Purpose

CGI (“we or our”) has issued this myAutoPlus Data Privacy Policy (“Policy”) to inform you, as the requesting consumer (“you” or “your”) about how and why we collect and Process your Personal Information, CGI privacy practices, and your rights with respect to the Processing of your Personal Information.

This Policy sets out the general standard that CGI has implemented when Processing Personal Information within the Application.

1. Definitions

For the purposes of this Policy, the following definitions apply:

“Application” means the myAutoPlus application downloaded and used by you to access your myAutoPlus Report.

“Applicable Data Protection Legislation” refers to applicable Canadian privacy laws and any applicable local laws relating to the Processing of Personal Information.

“myAutoPlus Report” means the report requested by you through the Application containing your automobile insurance and claims history report data held by CGI. This report will contain your personal information only, but not the personal information of other parties related to your insurance policy.

“Personal Information” means the personally identifiable information about you contained in a myAutoPlus Report and as supplied by you in the use of this Application.

“Process”, “Processing” or “Processed” refers to any operation or set of operations performed on Personal Information, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, using, disclosing by transmitting, disseminating or otherwise making available, aligning or combining, restricting, erasing, or destroying.

2. Context and Scope

As part of CGI’s agreements with the Canadian Property & Casualty (P&C) Insurers, CGI acts as a service provider to process and manage automobile insurance data provided to it by such P&C Insurers. As CGI provides reports to P&C Insurers to be used for insurance underwriting purposes, CGI is registered as a consumer reporting agency in applicable jurisdictions, whereupon a consumer’s request, CGI must provide their respective automobile insurance and claims history report (the myAutoPlus Report) to that requesting consumer. This report will contain your personal information only but not the personal information of other parties related to your insurance policy. Such other related parties must obtain their own reports.

This Policy governs the supply and management of a myAutoPlus Report to you as a requesting consumer, pursuant to applicable consumer protection and privacy laws. You may also request a paper copy to be delivered to your residential address by contacting the CGI help desk at insurance.helpdesk@cgi.com.

Access to a myAutoPlus report is not currently offered in all provinces and territories. You acknowledge that a myAutoPlus Report and access to automobile insurance data is not available to requesting consumers in British Columbia, Quebec, Manitoba or Saskatchewan.

This Privacy Policy does not affect or govern CGI’s existing agreements or data processing obligations with respect to its role as service provider to Canadian Property & Casualty (P&C) Insurers.

3. Which Personal Information do we use about you?

Subject to Applicable Data Protection Legislation, some or all of the following Personal Information categories may be Processed by CGI and any third party engaged by CGI for providing services to CGI:

1. Data provided by you during registration, including e-mail address, contact phone number, and certain information derived from a Driver License scan;
2. Insurance data contained within your myAutoPlus Report pertaining to you;
3. Any additional data provided by you or entered into the Application by you;
4. Data related to logging and IP address, and application use metrics;

Third party advertising partners may collect certain data from you, based on your consent.

All data collected and required to be stored for the purposes of operating the Application will be stored in Ontario and/or Quebec.

4. Why do we use your Personal Information?

CGI will Process Personal Information as strictly necessary to fulfil the purposes and functions of the Application relative to your receipt and management of your myAutoPlus Report and other personal information supplied by you, and in conformance with consents to Processing given by you.

4.1 Processing Principles

Transparency, fairness and lawfulness: CGI will Process Personal Information lawfully, fairly and in a transparent manner in accordance with the requirements of this Policy and as necessary for compliance with the Applicable Data Protection Legislation.

Purpose: CGI will Process Personal Information as strictly necessary to fulfil the purposes and functions of the Application relative to your receipt and management of your AutoPlus data and other personal information supplied by you, and in conformance with the consents to Processing given by you.

Data minimization: when the purpose for Processing Personal Information is established, CGI will only collect Personal Information to the extent required for accomplishing such purpose.

Accuracy of Personal Information: CGI manages your myAutoPlus Report data as provided to it by industry sources, including insurance companies and their service providers, and from organizations having legal or regulatory jurisdiction or oversight of such insurance industry data (the “Data Providers"). CGI stores and reports such automobile insurance data but is not authorized to make changes to it. Every reasonable step will be taken to ensure that Personal Information that is reproduced accurately from our Data Providers. CGI will provide means for you to inform CGI, the Data Providers and/or a relevant agency or regulatory body in case of any errors in their Personal Information. You acknowledge that CGI cannot unilaterally make changes to the myAutoPlus Report data without the approval of the relevant Data Providers.

Any information otherwise provided to CGI directly by you can be subject to correction or updating based on your direction and notification.

Data retention limitation: CGI will ensure that it does not keep your Personal Information for a longer period than strictly necessary to achieve the purpose for which your Personal Information is collected. Consequently, CGI will determine before the performance of the Processing an appropriate retention period. In doing so, CGI will consider the time during which the Personal Information is necessary to achieve the purpose of the Processing.

