Privacy Policy

Effective date: May 30, 2026 · Last updated: May 30, 2026

This Privacy Policy (Part B) describes how Hatch handles personal information in connection with hatchlabs.tech. It forms part of a combined document together with our Terms & Conditions (Part A).

B1. Overview and scope

This Privacy Policy describes how Hatch collects, uses, communicates, and protects personal information in the course of operating the Site. “Personal information” has the meaning given in the Act respecting the protection of personal information in the private sector, CQLR c. P-39.1 (as modernized by Law 25, the “Québec Privacy Act”), and means any information that relates to a natural person and directly or indirectly allows that person to be identified. This Policy is also intended to comply with the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”).

Two distinct roles. For personal information collected through the Site (from visitors, demo requesters, and newsletter subscribers), Hatch acts as the enterprise that determines the purposes of processing (a “controller”). For personal information processed through the Platform on behalf of a Client, Hatch acts as a service provider / mandatary (a “processor”); that processing is governed by Section B7 and by Hatch’s agreements with the Client — not by this Site policy. This Policy applies to personal information of natural persons and not to information about businesses, except where such information also identifies a natural person.

B2. Person in charge of personal information (Privacy Officer)

In accordance with section 3.1 of the Québec Privacy Act, Hatch has designated a person in charge of the protection of personal information (the “Privacy Officer”), whose title and contact information are published below. The Privacy Officer oversees compliance with this Policy and applicable privacy law and handles access, rectification, and complaint requests.

• Title: Privacy Officer (Responsable de la protection des renseignements personnels)
• Email: privacy@hatchlabs.tech
• Address: 9900 Boulevard Cavendish, Saint-Laurent, Québec H4M 2V2

B3. Personal information we collect through the Site

We collect only the personal information necessary for the purposes identified in this Policy.

(a) Information you provide.

• Demo requests: your name, work email, phone number (optional), company, role or use case, expected application volume, and any message you send;
• Newsletter: your email address;
• Other inquiries: any information you choose to include when you contact us or book a meeting.

(b) Information collected automatically (with consent where required).

• IP address and approximate location; device and browser type; operating system; language settings; pages viewed; links clicked; time on page; and referring URL.

(c) Information from third parties.

• Business (firmographic) and account-identification data from our marketing and visitor-identification tools, used to identify and qualify potential business leads, where collected with consent or as permitted by law.

We do not collect sensitive personal information (such as biometric, health, credit, or financial-account information) through the Site. Such information is only ever processed through the Platform on behalf of a Client, as described in Section B7.

B4. How we collect

We collect personal information by fair and lawful means and primarily from you, as well as through cookies and analytics (with consent where required) and from the business-data tools described above. In accordance with section 8 of the Québec Privacy Act, when we collect personal information from you we inform you of the purposes and means of collection, your rights of access and rectification, your right to withdraw consent, and — where applicable — the possibility that the information may be communicated outside Québec.

B5. Why we collect it (purposes)

We collect, use, and communicate Site personal information to:

• schedule and run product demos at your request;
• respond to your inquiries and send you operational messages;
• with your separate consent, send marketing and product updates;
• measure and improve the Site’s performance and content;
• identify and qualify potential business leads;
• detect, prevent, and investigate fraud, abuse, security incidents, and unauthorized access; and
• maintain business records and comply with legal and regulatory obligations.

We use Site personal information only for these purposes or as otherwise permitted by law (section 12 of the Québec Privacy Act). We do not sell or rent your personal information.

B6. Consent and your choices

In accordance with section 14 of the Québec Privacy Act, consent must be clear, free, and informed, and given for specific purposes in clear and simple language. Consent may be express or implied depending on the sensitivity of the information and the circumstances. If you provide us with personal information about another individual, you confirm that you are authorized to do so. You may withdraw your consent at any time — for example, by using the one-click unsubscribe in any marketing email (consistent with Canada’s Anti-Spam Legislation, S.C. 2010, c. 23) or by contacting the Privacy Officer. In limited circumstances permitted or required by law, we may collect, use, or disclose personal information without consent (for example, to prevent or detect fraud or to comply with a legal requirement).

