Corporate Governance Policy
SPA OVARIUM is committed to protecting all personal information collected and used in the management of its activities.
PURPOSES OF INFORMATION COLLECTION
All persons working with, for or on behalf of SPA OVARIUM are required to respect the confidentiality of personal information and the right to privacy of every individual, in accordance with the Privacy Act, when collecting, using, disclosing, retaining or disposing of personal information in the performance of their duties.
POLICY STATEMENT
Personal information under the custody or control of SPA OVARIUM is only created, collected, retained, used, disclosed and disposed of in a manner that complies with the Privacy Act. We respect the privacy rights of individuals whose personal information is in our possession, in accordance with these requirements.
PERSONAL INFORMATION
Personal information is defined as any information or combination of information that relates to a natural person and allows that person to be identified. Personal information does not include an individual’s name, business title, business address, business telephone number or business e-mail address.
Personal information must be protected regardless of the nature of its medium or form: written, graphic, audio, visual, computerized or other.
CONSENT
The organization obtains the written consent of an individual in the following situations:
- prior to collecting personal information, unless seeking consent would result in the collection of inaccurate information, defeat the purpose of collecting the information or compromise the use of the information collected. For example, the organization will generally consult with the complainant to indirectly collect personal information for the purpose of conducting an investigation;
- before using or disclosing personal information for purposes that do not respect the purposes for which the information was collected or prepared;
- prior to any disposal of personal information, unless such disposal is expressly authorized by law;
- if it intends to disclose a complaint received by the company or any privileged or confidential information obtained in the course of an investigation or proceeding. In such cases, the written consent of all persons whose rights or interests may reasonably be affected must be obtained.
Obtaining an individual’s consent to the collection of personal information does not replace or establish the authority to collect such information under the Privacy Act; rather, the organization must ensure that the personal information to be collected is directly related to and demonstrably necessary for the organization’s regulatory activities.
COLLECTION OF PERSONAL INFORMATION
Personal information may only be collected or created (e.g., the assignment of a licence number or the imposition of licence restrictions constitutes the creation of personal information) under the following conditions:
- the personal information is directly related to a regulatory activity of the organization;
- the collection of this personal information is necessary to enable the organization to fulfill its statutory purposes or regulatory objectives.
To determine whether personal information is directly related to a regulatory activity, consult the policies that require or authorize the collection of personal information. The organization’s policies provide guidance and advice on the need to collect personal information to enable the organization to meet its objectives. Before collecting or creating new personal information, the organization must:
- identify the personal information that will be collected;
- identify the purposes for the collection of each type of personal information;
- collect only the personal information necessary to fulfill the identified purposes.
The organization collects or creates personal information intended to be used for administrative purposes directly from the individual concerned, except when:
- the individual authorizes the organization to collect the personal information from another source;
- the personal information is collected for a purpose for which it may be disclosed to the organization;
- collecting personal information directly from the individual could result in the collection of inaccurate information; or
- collecting personal information directly from the individual could defeat the purpose or compromise the use for which the personal information is collected. For example, the organization will generally consult with the person making a complaint to indirectly collect personal information for the purpose of conducting an investigation.
We limit the collection, use and disclosure of your personal information to the purposes we have identified to you. Your personal information may only be accessed by certain authorized persons, and only for the purposes for which they have been designated.
DISCLOSURE OF PERSONAL INFORMATION
Personal information held by the organization will not be disclosed without the consent of the individual concerned or unless disclosure is authorized or required under the Privacy Act.
Any person subject to this policy must:
- disclose only the minimum amount of personal information required to satisfy the valid purposes indicated;
- consult the Privacy Officer before disclosing any personal information other than that required to perform his or her duties.
RETENTION OF INFORMATION
We retain your personal information for as long as necessary to fulfill the purposes for which it was collected. We must destroy this information in accordance with the law and our records retention policy. When we destroy your personal information, we take the necessary steps to ensure its confidentiality and that no unauthorized person has access to it during the destruction process.
