Privacy Policy

This Privacy Policy explains how Cambrian Credit Union ("we," "us," "our," or "the Credit Union") collects, uses, discloses, and protects your personal information when you visit our website at cambrlan.com, use our financial services, or interact with us in any other way. We are committed to protecting your privacy and handling your personal information responsibly, in compliance with applicable Canadian privacy legislation and international best practices.

Please read this Privacy Policy carefully before using our services. By accessing or using our website and services, you acknowledge that you have read, understood, and agree to the practices described in this policy. If you do not agree with the terms of this Privacy Policy, please discontinue your use of our services immediately.

1. Who We Are

Cambrian Credit Union is a member-owned financial cooperative operating in Canada. We provide a range of financial products and services to our members, including savings accounts, loans, mortgages, investment products, and digital banking services.

As a federally and provincially regulated financial institution operating in Canada, we are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) at the federal level, and applicable provincial privacy legislation where it applies. Where relevant, we also align our practices with the principles of the General Data Protection Regulation (GDPR) as a recognized international benchmark for data privacy and protection.

2. Scope of This Privacy Policy

This Privacy Policy applies to:

• All personal information collected through our website at cambrlan.com
• Personal information collected through our mobile banking applications
• Personal information collected through in-branch interactions, telephone calls, and written correspondence
• Personal information collected from third parties in connection with the delivery of our services
• Personal information collected through our marketing and promotional activities

This policy does not apply to third-party websites that may be linked from our website. We encourage you to review the privacy policies of any third-party sites you visit.

3. Information We Collect

We collect various categories of personal information depending on how you interact with us and the services you use. The collection of your personal information is always done with your knowledge and, where required by law, with your consent.

3.1 Personal Identification Information

When you apply for membership, open accounts, or use our financial services, we collect:

• Full legal name
• Date of birth
• Social Insurance Number (SIN), where required by law or regulation
• Government-issued identification details (driver's licence, passport, etc.)
• Home address and mailing address
• Telephone numbers (home, work, and mobile)
• Email address
• Signature
• Marital status and family information (where relevant to financial planning)
• Employment information, including employer name, occupation, and income details

3.2 Financial Information

To deliver our financial products and services, we collect:

• Account numbers and transaction history
• Credit history and credit scores (obtained with your consent from credit bureaus)
• Income and asset information
• Debt obligations and liabilities
• Investment and savings information
• Mortgage and loan details
• Banking and payment details
• Tax-related information, including T-slips and tax returns (where applicable)

3.3 Usage Data and Digital Interactions

When you use our website or digital banking platform, we automatically collect certain technical information, including:

• IP address and approximate geographic location derived from your IP address
• Browser type and version
• Operating system and device type
• Pages visited on our website and the order in which they were visited
• Time and date of your visit
• Time spent on each page
• Links clicked and features used
• Referring website or URL
• Search terms used to find our website
• Login times and session duration for online banking
• Error logs and crash reports

3.4 Device Information

When you access our services through mobile devices or computers, we may collect:

• Device identifiers (such as device ID or advertising ID)
• Mobile carrier information
• Network connection type (Wi-Fi, cellular)
• Hardware model and specifications
• Push notification tokens (if you have enabled notifications)
• Biometric data used for device authentication (such as fingerprint or facial recognition), processed solely on your device

3.5 Cookie and Tracking Data

We use cookies and similar tracking technologies on our website. Please refer to Section 8 of this Privacy Policy and our dedicated Cookie Policy available on our website for detailed information about our use of cookies, the types of cookies we use, and how to manage your cookie preferences.

