Effective Date: April 17, 2026
Last Updated: April 17, 2026
Coussa Group Inc. (“Coussa Group,” “we,” “us,” or “our”) is a boutique automotive mergers and acquisitions (“M&A”) advisory firm headquartered at 8260 rue Sorel, Brossard, Québec, Canada. We provide sell-side and buy-side representation, valuations, and capital advisory to dealer principals, dealer groups, and qualified buyers across North America.
Because our work involves highly confidential transaction information, privacy and data protection are central to our operations. This Privacy Policy explains what personal information we collect, why we collect it, how we use and share it, and the rights you have under applicable privacy laws, including the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), Québec’s Act respecting the protection of personal information in the private sector (as amended by Law 25), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and the European Union General Data Protection Regulation (GDPR), where applicable.
This policy applies to coussagroup.com, our confidential Seller, Buyer, and Broker portals, our CRM, deal rooms, NDA and e-signature workflows, email communications, and any other services we provide (collectively, the “Services”).
1. Who We Are and How to Contact Us
Controller / Business: Coussa Group Inc.
Address: 8260 rue Sorel, Brossard, Québec, Canada
Email: info@coussagroup.com
Telephone: (514) 554-2326
Privacy Officer (Responsable de la protection des renseignements personnels, per Québec Law 25):
Adam Coussa, Founder & Principal Advisor
Email: privacy@coussagroup.com
Mail: Attention Privacy Officer, Coussa Group Inc., 8260 rue Sorel, Brossard, Québec, Canada
All privacy-related inquiries, access requests, correction requests, deletion requests, withdrawal-of-consent requests, and complaints should be directed to our Privacy Officer.
2. Scope
This Privacy Policy applies to personal information we collect from and about:
- Visitors to coussagroup.com and related marketing pages
- Dealer principals, owners, and executives who contact us about selling a dealership
- Qualified buyers, private-equity groups, family offices, and dealer groups seeking acquisition opportunities
- Referral partners, brokers, and professional service providers
- Users of our Seller Portal, Buyer Portal, and Broker Portal
- Parties who sign Non-Disclosure Agreements (NDAs), engagement letters, or referral agreements with us
- Recipients of our email communications, newsletters, and market updates
It does not apply to third-party websites, applications, or services that we link to. Those third parties maintain their own privacy practices.
3. Personal Information We Collect
We collect only the personal information reasonably necessary to provide our advisory services, operate our portals, comply with law, and develop our business. The categories of personal information we collect include:
Identification and contact information — full name, business title, company name, business mailing address, business email address, business telephone number, personal email address or phone number where you provide one, and, where relevant, professional license or registration numbers.
Dealership and transaction information — name(s) of dealership(s), rooftop count, OEM franchise(s), location(s), approximate revenue range, approximate EBITDA range, real-estate ownership status, exit timeline, reason for sale, acquisition criteria, capital band, target regions, target OEMs, and similar information relevant to an M&A engagement.
Financial and commercial information (collected only when you engage us on a sell-side, buy-side, or broker-referral mandate) — financial statements, tax filings, dealer statements, rent rolls, inventory and parts values, floor-plan details, insurance policies, employment schedules, purchase agreements, and similar documents provided by you or your advisors for the purpose of preparing a Confidential Information Memorandum (CIM), valuation, or due-diligence package. These materials are stored in access-controlled deal rooms.
NDA and e-signature information — signatory name, email address, IP address, browser user-agent, timestamp of signature, and the signed document itself, as captured by our e-signature provider (Zoho Sign).
Portal account information — username, hashed password, account preferences, subscription tier, NDA status, and access permissions to specific deal rooms and listings.
Communications and engagement records — emails, calls, meeting notes, voicemails, messages submitted through web forms, and records of what we have discussed with you.
Marketing-preference information — whether you have opted in to our newsletters or market updates, which segments you are subscribed to, and your engagement with past messages (opens, clicks).
