Privacy Policy

1. Key Terms and Definitions

“Personal information” means information about an identifiable individual. It includes, without limitation, information relating to identity, nationality, age, gender, address, telephone number, email address, Social Insurance Number, date of birth, marital status, education, employment history, assets, liabilities, payment records, financial information, income and information relating to financial transactions as well as certain personal opinions or views of an Individual.

Personal information can also include information collected through Spendsafe’s website, such as device model, browser type and IP address. However, personal information does not include the name, title, business address or telephone number of a person or employee of an organization.

"Cardholder" means the individual who is registered as the prepaid cardholder. This is the individual approved for a Spendsafe Mastercard Reloadable Prepaid Card1.

"Guardian" means the individual applying for the Spendsafe Mastercard Reloadable Prepaid Card on behalf of the cardholder. These are the parents, guardians, etc. associated with a client.

“Customers” means the cardholder and guardian collectively.

"Database" means the list of names, addresses, emails, telephone numbers, etc. of clients and guardians held by Spendsafe in the form of, but not limited to, computer files and files on computer hard-drives and that may be at least partly in the Software and/or the App.

Service Providers” means the third-party company that Spendsafe procures services from (e.g. Peoples Trust Company).

App” means the app Spendsafe uses to carry on its business.

"Express consent" means the client or/and guardian has signed the application form, or other forms containing personal information, authorizing Spendsafe, and/or its Service Providers to collect, use, and disclose the individual's personal information for the purposes set out in the application forms, website or App, and this privacy manual.

"Implied Consent" means Spendsafe or its Service Providers may assume that the client or/and guardian consent to the information being used, retained and disclosed for the original purposes, unless notified by the client or/and guardian.

2. Policy Statement

Preamble

Spendsafe respects its customers’ personal information and is committed to ensuring the proper use, disclosure, protection and security of all personal information placed under its care and in accordance with Schedule 1 of the personal Information Protection and Electronic Documents Act (PIPEDA).

Specifically, this privacy policy explains the personal information Spendsafe processes, how Spendsafe processes it, for what purposes and when to dispose of it. This policy should be read together with Spendsafe’s AML/ATF Compliance Program manual.

Where there is a conflict, this policy will prevail. This policy applies to all Spendsafe’s personnel (owners, senior management, employees) and Service Providers (data custodians, suppliers and contractors).

The Ten Principles of PIPEDA

The ten principles of PIPEDA that form the basis of this Privacy Policy are as follows:

  1. Accountability: organizations are accountable for the personal information they collect, use, retain and disclose in the course of their commercial activities, including, but not limited to, the appointment of a Chief Privacy Officer;
  2. Identifying Purposes: organizations are to explain the purposes for which the information is being used at the time of collection and can only be used for those purposes;
  3. Consent: organizations must obtain an Individual’s express or implied consent when they collect, use, or disclose the individual’s personal information;
  4. Limiting Collection: the collection of personal information must be limited to only the amount and type that is reasonably necessary for the identified purposes;
  5. Limiting Use, Disclosure and Retention: Personal information must be used for only the identified purposes, and must not be disclosed to third parties unless the Individual consents to the alternative use or disclosure;
  6. Accuracy: organizations are required to keep personal information in active files accurate and up-to-date;
  7. Safeguards: organizations are to use physical, organizational, and technological safeguards to protect personal information from unauthorized access or disclosure.
  8. Openness: organizations must inform their clients and train their employees about their privacy policies and procedures;
  9. Individual Access: an individual has a right to access personal information held by an organization and to challenge its accuracy if need be; and
  10. Provide Recourse: organizations are to inform clients and employees of how to bring a request for access, or complaint, to the Chief Privacy Officer, and respond promptly to a request or complaint by the individual.

The Privacy Officer and Responsibilities

A Privacy Officer is the first point of contact at Spendsafe when it comes to privacy issues. They have the authority to intervene on privacy issues and is responsible for overseeing all activities related to the implementation of, and adherence to, the organization’s privacy practices, and to ensure operational procedures follow relevant privacy laws, including PIPEDA.

