Privacy Policy

“Courteo” refers to Courteo Inc. (currently being registered with the Quebec Enterprise Registrar), operating under the trade name Courteo Prêts. Courteo is a technology platform connecting individuals interested in mortgage products with mortgage brokers licensed by the Autorité des marchés financiers (AMF).

Important: Courteo does not perform mortgage brokerage activities under the Mortgage Brokers Act. Courteo does not advise, negotiate, or present products; it objectively qualifies your project and connects you with a third-party AMF-licensed brokerage in its network.

Pursuant to section 8.1 of Quebec Law 25, you can reach our Privacy Officer at:

• Email: rprp@courteo.ca
• Online form: courteo.ca/en/rprp

Depending on which services you use, we may collect:

• Identification: first name, last name, language, province, postal code.
• Contact: email, phone number.
• Mortgage project: file type (renewal, purchase, transfer…), amount range, income range, preferred callback slot.
• Browsing data: IP, user agent, advertising source (UTM, Meta lead_id), visited pages (only if you accept analytics cookies).
• Documents: if you upload files (T1, CRA notice), they are encrypted and stored in Canada.

We do not collect your social insurance number or credit score. The AMF-licensed broker you are connected with may request these directly, under their own obligations.

We process your personal information to:

• Connect you with an AMF-licensed mortgage broker (explicit consent at form submission).
• Call you back for objective project qualification (CASL phone consent).
• Send you the connection mandate to sign (email or SMS).
• Maintain a tamper-evident consent registry as legal evidence.
• Improve the service via aggregated and anonymized data (analytics cookies, opt-in).

• AMF-licensed brokerages in our network: if you sign a connection mandate, the designated brokerage receives your file for analysis.
• Technical subprocessors (hosting, email, SMS, anti-spam): all contractually bound to confidentiality and Law 25-equivalent protection.
• No resale to third parties without your explicit consent.

• Incomplete drafts (LeadDraft): 7 days then auto-deleted.
• Completed requests (Lead): up to 24 months after last interaction, then anonymized.
• Signed mandates: stored in encrypted vault (Object Lock) for 24 months per AMF contractual obligations.
• Consent registries and audit logs: 5 years (legal evidence CASL, AMF, Law 25).

You have the right at any time to:

• Access personal information we hold about you.
• Rectify inaccurate or incomplete data.
• Request portability in a structured technological format.
• Request erasure (right to be forgotten) when retention is no longer necessary.
• Withdraw consent at any time (e.g., reply STOP to an SMS, click unsubscribe in an email).

To exercise these rights: RPRP form or rprp@courteo.ca. We respond within 30 days.

We use essential cookies (session, security), analytics cookies (anonymized audience measurement), and marketing cookies (advertising performance). You can manage your preferences anytime via the cookie banner, which reappears if you clear our cookies from your browser.

Some of our technical subprocessors process your data outside Quebec, with Law 25-equivalent protection. A privacy impact assessment (EFVP) is maintained for each transfer.

Nominative list of subprocessors outside Quebec:

• Resend (United States) — transactional and opt-in marketing email delivery.
• Telnyx (United States, Canadian numbers) — SMS sending/receiving and call routing.
• Groq (United States) — inference of the language model used for automated SMS follow-ups.
• Backblaze B2 (United States / European Union) — encrypted geographic backup copy (Law 25 art. 17).
• Cloudflare (United States) — anti-bot protection (Turnstile) on public forms.

If we eventually use call centers outside Canada, we will notify you explicitly and obtain separate consent.

Your data is encrypted in transit (TLS 1.3) and at rest (AES-256). Access is logged (tamper-evident audit with hash chain) and restricted to strict need-to-know. Our primary infrastructure is hosted in Canada.

If you believe your rights are not respected despite our handling of your request, you can file a complaint with the Commission d'accès à l'information du Québec: cai.gouv.qc.ca.

This policy may evolve. Any material change will be notified by email if you have an account, or via the cookie banner. The update date appears at the top.