Legal Document

Privacy Policy

Entity: 2733420 ALBERTA INC. d/b/a "Comply+"

Last Updated: February 12, 2026

Contact: support@complyplus.ca

Previous version: 1.0 (August 8, 2025)

Current Version: 2.0

Mailing Address:

2733420 ALBERTA INC.

#204, 10359 104 Street NW

Edmonton, AB T5J 1B9

Canada

1. Purpose

This Privacy Policy explains how Comply+ ("we," "our," "us") collects, uses, and discloses personal information and information about your business, including information about your use of the service, in connection with our Services.

2. Scope

2.1 Who This Policy Applies To

This policy applies to:

  • Visitors to our website.
  • Authorized users from our client organizations.
  • Customers of our clients whose information is entered for AML compliance.
  • Training Service users, including MSB and reporting entity employees.
  • Prospective clients.
  • Third parties referenced in compliance reports.
  • Former clients and users.

2.2 Where and How We Collect Information

We collect information through:

  • Our Website.
  • Email, text, and electronic communications.
  • Voice and video communications, which may be recorded and transcribed using AI-powered tools.
  • Mobile and desktop applications.
  • Third-party websites and services where we advertise.

2.3 Third-Party Websites and Services

The Website and Services may link to third-party sites with their own privacy policies. We are not responsible for third-party privacy practices.

2.4 Data Processing Agreements

We may execute a separate Data Processing Agreement (DPA) with certain clients that supplements this Privacy Policy.

DPA and Privacy Policy Relationship:

If you have a DPA with us, the DPA governs our processing of customer data you enter into the Service.

  • In case of conflict between the DPA and this Privacy Policy, the DPA prevails.
  • For matters not in the DPA, this Privacy Policy applies.
  • The DPA supplements, not replaces, this Privacy Policy.

3. Information We Collect About You

3.1 Information You Provide

We collect personal information and your business information, including information about your use of the service, including:

  • Account details: Name, email, login credentials, organization information.
  • Customer data: Personal identifiers and AML-relevant information (names, dates of birth, addresses, occupations, transaction details including histories, amounts, dates, counterparties, payment methods, and patterns) for compliance monitoring and AI-powered detection.
  • FINTRAC reporting details: Reporting ID, encrypted API key, metadata.
  • Payment information: Credit card details (via third-party processors), billing addresses, transaction history.

Communications:

  • Support correspondence (emails, chat, tickets).
  • Feedback: Survey and user research responses.
  • Professional information: Job title, department, role, contact details.
  • Training Service data: Email, name, industry, company name, enrollment, course progress, exam results, certificates, learning history.

Call Recordings and AI Note-Taking: We may record and transcribe calls using AI software (e.g., Granola.ai) to:

  • Improve customer support and service quality
  • Maintain records of discussions
  • Document technical issues
  • Generate internal notes

Recordings and transcripts are retained per Section 9 and may be stored on third-party platforms. For scheduled calls, we may obtain your consent at booking or call start. If you do not consent, inform us and we will disable these tools or offer alternatives.

3.2 Automatically Collected Information

IP addresses, browser type, and device identifiers when using our site or Service.

Logs related to login attempts, API calls, and system activity.

Cookies: We use cookies for authentication, preferences, and analytics. Cookies are essential for Service functionality. Disabling cookies will prevent Service access.

Cookie Consent: By using the Service, you consent to necessary cookies. For jurisdictions with stricter requirements (EU, Quebec), contact support@complyplus.ca.

Types of Cookies We Use:

  • Strictly Necessary Cookies: Required for authentication, security, and core Service functionality. These cannot be disabled.
  • Functional Cookies: Remember your preferences and settings.
  • Analytics Cookies: Help us understand how the Service is used and identify areas for improvement.
  • Cookie Management: Manage cookies through browser settings. Disabling cookies prevents Service use.
  • Analytics Opt-Out: Contact support@complyplus.ca to opt out of non-essential analytics. This may limit technical support. Necessary analytics cannot be disabled.
  • Third-Party Analytics Providers: Our analytics providers (listed in Section 8) include Google Analytics. These providers use cookies and similar technologies, are contractually obligated to protect your information, and use it only for authorized purposes.
  • Behavioural Tracking and Advertising: We use analytics tools to track how users find and interact with our Website and Services, including tracking sources such as advertisements, search engines, and referral links for marketing attribution purposes.

We do not use cross-site behavioral tracking for targeted advertising or sell your personal information. Our analytics tools measure marketing effectiveness and improve our Service.

Session Recording: We use heatmaps and click tracking to improve functionality.

Geolocation Data: We derive approximate location from IP addresses for security purposes. We do not collect precise geolocation data.