By law, all organizations must assign at least one person as their Privacy Officer. For Spendsafe, Claudius Otegbade has been appointed Spendsafe’s Privacy Officer.

As such, the Privacy Officer must be able to do the following:

  • Demonstrate knowledge of the organization’s personal information handling policies and procedures;
  • Demonstrate knowledge of the organization’s responsibilities under PIPEDA;
  • Explain the procedures for requesting personal information and filing complaints;
  • Have the support of senior management and the ability to intervene on privacy issues; and
  • Conduct or supervise complaint investigations.

Other responsibilities of the Privacy Officer include:

  • Developing and implementing personal information policies and practices.
  • Responding to requests for access to and correction of personal information
  • Working with the Information and Privacy Commissioner in the event of an investigation
  • Complying with all 10 fair information principles.
  • Protecting all personal information held by Spendsafe, including any personal information transferred to a third party for processing.
  • Conducting Privacy Audits and Impact Assessments, identifying risks and providing corresponding recommendations.
  • Training all front-line and management staff on privacy incidents and reporting.
  • Maintaining current knowledge of applicable Canadian privacy laws.
  • Responding to inquiries from privacy regulators and other government authorities.

3. Consent

Consent Mechanisms

Meaningful consent is an essential element of PIPEDA. Spendsafe is required to obtain meaningful consent for the collection, use and disclosure of personal information. To make consent meaningful, individuals must understand what they are consenting to. That is, they must understand the nature, purpose and consequences of the collection, use or disclosure of their personal information. The form of consent must consider the sensitivity of the personal information.

Express (Explicit) Consent - When Consent is Required

In many situations, Spendsafe will obtain the customer’s explicit consent when collecting, using or disclosing any personal information, except where otherwise required by law. (See below).

Spendsafe will also make reasonable efforts to ensure that the customers understand how their personal information will be used and disclosed.

Specifically, Spendsafe will obtain the knowledge and express written consent of new customers to collect, use or disclose personal information at the time they become a customer of Spendsafe through the acknowledgement (i.e. signing) and acceptance of the Customer Account or Service Agreements.

The knowledge and explicit consent of existing customers to collect, use or disclose personal information is also communicated through the publication, distribution and acceptance (i.e. signing) of new versions of the Customer Account Agreement as they may be issued from time to time.

The knowledge and explicit consent of a parent or guardian are required when collecting, using, or disclosing the personal information of any individual unable to provide meaningful consent themselves, such as children under 13 or mentally incapacitated adults. This consent must be obtained at the time they join Spendsafe through the signing and acceptance of the Customer Account or Service Agreements.

Implied Consent

In some other situations, consent between Spendsafe and an individual can be implied. Implied consent is consent that is not given explicitly, but which can be inferred based on the individual’s actions and the facts of a particular situation. While express consent is usually given on paper (i.e. through Customer Account or Service Agreements), implied consent is generally provided through actions.

Instances where implied consent will be applicable include:

  • When an individual signs-up for a service online (i.e. website or the mobile app) and provides their personal information; or
  • When an individual calls Spendsafe’s Customer Support and provides their personal information.

Disclosures Without Consent

Spendsafe can disclose any pertinent personal information to a solicitor representing the organization in any circumstance. This information is then protected by solicitor-client privilege.

The Privacy Officer must be advised of any planned disclosures of personal information under this provision.

Personal information can also be disclosed without knowledge or consent to a bailiff, private debt collection agency acting on behalf of Spendsafe or where the debt is assigned to a third party. Only the personal information required to collect the debt may be disclosed.

