Cybrid Canada Inc. Privacy Notice

Effective Date: November 2025

Cybrid Canada Inc. ("Cybrid", "We", "Us", or "Our") is committed to ensuring the confidentiality, accuracy, security, and privacy of your personal information under our control. This Privacy Policy outlines how we uphold these commitments, detailing the methods by which Cybrid collects, uses, discloses, and manages your personal information through our website and investment platform. This includes any other interactions with you. 

Cybrid intends to apply for registration with the Canadian Investment Regulatory Organization (“CIRO”) in January 2026. At the date of this Privacy Policy, Cybrid is not yet registered with CIRO and is not operating as a CIRO-regulated dealer. Registration is pending and approval is not guaranteed. If and when Cybrid becomes registered with CIRO, we may be required to collect, use, retain, and disclose personal information to meet CIRO and other regulatory obligations, in addition to our existing obligations under applicable laws.  The structure of this policy adheres to the privacy principles outlined in the Personal Information Protection and Electronic Documents Act (PIPEDA), alongside certain provincial statutes, which govern the collection, use, and disclosure of personal information in commercial activities within Canada.

Cybrid is currently preparing for and pursuing registration with CIRO. Any references in this Privacy Policy to CIRO or to obligations that may arise under CIRO rules are provided to explain how our practices may evolve if and when registration is granted and should not be interpreted as a statement that such registration has already been approved.

This Privacy Policy will continue to apply for as long as we hold your information, including after the termination of any of your products or services with us. By providing us with your personal information, you are consenting to the collection, use, and sharing of your personal information as set out in this Privacy Policy.  Where required by law, under Canada’s Anti-Spam Legislation, we will obtain your express consent before using your personal information for certain purposes.

This Privacy Policy may be updated periodically to reflect changes in our personal information practices. If we make any significant changes to how we treat our users’ personal information, we will notify you by email using the email address specified in your account or place information banners on our website. We will include the date the Privacy Policy was last revised at the top of the page. You are responsible for ensuring we have an up-to-date, active, and deliverable email address for you, and for periodically visiting our website and this Privacy Policy specifically to check for any changes.  If changes are material, we will take reasonable steps to bring them to your attention and, where required by law, obtain your consent before the changes take effect.

Consent

We obtain your informed consent to collect, use, and retain your personal information, except where otherwise permitted or required by law. Consent can be expressed (verbal, electronic, or written) or implied through your use of a product or service or inquiry about our offerings. We seek express consent when the information is considered sensitive.  This includes certain types of financial, identification, and biometric information.

In certain circumstances, we may collect, use, or disclose personal information without your knowledge or consent for legal, or security reasons.  For example, we may do so to comply with CIRO rules, securities legislation, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (“PCMLTFA”) and related regulations, or other applicable laws. If and when Cybrid becomes registered with CIRO, we may also be required to comply with CIRO rules and related regulatory obligations.

You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. We will inform you of the implications of such withdrawal. To withdraw consent, please contact the Privacy Officer in writing at compliance@cybrid.app.  In some cases, if you withdraw consent for key uses of your information, we may no longer be able to provide you with certain products or services or maintain your account.

What Personal Information We Collect

Personal information we may collect includes contact details, identifying information, technical diagnostic data, interaction data, advertisement interaction data, approximate location, and any photos or videos you choose to upload. We may also collect information from third parties like credit bureaus, employers, or personal references.

Personal information doesn't include the business contact information of an individual which is collected, used, or disclosed solely for the purposes of communicating or to facilitate communication with the individual in relation to their employment, business, or profession. Personal information also doesn’t include any information that is aggregated or anonymized.

Biographical information – May include your name, address, phone numbers, email address, birthdate, employment information, Social Insurance Number (SIN), or other national or provincial identifiers provided by you when you sign up for an account.

Financial information – May include bank account information, transactional history, account types and balances or limits, names of financial institutions, and related financial information that we collect from you or your financial institution.

Photo ID – We may collect copies of government-issued identification or a picture/video of yourself that you provide us or one of our service providers.

Signatures – We may collect your signature if you sign up for certain products.

Questionnaire responses and other regulatory questions – This may include asset holdings and values, and investment knowledge and objectives that you provide in risk information forms we ask you to complete.

Information you provide when you contact us – If you reach out to a customer service agent or representative you may be asked for information that identifies you (such as your name, address, or a phone number), along with additional information we need to help us promptly answer your question or respond to your comment or complaint. We may keep a record of the conversation or retain this information to assist you in the future, to improve our customer service, and improve our product and service offerings.

Service information We collect information that is generated through your actions when you use our platform or Website, such as your transactions, interactions with our products, your preferences or statistics regarding your use of our services.

