1. Introduction
This privacy policy is meant for those who use one of the Antidote Applications or one of the Websites, as these expressions are defined below:
- Antidote 12 and prior editions for installation on a computer (it is still possible for an organization to add workstations to an Antidote 11 or Antidote 10 license), Antidote Web for access through a browser at antidote.app, as well as Antidote Mobile for iPhone and iPad (the “Applications”), including its corrector, dictionaries, language guides, documentation, deployment and installation scripts, configuration files, and the applications which allow it to be integrated with other software (e.g. Connectix);
- The websites www.antidote.info and www.druide.com as well as the services which they allow you to access, such as your Client Portal from services.druide.com and the Help Centre from assistance.druide.com (the “Websites”).
This document uses clear and simple terms to describe the practices and procedures adopted by our company, Druide informatique inc. (“Druide”), to protect your personal information.
2. What Information Do We Collect and Why?
2.1. Information Provided by Users
2.1.1. Primary User
Contact information — An account is required to use the Applications. For primary users (over 16 years of age), creating an account requires the user’s full name, email address, and choice of language for the interface of selected Applications and for Druide communications. Other personal information, such as their telephone number and mailing address, is optional. The same applies for the choice of avatar. Sometimes, when it is necessary or advisable, we may use the information provided by the primary user for service-related communications and technical support requests or announcements.
Credit card information — Anyone who pays for an Application through the account they have created must provide their credit card details (card number, expiration date, security code) and billing address. The transaction is secured by Stripe, a PCI DSS (Payment Card Industry Data Security Standard) level 1 certified payment platform, the highest security level for online payments. Information relating to your credit card is encrypted and is never transmitted over the Internet in unencrypted form. Additionally, it is processed exclusively by Stripe and never comes into our possession.
For more information on Stripe’s practices in terms of the protection of personal information, please read its Privacy Policy.
Username and password — When creating an account, the primary user chooses a personal password. The username is the same as their email address. The username and password are required for signing in to the Applications, for accessing certain services offered by the Websites, as well as for submitting a request for technical support online.
2.1.2. Invited Users Aged 16 and Over
Contact information — When creating an account for an invited user aged 16 years or older as part of a family subscription or an organizational subscription to the Applications, the invited user’s full name and email address are required. Other information, such as their telephone number and mailing address, is optional. The same applies for the choice of avatar. Sometimes, when it is necessary or advisable, we may use this information for service-related communications and technical support requests or announcements.
Username and password — When signing in for the first time, the invited user aged 16 years or older chooses their personal password. The username is the same as their email address. The username and password are required for signing into the Applications and for certain services offered by the Websites, as well as for submitting a request for technical support online.
2.1.3. Invited Users Under 16 Years of Age in a Family Subscription
Contact information — In a family subscription to the Applications, it is possible to create an account for an invited user under the age of 16. All you need to create the account is the invited user’s full name. No email address is linked to the account. Unlike with other users, we never communicate with invited users under 16 years of age, not even for service-related communications or technical support. You can provide the date of birth of an invited user under 16 years of age. This way, the status of the invited user’s account will change on their 16th birthday.
Username and password — The primary user also chooses a username and password when creating the account. Users under 16 years of age cannot change their username or password; only the primary user can make these changes. A username and a password are required to connect to the Applications.
2.1.4. Invited Users Under 16 Years of Age in Schools
Contact information — As part of an organizational subscription to the Applications, a school may create an account for an invited user under 16 years of age. This requires the invited user’s full name and email address. The email address must be linked to the school’s domain (e.g. student@yourschool.com). We will only contact invited users under 16 years of age for essential messages (e.g. password reset).
Username and password — When logging in for the first time, invited users under 16 years of age must choose a password. They cannot change their username, which corresponds to their email address. The username and password are required to log in to the Applications.
2.1.5 Customizations
Depending on the Applications, it is possible to add a word to a personal dictionary, to add a custom rule for a word or a string, to configure custom settings or to create lists of favourites for quick access to dictionary entries or guide articles. You can edit or remove customizations.
2.1.6. Communication
Support requests — The Help Centre of our Websites contains a form allowing you to describe a problem, leave a comment or share a suggestion. You must then provide any information that will help us process your request.
