Privacy Policy

Done.com Inc. ("Done.com", "we", "us", or "our") is committed to protecting the privacy of individuals in Canada. This Privacy Policy explains how we collect, use, disclose, retain, and protect your Personal Information in compliance with Canada's federal Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, provincial private-sector privacy laws (Alberta Personal Information Protection Act (PIPA), British Columbia Personal Information Protection Act (PIPA), and Quebec's Act respecting the protection of personal information in the private sector as amended by Law 25).

This Policy applies to our websites, applications, products and services, and any interaction you have with us. If a separate privacy notice applies to a particular product or activity, that notice will govern to the extent of any conflict.

1) Definitions

"Personal Information" means information about an identifiable individual. It includes information that can be used alone or in combination with other information to identify you, such as your name, contact details, identifiers, or financial information.

"De-identified Information" means information that does not identify an individual and cannot be linked to an individual in reasonably foreseeable circumstances.

"Business Contact Information" means an employee's name, position name or title, business telephone number, business address, business email and fax number, and other similar information used for contacting the individual in relation to their employment or profession. In some provinces, Business Contact Information is not considered Personal Information.

2) Information We Collect

We collect only the Personal Information reasonably necessary for the purposes described in this Policy. The categories include:

• Identifiers and contact details: name, date of birth, nationality, address, email, phone number, government-issued ID numbers (where permitted/required), IP address.
• Professional details: education, employment status, employer name, role/position.
• Financial and transactional information: bank details (e.g., institution, account identifiers), payment records, transaction history, and information required by anti‑money laundering and anti‑terrorist financing (AML/ATF) laws.
• Account and interaction data: records of communications (meetings, calls, chats, emails), preferences, support requests.
• Online activity data: device information, log data, pages viewed, approximate geolocation, cookies and similar technologies (see Section 10).
• Inferences and preference data: service usage patterns, segments for personalization, participation in promotions or events.

We generally do not collect sensitive categories such as racial or ethnic origin, political opinions, religious or philosophical beliefs, or sexual orientation, unless strictly necessary and permitted by law (e.g., to comply with AML/ATF requirements).

3) How We Collect Personal Information

• Directly from you when you use our services, create an account, make a purchase, or communicate with us.
• From your organization (e.g., if you are an employee, representative, or beneficial owner of a customer).
• From service providers and business partners who assist us in delivering our products and services.
• From publicly available sources (e.g., government publications, public websites, professional profiles, and social media you make public).

4) Purposes for Collection, Use, and Disclosure

We collect, use, and disclose Personal Information for the following purposes:

• Providing, personalizing, and improving our products and services; operating accounts; processing transactions; customer support.
• Conducting identity verification, due diligence, risk assessments, and complying with legal and regulatory obligations (including AML/ATF compliance under the PCMLTFA).
• Communicating with you about your account, transactions, service updates, events, and marketing (with your consent where required).
• Managing information technology and security, ensuring service continuity, detecting, investigating, and preventing fraud or abuse.
• Analytics, research, and product development, including creating de‑identified or aggregated insights.
• Maintaining business records, enforcing agreements, and protecting our rights and the security of our users and systems.

5) Consent and Appropriate Purposes

We collect, use, and disclose Personal Information with your knowledge and consent, except where otherwise permitted or required by law. Your consent may be express or implied, depending on the sensitivity of the information and reasonable expectations. We will not require you to consent to the collection, use, or disclosure of information beyond what is necessary to provide the product or service.

You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. If you withdraw consent, we will inform you of any implications (for example, where we cannot provide or continue a service).

We limit our handling of Personal Information to purposes that a reasonable person would consider appropriate in the circumstances (PIPEDA s.5(3)).

6) How We Share Personal Information

We may disclose Personal Information to:

• Our affiliates and brands for the purposes described in this Policy.
• Service providers who perform services on our behalf (e.g., cloud hosting, security, payments, analytics, identity verification). We require them by contract to protect Personal Information and use it only as instructed.
• Business partners, independent agents, or intermediaries involved in delivering our services, where appropriate.
• Law enforcement, regulators, courts, or other public authorities where we are required or permitted by law (e.g., to meet AML/ATF obligations, respond to legal process, or protect rights and safety).
• Professional advisors (e.g., lawyers, auditors) under confidentiality obligations.
• Other parties with your consent or as permitted/required by law.

7) Transfers Outside Canada

Your Personal Information may be transferred to and processed in jurisdictions outside your province or outside Canada (e.g., the United States) where privacy laws may offer a different level of protection. When we transfer information to service providers or affiliates in other jurisdictions, we remain accountable for it and use contractual and organizational measures to ensure a comparable level of protection. Where required (e.g., in Quebec), we conduct a privacy impact assessment for cross‑border transfers and proceed only if the information will receive adequate protection.

8) Security Safeguards

We use physical, organizational, and technological safeguards appropriate to the sensitivity of the information to protect against loss, theft, and unauthorized access, disclosure, copying, use, or modification. However, no method of transmission or storage is completely secure; we cannot guarantee absolute security.

9) Retention and Destruction

We retain Personal Information only as long as necessary to fulfill the purposes for which it was collected and to meet legal, regulatory, tax, accounting, or reporting requirements. For example, certain financial and identity records may be retained for at least five (5) years to comply with AML/ATF laws. When information is no longer required, we will delete, anonymize, or securely destroy it.

10) Cookies and Similar Technologies

We use cookies and similar technologies to operate our sites, remember your preferences, measure performance, and personalize content. You can manage cookie preferences through your browser settings. Some cookies are necessary for site functionality and cannot be disabled without affecting performance.

11) Automated Decision-Making and Profiling

If we use automated processing to make decisions that produce legal effects concerning you or significantly affect you, we will provide meaningful information about the logic involved and the significance and consequences of such processing, as required by applicable law (e.g., Quebec Law 25). You may also have the right to request human review of such decisions where required by law.

12) Your Privacy Rights

• Access: request information about our handling of your Personal Information and obtain access to it.
• Correction: request correction of inaccurate or incomplete Personal Information.
• Withdrawal of consent: withdraw consent to our processing, subject to legal/contractual limits.
• Portability (Quebec): request a copy of certain computerized Personal Information in a structured, commonly used format, where required by law.
• Marketing choices: opt out of marketing communications at any time using the unsubscribe link or by contacting us.

To exercise your rights, contact our Privacy Officer using the details in Section 15. We may need to verify your identity before responding. We will respond within the timelines required by applicable law.

13) Children's Privacy

Our services are not intended for children under the age where meaningful consent can be obtained under applicable law. If you believe a child has provided us with Personal Information without appropriate consent, please contact us so we can delete it.

14) Data Breach Notification

We will assess all privacy incidents and, where a breach creates a real risk of significant harm, we will notify the Office of the Privacy Commissioner of Canada (and any applicable provincial commissioner), notify affected individuals, and keep records of all breaches as required by law.

15) Contacting Us and Complaints

Privacy Officer: Done.com Inc.

Email: info@done.com

16) Changes to this Policy

We may update this Policy to reflect changes to our practices or legal requirements. We will post the updated Policy on our website with a new effective date and will notify you of significant changes through our usual communication channels.