Privacy Policy

Effective Date: September 13, 2023

Introduction

One Wealth Technologies Inc., and its group of companies operating as "OneVest" (“we”, “us” or “our[s]”) respect your privacy and are committed to protecting it by complying with this Privacy Policy. 

This Privacy Policy describes:

• how we collect, use, disclose and protect the personal information and demographic information of our customers and website users (“you”, “your[s]” or “the Client”);
• The types of information we may collect from you or that you may provide when you visit the onevest.com website as well as any other media form, media channel, website or mobile application (“App”) related, linked, or otherwise connected thereto (the “Site”); 
• Our practices for collecting, using, maintaining, protecting, and disclosing personal information.

Privacy laws generally define "Personal Information" as any information about an identifiable individual, which includes information that can be used on its own or with other information to identify, contact, or locate a single person such as your first and last name, phone number, email address, home address, etc. “Demographic Information'' includes your postal or zip code, country, general area, frequency of visits, etc. By using our Site, App or service, you grant your consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy. Personal information does not include business contact information (generally found on a business card or work email signature), including your name, title, or business contact information (work email address, office location, office direct line number, work cell phone number, office fax number, etc.).

The Site may include links to third party websites, plug-ins, services, social networks, or applications. Clicking on those links or enabling those connections may allow the third party to collect or share data about you. If you follow a link to a third party website or engage a third party plug-in, please note that these third parties have their own privacy policies and we do not accept any responsibility or liability for these policies. We do not control these third party websites, and we encourage you to read the privacy policy of every website you visit.

Our App may access and read accounts, data and/or content on your device (personal computer, browser, laptop, tablet, mobile phone or other device), and change settings of your device, for the following reasons: (i) allowing to access and use the service (or its features and functions); (ii) saving app images and sound files and writing usage logs to the device; (iii) sending and receiving data needed for App operations; (iv) to provide you notice when you are not connected to a network; and (v) in connection with your service usage. You consent to these activities by installing the App or otherwise using the service. Your device settings enable you to disable, change or limit some of these activities and you can disable all of them associated with the App by uninstalling the App.

Please read this Privacy Policy carefully to understand our policies and practices for collecting, using, disclosing and storing your information. If you do not agree with our policies and practices, your choice is not to use our Site. By accessing or using this Site, App or service, you indicate that you understand, accept, and consent to the collection, use and disclosure practices as described in this Privacy Policy. This Privacy Policy may change from time to time (see “Changes to Our Privacy Policy”). Your continued use of this Site after we make changes indicates that you accept and consent to those changes, so please check our Privacy Policy periodically for updates. We will notify you in advance of any material changes and obtain your consent to any new ways that we may collect, use, and disclose your personal information.

1. Collection and Use of Personal Information

We may collect and use personal information when you:

• Buy or use our products and/or services
• Create an OneVest profile through our App or an implementation of our App by a business partner or customer*
• Sign up to receive marketing emails such as newsletters, offers and promotions
• Apply for a job at OneVest
• Contact us with a comment, question or complaint

*Please note that certain products and/or services made available through our App have additional terms and conditions that may apply.

Information we collect

We collect and use several types of information from and about you, including:

• Personal information, that we can reasonably use to directly or indirectly identify you, such as your name, address, email address, telephone number, Internet Protocol (“IP”) address used to connect your computer to the Internet, and any other unique identifier we may use to contact you ("personal information")
• Technical information, that we and other third parties automatically collect about your device when you visit the Site including information about your web browser, time zone, and some of the cookies that are installed on your device, non-personal details about your Site interactions, including information about the individual web pages or products that you view, what websites or search terms referred you to the Site, and information about how you interact with the Site. We refer to this automatically-collected information as “Device Information.” 

We and other third parties collect Device Information (e.g. hardware model, IP address, other unique device identifiers, operating system version, and device settings you use to access our products and/or services) using the following technologies:

• “Log files” which track actions occurring on the Site, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.

• “Web beacons,” “tags,” and “pixels” which are electronic files used to record information about how you browse the Site.

Please refer to the applicable third parties’ privacy policies for more information.

• Usage information, such as information about the products and/or services you use, the time and duration of your use of our App or Site, what portions of the our App or Site you use, how often you use them, what links or materials (including advertising) you click when using our App or Site, whether you open the emails we send, what materials (including advertising) you view when using our App or Site, whether you make a purchase after seeing or clicking advertising we serve, the search terms you use, and other information about your interaction with content offered through our App and Site, and any information stored in cookies and similar technologies that we have set on your device.
• Location information, such as your computer’s IP address or general location (e.g. city/town/province/country), or with your express consent, your mobile device’s GPS-based location. Your location information is used to provide you with relevant information that relates to your location. You can adjust your location preferences at any time in your device settings.