Comments and suggestions — You may send us comments and suggestions regarding the Applications or Websites. You acknowledge that Druide may use them in the development, improvement and marketing of its products or services without any restriction or obligation to provide remuneration.
Messages — We use your email address to send you essential messages (e.g. password reset). We also use it to send you optional messages (e.g. newsletters, tutorials). Your Client Portal allows you to manage your preferences regarding these optional messages.
2.2. Information Collected Automatically
2.2.1. Usage Data
As a provider of web-based services, Druide automatically collects certain information for its web server logs. The information collected may be related to the device used (operating system, type of hardware, browser name, etc.) or the nature of the use of the Websites and Applications (session frequency and length, activated options, display settings, word searches, etc.). We only use this information in aggregate for users as a whole. This information helps us in making decisions for the improvement of our products and services. For example, we may decide to improve the integration of Antidote Web with the most popular browsers or to add certain words to the dictionaries that are frequently searched for by users. Unless you are logged in to your account, this information is used without the possibility of individual identification.
2.2.2. Texts Submitted to Antidote’s Corrector
As the processing of texts submitted to the corrector varies depending on the application used and the agreement governing its use, we present below a summary of the different scenarios.
Antidote 12 and its previous editions under perpetual license (single-user license or device-based license) — Texts submitted to the corrector are only processed locally. They are never transmitted to our servers.
Antidote 12 with an Antidote+ subscription or an organizational subscription — Texts submitted to the corrector also remain on the computer where the application is installed, unless you use the Reformulation mode. To be reformulated, texts are transmitted via the Internet to our servers. Reformulated texts are neither stored nor used to train artificial intelligence models.
Antidote Web with an organizational subscription — Texts submitted to the corrector are destroyed as soon as the correction is completed. Therefore, they cannot be used to train artificial intelligence models.
Antidote Web with an Antidote+ subscription — With this subscription designed for individuals, texts submitted to the corrector are kept in their original form for eight hours to provide the user access to recent texts. After this period, the submitted texts are destroyed unless the user consents to their anonymization and subsequent retention for training artificial intelligence models. In the anonymized texts, the following elements are replaced with completely different words: the names of any natural or legal persons, place names, demonyms, dates and times, numbers, addresses, postal codes, telephone numbers, email addresses, URLs, brand names, acronyms, etc. Following the anonymization, the original text will be destroyed and no link between an anonymized text and the person who submitted it will be saved. Consequently, the anonymized data no longer allows for the direct or indirect identification of a particular person. This process cannot be reversed.
2.2.3. Authentication and Provisioning Services
When an account is linked to a single sign-on service, such as Google Single Sign-On and SAML (Security Assertion Markup Language), or to a provisioning service, such as SCIM (System for Cross-domain Identity Management), we only collect the login information required by that service: the user’s full name, email address, the language selected for the interface of the chosen Applications and for Druide communications and, if applicable, the time zone and the avatar URL. The password, however, is not collected.
2.2.4. Cookies
Cookies are small blocks of data stored on your device (computer, smartphone, tablet) by your web browser. They are a standard technology used by all browser software. Like most online services, we use cookies to enable the functionality of our Applications and Websites and to evaluate their performance and usability. Some cookies are required for them to function properly, while others are optional. Cookies can be deleted, but if they are disabled or blocked, it may prevent the Applications and Websites from working correctly.
The cookies used for the Applications are strictly necessary. However, it is possible to configure the cookies used for the Websites in your Cookies Settings.
2.2.5. IP Address
We may collect and analyze IP addresses, but without collecting the precise geolocation of a user or a device, because they can help us identify the cause of a technical issue (e.g. incorrect display of time zones and appropriate currencies). Except for these purposes, we do not collect or store any geolocation data.
2.2.6. Web Analytics
To understand the context of a technical issue, to improve our Applications and Websites or to protect them from attacks carried out by automated applications (bots), we may use third-party web services such as Matomo or hCaptcha.
2.2.7. Advertisement Tracking
To follow visitors’ interactions with our Websites when they access them by clicking on an advertisement, we may use conversion tracking tools such as Meta Ads’ “Meta Pixels” or Google Ads’ “tags”. The information collected this way is anonymized before it reaches us; we cannot see users’ personal information.
