Privacy Policy

Version: 1.0

Last Updated: January 1st, 2026

Effective Date: January 1st, 2026

Introduction

ContiWealth ("we," "us," or "our") is committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use our digital information legacy platform.

Who We Are:

ContiWealth
Province of Quebec, Canada
Email: privacy@contiwealth.com

Chief Privacy Officer: [To be appointed]
Email: privacy@contiwealth.com

This Privacy Policy applies to all users of ContiWealth, including Testators (account holders) and Recipients.

1. Information We Collect

We collect different types of information to provide and improve our Service.

1.1 Information You Provide Directly

Account Information:

  • Name
  • Email address
  • Phone number (optional)

Inventory Information:

  • Account details (institutions, account numbers, public references)
  • Property records (addresses, estimated values)
  • Vehicle information (make, model)
  • Investment value details
  • Digital asset public keys and inventory data
  • Other items you choose to organize

Uploaded Documents:

  • Testamentary documents
  • Other documents you upload

Recipient Information:

  • Names and contact information of designated Recipients
  • Relationship to you
  • What information each Recipient can access
  • Recipient preferences and settings

Communication Data:

  • Messages to support team
  • Feedback and survey responses
  • Communication preferences

1.2 Information Collected Automatically

Usage Information:

  • Pages and features you access
  • Time spent on different sections
  • Actions you take (adding items, inviting Recipients, etc.)
  • Device information (type, OS, browser)
  • IP address and approximate location (city/country)
  • Login history and timestamps

Cookies and Tracking:

  • Session cookies (to keep you logged in)
  • Analytics cookies (to understand usage patterns)
  • Preference cookies (to remember your settings)

Technical Information:

  • Error logs and diagnostic data
  • Performance metrics
  • API usage and response times

1.3 Information from Third-Party Services

Financial Data Connections (via third-party service):

  • Account balances and public transaction history
  • Account numbers and routing information
  • Institution names
  • Account types

Note: We use READ-ONLY access. We cannot move funds or initiate transactions.

Digital Ledger Data (for digital asset inventory):

  • Public key addresses (you provide)
  • Token inventory balances
  • Public ledger transaction history

Note: We NEVER ask for or store private keys. We only query public ledger data.

Payment Processors (Stripe):

  • Payment method information
  • Billing history
  • Transaction records

Analytics Providers:

  • Aggregated usage statistics
  • Demographics (if available)
  • Referral sources

2. How We Use Your Information

We use your information for the following purposes:

2.1 To Provide the Service

  • Create and manage your account
  • Organize and display your inventory and summary
  • Connect to data sources
  • Store your documents securely
  • Monitor account inactivity
  • Verify status or inactivity
  • Share information with designated Recipients (after verification)
  • Process your subscription payments
  • Provide customer support

2.2 To Communicate With You

  • Send important account notifications
  • Alert you to inactivity verification attempts
  • Notify Recipients when appropriate
  • Respond to your support requests
  • Send product updates (if you consent)
  • Request feedback (if you consent)

Marketing Communications:

We will only send marketing emails if you explicitly consent. You can unsubscribe at any time.

2.3 To Improve Our Service

  • Analyze usage patterns and trends
  • Identify and fix bugs
  • Develop new features
  • Test and optimize performance
  • Conduct research (with anonymized data)

Note: Analytics are performed on aggregated, anonymized data when possible.

2.4 For Legal and Security Purposes

  • Comply with legal obligations
  • Respond to legal requests (court orders, subpoenas)
  • Prevent fraud and abuse
  • Detect and prevent security threats
  • Enforce our Terms of Service
  • Protect our rights and property
  • Investigate suspected violations

4. How We Share Your Information

We do NOT sell your personal information. We share information only as described below:

4.1 With Your Designated Recipients

After Verified Death or Inactivity:

Your designated Recipients will gain access to the information you specified, but ONLY after:

  • An extended inactivity period has passed, AND
  • We have attempted to verify you are alive, AND
  • You have not responded to verification attempts

What Recipients See:

  • Only the information you designated for each Recipient
  • Asset information you chose to share
  • Documents you marked for sharing
  • Messages or notes you left for them

What Recipients Do NOT See:

  • Information not designated for them
  • Your account password or credentials
  • Communications with ContiWealth support
  • Payment information

Recipient Responsibilities:

Recipients agree to use information only for intended purposes and maintain confidentiality.

