The Charter of the French language and its regulations govern the consultation of English-language content.

Thank you for visiting the website of the Institut de tourisme et d’hôtellerie du Québec (the “Organization”). This Privacy Policy applies to the website accessible at www.ithq.qc.ca (the “website”).

1. Who we are

For the purpose of this privacy policy (the “Privacy Policy”), any reference to the Organization or the Foundation is deemed to include its respective employees, officers, administrators, agents, subcontractors, and other representatives. When we use the expressions “we”, “us”, or “our” below, we are referring to the Organization, as responsible for the processing of your personal data. 

This Privacy Policy describes in which way we may collect, use, communicate, disclose, and otherwise process the personal data shared by using the website. Our Privacy Policy also describes the steps we take to ensure data security, as well as how you can access, modify, or delete the personal data we hold about you. In addition to this Privacy Policy, your visit of the website is also subject to (i) our Terms & Conditions, and (ii) any other terms or conditions that may be communicated to you from time to time by the Organization.

If you do not consent to the Organization’s practices regarding the collection, use, communication, disclosure and processing of personal data as set out in this Privacy Policy, please do not provide us with your personal data and do not use the website.

2. When and how we collect your personal data

We respect your privacy and aim to minimize the collection of data from you. We also aim to be transparent, which is why we detail below the limited circumstances in which we may collect and process your personal data.

2.1 Direct Interactions

We may collect your personal data in the context of the following direct interactions with you:

  • When you apply for admission to one of our programs;
  • When you apply to the Foundation for financial assistance;
  • When you voluntarily fill out one of the forms available on our website, notably to register for training or to provide us with feedback on one of our products or services;
  • When you create an “employer” account on the website to post job or internship offers;
  • When you make a reservation on the website or on one of the reservation platforms offered by our technology partners;
  • When you communicate with us about the services and products we offer, such as when you request a quote or information about the Organization, or when you register for a workshop, information session, individual information meeting, or open house;
  • When you enter into a contractual relationship with us to obtain a product or service, in particular to fulfill our obligations to you or to follow up on the product or service delivered to you; 
  • When you contact us to ask a question, submit a comment or make a complaint;
  • When you complete your subscription to our mailing lists, e-mail communications, and messaging services to receive news, updates, and promotional offers;
  • When you request to be added to the Graduate Business Directory;
  • When you update your contact information with the Alumni Office;
  • When you apply for a job;
  • When you make a donation or participate in a Foundation fundraising activity;
  • When you apply for a professional certificate of merit;
  • When you make a request to our library services, including a request for information, a purchase, a loan, or a digitization;
  • When you interact with us through social media.

2.2 Automated online technologies or interactions

We may collect certain types of information electronically when you interact with our website, via emails, social media accounts, online advertising, or through the use of our or a third party’s technologies, which include cookies, web beacons or single pixel gifs or analytics engines. This information helps us understand what actions you take when you interact with these technologies and allow them to work properly.

We may combine this information with other information collected online such as your browsing history. We do this to understand how you use our website and for the purpose of analytics, in order to provide you with more tailored advertising and marketing campaigns. This includes serving interest-based advertising to you. To learn more about the privacy choices available to you, please review Section 9 of this Privacy Policy.

The technologies we use include:

  • Cookies, which are small text files that are saved on your computer when you visit a website so that information can be saved between visits, such as your login credentials or language preferences. For example, cookies allow you to log in quickly when you visit our website.
  • web beacons, and single pixel gifs, which are small image files that have information about you, such as your IP address, that can be downloaded when you visit a website or open an e-mail. This allows us to understand your online behaviour, monitor our email delivery, and provide you with interest-based advertising. These tools also allow our third-party tracking tools to gather information, such as your IP address, and provide this back to us in an anonymized, aggregate form (i.e., in a manner that prevents us from identifying you personally). Aggregate information refers to personal data compiled and expressed in a summary form where no personal identifiers are included.
  • web analytics tools such as Google Analytics, which uses cookies to analyze your use of our website, to create reports about visitor and user activities for us and to provide further services associated with the use of our website.
  • Analytics engines, which pull Usage data from multiple sources and help manage and collect this data to use for personalization, interest-based advertising, customizing content and other methods to gain insights into the needs and preferences of visitors to our website.
  • Tools that help protect against inappropriate uses, such as Google Invisible reCAPTCHA, which collects hardware and software information, such as device and application data and the results of integrity checks, as well as unique online identifications such as IP address, and sends that data to Google for analysis.