3.6 Communications and Correspondence

We retain records of communications between you and us, including:

• Emails and letters sent to and from us
• Recordings of telephone calls (where permitted by law and where you have been notified)
• Chat messages and live support transcripts
• Survey responses and feedback forms
• Social media interactions where you contact us publicly or privately

3.7 Information from Third Parties

In some circumstances, we receive personal information about you from third parties, including:

• Credit reporting agencies (Equifax, TransUnion)
• Other financial institutions during account transfers or loan verifications
• Government agencies and regulatory bodies
• Your authorized representatives, such as financial advisors or legal counsel
• Publicly available sources, such as land registry records or corporate registries
• Fraud prevention and identity verification services

4. How We Use Your Personal Information

We use personal information only for the purposes for which it was collected, with your consent, or as otherwise permitted by law. The primary purposes for which we use your personal information include:

4.1 Service Provision and Account Management

• Establishing and maintaining your membership and accounts
• Processing transactions, payments, and transfers
• Evaluating and processing applications for credit, loans, mortgages, and other financial products
• Providing customer support and responding to your inquiries
• Sending account statements, notices, and confirmations
• Verifying your identity and preventing unauthorized access
• Administering registered plans (RRSPs, TFSAs, RESPs, etc.)

4.2 Legal and Regulatory Compliance

• Complying with anti-money laundering (AML) and counter-terrorist financing (CTF) obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA)
• Meeting requirements under the Income Tax Act (Canada) and related tax reporting obligations
• Fulfilling obligations under provincial credit union legislation
• Responding to lawful requests from regulatory bodies, law enforcement agencies, and courts
• Conducting know-your-client (KYC) verification
• Maintaining records as required by applicable laws and regulations

4.3 Risk Management and Fraud Prevention

• Detecting, investigating, and preventing fraudulent transactions and unauthorized activities
• Assessing creditworthiness and managing credit risk
• Protecting against cybersecurity threats and data breaches
• Conducting internal audits and compliance reviews

4.4 Analytics and Service Improvement

• Analyzing usage patterns and trends to improve our website and digital services
• Conducting research and analysis to develop new products and services
• Measuring the effectiveness of our digital platforms
• Testing and implementing system improvements and updates
• Generating aggregated and anonymized statistical reports

4.5 Marketing and Communications

With your consent where required by Canada's Anti-Spam Legislation (CASL), we may use your personal information to:

• Send you information about our products, services, and promotions that may be of interest to you
• Deliver personalized offers and recommendations based on your financial profile and usage patterns
• Invite you to participate in surveys, contests, or special events
• Send newsletters and educational financial content

You may withdraw your consent to receive marketing communications at any time by contacting us at [email protected] or by clicking the "unsubscribe" link in any marketing email we send you.

5. Disclosure of Personal Information to Third Parties

We do not sell, rent, or trade your personal information to third parties for their own marketing purposes. However, we may disclose your personal information in the following circumstances:

5.1 Service Providers and Business Partners

We engage third-party service providers who assist us in delivering our services. These providers are contractually bound to protect your information and use it only for the purposes for which it was disclosed. They include:

• Information technology and cloud hosting providers
• Payment processors and interbank networks (e.g., Interac, Visa, Mastercard)
• Credit bureaus and identity verification services
• Printing and mailing services for account statements
• Analytics and website optimization providers
• Cybersecurity and fraud detection services
• Legal, accounting, and professional advisory firms
• Insurance providers (in connection with credit insurance products)
• Investment platform providers

5.2 Legal Requirements and Law Enforcement

We may disclose personal information when required or permitted by law, including:

• In response to a valid court order, subpoena, or warrant
• To comply with reporting obligations to regulatory bodies such as the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC)
• To prevent, detect, or investigate suspected fraud or illegal activity
• To protect the safety of our members, employees, or the public
• In connection with a legal dispute involving Cambrian Credit Union

5.3 Business Transactions

In the event of a merger, acquisition, amalgamation, or sale of assets involving Cambrian Credit Union, personal information may be transferred to the acquiring or successor entity, subject to equivalent privacy protections. We will notify you of any such change in ownership or control through our website or by direct communication.

5.4 Credit Union System

As part of the cooperative credit union system in Canada, we may share information with provincial centrals, Credit Union Central of Canada, and affiliated organizations for purposes such as liquidity management, system governance, and collective service delivery, always subject to appropriate confidentiality obligations.

