Privacy Policy
Last update: June 24, 2025
As a law firm, Ceiba (“we”, “our”, “us”) collects, uses and discloses information regularly in order to render our legal services.
This Privacy Policy (the “Policy”) explains the types of personal information we collect and process as part of our activities, the purposes for which we collect such personal information, and your rights regarding your personal information. By providing personal information to us, whether via our website, our client platform, by email, in person or over the phone, you agree to the processing of your personal information as set out in this Privacy Policy and authorize Ceiba, its third parties and service providers to process your personal information for purposes set out below.
If you have any questions regarding this policy, you can reach out to our Privacy Officer at [email protected], or by mail at:
Ceiba Avocats Inc.
1 Westmount Square, Suite 2000
Westmount, Quebec
H3Z 2P9
This Policy applies to our processing of personal information as part of our professional services and the operation of our law firm (our “Services”), as well as when we process personal information as part of our website (https://ceiba.law/) and other digital activities, such as social media (our “Digital Activities”).
It does not apply to the processing of our professionals and contractors’ personal information. Our Services are targeted for corporations, and we mostly process business contact information in Canada, or elsewhere in North America. If you are located elsewhere, different laws may apply to you.
1. What personal information do we collect as part of our Services, and for what purposes?
As part of our Services, we collect personal information to administer and provide our legal and cybersecurity services to you, to conduct our business, and to grant you access to our project management platform. We collect this personal information directly from you. Depending on the nature of the Services we render to you, we may also collect personal information through service providers or publicly available personal information.
The table below contains a list of the purposes for which we process your personal information through our Services as well as an overview of the types of personal information that we process for each purpose.
| Purposes | Types of Personal information |
|---|---|
| To provide our Services to you and fulfill the mandate we have with you. | Name, job title, telephone number, postal address, email address, payment related information, information that is necessary to execute the mandate and any other information that you provide to us. |
| To conduct conflict searches between our members and your mandate. | Name and address, as well as the circumstances surrounding the conflict check. |
| To access our project management platform, ensuring effective collaboration on mandates. | Name, job title, company name, phone number and email address. |
| To respond to enquiries and requests for information through our website or our platforms, including social media. | Name, job title, company name, phone number and email address and any other information that you provide to us. |
| For marketing and business development purposes | Name, job title, company name, phone number and email address, as well as your consent choices. |
We may also process your personal information for other purposes such as:
- To assess the security of our systems;
- To conduct background checks and fight against fraud;
- To comply with our legal or regulatory obligations and to enforce our legal rights;
- To reorganize or make structural changes to our business.
2. What personal information do we collect as part of our Digital Activities and for what purposes?
Our processing of personal information as part of our Digital Activities includes the collection of business contact information for business development, as well as interactions on social media. For instance, through our LinkedIn page, you can subscribe to The Vox, our newsletter. We are currently working on our digital presence, so we will make sure to keep this section of our notice updated, such as when we change our cookies.
If you subscribe to The Vox, we can access your publicly available information on your LinkedIn profile. We do not extract list of subscribers, nor use them for any other purposes. You can unsubscribe at any time from our newsletter.
Through our website, you can also submit contact requests or contact us; we’ll connect the information that you share with us for this purpose.
3. How do we use cookies and other tracking technologies?
As part of our Digital Activities, we leverage cookies and tracking technologies for essential features, and for specific functionalities.
Below is a more detailed overview of the types of cookies that are installed through our website. Session cookies, also known as transient cookies, are temporary cookies that are stored in the browser’s memory only during a user’s browsing session and deleted automatically when the browser is closed. We also use persistent cookies that are retained for up to 24 months, unless you delete them.
| Type of cookies | Description |
|---|---|
| Essential Cookies | Essential cookies are necessary to operate the core functions of our websites. These include login cookies, session ID cookies as well as security cookies. |
| Functional Cookies | Functional cookies are used to provide you with certain website functionality, and to remember website preferences, consents, and configurations. |
4. How can you manage your cookie preferences?
You can manage or disable cookies by adjusting your browser settings. Below are links to instructions for managing cookies in popular browsers:
Please note that disabling cookies may affect your ability to use certain features of our website. You can also opt-out of targeted advertising through the following tools:
You can opt-out of Google cookies with the Google Analytics Opt-Out Browser Add-on.
