Privacy Policy
Last updated: June 22, 2025
WealthAIControl Solutions Inc. (« WealthAIControl », « we », « us ») protects your personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Ontario privacy standards. This policy explains collection, use, disclosure, and your rights.
1. Accountability
WealthAIControl Solutions Inc., 85 Sparks Street, Suite 400, Ottawa, ON K1P 5A5, is accountable for personal information under our control. Our Privacy Officer may be reached at [email protected]. The Privacy Officer oversees compliance, staff training, complaint handling, and cooperation with the Office of the Privacy Commissioner of Canada (OPC).
2. Identifying purposes
We collect personal information for: providing AI personal finance control and budgeting services; maintaining accounts; processing CAD billing with applicable HST; connecting financial accounts with consent; service communications; marketing only with CASL express consent; aggregated analytics; and legal compliance.
Purposes are identified at or before collection. New purposes require consent unless permitted by law.
3. Consent
Knowledge and consent are required except where inappropriate or legally permitted. Consent may be express (unchecked consent boxes) or implied for non-material policy updates. Withdrawal is permitted subject to legal or contractual restrictions. Financial transaction data requires express consent. Marketing consent is separate and independently withdrawable. Consent boxes are never pre-checked.
4. Limiting collection
We collect: name, email, phone, billing address, payment details (processed externally — no full card storage), hashed passwords, transaction data from linked accounts or CSV imports, AI control preferences, support correspondence, and technical data (IP, browser) for security. We do not collect SIN, passport numbers, or unrelated identifiers without disclosed legal necessity.
5. Limiting use, disclosure, and retention
Information is used only for identified purposes unless you consent to another use or it is legally required. Disclosures may occur to: service providers under contract; professional advisers under confidentiality; authorities under valid legal process; successors in mergers with continued PIPEDA protection. We do not sell personal information to marketers or investment firms.
Retention: active subscription duration plus twelve months post-cancellation for export and dispute support. Inactive accounts are archived after twenty-four months and deleted after thirty-six months unless earlier deletion is requested.
6. Accuracy
We take reasonable steps to maintain accuracy. You may update account information via the dashboard or by contacting the Privacy Officer. AI categorisations are suggestions requiring your verification before tax or legal reliance.
7. Safeguards
Protections include TLS in transit, AES-256 at rest, role-based employee access, MFA for admin systems, security assessments, and incident response. Breaches posing significant harm trigger PIPEDA notification to individuals and the OPC.
8. Openness
Privacy practices are published here and available through our Privacy Officer. Website footers include corporate identity, BN, HST, and financial disclaimers on every page.
9. Individual access
Send access requests or accuracy challenges to [email protected] with identity verification. We respond within thirty days per PIPEDA. Access may be limited where permitted by law. No fee for access requests; reasonable reproduction fees may apply.
10. Challenging compliance
Contact our Privacy Officer first. Unresolved complaints may be filed with the OPC at www.priv.gc.ca.
11. Children's privacy
Services are not directed at individuals under eighteen. We do not knowingly collect data from minors, and we delete it if discovered.
12. International transfers
We prefer Canadian server locations. Cross-border providers receive contractual PIPEDA-equivalent protections with country disclosure upon request.
13. Cookies
See our Cookie Policy. Analytics cookies require banner consent. No investment profiling cookies.
14. Policy changes
Material updates are communicated via email or website notice thirty days before taking effect. The « Last updated » date reflects the current version.
15. Contact
Privacy Officer, WealthAIControl Solutions Inc., 85 Sparks Street, Suite 400, Ottawa, ON K1P 5A5. Email: [email protected]. Phone: +1 (613) 555-0182.
16. Financial data handling specifics
Transaction data imported from linked accounts or CSV files is processed solely for budget control, categorisation, and reporting features you activate. We do not analyse transaction data to recommend securities, insurance products, or third-party financial instruments. Aggregated, de-identified datasets may inform platform improvements — never individual profiling for marketing resale. Account disconnection stops new imports immediately; historical data remains accessible per retention schedule unless you request deletion.
17. Employee and contractor access
Access to personal information is limited to employees and contractors with role-specific need. All personnel with data access receive PIPEDA training annually and operate under confidentiality agreements. Access logs are maintained and reviewed quarterly. Contractor agreements include data protection clauses requiring equivalent safeguards and breach notification obligations.