Technical and Organizational Measures: CGI will implement appropriate technical and organizational measures, consistent with prevailing industry standards adopted by CGI, to guard against unlawful access or Processing of Personal Information.

4.2 Sensitive Personal Information

If CGI collects and processes information which is deemed to be Sensitive Personal Information under CGI will do so only where strictly necessary and will ensure appropriate technical measures are in place to protect such data as required by applicable privacy laws. Currently CGI does not intend to or need to collect sensitive personal information from you.

“Sensitive Personal Information” refers to specific categories of Personal Information that reveal racial or ethnic origin, political opinion, religious or philosophical beliefs, or trade union membership, as well as the Processing of genetic or biometric data for the purpose of uniquely identifying a natural person, health data, and data concerning a natural person’s sex life or sexual orientation.

5. Management of Data Incidents and Breaches

5.1 Incident Management

CGI has a mature, industry standards-based security incident response and management process designed to handle privacy and security incidents. Incident assessment and prioritization standards are followed to ensure appropriate engagement levels and timely resolution.

High-priority incidents are managed through a 24x7 Global Security Operations Centre, where trained, full-time incident response professionals coordinate response efforts. CGI’s Data Privacy team is engaged in the incident management process whenever Personal Information is suspected to be involved.

5.2 Notification of Personal Information Breach

If CGI reasonably believes that a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information transmitted, stored or otherwise Processed has occurred, CGI will provide security incident notification and status updates to the relevant regulatory body(ies) and to you, as required by Applicable Data Protection Legislation.

6. Who do we share your Personal Information with?

As part of CGI operations, we may collect your Personal Information and disclose it on an as needed basis to third parties engaged by CGI and providing services as part of the Application or performing services on our behalf (e.g. suppliers and subcontractors). Whenever CGI relies on third parties to Process Personal Information, CGI ensures that such third parties provide an adequate level of protection to the Personal Information they process as required by Applicable Data Protection Legislation.

Based on your consent, we may also share your Personal Information with third parties providing authentication services to CGI. On a regular basis, CGI conducts due diligence and third-party privacy and security risks assessments with all third parties engaged by CGI, to establish their corporate capabilities and maturity with respect to security and data protection.

CGI will disclose your Personal Information if the disclosure is reasonably necessary to protect CGI’s rights and pursue available remedies, enforce CGI’s terms and conditions, investigate fraud, or protect CGI’s operations or users.

CGI may also disclose your Personal Information to administrative, judicial or governmental authorities, state agencies or public bodies, strictly in accordance with Applicable Data Protection Legislation and after careful review, the legality of any order to disclose such Personal Information. CGI will challenge the order if there are legal grounds to do so.

7. What are your rights and how can you exercise them?

Individuals have several rights under the Applicable Data Protection Legislation to request access to their Personal Information held by CGI and/or information about how CGI Processes their Personal Information. If you have any questions regarding the Processing of your Personal Information, please send your formal request to privacy@cgi.com.

Under Applicable Data Protection Legislation you have the following rights:

1. to access your Personal Information;
2. to rectify any of your inaccurate or incomplete Personal Information;
3. to object to the Processing of your Personal Information at any time;
4. to delete your Personal Information, except where its retention is still necessary for the purposes for which it was collected; necessary to protect CGI’s rights; or required by Applicable Data Protection Legislation
5. to restrict the Processing of your Personal Information that is no longer accurate or necessary;
6. to receive your Personal Information in a structured, commonly used and machine-readable format; or
7. to withdraw your consent given for the Processing of your Personal Information.

CGI will act in accordance with the Applicable Data Protection Legislation and other relevant legal and contractual obligations in the search for and provision of relevant Personal Information. You may be required to deal directly with your insurance company to exercise these rights. CGI may need to ask you further questions in relation to your Personal Information or to verify your identity.

If you do not agree with the information on your myAutoplus Report please contact the Complaint Officer or Ombudsperson of your insurer.

For Ontario:

A list of these individuals can be found on the Financial Services Regulatory Authority of Ontario website How to Resolve an Auto Insurance Complaint | Financial Services Regulatory Authority of Ontario (fsrao.ca) and select “Find your insurance company’s complaint officer”.

Account deletion:

To initiate the process of myAutoPlus account deletion please email our Helpdesk at insurance.helpdesk@cgi.com. In the header of the email please mention "myAutoPlus Account Deletion" to help process your request. You may be required to provide proof of your identity and confirmation of the original email used to create the account.

8. Changes to this Policy

This Policy may be amended from time to time to comply with Applicable Data Protection Legislation or changes in the data management or processing practices of CGI. CGI will ensure that you are notified of any material changes to the Policy promptly, through an update or notification in the Application and/or myAutoPlus.ca, by email or other appropriate method of communication. Should you require a status update, you may raise a request by sending an email to privacy@cgi.com.

