RewardsX Privacy Policy

Updated On: 07-Oct-2024

This Privacy Policy (the “Policy”) governs the manner in which Credwise Financial Inc. (hereinafter referred to as "we," "us," "our," or "the Company") collects, uses, maintains, and discloses information collected from users (each, a "User" or “you”) of the RewardsX mobile application (the "App") and its associated services (collectively, the "Services"). By using the App, you consent to the terms and conditions of this Policy. If you do not agree with the terms herein, you are advised to discontinue use of the App immediately.

Information Collection and Use

Personal Information Collected

For the purposes of this Privacy Policy, “Personal Information” shall be defined as any information, data, or content relating to an identified or identifiable natural person (the “Data Subject”), including, without limitation, data that can be used to directly or indirectly identify, locate, or contact an individual. Credwise Financial Inc. (hereinafter referred to as “the Company”) collects Personal Information from Users of the RewardsX application (hereinafter referred to as “the App”) in the following categories, each of which is lawfully processed based on the legal grounds established by applicable data protection regulations, including but not limited to the General Data Protection Regulation (GDPR) and relevant domestic privacy laws:

Identity and Contact Information: This includes data such as, but not limited to, the User’s full legal name, email address, and telephone number. This information is collected to facilitate the provision of the Services and to enable communication between the Company and the User for purposes including but not limited to notifications, updates, and customer support.

Financial Information: The Company may collect credit card information, transaction history, card types, and other financial data necessary for tracking User rewards, points, cashback, and other financial benefits derived from the User’s interactions with the App. All such financial information is processed in strict accordance with the Payment Card Industry Data Security Standard (PCI DSS) and is encrypted both in transit and at rest. The Company does not store credit card details for transactional purposes and will never use such data for unauthorized purposes.

Geolocation Data: Subject to the User’s explicit consent, the Company may collect real-time geolocation data, which is processed to enable location-based services and personalized offers. This includes, but is not limited to, the User’s precise location when using the App for the purpose of offering nearby merchant recommendations, special rewards, and other location-sensitive features. Users may withdraw consent for the collection of geolocation data at any time by disabling location services in their device settings.

Device and Technical Data: The Company automatically collects information about the User’s device, including but not limited to the Internet Protocol (IP) address, device type, operating system, browser type, mobile network information, unique device identifiers, and similar data. Such information is collected for security purposes, performance monitoring, and to ensure the functionality of the App across different platforms and devices. The collection of device information is necessary for the legitimate interest of safeguarding the App and its Services against fraud, unauthorized access, and other forms of abuse.

Usage Data and Analytics: The Company collects data related to the User’s interactions with the App, including but not limited to feature usage, session activity, clickstream data, crash logs, and diagnostic data. This data is collected and processed for the purpose of understanding User preferences, improving the App’s functionalities, performing troubleshooting activities, and optimizing User experience. In cases where this data is non-identifiable and aggregated, it shall not be considered Personal Information under this Policy.

Voluntary Information: In addition to the foregoing, the Company may collect any other information voluntarily provided by the User during the use of the App or in interactions with the Company, including but not limited to feedback, inquiries, or responses to surveys. Any such voluntary data will be processed in accordance with the specific purposes for which it was provided and in line with the User’s explicit consent, where required.

Non-Personal Information Collected

In addition to Personal Information, the Company may collect and process data that does not identify or directly relate to an individual, which shall be referred to as "Non-Personal Information." Non-Personal Information may include, but is not limited to, aggregated usage statistics, anonymized transaction data, general geolocation data (such as the User’s city or region), and other technical information that cannot be used to identify the User directly or indirectly. This information is collected for the purpose of enhancing the App’s functionality, conducting research and analytics, and improving the Company’s Services.

To the extent that any Non-Personal Information is combined with Personal Information, such data will be treated as Personal Information for the purposes of this Policy and will be subject to the same protections and safeguards.

Methods of Data Collection

The Company collects Personal Information and Non-Personal Information from Users through various lawful methods, including but not limited to:

Direct Interaction: Information voluntarily provided by the User during the registration process, through the User’s account settings, or through communications with the Company, including email, surveys, and feedback forms.

Automated Technologies: Information automatically collected through the App’s operation, such as device data, IP addresses, cookies, and other tracking technologies. The Company employs cookies and similar tracking technologies to enhance User experience, for authentication purposes, and for the purpose of offering personalized services. Users may control the use of cookies through their device settings; however, disabling certain cookies may impact the App’s functionality.

Third-Party Data Collection: The Company may receive Personal Information from third-party service providers, including but not limited to data analytics providers, advertising partners, and customer support vendors. Such third parties are contractually bound to process the data solely for the purposes designated by the Company and are prohibited from using such data for any other unauthorized purposes.

Legal Grounds for Data Processing

The Company processes Personal Information pursuant to one or more of the following lawful bases, as permitted under applicable law:

Performance of a Contract: Processing is necessary for the performance of a contract to which the User is a party or in order to take steps at the User’s request prior to entering into such a contract. This includes providing the Services offered by the App, including rewards tracking, personalized recommendations, and transaction management.

Consent: In circumstances where the User has provided explicit consent to the processing of their Personal Information for a specific purpose, such as marketing communications, geolocation tracking, or voluntary surveys, the Company will process such data in accordance with the scope of the User’s consent. Users may withdraw consent at any time, and such withdrawal shall not affect the lawfulness of processing based on consent prior to withdrawal.

Legal Obligation: Processing is necessary to comply with legal obligations to which the Company is subject, including but not limited to data retention requirements, responding to lawful requests by public authorities, or fulfilling obligations related to fraud prevention and financial reporting.

Legitimate Interests: Processing is necessary for the purposes of legitimate interests pursued by the Company or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the User. Legitimate interests include, but are not limited to, ensuring the security and integrity of the App, optimizing User experience, conducting internal analytics, and protecting against fraudulent or malicious activity.

The Company undertakes to process all Personal Information in accordance with applicable data protection laws, including but not limited to the GDPR, the California Consumer Privacy Act (CCPA), and the Personal Information Protection and Electronic Documents Act (PIPEDA).

Purpose of Data Collection and Processing

Provision of Services

The Company processes Personal Information to deliver and manage the core functionalities of the App. Specifically, the purposes include:

Rewards Tracking and Management: Personal Information, including but not limited to credit card details and transaction history, is processed to track the User’s rewards, points, cashback, and other financial benefits associated with their credit card usage. The processing of this data is critical to fulfilling the contractual obligations between the User and the Company under the App's terms of service. This processing occurs in Canada, with data stored and processed in secure data centers compliant with Canadian privacy laws.

Personalized Recommendations: The Company processes transactional data, geolocation data (subject to User consent), and other User-specific information to provide personalized credit card usage recommendations. These recommendations are designed to enhance the User’s ability to maximize rewards based on their purchasing behavior and geographical location. This processing is necessary to improve the User experience and is based on the Company’s legitimate interest in optimizing service offerings.

Account Management and Support: The Company processes identity and contact information to create and maintain User accounts, authenticate access, and enable Users to interact with the App’s features. Additionally, we process Personal Information to respond to User inquiries, resolve technical issues, and provide customer support in accordance with our legal obligations and service terms. This processing is essential to fulfilling the contractual relationship with the User.

Performance Optimization and Analytics

The Company processes Personal Information and Non-Personal Information for the purposes of optimizing the App’s performance, conducting internal analysis, and improving the overall User experience. This includes:

App Performance Monitoring: The Company collects and processes usage data, device information, and session activity for the purpose of monitoring and enhancing the App’s performance. This may include collecting data such as crash reports, error logs, and device diagnostics to resolve technical issues and improve the functionality of the App. This processing is carried out in Canada and is necessary to ensure the integrity of the Services provided by the Company.

Feature Improvement and Development: Usage patterns and aggregated data may be analyzed to develop new features or improve existing ones. Such data will be anonymized or pseudonymized where applicable to ensure that individual Users cannot be identified. This processing is conducted in accordance with the Company’s legitimate interests in continuously improving its products and services while adhering to Canadian privacy requirements.

Data Analytics and Reporting: The Company may conduct internal reporting and analytics using aggregated data to assess service performance and trends. Data analytics will be performed in compliance with Canadian data protection laws, ensuring that any Personal Information is either anonymized or processed in a way that protects the identity and privacy of Users.

Marketing and Communications

The Company may process Personal Information for the purposes of marketing and communications, subject to the consent requirements under Canada’s Anti-Spam Legislation (CASL) and other applicable Canadian laws. This may include the following:

Promotional Communications: With the User’s explicit consent, the Company may use Personal Information, such as email addresses or phone numbers, to send promotional content, special offers, newsletters, or other marketing materials. The Company complies with CASL and provides Users with the ability to opt out of such communications at any time, either by using the "unsubscribe" feature or contacting the Company directly.

Push Notifications: With the User’s consent, the Company may process geolocation data and device information to send push notifications related to personalized offers, rewards, or nearby merchants. Users can withdraw consent or disable these notifications at any time through their device settings.

Surveys and Feedback Requests: The Company may use Personal Information to invite Users to participate in surveys or provide feedback about the App’s features and services. Any information collected through these surveys is used for internal research and development purposes and is processed with the User’s consent.

Compliance with Legal and Regulatory Obligations

The Company processes Personal Information where such processing is necessary to comply with the legal obligations imposed by Canadian federal and provincial law, including but not limited to PIPEDA, PIPA, and other applicable regulations. This includes:

Regulatory Compliance: The Company may be required to process and retain Personal Information to comply with statutory obligations, such as tax reporting, record-keeping, and other legal compliance requirements under Canadian law. Personal Information processed for these purposes will only be retained for the legally prescribed retention periods.

Law Enforcement and Legal Requests: The Company may disclose Personal Information to regulatory bodies, law enforcement agencies, or other governmental authorities when required to do so by law, such as in response to a subpoena, court order, or other legal process. In such cases, the Company will comply with all applicable legal requirements and take steps to ensure that only the minimum amount of data necessary is disclosed.

Fraud Prevention and Security: The Company may process Personal Information to detect and prevent fraudulent activities, unauthorized access, and other illegal actions. This includes the use of security monitoring systems and internal controls designed to safeguard the App against malicious activity. Processing for this purpose is necessary to protect both the Company’s legitimate interests and the rights and safety of its Users.

