
– DomainePlus (Website hosting),
– Vision Synergie (web development of the Website and Web Application),
– Bubble (web development of the Web Application),
– Amazon Web Services (Web Application hosting),
– Vimeo (hosting videos of the Website and Web Application),
– Twilio (e-mail and SMS sending via the Web Application),
– SendGrid (sending email via the Web Application),
– FluskVault (securing the Web Application),
– Microsoft Office 365 (only for data collected via the Website’s contact form).

In addition, we may transfer some of your Personal Data to law enforcement officials, judicial or administrative authorities, our legal counsel or any administrative authority. We may, if necessary, transfer your Personal Data to another province, country or international organization that is subject to an adequacy decision issued by the Government of Quebec, for example the European Union.

If the province, third country or international organization is not the subject of an adequacy decision, we will only transfer your Personal Data on condition that proper guarantees are put in place concerning the security of your Personal Data and the effective exercise of your rights, under the conditions of the legislation in force.

Finally, under no circumstances will your Personal Data be sold, rented, made available or distributed in any way whatsoever.

10) What legislation applies?

The Organization is responsible for protecting the personal information it holds within the meaning of section 3.1. SECTION I.1 of the Act respecting the protection of personal information in the private sector of Quebec.

We also take great care to ensure compliance with protective provisions relating to privacy and the processing of Personal Data. These include: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) or General Data Protection Regulation (GDPR), which is applied in France under the Data Protection and Civil Liberties of January 6, 1978.

If you have any questions or complaints about security and Personal Data, you can contact the Organization’s Privacy Manager at the following e-mail address: or by mail at the abovementioned address.

Users located in Québec may also lodge a complaint with the Commission d’accès à l’information (CAI).

Users located in France may also lodge a complaint with the Commission Nationale de l’Informatique et des Libertés (CNIL).