Usage Data: We collect Service usage information including features accessed, time spent, navigation patterns, search queries, and report metadata.

Performance and Diagnostic Data: We collect error logs, performance metrics, browser/device diagnostics, and uptime data.

Artificial Intelligence: Some features use AI (including aiSTR™) for automated transaction detection and recommendations.

Third-Party AI Processing: Our aiSTR™ feature uses OpenAI models (US-based servers). OpenAI cannot use your data to train general-purpose models.

AI Limitations: AI systems may produce errors. You must verify all AI outputs before use. AI features do not reduce your legal obligations or replace human oversight.

Data Processing for AI Training: We may use anonymized Service data to improve our AI models.

Automated Decision-Making: Our AI features provide decision-support only. We do not make automated decisions with legal effects. You retain full control and responsibility for compliance decisions.

We use anonymized data to improve AI models.

4. Sensitive Data Handling

4.1 Your Role as Data Controller

You are the data controller for all customer and transaction data you enter into the Service. We act as data processor on your behalf. You must obtain necessary consents and comply with privacy laws.

4.2 Nature of Data We Process

We process sensitive AML-related data under PIPEDA, including:

  • Names, dates of birth, addresses, and contact information
  • Identification document numbers and government-issued credentials
  • Occupations, employers, and business relationships
  • Financial transaction data, amounts, patterns, and account details
  • Politically exposed person (PEP) status and risk classifications
  • Sanctions screening results and watchlist matches
  • Suspicious transaction indicators and risk scores
  • Source of funds and wealth information
  • Beneficial ownership structures and corporate relationships
  • Transaction counterparties and related party information

We process this data for FINTRAC reporting and compliance tools only, not for secondary purposes without consent (except anonymized data per Section 5).

4.3 Data Storage and Processing Architecture

Database Storage (Supabase):

  • Your data is stored in our PostgreSQL database hosted by Supabase.

Application Processing (Netlify):

Report preparation occurs through:

  • Front-end workflows running in your browser
  • Server-side functions hosted on Netlify that validate data, prepare reports, and communicate with FINTRAC's API
  • Functions process data temporarily in-memory; Netlify does not persistently store data beyond operational logs (Section 7).

4.4 Report Handling

Draft Reports:

  • Draft reports that have not yet been submitted to FINTRAC are stored in Supabase until you submit or delete them.

Submitted Reports:

We retain submitted reports indefinitely unless you request deletion and we have no other retention basis under this Privacy Policy. Reports transmit directly from our server-side functions to FINTRAC's API via your credentials.

  • Important: You are solely responsible for maintaining report copies and supporting documentation to meet PCMLTFA record-keeping obligations.

Temporary Processing Logs:

System logs (API calls, timestamps, status) are retained for 30 days for troubleshooting and security monitoring, then auto-deleted. Logs exclude full report content.

4.5 Data Processing and Foreign Jurisdiction Access

While data is stored on Canadian servers, our sub-processors (Supabase, Netlify, AWS) are subject to US and/or foreign jurisdiction. US or foreign jurisdiction authorities may access data under US or foreign jurisdiction laws as these companies can be legally compelled to provide access.

  • Important: Physical location differs from legal jurisdiction. Service provider jurisdiction enables US or foreign government access despite Canadian storage.

4.6 Permitted Uses of Transaction Data

We process AML data for:

  • FINTRAC reporting and compliance management
  • AI tools: Analysis, risk scoring, recommendations (aiSTR™)
  • Service improvement: Anonymized data for AI enhancement

We do not:

  • Use data for marketing
  • Share identifiable data except per Section 12
  • Train AI on non-anonymized data (Section 5)
  • Sell, rent, or trade data

5. Information Use

We use personal information and your business information, including information about your use of the service, to:

Service Delivery:

  • Operate and maintain the platform
  • Facilitate preparation and submission of reports to FINTRAC on your behalf
  • Manage user authentication and access
  • Process instructions and requests
  • Enable user collaboration
  • Store and manage reference data (customer profiles, locations, transaction records)

Account Management:

  • Create and maintain user accounts
  • Process payments
  • Communicate with you about your account or Service usage
  • Provide customer support and respond to inquiries
  • Send transactional notifications (e.g., report confirmations, system alerts, security notifications)

Legal Compliance:

  • Comply with legal obligations, including the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA)
  • Respond to lawful requests from authorities, courts, or regulatory agencies
  • Enforce our Terms of Service and other agreements
  • Detect and prevent fraud, security incidents, or policy violations
  • Protect rights, property, and safety
  • Retain required records

Service Improvement:

  • Analyze Service usage to identify areas for improvement
  • Develop and deploy new features
  • Conduct research and development to improve our technology
  • Optimize Service performance
  • Monitor system health and reliability

AI and Machine Learning:

  • Train AI models using anonymized transaction data
  • Detect suspicious transactions
  • Generate compliance insights from transaction data
  • Provide decision-support tools (human review required)

We analyze transaction data for AI and compliance.