Cookies and similar technologies In our online interactions, we may use Cookies or similar technologies to track user patterns. You can reset your browser to notify you of or refuse to accept Cookies. Please see our Cookie Policy (link) for more information.  Our Cookie Policy describes in more detail the types of cookies and similar technologies we use, the purposes for which we use them (including analytics and advertising), and your choices in relation to such technologies.

Log data and usage information In general, you can visit our Website without indicating who you are or submitting any personal information. However, we collect and log the IP (Internet protocol) addresses of all visitors to the Websites and other related information such as page requests, browser type, operating system, and average time spent on the app and Website. We use this information to help us understand activity and to monitor and improve the platform and Website.

Analytics We may use third parties to help us gather and analyze information about the areas visited on the Website in order to better understand, evaluate and improve the user experience and the convenience of the Website.  These third parties may use cookies, pixels, or similar technologies to provide us with aggregate statistics and reports. Where required by law, we will seek your consent before using such tools for analytics or marketing purposes.

Information from Third Party Service providers – if you decide to fund your account or link a bank account automatically using one of our partners, including Sumsub, we will receive data collected from your financial accounts, including identity and transaction information from all accounts and sub-accounts (e.g. chequing, savings, and credit cards) accessible through the account credentials you used. Depending on your product and the programs you have agreed to participate in, this data may include the following:

  • Account information, including financial institution name, account name and account type; and
  • Information about an account balance, including current and available balance (e.g. for instant fund transfers)

Social Media information – if you engage with our content through social networking websites, plug-ins and applications, we may collect certain information associated with your social media account (e.g., name, username, email address, profile picture, gender).

How We Use Your Personal Information

Cybrid will identify the purposes for which personal information is collected at or before the time of collection.

In addition to the purposes identified to you before or at the time of collection, the personal information we collect is used for the following purposes, as applicable:

  • verifying your identity and other information you have provided to us;
  • understanding your financial needs and delivering financial products and services that help meet them;
  • helping us review the investments that best fits you and your needs;
  • managing your relationship among Cybrid Products and Affiliates, including opening and servicing your account, and maintaining accurate and consistent information about you;
  • helping us manage and assess our risks and operations;
  • detecting, preventing and suppressing errors, fraud, financial abuse and other unauthorized or illegal activities;
  • meeting legal and regulatory requirements, including self-regulatory organizations. This includes obligations under applicable securities laws, tax laws, and anti-money laundering and anti-terrorist financing laws such as the PCMLTFA and related regulations.  If and when Cybrid becomes registered with CIRO, this may also include obligations under CIRO rules and related regulatory requirements;
  • tailoring your Website experience, including making recommendations for Cybrid products or services;
  • de-identifying your information by removing personal identifiers such as your name, address and account numbers. This information will not be used to identify individuals, and may be used for analytics and reporting, developing and improving our products and services, and identifying trends and insights that may be of value to us and our clients;
  • transferring your account to or from another institution; and
  • as otherwise required or permitted by applicable law.

Automated Decision Making

Cybrid may use automated decision making systems to process your personal information. Cybrid may rely on decisions made by these automated systems for the following purposes:

  • providing our Products or services to you (e.g. verifying your identity, assessing internal risk or creditworthiness);
  • customer service purposes (e.g. using AI powered chatbots);
  • security, anti-money laundering, and fraud detection or prevention purposes.

Where we use automated decision-making that has a significant impact on you, you may contact us to request further information about the logic involved, to express your point of view, and, where appropriate, to request a review of the decision by a Cybrid staff member, subject to applicable law and legal restrictions.

Where We Send Your Personal Information

We do not sell your personal information.

Affiliates When you open a Cybrid account, you may be required to open an account with one or more Cybrid Affiliates. These Affiliates may share your information with other Affiliates, including records of transactions and statements of cash and securities in your accounts, or in instances where we believe you might be interested in other Cybrid Products or services.

Service Providers – We may transfer your personal information to our Affiliates and other third-party service providers who provide various services on our behalf such as identity verification, technology, administration, printing, marketing and advertising, hosting, data analysis, legal and accounting. Should you use automatic account linking, your account data may be shared with the third-party service provider, including Sumsub, in accordance with their privacy policies.