As with many online services, certain limited data is required for our App to function on/with your device. This data includes the type of device hardware and operating system, unique device identifier, IP address, language settings, and the date and time the App accessed our servers. In addition, we may use third party service providers to collect analytical information about your use of the App, such as the feature you use and/or time spent on the App, collectively for the purposes of helping us to improve the App experience for all users and to manage and analyze data in order to better understand our users.

We may also monitor use of our App, Site and services by our guests in order to detect, investigate or prevent any actual or potential violation of our terms and conditions.

We may generate aggregated, non-identifiable data and use such information to monitor and improve the performance, use and stability of the App, Site and our products and/or services.

How We Collect Information About You

We use different methods to collect your information, including through:

• Direct interactions with you when you provide it to us, for example, by signing up for our waitlist, filling in forms or corresponding with us directly.
• Automated technologies** or interactions, as you navigate through our Site. For example, Device Information is automatically collected when you visit the Site.

**We may also use these automated technologies to collect information about your online activities over time and across third party websites or other online services (behavioural tracking). The information we collect automatically is statistical information and may include personal information, and we may maintain it or associate it with personal information we collect in other ways that you provide to us, or receive from third parties. It helps us to improve our Site and to deliver a better and more personalized service.

Customer Service:

When you contact us, we may collect information that identifies you (such as your name, email address, telephone number, address, etc.) along with any information we need to help us promptly answer your question or respond to your comment. We retain this information to assist you in the future and to help improve our customer service, products and/or services.

Email Marketing Communications:

If you sign up to receive email marketing communications from us about products, services, events, programs, promotions, and special offers that may interest you, you can unsubscribe at any time by clicking the “Unsubscribe” link included at the bottom of each email. Please note that you may continue to receive transactional or account-related communications from us.

Job Applications:

In connection with a job application for employment at OneVest or related inquiry, you may provide us with certain personal information about yourself (such as that contained in a resume, cover letter, or similar employment-related materials). We use this information for the purposes of processing and responding to your application for current and future career opportunities.

Other information We Collect:

We may also collect and use other information about you, your device, or your use of our products and/or services in ways that we described to you at the point of collection or otherwise with your express consent.

Social Media:

We may offer you the opportunity to engage with our content on or through social networking websites and applications. When you engage with our content in this context, the third party social networking website/application will collect, use or disclose personal information for the purposes of enabling you to engage with our content and as otherwise set out in their privacy policies. We may also collect, use and disclose certain information made available through such websites and applications for the purposes of responding to your outreach, analyzing your interactions with our content and otherwise maintaining our social media presence.

Surveys:

From time to time, we may offer you the opportunity to participate in one of our surveys. The information obtained through our surveys is used in an aggregated, de-identified form. We use this information to help us understand our customers and improve our products and/or services.

How we use your personal information

We use information that we collect about you or that you provide to us, including any personal information:

• To present our Sites and its contents to you.
• To provide you with information, products, or services that you request from us.
• To fulfill the purposes for which you provided the information or that were described when it was collected, or any other purpose for which you provide it.
• To carry out our obligations and enforce our rights arising from any contracts with you, or to comply with legal requirements.
• To notify you about changes to our Site or any products and/or services we offer or provide through it.
• To measure or understand the effectiveness of the advertising we serve to you and others, and to deliver relevant advertising to you.
• To help us screen for potential risk and fraud (in particular, by using your IP address)
• To improve and optimize our Site, products and/or services, marketing, or customer relationships and experiences (for example, by generating analytics about how our customers browse and interact with the Site, and to assess the success of our marketing and advertising campaigns).
• In any other way we may describe when you provide the information.
• For any other purpose with your consent.

We may also use your information to contact you about products and/or services that may be of interest to you, as permitted by law. If you do not want us to use your information in this way, please use the unsubscribe mechanism at the bottom of our emails or email us at optout@onevest.com.

Why we collect your personal information

Collecting information helps us serve you better. OneVest collect personal information only for the following purposes:

• to establish and maintain responsible commercial relations with you and provide you with ongoing service;
• to understand your needs and eligibility for products and/or services;
• to recommend particular products and/or services to meet your needs;
• to develop, enhance, market or provide products and/or services;
• to manage and develop the business and operations of OneVest, including personnel and employment matters; and
• to meet legal and regulatory requirements.

2. Sharing your personal information

The following provides information about purposes for which we may share your personal information. Our privacy practices vary depending on the type of information and sharing mechanisms.

With our Employees

Employee Training

We will share your personal information to OneVest employees on a need-to-know basis. These employees require access in order to fulfill their job requirements and/or provide you with our products and/or services. 