We do not use AI training data to identify you or any individual.

Analytics:

  • Create aggregated, anonymized data for analytics and research
  • Analyze industry trends
  • Publish insights using anonymized data
  • Such data may be used without restriction.

Security and Fraud Prevention:

  • Monitor for suspicious activity and security threats
  • Implement security and authentication controls
  • Conduct security assessments and respond to incidents
  • Protect against fraudulent or illegal activity

Communications and Updates:

  • Notify you about changes to the Service or our policies
  • Send service updates and security alerts
  • Provide AML training and resources
  • Communicate service disruptions

Marketing Communications:

  • Inform about new features
  • Invite to events and webinars
  • Share educational content and compliance updates
  • Request feedback and user research participation

Opt out anytime via email links, account settings, or support@complyplus.ca. Transactional communications remain unaffected.

Business Operations:

  • Operate business and maintain records
  • Pursue mergers, acquisitions, and asset sales
  • Maintain continuity and backups
  • Conduct audits and quality assurance
  • Third-Party AI Processing: AI features (including aiSTR™) may transmit transaction and customer data to third-party providers (including OpenAI) under data processing agreements, including to the United States.

Other Purposes:

  • For purposes disclosed at collection
  • For purposes with your consent
  • As otherwise permitted or required by applicable law

We will not use personal information or your business information, including information about your use of the service, for materially different purposes without consent or as permitted by law.

6. Legal Basis for Processing

We process personal information and your business information, including information about your use of the service, on the following legal bases:

  • With your consent: Where you have consented to collection, use, or disclosure for specific purposes. You may withdraw consent by contacting support@complyplus.ca, subject to legal or contractual restrictions.

As necessary to perform our contractual obligations: We process personal information and your business information, including information about your use of the service, as necessary to provide the Service and fulfill our obligations under your Subscription Agreement with us, including:

  • Platform access for authorized users
  • Report preparation and FINTRAC submission
  • User authentication and account security
  • Processing billing and payment transactions
  • Customer support and technical assistance
  • Delivering software updates and Service improvements

Legal Compliance: We process personal information and your business information, including information about your use of the service, to comply with legal obligations, including:

  • Comply with legal and regulatory requests
  • Respond to lawful authority requests
  • Enforce our agreements and collect payments
  • Detect and prevent fraud, security, and technical issues
  • Comply with record retention requirements under applicable law

Legitimate Interests: We process personal information and your business information, including information about your use of the service, for legitimate business interests that do not override your privacy rights, including:

  • Developing and improving Service features
  • Analyzing usage and optimizing user experience
  • Training AI/ML models using anonymized data
  • Protecting Service security and preventing unauthorized access
  • Protecting rights, property, and safety
  • Operating our business and maintaining continuity
  • Evaluating business transactions
  • Analyzing transaction data for AML compliance
  • Storing transaction histories for compliance tools
  • Third-Party Data: You warrant lawful authority to provide customer data to us.

7. Data Storage and Security

Data Storage and Location:

We store data on Canadian servers where feasible. Service providers may be subject to the laws of the US or foreign jurisdictions per Section 13.

  • Primary Database (Supabase): Company data, user accounts, and reports are stored in a PostgreSQL database on Canadian servers (AWS ca-central-1). Supabase Inc. is a US company subject to US jurisdiction.
  • Application Hosting (Netlify): The web application is hosted on Netlify's infrastructure. Netlify Inc. is a US company subject to US jurisdiction.

Serverless Functions run in Canada (AWS ca-central-1) and may temporarily handle customer data. Edge Functions operate on Netlify's global network.

Netlify is subject to US jurisdiction despite using Canadian servers.

Netlify processes limited operational data (IP addresses, request metadata, error logs) for hosting and security services.

Netlify's global network may transiently process data outside Canada based on user location.

Security Limitations and Disclaimers:

While we implement reasonable security measures to protect personal information, you acknowledge and agree that:

No system is completely secure. We cannot guarantee absolute security of your information.

  • Transmission risks: Transmission of information is at your own risk outside our direct control.
  • User responsibilities: The security of your information also depends on you. You are responsible for maintaining the confidentiality of your login credentials, using strong passwords, enabling multi-factor authentication, and not sharing your account access with unauthorized persons.
  • Third-party risks: We cannot control third-party security practices.