Website and technical information — IP address, browser type and version, operating system, device type, referring URL, pages viewed, time on page, session identifiers, and cookie identifiers. See Section 10 for details.
Sensitive information we do not collect unless explicitly required and consented to — we do not routinely collect social-insurance numbers, social-security numbers, driver’s-license numbers, passport numbers, credit-card numbers, or banking credentials through our website or portals. If a specific transaction makes such information necessary (e.g., escrow or closing documentation), we will collect it only with your express consent and will store it only in secured, access-restricted systems.
4. How We Collect Personal Information
We collect personal information:
- Directly from you when you submit a website form, create a portal account, sign an NDA, or send us email or other communications
- From your authorized advisors (accountant, lawyer, broker) when they provide documents on your behalf
- From publicly available sources such as OEM dealer directories, provincial and state corporate registries, LinkedIn, and automotive-industry publications, for the limited purpose of identifying qualified counterparties and tailoring outreach
- From commercially available enrichment providers where permitted by law, for the purpose of verifying business contact details and suitability
- Automatically through cookies, web analytics, and server logs when you use our website or portals (see Section 10)
Where Québec Law 25 applies, we collect personal information only for serious and legitimate purposes and only the information strictly necessary for those purposes.
5. Why We Use Personal Information (Purposes and Legal Bases)
We use personal information for the following purposes:
- To respond to your inquiry and provide the Services you have requested, including delivering valuations, preparing CIMs, facilitating NDAs, operating the deal room, and executing transactions.
- To evaluate and qualify counterparties — for example, confirming that a buyer has the financial capacity, regulatory standing, and OEM relationships required to transact on a specific opportunity.
- To operate, maintain, and secure our website, CRM, portals, deal rooms, and e-signature systems, including authentication, session management, fraud and misuse detection, and audit logging.
- To communicate with you, including transactional emails (account confirmations, NDA status, deal-room notifications) and, where you have opted in, marketing emails such as market-update newsletters.
- To comply with legal, regulatory, and contractual obligations, including anti-money-laundering and know-your-client checks where applicable, recordkeeping obligations, and responses to lawful requests from regulators or courts.
- To protect our legal rights and the rights and safety of others, including investigating suspected confidentiality breaches, NDA violations, or misuse of the Services.
- To improve our Services and develop new ones, using aggregated, de-identified, or anonymized data where reasonably practicable.
Under the GDPR, our legal bases for processing are:
- Performance of a contract — for users of our portals and clients with whom we have an engagement letter, NDA, or referral agreement;
- Legitimate interests — for outreach to qualified counterparties, fraud prevention, network security, and business development, where those interests are not overridden by your rights;
- Consent — for marketing communications, optional cookies, and any processing of sensitive data;
- Legal obligation — for recordkeeping, tax, and regulatory compliance.
You may withdraw consent at any time where consent is the legal basis, without affecting the lawfulness of processing before withdrawal.
6. How We Share Personal Information
Coussa Group does not sell personal information. We do not share personal information for cross-context behavioural advertising. We share personal information only in the following circumstances:
Within a mandate, on a need-to-know basis — once you are on an active sell-side, buy-side, or broker mandate with us, we share relevant personal and transaction information with the specific counterparties, advisors, or professionals required to advance the transaction (for example, a qualified buyer who has signed an NDA covering a specific opportunity, or your own lawyer or accountant whom you have authorized).
Service providers and processors — we use vetted third-party providers to operate our Services. Current providers include, without limitation:
- Zoho Corporation Pvt. Ltd. — CRM, Creator portals, WorkDrive deal rooms, Sign e-signature, Flow automation, Analytics dashboards, Campaigns / Marketing Automation, and email. Data is processed in Zoho’s data-centre regions as configured for our account.
- WordPress hosting and CDN providers — for website hosting, security, and performance.
