Done.comInc. — Privacy Policy

Done.com Inc. (“Done.com”, “we”, “us”, or“our”) is committed to protecting the privacy of individuals in Canada. ThisPrivacy Policy explains how we collect, use, disclose, retain, and protect yourPersonal Information in compliance with Canada’s federal Personal InformationProtection and Electronic Documents Act (PIPEDA) and, where applicable,provincial private-sector privacy laws (Alberta Personal Information ProtectionAct (PIPA), British Columbia Personal Information Protection Act (PIPA), andQuebec’s Act respecting the protection of personal information in the privatesector as amended by Law 25).

This Policy applies to our websites,applications, products and services, and any interaction you have with us. If aseparate privacy notice applies to a particular product or activity, thatnotice will govern to the extent of any conflict.

_{1) Definitions}

“PersonalInformation” means information about anidentifiable individual. It includes information that can be used alone or incombination with other information to identify you, such as your name, contactdetails, identifiers, or financial information.

“De-identifiedInformation” means information that does notidentify an individual and cannot be linked to an individual in reasonablyforeseeable circumstances.

“BusinessContact Information” means an employee’s name,position name or title, business telephone number, business address, businessemail and fax number, and other similar information used for contacting theindividual in relation to their employment or profession. In some provinces,Business Contact Information is not considered Personal Information.

_{2) Information We Collect}

We collect only the Personal Informationreasonably necessary for the purposes described in this Policy. The categoriesinclude:

·      Identifiersand contact details: name, date of birth, nationality, address, email, phonenumber, government-issued ID numbers (where permitted/required), IP address.

·      Professionaldetails: education, employment status, employer name, role/position.

·      Financialand transactional information: bank details (e.g., institution, accountidentifiers), payment records, transaction history, and information required byanti‑money laundering and anti‑terrorist financing (AML/ATF) laws.

·      Accountand interaction data: records of communications (meetings, calls, chats,emails), preferences, support requests.

·      Onlineactivity data: device information, log data, pages viewed, approximategeolocation, cookies and similar technologies (see Section 10).

·      Inferencesand preference data: service usage patterns, segments for personalization,participation in promotions or events.

We generally do not collect sensitivecategories such as racial or ethnic origin, political opinions, religious orphilosophical beliefs, or sexual orientation, unless strictly necessary andpermitted by law (e.g., to comply with AML/ATF requirements).

_{3) How We Collect Personal Information}

·      Directlyfrom you when you use our services, create an account, make a purchase, orcommunicate with us.

·      From yourorganization (e.g., if you are an employee, representative, or beneficial ownerof a customer).

·      Fromservice providers and business partners who assist us in delivering ourproducts and services.

·      Frompublicly available sources (e.g., government publications, public websites,professional profiles, and social media you make public).

_{4) Purposes for Collection, Use, and Disclosure}

We collect, use, and disclose PersonalInformation for the following purposes:

·      Providing,personalizing, and improving our products and services; operating accounts;processing transactions; customer support.

·      Conductingidentity verification, due diligence, risk assessments, and complying withlegal and regulatory obligations (including AML/ATF compliance under thePCMLTFA).

·      Communicatingwith you about your account, transactions, service updates, events, andmarketing (with your consent where required).

·      Managinginformation technology and security, ensuring service continuity, detecting,investigating, and preventing fraud or abuse.

·      Analytics,research, and product development, including creating de‑identified oraggregated insights.

·      Maintainingbusiness records, enforcing agreements, and protecting our rights and thesecurity of our users and systems.

_{5) Consent and Appropriate Purposes}

We collect, use, and disclose PersonalInformation with your knowledge and consent, except where otherwise permittedor required by law. Your consent may be express or implied, depending on thesensitivity of the information and reasonable expectations. We will not requireyou to consent to the collection, use, or disclosure of information beyond whatis necessary to provide the product or service.

You may withdraw consent at any time,subject to legal or contractual restrictions and reasonable notice. If youwithdraw consent, we will inform you of any implications (for example, where wecannot provide or continue a service).