B7. Personal information processed through the Platform (our role as a service provider / mandatary)

When Hatch processes personal information through the Platform, it does so on behalf of, and under documented instructions from, the Client, which is the enterprise that determines the purposes of the processing. In that capacity Hatch is a service provider / mandatary within the meaning of section 18.3 of the Québec Privacy Act, and the processing is governed by a written agreement (including data-processing terms) between Hatch and the Client — not by this Site policy.

Depending on the workflows a Client configures, the Platform may process, on the Client’s behalf, categories of personal information such as applicant identification and contact details; financial and transactional data obtained through open-banking / instant-bank-verification integrations; credit-bureau data; identity-verification (KYC) results, which may include facial-liveness biometric checks performed by a third-party KYC provider; fraud and device signals; and documents and electronic signatures. Automated decisioning logic (rule sets and risk models) is configured and controlled by the Client.

If you are an applicant or end user whose personal information is processed through the Platform, the Client is your point of contact for privacy rights (including access, rectification, withdrawal of consent, and information about automated decisions). Please direct your request to the Client; Hatch will refer such requests to the relevant Client and assist as required under its agreement. Where the Platform processes biometric information on a Client’s behalf, the Client is responsible for obtaining express consent and for any disclosure to the Commission d’accès à l’information required under sections 44 and 45 of the Act to establish a legal framework for information technology, CQLR c. C-1.1; Hatch supports those obligations through its platform controls.

As a processor, Hatch uses Platform personal information only to provide the contracted services, keeps it confidential, applies the security measures described in Section B13, and returns or destroys it at the end of the mandate in accordance with section 18.3 and the Client agreement.

B8. Cookies and similar tracking technologies

We use cookies and similar technologies, managed through a consent-management platform, to operate and secure the Site, analyze its performance, and — with your consent — measure marketing effectiveness and identify business interest. Strictly necessary cookies (session, security, and consent-state) are always active. Technologies that allow you to be identified, located, or profiled are deactivated by default and are activated only after you provide affirmative consent through our cookie banner; you can change your choices at any time via the “Cookie Settings” link in the Site footer. Consistent with section 8.1 of the Québec Privacy Act, we inform you of the use of such technologies and of the means available to activate or deactivate them.

Category	Purpose	Provider(s)	Default
Strictly necessary	Session, security, load-balancing, consent state	Hatch / CMP	On
Functional	Remember your preferences	Hatch	Off (consent)
Analytical	Aggregate usage statistics	Analytics provider	Off (consent)
Marketing / Profiling	Business-account identification, retargeting	As configured	Off (consent)

A current list of cookies in use, their purposes, providers, and retention periods is available through the “Cookie Settings” link.

B9. Automated decision-making

We do not use personal information collected through the Site to make decisions about you based exclusively on automated processing. Automated decisioning that occurs within the Platform is configured and controlled by the Client as controller; where such a decision is based exclusively on automated processing, the obligations under section 12.1 of the Québec Privacy Act — to inform the individual and, on request, of the personal information and principal factors used and the right to have it corrected, and to allow observations to be submitted — rest with the Client, and Hatch supports the Client in meeting them.

B10. Disclosure of personal information and service providers

We may communicate Site personal information to:

• Service providers (mandataries) retained to perform functions on our behalf under written agreements requiring confidentiality and use limited to the mandate, in accordance with section 18.3 of the Québec Privacy Act — including website hosting, analytics, scheduling, customer-relationship management, and consent management;
• Public authorities, regulators, and law enforcement, where required or permitted by law; and
• Successors or assignees in connection with a merger, financing, or sale of all or part of our business or assets, subject to the safeguards in section 18.4 of the Québec Privacy Act.

We do not sell or rent personal information. Disclosure of Platform personal information is governed by the Client agreement, as described in Section B7.

B11. Cross-border transfers

Some of our service providers store or process data outside Québec, including elsewhere in Canada, in the United States, and in the European Union. Before communicating personal information outside Québec, we conduct a privacy impact assessment in accordance with section 17 of the Québec Privacy Act, considering the sensitivity of the information, the purposes of the communication, the contractual and other protections applied, and the legal framework of the destination jurisdiction. We rely on written agreements and recognized transfer mechanisms (such as Standard Contractual Clauses or adequacy/equivalency findings). Information transferred abroad may be subject to lawful access by authorities in those jurisdictions.