18. Privacy impact assessments
We conduct privacy impact assessments when launching features that materially change data collection or processing — such as new aggregation providers or additional account types. Assessment outcomes inform consent language updates and security control enhancements before feature release.
19. De-identification and analytics
Where analytics use de-identified data, we apply techniques designed to prevent re-identification of individuals from aggregated statistics. De-identified datasets exclude names, email addresses, account numbers, and other direct identifiers. Analytics never feed investment product recommendation engines.
20. Third-party links
Our website may link to external resources such as regulatory agencies or educational materials. Those sites operate under their own privacy policies. We are not responsible for third-party privacy practices and encourage reviewing their policies before providing personal information.
21. Automated decision-making
AI categorisation and spending insights involve automated processing but do not produce legal or similarly significant effects without your review step. No automated decisions deny service, adjust pricing, or affect creditworthiness. You may always override AI suggestions and request human support review of categorisation disputes.
22. Record keeping
Consent records, access request logs, and breach documentation are maintained for periods required by PIPEDA and internal audit policies — typically seven years for consent evidence and three years for routine access logs unless longer retention is legally mandated.
23. Marketing and CASL compliance
Marketing communications require express consent documented with timestamp, source page, and consent text version. We maintain suppression lists for unsubscribed addresses and honour withdrawal within ten business days. Implied consent is not used for promotional emails to new contacts obtained through the contact form — only service-related responses unless separate marketing opt-in is selected.
24. Sensitive personal information
We do not intentionally collect health information, biometric data, or government identifiers beyond what you voluntarily provide in support correspondence. If sensitive information is inadvertently submitted, contact our Privacy Officer for secure deletion. Financial transaction data is sensitive and receives enhanced encryption and access logging.
25. Data processing agreements
Third-party processors — hosting providers, payment gateways, email delivery services, and account aggregation partners — operate under written data processing agreements specifying permitted uses, security standards, breach notification timelines, and prohibition on independent commercial exploitation of client data.
26. Research and product development
Product improvements may use aggregated, de-identified transaction statistics — such as average categorisation correction rates — that cannot reasonably identify individuals. Individual-level data is never sold to researchers, advertisers, or financial product marketers.
27. Account closure and data deletion
Upon a verified deletion request, we remove personal identifiers from active systems within thirty days and from backups within ninety days except where retention is legally required for tax, fraud prevention, or dispute records. You receive a confirmation email when deletion completes.
28. Privacy by design
New features undergo privacy-by-design review assessing data minimisation, default privacy settings, and consent requirements before development sprints commence. Features requiring new data types receive updated consent language before launch.
29. Provincial privacy laws
While PIPEDA applies federally, we respect substantially similar provincial privacy legislation where applicable to Ontario and other provinces. Quebec Law 25 requirements are monitored for future applicability as our client base evolves.
30. Contact for privacy inquiries
For any privacy question not addressed above, contact our Privacy Officer at [email protected] or mail written requests to 85 Sparks Street, Suite 400, Ottawa, ON K1P 5A5. Include sufficient detail to verify identity for access or deletion requests.
31. Vendor security assessments
Before engaging new subprocessors handling personal information, we review security certifications, privacy policies, and breach history. Existing vendors undergo annual reassessment. Subprocessors failing assessment criteria are replaced or required to implement remediation plans with defined deadlines.
32. Anonymisation techniques
When anonymising data for analytics, we remove direct identifiers, generalise dates to month-level where appropriate, and suppress small cell sizes that could enable re-identification in sparse categories. Anonymisation procedures are documented in internal privacy playbooks available to the OPC upon lawful request.
33. Client responsibilities
You share responsibility for privacy protection by using strong unique passwords, enabling available security features, reviewing AI outputs before sharing exports externally, and notifying us promptly of suspected unauthorised account access. Shared household accounts require mutual agreement on permission levels between co-users.
34. Transparency reports
We publish annual summaries describing aggregate privacy metrics — access request volumes, deletion completions, and confirmed breaches — without identifying individual clients. Transparency reports are posted in the legal section of our website when available. Reports include summary descriptions of subprocessors added or removed during the reporting year. We encourage subscribers to review these summaries to understand how their data ecosystem evolves over time.
35. Cross-border complaint cooperation
We cooperate with the OPC and substantially similar provincial commissioners when lawful complaints involve cross-jurisdictional data flows, providing requested documentation within regulatory timelines.