Learn how Meta protects your personal information in its Privacy Policy.
Learn how Google protects your personal information in its Privacy Policy.
3. What We Do With the Information Collected
We do not collect personal information that is not necessary for the delivery of the products and services that we offer. This means we use your personal information to:
- provide you with services through the Applications and Sites;
- provide you with technical assistance;
- maintain our commercial relationship with you;
- ensure the proper functioning and improvement of the Applications and Websites;
- respond to your questions and, if applicable, your job applications.
4. What We Do Not Do With the Information Collected
We do not collect, use or share your personal information in any way that is not disclosed in this Privacy Policy. This also means that we do not do the following:
- We do not sell, trade, rent or provide the personal information of users of the Applications and Websites to third parties.
- As our Applications are fee-based, we do not expose users to advertisements.
- We do not provide any messaging system for users to communicate privately with each other.
5. How Do We Protect Information?
5.1. Security Measures
When it comes to protecting user information, security is our highest concern. We follow industry-recognized standards, such as the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, the Open Worldwide Application Security Project’s (OWASP) Application Security Verification Standard and the Payment Card Industry Data Security Standard (PCI DSS). Here’s what we do to keep the Applications and Websites secure:
5.1.1. Web Servers and Browsers
We use SSL (Secure Sockets Layer) to establish an encrypted link between our web server and a browser. This link ensures that all data transferred remains private and secure.
5.1.2. Server Protection
We use firewall-protected servers stored in a secured location to prevent any unauthorized access.
5.1.3. Password Protection
We store and transfer passwords using encryption technologies deemed to be secure.
5.1.4. Restriction of access
We control and limit our employees’ access to our user database. The same is true for access to log files containing user and employee interactions with the Applications and Websites, as well as security events. Only employees who require this information to perform their duties have access to it. In such cases, we apply the principle of least privilege: the access granted is the minimum access required for these employees to perform their duties.
5.1.5. Staff Awareness
We regularly educate our employees about information security issues and about how important personal information is to our customers. The manner in which this information is handled is set out in a written document read and accepted by all relevant members of our staff.
5.1.6. Development Security
We implement control measures to ensure that the Applications’ and Websites’ development is secure. These measures include searching for disclosed vulnerabilities in third-party software included in the Applications and Websites, reviewing code, validating changes before deployment, training technical staff in good development practices, etc.
5.1.7. Security Tests
We continuously test the Applications’ security and fix any detected vulnerabilities presenting a security risk. For Websites, we remediate any vulnerabilities identified through network scans conducted quarterly using a solution approved by the PCI Security Standards Council. We periodically appoint external experts to carry out security audits, including vulnerability and penetration testing.
5.1.8. Infrastructure and Software
We use only industry-standard, publisher-supported software and technology infrastructures. We diligently keep them up to date with the latest patches.
5.1.9. Update Management
We implement measures for managing all Applications’ and Websites’ updates, whether or not they are required for security reasons. We take swift and appropriate action to prevent any vulnerability from being exploited, from the moment one is identified to the deployment of the update required to address the situation.
5.1.10. Security Reviews
We periodically review all above security measures and practices.
5.2. General Measures
We comply with laws and regulations on privacy and data protection in multiple jurisdictions, notably the Act Respecting the Protection of Personal Information in the Private Sector (ARPPIPS—Government of Quebec), the Personal Information Protection and Electronic Documents Act (PIPEDA—Government of Canada), the Children’s Online Privacy Protection Act (COPPA—United States of America) and the General Data Protection Regulation (GDPR—European Union). Here are the measures we take to comply with these laws and regulations:
5.2.1. Information From Children Under 16 Years of Age
We are committed to protecting the information of all users—notably children under the age of 16. We will not require them to disclose more personal information than necessary. Should you become aware that we have inadvertently collected personal information from a child—for example, if a child has taken out an Antidote subscription—we will take action to promptly delete such information. To report that a child’s personal information has been inadvertently collected or provided without the consent of a parent or legal guardian, please contact us at privacy@druide.com.
