Privacy Policy and Procedures for the Protection of Personal Information
At Zamax Financial Inc., we are committed to protecting the confidentiality of the personal information entrusted to us in the course of our business activities. We always act in compliance with applicable privacy and data protection laws.
Whenever this Policy refers to Zamax Financial, it also refers to our affiliated companies. This Policy applies to both Zamax Financial clients and advisors who use our services.
1. Concerns, General Inquiries, and Requests
All privacy-related concerns, general inquiries, or requests directed to Zamax Financial are forwarded to the Compliance Director. The Compliance Director will review the request and acknowledge receipt within 24 hours. In their absence, requests will be forwarded to an appropriate individual for handling. Clients will be kept informed of the progress made regarding the matter, and complete documentation of the concern and all related activities will be maintained in the client file.
The Compliance Director reports all privacy-related concerns, inquiries, requests, and issues regarding the company’s products and services to the President of Zamax Financial.
2. Client Requests to Access Personal Information
Under privacy legislation, clients have the right to access their personal information contained in records maintained by Zamax Financial and, where applicable, challenge its accuracy.
Any client request to access personal information contained in Zamax Financial client records will be sent to the Compliance Director for response. The date and details of the request will be documented until the request is completed. The Compliance Director will assist clients in preparing their access request if necessary.
Information will be provided as quickly as possible and no later than 30 days after receipt of the request, in a commonly used technological format.
Zamax Financial will correct or amend personal information where its accuracy or completeness is challenged and found to be inaccurate or incomplete. Any disagreement regarding information will be documented, and third parties will be notified where appropriate.
2.1 Automated Decision-Making
If Zamax Financial implements automated decision-making technology, upon request, the client will be informed, no later than the time the decision is communicated, of the personal information used to make the decision. Zamax Financial will explain, in clear and understandable language, how the decision was made. The client retains the right to review and correct any inaccurate information.
2.2 Misuse of Personal Information
Any person contacted must immediately report any misuse of personal information or any potential breach of security measures relating to products and services to the Zamax Financial Compliance Director.
2.3 Privacy Incidents and Data Breach Process
A privacy breach occurs when personal information is accessed, used, disclosed, lost, or retained without authorization due to a failure of security safeguards. A privacy breach may also include any violation of privacy legislation, such as retaining personal information beyond the period for which it is required.
Privacy breaches may be intentional, accidental, or the result of criminal activity.
Examples of Privacy Breaches
Copies of client statements containing personal information are stolen from a vehicle.
A financial advisor’s laptop containing client personal information is lost or stolen.
An advisor’s computer hard drive containing client information is hacked or compromised.
Client information is emailed to the wrong recipient, internally or externally.
Client information is mailed to the wrong address and opened by another person.
Personal information is disclosed or used without proper authorization.
Information relating to inactive clients is retained longer than permitted under retention schedules.
All privacy breaches must be assessed to determine the level of risk to affected individuals.
Risk Assessment Terminology
An assessment may conclude that a breach presents a Real Risk of Significant Harm (RROSH) or a Serious Risk of Harm (SRH). Throughout this document, the determination of whether either threshold is met is referred to as an “assessment.”
Where an assessment determines that the risk is serious or significant, the breach must be reported to the appropriate privacy regulator, including:
Quebec’s Commission d’accès à l’information (CAI)
The Office of the Privacy Commissioner of Canada (OPC)
Applicable provincial privacy commissioners outside Quebec
These regulators are collectively referred to as “the Commissioner.”
2.3.1 Policy and Procedure
All suspected or actual privacy breaches, complaints, or concerns involving privacy issues—whether affecting an individual or a service provider—must be reported immediately to the Zamax Financial Compliance Director.
The Compliance Director will:
Prevent further disclosure of information;
Assess the situation;
Correct the issue; and
Improve controls and safeguards to prevent similar incidents in the future.
2.3.2 Breach Containment Process
In the event of a privacy breach involving client information (e.g., cyberattack or unauthorized data access), contact the Compliance Director immediately.
The Compliance Director will communicate with the compliance representatives of the insurer and/or business partner involved.
2.3.2.1 Loss, Theft, or Hacking of Electronic Devices
Zamax Financial will:
Scan affected computers for malware before reconnecting them to systems.
Immediately contact the technical support teams of all affected companies to request password changes.
Report the incident to law enforcement.
Change passwords for other systems, such as online banking services.
2.3.2.2 Loss or Theft of Paper Documents
Examples include policies, applications, and client files.
Zamax Financial will contact law enforcement to report the theft of documents.
2.3.2.3 Emails or Mail Sent to the Wrong Recipient
Zamax Financial will:
Attempt to immediately recall the email.
If recall is not possible, request written confirmation from the unintended recipient that the email was deleted, removed from deleted items, not saved, and not forwarded.
Request the return of mailed documents or confirmation that they were securely destroyed (e.g., shredded).
2.3.2.4 Cyberattacks
A cyberattack is an attempt to gain unauthorized access to computers or networks to expose, alter, disable, destroy, steal, or otherwise misuse information.
Zamax Financial will:
Mobilize its IT support team.
Contact law enforcement.
2.3.2.5 Ransomware
Ransomware is malicious software that restricts access to systems or files until a ransom is paid.
Zamax Financial will:
Mobilize the IT support team.
Contact law enforcement and cooperate with investigations.
Immediately disconnect infected devices from the network.
Preserve evidence and avoid deleting information.
Investigate the source of the infection.
Run comprehensive antivirus and anti-malware scans after removal.
Reinstall systems where malware cannot be fully removed.
Verify backups before restoring data.
Use available decryption tools where appropriate.
Maintain a policy of not paying ransom demands, subject to the circumstances.
Consider engaging a cyber breach response expert (“breach coach”).
Implement corrective measures to prevent future attacks.
2.4 Documentation Process
Zamax Financial shall begin documenting any privacy breach as soon as the breach has been contained. All records relating to privacy breaches must be securely maintained.
In Quebec, Zamax Financial must maintain a record of all privacy breaches for five (5) years from the date it becomes aware of the breach and must be prepared to provide this record to the Commission d'accès à l'information (CAI) upon request.
Outside Quebec, records relating to all privacy breaches must be retained for twenty-four (24) months. Zamax Financial must be able to provide such records to the Privacy Commissioner or other regulatory organizations upon request.
The record(s) must be maintained in a secure location and include the following information:
Date of the breach
Description of the circumstances surrounding the breach
Number of individuals affected
Types of personal information involved
Sensitivity of the information affected by the breach
Likelihood of misuse
Potential harm that could result from the breach
An indicator confirming:
Whether the breach created a serious or significant risk of harm to the individual, including an explanation supporting that conclusion
That the affected individual(s) were notified
The date of notification and confirmation provided to the Privacy Commissioner for individuals residing outside Quebec who were affected by the breach
Measures taken to prevent similar breaches from occurring in the future, including consideration of the following:
What was the root cause of the privacy breach?
Which controls failed to prevent the privacy breach?
Should new processes or controls be implemented?
Should existing processes or controls be improved or modified?
Are there any gaps or vulnerabilities in the security controls that need to be addressed?
Should employee training be strengthened, or should new training programs be developed and delivered?
Zamax Financial must also record the following information:
The date Zamax Financial became aware of the incident
If a description of the personal information involved is not provided, the reason why
If a serious or significant risk of harm is determined to exist, the date and confirmation of notification provided to the CAI and affected individuals, as well as details of any public notices issued and the reasons for issuing them
A centralized tracking register containing a list of all privacy breaches by region may also be maintained. Zamax Financial may use this register to satisfy CAI record-keeping requirements.
2.5 Conducting an Assessment
All privacy breach incidents must be assessed to determine whether they create a serious or significant risk of harm.
To determine whether a serious or significant risk exists, consider the following questions:
Does the incident involve sensitive personal information?
Examples of sensitivity levels:
High: Social Insurance Number (SIN), banking information, medical information
Low: Name, email address, gender, marital status
Was the personal information obtained maliciously?
Personal information obtained through theft, fraud, or system hacking is more likely to be used for malicious purposes and generally presents a higher level of risk.
Are five (5) or more individuals affected?
The greater the number of individuals affected, the greater the likelihood of misuse.
Has the information still not been recovered?
If personal information cannot be recovered promptly, it may indicate that it has been, is being, or may be misused.
Are you still awaiting confirmation that the personal information has been destroyed?
If the unintended recipient has not confirmed destruction of the personal information, it may indicate that the information has been, is being, or may be misused.
Did the incident result from a systemic issue?
Systemic issues may lead to additional incidents and increase the likelihood that personal information will be misused.
Have more than ten (10) business days elapsed between the date of the incident and the date it was discovered?
A lengthy delay in discovering the incident may indicate that the unintended recipient had sufficient time to misuse the personal information.
If the answer to all of the above questions is "No," the determination regarding the existence of a serious or significant risk of harm will generally be "No," and both the sensitivity level and likelihood of misuse will be considered low. Proceed to the section entitled Improvement of Control Measures.
If the answer to any of the above questions is "Yes," you must determine whether the sensitivity level and likelihood of misuse are low or high by considering:
The sensitivity of the personal information involved in the breach;
The potential consequences to affected individuals if the information were misused; and
The likelihood that the personal information will be misused.
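The screening questions above, together with the record fields required by Section 2.4, can be encoded as a small triage helper so that every incident is screened the same way and its register entry carries the correct retention date. The following Python is an added example and not Zamax Financial's own tooling: the seven questions, the five-individual and ten-business-day thresholds, the sensitivity examples and the retention periods come from the policy text; the field names, the rule that rates likelihood of misuse "high" whenever any misuse indicator is answered "Yes", the holiday-free business-day count and the two sample incidents are assumptions of this example.

```python
"""Breach screening and register-entry helper modelled on sections 2.4 and 2.5.
Added example; assumptions are marked in comments."""
from dataclasses import dataclass
from datetime import date, timedelta

HIGH_SENSITIVITY = {"sin", "banking", "medical"}  # section 2.5 "High" examples (assumed tag names)
MISUSE_INDICATORS = {"obtained_maliciously", "not_recovered", "destruction_unconfirmed",
                     "systemic_issue", "discovery_delay_over_10_business_days"}


@dataclass(frozen=True)
class IncidentFacts:
    region: str                  # "QC" for Quebec, otherwise another province code
    incident_date: date
    discovered_date: date
    aware_date: date             # date Zamax Financial became aware (section 2.4)
    data_types: frozenset        # tags for the personal information involved
    individuals_affected: int
    obtained_maliciously: bool   # theft, fraud or system hacking
    recovered: bool
    destruction_confirmed: bool  # unintended recipient confirmed destruction
    systemic_issue: bool
    description: str


def business_days_between(start: date, end: date) -> int:
    """Weekdays after `start` up to and including `end`; statutory holidays are ignored (assumption)."""
    count, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            count += 1
    return count


def screening_questions(f: IncidentFacts) -> dict:
    """The seven Yes/No questions of section 2.5; True means 'Yes'."""
    return {
        "sensitive_information": bool(f.data_types & HIGH_SENSITIVITY),
        "obtained_maliciously": f.obtained_maliciously,
        "five_or_more_individuals": f.individuals_affected >= 5,
        "not_recovered": not f.recovered,
        "destruction_unconfirmed": not f.destruction_confirmed,
        "systemic_issue": f.systemic_issue,
        "discovery_delay_over_10_business_days":
            business_days_between(f.incident_date, f.discovered_date) > 10,
    }


def assess(f: IncidentFacts) -> dict:
    """All 'No' -> low/low, no full assessment; any 'Yes' -> rate sensitivity and likelihood."""
    answers = screening_questions(f)
    yes = [q for q, a in answers.items() if a]
    if not yes:
        return {"sensitivity": "low", "likelihood_of_misuse": "low",
                "requires_full_assessment": False, "yes_answers": []}
    # Assumption: likelihood is rated high whenever any misuse indicator is 'Yes';
    # the policy lists these as factors to weigh, not as a fixed formula.
    return {"sensitivity": "high" if answers["sensitive_information"] else "low",
            "likelihood_of_misuse": "high" if MISUSE_INDICATORS & set(yes) else "low",
            "requires_full_assessment": True, "yes_answers": yes}


def add_years(d: date, years: int) -> date:
    """Same calendar day `years` later; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_deadline(f: IncidentFacts) -> date:
    """Section 2.4: keep the record 5 years from awareness in Quebec, 24 months elsewhere."""
    return add_years(f.aware_date, 5 if f.region == "QC" else 2)


def register_entry(f: IncidentFacts) -> dict:
    """Fields the section 2.4 breach record must carry, plus the screening result."""
    return {"date_of_breach": f.incident_date.isoformat(), "date_aware": f.aware_date.isoformat(),
            "description": f.description, "individuals_affected": f.individuals_affected,
            "types_of_information": sorted(f.data_types), "region": f.region,
            "retain_record_until": retention_deadline(f).isoformat(), **assess(f)}


# Constructed sample incidents (not real events).
MISDIRECTED_EMAIL = IncidentFacts(
    region="QC", incident_date=date(2025, 3, 3), discovered_date=date(2025, 3, 20),
    aware_date=date(2025, 3, 20), data_types=frozenset({"name", "banking"}),
    individuals_affected=3, obtained_maliciously=False, recovered=False,
    destruction_confirmed=False, systemic_issue=False,
    description="Statement emailed to wrong external recipient; no deletion confirmation yet")
LOW_RISK_MAILING = IncidentFacts(
    region="ON", incident_date=date(2025, 5, 5), discovered_date=date(2025, 5, 6),
    aware_date=date(2025, 5, 6), data_types=frozenset({"name", "email"}),
    individuals_affected=1, obtained_maliciously=False, recovered=True,
    destruction_confirmed=True, systemic_issue=False,
    description="Letter returned unopened by the wrong addressee")

if __name__ == "__main__":
    for incident in (MISDIRECTED_EMAIL, LOW_RISK_MAILING):
        print(register_entry(incident))
```

Run as a script, the misdirected-email sample answers "Yes" to four questions (sensitive banking data, not recovered, destruction unconfirmed, 13 business days to discovery) and is routed to a full assessment with a Quebec retention date of 2030-03-20, while the mailing sample answers "No" throughout and is recorded as low sensitivity and low likelihood with a 24-month retention date. The helper deliberately stops at the screening step: the final decision that a breach creates a serious or significant risk of harm remains a judgement for the Compliance Director, as the policy requires.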
2.6 Mandatory Reporting of Privacy Breaches Under Provincial Privacy Legislation or the Personal Information Protection and Electronic Documents Act (PIPEDA)
If Zamax Financial determines that an incident presents a serious or significant risk of harm, affected individuals must be notified, provided such notification does not interfere with an official investigation.
Depending on the location of the affected individuals, the breach must also be reported to the Commission d'accès à l'information (CAI) in Quebec and/or the appropriate Privacy Commissioner as soon as possible, even if only one individual is affected.
Zamax Financial must also notify any other organization or business that may be able to reduce or mitigate the harm to affected individuals.
2.6.1 Notice to Affected Individuals
Where applicable, Zamax Financial shall provide affected individuals with notice of the privacy breach. Such notice must include:
A description of the circumstances surrounding the breach;
The date of the breach or the period during which it occurred, or, if exact dates are unknown, an approximate timeframe;
A description of the personal information affected, to the extent known;
A description of the measures implemented to reduce the risk of harm resulting from the breach;
A description of steps affected individuals may take to reduce or mitigate the risk of harm; and
Contact information through which affected individuals may obtain additional information regarding the breach.
2.6.2 Notice to Regulatory Authorities for Breaches Determined to Present a Real Risk of Significant Harm (RROSH)
Zamax Financial shall:
Submit a report to the Office of the Privacy Commissioner of Canada (OPC) using the applicable PIPEDA Breach Report Form.
Submit a report to the Commission d'accès à l'information (CAI) using the privacy incident reporting form available on the CAI website.
In British Columbia, where there is a real risk of significant harm, follow the guidance provided by the Office of the Information and Privacy Commissioner and consult the Privacy Breach Checklist to determine whether reporting is required.
Submit a report to the Office of the Information and Privacy Commissioner of Alberta (OIPC Alberta) using its Privacy Breach Notification Form. Website: https://oipc.ab.ca/
2.7 Improvement of Control Measures
Zamax Financial shall review all processes, system updates, employee training programs, and related procedures, and implement improvements where necessary to prevent similar incidents from recurring.
As outlined in Section 2.4, Documentation Process, Zamax Financial shall evaluate existing control measures to identify opportunities for improvement, minimize future risks, and implement any new controls required to address identified risks.
For any questions or concerns regarding our Personal Information Handling Policy or the manner in which we collect, use, or disclose personal information, please contact the Compliance Director. The applicable version of this Policy may be consulted at any time on this website. Last Updated: August 1, 2025.