4.2 With Service Providers (Subprocessors)

We share data with third-party service providers who help us operate:

Database and Hosting:

  • Supabase (PostgreSQL database, file storage)
  • Purpose: Securely store your data
  • Security: SOC 2 Type II, encryption at rest

Application Hosting:

  • Vercel (website and application hosting)
  • Location: USA (global CDN)
  • Purpose: Serve the website and application
  • Security: DDoS protection, TLS encryption

Payment Processing:

  • Stripe (subscription billing)
  • Location: USA
  • Purpose: Process subscription payments
  • Security: PCI DSS compliant

All service providers are bound by confidentiality agreements and process data only on our instructions.

4.3 For Legal Requirements

We may disclose information when required by law:

  • Court orders and subpoenas
  • Government investigations
  • Law enforcement requests (where legally required)
  • Regulatory compliance (tax authorities, privacy regulators)

We will:

  • Verify the legal validity of requests
  • Notify you if legally permitted
  • Provide only information specifically requested
  • Resist overbroad requests

4.4 Business Transfers

If ContiWealth is involved in a merger, acquisition, or sale of assets:

  • Your information may be transferred to the new owner
  • We will notify you before transfer
  • The new owner must honor this Privacy Policy
  • You can close your account before transfer if you disagree

4.5 Aggregated and Anonymized Data

We may share aggregated, anonymized data that cannot identify you:

  • Industry trends and statistics
  • Research and analysis
  • Marketing materials
  • Public reports

Example: "Average net worth tracked on ContiWealth is $X" (no individual data).

5. Data of Deceased Persons

Important: Privacy laws treat deceased persons differently depending on jurisdiction.

5.1 GDPR (European Union)

GDPR Does Not Apply to Deceased Persons (Recital 27)

The GDPR explicitly states it does not apply to personal data of deceased persons. However:

  • EU member states may have specific laws for deceased data
  • France allows individuals to set instructions for posthumous data
  • Estonia allows consent to remain valid for 10-20 years after death

If you are an EU resident, your designated Recipients may access your data after verified death according to our Terms of Service.

5.2 United States (RUFADAA)

Revised Uniform Fiduciary Access to Digital Assets Act

47 US states have adopted RUFADAA, which allows:

  • Executors and trustees to access digital assets
  • Fiduciaries to manage accounts after death
  • Account holders to override defaults in wills or terms of service

ContiWealth complies with RUFADAA by:

  • Allowing you to designate Recipients (equivalent to granting fiduciary access)
  • Respecting your instructions for posthumous data
  • Requiring verification before disclosure

5.3 Canada (PIPEDA and Quebec Law 25)

Federal (PIPEDA):

PIPEDA technically applies only to living individuals, but we treat deceased person data with the same care and sensitivity.

Quebec (Law 25):

Quebec law provides privacy protections that we extend to deceased persons where appropriate.

Our Approach:

  • We honor your instructions for posthumous data access
  • Recipients must verify death (death certificate may be required)
  • Data is shared only with designated Recipients
  • Data is retained for a specified period after verified death, then deleted
  • Legal heirs can request deletion if not designated Recipients

6. International Data Transfers

ContiWealth is based in Canada, but your data may be stored and processed in other countries.

Current Data Locations:

  • Primary database: USA/EU/Canada (Supabase)
  • Processing: May occur in various countries via service providers

Quebec Law 25 Compliance:

In accordance with Quebec Law 25, we have conducted a Privacy Impact Assessment (PIA) regarding the transfer of personal information outside of Quebec. We ensure that our service providers in other jurisdictions offer protection equivalent to generally accepted data protection principles.