Since we are committed to raising awareness and building knowledge of privacy throughout OneVest, the following training and awareness initiatives will take place:

1. All new employees are required to take the privacy e-learning training module;
2. Targeted training will be delivered to key internal groups that are considered high risk due to the amount and sensitivity of the employee or customer information they manage (as part of OneVest’s annual compliance training program); and
3. On an ongoing basis, the Privacy Officer (“PO”) or delegate will deliver privacy briefings to the senior executive team and onboarding of new executives on their accountabilities under privacy legislation and targeted, proactive risk management/mitigation. The points of discussion will be recent regulatory changes, changing customer expectations, privacy trends and potential impacts on OneVest’s business operations and workplace.

The Compliance department will ensure that all new employees have received, reviewed, and understood their obligation to protect nonpublic personal information. The Chief Compliance Officer (“CCO”) or delegate will also remind all employees of their privacy protection obligations in connection with OneVest’s annual compliance training.

Conducting Privacy Impact Assessments

In addition to these training and awareness initiatives, Privacy Impact Assessment(s) (“PIA[s]”) will also be conducted on new and modified activities or initiatives to help identify and mitigate risks to individuals’ privacy. A PIA is a risk management process that helps organizations ensure that they meet legislative requirements and identify the impacts that their programs and activities will have on individuals’ privacy. 

A PIA is generally required if OneVest’s activity or initiative may have an impact on the personal information of individuals. If any of the following instances occur, this will trigger the need for OneVest to conduct a PIA:

• when personal information may be used as part of a decision-making process that directly affects the individual;
• when there are major changes to existing activities or initiatives where personal information may be used for an administrative purpose (meaning as part of a decision-making process that directly affects the individual); or
• when there are major changes to existing programs or activities as a result of contracting out or transferring activities or initiatives to another vendor, service provider or other third party.

The key employees who are involved in the PIA process include the following:

• Program staff (the individual or group of people responsible for developing and delivering the activity or initiative)
• Privacy staff (includes the PO)
• Internal/external legal counsel (if applicable)
• Information technology (“IT”) team (as required)
• Front-line staff (as required)
• Private-sector third parties, if involved in the program or activity
• Senior executive(s) responsible for new or substantially changed programs or activities 

We may not need to engage all of the parties listed above for each PIA, however, at a minimum, OneVest will involve relevant program and privacy staff in any PIA process.

With our Business Partners and Service Providers

We take reasonable steps to ensure that any business partners and service providers who we entrust with your personal information are reputable and have safeguards in place to help protect this information. We may share your personal information with our business partners, contractors, service providers (such as our affiliates*, delivery services, hosting vendors, advertising service providers, marketing service companies, etc.) and other third parties we use to support our business (such as data analytics and search engine providers that assist us with Site improvement and optimization) and who are contractually obligated to keep personal information confidential, use it only for the purposes for which we disclose it to them, and to process the personal information with the same standards set out in this Privacy Policy.  

Our business partners and service providers are given the information they need to perform their designated functions, and we do not authorize them to use or disclose personal information for their own marketing or other unrelated purposes. Our service providers may be located across Canada, in the U.S., or other foreign jurisdictions.

With Other Third Parties

Some content or applications on the Site are served by third parties, including advertisers, ad networks and servers, content providers, and application providers. These third parties may use cookies alone or in conjunction with web beacons or other tracking technologies to collect information about you when you use our Site. The information they collect may be associated with your personal information or they may collect information, including personal information, about your online activities over time and across different websites and other online services. They may use this information to provide you with behavioural advertising or other targeted content. We also share your personal information with advertisers and advertising networks that require the information to select and serve relevant advertisements to you and others.

For example, we use Google Analytics to help us understand how our customers use the Site - for more information, you can read more about how Google uses your personal information here: https://www.google.com/intl/en/policies/privacy/. To prevent the storage and processing of this data (including your IP address) by Google, you can also opt-out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.You can also obtain additional information on Google Analytics’ data privacy and security at the following links:

• https://policies.google.com/technologies/partner-sites; and
• https://support.google.com/analytics/topic/2919631. 

Where we share your personal information with third parties, those third parties will be required to handle your personal information in accordance with this Privacy Policy. However, where you provide your personal information directly to a third party such as through a link available on a Site, App or through a product and/or service, your personal information will be subject to the privacy policies of those third parties, so please familiarize yourself with the third parties’ privacy practices before providing your personal information to them.

In Connection with a Commercial Transaction (when necessary)

OneVest does not generally conduct commercial transactions requiring the disclosure of personal information on an ongoing basis. 

