Privacy Policy

Information We Receive and How It Enters Our Systems

During different phases of your relationship with our platform, information reaches us through multiple channels. Understanding when and how this happens helps clarify what we hold and why.

Account Registration and Profile Development

Creating an account begins the information intake process. You provide basic identifiers—full name, email address, phone number—along with residential details including your Canadian address. For families establishing joint accounts or planning intergenerational wealth transfer, additional household member information may be shared: names, relationships, ages, and in some cases, financial roles within the family structure.

As you develop your investment profile, the platform requests details about financial objectives, risk tolerance, time horizons, current asset holdings, income sources, and anticipated major life events (retirement timing, education funding needs, property purchases). This information doesn't arrive all at once. Some families complete comprehensive profiles during initial setup; others build them gradually through subsequent interactions.

Operational Activity Records

Every platform interaction generates operational data. When you log in, initiate transactions, adjust portfolio allocations, download reports, or communicate with our advisory team, these actions create records. Transaction histories capture investment purchases, sales, transfers, and modifications. Communication logs document when support requests were submitted, what questions were asked, and how matters were resolved.

Technical systems automatically capture device characteristics, browser types, operating systems, IP addresses, and access timestamps. These elements emerge without deliberate input—they're inherent to digital platform operation.

Financial Institution Connections

When you authorize connections between Salimon and external financial institutions—banks, existing investment accounts, retirement funds—those integrations transmit account balances, transaction histories, and holdings data. We receive this information through secure API connections established with your explicit consent. The scope and frequency of these data transfers depend on integration settings you control.

Third-Party Information Sources

Occasionally, information arrives from external sources. Credit bureaus may provide reports when accounts require financial verification. Investment custodians send confirmations about asset transfers. Regulatory databases supply information during compliance checks. Tax preparation services, when you authorize integration, share relevant financial data needed for coordinated planning.

How Information Gets Used and Internal Access Protocols

Information doesn't just sit in storage. It flows through operational processes, gets analyzed for various purposes, and enables the platform functionality you experience. Different team members access different segments based on role-specific needs.

Core Service Delivery Operations

Your financial profile powers investment recommendations. Algorithmic systems analyze risk tolerance, time horizons, existing holdings, and stated objectives to generate portfolio suggestions. Advisory team members review these automated recommendations, considering family-specific circumstances that algorithms might miss—upcoming major expenses, inheritance expectations, business ownership complications, or cross-border tax considerations for families with international ties.

Transaction processing requires accessing account balances, available funds, and authorization credentials. When you initiate a trade or rebalancing action, multiple systems coordinate: order management platforms receive instructions, custodial connections verify available assets, compliance engines check regulatory constraints, and confirmation systems document completed actions.

Communication and Support Functions

Support team members access account information when responding to inquiries. If you contact us about a discrepancy, unexpected fee, or platform functionality question, representatives pull up relevant account sections—recent activity, billing history, profile settings—to provide informed assistance. These interactions get documented in your account record, creating continuity when multiple support interactions occur.

Advisory communications reference your specific situation. When advisors send portfolio updates, market commentary, or planning suggestions, content gets tailored using information from your profile. Mass communications get segmented by relevant characteristics—families approaching retirement receive different content than those in early accumulation phases.

Risk Management and Security Monitoring

Automated security systems continuously analyze access patterns, transaction behaviors, and platform interactions to identify potential threats. Unusual login locations, atypical transaction sizes, rapid account changes, or access pattern anomalies trigger alerts that security personnel investigate. This monitoring operates in the background, examining technical indicators rather than investment decisions themselves.

Compliance functions require reviewing account activities against regulatory requirements. Anti-money laundering protocols examine transaction patterns and sources of funds. Investment suitability reviews confirm that portfolio recommendations align with documented risk tolerances and objectives. These processes involve both automated screening and human oversight from our compliance department.

Internal Access Segmentation

Not everyone at Salimon can access everything. Access permissions align with job functions. Advisory team members see financial profiles and investment holdings but have limited access to payment credentials. Support representatives access contact information and recent activity but not full financial profiles unless directly relevant to inquiries. Technical staff working on platform development see anonymized data patterns rather than identifiable accounts. Compliance personnel have broader access but operate under strict confidentiality protocols.

When Information Moves Outside Our Organization

Some operations require information to flow beyond Salimon's direct systems. Understanding these external movements clarifies where your data travels and what protections apply.

Service Provider Relationships

Several external service providers handle specific operational functions. Investment custodians hold your actual securities and execute trades—they necessarily receive transaction instructions, account identification, and holdings information. Payment processors handle fee collection and refunds, receiving payment authorizations and billing details but not investment data. Cloud infrastructure providers host platform systems and databases, maintaining the technical environment where information resides.

Identity verification services receive name, address, date of birth, and government identification numbers during account setup to confirm your identity and satisfy regulatory requirements. These services return verification results but don't retain access to your investment activities or financial profile.

Customer communication platforms—email delivery services, secure messaging systems, notification infrastructure—transmit messages containing account-related information. Document storage and e-signature platforms process forms, agreements, and official documents you complete during account setup or advisory engagements.

Legal and Regulatory Disclosures

Government agencies occasionally require information disclosure. Tax authorities may request account details during audits. Securities regulators conduct examinations requiring access to customer records. Law enforcement agencies submit valid legal process—subpoenas, court orders, search warrants—demanding specific account information. We respond to these requests when legally obligated but don't volunteer information beyond what's specifically required.

Regulatory reporting obligations involve transmitting certain information to oversight bodies. Investment advisors must file forms disclosing client counts, asset levels, and business practices. Anti-money laundering regulations require reporting suspicious activities. These disclosures typically involve aggregated statistics or specific incident reports rather than routine sharing of individual account details.

Corporate Transaction Scenarios

Should Salimon undergo significant corporate changes—acquisition, merger, asset sale, or restructuring—information would likely transfer to successor entities. Buyers conducting due diligence would review customer data as part of business evaluation. If a transaction closes, the acquiring organization would assume data stewardship responsibilities, though you'd be notified of such changes and any material policy modifications.

Authorized Third-Party Access

Sometimes you explicitly authorize information sharing with outside parties. Financial planners, accountants, attorneys, or family members you designate may receive access to account information when you grant permission. These arrangements operate under your direct instruction and can be modified or revoked through account settings.

Your Control Mechanisms and Available Options

Information relationships aren't one-directional. You maintain various controls over what we hold, how it gets used, and how long it persists.

Access and Correction Rights

You can review the information we maintain about your account. Profile sections display financial details, family structure, investment objectives, and risk parameters. Activity logs show platform interactions. Document libraries contain agreements, confirmations, and correspondence. If you identify inaccuracies—outdated addresses, incorrect family member details, mischaracterized financial objectives—correction mechanisms exist through account settings or by contacting support.

Communication Preference Management

You control which messages you receive and through which channels. Account settings specify preferences for educational content, market updates, portfolio alerts, promotional offers, and administrative notices. You can opt out of marketing communications while maintaining essential service notifications. Communication preferences apply separately to email, text messages, phone calls, and postal mail.

Integration and Sharing Controls

External financial account connections can be reviewed, modified, or disconnected through platform settings. Each integration displays what information flows from connected institutions and how frequently updates occur. Authorized third-party access—family members, professional advisors, delegated users—gets managed through permission settings where you grant or revoke specific access levels.

Account Closure and Data Retention

Closing an account initiates data retention protocols. Some information must be preserved to satisfy regulatory recordkeeping requirements—Canadian securities regulations mandate seven-year retention of client records, transaction documentation, and correspondence. After these mandatory periods expire, information gets deleted according to our retention schedule unless ongoing legal obligations require continued preservation.

Even after account closure, certain elements may persist in backup systems for limited periods due to technical backup cycles. These residual copies eventually age out as backup rotations progress. Aggregated, de-identified data derived from your account might remain in analytical databases where individual identification is no longer possible.

Security Approach and Residual Risk Acknowledgment

Protection measures aim to prevent unauthorized access, disclosure, alteration, or destruction of information. Despite comprehensive safeguards, absolute security remains impossible—understanding both our protections and remaining vulnerabilities provides realistic expectations.

Technical Protection Layers

Information in transit between your devices and our servers travels through encrypted connections using current TLS protocols. Stored data sits in encrypted databases with access controlled through multi-factor authentication. Network perimeters employ firewalls, intrusion detection systems, and continuous monitoring for suspicious activities. Application security features include session management, input validation, and protection against common attack vectors.

Infrastructure isolation separates production systems from development environments. Database access requires authentication and authorization validation. Privileged access to sensitive systems gets logged and periodically audited. Regular security assessments—both automated scanning and manual penetration testing—identify potential vulnerabilities before they can be exploited.

Organizational and Operational Safeguards

Staff receive security training covering data handling expectations, social engineering awareness, and incident response procedures. Employment agreements include confidentiality obligations. Access provisioning follows least-privilege principles—team members receive only the access necessary for their specific responsibilities. When employees leave the organization, access gets promptly revoked.

Vendor relationships include contractual security requirements, regular security assessments, and incident notification obligations. Service providers handling sensitive data must demonstrate appropriate security capabilities before engagement. Ongoing vendor management includes periodic reviews of security postures and compliance with contractual obligations.

Incident Response Capabilities

Despite preventive measures, security incidents can occur. Our incident response plan defines detection, containment, investigation, remediation, and notification procedures. If a breach compromises your information, we'll notify you about what happened, what information was affected, what steps we've taken, and what actions you should consider. Notification timing follows applicable legal requirements—Canadian regulations generally mandate disclosure without unreasonable delay.

Limitations and Residual Risks

Technology evolves, and so do attack methods. What's secure today might become vulnerable tomorrow as new exploit techniques emerge. Insider threats—malicious or negligent employees—pose risks that technical controls alone can't eliminate. Third-party providers introduce dependencies—their security failures could affect systems where your information resides. Human factors create vulnerabilities—sophisticated phishing attacks might trick users into revealing credentials despite technical safeguards.

We can reduce risk but not eliminate it entirely. Participation in digital financial services inherently involves accepting some residual security risk despite comprehensive protection measures.