Legitimate Business Interests

The Company processes Personal Information for purposes related to its legitimate business interests, in compliance with Canadian law, provided that such interests do not override the fundamental rights and freedoms of Users. These legitimate interests include:

Internal Business Operations: The Company may process Personal Information for administrative purposes, including but not limited to financial record-keeping, internal audits, and corporate governance, all of which are essential to the Company’s business operations. This processing is conducted in accordance with Canadian corporate and financial regulations.

Business Transactions: In the event of a potential or actual merger, acquisition, restructuring, or sale of the Company’s assets, Personal Information may be transferred as part of the business transaction. Such transfers will comply with all applicable Canadian data protection laws, and Users will be notified in the event of any significant changes to the ownership or use of their Personal Information.

Data Retention and Minimization

The Company will retain Personal Information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by Canadian law. Where Personal Information is no longer needed for the original purpose for which it was collected, or where its retention is no longer necessary for compliance with legal obligations, the Company will securely delete, anonymize, or pseudonymize such data in accordance with industry standards and Canadian data protection laws, including PIPEDA and PIPA.

Sharing and Disclosure of Information

Disclosure to Service Providers

The Company may engage third-party service providers, consultants, and contractors to assist in the provision of the App and associated services (collectively, "Service Providers"). These Service Providers may have access to Personal Information only to the extent necessary to perform specific tasks on behalf of the Company, such as data hosting, payment processing, customer support, or analytics services. All Service Providers are contractually obligated to protect the confidentiality and security of any Personal Information they receive and to comply with all applicable Canadian privacy laws, including PIPEDA and PIPA.

Data Hosting and Storage: Personal Information may be stored on third-party servers located in Canada or other jurisdictions where such data hosting providers operate, subject to compliance with applicable Canadian data protection laws. In the event that Personal Information is transferred outside of Canada, the Company will ensure that appropriate safeguards are in place to provide a level of protection equivalent to that provided under Canadian privacy laws, including but not limited to contractual agreements and adherence to recognized privacy frameworks.

Payment Processing: If the User links credit card data or engages in transactions through the App, Personal Information may be disclosed to third-party payment processors for the purposes of reward tracking or other financial functions. Such disclosures are made in compliance with PCI DSS (Payment Card Industry Data Security Standard) and applicable Canadian financial privacy laws, and only as necessary for the performance of the contractual obligations between the User and the Company.

Legal and Regulatory Disclosures

The Company may disclose Personal Information to governmental authorities, regulators, law enforcement agencies, or other third parties if required to do so by applicable Canadian law, or in the event that such disclosure is necessary to comply with legal obligations or to protect the Company’s rights, property, or safety, as well as the rights, property, or safety of others. Such disclosures include, but are not limited to:

Compliance with Legal Requirements: The Company may disclose Personal Information in response to a valid legal request, including but not limited to subpoenas, court orders, or regulatory demands issued by Canadian governmental bodies, courts, or enforcement agencies. Such disclosures will be made only to the extent necessary to comply with applicable laws and regulations.

Fraud Detection and Prevention: The Company may disclose Personal Information to third-party fraud prevention services, law enforcement agencies, or other organizations engaged in the prevention, investigation, or prosecution of fraudulent or illegal activities. This disclosure is made in accordance with the Company’s legitimate interest in protecting itself and its Users from fraud, unauthorized access, or other harmful activities, and in compliance with Canadian laws governing fraud prevention and cybersecurity.

Enforcement of Rights: The Company reserves the right to disclose Personal Information where necessary to enforce or apply the terms and conditions of the App, including but not limited to enforcing contracts or agreements with Users, or to protect the Company’s rights, property, or security. This includes cooperating with legal authorities in the investigation of any violations of laws or third-party rights.

Business Transactions

In the event that the Company undergoes a business transition, such as a merger, acquisition, reorganization, or sale of all or part of its assets, Personal Information may be transferred as part of the transaction. Such transfers will be conducted in accordance with applicable Canadian laws, including PIPEDA and PIPA, and will be subject to the following provisions:

Due Diligence and Confidentiality: During any potential business transaction, the Company may disclose Personal Information to prospective buyers or other parties involved in the transaction for the purpose of due diligence. All such parties will be required to enter into confidentiality agreements to protect the privacy of Personal Information disclosed during the transaction.

Post-Transaction Safeguards: In the event that Personal Information is transferred to a successor entity following the completion of a merger, acquisition, or asset sale, the Company will ensure that the successor entity is bound by this Privacy Policy and complies with all applicable Canadian data protection laws, including but not limited to PIPEDA and PIPA. Users will be notified of any changes to the ownership or use of their Personal Information as a result of such a transaction, and will have the opportunity to exercise their rights with respect to their data.

Consent-Based Disclosures

The Company may disclose Personal Information to third parties in cases where the User has explicitly consented to such disclosure. This includes, but is not limited to, situations where the User voluntarily provides Personal Information to third-party partners or affiliates of the Company in connection with specific services, offers, or promotions. In such cases, the scope and purpose of the disclosure will be clearly communicated to the User at the time consent is obtained, in compliance with PIPEDA, CASL (Canada's Anti-Spam Legislation), and other applicable Canadian laws.

Users may withdraw their consent for such disclosures at any time, subject to reasonable notice, by contacting the Company at the details provided in this Privacy Policy. However, withdrawing consent may affect the User’s ability to access certain features of the App or to participate in specific promotions.

International Transfers of Data

Where Personal Information is transferred outside of Canada to jurisdictions that may not have data protection laws equivalent to those in Canada, the Company will ensure that appropriate safeguards are in place to protect the privacy and security of the data in compliance with PIPEDA, PIPA, and other applicable Canadian laws. Such safeguards may include contractual agreements with third-party service providers, the use of recognized privacy frameworks, or other mechanisms designed to ensure that the level of protection provided is equivalent to that required by Canadian privacy standards.

Adequacy Decisions and Contractual Clauses: The Company will only transfer Personal Information to foreign jurisdictions where there is an adequacy decision from the relevant Canadian regulatory authorities or where such transfers are governed by legally binding agreements that ensure the data is protected to a standard comparable to Canadian privacy law.

Aggregated or De-Identified Data

The Company may share aggregated, anonymized, or de-identified data with third parties for the purposes of conducting analytics, improving the App, or developing new products and services. Such data will not include any Personal Information and will be processed in a manner that ensures the anonymity of the individuals to whom the data originally related. This processing is conducted in compliance with PIPEDA and other applicable Canadian privacy laws, ensuring that User privacy is fully protected.

Data Security and Protection

Security Measures

The Company employs a variety of industry-standard security measures to protect Personal Information from unauthorized access, disclosure, alteration, or destruction. These measures include, but are not limited to:

Encryption: All Personal Information, including sensitive financial data such as credit card details, is encrypted both in transit and at rest using strong encryption protocols. This ensures that data transmitted between the User’s device and the Company’s servers is protected from interception or unauthorized access by third parties. Encryption standards comply with Canadian privacy and financial regulations, including PCI DSS (Payment Card Industry Data Security Standard), ensuring that all credit card information is processed securely.

Access Control: Access to Personal Information is restricted to authorized personnel who require such access to perform their job functions. The Company uses role-based access controls (RBAC) to ensure that only those employees, contractors, or Service Providers who need to process Personal Information for legitimate business purposes have access to such data. These access controls comply with PIPEDA and PIPA to ensure that privacy principles of accountability and limiting collection are adhered to.

Data Anonymization and Pseudonymization: Where feasible, Personal Information is anonymized or pseudonymized to minimize the risk of identifying individuals. Anonymized data is stripped of identifiers that could link it back to individual Users, and pseudonymization techniques ensure that even if data is compromised, it cannot be used to directly identify a specific person without additional information.

Firewalls and Intrusion Detection Systems: The Company employs advanced firewalls, intrusion detection, and intrusion prevention systems (IDS/IPS) to monitor network traffic and detect any potential threats or unauthorized access attempts. These security measures are regularly updated to address evolving security risks and comply with Canadian and international cybersecurity standards.

Regular Security Audits: The Company conducts regular internal and external security audits to ensure that its data security policies and systems are up to date and compliant with applicable regulations. These audits include vulnerability assessments and penetration testing to identify and mitigate potential security risks. The results of these audits are used to enhance the Company’s security posture and ensure compliance with Canadian data protection laws.

Data Breach Notification

In the event of a data breach or security incident involving Personal Information, the Company will comply with all applicable Canadian breach notification laws, including PIPEDA and PIPA. If the Company becomes aware of an unauthorized access, use, or disclosure of Personal Information that poses a real risk of significant harm to affected individuals, it will take the following steps:

Containment and Remediation: The Company will immediately take steps to contain the breach, investigate its cause, and implement measures to prevent further unauthorized access or damage. The Company will also engage with external cybersecurity experts, if necessary, to assist in the remediation process.

Breach Notification: The Company will notify the Office of the Privacy Commissioner of Canada (OPC) and the Alberta Information and Privacy Commissioner (AIPC), as required by law, without undue delay and, where feasible, within the legally prescribed timeframes. The notification will include details of the breach, the nature of the compromised data, the steps taken to mitigate harm, and the actions proposed to prevent future breaches.

User Notification: Where a breach is likely to result in a real risk of significant harm, the Company will notify affected individuals as soon as practicable. This notification will include a description of the breach, the type of information affected, the potential risks to the individual, and the steps they can take to mitigate harm. Users will also be informed of any remedies the Company offers to reduce the potential impact of the breach.

Data Retention and Destruction

The Company will retain Personal Information only for as long as necessary to fulfill the purposes for which it was collected, or as required by Canadian law. Once Personal Information is no longer necessary for the purposes outlined in this Privacy Policy, or where the User has requested its deletion, the Company will take the following steps to ensure secure destruction of the data:

Retention Periods: The Company will retain Personal Information in compliance with applicable retention periods prescribed by Canadian federal and provincial laws. For example, financial records may be retained to comply with tax and regulatory obligations, and such records will be securely stored for the required retention period. After this period, the data will be securely destroyed.

Secure Destruction Methods: Personal Information that is no longer required will be securely deleted or destroyed using methods that are appropriate for the sensitivity of the information. This includes, but is not limited to, secure erasure of electronic records and shredding of physical documents. The Company’s data destruction practices comply with PIPEDA, PIPA, and any other applicable regulations related to the secure disposal of personal data.