If and when this occurs, we may share your personal information, in accordance with applicable law, to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, change in corporate control, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our customers and users is among the assets transferred. The disclosure of personal information for this purpose will be primarily governed by this Privacy Policy and if personal information is being provided by a relinquishing organization, their privacy policy.

Also, depending on the purpose of the commercial transaction and the type of data being provided, additional consideration will be taken to ensure that all applicable regulatory requirements will be included in our PIA.

With Other Parties When Required or Permitted by Law, or As Necessary to Protect Our Guests and Services

We may also share your Personal Information:

• To comply with any formal and valid court order, law, or legal process, including responding to any public, government or regulatory request, in accordance with applicable law.
• To enforce or apply our terms and conditions of use and other agreements.
• If we believe disclosure is necessary or appropriate to protect and enforce the legal rights, property, privacy, or safety of OneVest, our customers, affiliates, business partners, employees, agents, guests or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.

Otherwise With Your Consent or at Your Direction

In addition to the sharing practices described in this Privacy Policy, we may share information about you with third parties whenever you consent to or direct such sharing of personal information. Without limiting the generality of any other terms of this Privacy Policy, we will obtain your consent to collect, use, or disclose personal information except where we are authorized or required by law to do so without consent. Your consent can be expressed, implied or given through an authorized representative such as a lawyer, agent, broker or other individual mandated by law.

Consent may be provided orally, in writing, electronically, through inaction (such as when you fail to notify us that you do not wish your personal information to be collected, used or disclosed for various purposes after you have received notice of those purposes) or otherwise.

If you provide personal information to us about another individual (e.g. spouse, partner, beneficiary, etc.), you represent and warrant to us that you have the consent of that person to provide their personal information to us. We will only use their personal information for the purpose of contacting them as you have requested, and we will thereafter destroy their personal information as applicable, unless they give their consent for us to retain it.

3. Digital Advertising

Types of digital technologies we may use

We and other companies that provide us with advertising and other services may use cookies, web beacons, and similar technologies (“digital technologies”) to facilitate administration and navigation of our App and Site, to better understand and improve our products and/or services, to determine and improve the advertising shown to you on our App and Site or elsewhere, and to provide you with a customized online experience, including by providing you with personalized content and ads that are of more interest to you.

Analytics

As already mentioned above, we may use a third party such as Google Analytics to help us gather and analyze information about the areas visited on our Site (such as the pages most read, time spent, search terms and other engagement data) to evaluate and improve the user experience and our Site. These third parties may use cookies and other tracking technologies. 

Beacons

We, along with third parties, also may use technologies called “beacons” (or “pixels”) that communicate information from your device to a server. Beacons can be embedded in online content, videos, and emails, and can allow a server to read certain types of information from your device, know when you have viewed particular content or a particular email message, determine the time and date on which you viewed the beacon, and the IP address of your device. We and third parties use beacons for a variety of purposes, including to analyze the use of our Site and (in conjunction with cookies) to provide content and ads that are more relevant to you on and off our Site.

Cookies

“Cookies” are small files that are placed on your computer or other device when you visit a website. Cookies may be used to store a unique identification number tied to your computer or device so that you can be recognized as the same user across one or more browsing sessions, and across one or more sites. Cookies serve many useful purposes such as:

• remembering your sign-in credentials, so you do not have to enter those credentials each time you visit our Site;
• helping us and third parties understand which parts of our Site are the most popular because they help us see which pages and features visitors access and how much time they spend on the pages (i.e. By studying this kind of information, we are better able to adapt our Site and provide you with a better client experience; and
• helping us and third parties understand which ads you have seen so that you don’t receive the same ad each time you visit our Site.

For more information on our Cookie Policy, please refer to Cookie Policy (onevest.com).

Interest-Based Advertisements

Interest-based advertising involves the tailoring of ads you see based on your personal information, including your activity in our App or on our Site. We may use third parties to serve ads on our App, Site, and on other websites and digital platforms. These third parties may use digital technologies to collect and use information about your visits to our App or Site and other websites (including usage information, such as web pages or other content you interact with and your response to ads) to measure the effectiveness of our and our third party advertiser marketing campaigns, and to deliver ads that are more relevant to you and others, both on and off our App and Site. We may also use services provided by third parties (such as social media platforms) to serve targeted ads to you and others on such platforms. For example, we may provide a hashed version of your email address, device ID or other information to the platform provider to facilitate the delivery of tailored advertising. To learn more or to opt-out of having your information used for interest-based behavioural advertising purposes, please see Section 4 below, “Privacy and Access Choices Available To You”.

Local Storage & Other Tracking Technologies

We, along with third parties, may use other kinds of technologies in connection with our App and Site. These technologies are similar to the cookies discussed above in that they are stored on your device and can be used to store certain information about your activities and preferences. However, these technologies may make use of different parts of your device from standard cookies, and so you might not be able to control them using standard browser tools and settings.