Other instances where personal information can be disclosed without consent include the following:

  • To a government institution for the purpose of communicating with next of kin or authorized representative of an injured, ill or deceased individual;
  • To a government institution or next of kin to help identify an individual who is injured, ill or deceased (if the individual is alive, they must be notified of disclosure without delay).
  • To a government institution or next of kin if the individual has been or may be the victim of financial abuse and disclosure is made for the purpose of preventing or investigating the abuse. It must be reasonable to expect the disclosure with knowledge and consent would compromise the ability to prevent or investigate the abuse.
  • For Witness Statements regarding insurance claims, if necessary to assess, process or settle the claim.
  • Disclosure may be made to another organization without consent where it is reasonable for investigating a breach of law or agreement, or detecting, suppressing or prevent fraud.
  • No consent is required when collecting, using or disclosing information produced in the course of employment, business or profession, if for consistent purposes.
  • PIPEDA legislation requires mandatory reporting of information relating to financial transactions where there are reasonable grounds to suspect that the transaction is related to the commission of a money laundering offence under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. This reporting is made to and must adhere to the requirements as prescribed by FINTRAC. In these instances, Spendsafe cannot disclose that a report has been filed or disclose the content of the report.

Sharing with Service Providers

Spendsafe may share information with service providers that perform services on the behalf of the company. Service providers may assist us with information storage; cloud and web-hosting services; payment processing; marketing; advertising; human resources management;

transaction monitoring, contact centre services; information technology services; and fraud prevention and detection, among other services.

Spendsafe will maintain a list of third parties to whom information has been disclosed or shared.

Spendsafe may store and process personal information in any country or region within the country where we have service providers, including countries outside of Canada, such as the United States, which may have different data protection rules. As a result, customers’ personal information may be securely used, stored or accessed in other countries and be subject to the laws of those countries.

However, Spendsafe will not store and process personal information within non-production (i.e. training, testing or development) environments. We will not share any personal information collected for the purpose of sending Customer Electronic Messages (CEMs) with third parties without the express consent of the individual, except where required by law. If personal information is shared, we will ensure that the third party complies with all applicable privacy and anti-spam legislation.

Tracking and Retention of Consent

Once consent is obtained, it is tracked through our secure customer relationship management (CRM) system. Each consent form is associated with the specific individual’s account or service agreement, and the details of the consent-such as the date of collection, the identity of the consenting parent or guardian, and the specific terms agreed to-are logged and stored within the system.

For its retention, consent records will be retained in client files as long as the use for which it was collected is active and for such periods of time as may be prescribed by applicable laws and regulations, resolve disputes, or enforce our agreements.

Specifically, where Spendsafe is required to keep records in accordance with the AML/CTF requirements, such records will be retained for a period of at least five years following:

  1. the termination of the agreement, in respect of business relationships;
  2. the day on which the last business transaction is conducted; and
  3. the day on which they were created, in respect of all other records.

These records are securely stored in both digital and, where applicable, physical formats to ensure they are preserved without risk of unauthorized access or loss. After the retention period expires, consent records are securely destroyed in accordance with data protection policies and regulatory requirements.

4. Personal Information

Personal Information We Collect

Spendsafe will collect the following type of personal information in order to establish a business relationship, offer our product or communicate with our customers:

Cardholders and Guardians (Customers):

Category Personal Information
Profile and Contact First and last name, email, phone, address, unique identifiers, financial info
Biometric Biometric data as part of ID verification
Identifiers Name, address, personal photo on ID, expiry dates, place of issuance
Demographic Age, DOB, nationality, sex, etc.

Website Visitors

Category Personal Information
Device/IP IP address, device ID, server, OS, browser
Web Analytics Page interactions, referring page, non-identifiable request IDs, statistics
Geolocation IP-based location, GPS data

Why We Collect Personal Information

Spendsafe is an incorporated business entity providing funding access to children through the use of its Spendsafe Mastercard Reloadable Prepaid Card; which is solely funded through the parents/legal guardian’s respective bank accounts or credit cards.

Spendsafe collects personal information on its customers for the following purposes:

  1. To establish a business relationship with the customer;
  2. To process their transactions.
  3. To verify their identity.
  4. To collect payment for their use of the Service.
  5. To track, improve and personalize our Services, content and advertising
  6. To troubleshoot problems with the Service.
  7. To comply with applicable laws and regulations, such as those relating to "know-your-customer,” terrorist financing, and anti-money laundering requirements (PCMLTFA);
  8. To detect and prevent fraud and other illegal uses of the Service.
  9. To send marketing notices, service updates, and promotional offers.
  10. To collect survey information that will be used to monitor or improve the use of our Service and overall customer satisfaction.
  11. To comply with the following regulatory and financial partners requirements:
    1. PIPEDA; and
    2. Service providers (banking partners) requirement.

