Privacy Policy
Last updated: June 22, 2025 · Effective for all AIFinanceFlow Technologies Inc. services
AIFinanceFlow Technologies Inc. ("AIFinanceFlow", "we", "us", or "our") is committed to protecting your personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. This Privacy Policy explains what information we collect, why we collect it, how we use and disclose it, and your rights as a Canadian resident.
1. Accountability
AIFinanceFlow Technologies Inc., located at 360 Main Street, Suite 800, Winnipeg, MB R3C 3Z3, is responsible for personal information under our control. We have designated a Privacy Officer accountable for our compliance with PIPEDA. You may contact our Privacy Officer at [email protected] or by mail at the address above. Our Privacy Officer oversees internal privacy policies, staff training, complaint handling, and cooperation with the Office of the Privacy Commissioner of Canada (OPC) when required.
2. Identifying purposes
We collect personal information only for purposes that a reasonable person would consider appropriate in the circumstances. Our primary purposes include:
- Providing AI-assisted cash flow management, budgeting, and expense categorisation services;
- Creating and maintaining your account and service preferences;
- Processing subscription billing in Canadian dollars with applicable GST/HST;
- Connecting to financial accounts with your explicit consent for transaction import;
- Communicating service updates, security alerts, and support responses;
- Sending marketing communications only where you have provided CASL-compliant express consent;
- Improving our platform through aggregated, de-identified usage analytics;
- Complying with legal obligations under Canadian federal and provincial law.
We will identify the purpose of collection at or before the time personal information is collected. If we wish to use your information for a new purpose not previously identified, we will obtain your consent unless otherwise permitted by law.
3. Consent
Your knowledge and consent are required for the collection, use, or disclosure of personal information, except where inappropriate or permitted by law. Consent may be express (checking an unchecked consent box on our contact form) or implied (continuing to use the service after being notified of an updated policy for non-material changes). You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawal of consent may limit our ability to provide certain services — for example, disconnecting bank account links will prevent automatic transaction import but will not delete your historical data unless you also request account deletion.
For sensitive financial transaction data, we require express consent before collection. We never pre-check consent boxes on our website forms. Marketing email consent is separate from service consent and can be withdrawn independently via unsubscribe links or by contacting us directly.
4. Limiting collection
We collect only personal information necessary for the identified purposes. This may include: your name, email address, phone number, billing address, payment method details (processed by our payment processor — we do not store full credit card numbers), account credentials for our platform (hashed passwords), financial transaction data imported from linked accounts or CSV uploads, AI categorisation preferences and corrections, support correspondence, and technical data such as IP address, browser type, and device identifiers for security purposes.
We do not collect social insurance numbers, passport numbers, or other government identifiers unless legally required for a specific purpose disclosed to you in advance. We do not collect information unrelated to financial management services.
5. Limiting use, disclosure, and retention
Personal information is used only for the purposes for which it was collected, except with your consent or as required by law. We may disclose personal information to:
- Service providers who assist with hosting, payment processing, email delivery, and account aggregation — bound by contractual confidentiality and data protection obligations;
- Professional advisers (lawyers, accountants) under confidentiality obligations;
- Law enforcement or regulatory authorities when required by valid legal process;
- Successors in the event of a merger or acquisition, with continued PIPEDA protection.
We do not sell, rent, or trade your personal information to third parties for their marketing purposes. Financial transaction data is never shared with investment firms, trading platforms, or credit repair agencies.
We retain personal information only as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce agreements. Inactive account data is archived after twenty-four months of non-use and deleted after thirty-six months unless you request earlier deletion. Financial transaction data is retained for the duration of your active subscription plus twelve months after cancellation to support export requests and dispute resolution.
6. Accuracy
We take reasonable steps to ensure personal information is accurate, complete, and up-to-date for the purposes for which it is used. You can review and update your account information through your dashboard or by contacting our Privacy Officer. AI-generated categorisations are suggestions — not authoritative records — and should be reviewed and corrected by you before reliance for tax or legal purposes.
7. Safeguards
We protect personal information with security safeguards appropriate to its sensitivity. Measures include: TLS encryption for data in transit, AES-256 encryption for data at rest, role-based access controls for employees, multi-factor authentication for administrative systems, regular security assessments, and incident response procedures. While we implement industry-standard protections, no system is completely secure — we encourage you to use strong passwords and enable available security features on your account.
In the event of a data breach posing a real risk of significant harm, we will notify affected individuals and the OPC as required under PIPEDA's breach notification provisions (sections 10.1–10.3).
8. Openness
We make information about our privacy policies and practices readily available on this page and through our Privacy Officer contact. Upon request, we will explain our policies and procedures in plain language. Our website footer on every page includes our corporate identity, business number, and financial services disclaimer.
9. Individual access
You have the right to request access to personal information we hold about you and to challenge its accuracy. Submit access requests to our Privacy Officer at [email protected] with sufficient information to verify your identity. We will respond within thirty days, as required by PIPEDA. Access may be limited or denied in circumstances permitted by law — for example, where disclosure would reveal personal information about another individual or is subject to solicitor-client privilege. We may charge a reasonable fee for document reproduction but not for the access request itself.
10. Challenging compliance
If you believe we have not complied with this Privacy Policy or PIPEDA, contact our Privacy Officer first. We will investigate all complaints and respond within a reasonable timeframe. If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.
11. Children's privacy
Our services are not directed at individuals under eighteen years of age. We do not knowingly collect personal information from minors. If we become aware that we have collected information from a minor, we will delete it promptly.
12. International transfers
We prefer to store and process data on servers located in Canada. Where service providers operate outside Canada, we ensure contractual protections equivalent to PIPEDA requirements and inform you of the countries involved. You may request details about cross-border data flows by contacting our Privacy Officer.
13. Cookies and tracking
We use cookies and similar technologies as described in our Cookie Policy. Essential cookies support site functionality; analytics cookies require your consent through our cookie banner. We do not use cookies for investment profiling or third-party advertising networks.
14. Changes to this policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email (with CASL consent) or a prominent website notice at least thirty days before taking effect. The "Last updated" date at the top of this page indicates the most recent revision.
15. Contact
Privacy Officer
AIFinanceFlow Technologies Inc.
360 Main Street, Suite 800
Winnipeg, MB R3C 3Z3
Email: [email protected]
Phone: +1 (204) 555-0164
16. Financial transaction data
Transaction imports power cash flow dashboards, categorisation, and budget flow plans. This data is not used to recommend securities, insurance products, lending instruments, or third-party investment platforms. Disconnection stops new imports; historical data remains per retention policy unless deletion is requested.
17. Employee access controls
Personnel access follows least-privilege principles with annual PIPEDA training, confidentiality agreements, and quarterly access log reviews. Contractors face equivalent contractual obligations including breach notification requirements.
18. Privacy impact assessments
New features materially affecting data collection undergo privacy impact assessment before release, informing consent updates and security enhancements.
19. Automated processing transparency
AI categorisation involves automated processing but requires your review before finalisation. No automated decisions affect pricing, creditworthiness, or service eligibility without human oversight channels available on request.
20. Complaint escalation timeline
Privacy complaints receive acknowledgement within five business days and substantive response within thirty days. Complex requests may require extension with written notice explaining delay reasons and expected completion date per OPC guidance. We maintain internal complaint registers reviewed quarterly by the Privacy Officer.