6. Data Security

We take the security of your personal information seriously and implement a comprehensive set of administrative, technical, and physical safeguards to protect it from unauthorized access, use, disclosure, alteration, or destruction.

6.1 Technical Safeguards

• End-to-end encryption (TLS/SSL) for all data transmitted between your device and our servers
• Encryption of stored sensitive data, including financial and identification information
• Multi-factor authentication (MFA) for online banking access
• Firewalls, intrusion detection systems, and continuous network monitoring
• Regular vulnerability assessments and penetration testing
• Secure backup and disaster recovery systems

6.2 Administrative Safeguards

• Role-based access controls ensuring employees access only the information necessary for their duties
• Mandatory privacy and security training for all staff
• Confidentiality agreements with all employees and contractors
• Regular privacy impact assessments for new programs and technologies
• Formal data breach response and notification procedures

6.3 Physical Safeguards

• Secured physical access to server rooms and data centres
• Locked filing systems for physical records containing personal information
• Secure disposal of paper and electronic records containing personal information

Despite these measures, no method of data transmission or storage is completely secure. While we strive to protect your personal information using commercially reasonable means, we cannot guarantee absolute security. In the event of a data breach that creates a real risk of significant harm, we will notify affected individuals and the Office of the Privacy Commissioner of Canada (OPC) in accordance with PIPEDA's mandatory breach reporting requirements.

7. Your Rights Regarding Your Personal Information

Under PIPEDA and applicable provincial privacy laws, you have several rights with respect to your personal information. We are committed to facilitating the exercise of these rights in a timely and transparent manner.

To exercise any of these rights, please submit a written request to us at [email protected]. We will respond to your request within 30 days of receipt. In complex cases, we may extend this period by an additional 30 days, in which case we will notify you of the extension and the reasons for it.

We may require you to verify your identity before processing your request to protect against unauthorized access to your personal information.

8. Cookies and Tracking Technologies

Our website at cambrlan.com uses cookies and similar tracking technologies to enhance your browsing experience, analyze website traffic, and support our marketing efforts. This section provides a brief overview of our cookie practices.

8.1 Types of Cookies We Use

• Essential Cookies: Strictly necessary for the operation of our website and online banking platform, including session management and security features.
• Functional Cookies: Allow us to remember your preferences, such as language settings and regional preferences, to provide a personalized experience.
• Analytics Cookies: Help us understand how visitors interact with our website by collecting information about pages visited, time spent, and navigation paths. We use this data to improve our website's performance and content.
• Marketing Cookies: Used to deliver relevant advertisements and promotional content, and to track the effectiveness of our marketing campaigns. These require your explicit consent.

8.2 Managing Your Cookie Preferences

You can manage your cookie preferences through the cookie consent banner displayed when you first visit our website. You may also configure your browser settings to block or delete cookies, although doing so may affect the functionality of our website and online banking services.

For complete information about the cookies we use, their purposes, and how to manage them, please refer to our Cookie Policy available on our website at cambrlan.com.

9. Data Retention

We retain your personal information only for as long as is necessary to fulfill the purposes for which it was collected, or as required by applicable laws and regulations. The following general retention periods apply:

When personal information is no longer required, it is securely destroyed, deleted, or anonymized in accordance with our records management procedures.

10. Children's Privacy

Our primary financial services and digital banking platform are intended for individuals who are 18 years of age or older. We do not knowingly collect personal information from children under the age of 18 without the consent of a parent or guardian.

We recognize that minors may hold certain accounts at Cambrian Credit Union (such as youth savings accounts) in accordance with applicable law. In such cases, we collect and process personal information with the involvement and consent of a parent or legal guardian, and we take additional care to protect the privacy of young members.

If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us at [email protected], and we will take prompt steps to review and, where appropriate, delete that information.

11. International Data Transfers

Cambrian Credit Union is a Canadian financial institution, and we primarily store and process personal information within Canada. However, some of our third-party service providers — particularly cloud computing, technology, and software-as-a-service (SaaS) providers — may store or process data on servers located in other countries, including the United States and other jurisdictions.