For EU Users:

If you are in the European Union, we use appropriate safeguards for data transfers:

  • Standard Contractual Clauses (SCCs): EU-approved contracts for data transfers outside the EU
  • Adequacy Decisions: Transfer to countries the EU deems adequate (Canada has adequacy for commercial data under PIPEDA)
  • Your Consent: For certain transfers, we may ask for explicit consent

For All Users:

We require all service providers to:

  • Implement appropriate security measures
  • Process data only on our instructions
  • Comply with applicable privacy laws

7. Data Security

We implement industry-standard security measures to protect your information:

7.1 Technical Security

Encryption:

  • At Rest: AES 256-bit encryption for data stored in databases
  • In Transit: TLS 1.3 encryption for all data transmission
  • Passwords: Hashed using bcrypt with salt
  • Sensitive Documents: Additional encryption layer

Access Controls:

  • Multi-factor authentication (MFA) available
  • Role-based access control (RBAC)
  • Principle of least privilege for employees
  • Audit logs of all access

Infrastructure:

  • Regular security updates and patches
  • Firewalls and intrusion detection
  • DDoS protection
  • Vulnerability scanning

7.2 Organizational Security

Employee Access:

  • Background checks for employees with data access
  • Confidentiality agreements (NDAs)
  • Security awareness training
  • Limited access on a need-to-know basis

Processes:

  • Incident response plan
  • Regular security audits
  • Penetration testing (planned)
  • Third-party security assessments

Compliance Goals:

  • SOC 2 Type II certification (roadmap)
  • ISO 27001 compliance (future goal)
  • Regular compliance audits

7.3 Security Limitations

No System is 100% Secure:

Despite our best efforts, no security system is impenetrable. We cannot guarantee absolute security.

Your Responsibilities:

  • Use a strong, unique password
  • Enable multi-factor authentication
  • Keep your credentials confidential
  • Log out on shared devices
  • Report suspicious activity immediately

In Case of Breach:

We will notify you promptly if a security breach affects your data. See Section 13 for breach notification procedures.

8. Data Retention

How long we keep your information:

8.1 Active Accounts

While Your Account is Active:

  • We retain all data you provide
  • You can delete specific data at any time
  • We update information as you make changes

Account Inactivity:

  • After a period of inactivity, we begin the verification process
  • Data is retained during verification process
  • If you return and log in, account remains active

8.2 Closed Accounts

When You Close Your Account:

  • You have 30 days to export your data
  • After 30 days, we delete your account and data
  • Some data may remain in backups for 7 days
  • After backups cycle out, data is permanently deleted

Exception for Deceased Accounts:

If death has been verified, Recipients retain access for a specified period, then data is deleted unless Recipients request extension.

8.3 Legal and Financial Retention

Required Retention:

Some data must be kept for legal or financial reasons:

  • Tax Records: 7 years (as required by tax authorities)
  • Financial Transactions: 7 years (financial regulations)
  • Legal Holds: Indefinitely until hold is lifted
  • Fraud Investigation: Until investigation concludes

Backup Retention:

  • Backups are retained for 7 days
  • Backups are encrypted and access-controlled
  • Backups are deleted on a regular schedule

9. Your Privacy Rights

Depending on where you live, you have different privacy rights.

9.1 Rights for All Users

All ContiWealth users can:

  • Access Your Data: Request a copy of information we have about you
  • Correct Your Data: Update inaccurate information in your account
  • Delete Your Data: Close your account and request deletion
  • Export Your Data: Download your data in portable format
  • Opt-Out of Marketing: Unsubscribe from marketing emails
  • Manage Cookies: Control cookie preferences

How to Exercise:

  • Most rights can be exercised through your account settings
  • For other requests, email privacy@contiwealth.com
  • We will respond within 30 days

9.2 Additional Rights for EU Users (GDPR)

If you are in the European Union:

  • Right to Access (Article 15): Get a copy of your data and details about processing
  • Right to Rectification (Article 16): Correct inaccurate data
  • Right to Erasure (Article 17): "Right to be forgotten" (with exceptions)
  • Right to Restrict Processing (Article 18): Limit how we use your data
  • Right to Data Portability (Article 20): Receive data in machine-readable format
  • Right to Object (Article 21): Object to processing based on legitimate interests
  • Rights Related to Automated Decision-Making (Article 22): Request human review

Time to Respond: 1 month (may extend to 3 months for complex requests)

No Fee: We do not charge for reasonable requests

How to Exercise:

Email: privacy@contiwealth.com
Subject: "GDPR Data Subject Request"

Right to Complain:

You can file a complaint with your local Data Protection Authority: List of EU DPAs

9.3 Additional Rights for California Users (CCPA)

If you are a California resident:

  • Right to Know (1798.100): What personal information we collect, use, disclose
  • Right to Delete (1798.105): Request deletion of your personal information
  • Right to Opt-Out (1798.120): We do NOT sell data, so this doesn't apply
  • Right to Non-Discrimination (1798.125): Same service quality regardless of privacy choices