9. Data Privacy Organization - Questions

CGI has designated a Chief Privacy Officer (CPO) to oversee CGI’s global data protection strategy, enterprise- wide data protection policies and procedures, and data protection regulatory compliance, and a network of Privacy Business Partners may also be appointed as Data Protection Officers in accordance with Applicable Data Protection Legislation. In case of questions or concerns related to the interpretation or operation of this Policy, please send an email to privacy@cgi.com or contact CGI's Chief Privacy Officer at Paris – Carré Michelet, 10-12 Cours Michelet, 92800 Puteaux, France.

10. myAutoPlus Cookie Policy

myAutoPlus is a digital platform developed by CGI Inc. (“we”, “our” or “us”) to allow customers to stay up to date, understand their driving and insurance history, and make informed decisions to be sure their insurance best meets their needs. Operated and maintained with the goal of enhancing the customer experience in the automotive insurance industry, myautoplus.ca (“website”) provides information about the myAutoPlus mobile application.

To deliver secure and efficient browsing experience, the website uses cookies and similar tracking technologies. This Cookie Policy explains how and why we use these technologies, and how you can manage your preferences.

What are Cookies?

Cookies are small text files stored on your device that contain data, which typically includes a unique identifier. They are created when you first visit a website or web application. On subsequent visits, your browser returns these cookies to the site, allowing it to recognize your device and provide a more personalized experience.

The Categories of Cookies We Use

We use both persistent cookies, which remain on your device for a set period of time, and session cookies, which are temporary and expire once you close your browser. Some of these cookies are strictly necessary, while others are optional.

Strictly necessary cookies ensure the proper operation of the website. They enable core technical functionalities, ensure security, and allow access to secure areas of the website. The cookies are set by default and do not require your consent. Disabling these cookies may impair the functionality of the website.

Optional cookies help us remember your preferences, analyze site usage, and provide targeted content and marketing communications. These cookies are not essential to the basic operation of the website and are only set after you have provided your explicit consent. You can review, accept, or decline optional cookies at any time via our Cookie Management Center, accessible anytime from the website footer.

The current list of cookies we use is available in our Cookie Management Center.

Our use of Google Analytics

If you have accepted statistics cookies through the Cookie Management Center, our websites use Google Analytics 4 (“GA4”)—a service that enables us to: (a) measure traffic and engagement across the website; (b) reduce redundant or outdated content and facilitate accessibility to our websites; and (c) meet evolving needs and expectations of our website’s users. GA4 collects event-based data from users’ interaction with our website. This data typically includes internal search queries, start of session, page views, bounce rate, and interaction with videos.

GA4 may also collect technical information about your browser and device (e.g., screen resolution and language setting), information retrieved from cookies set on your device and coarse geo-location data derived from IP addresses that are anonymized as soon as technically feasible.

Data collected through GA4 may be transferred to Google’s servers in the United States. Data collected through GA4 are automatically deleted after 14 months. The deletion of data whose retention period has been reached occurs automatically once a month. Before data deletion, we may generate from aggregated data reporting results that are stored separately from user data.

As we respect your privacy, data collected through GA4 is not used to profile or identify you as an individual. We have also entered into a data processing agreement with Google, so that any personal data collected through GA4 is processed in accordance with our instructions only. We have implemented additional privacy controls available in GA4, including disabling Google Signal (a feature of GA4 that allows cross-device reporting and remarketing), opting out of data sharing with Google (such that Google does not have access to our GA4 data), and ensuring that GA4 does not track users who have declined or opted out of statistics cookies.

Our legal basis for the use of GA4 is your consent. You may revoke your consent at any time without giving reasons by rejecting or disabling statistics cookies in our Cookie Management Center. You may also prevent GA4 from collecting regarding your visit to, or interaction with, our websites any data (including IP address) by downloading the Google Analytics opt-out browser add-on. Any processing up to the time of the revocation remains unaffected. For more information about the handling of user data by Google Analytics, please consult Google’s Data Privacy Declaration

Other Tracking Technologies We Use

Local and Session Storage

We may use session and local storage to store unsent telemetry event (such as page views and clicks) or to store recently sent telemetry event in case of retries or deduplication needs.

Server logs

We also use server logs to collect data about visitors’ use of our websites. These logs may be reviewed for security purposes, e.g., to detect intrusions into our network. Furthermore, server log data, which contains visitors’ IP addresses could, in instances of criminal malfeasance, be used to trace and identify individuals. In such instances, raw data logs would be shared with appropriate investigative bodies authorized to investigate such breaches of security. Server logs data are kept separate. They are not automatically used to identify you or combined with any personal data you may voluntarily provide to us.

Web beacons and tags

Web beacons and tags are tracking elements (small, invisible image files or code snippets) embedded in or delivered through our webpages or emails to check whether and how users interact with our content. Their main purpose is to collect usage statistics and build analytical reports on users’ activities.

Managing Your Preferences

You can always change your cookie preferences through our Cookie management center. Any preferences you make will be automatically set.

You may also disable some or all cookies through your browser. To do so, please follow the instructions provided by your web browser or visit this section on https://aboutcookies.org to learn how to manage or delete cookies using your browser.

Contact Us

If you have any questions about this policy, please send an email to privacy@cgi.com.