ACCURACY
The organization takes reasonable steps to ensure that personal information is as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used, and to minimize the possibility that inaccurate or incomplete information may be used to make a decision that directly affects an individual.
The organization has documented procedures allowing individuals to request correction of their personal information when they believe there has been an error or omission.
We do not routinely update personal information unless it is necessary to fulfill the purposes for which it was collected. The degree of accuracy, currency and completeness of personal information will depend on the input you provide on the consent to collection form.
RESPONSIBILITY
We are responsible for personal information in our possession or custody, including information we entrust to third parties for processing. We require these third parties to maintain this information in accordance with strict confidentiality and security standards.
Our Privacy Officer oversees this Privacy Policy and related processes, as well as the procedures to be followed to protect this information.
Our staff is informed and properly trained on our privacy policies and practices.
SECURITY MEASURES
The organization is required to protect personal information in its custody or control from such risks as unauthorized access, collection, use, disclosure or disposal, by taking reasonable security measures. These include a combination of technical, administrative and physical safeguards. The reasonableness of the policies and practices governing personal information security measures takes into account such factors as the sensitivity, amount, distribution, format and method of storage of the information to be protected.
We have implemented and continue to develop rigorous security measures to ensure that your personal information remains strictly confidential and is protected against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.
These security measures include organizational measures (such as restricting access to what is necessary, backing up and archiving data using an external system, etc.) and technological measures such as the use of passwords and encryption (for example, frequent password changes and the use of firewalls).
ACCESS TO PERSONAL INFORMATION
The organization requires that access to personal information be role-based and limited to the minimum amount of information required for authorized purposes.
The organization monitors access to and use of personal information in order to promptly detect cases of inappropriate or unauthorized access to or processing of personal information by means such as auditing.
The organization requires service providers to comply with the organization’s legal obligations relating to the processing and protection of personal information, and service providers are required to comply with this Privacy Policy.
REQUEST FOR ACCESS TO INFORMATION AND AMENDMENTS
Subject to the exceptions set out in the Privacy Act, any individual may access, review or receive a copy of his or her personal information held by the organization by submitting a written request to that effect to the organization’s Privacy Officer.
We will provide you with such information within a reasonable time from the date of receipt of the written request. A reasonable fee may also be charged for processing your request. Under certain circumstances, we may refuse to provide you with the requested information. Exceptions to your right of access include the fact that the information requested concerns other individuals, that the information cannot be disclosed for legal, security or copyright reasons, that the information was obtained in the course of a fraud investigation, that the information can only be obtained at prohibitive cost, or that the information is the subject of litigation or is privileged.
When we hold medical information about you, we may refuse to communicate it directly to you and ask that it be sent to a health professional you have designated to communicate it to you.
You may verify the accuracy and completeness of your personal information and, if necessary, request that it be amended.
Any request for amendment will be processed within a reasonable period of time.
Requests for access to or modification of personal information may be sent to the address below:
PRIVACY OFFICER
Antonia Couture
antonia@ovarium.com
(514) 271-7515 ext. 108
COMPLAINTS AND QUESTIONS
You may contact the Privacy Officer at the above address.
All complaints concerning the protection of personal information should be forwarded to the Privacy Officer at the above address. We will investigate all complaints. If a complaint is found to be justified, we will take appropriate measures, including, if necessary, amending our policies and practices.
TRAINING AND AWARENESS-RAISING
The company promotes best practices and respect for transparency and privacy rights in a number of ways:
- It informs all team members (consent form);
- It posts the name and contact details of the person responsible for PR;
- It mobilizes various means of raising awareness, including: privacy information sessions, reminders at team meetings, training for its staff, a privacy action plan, a logbook, etc.
APPLICATION
If for any reason you feel that the company has not adhered to these principles, please notify us by contacting our Privacy Officer. We will then take the necessary steps to identify and correct the problem within a reasonable timeframe. Mention “Privacy” in the subject line.
POLICY UPDATE
This policy must be reviewed every three years. It must also be updated in the event of any substantial change in legislation or regulatory requirements.
Updated: January 16, 2025