4. Privacy and Access Choices Available to You

Choices With Respect To Interest-Based Advertising

You can manage your preferences regarding interest-based advertising (including opting out) by visiting the Preferences section of your account in the App. Please note that even if you opt out of interest-based advertising, tracking technologies may still collect data for other purposes including analytics and you will still see ads from us, but the ads will not be interest-based ads.

You can opt-out of several third party ad servers' and networks' cookies simultaneously by using the Digital Advertising Alliance of Canada Opt-Out Tool or the opt-out tool created by the Network Advertising Initiative. You can also access these websites to learn more about online behavioural advertising and how to stop websites from placing cookies on your device. Opting out of a network does not mean you will no longer receive online advertising. It does mean that the network from which you opted out will no longer deliver ads tailored to your web preferences and usage patterns. We do not control these third parties' tracking technologies or how they are used. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly.

Choices With Respect To Digital Technologies

You may block digital technologies in your browser or device settings, as and if permitted by such device, but in some circumstances, disabling these features may interfere with your ability to access our products and/or services. 

Managing Your Account

You may access, modify to a certain extent or delete your account on the settings or profile page contained in your account or by contacting the PO at legal@onevest.com with a written request. Whichever way you contact us, we may ask that you confirm and verify your identity.

Marketing Communications.

You may opt-out of receiving email and other electronic messages from us (excluding transactional messages) by following the instructions contained in those messages. You can also contact us as set out below.

Privacy by Default

OneVest will utilize the “privacy by default” approach. This means that your privacy settings and/or technological functions will be automatically adjusted to the highest level of confidentiality and privacy at all times. You may need to adjust these settings or functions in order for us to continue providing you with our products and/or services. We will also implement new processes to request user activation for specific functions if necessary.

Your Rights

Subject to certain exceptions prescribed by law, you may have the right to access, update, and correct inaccuracies in your personal information in our custody and control and withdraw your consent to our collection of your personal information. 

You may request access, update and report corrections of inaccuracies in the personal information we have in our custody or control, withdraw your consent to the collection, use or disclosure of your personal information or exercise any additional privacy rights available to you by writing to us at the contact information set out below. 

We may request certain personal information for the purposes of verifying the identity of the individual seeking access to their personal information records. Please note that if you withdraw your consent to our collection, use or disclosure of your personal information, we may not be able to provide some or all of our products and/or services to you.

Accessing And Correcting Your Personal Information

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes. By law, you have the right to request access to and to correct the personal information that we hold about you.

We may request specific information from you to help us confirm your identity and your right to access, and to provide you with the personal information that we hold about you or make your requested changes. Applicable law may allow or require us to refuse to provide you with access to some or all of the personal information that we hold about you, or we may have destroyed, or erased in accordance with our record retention obligations and practices. If we cannot provide you with access to your personal information, we will inform you of the reasons why, subject to any legal or regulatory restrictions.

To make such a request, you may contact our PO at legal@onevest.com

Withdrawing Your Consent

Where you have provided your consent to the collection, use, and disclosure of your personal information, you may have the legal right to withdraw your consent at any time, subject to legal, contractual and other restrictions, provided that you give us reasonable notice under certain circumstances. If you notify us that you would like to withdraw your consent, if applicable, contact us at legal@onevest.com. Please note that if you withdraw your consent, we may not be able to provide you with a particular product and/or service. We will inform you of the likely consequences of that withdrawal, such as explaining the impact to you at the time to help you with your decision (i.e. our inability to provide certain products and/or services for which that information is necessary).

5. Data Security

Confidentiality

OneVest cannot guarantee complete confidentiality or security for information that is transmitted electronically. By accessing the Site, you acknowledge that OneVest is not responsible for any damages or losses you may suffer as a result of your electronic transmission of confidential or sensitive information to us.

Data retention, destruction & deletion of records

The security of your personal information is very important to us. We use physical, electronic, and administrative measures designed to safeguard your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure. In addition to this Privacy Policy, we have several internal policies and procedures to help protect your personal information, which include, but is not limited to:

• Access Control Policy
• Code of Conduct
• Data Management Policy
• Incident Response Plan
• Information Security Policy
• Operations Security Policy
• Third Party Management Policy

We restrict access to personal information on a need-to-know basis to employees and authorized service providers who require access to fulfill their job requirements.

Except as otherwise permitted or required by applicable law or regulation, we will only retain your personal information for as long as necessary for the purposes set out in this Privacy Policy or as otherwise required to meet legal or business requirements. 

