Legal information
Privacy
Policy
Last updated: March 27, 2026
Table of contents
1. Data controller
Bamandi is the data controller for personal data collected through the bamandi.ca website.
Email: contact@bamandi.ca
Province: Quebec, Canada
2. Data collected
Depending on your use of the site, we collect the following data:
| Data | Collection context |
|---|---|
| First name, last name | Account creation, order, contact form |
| Email address | Account creation, order, newsletter, contact |
| Password (hashed) | Account creation with email |
| Google identifier | Sign-in via Google OAuth |
| Delivery address | Order |
| Order history | Order |
| IP address (anonymized) | Visit statistics, security |
| Contact message | Contact form |
| Language preference | Navigation (session cookie) |
3. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Customer account management | Contract performance |
| Order processing | Contract performance |
| Newsletter sending | Consent |
| Contact message responses | Legitimate interest |
| Anonymized visit statistics | Legitimate interest |
| Security and fraud prevention | Legitimate interest |
| Legal and accounting obligations | Legal obligation |
4. Retention periods
- Active customer account: throughout the account lifetime + 3 years after last activity
- Orders: 7 years (accounting obligation)
- Contact messages: 2 years
- Newsletter subscription: until unsubscription
- Anonymized visit logs: 13 rolling months
- Password reset tokens: 1 hour
5. Data sharing
Bamandi never sells your personal data. It may only be shared with:
- Carriers (name, delivery address) for shipping your orders
- Payment providers for secure transaction processing
- Google in connection with reCAPTCHA and OAuth authentication (see sections 7 and 8)
- Competent authorities if required by law
All our service providers are contractually bound to protect your data and use it only for the purposes for which it was shared.
6. Cookies and trackers
Bamandi uses only strictly necessary cookies for the site to function:
| Cookie | Purpose | Duration |
|---|---|---|
| bamandi_session | User session (cart, account, language) | Session |
| bamandi_lang | Language preference | 30 days |
No advertising or third-party tracking cookies are placed on your device. The site does not use Google Analytics or any advertising network.
7. reCAPTCHA Google
reCAPTCHA v3 analyzes browsing behavior invisibly (without user interaction) and assigns a trust score. During this analysis, Google may collect information such as IP address, page interactions, and browser settings.
The reCAPTCHA badge is visually hidden in accordance with Google's usage rules, subject to this disclosure in the present policy.
8. Google sign-in (OAuth)
When signing in via your Google account, we receive the following information from Google: first name, last name, email address, unique Google identifier, and profile picture (avatar).
This data is used solely to create or identify your customer account on bamandi.ca. Bamandi does not access any other data from your Google account (contacts, calendar, etc.).
To revoke Bamandi's access to your Google account: myaccount.google.com/permissions.
9. Newsletter
By subscribing to the Bamandi newsletter, you consent to receiving our email communications. You may unsubscribe at any time by clicking the unsubscribe link in each email.
We only retain your email address for this purpose. No browsing data is linked to your newsletter subscription.
10. Your rights
In accordance with Quebec's Law 25 and GDPR for our European customers, you have the following rights:
- Right of access — obtain a copy of your personal data
- Right of rectification — correct inaccurate or incomplete data
- Right to erasure — request deletion of your data
- Right to portability — receive your data in a readable format
- Right to object — object to certain processing activities
- Right to withdraw consent — withdraw your consent at any time (e.g. newsletter)
To exercise these rights, contact us at contact@bamandi.ca. We respond within a maximum of 30 days.
11. Data security
Bamandi implements appropriate technical and organizational measures to protect your data:
- Secure HTTPS (TLS) connection throughout the site
- Passwords stored as bcrypt hashes (irreversible)
- IP addresses stored as anonymized hashes (SHA-256)
- Restricted and authenticated database access
- Session tokens regenerated at each login
- CSRF protection on all forms
In the event of a data breach likely to affect your rights, Bamandi undertakes to notify you within the timeframes required by applicable regulations.
12. Contact and complaints
For any questions regarding this policy or to exercise your rights:
- Email: contact@bamandi.ca
- Form: bamandi.ca/contact
If you believe your rights are not being respected, you may file a complaint with the Commission d'accès à l'information du Québec (CAI): cai.gouv.qc.ca.