5. Who do we communicate your personal information with?
We disclose personal information to service providers to obtain services that help us complete our mandates with you. These service providers are subject to contractual agreements with us that preserve the confidentiality of your personal information and restrict their rights to use your personal information for other purposes than to provide us with the services that we requested. We limit the information provided to these service providers to that which is reasonably necessary for them to perform their services.
| Service Providers | Examples |
|---|---|
| Project Management Platform Provider | We use Wrike as our intranet to efficiently collaborate on mandates between members of our law firm and clients. |
| Deliverable Tools Provider | To store your documents or to create documents for you, we rely on Microsoft, Canva and Lucid Chart. |
| Language Quality Assurance Providers | We use service providers to help deliver quality documents to you, such as DeepL and Antidote. |
As part of our Digital Activities, we disclose personal information to services providers in the circumstances described below.
| Service Providers | Examples |
|---|---|
| Website Hosting Provider | To host our website, we use Ghost. |
| Digital Footprint Monitoring Provider | We use Flare to monitor our and our clients’ digital footprint and detect threats across the dark and clear web. |
We may disclose personal information or other information if required to do so by law. Nonetheless, as a law firm, we apply this exception strictly and will make all legal verification ahead of time, including, to ensure attorney-client privilege. If possible, we will also inform you of such a request.
Your personal information may also be communicated as part of a business transaction with another law firm. This law firm would also be bound by attorney-client privilege and the same ethical duties than those applicable to our lawyers. We may also have to communicate your personal information as part of an inspection of the Quebec Bar Association.
6. Where do we process your personal information?
We host our data in Canada through Microsoft Azure; however, we use service providers located in other jurisdictions, include, in the United States and the European Union.
We may process your personal information outside of where you are located. As a result, you understand that your personal information may be subject to the laws of other jurisdictions than the one you are located in or where you reside, and may be available to governments, courts or law enforcement or regulatory agencies of other jurisdictions, pursuant to laws applicable in such jurisdiction.
7. How do we protect your personal information?
We follow industry standards to protect the data you submit to us, both during transmission and once we receive it. We maintain technical and administrative safeguards to protect your personal information against destruction, loss, unauthorized changes, disclosure, access, misuse, and other unlawful processing. We implement role-based access controls to ensure only team members working on your mandate can access it. We conduct criminal background checks on all our members.
When communicating between ourselves, we only use encrypted messaging. When we communicate your personal information with service providers, we require the same level of security from these entities prior to transferring your personal information. Many of our service providers have received certifications from independent organizations attesting the quality of their security and privacy practices. These certifications include ISO 27001, ISO 27701 and SOC II.
8. How long do we retain your personal information?
Our professional obligation under the Quebec Bar Association requires us to retain your personal information for a period of 7 years. You can write to us at any time within the retention period to receive a copy of your client file. We maintain written policies and procedures on data retention.
9. What are your rights regarding your personal information, and how can you exercise them?
Depending on the jurisdiction in which you are located, you may benefit from different rights over your personal information, including:
- The right to withdraw at any time your consent to the collection and processing of your personal information.
- The right to access your personal information and obtain information about the purposes of collection and who it is shared with.
- The right to request the rectification of your personal information if it’s incomplete, inaccurate or outdated.
- The right to obtain a copy of your personal information in a structured and interoperable format for its transfer to a third party.
You may not have the same rights under the law for business information as you may have for other types of personal information. However, our Privacy Officer will attempt to help you whenever possible. When you exercise your rights, keep in mind that we may ask you to provide more personal information about you to identify you; we won’t use this personal information for other purposes. We will get back to you within 20 days with an initial response, or we will let you know if we need more time due to the complexity or nature of the request.
If you disagree with our response, you have the right to challenge our decision or file a complaint with your local regulator. In Quebec, you can contact the Commission d’accès à l’information du Québec. In Canada, you may reach out to the Office of the Privacy Commission of Canada. You can also escalate any misunderstanding or complaints to our Managing Partner based on our complaint procedures set forth in the mandate letter.
10. Will we update this policy, and how will you be informed?
We may modify this privacy notice from time to time, such as to reflect new laws, or changes to how we process personal information. Keep in mind that we’re still building our online presence and changes to reflect our growth are expected. We will keep our clients informed of changes. Please check on this policy from time to time for our changes.
Suspect a security incident?
Contact us at [email protected] or call (579) 790-1165 and select the IR Hotline.