How We Collect

Spendsafe may collect customers’ personal information directly, from third parties or automatically when a customer visits our digital platforms. Spendsafe may collect information from the following channels:

  1. Directly. Through the following:
    1. Application form;
    2. Spendsafe’s website; and
    3. Spendsafe’s App
  2. Third parties: - We can do this with the customer’s express consent or as permitted or required by law. For example, obtain customer’s personal information from the following categories of third parties:
    1. Credit bureaus
    2. Government institutions or regulatory authorities
  3. Public sources such as telephone directories, newspapers, Internet sites, commercially available marketing lists, or government agencies and registries like land or property registries or driver’s license offices, or public records as defined by applicable laws
  4. Other financial institutions including fraud management purposes
  5. Other organizations through business transactions or strategic partnerships. For example, Peoples Trust Company
  6. Third party identity verification and authentication Service Providers.

How we use and share Personal Information

When customers create an account through our website or use our services, we ask them to provide certain personal information as detailed above. We use this information to create and update their account, verify their identity and send communications about their account or assist when they contact customer support.

Personal information will be disclosed to only Spendsafe’s employees, senior management and directors who need to know the information for the purposes set out in this Privacy Policy. Personal information will also be disclosed to Service Providers with the individual's knowledge and consent, which may be implied as per this Privacy Policy.

Specifically, when we make reference to sharing information within Spendsafe, we mean sharing personal information within Spendsafe and its Service Providers. E.g. Peoples Trust Company).

We use and share personal information for the following purposes:

Cardholders and Guardians

  1. To provide customers with the requested services; Page 12 of 20
  2. To manage their account with Spendsafe;
  3. To respond to questions, comments or concerns regarding Spendsafe;
  4. To allow for more meaningful and useful marketing initiatives;
  5. Establish and authenticate customers’ identity and determine their eligibility to use Spendsafe’s products and services;
  6. Help to ensure that the products and services offered purchased by customers are appropriate for them;
  7. Send communications to by postal mail, email, text message, telephone, an automated dialling-announcing device at the numbers provided to us, fax, other telecommunication channels, social media or other methods;
  8. Better manage and improve customers’ overall relationship with Spendsafe, including monitoring, reviewing, analyzing or improving client services and business processes to make it easier to do business with Spendsafe;
  9. Perform everyday business and operations including recordkeeping or internal reporting;
  10. Manage Spendsafe’s credit, business and other risks so that Spendsafe operates as an effective, efficient and financially prudent program manager;
  11. Meet tax, legal and regulatory obligations;
  12. Protect Spendsafe and the customers from error and criminal activity, including the prevention, detection and investigation of fraud, money laundering, cyber threats and other such risks and threats; and
  13. Such other uses may be permitted or required by applicable law.

Website Visitors

  1. We use persistent cookies to measure site and mobile app usage, including browsing behaviour, to improve functionality, and evaluate the effectiveness of our sites, communications and promotional offers;
  2. We use location information derived from your IP address from your browser or mobile device and geolocation information (e.g., GPS location) from your browser or mobile device if you have enabled it to share this data;
  3. We may also use location information to personalize your user experience, including through site or mobile app content, marketing, or offers for products and services;
  4. Such other uses may be permitted or required by applicable law; and
  5. Such purposes for which Spendsafe may obtain consent from time to time.

We share customers’ information with our Service Providers to help determine the customers’ eligibility for a Spendsafe Mastercard Reloadable Prepaid Card.

How we keep Personal Information

Spendsafe protects and respects the confidentiality of all information entrusted to the company, except as permitted or required by law, contract or PIPEDA. Depending on the nature of the information, the customer’s personal information may be stored on Spendsafe’s server, in our computer systems or in record storage facilities of Spendsafe or its Service Providers.

Information may also be stored and processed in any country where our Service Providers operate. By using our products or services, customers will consent to the transfer of information to countries outside of Canada, including the United States, which may provide different data protection rules. Spendsafe and our Service Providers may perform activities outside of Canada. As a result, customers’ information may be securely used, stored or accessed in other countries and be subject to the laws of those countries.