You may delete or disable certain of these technologies at any time via your browser. However, if you do so, you may not be able to use some of the features on our websites. To learn more about the privacy choices available to you, please review Section 9 of this Privacy Policy.

2.3 Third Party Sources

We may obtain information about you from other sources, including from third-party service providers who provide services to the Organization in the conduct of their business. The Organization collects personal data from these third parties solely for the purposes described in this Privacy Policy.

More specifically, the Organization obtains some of your personal data from third parties in the following circumstances:

  • You apply for admission through a technology platform operated by a third party (e.g., SRAM or COBA platforms);
  • You apply for a job through a technology platform operated by a third party (e.g., SOFE platform); or
  • You make a reservation through a technology platform operated by a third party (e.g., LIBRO, OPERA CLOUD, LOUNGE UP or LUXURY RES platforms).

3. What personal data we collect

For the purposes of this Privacy Policy, the term “personal data” means any information about an individual from which that person can be identified. It does not include data from which identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you. The type of personal data that we may collect is described in the table below, along with an indication as to whether this information is mandatory or facultative in order for the Organization to fulfill its activities.

Type of Personal DataMandatory or Optional
Contact data includes name, surname, pronoun, email address, title, telephone number, postal address and contact preferencesMandatory: to respond to any of your requests, to process your admission, internship, or job application and to provide products or services that you have requested

Optional: for all other purposes
Demographic data includes date of birth or genderMandatory: the date of birth will be used to process your scholarship application or to update your graduate profile

Optional: all other uses
Geographical data, including country, province, administrative region, city or postal codeMandatory: to respond to your requests, to process your application for admission, internship or volunteer work, or to provide you with the products or services you have requested.

Optional: for any other purpose
Data relating to employment or professional activities, which includes all personal data that may be presented in a cover letter, curriculum vitae, or other similar documents submitted in support of a job application, internship application or volunteer offerMandatory: to process your job application and manage any subsequent employment relationship

Optional: for all other purposes
Social media data includes information associated with your social media accounts and related profiles, such as name, username, email address, profile picture, date of birth and genderOptional
Technical data includes IP (Internet Protocol) address, your login data, clickstream and other related information, such as the websites you visited immediately before and immediately after visiting our website, your time zone and location settings, information about your Internet service provider and other technologies on the devices you use to access our websiteOptional
Usage data includes the number of visits to our website and the date and average time spent on our websiteOptional
Marketing and communication data includes your preferences in receiving marketing from us and third parties with whom we have a connection and your communication preferencesMandatory: in order to provide you with marketing communications that you have consented to receive or which is allowed by applicable laws

Optional: for all other purposes

We also collect, use, store and share Aggregated Data, such as statistical or Demographic data. Aggregated Data could be derived from your personal data, but is not considered personal data if it does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we will treat the combined data as personal data and use it in accordance with this Privacy Policy.

We do not collect any sensitive personal data that includes details about racial or ethnic origin, political opinions, religious or philosophical beliefs or union membership, nor any genetic or biometric data for the purpose of uniquely identifying a natural person, nor any data concerning the health, sexual life, or sexual orientation of a natural person.

If you fail to provide personal data

When we need to collect personal data by law, or pursuant to the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform such contract. In this case, we may have to cancel the delivery of a product or the performance of a service that you have requested from us should your refusal make it impossible to perform our obligations. If so, we will notify you in due time.