International Data Transfers

Where Personal Information is transferred to jurisdictions outside of Canada, the Company will ensure that appropriate safeguards are in place to protect the security and privacy of such data, in compliance with PIPEDA, PIPA, and other applicable laws. These safeguards may include:

Adequacy Decisions: Personal Information may only be transferred to foreign jurisdictions that have been deemed to provide an adequate level of data protection by the relevant Canadian regulatory authorities, including the Office of the Privacy Commissioner of Canada (OPC).

Standard Contractual Clauses: In cases where data is transferred to countries without adequacy decisions, the Company will use legally binding contractual clauses or other mechanisms approved by the OPC to ensure that Personal Information is protected to a standard comparable to Canadian privacy laws.

Third-Party Service Providers: Where Personal Information is transferred to a third-party Service Provider outside of Canada, the Company will ensure that the Service Provider is contractually obligated to implement and maintain appropriate security measures to protect the Personal Information in accordance with Canadian privacy laws.

User Responsibilities

While the Company employs robust security measures to protect Personal Information, Users are responsible for maintaining the security of their devices and credentials used to access the App. Users are advised to follow best practices for safeguarding their accounts, including:

Using strong, unique passwords for their App account.

Regularly updating passwords and avoiding reuse of passwords across different services.

Enabling multi-factor authentication (where available) to enhance account security.

Not sharing account credentials with third parties or unauthorized persons.

Users are responsible for promptly notifying the Company if they suspect any unauthorized access or compromise of their account information.

Third-Party Security

The Company is not responsible for the security practices of third parties, including external websites, applications, or services that may be linked to or integrated with the App. Users are encouraged to review the privacy and security policies of any third-party services before providing them with Personal Information. Where a third-party service is engaged by the Company to assist in providing the App’s services, the Company will ensure that the third-party service provider adheres to the security and privacy standards required by Canadian law.

Data Retention and Processing of Financial Information

Processing of Financial Information

In the course of providing rewards tracking, recommendations, and related services through the App, the Company may collect and process the following types of financial information from Users:

Credit Card Details: The Company collects information such as the credit card number, expiration date, card type (e.g., Visa, Mastercard, American Express), and the User’s transaction history. This information is used solely for the purposes of tracking and managing rewards, calculating cashback, and providing Users with personalized recommendations for credit card usage.

Transaction Data: The Company may process information about the User’s purchases and transactions, including the amount spent, the merchant involved, and the category of the purchase (e.g., dining, travel). This information is processed to optimize the User’s ability to maximize credit card rewards, such as points, cashback, or travel miles.

Security of Financial Information

The Company is in the process of obtaining PCI DSS compliance to ensure that all credit card data is handled in accordance with industry standards for security and privacy. Until such certification is obtained, the Company has implemented strict interim security measures to protect financial data, including:

Encryption of Financial Data: All financial information, including credit card numbers and transaction data, is encrypted during transmission and at rest using industry-standard encryption protocols. This ensures that credit card details are protected from unauthorized access while being processed and stored by the Company.

Limited Access to Financial Data: Access to financial information is strictly limited to authorized personnel who require such access to perform their duties. The Company has implemented role-based access controls (RBAC) to ensure that financial data is only accessed by individuals who are responsible for processing it for legitimate business purposes, in compliance with PIPEDA and PIPA.

Tokenization (Pending PCI DSS Certification): The Company is in the process of implementing tokenization as part of its journey toward PCI DSS certification. Tokenization will replace sensitive financial data, such as credit card numbers, with a unique identifier or "token" that cannot be used outside of the RewardsX environment, thereby reducing the risk of unauthorized access.

Until PCI DSS certification is finalized, Users should be aware that while the Company is taking all necessary steps to safeguard their financial information, full compliance with PCI DSS has not yet been achieved. The Company will notify Users upon completion of the certification process and provide updated information on how financial data is processed and protected.

Data Retention of Financial Information

The Company retains financial information, including credit card data and transaction histories, only for as long as is necessary to fulfill the purposes for which it was collected, or as required by Canadian law. Financial information will be securely deleted or anonymized once it is no longer needed for its original purpose or to comply with legal or regulatory obligations.

Retention for Legal and Regulatory Purposes: In some cases, the Company may be required to retain financial information to comply with legal and regulatory requirements under Canadian law, such as for auditing, tax reporting, or fraud prevention. Such information will be securely stored for the duration of the legally required retention period and will be deleted or anonymized once this period has elapsed.

Deletion of Financial Information: Upon the User’s request, the Company will delete financial information, such as credit card data, unless the retention of such information is required by law. The User may exercise their right to request deletion by contacting the Company at the details provided in this Privacy Policy. The Company will take all reasonable steps to ensure that financial data is securely erased in compliance with PIPEDA, PIPA, and applicable Canadian financial privacy laws.

User Consent and Control Over Financial Data

The Company processes financial information based on the User’s explicit consent, which is obtained when the User links a credit card to their RewardsX account. By linking a credit card or using the App to track transactions, the User agrees to the collection and processing of their financial information in accordance with the terms of this Privacy Policy. Users have the following rights with respect to their financial data:

Withdrawal of Consent: Users may withdraw their consent for the processing of financial information at any time by unlinking their credit card from their account or by contacting the Company directly. Upon withdrawal of consent, the Company will cease processing the User’s financial information, and such data will be securely deleted, unless retention is required by law.

Access and Correction: Users have the right to access and correct any financial information held by the Company. Users may review their credit card details, transaction history, or any other financial data by logging into their account or by submitting a request to the Company. The Company will comply with such requests in accordance with the requirements of PIPEDA and PIPA.

Fraud Prevention and Risk Management

As part of its commitment to protecting financial data, the Company implements fraud detection and prevention measures to safeguard against unauthorized access, identity theft, and other malicious activities. These measures include:

Monitoring and Auditing: The Company monitors transactions for any unusual or suspicious activity and may audit financial data to detect and prevent fraud. In the event of suspicious activity, the Company may suspend access to financial information or accounts until the issue is resolved. The Company complies with Canadian laws governing fraud prevention and reporting.

Cooperation with Law Enforcement: In cases where financial information is compromised or used in connection with fraudulent or illegal activities, the Company may disclose such data to law enforcement agencies, as required by Canadian law. Such disclosures are made in compliance with PIPEDA, PIPA, and other applicable regulations, ensuring that the User’s privacy rights are respected while cooperating with lawful investigations.

Third-Party Service Providers and Financial Data

The Company may engage third-party service providers to assist in the processing of financial information, including payment processors, fraud prevention services, and data hosting providers. The Company ensures that these third parties are contractually obligated to comply with Canadian privacy laws and to implement appropriate safeguards to protect financial data.

Payment Processors: Where financial data is processed by third-party payment processors, such providers are required to comply with PCI DSS standards and to use encryption and other security measures to protect financial information. The Company works only with reputable payment processors that have obtained PCI DSS certification.

Third-Party Transfers of Financial Data: The Company does not sell or rent financial data to third parties. Any transfers of financial information to third-party service providers are conducted in accordance with this Privacy Policy and only for legitimate business purposes, such as rewards tracking or fraud prevention.

User Rights and Control Over Personal Information

Right to Access

Users have the right to access the Personal Information that the Company collects and holds about them. Upon request, the Company will provide Users with a comprehensive summary of the Personal Information processed, the purposes for processing, and any third parties with whom such information has been shared.

How to Access Personal Information: Users may request access to their Personal Information by contacting the Company through the contact details provided at the end of this Privacy Policy. The Company will respond to access requests in accordance with the timeframes stipulated by PIPEDA and PIPA, which generally require responses within 30 days. In some cases, additional time may be required, and the Company will notify the User if an extension is necessary.

Exceptions to Access Rights: In certain circumstances, the Company may be unable to provide access to specific information. Such circumstances may include cases where access would violate the privacy rights of other individuals, where the information is subject to solicitor-client privilege, or where the information cannot be disclosed for legal or security reasons. In these cases, the Company will provide the User with an explanation of why the information cannot be disclosed.

Right to Rectification

Users have the right to request the correction or updating of any inaccurate or incomplete Personal Information held by the Company. The Company takes reasonable steps to ensure that all Personal Information is accurate, complete, and up to date; however, Users are encouraged to notify the Company of any changes or inaccuracies.

How to Request Corrections: Users may submit a request to correct their Personal Information by contacting the Company directly. The Company will review the request and, if applicable, update the information in its systems. Where a correction cannot be made, the Company will inform the User of the reasons for this decision and will append a note to the file indicating that a correction was requested but not made.

Right to Withdraw Consent

Where the Company processes Personal Information based on the User’s consent, the User has the right to withdraw that consent at any time. This includes withdrawing consent for the collection, use, or disclosure of Personal Information for specific purposes, such as marketing communications or geolocation tracking.

How to Withdraw Consent: Users may withdraw their consent by adjusting their preferences within the App settings or by contacting the Company directly. Upon receipt of a withdrawal request, the Company will cease processing the User’s Personal Information for the purposes covered by the withdrawal, unless such processing is required by law. Users should be aware that withdrawing consent may impact their ability to use certain features of the App.

Impact of Consent Withdrawal: Withdrawing consent will not affect the lawfulness of any processing conducted prior to the withdrawal. The Company will provide clear information about any consequences of withdrawing consent, including how it may affect access to rewards tracking or other App services.

Right to Deletion

Users have the right to request the deletion of their Personal Information in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected, or where the User has withdrawn consent and there is no other legal basis for processing.

How to Request Deletion: Users may request the deletion of their Personal Information by submitting a written request to the Company. The Company will review the request and, if there are no legal or regulatory reasons preventing deletion, will take reasonable steps to securely delete or anonymize the data. The Company will notify the User once the deletion process has been completed.

Exceptions to Deletion: There may be circumstances where the Company is legally required to retain Personal Information, such as for tax, audit, or compliance purposes. In such cases, the Company will securely retain the necessary information and will notify the User of the reason for the retention. After the legally required retention period, the data will be deleted in accordance with the Company’s data retention and destruction policies.

Right to Object and Restrict Processing

Users have the right to object to the processing of their Personal Information, particularly where such processing is based on the Company’s legitimate interests. Users may also request the restriction of processing in certain circumstances, such as when the accuracy of the data is contested or when the User has objected to processing but the Company is determining whether its legitimate grounds override the User’s objection.

