Introduction

Retiresureplus (“we”, “our”, “us”) is a Canadian digital platform that gives individuals a private dashboard for monthly analysis of retirement contributions, long-term capital projections, and tailored savings recommendations. This Privacy Policy explains how personal information is collected, used, stored, and disclosed when you create an account, upload data, or browse retiresureplus.com. It is addressed to Canadian residents who interact with our service as contributors, spouses, beneficiaries, or casual visitors.

Privacy Policy

We observe the Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial statutes in Quebec, Alberta, and British Columbia.

  • Collection – We gather:
    • (a) profile data you provide — name, email, province of residence, date of birth, and optional spouse information;
    • (b) financial data — registered and non-registered plan balances, contribution schedules, employer match percentages, payroll identifiers;
    • (c) analytics inputs — risk tolerance answers, retirement age targets, lifestyle preferences;
    • (d) device data — IP address, browser fingerprint, authentication logs;
    • (e) support content — chat transcripts and call recordings for quality assurance.
  • Purpose – Information is used to:
    • calculate personalized projections,
    • surface contribution recommendations,
    • generate year-end summaries,
    • issue security alerts,
    • process subscription payments, and
    • satisfy record-keeping duties under tax law.
  • Retention – Contribution histories and actuarial models are kept for the life of the account plus seven years after closure, unless longer retention is needed to resolve disputes or comply with CRA audit windows. Aggregated, de-identified statistics are retained indefinitely.
  • Accuracy & Access – You may review or correct profile or financial inputs at any time from the Settings → Profile page or by emailing privacy@retiresureplus.com.
  • Consent – Express consent is captured on sign-up and each time you link an external institution. Implied consent applies to non-identifiable telemetry essential to platform integrity. Withdrawal of consent may restrict access to forecasting features; we will advise you of any consequences before honouring the request.
  • Accountability – A designated Privacy Officer monitors compliance, conducts annual internal audits, and responds to inquiries within 30 days.

GDPR

Although Retiresureplus targets Canada, some users work cross-border or retain EU residency. Where the EU General Data Protection Regulation applies, we act as controller for account profiles and processor for data you import from European pension schemes.

Legal bases include contract performance (Art. 6(1)(b)), legitimate interest in safeguarding accounts (Art. 6(1)(f)), and legal obligation (Art. 6(1)(c)). EU/EEA residents may request access, rectification, erasure, restriction, data portability, or objection by emailing dpo@retiresureplus.com and may complain to their national supervisory authority.

Cookie Policy

4.1. Types of Cookies

  • Essential — session tokens, anti-forgery flags, and load-balancer cookies that keep you signed in and route traffic securely.
  • Preference — stores currency, dashboard layout, and dark-mode settings.
  • Analytics — privacy-enhanced Matomo cookies with IP truncation to understand feature adoption and page latency.
  • Marketing — optional cookies that show contextual offers for new analytical modules; never used for third-party advertising networks.

4.2. How to Disable Cookies

Browser controls allow you to refuse or delete cookies. Blocking essential cookies disables login. Preference and analytics cookies can be declined via the banner on first visit or by enabling “Do Not Track”. Marketing cookies are placed only after explicit opt-in and may be withdrawn under Account → Privacy.

Transfer to Third Parties

We do not sell personal information. We disclose only to:

  • Canadian cloud providers hosting encrypted databases in Montréal and Calgary;
  • Payment processors certified to PCI-DSS Level 1;
  • Portfolio-forecasting partners supplying actuarial assumptions (data shared in aggregate, never at account level);
  • Professional advisors (legal, accounting) bound by duty of confidentiality;
  • Government agencies or courts when compelled by law or to defend legal claims.

All vendors sign Data Processing Agreements that guarantee safeguards equivalent to, or stronger than, PIPEDA and GDPR.

Data Security Mechanisms

  • AES-256-GCM encryption for data at rest with per-tenant keys managed in FIPS 140-2-validated Hardware Security Modules;
  • TLS 1.3 with Perfect Forward Secrecy for data in transit;
  • Zero-knowledge architecture for contribution ledgers—staff cannot read raw balances;
  • Role-based access control with hardware-based multi-factor authentication;
  • Continuous penetration testing, monthly vulnerability scans, and annual SOC 2 Type II audit;
  • Immutable audit trails stored in append-only object storage with thirty-day replication gap;
  • Disaster-recovery plan targeting a 4-hour Recovery Time Objective and 15-minute Recovery Point Objective;
  • Breach-notification procedure that contacts affected users within 72 hours of confirmation.

Effective Date

This Privacy Policy takes effect on 13 June 2025 and supersedes all earlier versions. Material changes will be announced by banner and email at least 30 days before coming into force.