Under securities legislation, we are required to retain your personal information for a minimum period of 7 years from the end of its fiscal year in which the last entry was made. After this time, we will ensure that the personal information in our custody and control will be destroyed and removed from our systems, premises, etc. 

Any requests to modify the retention period of specified records are subject to the express written approval of the CCO. No records may be destroyed or deleted without the prior express written consent of the CCO. 

OneVest shall not delete or destroy any business records relevant to any pending or imminent litigation or government investigation, or any audit in respect of OneVest or any advisory representative or associated person, until the matter is closed or legal counsel or delegate determines that disposal of such document is appropriate and in accordance with all applicable law.

In the event that OneVest becomes aware of any client proceeding or regulatory inquiry, the CCO or legal counsel shall immediately inform all affected departments to suspend the destruction of any relevant records.

Privacy Safeguards

• Restricted Access - All personal information of our clients, as well as all related files and records of OneVest and its employees and associated persons, shall be maintained on a network or system with appropriate access controls (a “Confidential System”) to prevent unauthorized access to OneVest’s premises, including controls to authenticate and grant access only to authorized individuals and entities. Employees and other associated persons of OneVest may not access or use personal information, unless there is a legitimate business need for such access or use.
• Monitoring and Prevention - OneVest shall develop monitoring systems and other procedures to detect actual and attempted attacks on, or other intrusions into, facilities and other locations, including electronic locations, where personal information is held. Personal information will be held in secure media. To preserve the integrity and security of personal information in the event of computer or other technological failure, these measures will include disaster recovery programs.
• Cybersecurity Practices for All Employees - OneVest has implemented the following procedures to protect proprietary and nonpublic personal information stored on electronic systems:

• Employees are not permitted to share their passwords or store passwords in a place that is accessible to others;
• Employees must lock their computers when they leave their workstation unattended for any extended period of time (i.e. off-site meeting, lunch, etc.);
• Any theft or loss of electronic storage media must immediately be reported to the Chief Technology Officer (“CTO”) or delegate;
•  Any inquiries or requests for representations about OneVest’s cybersecurity controls from third parties, such as clients, investors, vendors, or government officials, must be forwarded to the CCO;
• Any requests from third parties for independent access to OneVest’s networks or proprietary data must be forwarded to the CTO; 
• The CTO or delegate is responsible for setting up employee’s access permissions on OneVest’s computer network; and
• At least on an annual basis, the CTO or delegate conducts a cybersecurity risk assessment where they will provide the CCO with a summary of any moderate or high risk vulnerabilities that are identified, as well as a plan to remediate such risks. 

• Working in Public Places  - OneVest employees avoid discussing nonpublic personal information in public places where they may be overheard, such as in restaurants, cafes and elevators. Employees are aware that they must be cautious when using laptops or reviewing documents that contain nonpublic personal information in public places to prevent unauthorized people from viewing the information.
• Discarding Information - Employees may only discard or destroy nonpublic personal information in accordance with OneVest’s policies. Employees are reminded that electronic and hard copy media (if applicable) containing nonpublic personal information must be destroyed or permanently erased before being discarded.
• Other Security Controls we have in place:

• Secure office premises - OneVest’s work locations are only accessible via secured access passes. All guests and visitors to these locations must be registered with the front desk and will be accompanied by OneVest’s employees at all times.
• If applicable, filing cabinets located within the secure office premises must be locked at all times and a secure shredding practice for paper records must be adhered to in accordance with OneVest’s record retention guidelines.
• OneVest uses encryption methods such as secure portals for document and personal information transfers between networks.
• We have robust authentication processes, including complex passwords, multi-factor authentication, etc. for electronic records.
• We also use data centres with effective physical and logical data security controls.

Responding to Privacy Breaches

If any OneVest employee becomes aware of an actual or suspected privacy breach, including any improper disclosure of nonpublic personal information , that employee must promptly notify the CCO or delegate. Upon becoming aware of such a breach, the CCO or delegate will investigate the situation and take the following actions, as appropriate:

• To the extent possible, identify the information that was disclosed and the improper recipients;
• Notify appropriate members of senior management;
• Take any actions necessary to prevent further improper disclosures;
• Take any actions necessary to reduce the potential harm from improper disclosures that have already occurred;
• Discuss the issue with legal counsel, and consider discussing the issue with regulatory authorities and/or law enforcement officials (if applicable);
• Assess notification requirements imposed by applicable regulatory authorities and/or law enforcement officials (if applicable);
• Evaluate the need to notify affected clients or investors, and make any such notifications; 
• Collect, prepare, and retain documentation associated with the inadvertent disclosure and OneVest’s response(s); and
• Evaluate the need for changes to OneVest’s privacy policies and procedures in light of the breach.