How to Object or Restrict Processing: Users may exercise their right to object or request restrictions by contacting the Company directly. The Company will assess the objection or restriction request and will either cease or limit processing, where appropriate, in accordance with PIPEDA, PIPA, and other applicable Canadian laws.

Right to Data Portability

Where the processing of Personal Information is based on the User’s consent or carried out by automated means, the User has the right to receive a copy of their Personal Information in a structured, commonly used, and machine-readable format. The User may also request that the Company transmit the data directly to another service provider, where technically feasible.

How to Request Data Portability: Users may submit a request for data portability by contacting the Company directly. The Company will respond to the request within the timeframes required by Canadian law and will provide the requested data in a secure format.

Automated Decision-Making and Profiling

The Company may use automated decision-making processes, including profiling, to provide certain services, such as personalized credit card recommendations or rewards optimization. However, the Company ensures that such processes do not have legal or similarly significant effects on Users without their explicit consent or another legal basis recognized by PIPEDA and PIPA.

How to Object to Automated Decision-Making: Users may object to decisions based solely on automated processing by contacting the Company. The Company will ensure that Users are provided with the opportunity to request human intervention in any decision-making process that significantly affects them and will provide information on the logic involved in the decision-making process.

Right to File a Complaint

Users who believe that their privacy rights have been violated, or who are dissatisfied with the Company’s handling of their Personal Information, have the right to file a complaint with the relevant regulatory authority. In Canada, this includes filing a complaint with the Office of the Privacy Commissioner of Canada (OPC) or the Alberta Information and Privacy Commissioner (AIPC).

How to File a Complaint: Users may file a complaint by contacting the Company directly to attempt to resolve the issue. If the User is not satisfied with the Company’s response, they may escalate the matter to the relevant privacy authority in Canada. The Company will cooperate with any investigation conducted by the regulatory authorities and will take corrective action as required by law.

Use of Third-Party Service Providers and International Data Transfers

Engagement of Third-Party Service Providers

The Company may engage third-party vendors and service providers to perform various functions in connection with the operation of the App, including but not limited to:

Data Hosting and Storage: The Company may use third-party data hosting providers to store and manage Personal Information collected through the App. Such providers may host servers in Canada or in other jurisdictions, subject to the requirements of PIPEDA, PIPA, and other applicable Canadian laws.

Payment Processing: The Company may use third-party payment processors to handle financial transactions, including rewards tracking and credit card-related functions. All payment processors engaged by the Company are required to comply with PCI DSS (Payment Card Industry Data Security Standard) and applicable Canadian financial privacy regulations. The Company will ensure that any Personal Information shared with these payment processors is limited to the extent necessary to complete the relevant transaction and is adequately protected.

Analytics and Performance Monitoring: The Company may engage third-party analytics providers to collect and analyze data related to the usage of the App. Such analytics providers may process information such as device data, usage patterns, and user interactions with the App to improve its performance, enhance user experience, and optimize service offerings. All analytics providers are required to comply with Canadian privacy laws, and any data shared with them will be anonymized or pseudonymized where possible to protect user privacy.

Security Services: The Company may work with third-party security providers to monitor and protect against cybersecurity threats, unauthorized access, and fraudulent activities. Such providers are engaged to help maintain the integrity and security of the App and its users' data. The Company ensures that these security providers are subject to strict contractual obligations to maintain the confidentiality and security of the Personal Information they access.

Protection of Personal Information by Third-Party Service Providers

The Company requires all third-party service providers to enter into legally binding agreements that ensure compliance with Canadian data protection laws, including PIPEDA and PIPA. These agreements require third-party service providers to:

Use of Data: Only process Personal Information in accordance with the Company’s instructions and for the specific purposes for which it was provided.

Security Measures: Implement and maintain appropriate technical and organizational security measures to protect Personal Information from unauthorized access, disclosure, alteration, or destruction.

Confidentiality Obligations: Maintain the confidentiality of all Personal Information and prohibit the disclosure of such information to unauthorized individuals or entities.

Data Retention and Deletion: Retain Personal Information only for as long as necessary to fulfill the purposes for which it was collected, and securely delete or anonymize such information once it is no longer required.

The Company regularly audits its third-party service providers to ensure compliance with these requirements and takes appropriate action if any provider fails to meet its obligations.

International Data Transfers

In the course of its operations, the Company may transfer Personal Information to service providers or data processors located outside of Canada. These transfers are subject to the provisions of PIPEDA, PIPA, and other applicable Canadian data protection laws, and are conducted in a manner that ensures the continued protection of Personal Information.

Adequacy of Foreign Jurisdictions: Where Personal Information is transferred to a jurisdiction outside of Canada, the Company will ensure that the foreign jurisdiction provides an adequate level of data protection comparable to that provided under Canadian privacy laws. This may include jurisdictions that have been recognized by the Office of the Privacy Commissioner of Canada (OPC) as offering adequate data protection.

Contractual Safeguards: For transfers to jurisdictions that do not provide an adequate level of protection, the Company will enter into legally binding agreements with the third-party service providers to ensure that Personal Information is protected to a standard equivalent to that required under PIPEDA and PIPA. Such agreements will include Standard Contractual Clauses (SCCs) or other legally recognized mechanisms to safeguard the rights and freedoms of data subjects.

User Notification: Where international data transfers are necessary, the Company will notify Users of the transfer and the measures taken to ensure the protection of their Personal Information. Users will be provided with information about the country or countries to which their data may be transferred, the purpose of the transfer, and the legal basis for the transfer. Users will have the opportunity to withdraw their consent for such transfers, where required by law.

Data Transfers within Canada

The Company may also transfer Personal Information within Canada, including between its offices or to third-party service providers operating within Canada. All such transfers are subject to the provisions of PIPEDA and PIPA, and the Company ensures that appropriate safeguards are in place to protect Personal Information during such transfers. Canadian service providers are subject to the same legal and regulatory requirements as the Company and are obligated to comply with all relevant Canadian privacy laws.

User Consent for Data Transfers

The Company processes and transfers Personal Information based on the User’s explicit consent, which is obtained when the User agrees to the terms of this Privacy Policy or provides consent during specific interactions with the App (e.g., by linking a credit card or using certain App features). By using the App, Users consent to the transfer, storage, and processing of their Personal Information in accordance with this Privacy Policy.

Withdrawal of Consent for Data Transfers: Users have the right to withdraw their consent for the international transfer of their Personal Information at any time. Users may exercise this right by contacting the Company through the contact information provided at the end of this Privacy Policy. Upon withdrawal of consent, the Company will cease any future transfers of Personal Information outside of Canada, except where such transfers are required by law.

Third-Party Links

The App may contain links to third-party websites, applications, or services that are not operated by the Company. The Company is not responsible for the privacy practices or content of these third-party websites or services. Users are encouraged to review the privacy policies of any third-party services before providing them with Personal Information. The Company will not be held liable for any damages or losses arising from the use of third-party services linked to or integrated with the App.

Compliance with Canadian Privacy Laws

The Company takes all reasonable steps to ensure that Personal Information transferred to or processed by third-party service providers remains compliant with PIPEDA, PIPA, and other applicable Canadian data protection laws. The Company works closely with its legal and compliance teams to ensure that all data transfers, whether domestic or international, meet the highest standards of data protection and privacy.

Monitoring and Auditing: The Company regularly monitors and audits the data processing activities of its third-party service providers to ensure compliance with Canadian privacy laws and the contractual obligations outlined in this Privacy Policy. The Company reserves the right to terminate relationships with any service providers that fail to meet its data protection requirements.

Use of Cookies, Tracking Technologies, and User Preferences

Deployment and Purpose of Cookies and Tracking Technologies

The Company, in connection with the provision of services through the RewardsX application (hereinafter referred to as “the App”), employs cookies and similar tracking technologies (hereinafter referred to as "Tracking Technologies") to collect, process, and store certain data concerning User activity and interaction. Such Tracking Technologies are utilized in strict compliance with applicable Canadian law, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Alberta Personal Information Protection Act (PIPA). The use of these technologies is essential for ensuring optimal functionality, enhancing User experience, and supporting the legitimate interests of the Company.

Cookies: A cookie is a small data file that is placed and stored on the User's device when the App is accessed. Cookies enable the Company to distinguish Users, recognize their preferences, and track their interactions with the App. The Company utilizes both session cookies, which are automatically erased when the User’s session ends, and persistent cookies, which remain on the User's device for a defined retention period or until manually deleted. Cookies facilitate the collection of information such as device identifiers, browser types, and User behavior within the App.

Web Beacons and Pixels: The Company may employ web beacons (also known as tracking pixels), which are small, transparent image files embedded within the App or within email communications. These technologies enable the Company to track whether certain actions (e.g., completing transactions, viewing content, or opening emails) have been performed by the User. Web beacons and pixels are instrumental in measuring engagement and ensuring the effective delivery of services.

Mobile Identifiers: The Company may collect information from mobile devices via unique device identifiers, such as Advertising IDs or Device IDs. These identifiers allow the Company to analyze User interactions on mobile platforms and deliver customized content and advertisements. Mobile identifiers are anonymized and do not, on their own, reveal Personal Information unless voluntarily provided by the User.

Categories and Specific Purposes of Data Processing Through Tracking Technologies

The Company processes data collected via Tracking Technologies for specific and legally permissible purposes, including but not limited to:

Essential Functionality: Tracking Technologies are essential for the basic operation of the App and for ensuring that Users can navigate the App, utilize core features, and access secure sections. These cookies are fundamental to ensuring that the App functions as intended. For example, cookies are required for User authentication, maintaining login sessions, and ensuring security protocols. Given their necessity, these cookies are exempt from the requirement to obtain consent under PIPEDA and PIPA, as they are essential to the performance of the contract between the User and the Company.

Performance Monitoring and Analytical Purposes: The Company employs Tracking Technologies to collect aggregated and anonymized data concerning User interactions with the App. This data may include the frequency of page visits, duration of sessions, interaction with particular features, and error reports. Such data is processed for the purposes of monitoring performance, troubleshooting technical issues, and optimizing the overall User experience. The Company processes this information based on its legitimate interest in maintaining and improving the App.