- Analytics and attribution providers — such as Google Analytics, subject to the cookie preferences described in Section 10.
- Communication providers — such as our email, calendar, and video-conferencing tools.
Each provider is bound by contract to process personal information only on our instructions, to maintain appropriate safeguards, and to return or delete the information at the end of the engagement.
Professional advisors — our lawyers, accountants, insurers, and auditors, who are bound by professional duties of confidentiality.
Legal, regulatory, and safety disclosures — where required by applicable law, by court order, by a lawful request from law enforcement or a regulator, or where necessary to protect our rights, property, or safety or that of our clients or the public.
Corporate transactions — if Coussa Group itself is involved in a merger, acquisition, reorganization, financing, or sale of assets, personal information may be transferred as part of that transaction, subject to equivalent confidentiality commitments.
With your consent — in any other case, only with your prior consent.
7. International Transfers of Personal Information
Coussa Group is based in Québec, Canada, and our clients and counterparties are located across Canada, the United States, and occasionally other jurisdictions. Personal information you provide to us may be stored and processed in Canada, the United States, or other countries where we or our service providers operate.
For transfers subject to the GDPR, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses and, where applicable, supplementary measures. For transfers from Québec under Law 25, we conduct Privacy Impact Assessments before transferring personal information outside Québec and confirm that the receiving jurisdiction provides a level of protection adequate in light of generally recognized principles of data protection.
If you would like a copy of our current cross-border transfer assessments or additional detail on safeguards, please contact our Privacy Officer.
8. How Long We Keep Personal Information
We retain personal information only for as long as reasonably necessary for the purposes set out in this policy, including to meet legal, accounting, audit, tax, regulatory, and dispute-resolution requirements. General retention guidelines:
- Website inquiries that do not progress to a mandate — up to 24 months from last contact, then deleted or anonymized.
- Portal accounts (Seller, Buyer, Broker) — for the duration of your account, plus up to 24 months of inactivity, after which the account is archived or deleted unless a longer retention period is required by law or contract.
- Engagement records (sell-side, buy-side, broker) — for the duration of the mandate plus a minimum of 7 years following closing or termination, consistent with professional recordkeeping obligations.
- NDAs and signed documents — for the duration of the underlying confidentiality obligation plus 7 years.
- Marketing subscription records — until you unsubscribe, plus a limited suppression record thereafter to honour your opt-out.
When retention periods end, we securely delete, anonymize, or destroy personal information.
9. How We Protect Personal Information
We implement administrative, technical, and physical safeguards appropriate to the sensitivity of the information, including:
- Access controls on CRM, portals, and deal rooms, with role-based permissions and multi-factor authentication where supported
- Encryption in transit (TLS) for all website and portal traffic
- Encryption at rest for sensitive deal-room documents
- Audit logging of key administrative actions and deal-room access
- Confidentiality agreements with all personnel, contractors, and service providers
- Regular review of our security posture and incident-response procedures
No system can be guaranteed to be 100% secure. If we determine that a confidentiality incident or personal-information breach has occurred that presents a risk of serious injury, we will notify affected individuals and the relevant regulator(s) in accordance with applicable law, including the Québec Commission d’accès à l’information, the Office of the Privacy Commissioner of Canada under PIPEDA, and applicable U.S. or EU authorities where required.
10. Cookies and Similar Technologies
Our website uses cookies and similar technologies to operate essential functions and, with your consent, to understand how the site is used and to measure marketing effectiveness.
- Strictly necessary cookies — required to operate the website and portals (session, authentication, security). These cannot be switched off.
- Preference cookies — remember your choices (language, consent selections).
- Analytics cookies — help us understand aggregate usage patterns.
- Marketing cookies — used by us or our approved providers to measure the effectiveness of campaigns and, where applicable, to deliver relevant content.