When personal information is transferred outside of Canada, we take steps to ensure that it receives a comparable level of protection to that provided under Canadian privacy law, including:

• Entering into data processing agreements and contractual clauses that impose PIPEDA-equivalent privacy obligations on foreign service providers
• Conducting due diligence assessments of the privacy and security practices of international service providers
• Where applicable, aligning with GDPR transfer safeguards as a recognized international standard
• Minimizing the transfer of sensitive personal information where possible

Please be aware that personal information transferred to foreign jurisdictions may be subject to access by foreign courts, law enforcement agencies, or regulatory bodies under the laws of those jurisdictions. For more information about our international data transfer practices, please contact us at [email protected].

12. Legal Basis for Processing

In Canada, PIPEDA requires that the collection, use, and disclosure of personal information be based on the knowledge and consent of the individual, except where otherwise permitted by law. The legal bases upon which we process your personal information include:

• Consent: Where you have given express or implied consent to the collection, use, or disclosure of your personal information for a specified purpose.
• Contractual Necessity: Where the processing is necessary to fulfill a contract with you, such as providing the financial services you have requested.
• Legal Obligation: Where processing is required to comply with a legal or regulatory requirement applicable to Cambrian Credit Union.
• Legitimate Interests: Where we have a legitimate business interest in processing your information (such as fraud prevention, security, and network integrity), provided that such interests are not overridden by your privacy rights.

13. Links to Third-Party Websites

Our website may contain links to third-party websites, services, and resources that are not operated by Cambrian Credit Union. These links are provided for your convenience and information only. We have no control over the content, privacy practices, or security measures of third-party websites.

We encourage you to review the privacy policies of any third-party websites you visit. Cambrian Credit Union is not responsible for the privacy practices, data collection, or content of external websites.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, legal requirements, or for other operational reasons. When we make material changes to this policy, we will:

• Post the updated policy on our website at cambrlan.com with a revised "Last Updated" date
• Notify you by email if we have your contact information and the changes are material
• Where required by law, obtain your renewed consent for any new or changed processing activities

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your personal information. Your continued use of our services after the effective date of any changes constitutes your acceptance of the revised policy.

15. How to Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, we encourage you to contact us first so that we can address your concerns directly and promptly.

When contacting us about a privacy matter, please provide sufficient detail to allow us to identify the relevant records and respond effectively. We will acknowledge your inquiry within 5 business days and provide a substantive response within 30 calendar days.

16. Filing a Complaint with the Privacy Commissioner

If you believe that your privacy rights have been violated or that we have not adequately addressed your privacy concern, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC). We encourage you to contact us first to attempt to resolve any concerns directly; however, you are always entitled to contact the OPC at any time.

If you are a resident of a province with substantially similar privacy legislation (such as Quebec under Law 25 (Act respecting the protection of personal information in the private sector), Alberta under the Personal Information Protection Act (PIPA), or British Columbia under the BC Personal Information Protection Act (BC PIPA)), you may also file a complaint with the applicable provincial privacy authority.

Provincial Privacy Authorities

17. Glossary of Key Terms

For the purposes of this Privacy Policy, the following definitions apply:

• Personal Information: Any information about an identifiable individual, as defined under PIPEDA.
• Processing: Any operation performed on personal information, including collection, use, storage, disclosure, and deletion.
• PIPEDA: The Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), Canada's federal private sector privacy law.
• CASL: Canada's Anti-Spam Legislation (S.C. 2010, c. 23), governing commercial electronic messages.
• GDPR: The General Data Protection Regulation (EU) 2016/679, a European Union regulation used as an international benchmark for privacy standards.
• PCMLTFA: The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (S.C. 2000, c. 17).
• Data Breach: A security incident in which personal information is accessed, used, disclosed, copied, modified, or disposed of without authorization.
• Consent: A voluntary, informed, and unambiguous agreement by an individual to the collection, use, or disclosure of their personal information for a specified purpose.