4. How we use the personal data we collect about you

We limit the collection of personal data to what is reasonably required to fulfill the purposes for which it is collected. Most commonly, we will use your personal data in the circumstances described below.

  • With your consent: for instance, we will obtain your consent before sending marketing communications to you;
  • For reasons consistent with the reasons why the personal data was collected: for instance, processing your data where it is necessary to answer your questions or requests, for the performance of a contract to which you are a party, or to take steps on your behalf or at your request before entering into such a contract;
  • For purposes that are clearly to your benefit: for instance, to perform a contractual or other obligation that we have towards you;
  • Otherwise as permitted by law and when we have to comply with a legal obligation: comply with a legal obligation means processing your personal data where it is expressly permitted by applicable privacy laws or necessary for compliance with a legal obligation that we are subject to.

From time to time, we may use your personal data to conduct surveys in order to improve our products and services. In such cases, we will not collect sensitive personal data and the survey results will be anonymous. We do not use your personal data for automated decision-making. In the event that we conduct a survey for purposes other than those identified above or make an automated decision, a privacy statement will be communicated to you before these activities take place.

Your personal data may, as required, be accessible to our employees, consultants, subcontractors, students and volunteers, on a need-to-know basis, which means whenever access is required to fulfil the purposes described in this Privacy Policy, and always in accordance with our access management procedure.

5. How we disclose your personal data

5.1 Principle

Unless expressly stated in this Privacy Policy, we do not sell, rent, transfer or disclose your personal data with third parties without your consent for purposes which are not disclosed herein.

5.2 Exceptions

We may share your personal data with third parties in the circumstances described below.

  • Third-party providers: We may share all of the categories of personal data identified in Section 3 above with third parties who provide services to the Organization such as online reservation services, accounting services, payment processing services, electronic communications (marketing) services, advertising services or analysis services (for example, monitoring the effectiveness of our marketing campaigns and analyzing the use of our website), online training services. These third parties are only permitted to use your personal data for the purpose of delivering such services to the Organization and are not permitted to use your personal data for their own internal purposes. 
  • External partners: We may disclose your personal data to an external partner when you request information, registration or participation in an internship or other activity offered in collaboration between the Organization and that external partner. In all cases, the name of the partner to whom your personal data will be disclosed will be mentioned in the information provided to you regarding the activity in question.
  • The Foundation: we may disclose your personal data to the Foundation, a non-profit legal entity whose mandate is to obtain funding to support the Organization in carrying out its mandate and mission. Certain personal data collected through the website is communicated to the Foundation, namely:
    • when you apply for a scholarship from the Foundation;
    • when you create a “donor’ account on the website;
    • when you make a donation to the Foundation;
    • when you register for a fundraising activity organized by the Foundation; or 
    • when you apply to volunteer with the Foundation.

The information described above is used by the Foundation in accordance with its privacy policy for the following purposes:

  • to evaluate a scholarship application;
  • to evaluate the application of an individual who wishes to volunteer with the Foundation;
  • to administer the donation made to the Foundation;
  • to administer fundraising activities in which you have requested to participate;
  • to send you electronic communications with your consent or otherwise in accordance with applicable laws.
  • Students and volunteers: We may disclose your personal data to the Organization, students or certain volunteers when such disclosure is necessary for the purposes described in this Privacy Policy. These third parties are authorized to use your personal data only for the purposes set out in this Privacy Policy and are not authorized to use your personal data for their own purposes.
  • Judicial purposes: We may disclose your personal data when requested or required for judicial purposes. More precisely, the Organization and its third-party providers may disclose your personal data in response to a search warrant or other legally valid inquiry or order, or where necessary to respond to an investigative body in the event of a breach of agreement or a violation of the law, or as otherwise required or permitted by law. We may also disclose personal data where necessary for the establishment, exercise or defense of legal claims, to prevent actual or suspected loss, to avoid personal injury or property damage.
  • Sale, transfer of business or other transactions: We may share your personal data with another entity if we sell part or all of our business or if we sell or transfer assets as part of a business transaction or as part of a merger, a change in our incorporation or organizational structure, or any other legal transaction relating to the legal form of the Organization. In the event the transaction is completed, your personal data will remain protected by applicable privacy laws. In the event the transaction is not completed, we will require the other party not to use or disclose your personal data in any manner whatsoever and to completely delete such data, in compliance with applicable laws.
  • Other permitted reasons: Applicable laws may permit or require the use, sharing, or disclosure of personal data without consent in specific circumstances (e.g., when investigating and preventing suspected or actual illegal activities, including fraud, or to assist government and law enforcement agencies). These circumstances include situations when permitted or required by law or when necessary to protect our group of companies, our employees, our customers, or others. If this happens, we will not share more personal data than is reasonably required to fulfill that particular purpose.