How long we keep Personal Information

Personal information will be retained in client files as long as the use for which it was collected is active and for such periods of time as may be prescribed by applicable laws and regulations, resolve disputes, or enforce our agreements. Specifically, where Spendsafe is required to keep records in accordance with the AML/CTF requirements, such records will be retained for a period of at least five years following:

  1. the termination of the agreement, in respect of business relationships;
  2. the day on which the last business transaction is conducted; and
  3. the day on which they were created, in respect of all other records.

Where an application has been initiated but not completed, or where Spendsafe has rejected an application, the file and all personal information contained in the file will be retained for a period of six months (except for fraudulent applications - where the five-year rule will apply.

Lastly, all records that are required to be maintained under the PCMLTFA are to be retained in such a way that they can be provided to Peoples Trust Company within 30 days after a request is made. In addition, records may be kept in either machine readable form, if a paper copy can be readily produced from it or electronic form, if a paper copy can be readily produced from it and an electronic signature of the person who must sign the record is retained.

When the customer’s information is no longer required, Spendsafe shall securely destroy or make it anonymous.

How we secure Personal Information

Spendsafe is committed to securing customers’ personal information and has taken precautions to protect such information against unauthorized access, loss, theft of information, disclosure, inappropriate alteration, and misuse. We maintain appropriate physical, technical and administrative safeguards to help protect our customers’ personal information.

We update our security technology, standards and processes on an ongoing basis. We regularly test and audit our security measures and assess that they remain effective and appropriate. Our employees who have access to customers’ information are aware of the importance of keeping it confidential.

Information may be shared with or accessed by our Service Providers so that they can perform services on our behalf. We are always careful when selecting our Service Providers and require them to have privacy and security standards that meet Spendsafe’s requirements. We use contracts and other measures to maintain the security of our customers’ information and to prevent it from being used for any other purpose other than that for which it was intended.

These are some of the measures we use to protect our customers’ information:

  • Client information stored electronically is protected by a password. Access to Spendsafe’s electronic database is limited on a need-to-know basis for added security.
  • Spendsafe does not keep any hard copy client documents.
  • Access to client information will be limited to those who need to know the information for the purposes set out in the client’s consent or as otherwise permitted or required by law or contract.
  • Spendsafe’s personnel will never leave client personal information, in paper or electronic form, unattended or exposed to anyone other than the client.
  • Spendsafe will not send confidential personal information to clients by email without the client’s prior consent. Personal information sent to clients or about clients will employ password protected documents and/or secure email. If clients state they do not wish to receive emails in a secure method Spendsafe’s staff will inform clients that Spendsafe does not accept responsibility for communications sent in a non-secure way. This is documented in the client’s file.
  • Client information transmitted via email to third parties shall be sent in an encrypted format.
  • Web-based counselling will use an encrypted platform to protect client privacy and confidentiality.

How we secure Personal Information

Spendsafe makes every reasonable effort to keep our customers’ information as accurate, complete, and up-to-date as possible for the purposes in which it is used. However, Spendsafe heavily relies on the customer to update their personal information as soon as it changes.

Customers can update their information through the online account or by calling our customer care service line. Keeping customers’ information accurate and up-to-date allows us to continue to offer high quality services.

5. Accessing Customer’s Personal Information

Our customers have the right to access their personal information we hold about them. A customer who wishes to review or verify what personal information is held by Spendsafe, or to whom the information has been disclosed (as permitted by the Act), may make the request for access, in writing, to the Spendsafe's Privacy Officer.

Specifically, we will require our customers to put their request in writing. We will also need to verify their identity before searching for or providing them with access to their information. We will let them know in advance whether there will be a fee to provide access to their information. We may also ask for additional information to confirm the scope of their request, such as the relevant time period or a specific description of the information they are seeking to access.

Once we receive the written request, verify their identity and understand the scope of their request, we will provide a written response to their access request within 30 days, or the timeframe set by applicable privacy law.

If we have obtained information about them from others, they can ask us for the source of that information. On request and where legally permitted, we will provide them with the types of third parties to whom we have, or may have, given their information.

