Introduction
SafeRetireCA (“SafeRetire Canada Inc.,” “we,” “our,” “us”) is a Canadian subscription platform that helps residents assess retirement readiness, model pension scenarios, and receive personalised guidance for building a secure pension plan. This Privacy Policy explains how personal information is collected, used, stored, and disclosed when subscribers, spouses, beneficiaries, and site visitors interact with our service.
Privacy Policy
We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial laws.
• Collection – We obtain: (a) profile information—name, email, province, date of birth, marital status; (b) financial inputs—RRSP, TFSA, and pension balances, contribution schedules, employer match details, income forecasts, debt obligations; (c) preference data—retirement age target, lifestyle cost estimates, risk-tolerance questionnaire answers; (d) technical data—device type, IP address, browser build, authentication logs; (e) support materials—chat transcripts and call recordings for quality assurance; (f) payment identifiers—the last four digits of the card, billing address, and transaction history.
• Use – Data are processed to generate personalised projections, surface contribution recommendations, create downloadable pension reports, issue security alerts, levy subscription fees, and meet audit and tax compliance obligations.
• Retention – Actuarial snapshots and cash-flow models are kept for the life of the account plus seven years, or longer if required by law to resolve disputes. Aggregate, de-identified statistics are retained indefinitely for research and product improvement.
• Access & Correction – Subscribers may review or correct profile and financial data at any time through Settings → Profile or by contacting privacy@saferetireca.com.
• Consent – We rely on express consent at registration and each time you connect an external institution. Implied consent covers non-identifiable telemetry required for security. Withdrawal is honoured unless legal or contractual duties override; we will outline any consequences before proceeding.
• Accountability – A designated Privacy Officer oversees internal audits, staff training, and responses to written privacy requests within 30 days.
GDPR
Although we target Canada, some users may reside in the European Economic Area (EEA). Where the EU General Data Protection Regulation (GDPR) applies, SafeRetire Canada Inc. is a data controller for account information and a data processor for data you import from European pension schemes. Processing grounds include contract necessity (Art. 6 (1)(b)), legitimate interest in platform security and service optimisation (Art. 6 (1)(f)), and legal obligation (Art. 6 (1)(c)). EEA residents have the right to access, rectify, erase, restrict, port, or object to processing, and may lodge complaints with their supervisory authority. Requests should be submitted to dpo@saferetireca.com.
Cookie Policy
4.1. Types of Cookies
• Essential – session tokens, CSRF guards, and load-balancer cookies that keep you signed in and route traffic securely.
• Preference – preserves dashboard language, currency, theme, and chart units.
• Analytics – first-party Matomo cookies with IP truncation that measure feature adoption and page latency.
• Marketing – optional cookies used to display new module announcements or partner discounts; never shared with ad networks.
4.2. How to Disable Cookies
Most browsers allow you to block or delete cookies. Essential cookies are required for console login; disabling them will prevent access. Preference and analytics cookies can be declined via our banner or by enabling “Do Not Track.” Marketing cookies load only after explicit opt-in and can be revoked under Account → Privacy at any time.
Transfer to Third Parties
We do not sell personal information. Disclosures occur only to:
• Canadian cloud providers hosting encrypted storage in Montréal and Calgary;
• PCI-DSS Level 1 payment processors;
• Independent actuarial auditors under confidentiality agreements;
• Legal counsel, regulators, or courts when legally compelled or to defend claims;
• Law-enforcement agencies if necessary to investigate fraud or protect public safety.
All vendors sign Data Processing Agreements guaranteeing safeguards equal to PIPEDA and, where applicable, EU Standard Contractual Clauses.
Data Security Measures
• AES-256-GCM encryption at rest with tenant-specific keys stored in FIPS 140-2 Level 3 Hardware Security Modules.
• TLS 1.3 with Perfect Forward Secrecy for data in transit.
• Zero-knowledge architecture—internal staff cannot view unencrypted account balances.
• Role-based access control enforced by WebAuthn multi-factor authentication.
• Hourly incremental and nightly full backups replicated across two Canadian regions with a 15-minute Recovery Point Objective and 4-hour Recovery Time Objective.
• Continuous vulnerability scanning, quarterly penetration tests, and an annual SOC 2 Type II audit.
• Incident-response plan that notifies affected users within 72 hours of a confirmed breach.
Effective Date
This Privacy Policy is effective as of 18 June 2025 and supersedes all previous versions. Material updates will be announced by email and in-app notice at least 30 days before enforcement.