Our website may contain links to other websites that we do not own or operate. In addition, links to our website may appear on third-party websites on which we advertise. Except as provided in this Privacy Policy, we will not share your personal data with these third parties without your consent. Links to third-party websites are provided to the users of our website for convenience only. These links are not intended to be an endorsement or recommendation of the linked sites. The linked websites may have separate and independent privacy statements, notices and terms of use, which we recommend you read carefully. We do not have any control over such websites, and therefore we have no responsibility or liability for the manner in which the organizations that operate such linked websites may collect, use, disclose, protect or otherwise process your personal data.

6. Transfers of personal data to other countries

As the Organization is headquartered in Canada, your personal data will be accessible from that location. The personal data that we collect from you may be transferred to, or stored at, a destination outside Canada. We will take reasonable steps, in accordance with applicable privacy laws, to ensure that any personal data transferred outside Canada is treated securely and will receive an adequate level of protection. However, it is possible that local laws in the country of destination may not provide the same level of protection as privacy laws in Canada.

7. How we handle and protect your personal data internally

7.1 How we protect your personal data

We have put in place and use administrative, technical and physical safeguards to protect the personal data we hold about you against unauthorized access, use, modification and disclosure including, without limitation: 

  • We limit our employees’ technological and physical access to your personal data by implementing an access management process;
  • We carry out security audits, penetration tests and vulnerability tests on internal and external networks to identify and correct any weaknesses;
  • We offer regular training to our employees on personal information security issues;
  • We have set up an Access to Information and Privacy Committee, which constantly monitors issues relating to the protection of personal information;
  • We have adopted an Information Security Policy and a Directive on Protection against Cyber Threats and Reporting of Cyber Security Incidents, which are communicated to all of our employees.

Security measures are also taken when we dispose of or destroy your personal data with a view of completing these processes in a confidential and secure manner. Further, we use reasonable safeguards to ensure that our service providers protect your personal data wherever it is used or stored.

7.2 Who has access to your personal data and how it is handled

We give access to your personal data to our employees, contractors and third-party providers (each a “Representative”) only on a need-to-know basis, to fulfill the specific functions that we have assigned to them. During the retention period of your personal data, our Representatives are required to maintain the confidentiality of your personal data. They also have the responsibility to adhere to the administrative, technical and physical safeguards that we prescribe in order to protect your personal data. They must otherwise comply with the policies and procedures designated in this Privacy Policy.

7.3 Our policies related to security incidents

We also take special measures to assess the potential risks applicable to the disclosure of your personal data. In the event of a security breach or a confidentiality incident, namely if your personal data is lost, accessed, used, disclosed without your authorization, or becomes accessible to an unauthorized person, we will inform you of such breach if it poses a risk of serious harm. For example, a risk of serious harm includes reputational damage, credit report damage, identity theft, bodily harm, humiliation, loss of professional opportunities or financial loss. If the breach poses a risk of serious harm, we will notify you directly as soon as possible. If we cannot notify you directly, we will notify you of the breach by public communication. We will provide you with the information required to understand the significance of the security breach and take the necessary steps to reduce the risk of harm that may arise from it. We will also report the security breach to the government and any other organization that we believe may reduce the risk of harm that may result from this breach. We keep records of all security breaches or confidentiality incidents. Following a security breach or a confidentiality incident, the Organization investigates the causes of the breach or incident and reviews the safeguards in place to prevent a reoccurrence.