B12. Retention

We retain Site personal information only for as long as necessary to fulfil the purposes identified, or as required by law, after which we destroy or anonymize it in accordance with section 23 of the Québec Privacy Act:

• Demo-request leads: 36 months from last contact, then anonymized;
• Newsletter subscribers: until you unsubscribe, then deleted within 30 days;
• Analytics events: 14 months;
• Cookie-consent records: 12 months;
• Records required by tax, accounting, or other law: for the period required by that law.

Retention of Platform personal information is governed by the Client agreement and the Client’s instructions, consistent with section 18.3 of the Québec Privacy Act.

B13. How we protect personal information

We implement reasonable physical, administrative, and technical safeguards appropriate to the sensitivity of the information (section 10 of the Québec Privacy Act). Across the Site and the Platform these include TLS 1.3 encryption in transit; AES-256 encryption at rest under managed keys; role-based access controls; signed, scoped, and expiring access links on the Platform; continuous monitoring and logging; an append-only, SHA-256-hashed audit ledger for Platform decisions; vendor due diligence; and confidentiality undertakings by personnel. Hatch’s control environment is designed to support recognized frameworks (including SOC 2). No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.

B14. Confidentiality incidents

In accordance with sections 3.5 to 3.8 of the Québec Privacy Act, we maintain a register of confidentiality incidents and take reasonable measures to reduce the risk of injury and prevent recurrence. Where an incident presents a risk of serious injury, we promptly notify the Commission d’accès à l’information (the “CAI”) and the affected individuals. For incidents involving Platform personal information, Hatch notifies the affected Client without undue delay so the Client can meet its own notification obligations, and assists as required under its agreement.

B15. Your rights

Subject to applicable legal restrictions, you have the right to access (section 27) and obtain a copy of your personal information; rectification (section 28); withdrawal of consent (section 14); data portability — to receive computerized personal information you provided in a structured, commonly used technological format and have it communicated to a person or body authorized by law to collect it (section 27); de-indexation or cessation of dissemination (section 28.1); and to be informed about automated decision-making (section 12.1). Send written requests regarding Site personal information to the Privacy Officer; we respond within 30 days (section 32). Identity verification may be required, and a reasonable charge may apply for transcription, reproduction, or transmission (section 33). For personal information processed through the Platform, please contact the relevant Client (see Section B7). If dissatisfied, you may complain to the CAI (cai.gouv.qc.ca), the Office of the Privacy Commissioner of Canada (1-800-282-1376; priv.gc.ca), or your applicable provincial or foreign regulator.

B16. Minors

The Site is intended for business users and is not directed to children. In accordance with section 4.1 of the Québec Privacy Act, we do not knowingly collect personal information through the Site from a minor under 14 years of age without the consent of the person having parental authority or the tutor. You must be at least 18 years of age to transact with us.

B17. International visitors (EU/EEA/UK and US state privacy laws)

For visitors in the European Union, the European Economic Area, or the United Kingdom, we process personal information on lawful bases, including your consent (for analytics and marketing cookies and for marketing communications), our legitimate interests (for business-lead qualification and Site security), and steps taken at your request prior to entering into a contract (for demo requests). You have the rights of access, rectification, erasure, restriction, portability, and objection under the EU/UK GDPR and may lodge a complaint with your local data-protection authority. Where US state privacy laws (such as the California Consumer Privacy Act) apply, we honour applicable rights to know, delete, correct, and opt out of “sale” or “sharing” (we do not sell personal information). International transfers are protected by Standard Contractual Clauses or equivalent safeguards.

B18. Modifications

We may amend this Policy from time to time to reflect changes in our practices or the law. When we do, we will update the “Last updated” date above. Material changes will be announced via a banner on the Site and, if you have subscribed, by email.

B19. Contact

• Privacy Officer: privacy@hatchlabs.tech
• General inquiries: admin@hatchlabs.tech — +1 (514) 600-0924
• Head office: 9900 Boulevard Cavendish, Saint-Laurent, Québec H4M 2V2

---

This document has been reviewed against the Act respecting the protection of personal information in the private sector (CQLR c. P-39.1, “Law 25”), the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), the Act to establish a legal framework for information technology (CQLR c. C-1.1, ss. 44–45, biometrics), the Charter of the French Language (CQLR c. C-11), Canada’s Anti-Spam Legislation (S.C. 2010, c. 23), and — for international visitors — the EU/UK GDPR and applicable US state privacy laws, in each case as in force on the Effective Date. It is provided for general information and does not constitute legal advice.