Security Incident Response:

If we become aware of a security breach affecting your personal information, we will:

  • Conduct a prompt investigation to assess the nature and scope of the incident
  • Take reasonable steps to contain and remediate the incident
  • Notify you without undue delay in accordance with applicable law
  • Notify the Office of the Privacy Commissioner of Canada and/or affected individuals if required by PIPEDA or other applicable privacy legislation
  • Provide information about the incident, affected data, our response, and mitigation recommendations
  • Cooperate with you in any investigation or remediation efforts
  • Notification may be delayed if required by law enforcement or regulatory authorities.

Operational Logs and Retention:

  • Operational logs are retained for up to 12 months for security, troubleshooting, and compliance, then deleted or anonymized.

8. Sub-Processors

We engage third-party service providers ("sub-processors") to deliver, support, and improve the Service.

Jurisdiction and Data Location: Sub-processors use Canadian infrastructure where indicated but are subject to US jurisdiction.

Current Sub-Processors:

The Service currently uses the following sub-processors:

| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase (Supabase, Inc.) | Database hosting, authentication, and backend infrastructure | All company-specific data, user accounts, customer profiles, location data, draft reports, optional historical report references | Canada (AWS ca-central-1) - US jurisdiction |
| Netlify (Netlify, Inc.) | Web application hosting, serverless functions, content delivery network (CDN) | Operational data (IP addresses, request logs), temporarily processes report data during submission workflow | Canada (AWS ca-central-1); Global CDN - US jurisdiction |
| Amazon Web Services (AWS) | Cloud infrastructure (used by Supabase and potentially other providers) | Underlying infrastructure for data storage and processing | Canada (ca-central-1 region) - US company subject to US jurisdiction |
| Granola.ai (Granola Labs, Inc.) | AI-powered note-taking and call transcription | Call audio, transcripts, meeting summaries, participant names | United States |
| Google LLC (Google Analytics) | Website analytics, marketing attribution, and conversion tracking | IP addresses, cookies, browser information, page views, referral source (including ad clicks), user journey data | United States |
| OpenAI, L.L.C. | AI-powered suspicious transaction detection (aiSTR™) and compliance analysis | Transaction data, transaction patterns, risk indicators, and related metadata processed for suspicious activity detection | United States |

9. Data Retention

We retain personal information only as long as necessary for collection purposes, legal compliance, dispute resolution, and agreement enforcement.

Active Subscription Data:

  • Company-Specific Reference Data: Customer profiles, location information, transaction history, and other reference data are retained while your subscription is active or until you delete them. Transaction data enables AI-powered compliance features.
  • Draft Reports: Retained until submitted or deleted.
  • Historical Report References: Submitted reports retained until deletion or subscription termination. Not substitutes for your record-keeping obligations.
  • User Account Information: Retained while subscription and user account are active.
  • Billing and Payment Information: Retained as necessary for accounting, tax, and legal compliance.

Training Service Data:

Training service data (user codes, progress, exam results) may be deleted at any time without notice. You are responsible for exporting and maintaining training completion records.

Sandbox and Test Environments:

  • Accounts without paid subscriptions are sandbox/test environments for evaluation only, not for production use or long-term storage.

Sandbox accounts have no data persistence guarantee. Data may be purged at any time without notice. You must not use sandbox environments for production compliance or live customer data. Upgrade to a paid subscription for production use.

  • Testing Only: You must not use sandbox or test environments for production compliance reporting, storing live customer data, or any purpose requiring data persistence or reliability.

Terminated or Expired Subscriptions:

Upon termination or expiration of your subscription:

  • Data Deletion: Company-specific data may be deleted or anonymized within 30 days of termination.
  • Account Deactivation: User accounts are immediately deactivated. Account data may be deleted within 30 days.
  • No Data Recovery: Once deleted, data cannot be recovered. You are solely responsible for exporting and saving any data you require prior to termination. We recommend exporting all necessary data before canceling your subscription or allowing it to expire.
  • Exceptions: We may retain information where required by law (billing records, legal holds, anonymized data).
  • After the retention period, logs are automatically deleted or anonymized.

Anonymization:

  • Anonymized data is not considered personal information nor your business information and may be used indefinitely for business purposes without restriction.

Legal Holds and Exceptions:

We may retain information longer where:

  • Required or permitted by applicable law or regulation
  • Subject to a legal hold, litigation, government investigation, or regulatory inquiry
  • Necessary to establish, exercise, or defend legal claims
  • Required to comply with audit, accounting, or tax obligations
  • You have specifically requested retention (e.g., by not deleting optional historical report references)

Information will be retained only as long as necessary.