Transmission of Information via the Internet

We endeavour to incorporate commercially reasonable physical, organizational, and electronic safeguards to help protect and secure your personal information, including physical, organizational, and technological safeguards. However, no data transmission over the Internet, mobile networks, wireless transmission or electronic storage of information can be guaranteed to be 100% secure. Because of these inherent risks and possible lack of confidentiality associated with the electronic transmission of information via the Internet or otherwise, OneVest does not guarantee the security and integrity of any electronic communications sent or received in relation to this engagement. Although we do our best to protect your personal information by checking its email correspondence with anti-virus software and other security software, we cannot guarantee: (1) that transmissions will be free from infection and (2) the security of your personal information transmitted to our Site. Any transmission of personal information is at your own risk. We accept no responsibility or liability for any damages as a result of communicating by means of the internet or other electronic media or for circumvention of any privacy settings or security measures contained on the Site.

6. Other Important Information

Applicable Law and Jurisdiction for Users within Canada

For residents and users within Quebec, the Privacy Policy, as amended from time to time, shall be governed by the laws of the province of Quebec and the federal laws of Canada applicable therein. For residents and users within all other Canadian provinces and territories outside of the province of Quebec, the Privacy Policy, as amended from time to time, shall be governed by the laws of the province of Ontario and the federal laws of Canada applicable therein.

Automated Decision Making

Only with your explicit consent and to enable you to purchase and/or use any of our products and/or services as required will OneVest engage any automated decision making tool or algorithm. 

Complaints Handling Procedures for Privacy Issues

• In most cases, a privacy-related complaint (“complaint”) is resolved simply by either sending it to us in writing or telling us about it. 
• OneVest will send an acknowledgement letter to you within 5 business days of a complaint being made, and once the complaint has been investigated, OneVest will send a formal written notification of the outcome of the complaint. However, if a client raises an issue verbally, it may not be readily apparent that the client is complaining. OneVest may ask the client to clarify a verbal complaint and, if applicable, put the complaint in writing.
• Where feasible, OneVest will attempt to resolve your complaint within 90 days.
• If the problem is not resolved to your satisfaction, you can contact OneVest’s Compliance Officer at compliance@onevest.com, or in writing to the following address: Attention: OneVest, PO Box 1145, STN Central, Calgary, AB, T2P 2K9.
• Should you not be satisfied with the outcome of our review, you may file a complaint with the Privacy Commissioner of Canada through their website at http://www.priv.gc.ca/ or by writing to the Office of the Privacy Commissioner of Canada, 30 Victoria Street, Gatineau, Quebec, K1A 1H3.

For more information on our complaint handling procedures for non-privacy related complaints, please refer to www.onevest.com/legal/complaint-resolution.

Compliance with Canadian Anti-Spam Legislation (“CASL”)

Compliance with CASL, which affects commercial electronic messages (“CEMs”), is important to OneVest. We will only send you CEMs if we have obtained your express opt-in consent to receive CEMs from OneVest. The CEMs that you will receive will only relate to the specific purposes for which you have granted. You may withdraw your consent and opt-out or unsubscribe from receiving CEMs at any time by following the “unsubscribe” instructions that are contained in our CEMs or that are available through our Site. All requests to unsubscribe or opt-out of receiving CEMs will be processed promptly. From time to time, we may update our Site and request that you download software, plug-ins, etc. in order to continue using our products and/or services. We will not install any software to your device without your consent.

Compliance with General Data Protection Regulation “GDPR”

GDPR is another privacy regulation set forth by the European Union (“EU”). This set of rules are created for data protection and privacy for all individuals and organizations within the EU. GDPR protects the data of any individual, regardless of their nationality, and any organization (regardless of where their headquarters are located) who has their data collected while they are within the borders of an EU country. Conversely, GDPR does not apply to the data of EU citizens if the data is collected outside of the EU’s borders.The EU member states are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK and any individual or organization who/which transmits or shares data within these countries must comply with the GDPR. OneVest has reviewed GDPR requirements against applicable Canadian regulations and have seen an overlap between these various legislation. With this in mind, we have taken the most prudent approach by complying with the most stringent requirements that were set forth by the different privacy laws and standards applicable to us.

International Transfers

We are headquartered in Canada however, please be aware that information you provide to us or that we obtain as a result of your use of our products and/or services may be collected in your jurisdiction and subsequently transferred to, maintained and/or processed outside of your jurisdiction (including for residents of the province of Quebec, outside of Quebec), including another jurisdiction by us or our service providers for the purposes mentioned above, in accordance with applicable law. 

Personal information processed and stored in another country by our third party service providers and agents who are not located or headquartered in Canada may be subject to disclosure or access requests by the governments, courts or law enforcement or regulatory agencies in that country according to its laws. In the United States, this means that if applicable, your personal information may be subject to U.S. disclosure obligations.