However, this will not include Service Providers we have used to do work for us. It will also not include reports to the Canada Revenue Agency, FINTRAC or information that has been provided for legal and regulatory obligations.

For those with a sensory disability, we will endeavour to provide them with access to their personal information in an alternate format, if so requested.

6. CASL Compliance

Canada's anti-spam legislation (CASL) protects consumers and businesses from the misuse of digital technology, including spam and other electronic threats.

Spendsafe is committed to adhering to Canada's Anti-Spam Legislation (CASL) to ensure that all Customer Electronic Messages (CEMs) sent by our organization comply with the law and respect the privacy of our customers. Specifically, we are committed to adhering to the following guidelines:

  • Method of Obtaining Express Consent for Customer Electronic Messages:

We will obtain express consent from parents or legal guardians before sending any commercial electronic messages (CEMs). Consent will be obtained through a clear, affirmative action, such as ticking a checkbox or completing an online form, where the intent to receive such messages is explicitly stated. This process is separate from obtaining consent for other privacy-related matters.

  • Disclosure of the Use/Intent of CEMs and Marketing:

At the time of obtaining consent, we will clearly inform the parents or legal guardians of the purpose for which their consent is being sought. This includes details about the types of CEMs they will receive, such as promotional offers, service updates, and marketing notices related to Spendsafe’s Mastercard Reloadable Prepaid Card and associated services and the frequency of such communications.

  • Management of CEMs:

Spendsafe will manage and monitor all CEMs to ensure compliance with CASL. This includes maintaining a record of all consents obtained and the communications sent. We will ensure that all CEMs contain the necessary identification information and a valid unsubscribe mechanism.

  • Procedure to Opt Out/Unsubscribe:

Every CEM sent by our organization will include a clear and easy-to-use unsubscribe mechanism, allowing recipients to withdraw their consent at any time. Below are the three ways customers can unsubscribe:

  • Unsubscribe by Text Message:
    • For CEMs sent via SMS, customers can opt out by replying with the word "STOP." This action will automatically unsubscribe them from receiving any further SMS communications from our organization.
  • Unsubscribe Link in Emails:
    • Every CEM will contain a prominent "Unsubscribe" link at the bottom of the email. By clicking this link, the recipient will be directed to a webpage where they can confirm their decision to opt out of receiving future communications. This process is simple and requires just a few clicks.
  • Contacting Customer Support:
    • Lastly, customers can also unsubscribe by contacting our customer support team via phone or email and requesting to be removed from the mailing list. Our team will process the request and ensure that the customer is unsubscribed.
  • In any case, once an unsubscribe request is received through any of the above methods, we will process it within 10 business days and cease sending any further CEMs to that individual unless they provide express consent again.

7. Breach and Incident Management

A privacy breach is an incident involving the unauthorized collection, use or disclosure of personal information. Unauthorized disclosures of personal information are the most common sources of privacy breaches and can occur when personal information is lost, stolen or inadvertently disclosed through human error.

Circumstances that could lead to a privacy breach include:

  • loss or theft of equipment containing personal information (e.g., memory sticks, disks, laptops)
  • e-mails sent to a wrong address or person
  • incorrect file attached to an e-mail
  • disposal of equipment containing personal information without secure destruction
  • insufficient controls in place to protect personal information in electronic files
  • information faxed to a wrong number
  • use of laptops, disks, memory sticks or other equipment to store or transport personal information outside of the office without adequate security measures

Upon discovery of a privacy breach or suspected breach, the following steps may need to be carried out simultaneously and in quick succession:

STEP 1: IMMEDIATELY IMPLEMENT PRIVACY BREACH PROTOCOL

  • Notify all relevant staff and senior management of the breach, including the Privacy Officer, and determine who else from within the organization should be involved in addressing the breach.
  • Develop and execute a plan designed to contain the breach and notify those affected.

STEP 2: NOTIFY OPC IF REQUIRED

  • Determine if we are required to report the breach to the Office of the Privacy Commissioner of Canada (OPC). We are required to report breaches to the OPC

under the circumstances set out in the PIPEDA regulation; these circumstances are described in the following section: "What you need to know about mandatory reporting of breaches of security safeguards.”