Your Retention Obligations:

You remain responsible for PCMLTFA and FINTRAC record-retention requirements. The Service does not substitute for your record-keeping system; you must maintain your own copies.

Requesting Deletion:

To delete data before termination, use the Service interface or contact support@complyplus.ca. Deletion may affect Service functionality and your regulatory compliance.

10. Your Responsibilities

By using the Service, you acknowledge and agree to the following responsibilities:

Data Controller Obligations:

  • Obtaining necessary consents and lawful bases to collect and share customer information for AML compliance.
  • Providing privacy notices to customers about data collection, use, and disclosure.
  • Data Accuracy: Ensure accuracy and completeness of information entered. We are not responsible for your data errors.
  • Ensuring lawful basis under applicable privacy legislation.
  • Individual Rights: You are responsible for responding to privacy rights requests from your customers.
  • Import sufficient transaction history for AI analysis.

Compliance Obligations: You are the reporting entity under PCMLTFA and must:

  • Determine reportable transactions
  • Ensure accurate and timely FINTRAC reports
  • Maintain an independent AML compliance program
  • Train personnel on AML obligations
  • Conduct ongoing monitoring and risk assessments
  • Meet PCMLTFA record-keeping requirements
  • Comply with all applicable laws and regulations
  • The Service assists your compliance but does not replace your obligations.

Record-Keeping: You must:

  • Export and maintain all required reports and documentation.
  • FINTRAC Reports: Maintain copies of all submitted reports and supporting records as required by law.
  • Prior to Termination: Export all required data before termination or expiration. Data is permanently deleted within 30 days.
  • Training Records: Export and maintain training certificates and records as required.

Security:

You are responsible for maintaining the security of your account and systems:

  • Credential Security: Safeguard login credentials, passwords, and API keys. Do not share with unauthorized persons.
  • Strong Passwords: Use strong, unique passwords.
  • Multi-Factor Authentication: Enable and maintain MFA on your account.
  • Authorized Users Only: Restrict access to authorized personnel and promptly remove access for terminated employees or contractors.
  • Device and Network Security: Ensure devices and networks are secure, updated, and malware-protected.
  • Suspicious Activity: Report unauthorized access or security concerns to support@complyplus.ca.
  • Logout Procedures: Log out on shared computers.

Verification and Review Obligations:

  • Verify AI Outputs: Independently verify all AI-generated outputs before use. AI systems may produce errors, false positives, or false negatives.
  • Review Reports: Review all reports for accuracy and completeness before FINTRAC submission. You are responsible for all content submitted under your FINTRAC reporting entity identifier.
  • Validate Data: Verify accuracy of data entered.

Usage Compliance:

  • Authorized Use Only: Use the Service lawfully and comply with our Terms.
  • Prohibited Activities: No illegal activities or rights violations.
  • Intellectual Property: Respect IP rights; do not misuse Comply+ materials.

Cooperation Obligations:

  • Incident Response: Cooperate with security and regulatory investigations.
  • Updates: Review and comply with policy changes.

Third-Party Services and Integrations:

  • FINTRAC: Maintain your FINTRAC reporting entity registration, API credentials, and compliance with FINTRAC requirements.
  • Third Parties: Manage provider relationships and comply with their terms.

Accuracy of Information Provided to Us:

  • Account Information: Provide accurate contact, billing, and account details. Maintain a valid email address.
  • Organization Information: Accurately represent your organization, binding authority, and authorized users.

11. Your Rights

Subject to applicable privacy laws, you have rights regarding your personal information.

11.1 Right to Access

You may request access to your personal information.

  • What personal information we have collected
  • How we have used and disclosed your personal information
  • To whom we have disclosed your personal information
  • The source (if not collected directly from you)

We will respond within 30 days.

We may charge reasonable fees with advance notice.

Self-Service Access: Users may access personal information through their account profile.

11.2 Exceptions to Access

Access may be limited where:

  • Legal privilege: Information protected by legal or litigation privilege
  • Prohibitive cost: Unreasonable cost or disproportionate effort
  • Third-party information: Would reveal others' personal or confidential commercial information
  • Dispute resolution: Part of formal proceedings or investigations
  • Legal prohibitions: Prohibited by law or court order
  • Security or proprietary information: Would compromise security, reveal confidential information, or threaten the Service
  • Frivolous requests: Request is frivolous, vexatious, or in bad faith

If we cannot provide access, we will notify you of the reasons (subject to legal or regulatory restrictions) and your right to challenge our decision.

11.3 Right to Correction

You have the right to request correction of inaccurate or incomplete personal information we hold about you.

How to Request Correction: Contact us at support@complyplus.ca with details of the inaccurate information and requested corrections.

11.4 Right to Withdraw Consent

You may withdraw consent for processing based on consent under certain circumstances.