We use various service providers to specifically assist us with identity verification. These service providers may review the personal information documentation you provide us to confirm its authenticity or may compare your information in our control with information about you from other sources (e.g. credit reporting agencies, telecommunications providers) to confirm your identity when creating or logging in to your account. We may use biometric ID verification providers, such as Sum and Substance Ltd (Sumsub), to confirm the authenticity of photo identification and to verify the identities of new clients, however alternative methods of verification are available. We take these steps to verify your identity very seriously to detect, prevent and suppress errors, fraud, financial abuse and other unauthorized or illegal activities.  Where biometric information is used as part of identity verification, we limit its use to what is necessary for verification and, unless otherwise required or permitted by law, we retain such information only for as long as needed to complete the verification process and to comply with applicable legal and regulatory obligations.

Partners – We may share your personal information with third party financial institutions that jointly offer, underwrite, endorse, or sponsor elements of our products or services. We may also enter into partnership or referral arrangements with third parties who seek to provide you with products or services (“Referrals”). We do not provide your personal information as part of a Referral without your consent.

Business Transactions – If we enter into a business transaction involving personal information or are considering one, such as selling assets, we may share personal information securely with the other parties to the transaction, for example, as part of due diligence or when we complete the transaction. Accordingly, we may transfer information we have about you in connection with a prospective or completed merger or sale (including transfers made as part of insolvency or bankruptcy proceedings) involving all or part of Cybrid or as part of financing, a corporate reorganization or stock sale or other change in corporate control, including for the purpose of determining whether to proceed or continue with such transaction or business relationship.

Securities Regulations – We may share your personal information, including name, contact information, holdings and beneficiary information with issuers of securities that you hold in your account and other persons/companies as required in accordance with securities law. Such issuers may require your personal information in order to deliver financial reports, tax documents and other relevant materials to you or to comply with applicable regulatory obligations. We may also disclose certain personal information, including the number of and purchase price of units purchased, to the applicable Canadian securities regulatory authority where required by law.

Legal – We and our Affiliates, and third-party service providers, may provide your personal information in response to a search warrant or other legally valid inquiry or order, or to another organization for the purposes of investigating a breach of an agreement or contravention of law. This may include lawful access requests by Canadian, US, or other foreign courts, law enforcement, or governmental authorities for the purposes of detecting, suppressing or preventing fraud, or as otherwise required or permitted by applicable Canadian, US, or other law. We may also disclose personal information where necessary for the establishment, exercise or defence of legal claims and to investigate or prevent actual or suspect loss or harm to persons or property.

Accountability & How We Protect Your Personal Information

Cybrid is responsible for the personal information under its control. We make information about our privacy practices available to you in an understandable format, including details on accessing personal information and the types of information we hold.

We have designated a Privacy Officer to oversee compliance with privacy principles. While other individuals within the organization may handle the day-to-day collection and processing of personal information, ultimate accountability rests with senior management and the designated Privacy Officer. Submissions to the Privacy Officer can be made in writing via email at compliance@cybrid.app.

To protect your personal information, Cybrid has:

    • Implemented physical, organizational and technical safeguards
  • limited the personal information we collect to what is required, will only use it for those purposes and will only keep it as long as necessary
  • ensured that the service providers and contractors who have access to or are provided with your personal information are bound to protect your information and are not permitted to use it for any unauthorized purposes
  • employee training to reiterate the importance of treating personal information with the utmost care
  • protocols for responding to client inquiries and complaints regarding their personal information

We implement safeguards

We maintain reasonable organizational, technical, and physical safeguards in an effort to protect personal information in our custody and control against unauthorized access, use, modification, and disclosure. We train our employees to keep clients’ personal information strictly private and confidential. We require all of our staff to sign confidentiality agreements that oblige them to respect and protect clients’ personal information. We ensure that departing staff understand they remain contractually obliged to respect the privacy of clients’ personal information.

We store personal information electronically on computer servers to which only authorized persons have access, and only by means of secure passwords. We authorize employees and service providers to have access to clients’ personal information only on a “need-to-know” basis in order to fulfil their job requirements.

Your online access to elements of your personal information is protected with a password you select. We strongly recommend that you do not disclose your password to anyone. We will never ask you for your password in any unsolicited communication (such as letters, phone calls or email messages).

We limit the personal information we collect

We have personal information retention processes designed to retain personal information of our clients and prospective clients for no longer than necessary. Personal information will not be used, disclosed, or retained for purposes other than those for which the information was collected, except with the permission of the individual, or as permitted or required by law. In particular, certain records (such as identity verification and transaction records) must be retained for minimum periods to comply with securities, CIRO, tax, and anti-money laundering laws, which may require us to keep your information for several years after your relationship with us ends.  Except as otherwise permitted or required by applicable law or regulation, we will only retain your Personal Information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

We require similar safeguards from our service providers.