Personalization of User Experience: Tracking Technologies are utilized to store User preferences and settings, such as language preferences, account details, and previously completed actions, which allows for the customization of the App to suit individual User preferences. These technologies further enable the Company to provide personalized recommendations and content based on previous interactions. Personalization is conducted to enhance the User’s engagement with the App and is processed with the User’s consent where required by law.

Targeted Advertising and Marketing: Subject to obtaining explicit User consent, the Company may use cookies and other Tracking Technologies to gather information about User activities and preferences for the purpose of delivering targeted advertising and marketing communications. These technologies allow the Company to build profiles of User interests and behaviors, track the effectiveness of advertisements, and deliver personalized offers. Users may be presented with ads both within the App and across third-party websites and platforms. The Company ensures that any such data processing is conducted in compliance with Canadian privacy laws, including adherence to applicable opt-in/opt-out requirements for targeted marketing.

Security and Fraud Detection: Tracking Technologies are employed to protect the integrity of the App, prevent unauthorized access, detect suspicious behavior, and mitigate security risks. The data collected is processed to ensure the security of User accounts and to monitor the App for any indications of fraudulent or malicious activity. The Company uses these technologies to meet its legal obligations concerning cybersecurity and data protection, as mandated by Canadian law.

Legal Basis for Processing via Tracking Technologies

The Company’s use of cookies and Tracking Technologies is governed by the following legal bases, in compliance with PIPEDA, PIPA, and other applicable privacy laws in Canada:

User Consent: For any non-essential cookies or Tracking Technologies that are not strictly necessary for the functioning of the App, the Company will obtain the User’s explicit and informed consent prior to their activation. Consent will be collected through a clearly presented cookie banner or similar consent mechanism, which will offer Users the ability to accept or decline non-essential Tracking Technologies. Users are informed that their consent may be withdrawn at any time without prejudice to the lawfulness of the processing based on consent prior to its withdrawal.

Legitimate Interests: Where the Company processes data collected via Tracking Technologies to pursue its legitimate interests, such as ensuring security, analyzing performance, or preventing fraud, such processing will only occur where those interests are not overridden by the rights and freedoms of Users. The Company implements appropriate safeguards to ensure the minimization of any potential impact on User privacy.

User Rights and Preferences for Cookies and Tracking Technologies

The Company provides Users with meaningful control over their data through the following rights and options:

Consent Management Mechanism: Upon the first interaction with the App, Users will be presented with a cookie consent banner that offers transparency regarding the categories of cookies and Tracking Technologies used, along with the purposes for each. The banner will provide Users with the ability to consent to or decline the use of non-essential cookies, while essential cookies will be applied by default due to their necessity for the App’s operation.

Browser and Device Preferences: Users may modify their cookie preferences at any time by adjusting the settings within their browser or mobile device. Most modern browsers allow Users to manage cookies, including enabling, disabling, or deleting cookies, and may offer settings to block third-party cookies entirely. However, Users are advised that disabling cookies may affect the functionality of certain features or limit access to specific sections of the App.

Withdrawal of Consent: Users retain the right to withdraw consent for non-essential cookies and Tracking Technologies at any time. Users may withdraw consent by clearing cookies from their device or updating their preferences within the App’s settings. Upon receipt of a withdrawal request, the Company will promptly cease the processing of data via non-essential cookies, unless such processing is required by law.

Use of Third-Party Cookies and Tracking Technologies

The Company may engage third-party service providers, such as analytics providers, advertising networks, and social media platforms, to use Tracking Technologies on its behalf. These third-party entities may collect, process, and store data concerning User interactions with the App or across other platforms. The Company takes steps to ensure that these third-party providers comply with Canadian data protection laws, including PIPEDA and PIPA, and that any data shared with third parties is anonymized or pseudonymized where applicable.

Third-Party Analytics Providers: The Company may use analytics services such as Google Analytics to collect aggregated data about User behavior and interactions within the App. These services may deploy cookies to track usage patterns and provide insights into how the App is used. Users may opt out of analytics tracking by configuring their browser settings or by utilizing the Google Analytics Opt-Out Browser Add-On.

Third-Party Advertising Partners: The Company may allow third-party advertising networks to place cookies for the purpose of serving targeted advertisements to Users. Such cookies track the User’s behavior across multiple websites and applications. The Company ensures that these third-party partners comply with Canadian privacy laws and provides Users with options to opt out of targeted advertising where required.

Compliance with Canadian Data Protection Laws

The Company’s use of cookies and Tracking Technologies is conducted in full compliance with PIPEDA, PIPA, and any other applicable Canadian laws governing the protection of Personal Information. The Company ensures transparency in its data collection practices, provides Users with sufficient information to make informed choices about the use of their data, and implements adequate safeguards to prevent unauthorized access or misuse of data collected through Tracking Technologies.

Contact Information for Cookie-Related Inquiries

Should Users have any questions or concerns regarding the Company’s use of cookies or Tracking Technologies, or should they wish to exercise their rights to consent management or data access, they may contact the Company as follows:

Credwise Financial Inc. - support@credwise.ca


User Rights Concerning Personal Information

Overview of User Rights

Users of the RewardsX application (hereinafter referred to as “the App”) are granted specific rights concerning the collection, use, disclosure, and processing of their Personal Information, in accordance with applicable Canadian data protection laws, including but not limited to the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Alberta Personal Information Protection Act (PIPA). These rights empower Users to exert control over their Personal Information and to ensure that their privacy is protected throughout their interactions with the Company. The Company is committed to upholding these rights and to facilitating their exercise in a timely and transparent manner.

Right of Access to Personal Information

Users have the legal right to request access to the Personal Information that the Company holds about them. This right encompasses access to the categories of Personal Information collected, the purposes for which such information is being processed, and the identity of any third parties to whom the information has been disclosed.

Procedure for Access Requests: Users may exercise their right of access by submitting a written request to the Company’s Data Protection Officer or through the contact details provided at the end of this Privacy Policy. Upon receipt of an access request, the Company will respond within the time limits prescribed by PIPEDA or PIPA, which typically require a response within thirty (30) days. If an extension of time is required, the Company will notify the User of the delay and provide the reason for the extension.

Exceptions to Access Rights: In certain limited circumstances, the Company may decline to provide access to specific categories of Personal Information. Such instances may include situations where the disclosure of the requested information would infringe upon the privacy rights of third parties, where the information is subject to solicitor-client privilege, or where the disclosure would be prohibited by law. In cases of denial, the Company will inform the User of the reasons for withholding access and will provide the User with information regarding available remedies.

Right to Rectification of Personal Information

Users are entitled to request the correction or rectification of any inaccuracies or incomplete information in their Personal Information held by the Company. The Company is legally obligated to take reasonable steps to ensure that all Personal Information is accurate, complete, and up-to-date.

Procedure for Rectification Requests: Users may request the correction of inaccurate or outdated Personal Information by contacting the Company’s Data Protection Officer in writing. The Company will take prompt action to rectify any identified inaccuracies. If the Company is unable or unwilling to make the requested correction, it will append a note to the User’s file indicating that the User requested a correction and provide an explanation of the Company’s refusal to do so. Users will be informed of any legal remedies available to them in such cases.

Right to Withdraw Consent

Where the processing of Personal Information is based on the User’s explicit consent, the User retains the right to withdraw such consent at any time. The withdrawal of consent will not affect the legality of the processing conducted prior to the withdrawal and shall take effect only upon receipt of the withdrawal notice.

Procedure for Withdrawing Consent: Users may withdraw their consent for the processing of their Personal Information by submitting a written notice of withdrawal to the Company. The Company will promptly cease processing the Personal Information for the specified purposes, unless such processing is required to comply with legal or regulatory obligations. Users are advised that withdrawing consent may result in the restriction or termination of certain services provided by the App, to the extent that such services require the use of Personal Information.

Right to Deletion of Personal Information (Right to Erasure)

Users have the right to request the deletion of their Personal Information in certain circumstances, such as when the Personal Information is no longer necessary for the purposes for which it was collected, or where the User has withdrawn consent and there is no other legal basis for processing.

Grounds for Deletion: The User’s right to deletion arises in situations including, but not limited to, the following:

○ The Personal Information is no longer necessary for the purposes for which it was collected or processed.

○ The User has withdrawn their consent and there are no other lawful grounds for processing.

○ The Personal Information has been unlawfully processed in breach of applicable data protection laws.

Procedure for Deletion Requests: Users may request the deletion of their Personal Information by contacting the Company. The Company will evaluate the request and, where appropriate, take steps to securely delete the relevant Personal Information. If the Company cannot comply with the request due to legal or regulatory requirements (e.g., for tax or audit purposes), the Company will inform the User of the reasons for continued retention and the timeframe for eventual deletion.

Right to Object to Processing

Users have the right to object to the processing of their Personal Information in cases where such processing is based on the Company’s legitimate interests or where the Personal Information is being processed for direct marketing purposes.

Objection to Legitimate Interest Processing: Users may object to the processing of their Personal Information where such processing is based on legitimate interests pursued by the Company or third parties. Upon receiving an objection, the Company will assess whether the legitimate interests are overridden by the User’s rights and freedoms. If the objection is valid, the Company will cease processing the Personal Information unless there are compelling legitimate grounds for continuing the processing.

Objection to Direct Marketing: Users may object at any time to the processing of their Personal Information for direct marketing purposes. Upon receiving an objection, the Company will immediately cease any marketing-related processing of the User’s Personal Information.

Right to Restrict Processing

Users have the right to request that the Company restrict the processing of their Personal Information in certain circumstances, such as where the accuracy of the data is contested, or the User has objected to processing and the Company is determining whether legitimate grounds override the User’s rights.

Effect of Restriction: Where the processing is restricted, the Company will only process the Personal Information for the purposes of storage or to comply with legal obligations. The Company will inform the User before lifting any restriction on processing.

Right to Data Portability

Users have the right to receive a copy of their Personal Information in a structured, commonly used, and machine-readable format. The User may also request that the Company transmit the data directly to another service provider, where technically feasible, provided that such a transfer does not infringe upon the rights of third parties.

Conditions for Data Portability: The right to data portability applies only to Personal Information that the User has provided to the Company and where the processing is based on the User’s consent or carried out by automated means. The Company will comply with data portability requests in accordance with the technical capabilities of its systems and within the time limits prescribed by law.