Withdrawing Consent: Contact support@complyplus.ca or use the address in Section 17. Specify the consent and related personal information or processing activities.

Upon withdrawal:

  • We may not be able to provide the Service or features
  • Your subscription may need to be terminated
  • We may retain personal information where we have another legal basis (e.g., contractual obligations, legal requirements, or legal claims)

You cannot withdraw consent for:

  • Contract performance (e.g., Service provision)
  • Legal requirements (e.g., court orders)
  • Completed transactions/services
  • Previously relied upon (irreversible)

11.5 Right to Request Deletion

You may request deletion of personal information in certain circumstances.

Request Deletion: Contact support@complyplus.ca for specific or full deletion.

When We Will Delete: We will delete your personal information if:

  • The information is no longer necessary for its collection purposes
  • You have withdrawn consent and we have no other legal basis to retain it
  • You have successfully objected to processing
  • The information was unlawfully collected or processed
  • Deletion is required by applicable law

When We Cannot Delete: We may be unable to delete your personal information where retention is necessary for:

  • Legal obligations or court orders
  • Establishment, exercise, or defense of legal claims
  • Fulfilling our contractual obligations to you
  • Legitimate business purposes (e.g., fraud prevention)
  • Record retention requirements under applicable law
  • Account Deletion: Terminate your subscription to delete personal information. Data is deleted within 30 days (Section 9). You must export needed data first.

11.6 Accuracy of Information

We require accurate, current personal information and business information to provide the Service and contact you.

Update us if your information changes:

  • Contact information (email address, phone number, mailing address)
  • Organization details
  • Billing information
  • Authorized user lists
  • Update information through your account profile or contact support@complyplus.ca.

11.7 Identity Verification

We verify identity before responding to privacy requests.

We may request information to confirm identity and rights.

For third-party requests, we require authorization proof and may verify identity.

11.8 Response Timelines and Procedures

Initial Response: We will acknowledge receipt of your request within five (5) business days

We will respond within 30 days or as required by law

If we need more time (typically up to 30 additional days), we will notify you with the reason and new timeline

Most requests are free, except where they require significant resources or law permits a fee

11.9 Marketing Communications

Opt out by:

  • Clicking the "unsubscribe" link in marketing emails
  • Adjusting your communication preferences in your account profile
  • Contacting us at support@complyplus.ca with your opt-out request

Opting out will not affect:

  • Transactional or Service-related communications (e.g., account notifications, security alerts, system updates, billing notices)
  • Communications necessary to provide the Service
  • Communications required by law or your Subscription Agreement

Opt-outs are processed within 10 business days.

11.10 Challenging Our Compliance

If you have privacy concerns:

  • Step 1: Contact our Privacy Officer at support@complyplus.ca or the mailing address in Section 17. We will investigate and respond.
  • Step 2 - Escalation: If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada or your Provincial Privacy Commissioner (if applicable based on your location and the nature of the concern).
  • Step 3 - Legal Remedies: You may pursue legal remedies through the courts as applicable.

12. Disclosures of Your Information

We may disclose personal information or your business information, including information about your use of the service, in the following circumstances:

12.1 Disclosure to FINTRAC

We disclose information to FINTRAC when submitting reports on your behalf using your API credentials:

  • At your direction as the reporting entity
  • Using your FINTRAC reporting entity identifier and API key
  • In accordance with PCMLTFA obligations

You are solely responsible for reports submitted to FINTRAC.

12.2 Disclosure to Sub-Processors and Service Providers

We disclose personal information and your business information, including information about your use of the service, to service providers who support the Service, including:

  • Database hosting (Supabase)
  • Application hosting and serverless computing providers (Netlify)
  • Cloud infrastructure (AWS)
  • Analytics and session recording providers
  • Payment processors
  • Customer support and communication tools
  • Security and monitoring services

12.3 Aggregated or De-Identified Data

We may use and disclose aggregated, de-identified, or anonymized information without restriction.

Such disclosures may include:

  • To industry organizations or regulatory bodies for benchmarking or research purposes;
  • In whitepapers, case studies, or educational content about AML compliance trends (in aggregate form only);
  • To potential investors, partners, or acquirers for business development purposes; and
  • In academic or policy research about financial crime compliance.

Aggregated or anonymized data cannot reasonably identify you or your organization.

12.4 With Your Consent

We may disclose personal information or your business information, including information about your use of the service, for purposes disclosed at collection or with your express consent.

Withdraw consent at support@complyplus.ca, subject to legal/contractual restrictions.