Please note that products and/or services of OneVest are only offered in jurisdictions where they may be lawfully offered for sale. 

Language

This Privacy Policy is available in both English and French and you have the option to read it in both languages. Furthermore, to the extent of any conflict between the English version and the French version of the Privacy Policy, the French version shall prevail for the residents and users within Quebec and the English version shall prevail for the residents and users within all other Canadian provinces and territories outside of Quebec.

Links to Third Party Sites

Our App and Site may link to third party websites and services that we do not operate and are outside of our control. For example, ads appearing in the App or on our Site may direct you to third parties. We are not responsible for the security or privacy of any information collected by other websites or other services. We are not responsible for the products or services offered by any third parties. Please exercise caution and review the privacy statements applicable to the third party websites and services you use.

Minors/Children’s Privacy

The Site is not intended for individuals under the age of majority (as specified by their province/territory of residence) without parental/guardian consent and no one under the age of majority may provide any personal information through the Site. If we learn that we have collected or received personal information from an individual under the age of majority without verification of parental consent, we will use reasonable efforts to dispose of that information in accordance with applicable laws and regulations. If you are the parent/guardian and you believe that your minor child has provided us with personal information,or we might have any information from or about an individual under the age of majority, please contact us at legal@onevest.com

In cases where certain products and/or services (RESPs, etc.), the authorized parent/guardian who provides the child’s/children’s personal information are excluded from this requirement. However, if OneVest learns that the child’s/children’s personal information was illegally obtained/provided, we will investigate further and may have to place a temporary hold or perhaps close the account if there is evidence of fraud, a breach of trust or other illegal activity.

Privacy By Default

OneVest may set your privacy settings to what we believe are the highest level of confidentiality by default, without any intervention from you. However, please note that browser cookies are exempt from this “privacy by default” requirement. 

Privacy Rights for Quebec Users

If you are a resident of the province of Quebec, you have the following rights in relation to your personal information:

• Right of Access. You may request information about your personal information held by us and a copy of the same.
• Right of Rectification. You may request correction of your personal information that is inaccurate or completion of such information which is incomplete.
• Right to Data Portability. You may request to receive a copy of your personal information which you have provided to us, in a structured, commonly used technological format and transmit the same to a third party designated by you.
• Right to be Forgotten/Deindexation. This enables you, under certain circumstances, to request that we cease to disclose any of your personal information, delete any information that we have collected from you or maintain about you (subject to certain exceptions) or that we deindex any hyperlink associated with your name and allow access to your personal information, if such disclosure is prohibited by law or otherwise deemed harmful. 

Prohibited Uses

Except in connection with permitted uses disclosed above, neither OneVest nor any of their employees or associated persons shall:

1. sell your personal information to any individual or third party;
2. copy, upload, or distribute personal information from OneVest’s databases or other external sources that originate from OneVest;
3. distribute personal information to anyone other than authorized personnel; or 
4. store, print, download, record, or distribute any file or other document containing personal information for their own use or for solicitation purposes. 

Changes to Our Privacy Policy

We may modify this Privacy Policy from time to time. We will notify you of changes by posting changes here, or by other appropriate means. Any changes to the Privacy Policy will become effective when the updated policy is posted on our App or the Site. Your use of our products and/or services or your provision of personal information to use our products and/or services following such changes indicates your acceptance of the revised Privacy Policy.  

We include the date this Privacy Policy was last revised at the top of the page. You are responsible for periodically visiting our Site and this Privacy Policy to check for any changes.

Contact us

For more information about this Privacy Policy or our privacy practices described in it, if you have any questions or concerns about how we treat your personal information, or if you would like to make a complaint, please contact us by email at legal@onevest.com or by mail using the details provided below:

Attention: Privacy Officer (OneVest), PO Box 1145, STN Central, Calgary, AB, T2P 2K9.

We have procedures in place to receive and respond to complaints or inquiries about our handling of personal information, our compliance with this policy, and with applicable privacy laws. To discuss our compliance with this policy, please contact our PO using the contact information listed above. Whichever way you elect to contact us, we may ask that you confirm and verify your identity.

Resources

Personal Information Protection and Electronic Documents Act (justice.gc.ca)

Personal Information Protection Act - AB

Personal Information Protection Act - BC

Personal Information Protection Act (Private Sector) - QC

*An “Affiliate” is an organization that directly or indirectly controls another entity, or has common control alongside another entity. An “Affiliate” could be a parent company or a subsidiary company. In our case, One Wealth Technologies Inc. is OneVest Management Inc.’s parent company and therefore is considered an “Affiliate”.