Last updated: April 22, 2026

Your privacy matters to tom & tom (hereinafter “we” or “us”). This privacy policy explains how we collect, use, retain, and protect your personal information when you visit tomtom.design or get in touch with us.

It is intended to comply with the Act to modernize legislative provisions as regards the protection of personal information (Law 25, Québec) and the Personal Information Protection and Electronic Documents Act (PIPEDA, Canada).

1. Person in charge of protecting personal information

In accordance with Law 25, we have designated a person in charge of protecting personal information:

  • Simon Gauthier Boudreau, co-founder
  • Email: [email protected]
  • Phone: 514 773-2719 (business days, 9 a.m. – 5 p.m.)

You can contact them with any question about this policy or about exercising your rights.

2. Information we collect

We collect only the information that is strictly necessary for the purposes described below. Depending on how you interact with the site, this may include:

  • Contact form: your email address and the content of the message you send us. If you choose to include a phone number in the body of your message, it will also be kept along with it.
  • Server and anti-spam logs: IP address, user agent, and request timestamps, solely for security, fraud detection, and technical diagnostics.
  • Analytics (if applicable): aggregated, anonymous usage data (pages visited, browser, approximate location) collected without cookies or browser fingerprinting.

We do not collect sensitive information (health data, banking data, social insurance number) through the site.

3. Purposes of collection

Your information is used exclusively to:

  • Respond to requests you send through the contact form.
  • Ensure the site’s security and proper operation (anti-spam, abuse detection).
  • Measure site traffic on an aggregate basis to improve its content.
  • Meet our legal obligations.

4. Legal basis

We process your information based on your consent (when you submit a form), our legitimate interest (security, logs), or our legal obligations.

5. Cookies and trackers

By default, the site places no tracking cookies, no advertising cookies, and no third-party pixels (Facebook, Google, etc.). Our analytics tool, when enabled, runs in cookieless mode (cookieless).

Strictly functional cookies may be used to maintain your session or remember your language preference. These are never used to track you across other sites.

6. Sharing with third parties — service providers

We do not sell or rent your information. We rely on carefully selected service providers to operate the site:

  • Railway (web hosting) — Railway Corporation, United States.
  • SMTP2GO (delivery of contact emails) — SMTP2GO Ltd., New Zealand.
  • Cloudflare Turnstile (anti-spam protection for the form) — Cloudflare, Inc., United States. See the Turnstile Privacy Policy.
  • PostHog (cookieless analytics, when enabled) — PostHog Inc., United States.

Each of these providers is bound by a contract that limits their use of your data to delivering the service alone.

7. Transfers outside Québec

As required by Law 25, we inform you that some information may be processed outside Québec, primarily in the United States, by the service providers listed above. We assess that this processing provides adequate protection equivalent to that required in Québec.

8. Retention period

  • Messages sent through the form: kept for up to two (2) years after the conversation closes, then deleted.
  • Server logs: thirty (30) days, except in the event of a security incident.
  • Aggregated analytics data: up to twelve (12) months.

You can request early deletion at any time by writing to us.

9. Your rights

With respect to your personal information, you have the following rights:

  • Access to a copy of the information we hold about you.
  • Correction of information that is inaccurate, incomplete, or ambiguous.
  • Deletion or withdrawal of your consent.
  • Portability: receiving your information in a structured, commonly used technological format.
  • Objection to certain processing.

To exercise any of these rights, write to us at [email protected]. We will respond within a maximum of thirty (30) days.

If you feel our response is unsatisfactory, you may file a complaint with the Commission d’accès à l’information du Québec.

10. Security

We apply reasonable technical and organizational measures to protect your information:

  • Encrypted connections (HTTPS/TLS) across the entire site.
  • Databases and emails hosted on secure platforms, with automatic backups.
  • Access to information limited to people who need it for their work.
  • Periodic review of our practices and those of our service providers.

Since no system is perfect, we will notify you without delay, as required by law, in the event of a confidentiality incident that could pose a risk of serious harm.

11. Automated decisions

We do not use any exclusively automated decision-making process that produces legal or significant effects concerning you.

12. Minors

The site is not directed at people under the age of 14, and we do not knowingly solicit their information. If you become aware of such collection, please write to us and we will delete it.

13. Changes to this policy

This policy may be updated to reflect changes in our practices or in the legal framework. The current version is always available at tomtom.design/en/privacy-policy/. Any substantial change will be communicated to you, where possible, through a visible notice on the site.

14. Applicable legislation

This policy is governed by the laws in force in Québec and Canada, notably :

  • Act respecting the protection of personal information in the private sector (CQLR, c. P-39.1), as modernized by Law 25.
  • Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5).

15. Acceptance

By browsing the site or submitting a form to us, you acknowledge that you have read this policy and accept its terms.