Right to Lodge a Complaint

Users who believe that their privacy rights have been violated or that the Company has failed to comply with its obligations under Canadian data protection laws have the right to lodge a formal complaint with the relevant regulatory authority.

Filing a Complaint with Regulatory Authorities: Users may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) or the Alberta Information and Privacy Commissioner (AIPC). The Company will cooperate fully with any investigation or inquiry initiated by these authorities and will take corrective measures as required by law.

Timeframes for Responding to User Requests

The Company undertakes to respond to all User requests concerning their Personal Information within the timeframe mandated by PIPEDA, PIPA, or any other applicable laws. In general, the Company will respond to requests within thirty (30) days of receipt. If an extension of time is necessary, the Company will notify the User and provide an explanation for the delay.

Data Retention and Security Measures

Data Retention Policy

The Company, in compliance with applicable Canadian laws, including but not limited to the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Alberta Personal Information Protection Act (PIPA), retains Personal Information only for as long as necessary to fulfill the purposes for which it was collected, or as otherwise required by law. The retention of Personal Information is guided by the principle of data minimization and the necessity of processing for legitimate business purposes, legal obligations, or contractual requirements.

Retention for Service Provision: Personal Information collected from Users will be retained by the Company for the duration of the contractual relationship between the User and the Company, and for a reasonable period thereafter, as may be required to satisfy legal, regulatory, and operational requirements. This includes information necessary for the proper functioning of the RewardsX application (hereinafter referred to as "the App") and for the provision of related services.

Retention for Legal and Compliance Purposes: Certain categories of Personal Information may be retained for longer periods in order to comply with statutory requirements, such as tax obligations, audit requirements, and anti-money laundering laws. In such cases, the Company will securely store the information for the duration of the legally mandated retention period. Once the statutory retention period has expired, the Company will take reasonable steps to securely delete or anonymize the data, unless further retention is justified on lawful grounds.

Retention for Dispute Resolution and Legal Claims: In cases where Personal Information is relevant to legal claims or disputes, the Company may retain such information until the final resolution of the dispute, including any appeal processes, or until the expiration of the limitation period for bringing legal action under applicable law.

De-Identification and Anonymization: Where feasible, the Company may anonymize or de-identify Personal Information in order to retain it for statistical, research, or analytical purposes. Anonymized data is no longer considered Personal Information and, as such, is not subject to the restrictions and requirements of this Privacy Policy.

Secure Disposal of Personal Information

Upon the expiration of the applicable retention periods, or when Personal Information is no longer required for the purposes for which it was collected, the Company will take reasonable steps to securely dispose of such information. Secure disposal methods may include the permanent deletion of electronic records or the physical destruction of paper records, ensuring that the information cannot be recovered or reconstructed.

Electronic Data Disposal: Electronic records containing Personal Information will be securely erased using industry-standard techniques that render the data irretrievable. This may include overwriting or encrypting the data, or the use of specialized software designed for secure data deletion.

Physical Data Disposal: Physical documents containing Personal Information, including but not limited to paper records, will be shredded, incinerated, or otherwise destroyed in a secure manner, ensuring that unauthorized individuals cannot access or recover the information.

Security Measures to Protect Personal Information

The Company implements and maintains appropriate technical, physical, and administrative security measures designed to protect Personal Information against unauthorized access, disclosure, alteration, or destruction. The Company’s security measures are aligned with industry standards and comply with applicable Canadian data protection laws, including PIPEDA and PIPA.

Encryption: All Personal Information, including sensitive data such as financial information, is encrypted both in transit and at rest using robust encryption protocols. This ensures that Personal Information is protected from unauthorized interception during transmission and unauthorized access while stored on the Company’s servers.

Access Controls: Access to Personal Information is restricted to authorized personnel who have a legitimate business need to access the data. The Company employs role-based access controls (RBAC) to ensure that only individuals with the requisite authorization and training are permitted to handle Personal Information. This principle of least privilege is designed to minimize the risk of unauthorized access or data breaches.

Multi-Factor Authentication (MFA): Where feasible, the Company implements multi-factor authentication for access to systems that store or process Personal Information. This added layer of security helps protect against unauthorized access to User accounts and sensitive data.

Physical Security Measures: The Company’s physical premises, including data centers and offices where Personal Information may be stored or processed, are secured by appropriate physical controls. These may include locked and monitored server rooms, surveillance systems, and restricted access protocols.

Regular Security Audits: The Company conducts regular security audits and vulnerability assessments to evaluate the effectiveness of its security measures. These audits are conducted by both internal teams and third-party experts, as necessary, to identify potential vulnerabilities or areas for improvement. The results of these audits are used to strengthen the Company’s security posture and ensure compliance with applicable data protection laws.

Data Breach Notification

In the event of a data breach or security incident that involves the unauthorized access, use, disclosure, or destruction of Personal Information, the Company will promptly assess the nature and scope of the breach and take appropriate remedial measures. The Company will comply with its obligations under Canadian data protection laws, including the Breach of Security Safeguards Regulations under PIPEDA, which impose specific breach reporting requirements.

Notification to Regulatory Authorities: Where the breach poses a real risk of significant harm to affected individuals, the Company will notify the Office of the Privacy Commissioner of Canada (OPC) and any other relevant regulatory authorities as required by law. Such notification will include a detailed description of the breach, the type of Personal Information affected, the estimated number of individuals impacted, and the measures taken to mitigate the harm.

Notification to Affected Individuals: Where the breach is likely to result in significant harm to affected individuals, the Company will notify those individuals as soon as reasonably practicable. This notification will provide sufficient information for the individual to understand the nature of the breach, the steps they can take to protect themselves, and the actions the Company has taken to mitigate potential harm.

Remedial Action: Following a data breach, the Company will take immediate steps to contain the breach, mitigate any further unauthorized access, and investigate the root cause. The Company will implement appropriate corrective actions to prevent the recurrence of similar incidents, including enhancements to its security measures and staff training programs.

Third-Party Service Providers and Data Security

Where the Company engages third-party service providers to process Personal Information on its behalf, the Company ensures that such service providers implement and maintain adequate security measures to protect Personal Information. The Company enters into legally binding agreements with third-party service providers, requiring them to comply with Canadian data protection laws and to ensure the confidentiality, integrity, and availability of the Personal Information they process.

Due Diligence and Contractual Obligations: Prior to engaging third-party service providers, the Company conducts a thorough due diligence process to assess their security practices and data protection capabilities. The Company enters into data processing agreements that impose stringent security obligations on the service providers, including requirements for encryption, access controls, and data breach notification.

Ongoing Monitoring and Audits: The Company regularly monitors its third-party service providers to ensure compliance with the terms of the data processing agreements. Where necessary, the Company may conduct audits or request certifications of compliance with recognized security standards.

Compliance with Canadian Data Protection Laws

The Company’s data retention and security practices are fully compliant with Canadian data protection laws, including PIPEDA, PIPA, and all other applicable laws and regulations governing the protection of Personal Information. The Company remains committed to protecting the privacy of its Users and to ensuring that Personal Information is processed, stored, and disposed of in a manner that meets or exceeds legal standards.

Governing Law and Jurisdiction

Applicable Law

This Privacy Policy, along with any disputes or claims arising out of or in connection with it, the RewardsX application (hereinafter referred to as "the App"), or the Company’s processing of Personal Information, shall be governed by and construed in accordance with the laws of Alberta, Canada, and the federal laws of Canada applicable therein, without regard to any principles of conflicts of law that might otherwise apply to the benefit of any other jurisdiction.

In particular, the Company adheres to the Personal Information Protection and Electronic Documents Act (PIPEDA), the Alberta Personal Information Protection Act (PIPA), and any other applicable federal, provincial, or territorial laws governing the collection, use, disclosure, and protection of Personal Information. These laws establish the regulatory framework within which the Company processes Personal Information and provide Users with legal rights concerning their privacy and data security.

Exclusive Jurisdiction

The parties agree that the courts of Alberta, located in Edmonton, shall have exclusive jurisdiction over any legal action or proceeding arising out of or relating to this Privacy Policy, the processing of Personal Information, or the use of the App. By using the App and engaging with the services provided by Credwise Financial Inc. (hereinafter referred to as “the Company”), the User consents and submits to the exclusive jurisdiction of the provincial and federal courts of Alberta, and agrees that all disputes or claims shall be litigated exclusively in these courts.

Users irrevocably waive any objection to the venue or jurisdiction of such courts, including any defense based on the doctrine of forum non conveniens or any other similar defense.

Venue for Legal Proceedings

In the event of any claim, dispute, or controversy arising from or relating to this Privacy Policy or the use of Personal Information by the Company, the parties irrevocably agree that any such legal proceedings shall be brought and litigated exclusively in the Court of Queen's Bench of Alberta, or, where applicable, in the Provincial Court of Alberta, located in Edmonton.

The User hereby submits to the personal jurisdiction of these courts and agrees that all claims shall be resolved under the laws of Alberta without regard to conflicts of law principles. Any action brought in any other forum shall be considered improper, and the User expressly agrees that the Company shall be entitled to have any such actions transferred to the appropriate Alberta court or dismissed.

Waiver of Class Action

To the fullest extent permitted by law, Users agree to resolve any disputes or claims arising from or relating to this Privacy Policy, the App, or the processing of Personal Information on an individual basis. By using the App, the User expressly agrees to waive any right to bring or participate in any class action, collective action, or other representative proceeding against the Company or its affiliates.

Users may only pursue claims individually and not as a plaintiff or class member in any purported class, collective, or representative action. If this waiver of class or collective action is found to be unenforceable or invalid under applicable law, any claim or dispute must be resolved in the appropriate court in Alberta under the terms of exclusive jurisdiction and venue as outlined in this Privacy Policy.

Arbitration Clause

At the sole discretion of the Company, any claim or dispute arising from or relating to this Privacy Policy or the use of the App may be resolved through binding arbitration, conducted under the Arbitration Act of Alberta. If the Company elects to pursue arbitration, the following terms will apply:

Selection of Arbitrator: The parties shall jointly select a single arbitrator, who shall be a qualified and independent legal professional with expertise in privacy and data protection law. If the parties cannot agree on an arbitrator within fifteen (15) days of notice of arbitration, either party may petition the Court of Queen's Bench of Alberta to appoint an arbitrator.