Our service providers are only provided the information they need to perform their designated functions and are committed to maintaining your confidentiality. Our service providers are not permitted to use your information for any unauthorized purpose. Your personal information may be maintained and processed by our Affiliates and other third-party service providers outside of Canada, including Quebec, in the US or other jurisdictions. In the event personal information is transferred to the US or other foreign jurisdiction, it will be subject to the laws of that jurisdiction and may be disclosed to or accessed by the courts, law enforcement and governmental authorities in accordance with the laws of those jurisdictions.  We use contractual and other safeguards to require such service providers to protect your personal information in a manner that is consistent with this Privacy Policy and applicable Canadian privacy laws. However, when information is located outside Canada, it may be subject to lawful access requests by foreign courts, law enforcement and governmental authorities.

Steps You Can Take to Protect Your Personal Information

To protect your personal information and user account, we encourage you to:

  • Activate two-factor authentication for your Cybrid account as well as for any other service you use that offers it, if it is available. It's an extra security step that helps protect your accounts.
  • Use a long and unique password for Cybrid. Do not use the same password across different websites or apps
  • Never share your password with anyone
  • Limit access to your computer, phone and browser
  • Log out once you have finished using Cybrid on a shared device

Your Rights Over Your Personal Information

Individuals have the right to access, update, and correct personal information in Cybrid’s custody and control, subject to certain exceptions prescribed by law. Upon written request, we will inform you of the existence, use, and disclosure of your personal information and provide access to it within a reasonable timeframe, subject to legal exceptions.

You can update your personal information through the account area or by contacting us for assistance. In some instances, we may not be able to provide access to personal information (e.g., legal restrictions, references to other individuals, security reasons).

If information is found to be inaccurate or incomplete, we will amend it as necessary and notify third parties where appropriate.

If a challenge regarding personal information is not resolved to your satisfaction, we will record the unresolved challenge and inform relevant third parties.  Where permitted by law, you may also request that we restrict certain uses of your personal information or that we delete personal information that is no longer required for the purposes identified in this Privacy Policy or to comply with our legal and regulatory obligations.

Marketing Communications

From time to time, we may send you email, SMS text messages and other communications about Cybrid products, services, or events that may be of interest to you, as well as products, services or events of our Affiliates. You can opt-out of receiving marketing and promotional email from us by following the unsubscribe instructions contained in each of our email communications. Please note that you will continue to receive email regarding your account and transactions with us. Alternatively, you can unsubscribe from any of our marketing communications by contacting us at compliance@cybrid.app.  We comply with Canada’s Anti-Spam Legislation (CASL) and will not send you commercial electronic messages without the required consent. You may withdraw your consent to receive such messages at any time by using the unsubscribe mechanism provided in our communications or by contacting us directly.

Children’s Privacy Statement

Cybrid’s services and Website are not intended for use by children under the age of 18. We do not knowingly collect any Personal Information from a person under 18. If we become aware that we have inadvertently received Personal Information from a person under the age of 18 through the Platform, we will delete such information from our records.

Third Party Websites

The Website may contain links to other websites that are not owned or controlled by us. Please note that this Privacy Policy applies only to personal information that we collect through the Cybrid Website. We have no control over, do not review and are not responsible for the privacy policies of or content displayed on such other websites. When you click on such a link, you will leave our service and go to another site. During this process, another entity may collect personal information from you.

Contact Us

Cybrid’s Chief Privacy Officer is responsible for ensuring that Cybrid adheres to its Privacy Policy.

If you would like to make a request, a complaint or ask a question about how we process your personal information, please contact our privacy team at compliance@cybrid.app.

Complaints

If you have a complaint and you are not satisfied with the response from our Chief Privacy Officer, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada.

You can find out more information about this process and contact them by visiting their website or by phone at 1-800-282-1376. As Cybrid is headquartered and registered in Ontario, our privacy practices are primarily overseen by the Office of the Privacy Commissioner of Canada under the Personal Information Protection and Electronic Documents Act (PIPEDA). Depending on the nature of your concern (for example, if it relates to securities regulation or our conduct as a registered firm), you may also have the right to contact the Ontario Securities Commission or the Canadian Investment Regulatory Organization (CIRO).  You may also have the right to contact the Ontario Securities Commission. If and when Cybrid becomes registered with CIRO, you may also have the right to raise certain complaints with CIRO in accordance with its rules and processes.

Updates to This Policy

This Privacy Policy is effective as of November 2025. It replaces previous notices and applies to the use, sharing, and retention of personal information previously collected. We may amend this Privacy Policy at any time, with significant changes communicated via email and our website. Please review this policy regularly to stay informed of any updates. If changes are material, we will take reasonable steps to bring them to your attention and, where required by law, obtain your consent before the changes take effect.