© 2025 – All rights reserved. • Paragon Pragmatic Lending • 1915 Foxtail Terrace Kelowna BC V1P 1T9 • BCFSA Brokerage License X301089
Information is general and not legal, tax, or investment advice. Strategies like the Smith Manoeuvre (Maneuver) and cash/rental damming involve risk—consult a qualified tax professional.

Privacy

We’re privacy-first and cookieless by default.

We collect only the information required to underwrite Canadian mortgages, fulfill FSRA and FINTRAC obligations, and provide the services you request. Everything lives on Supabase (Montreal) with perfect row-level security, Cloudflare TLS, and immutable storage for AML evidence.

What we collect

Identity, contact, property, employment, and financial records uploaded by you or your Broker team, plus chat transcripts, AML/KYC results, CRA consent state, and CASL marketing opt-ins. Sensitive files are converted to PDF and stored in Supabase Storage buckets that enforce “PDF only” uploads and six-year retention.

How we use your data

We process information to determine mortgage suitability, submit applications to lenders, satisfy FSRA record keeping rules (six years after the term expires), and FINTRAC record keeping rules (AML evidence for at least five years). We do not sell data or use it for unrelated profiling. Cross-border transfers are limited to transient routing through Cloudflare; the canonical database, backups, and object storage remain in Canada.

Credit & marketing consent

Every signature event is logged in public.borrower_consents with the full text you signed, timestamp, IP address, user agent, and source (Express wizard, Broker-assisted tasks, CRA assistant, etc.). Marketing forms (contact/renewal reminders) land in marketing_contact_requests or renewal_reminders with the CASL statements you agreed to. Withdraw consent anytime by toggling settings in the dashboard or emailing [email protected].

Your rights (PIPEDA, Quebec Law 25)

  • Access & portability: download a complete JSON export of your profile, deals, document metadata, chat transcripts, CRA consents, and borrower consent history directly from the dashboard or by calling GET /api/privacy/export while signed in.
  • Correction: update contact/employment data inside the portal while an application is in progress or contact your Broker team.
  • Deletion: we honour deletion/withdrawal requests for anything not subject to FSRA (6-year) or FINTRAC (5-year) retention. Submit requests via Settings → Privacy or email the privacy officer.
  • Breach notification: we notify you and the Office of the Privacy Commissioner of Canada / Commission d'accès à l'information du Québec when there is any risk of “significant harm,” as documented in docs/compliance/05-incident-response-plan.md.

Security controls

  • Supabase RLS helpers guard every table and storage bucket (see docs/compliance/rls-matrix.md).
  • Edge middleware enforces authentication on /dashboard/**, rate limits public endpoints, and rewrites Supabase callbacks to server routes so service-role keys never touch the browser.
  • Next.js security headers (CSP, HSTS, Referrer-Policy, Permissions-Policy) are configured centrally in next.config.mjs.
  • Logs and incidents go through Sentry plus structured JSON logging (src/lib/logging.ts) so we can correlate access requests during audits.

Vendors & subprocessors

We maintain a living inventory in docs/compliance/vendors.csv. Core vendors today:

  • Supabase (Montreal region) for Postgres, Auth, Storage, and policy enforcement.
  • Cloudflare Workers / OpenNext for global TLS termination and rate limiting.
  • Finmo and CRA for borrower intake integrations initiated by staff.
  • Postmark/SMTP + Mailgun for notifications (no marketing blasts without CASL consent).

Each vendor goes through annual risk review (see docs/compliance/07-vendor-risk-management.md) that records data category, residency, and certification status.

Need help or want to escalate?

Contact our Privacy Officer at [email protected] or mail 401-815 Hornby Street, Vancouver, BC V6Z 2E6. Quebec residents may also reach the CAI directly. When emailing us, include the deal ID (if applicable) and whether your request is an access, correction, consent withdrawal, or complaint so we can respond within the statutory timelines (30 days under PIPEDA / 30 days under Law 25).

Borrowers with an active account can sign in to the portal to exercise access rights any time. If you have not yet created an account, email us and we will securely verify your identity before fulfilling the request.