Arbitration Venue and Procedure: The arbitration shall be held in Edmonton, Alberta, and shall be conducted in accordance with the rules of the Arbitration Act of Alberta. The arbitration proceedings shall be confidential, and all documents, information, and evidence submitted or disclosed during arbitration shall remain confidential unless otherwise agreed by the parties or required by law.

Binding Decision: The decision rendered by the arbitrator shall be final and binding on both parties, and may be enforced as a judgment in any court of competent jurisdiction. The arbitrator shall have the authority to award legal fees and costs to the prevailing party in the arbitration.

Limitation on Arbitration: Notwithstanding the foregoing, the Company reserves the right to pursue legal action in the courts of Alberta in cases involving claims for injunctive relief, enforcement of intellectual property rights, or to compel arbitration under this clause.

Statutory Rights Not Affected

Nothing in this Privacy Policy shall limit or exclude any statutory rights Users may have under applicable Canadian data protection laws. Where a User has statutory rights under PIPEDA, PIPA, or other relevant legislation, these rights shall not be diminished, waived, or adversely affected by the provisions of this Privacy Policy or by any agreement to submit disputes to arbitration or the courts of Alberta.

Regulatory Authorities: Users retain the right to file complaints or seek assistance from the Office of the Privacy Commissioner of Canada (OPC) or the Alberta Information and Privacy Commissioner (AIPC) concerning their privacy rights and any alleged violations of Canadian data protection laws by the Company. The choice of venue in this Privacy Policy does not preclude the jurisdiction of these authorities to investigate and enforce privacy rights under Canadian law.

Limitation on Claims

Any claim, cause of action, or dispute a User may have against the Company arising out of or relating to this Privacy Policy, the App, or the processing of Personal Information must be filed within one (1) year after such claim or cause of action arises. Failure to file such a claim within the stipulated period shall result in the permanent bar of the claim, and the User agrees to waive any statute of limitations that may apply longer than this stipulated period.

This limitation does not apply to claims for breaches of confidentiality, intellectual property rights, or claims where applicable law requires a longer period that cannot be contractually waived.

Modifications to Governing Law and Jurisdiction Clause

The Company reserves the right to modify, amend, or update the governing law and jurisdiction provisions of this Privacy Policy, subject to compliance with applicable Canadian laws. Any amendments to this section shall be communicated to Users in accordance with the Company’s notice provisions as detailed in this Privacy Policy. Users’ continued use of the App following notice of any such amendments shall constitute their acceptance of the revised provisions.

Changes to the Privacy Policy

Right to Modify or Amend the Privacy Policy

Credwise Financial Inc. (hereinafter referred to as “the Company”) reserves the exclusive right to modify, amend, update, or revise this Privacy Policy from time to time in its sole discretion. Such modifications may be necessitated by changes in legal, regulatory, technological, or operational requirements, or to reflect changes in the Company’s data processing practices. The Company is committed to ensuring that any changes made to this Privacy Policy comply with applicable Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Alberta Personal Information Protection Act (PIPA).

Notice of Material Changes

In the event that material changes are made to this Privacy Policy, the Company will provide clear and conspicuous notice to Users, in compliance with Canadian data protection laws, before such changes take effect. Material changes refer to modifications that significantly alter the scope, purposes, or nature of the processing of Personal Information, or that affect the rights or obligations of Users under this Privacy Policy.

Means of Notification: The Company will notify Users of any material changes to this Privacy Policy via one or more of the following methods:

○ Email Notification: Users may receive an email detailing the changes, sent to the address they have provided as part of their account registration process.

○ In-App Notification: A prominent notification may be displayed within the RewardsX application (hereinafter referred to as "the App") alerting Users to the changes.

○ Website Notification: A notice may be posted on the Company’s website, along with the updated Privacy Policy, specifying the effective date of the changes.

Advance Notice: Where feasible, the Company will provide at least thirty (30) days’ advance notice of any material changes to this Privacy Policy. This period will allow Users the opportunity to review the changes, ask questions, or exercise their rights under applicable law before the revised Privacy Policy takes effect.

Consent to Changes

By continuing to use the App following the effective date of any modifications to this Privacy Policy, the User will be deemed to have accepted the changes. Where the Company is required by law to obtain the User’s explicit consent to material changes, such consent will be requested through appropriate mechanisms (e.g., an updated consent banner or an opt-in requirement).

User’s Right to Withdraw Consent: If the User does not agree to the modifications, the User retains the right to withdraw their consent to the processing of their Personal Information, as described in this Privacy Policy. Users who wish to withdraw their consent or terminate their use of the App may do so by contacting the Company at the details provided herein. The Company will honor such requests in accordance with applicable Canadian data protection laws.

Non-Material Changes

The Company may make non-material changes to this Privacy Policy at its discretion, which may include editorial updates, clarifications, or improvements that do not affect the substantive rights or obligations of Users. Non-material changes may be implemented without providing advance notice, although the revised Privacy Policy will be made available to Users on the Company’s website and within the App for their review.

Access to Updated Privacy Policy: Users are encouraged to review this Privacy Policy periodically to stay informed of any non-material updates. The Company will make the most recent version of this Privacy Policy available on its website and within the App, clearly identifying the date on which the Privacy Policy was last updated.

Retrospective Application of Changes

The Company will not apply changes to this Privacy Policy retroactively unless such retroactive application is required by law or necessary to ensure compliance with legal or regulatory obligations. Any changes to this Privacy Policy will only apply to Personal Information collected after the effective date of the revised policy, unless Users are expressly notified otherwise or unless their explicit consent is obtained.

User’s Continued Access to Rights

Notwithstanding any changes to this Privacy Policy, Users retain all statutory rights and protections afforded to them under applicable Canadian data protection laws, including PIPEDA and PIPA. The Company remains committed to protecting the privacy and security of Personal Information and will continue to comply with its legal obligations, regardless of any changes made to this Privacy Policy.

Notification of Specific Changes to Processing Purposes

In the event that the Company proposes to process Personal Information for a new or additional purpose that is materially different from, or incompatible with, the purposes for which it was originally collected, the Company will obtain the User’s explicit consent before proceeding with such processing. Users will be notified of the new purpose, and the Company will provide sufficient information for the User to make an informed decision regarding whether to consent to the new processing activities.

Impact of Refusal to Consent to New Purposes: Users are under no obligation to provide their consent to new or additional purposes, and refusal to consent will not impact the User’s access to or use of the App, except to the extent that the new purpose is essential for the provision of specific services. The Company will respect the User’s choice and ensure that their Personal Information is processed only for purposes that the User has explicitly consented to.

Retention of Prior Versions of the Privacy Policy

For the purposes of transparency and accountability, the Company will retain prior versions of this Privacy Policy, along with a record of the effective dates of each version. Users may request access to previous versions of the Privacy Policy to understand how their Personal Information was processed at a particular point in time. Such requests may be submitted to the Company’s Data Protection Officer.

Effective Date of Changes

Each updated version of this Privacy Policy will specify the “Effective Date” of the changes, clearly indicating when the revised terms take effect. Users should refer to this effective date to understand when the modifications become binding and when the revised processing terms apply to their Personal Information.

Contact Information and Questions

Data Protection Officer and Contact Information

Credwise Financial Inc. (hereinafter referred to as "the Company") is committed to ensuring full compliance with applicable Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Alberta Personal Information Protection Act (PIPA). To facilitate this commitment, the Company has appointed a Data Protection Officer (DPO) to oversee the Company’s data protection and privacy compliance efforts. The DPO is responsible for ensuring that the Company adheres to its legal obligations under privacy laws and acts as the primary point of contact for privacy-related inquiries.

Users who wish to submit inquiries, complaints, or requests regarding their Personal Information or this Privacy Policy may do so by contacting the Company’s Data Protection Officer at the following address:

Credwise Financial Inc.
[Insert Full Legal Address]
Attn: Data Protection Officer
Email: [Insert DPO Email Address]
Telephone: [Insert Contact Number]

Submission of Requests Concerning Personal Information

Users may submit requests concerning their Personal Information to the Company’s Data Protection Officer in writing, including but not limited to:

Access Requests: Requests to access Personal Information held by the Company, as described in Point 9 of this Privacy Policy.

Rectification Requests: Requests to correct or update inaccurate or outdated Personal Information.

Deletion Requests (Right to Erasure): Requests for the deletion of Personal Information, subject to the conditions outlined in this Privacy Policy and applicable law.

Withdrawal of Consent: Requests to withdraw consent for the processing of Personal Information, as provided for under PIPEDA and PIPA.

Objections to Processing: Requests to object to the processing of Personal Information based on legitimate interests or for direct marketing purposes.

The Company will respond to all requests in accordance with the time limits specified by PIPEDA and PIPA, generally within thirty (30) days of receipt. Where additional time is required to process the request, the Company will inform the User of the extension and provide a rationale for the delay.

Assistance with Privacy Rights and Remedies

In addition to contacting the Company’s Data Protection Officer, Users have the right to seek assistance from or lodge complaints with the Office of the Privacy Commissioner of Canada (OPC) or the Alberta Information and Privacy Commissioner (AIPC) if they believe their privacy rights have been violated or if they are dissatisfied with the Company’s response to a privacy-related request.

  • Office of the Privacy Commissioner of Canada (OPC):
    Website: [Insert OPC Website URL]
    Contact Information: [Insert OPC Contact Details]
  • Alberta Information and Privacy Commissioner (AIPC):
    Website: [Insert AIPC Website URL]
    Contact Information: [Insert AIPC Contact Details]

The Company will cooperate fully with any investigation conducted by these regulatory authorities and will take corrective measures as directed by the authorities to ensure compliance with Canadian privacy laws.

Complaints Procedure

If a User wishes to lodge a formal complaint regarding the Company’s processing of Personal Information, the following procedure must be followed:

  1. Initial Complaint Submission: Users may submit a written complaint detailing their concerns to the Company’s Data Protection Officer using the contact details provided above. The complaint should include all relevant details, including the nature of the complaint, the Personal Information involved, and any supporting documentation.
  2. Acknowledgment of Receipt: The Company will acknowledge receipt of the complaint within a reasonable period, typically within five (5) business days, and will initiate an internal investigation to address the issues raised in the complaint.
  3. Resolution Process: The Company will investigate the complaint thoroughly and provide the User with a response detailing the outcome of the investigation, any corrective actions taken, and any steps the Company has implemented to prevent similar issues from occurring in the future. The Company aims to resolve complaints within thirty (30) days of receipt, although more complex matters may require additional time.
  4. Escalation to Regulatory Authorities: If the User is not satisfied with the resolution provided by the Company, the User retains the right to escalate the matter to the Office of the Privacy Commissioner of Canada (OPC) or the Alberta Information and Privacy Commissioner (AIPC) for further investigation.