We limit our handling of PersonalInformation to purposes that a reasonable person would consider appropriate inthe circumstances (PIPEDA s.5(3)).

_{6) How We Share Personal Information}

We may disclose Personal Information to:

·      Ouraffiliates and brands for the purposes described in this Policy.

·      Serviceproviders who perform services on our behalf (e.g., cloud hosting, security,payments, analytics, identity verification). We require them by contract toprotect Personal Information and use it only as instructed.

·      Businesspartners, independent agents, or intermediaries involved in delivering ourservices, where appropriate.

·      Lawenforcement, regulators, courts, or other public authorities where we arerequired or permitted by law (e.g., to meet AML/ATF obligations, respond tolegal process, or protect rights and safety).

·      Professionaladvisors (e.g., lawyers, auditors) under confidentiality obligations.

·      Otherparties with your consent or as permitted/required by law.

_{7) Transfers Outside Canada}

Your Personal Information may betransferred to and processed in jurisdictions outside your province or outsideCanada (e.g., the United States) where privacy laws may offer a different levelof protection. When we transfer information to service providers or affiliatesin other jurisdictions, we remain accountable for it and use contractual andorganizational measures to ensure a comparable level of protection. Whererequired (e.g., in Quebec), we conduct a privacy impact assessment forcross‑border transfers and proceed only if the information will receiveadequate protection.

_{8) Security Safeguards}

We use physical, organizational, andtechnological safeguards appropriate to the sensitivity of the information toprotect against loss, theft, and unauthorized access, disclosure, copying, use,or modification. However, no method of transmission or storage is completelysecure; we cannot guarantee absolute security.

_{9) Retention and Destruction}

We retain Personal Information only as longas necessary to fulfill the purposes for which it was collected and to meetlegal, regulatory, tax, accounting, or reporting requirements. For example,certain financial and identity records may be retained for at least five (5)years to comply with AML/ATF laws. When information is no longer required, wewill delete, anonymize, or securely destroy it.

_{10) Cookies and Similar Technologies}

We use cookies and similar technologies tooperate our sites, remember your preferences, measure performance, andpersonalize content. You can manage cookie preferences through your browsersettings. Some cookies are necessary for site functionality and cannot bedisabled without affecting performance.

_{11) Automated Decision-Making and Profiling}

If we use automated processing to makedecisions that produce legal effects concerning you or significantly affectyou, we will provide meaningful information about the logic involved and thesignificance and consequences of such processing, as required by applicable law(e.g., Quebec Law 25). You may also have the right to request human review ofsuch decisions where required by law.

_{12) Your Privacy Rights}

·      Access:request information about our handling of your Personal Information and obtainaccess to it.

·      Correction:request correction of inaccurate or incomplete Personal Information.

·      Withdrawalof consent: withdraw consent to our processing, subject to legal/contractuallimits.

·      Portability(Quebec): request a copy of certain computerized Personal Information in astructured, commonly used format, where required by law.

·      Marketingchoices: opt out of marketing communications at any time using the unsubscribelink or by contacting us.

To exercise your rights, contact ourPrivacy Officer using the details in Section 15. We may need to verify youridentity before responding. We will respond within the timelines required byapplicable law.

_{13) Children’s Privacy}

Our services are not intended for childrenunder the age where meaningful consent can be obtained under applicable law. Ifyou believe a child has provided us with Personal Information withoutappropriate consent, please contact us so we can delete it.

_{14) Data Breach Notification}

We will assess all privacy incidents and,where a breach creates a real risk of significant harm, we will notify theOffice of the Privacy Commissioner of Canada (and any applicable provincialcommissioner), notify affected individuals, and keep records of all breaches asrequired by law.

_{15) Contacting Us and Complaints}

Privacy Officer: Done.com Inc.
Email: info@done.com

_{16) Changes to this Policy}

We may update this Policy to reflectchanges to our practices or legal requirements. We will post the updated Policyon our website with a new effective date and will notify you of significantchanges through our usual communication channels.

‍