Comply+ FINTRAC Reporting

1. Purpose

This Privacy Policy explains how Comply+ ("we," "our," "us") collects, uses, stores, and discloses personal information in connection with our compliance reporting software-as-a-service platform (the "Service"). We adhere to the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws.

2. Scope

This policy applies to:

Visitors to our website.
Authorized users of the Comply+ platform from our client organizations.
Customers of our clients whose personal information is entered into the Service for AML compliance purposes.

3. Information We Collect

3.1 Information You Provide

Account details: Name, email, login credentials, organization information (for authorized users).
Customer data (entered by clients): Personal identifiers and AML-relevant information, including but not limited to names, dates of birth, addresses, occupations, location identifiers, and transaction details.
FINTRAC reporting details: FINTRAC reporting ID, API key (encrypted), and related metadata.

3.2 Automatically Collected Information

IP addresses, browser type, and device identifiers when using our site or Service.
Logs related to login attempts, API calls, and system activity.
Analytics and Session Recording — We may use analytics and session recording tools (e.g., heatmaps, click tracking, or similar technologies) to understand how the Service is used and improve functionality. These tools may capture interactions with the Service, but we configure them to mask sensitive fields where possible.

4. Sensitive Data Handling

We process AML-related data that may include personal identifiers and transaction details for your customers.

Supabase stores company-specific reference data you enter (e.g., customers, locations), submitted report content for future reference, and draft report content before they are filed.
Report preparation occurs within the Comply+ application (front-end workflows and our server-side functions).
Submitted reports are transmitted directly to FINTRAC using your configured API credentials via our server-side integration.

5. How We Use Information

We use your information to:

Provide, operate, and maintain the Service.
Facilitate report preparation and submission to FINTRAC.
Authenticate authorized users and secure access to the platform.
Improve and troubleshoot the Service.
Comply with legal obligations.

6. Legal Basis for Processing

We process personal information:

With your consent.
As necessary to perform our contractual obligations (e.g., Subscription Agreement).
As required by law (e.g., cooperating with legal authorities where mandated).

7. Data Storage and Security

Hosting (data at rest): Company-specific reference data (customers, locations) and draft reports are stored in Supabase.
Frontend + serverless runtime: The web application and server-side functions run on Netlify, which may process limited operational data (e.g., IP addresses, logs).
Encryption: All network traffic uses HTTPS/TLS. FINTRAC API credentials are stored encrypted and scoped to the client's environment.
Access Controls: Role-based permissions and least-privilege access isolate each client's environment.
Log Retention: Operational logs (Netlify) are retained for up to 12 months for security and troubleshooting.

8. Sub-Processors

The Service uses third-party providers to deliver functionality, including:

Supabase
Netlify
Amazon Web Services (AWS)
Analytics Providers: We may use third-party analytics/session-recording tools to help us understand platform usage; we configure these to mask sensitive fields where possible.

We maintain a live list of sub-processors on our website and will notify clients prior to adding new sub-processors.

9. Data Retention

Active Clients: Company-specific data (customers, locations, transaction history, and draft reports) is retained while your subscription is active.
Terminated Clients: All company-specific data is deleted or anonymized within 30 days of account termination, except where retention is required by law.
Reports: We do not store submitted FINTRAC reports.

10. Your Responsibilities

You are the data controller for all customer and transaction data you enter into the Service. You are responsible for:

Obtaining any necessary consents from your customers.
Complying with all applicable privacy laws.
Meeting record-keeping requirements for FINTRAC filings.

11. Your Rights

Subject to applicable laws, you may:

Access personal information we hold about you.
Request corrections to your personal information.
Withdraw consent to processing (may affect your ability to use the Service).

To exercise these rights, contact support@complyplus.ca.

12. Disclosures

We may disclose information:

To FINTRAC when submitting reports on your behalf, using your provided API key.
To service providers who process data on our behalf (see Section 8).
As required by law or court order.
To protect our rights, property, or safety, or that of our users or the public.

13. International Data Transfers

If sub-processors or hosting providers store or process data outside Canada, we will ensure equivalent protections in line with PIPEDA.

14. Security Breach Notification

If we become aware of a breach involving your personal information, we will notify you and, if required, the Office of the Privacy Commissioner of Canada and affected individuals in accordance with PIPEDA.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notification. Continued use after the effective date constitutes acceptance.

16. Contact

For privacy-related questions or concerns:

support@complyplus.ca

2733420 ALBERTA INC.

#204, 10359 104 Street NW

Edmonton, AB T5J 1B9

Canada

Privacy Policy

Mailing Address: