Privacy Policy

1. Purpose and Scope

This Privacy Policy outlines the principles and guidelines by which ViRTUS (“the Company”) collects, uses, discloses, and protects personal information. This policy applies to all personal information collected by the Company in the course of providing services and covers all employees, contractors, and third-party service providers involved in handling personal information on behalf of the Company.

2. Definition of Personal Information

Personal information refers to any information that can identify you as an individual, either directly or indirectly. This includes, but is not limited to, names, contact details, financial information, and any other data as defined in Schedule A of this policy. The Company treats all personally identifiable information with the utmost confidentiality.

3. Collection, Use, and Disclosure of Personal Information

The Company collects personal information only for the purpose of delivering services to its clients. The collection, access, use, and disclosure of personal information are limited to individuals and entities that require such information to fulfill their responsibilities in delivering the Company’s services. We do not use personal information for any purposes beyond those necessary for service delivery unless explicit consent has been obtained, except where permitted by law.

4. Consent

The Company is committed to obtaining consent from individuals before collecting, using, or disclosing their personal information, unless otherwise permitted by law. Consent may be obtained explicitly or implicitly depending on the nature of the information and the context in which it is collected. Clients have the right to withdraw their consent at any time.

5. Administrative, Technical, and Physical Safeguards

The Company has implemented administrative, technical, and physical controls to protect personal information from unauthorized collection, access, use, disclosure, destruction, or alteration. These safeguards include, but are not limited to, secure storage systems, access controls, regular audits, and employee training.

6. Encryption of Personal Information

To ensure the security of personal information, the Company uses industry-standard encryption techniques for data both in transit and at rest. This includes encryption of communications, databases, and any other storage systems where personal information is held.

7. Data Residency and Transfer

In compliance with the Freedom of Information and Protection of Privacy Act (FIPPA), the Company ensures that personal information collected on behalf of public bodies is stored and accessed within Canada. However, in certain cases, personal information may be accessed or stored outside of Canada. These exceptions include:

• when ViRTUS employees or contractors are working from locations outside of Canada;

• or when secure third-party services (such as cloud-based software) use encrypted servers located outside of Canada to process or store data.

Any transfers of personal information outside of Canada will only occur with explicit consent from the individual or as permitted by law.

8. Secure Destruction of Personal Information

The Company ensures that personal information is securely destroyed when no longer needed for service delivery or when requested by the client. Secure destruction methods comply with industry standards and include secure deletion of digital files and physical destruction of paper records.

9. Retention of Personal Information

The Company retains personal information for as long as necessary to fulfill the purposes for which it was collected or as required by law. Specifically, personal information used to make decisions about individuals will be retained for a minimum of one year following its use, in compliance with FIPPA.

10. Metadata Management

The Company ensures that all personally identifiable information is removed from metadata generated by electronic systems that describe an individual’s interactions with the system. The Company prohibits the use or disclosure of metadata in a form that could identify individuals, including sharing such metadata with third parties.

11. Notification of Security Breaches

In the event of a security breach involving personal information, the Company will promptly notify affected clients and take all necessary steps to mitigate the breach, as outlined in Schedule A. The Company will work to resolve the breach as quickly as possible and implement additional safeguards as required.

12. Third-Party Service Providers

The Company may engage third-party service providers to assist in delivering services. These providers are required to comply with this Privacy Policy, applicable privacy laws, and FIPPA’s requirements, including data residency and security measures. The Company ensures that any transfer of personal information to third-party providers includes adequate security measures and contractual obligations to protect personal information.

13. Client Rights

Clients have the right to access, correct, delete, restrict processing, and object to the use of their personal information. Clients may also request the transfer of their data to another organization. The Company is committed to responding to such requests within one month, as required by law.

14. Compliance with Laws

The Company complies with all applicable privacy laws, including but not limited to FIPPA, CAN-SPAM Act, GDPR, CCPA, PIPEDA, and British Columbia’s Personal Information Protection Act. This policy is regularly reviewed and updated to ensure compliance with changing legal requirements.

15. Changes to This Policy

The Company reserves the right to update this Privacy Policy at any time. Clients will be notified of significant changes through email or a prominent notice on the Company’s website. The “Last Updated” date at the top of this policy will be revised accordingly.

16. Contact Information

For any questions or concerns regarding this Privacy Policy, or to exercise your data protection rights, please contact the Company at:

• Email: info@virtusinc.com

• Phone: 604-519-7000

• Website: virtusinc.com