Where required by law, we obtain your consent via a cookie banner before setting non-essential cookies. You can withdraw or update your cookie consent at any time by revisiting the banner or by adjusting your browser settings to block or delete cookies. Most browsers also support the Global Privacy Control signal; where we detect it, we treat it as an opt-out of the sale or sharing of personal information for applicable U.S. residents.
11. Your Privacy Rights
Subject to applicable law and reasonable verification of your identity, you have the following rights:
Under PIPEDA (Canada) and Québec Law 25 — to access the personal information we hold about you; to request correction of inaccurate or incomplete information; to withdraw consent (subject to legal and contractual restrictions); to request that information collected by automated means be communicated to you or, where applicable, transferred to another organization (data portability); to be informed of any automated decision-making that produces legal or similarly significant effects and to request human review; and to file a complaint with the Office of the Privacy Commissioner of Canada or the Québec Commission d’accès à l’information.
Under GDPR (EU/EEA and UK residents) — to access; to rectify; to erase (“right to be forgotten”); to restrict or object to processing; to data portability; to withdraw consent; and to lodge a complaint with your national Data Protection Authority.
Under CCPA/CPRA (California residents) — to know what personal information we collect, use, disclose, or share; to delete personal information (subject to legal exceptions); to correct inaccurate personal information; to opt out of the sale or sharing of personal information (we do not sell, and we do not share for cross-context behavioural advertising); to limit use and disclosure of sensitive personal information; and to be free from retaliation for exercising these rights.
Under similar U.S. state laws (including Colorado, Connecticut, Virginia, Utah, and others) — equivalent rights of access, correction, deletion, portability, and opt-out of targeted advertising, sale, or profiling, as applicable.
To exercise any of these rights, email our Privacy Officer at privacy@coussagroup.com or write to us at the address in Section 1. We will respond within the timelines required by applicable law (typically 30 days, extendable where permitted). We may need to verify your identity before acting on your request. You may designate an authorized agent to act on your behalf, subject to reasonable verification.
If we deny a request, we will explain why and tell you how to challenge the decision, including by complaint to the applicable regulator.
12. Confidentiality Obligations in Our Industry
Our industry routinely operates under layered confidentiality obligations. When you engage us, or when we share information about a specific opportunity with you under NDA:
- The identity of a seller, the identity of a dealership, and the specific financial details of an opportunity are treated as confidential and are disclosed only to parties who have executed the relevant NDA and who have a demonstrated legitimate interest;
- Buyers agree not to contact dealership personnel, OEM representatives, landlords, or lenders directly without our prior written consent;
- Information obtained under an NDA may only be used to evaluate the specific opportunity disclosed to you and must be returned or destroyed on demand.
These contractual duties operate in addition to, and do not limit, your rights under applicable privacy law.
13. Children’s Privacy
Our Services are directed to business professionals and are not intended for, or directed to, children under 16. We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please contact our Privacy Officer and we will delete it.
14. Automated Decision-Making
We do not use personal information to make decisions about you that produce legal or similarly significant effects based solely on automated processing without meaningful human review. Certain internal tools may score or categorize leads and opportunities, but qualification, engagement, and transaction decisions are made by our advisors.
15. Third-Party Links
Our website and emails may contain links to third-party websites or resources. We are not responsible for the privacy practices or content of those third parties. Review their privacy policies before providing personal information.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our Services, or applicable law. When we make material changes, we will update the “Last Updated” date and, where appropriate, notify you by email, through a portal notice, or by posting a prominent notice on the website.
17. Complaints
If you believe we have not handled your personal information in accordance with this Policy or applicable law, please first contact our Privacy Officer so that we can try to resolve the issue directly. If you are not satisfied with our response, you may file a complaint with:
- Office of the Privacy Commissioner of Canada — priv.gc.ca
- Commission d’accès à l’information du Québec — cai.gouv.qc.ca
- California Privacy Protection Agency — cppa.ca.gov (for California residents)
- Your national Data Protection Authority (for EU/EEA/UK residents)