  • If we are required to report the breach to the OPC, we do so at the first reasonable opportunity, either online or by mail. (See a copy of the OPC reporting form here).

STEP 3: STOP AND CONTAIN THE BREACH

Identify the scope of the breach and take the necessary steps to contain it, including:

  • Retrieve and secure any personal information that has been disclosed.
  • Ensure that no copies of the personal information have been made or retained by the individual who was not authorized to receive the information. Their contact information should be obtained, in the event that follow-up is required.
  • Determine whether the privacy breach would allow unauthorized access to any other personal information (e.g. an electronic information system) and take necessary steps, such as changing passwords, identification numbers and/or temporarily shutting the affected system down.

STEP 4: NOTIFY THOSE AFFECTED BY THE BREACH

Spendsafe must take the necessary steps to notify those individuals whose privacy was breached, including:

  • Identify all affected individuals and notify them of the breach at the first reasonable opportunity. Notification can be by telephone or in writing or depending on the circumstances. There are numerous factors that may need to be taken into consideration when deciding on the best form of notification, such as the sensitivity of personal information.
  • When notifying individuals affected by a breach, we must:
    • Provide details of the breach to affected individuals, including the extent of the breach and what personal information was involved.
    • Advise all affected individuals of the steps that we are taking to address the breach, and that they are entitled to make a complaint to the OPC. If we have reported the breach to the OPC, we must advise them of this fact.
    • Provide contact information for someone within the organization who can provide additional information, assistance, and answer questions. (A FAQ document can be developed to assist with this process).

STEP 5: INVESTIGATION AND REMEDIATION

Spendsafe will be expected to conduct an internal investigation, including:

  • Ensuring that the immediate requirements of containment and notification have been met.
  • Reviewing the circumstances surrounding the breach.
  • Reviewing the adequacy of our existing policies and procedures in protecting customers’ information.
  • Ensuring all staff are appropriately educated and trained with respect to compliance with the privacy protection provisions of PIPEDA.

    • 8. Reporting Privacy Incidents and Complaints

    If a customer has a concern about Spendsafe 's personal information handling practices, a complaint, in writing, may be directed to the Spendsafe 's Privacy Officer below:

    Privacy Officer Spendsafe Inc. 600 Cochrane Dr.

    Suite 200

    Markham, ON L3R 5K3

    Or

    Email: info@spendsafe.ca

    When reaching out, customers are encouraged to include their name and contact information, the nature of their complaint, question or concern, details relevant to the matter and the names of any individuals whom they have already discussed the issue with.

    Upon verification of the individual's identity, Spendsafe 's Privacy Officer will act promptly to investigate the complaint and provide a written report of the investigation's findings to the individual.

    Where Spendsafe 's Privacy Officer makes a determination that the individual's complaint is well founded, the Privacy Officer will take the necessary steps to correct the offending information handling practice and/or revise Spendsafe 's privacy policies and procedures.

    Where Spendsafe 's Privacy Officer determines that the individual's complaint is not well founded, the individual will be notified in writing. If the individual is dissatisfied with the finding and corresponding action taken by Spendsafe 's Privacy Officer or the Privacy Officer is unable to resolve the concern, the individual may bring a complaint to the Office of the Privacy Commissioner of Canada (OPC) at the address below:

    Office of the Privacy Commissioner of Canada (OPC)

    30 Victoria Street Gatineau, Quebec K1A 1H3

    Telephone: 1-800-282-1376 Website: priv.gc.ca

    Last Updated: April 22, 2025

    Made for Kids.
    Trusted by Parents.
    ©2025 Spendsafe Financial Corp.

    This card is issued by Peoples Trust Company under licence from Mastercard International Incorporated.

    Mastercard is a registered trademark, and the circles design is a trademark of Mastercard International Incorporated. Apple and the Apple logo are trademarks of Apple Inc., registered in the U.S. and other countries. App store is a service mark of Apple Inc. Android and Google Play are trademarks of Google Inc.