5.2.2. Deletion and the Right to Be Forgotten
Unless required to meet the legal obligations described in section 5.2.7, we delete your personal information when it is no longer necessary for a legitimate purpose related to the products and services we provide to you (e.g. when a subscription has expired). In the case of a subscription, any account (containing personal information) is automatically deleted one year after its expiration, unless it is used for other purposes. We also delete personal information upon request; you can exercise your right to be forgotten by writing to privacy@druide.com. Finally, you can destroy the information yourself by deleting your account in your Client Portal. If you are the primary user, you can also delete the account of any invited users under 16 years of age. Upon deletion, personal information is permanently erased and cannot be restored.
5.2.3. Right to Correction
Personal information can be found in your account (Client Portal); you can view and edit it at any time. However, users under 16 years of age cannot edit their personal information; only the primary user can do so. You can also submit a request to amend the incorrect information to privacy@druide.com.
5.2.4. Data Ownership, Control and Portability
The content of customizations (see paragraph 2.1.5) belongs to users. We do not claim any right of ownership or control over the content added. You can modify or delete your customizations. If authorized by the manager of an organizational subscription, you can share them with other members of the organization. You can also export their content in a structured, commonly used, machine-readable and interoperable format. If your subscription entitles you to use the Applications on more than one device, a service allows you to synchronize customizations between each of these devices.
5.2.5. Parental Consent
COPPA mandates obtaining parents’ verifiable consent before collecting information from their children and describes different accepted ways to do so. By inviting a child under the age of 16 to join your subscription, you certify that you are the child’s parent or legal guardian and consent to the collection of information described in this policy. By inviting a child under the age of 16 to join a school-based organizational subscription, you certify that you are acting as an agent of the child’s parent or legal guardian. We recommend that you retain verifiable proof of parental consent for the collection of this child’s information.
5.2.6. Transfer of Your Personal Information
In order to comply with the GDPR, we must inform you that your personal information will be transferred outside the European Union (EU) to Canada. The GDPR allows for the transfer of data to certain countries whose legal system affords a level of protection deemed “adequate” with regard to personal information. Under an adequacy decision rendered by the European Commission, Canada is one of the countries to which the transfer of personal information from the EU is authorized. On January 15, 2024, the European Commission reviewed this decision and confirmed that Canada continues to provide an adequate level of protection for personal data.
5.2.7. Legal Requirements
We may disclose personal information in good faith in the following circumstances: when required to do so by law or by a court; to investigate or defend against third-party claims or allegations; to protect the security and integrity of our services; and to protect our rights and those of our users.
5.3. In Case of Failure
We strive to protect our users against unauthorized use, disclosure, or access to their personal information. Although we adhere to the best industry standards, we cannot claim that our security system is 100% immune to failure. If we identify a privacy incident affecting user accounts and determine that there is a risk of serious harm, we will contact the affected users by email within 24 hours. In the case of an organizational or family subscription, the primary user will be contacted.
6. About This Privacy Policy
6.1. Modifications
This document will occasionally be updated to keep pace with improvements to the Applications and Websites, security technology and changes to privacy legislation. We expect that such updates will be minor amendments. However, if any modification significantly reduces the protections outlined in this policy, we will seek consent by email from all users of the Applications who have a Druide account, provided that they are aged 16 or older.
6.2. General Consent
Your use of one of the Applications or Websites implies your consent to the terms of this Privacy Policy. Should you disagree with any of its terms, you should immediately cease using the Applications and Websites.
6.3. Contact
We strive to make our Privacy Policy as easy to understand as possible. If you have any questions about it or would like to make a request relating to the protection of your personal information, please send an email to privacy@druide.com or write to us at:
Druide informatique inc.
Data Protection Officer
1435 Saint-Alexandre Street, Suite 1040
Montreal, Quebec H3A 2G4
Canada
6.4. Recourse
If you are not satisfied with the way in which we use your personal information, you can appeal to the supervisory authority with jurisdiction over such matters in your country. For example, the Office of the Privacy Commissioner of Canada is authorized to oversee matters relating to the handling of personal information in Canada, while the Commission nationale de l’informatique et des libertés (CNIL) has jurisdiction in France. If you reside in a European Union country, please visit the site of the European Data Protection Supervisor to find the relevant authority in your country.