7.4 Retention of personal data

We keep your personal data only as long as necessary to fulfill the purposes described in this Privacy Policy or to otherwise comply with the requirements of the law.

7.5 Internal training and privacy awareness program

Our Representatives are made aware of this Privacy Policy prior to having access to your personal data and undertakes to protect its confidentiality and to comply with the procedures and policies set out herein. In addition, we make available training programs to our Representatives in order to increase their awareness about our obligations arising out of applicable privacy laws and our internal data governance processes. These training programs are available on a continuous basis to make it easier for our Representatives to remain up to date on industry standards. More specifically, the Organization holds regular awareness campaigns dedicated to this topic, during which various activities are offered pursuant to the mandatory viewing of educational videos, the broadcasting of instructive information on display screens located on its premises, the organization of informative kiosks, and more.

7.6 Responsibilities of our Privacy Officer

We have appointed a Privacy Officer who is responsible for overseeing questions in relation to this Privacy Policy and who is in charge of the protection of personal data within our Organization. If you have questions or comments regarding how we treat your personal data, including any request to exercise your legal rights, or if you wish to request access to, update or correct the personal data we hold about you, please contact our Privacy Officer as indicated below:

Attention: Déwi Collin, Assistant Corporate Secretary
Phone: 514-282-5111
Mailing address: 3535, Saint-Denis St, Montréal Québec H2X 3P1
Email: [email protected]

Our Privacy Officer is also responsible to handle any privacy complaint that you may have in relation to how our Organization processes your personal data. Our Privacy Officer will handle each complaint in the following manner:

  • contact the complainant in writing to acknowledge receipt of the complaint;
  • investigate the complaint and assess its merits when sufficient information is available to the Privacy Officer; and
  • respond to the complaint in writing including details of the Organization’s privacy practices related to the complaint.

8. Your legal rights

In relation to your personal data, you have the rights detailed below:

  • Request access to your personal data: this enables you to receive a copy of the personal data that we hold about you.
  • Request the correction or update of the personal data we hold about you: this enables you to have any incomplete, inaccurate or outdated data we hold about you corrected or updated. However, we may need to verify the accuracy of the new data you provide to us.
  • Request erasure of your personal data: this enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • Request to transfer your personal data to you or to a third party: we will provide you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated or computerized personal data.

If you wish to exercise any of the rights set out above, please contact our Privacy Officer using the contact information provided in Section 7.6 of this Privacy Policy.

You will not have to pay any fees to access your personal data (or to exercise any of the other rights set out above).

If you want to exercise any of the above-mentioned rights, we may need to ask you for specific information to help us confirm your identity and ensure your right to access your personal data (or to exercise your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you for further information in relation to your request to speed up our response.

We will respond to all legitimate requests within twenty (20) days.

9. Changing your privacy settings

Electronic communications: At any time, you can have your name removed from our mailing lists for promotional or marketing electronic communications by unsubscribing from our emails.

Cookies: You can block the use of cookies by activating the setting for this purpose in your browser.

Targeted advertising: You may opt out of personalized advertising from third-party advertisers and advertising networks that are members of the Digital Advertising Alliance of Canada (DAAC) by visiting the DAAC Opt-Out Page.

10. Changes to privacy policy

This Privacy Policy is regularly reviewed and may be updated from time to time to reflect changes in applicable laws or our practices regarding personal data. If we decide to change our Privacy Policy, we will post the revised policy on our website. We will treat your personal data in accordance with the most recent version of the Privacy Policy.

11. How to contact us

For any inquiries related to this Privacy Policy, you can contact our Privacy Officer using the contact information provided in Section 7.6 above.