12.5 Legal Compliance and Law Enforcement

We may disclose personal information or your business information, including information about your use of the service, as required/permitted by law:

  • To comply with court orders, laws, subpoenas, warrants, or government/regulatory requests.
  • To cooperate with privacy commissioners or regulatory authorities.
  • To comply with lawful requests for national security, public safety, or criminal enforcement.

We notify you of requests where legally permissible.

12.6 Enforcement of Agreements

We may disclose personal information or your business information, including information about your use of the service, to enforce our rights and agreements, including for billing, collections, investigating violations, enforcing IP rights, breach claims, and recovering amounts owed.

12.7 Protection of Rights and Safety

We may disclose personal information or your business information, including information about your use of the service, to:

  • Protect the rights, property, or safety of Comply+, our employees, our customers, or the public
  • Prevent or address fraud, security threats, or technical issues
  • Protect against legal liability or harm to our business operations
  • Detect, prevent, or respond to criminal activity, including money laundering or terrorist financing
  • Respond to emergencies involving danger of death or serious physical injury

This may include exchanging information with other entities for fraud protection and dispute resolution.

12.8 Business Transfers

We may disclose personal information or your business information, including information about your use of the service, to a buyer, investor, or successor in the event of:

  • A merger, acquisition, or consolidation
  • A sale of all or substantially all of Comply+'s assets or business
  • A restructuring or reorganization
  • Dissolution of the business
  • Bankruptcy, receivership, liquidation, or similar proceeding

Personal information and your business information, including information about your use of the service, may be transferred. The acquiring party will honor this Privacy Policy or provide notice and opt-out rights as required.

12.9 Professional Advisors

We may disclose personal information or your business information, including information about your use of the service, to our professional advisors.

Advisors are bound by confidentiality obligations.

12.10 Affiliated Companies

We may share personal information or your business information, including information about your use of the service, with affiliates for purposes in this Privacy Policy, subject to the same commitments.

12.11 Other Disclosures with Notice

We may disclose personal information or your business information, including information about your use of the service, where:

  • We provide you with notice at the time of collection
  • The disclosure is required or authorized by law
  • You have provided consent to the disclosure

Disclosure Principles

We limit disclosures to:

  • The minimum information necessary
  • Recipients who have a legitimate need for the information
  • Circumstances where appropriate safeguards are in place

We do not sell, rent, or trade your personal information or your business information, including information about your use of the service, to third parties for their marketing purposes.

13. International Transfers

13.1 Key Risk

Data is stored in Canada, but US service providers may be compelled to provide access under US law.

13.2 Your Obligations

You must inform your customers about foreign government access risks and assess whether this is acceptable for your use case.

Limited Protections: US legal processes may not provide the same privacy protections, procedural safeguards, or judicial oversight as Canadian law.

Disclosure Obligations: You must inform customers that their data may be accessible to foreign governments under applicable privacy laws.

Risk Assessment: You must assess whether using US-based service providers is acceptable given your data sensitivity, regulatory obligations, and customer expectations.

Client Responsibility: You are responsible for determining whether your use of the Service complies with applicable privacy laws, including requirements related to cross-border data transfers and foreign jurisdiction.

13.3 Safeguards and Limitations

We implement the following safeguards despite US jurisdiction risks:

  • Canadian Data Storage: We use Canadian servers (AWS ca-central-1) where feasible.
  • Contractual Protections: We require service providers to meet PIPEDA standards, implement safeguards, notify us of legal demands where permitted, challenge unlawful requests, and limit disclosure.
  • Encryption: All data is encrypted in transit and at rest, though this may not prevent lawful government access.
  • Transparency: This disclosure enables informed decisions about Service use and privacy compliance.
  • Limitations: These safeguards cannot prevent lawful US government access, which service providers must honor regardless of contractual requirements.

13.4 Consent to US and Foreign Jurisdiction

By using the Service, you acknowledge and consent to the following:

  • Service providers are subject to US or foreign jurisdiction despite Canadian storage
  • US or foreign authorities may access your data
  • We cannot prevent, challenge, or be notified of such access
  • Storage by US companies (even when physically in Canada) is subject to US laws and government access
  • Data transmission may occur through US-controlled infrastructure

If you do not consent, do not use the Service.

13.5 Your Customers' Information - Your Disclosure Obligations

Customer data is subject to US jurisdiction.

You are responsible for:

  • Informing customers their data will be stored by US-based providers and may be accessible to US authorities
  • Obtaining necessary consents and ensuring PIPEDA compliance

13.6 Other Foreign Jurisdictions

Certain sub-processors may process data outside Canada or the United States.

13.7 Changes to Data Locations or Jurisdictions

We may change data locations when modifying sub-processors or infrastructure, with material changes communicated per Section 15.