Questions Regarding the Privacy Policy

Users who have general questions about this Privacy Policy, the Company’s data processing practices, or any other privacy-related matters may direct their inquiries to the Company’s Data Protection Officer at the contact information listed above. The Company endeavors to respond to all privacy-related questions in a timely and transparent manner, ensuring that Users have a clear understanding of how their Personal Information is handled and protected.

Language of Communication

Users may submit inquiries, requests, or complaints in either English or French, in accordance with Canada’s Official Languages Act. The Company will respond to inquiries in the language in which they were submitted, ensuring that Users can communicate in their preferred official language. The Privacy Policy and related notices will also be made available in both English and French.

Amendments to Contact Information

Should the Company’s contact information, including the Data Protection Officer’s details, change at any time, the Company will update this Privacy Policy accordingly and will notify Users in a manner consistent with the procedures outlined in Point 12 of this Privacy Policy concerning changes. Users are encouraged to review the most current version of the Privacy Policy to stay informed of any changes in the Company’s contact details or privacy practices.

Effective Date of the Privacy Policy

Effective Date

This Privacy Policy is effective as of 07-Oct-2024 (hereinafter referred to as the “Effective Date”). As of this date, all provisions outlined herein shall govern the collection, use, processing, disclosure, retention, and protection of Personal Information by Credwise Financial Inc. (hereinafter referred to as “the Company”) in connection with the use of the RewardsX application (hereinafter referred to as “the App”). Users’ continued use of the App after the Effective Date constitutes acceptance of this Privacy Policy in its entirety.

Binding Nature of the Privacy Policy

By accessing or using the App, Users agree to be bound by the terms and conditions set forth in this Privacy Policy. This Privacy Policy governs the processing of Personal Information from the Effective Date onward and supersedes any prior privacy policies or data protection notices issued by the Company. The Company shall not apply any retroactive changes to this Privacy Policy unless required by law or upon obtaining the User’s explicit consent.

Version Control and Changes to the Privacy Policy

This Privacy Policy, along with any updates or modifications made by the Company, will be assigned a version number and corresponding Effective Date to facilitate transparency and version control. Users are encouraged to review this Privacy Policy periodically to ensure they are informed of the most current practices regarding the collection, use, and protection of Personal Information.

Access to Previous Versions: Users may request access to prior versions of this Privacy Policy by contacting the Company. The Company will retain copies of all previous versions for a reasonable period and will make them available upon request to ensure Users can understand the historical processing of their Personal Information.

Notification of Future Changes

In the event that the Company modifies this Privacy Policy, the updated version will clearly indicate the Effective Date of the changes and specify whether such changes are material or non-material. Material changes that significantly affect the User’s rights, obligations, or the processing of their Personal Information will be communicated to Users in advance, as outlined in Point 12 of this Privacy Policy. Non-material changes, including clarifications, editorial updates, or improvements, may take effect immediately upon being posted without prior notice, unless otherwise required by law.

User Rights Upon Policy Changes

In cases where the Company implements material changes to this Privacy Policy, Users will be given a reasonable opportunity to review the updated Privacy Policy and, where applicable, provide or withdraw their consent to any changes that affect the processing of their Personal Information. Users who do not agree to the revised terms may exercise their rights as outlined in this Privacy Policy, including withdrawing consent, terminating their account, or discontinuing use of the App.

Consent to Changes: Where the Company requires explicit consent to material changes, Users will be asked to affirmatively agree to the updated terms prior to continued use of the App. Failure to provide such consent may restrict or terminate the User’s ability to access certain features or services offered by the App, to the extent that such services require the processing of Personal Information under the updated terms.

Governing Language of the Privacy Policy

This Privacy Policy, including any future updates or changes, is provided in both English and French, in accordance with the requirements of the Official Languages Act of Canada. The governing version of this Privacy Policy shall be in the language in which it was originally presented to the User. In the event of any discrepancies between the English and French versions, the version that was first provided to the User shall take precedence. Users may request copies of this Privacy Policy in either official language, and the Company will comply with such requests in a timely manner.

Definitions

For the purposes of this Privacy Policy, the following terms shall have the meanings set forth below. These definitions are intended to clarify and standardize the terminology used throughout the Privacy Policy, ensuring consistent interpretation in accordance with applicable Canadian data protection laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Alberta Personal Information Protection Act (PIPA).

“Company”

"Company" refers to Credwise Financial Inc., including its subsidiaries, affiliates, officers, directors, employees, and agents, who are responsible for the operation of the RewardsX application (hereinafter referred to as “the App”), as well as the collection, use, processing, storage, and protection of Personal Information in connection with the App. The Company is bound by the terms of this Privacy Policy and is responsible for ensuring compliance with applicable privacy laws in Canada.

“User”

“User” means any individual who accesses, registers for, or otherwise uses the App, and whose Personal Information is collected, used, disclosed, or processed by the Company in accordance with this Privacy Policy. The term “User” includes both registered users and visitors who may not have registered an account but interact with the App in any capacity.

“Personal Information”

“Personal Information” refers to any information about an identifiable individual, as defined under PIPEDA and PIPA. This includes any data that relates to, describes, or is capable of identifying a specific individual, either directly or indirectly. Personal Information includes, but is not limited to:

  • Name
  • Email address
  • Mailing address
  • Telephone number
  • Date of birth
  • Financial information (e.g., credit card details, transaction history)
  • Government-issued identification numbers (e.g., Social Insurance Number, passport number)
  • User account information (e.g., login credentials, passwords, preferences)
  • Internet Protocol (IP) address or mobile device identifier when associated with an identifiable individual.

Personal Information does not include anonymized or aggregated data that cannot be used to identify an individual.

“Processing”

“Processing” refers to any operation or set of operations performed on Personal Information, whether or not by automated means, including but not limited to collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction. The term “processing” shall be interpreted broadly to encompass any activity involving Personal Information, consistent with the definition provided under PIPEDA and PIPA.

“Consent”

“Consent” refers to the voluntary agreement of the User to the collection, use, and disclosure of their Personal Information by the Company, as required under PIPEDA and PIPA. Consent may be either express (explicitly provided by the User, such as by clicking an “I agree” button) or implied (inferred from the User’s actions, such as continued use of the App in the context of an ongoing relationship). The Company will obtain express consent where required by law or when processing sensitive Personal Information. Users may withdraw their consent at any time, subject to legal or contractual restrictions, by contacting the Company.

“Cookies”

“Cookies” refer to small text files stored on the User’s device by the App or the Company’s website. Cookies enable the Company to recognize returning Users, store preferences, track activity, and enhance the User’s experience with the App. Cookies may be classified as essential cookies (necessary for the App’s operation) or non-essential cookies (used for personalization, analytics, or advertising purposes). The collection and use of cookies are governed by the Company’s Cookie Policy and subject to the User’s consent where required by law.

“Third-Party Service Provider”

“Third-Party Service Provider” refers to any external entity, organization, or individual engaged by the Company to perform specific functions or services on its behalf, which may involve the collection, use, or processing of Personal Information. This includes, but is not limited to, data hosting providers, payment processors, analytics services, marketing agencies, and security providers. All Third-Party Service Providers engaged by the Company are contractually obligated to comply with applicable privacy laws and to implement appropriate security measures to protect Personal Information.

“Data Breach”

“Data Breach” refers to any unauthorized access, acquisition, use, disclosure, alteration, or destruction of Personal Information that compromises the security, confidentiality, or integrity of such information. A Data Breach may occur through cyberattacks, physical theft, accidental loss, or unauthorized disclosure. In the event of a Data Breach, the Company is required to assess the risk of harm to affected individuals and, where appropriate, report the breach to regulatory authorities, such as the Office of the Privacy Commissioner of Canada (OPC), and notify affected individuals, in compliance with the Breach of Security Safeguards Regulations under PIPEDA.

“Data Protection Officer (DPO)”

“Data Protection Officer” or “DPO” refers to the individual appointed by the Company to oversee compliance with Canadian privacy laws, including PIPEDA and PIPA. The DPO is responsible for ensuring the Company’s adherence to this Privacy Policy, addressing User inquiries and complaints regarding the processing of Personal Information, and facilitating communications with regulatory authorities concerning privacy-related matters. The DPO’s contact information is provided in Point 13 of this Privacy Policy.

“PIPEDA”

“PIPEDA” refers to the Personal Information Protection and Electronic Documents Act, a Canadian federal law that governs the collection, use, and disclosure of Personal Information in the course of commercial activities. PIPEDA sets out the legal requirements for obtaining consent, ensuring data accuracy, protecting Personal Information, and providing access to individuals’ data. It applies to private sector organizations across Canada, with certain exemptions for provincially regulated entities in jurisdictions with comparable privacy laws.

“PIPA”

“PIPA” refers to the Alberta Personal Information Protection Act, which governs the collection, use, and disclosure of Personal Information by private sector organizations operating within the province of Alberta. PIPA applies to organizations, including companies, partnerships, associations, and individuals who collect or manage Personal Information in Alberta. The law aligns closely with PIPEDA, but provides specific requirements and protections tailored to the provincial level.

“Anonymized Data”

“Anonymized Data” refers to data that has been irreversibly altered to ensure that it no longer identifies or is capable of identifying an individual. Once data is anonymized, it ceases to be considered Personal Information under PIPEDA, PIPA, or other applicable privacy laws, and may be used by the Company for research, analysis, or other lawful purposes without further notice or consent from the User, provided that no re-identification of the data is possible.

“Aggregated Data”

“Aggregated Data” refers to data that has been compiled or combined from multiple sources or datasets, such that it no longer relates to or identifies any individual. Aggregated Data may be used by the Company for statistical analysis, business analytics, market research, or other lawful purposes, provided that it does not identify or link back to any specific individual.