13.8 Limitations on Our Control and Liability

We cannot prevent lawful foreign government access to data held by our service providers but will use providers with strong privacy practices and challenge inappropriate requests where possible.

14. Data Breach Notification and Response

14.1 Data Breach Definition

A "data breach" means unauthorized access to or loss of personal information posing real risk of significant harm.

14.2 Investigation and Response

Upon becoming aware of a data breach, we will contain it, secure systems, and investigate to determine affected information, impacted individuals, and remediation steps.

14.3 Notification to You

If a data breach poses a real risk of significant harm to you or affected individuals, we will notify you without undue delay.

We will notify you by email to your primary contact.

Our notification will include: breach description, affected data types, remediation steps, and mitigation recommendations.

We will provide updates as we learn more.

14.4 Notification to Regulatory Authorities

If legally required, we will notify relevant privacy commissioners and regulatory authorities within applicable timelines.

FINTRAC Breaches: You are solely responsible for assessing and fulfilling any FINTRAC reporting obligations. Consult legal counsel.

14.5 Notification to Affected Individuals

If individuals are at risk, we will coordinate with you on notification approach and timing.

As data controller, you may have independent notification obligations.

We will provide breach details and assistance to support your notification obligations.

14.6 Delay or Restriction of Notification

We may delay notification if required by authorities or court order, or if notification would cause additional harm.

  • Authorities request a delay for investigation
  • Notification would impede a criminal investigation or threaten national security
  • Notification would cause additional harm
  • We are prohibited by court order from providing notification

We will notify you when legally permissible.

14.7 Cooperation and Your Obligations

Upon notification, you agree to:

  • Review the notification and assess your obligations
  • Take recommended steps to mitigate potential harm
  • Notify your customers if legally required or if you control the affected data
  • Cooperate with us in investigating and responding to the breach
  • Preserve any evidence of suspicious activity in your account
  • Not publicly disclose breach details without coordinating with us (except as legally required)

14.8 Your Reporting Obligations

If you discover a security incident involving the Service or your account, you must:

  • Immediately notify us at support@complyplus.ca
  • Provide incident details including what occurred, when discovered, and what data was affected
  • Cooperate with our investigation
  • Immediately secure your account (e.g., change passwords, revoke compromised access)

14.9 Security Limitations and Disclaimers

While we make reasonable efforts to notify you of breaches and respond to incidents, you acknowledge:

  • No Guarantee of Security: We cannot guarantee security or prevent all breaches. All systems involve risk.
  • Transmission Risks: Transmission is at your own risk. We are not responsible for interception outside our control.

Third-Party Breaches: We are not responsible for breaches affecting third-party systems, including:

  • FINTRAC's systems after reports are submitted
  • Your own systems, networks, or devices
  • Internet service providers or telecommunications networks
  • Sub-processors (except as provided in our contracts with them)

User Responsibilities: You are responsible for securing your credentials, devices, and networks. We are not liable for breaches from your security failures.

Limitations of Liability: Our liability for security breaches, unauthorized access, or disclosure of personal information or your business information is limited as set forth in our Terms of Service.

14.11 Contact for Security Issues

To report security issues:

  • Email: support@complyplus.ca (Subject: SECURITY INCIDENT)

15. Changes to This Policy

We may update this Privacy Policy per Section 17. Website-only changes are effective upon posting without separate notice. Service-related changes will be notified by:

(a) Website or in-Service notice;

(b) Email to your account;

(c) Displaying notice upon login; or

(d) Providing notice through other reasonable means.

Continued use after changes constitutes acceptance. If you disagree, discontinue use and terminate per Section 15.

You must maintain a current email address with us and periodically review this policy for changes.

16. Governing Law

This Privacy Policy is governed by Alberta and Canadian federal law. Disputes are subject to Terms of Service provisions.

17. Contact

For privacy complaints and inquiries, contact:

Privacy Officer:

  • support@complyplus.ca
  • 2733420 ALBERTA INC., #204, 10359 104 Street NW, Edmonton, AB T5J 1B9

Updated: February 12, 2026 (v2.0).

18. Survival

The following provisions survive termination of your use of the Service: Sections 4.6 (Permitted Uses of Transaction Data), 5 (Information Use, to the extent related to anonymized data), 8 (Sub-Processors), 9 (Data Retention), 10 (Your Responsibilities), 11.2 (Right to Correction), 11.3 (Right to Withdraw Consent), 11.5 (Right to Request Deletion), 12 (Disclosures of Your Information), 13 (International Transfers), 14.9 (Security Limitations and Disclaimers), 16 (Governing Law), and 17 (Contact).

This privacy policy was last updated on February 12, 2026 (Version 2.0)