Categories of Data Collected:

  • Identifiers (name, email, IP address)
  • Commercial information (subscription history)
  • Internet activity (usage data)
  • Financial information (via third parties)
  • Geolocation (approximate)
  • Professional information (if provided)

Time to Respond: 45 days (may extend to 90 days)

How to Exercise:

Email: privacy@contiwealth.com
Subject: "CCPA Consumer Request"

Verification: We will verify your identity before fulfilling requests (for security)

Authorized Agents: Authorized agents may submit requests on your behalf with proper documentation

Right to Complain:

California Attorney General: https://oag.ca.gov/contact

9.4 Additional Rights for Quebec Users (Law 25)

If you are in Quebec:

  • Right to Access: Obtain your personal information we hold
  • Right to Rectification: Correct inaccurate information
  • Right to De-indexing: Similar to GDPR right to erasure
  • Right to Portability: Receive data in structured format
  • Right to Withdraw Consent: Revoke consent (where applicable)
  • Right to Object: Object to automated decisions affecting you

Time to Respond: 30 days

How to Exercise:

Email: privacy@contiwealth.com
Subject: "Quebec Law 25 Privacy Request"

Right to File Complaint:

Commission d'accès à l'information du Québec (CAI)
Website: https://www.cai.gouv.qc.ca
Phone: 1-888-528-7741
Email: caiq@cai.gouv.qc.ca

Note: As a Quebec-based company, we take Quebec privacy law very seriously and prioritize compliance with Law 25.

9.5 Additional Rights for Other Canadian Users (PIPEDA)

If you are in Canada (outside Quebec):

  • Right to Access: Access personal information we hold
  • Right to Correction: Correct inaccurate information
  • Right to Withdraw Consent: Revoke consent (with limitations)
  • Right to Challenge Compliance: Challenge our compliance with PIPEDA

Time to Respond: 30 days

How to Exercise:

Email: privacy@contiwealth.com
Subject: "PIPEDA Privacy Request"

Right to File Complaint:

Office of the Privacy Commissioner of Canada
Website: https://www.priv.gc.ca
Phone: 1-800-282-1376
Email: info@priv.gc.ca

10. Children's Privacy

ContiWealth is NOT intended for use by anyone under 18 years of age.

We Do Not:

  • Knowingly collect information from children under 18
  • Allow minors to create accounts
  • Market to children

If We Learn:

If we discover we have collected information from someone under 18:

  • We will delete the account immediately
  • We will delete all associated data
  • We will not use the information for any purpose

Parents:

If you believe your child has created an account, please contact us immediately at privacy@contiwealth.com so we can delete it.

11. Cookies and Tracking

We use cookies and similar tracking technologies.

Summary:

  • Essential Cookies: Required for the Service to function (login, security)
  • Analytics Cookies: Help us understand usage (you can opt-out)
  • Marketing Cookies: Track campaigns (you can opt-out)

Your Choices:

  • Manage cookies through our cookie banner
  • Adjust browser settings to block cookies
  • Use privacy tools and extensions

Note: Blocking essential cookies will prevent the Service from working properly.

12. Do Not Track Signals

Some browsers offer "Do Not Track" (DNT) signals.

Our Approach:

  • We respect DNT for analytics and marketing cookies
  • Essential cookies are still required for Service functionality
  • You can also use our cookie preference center

Industry Note:

There is no universal standard for DNT, so implementations vary.

13. Data Breach Notification

In the event of a data breach affecting your personal information:

13.1 Our Response

Immediate Actions:

  1. Contain and mitigate the breach
  2. Assess scope and impact
  3. Notify regulators as required by law
  4. Notify affected users

Investigation:

  • Determine what data was accessed
  • Identify affected users
  • Analyze security gaps
  • Implement corrective measures

13.2 Notification to You

We Will Notify You:

Timing:

  • Quebec Law 25: As soon as feasible
  • GDPR: Within 72 hours of discovery (to regulators); without undue delay (to you)
  • CCPA: Without unreasonable delay
  • PIPEDA: As soon as feasible

Method:

  • Email to your registered address
  • In-app notification
  • Notice on website (for widespread breaches)

Information Provided:

  • What happened
  • What data was affected
  • What we're doing about it
  • What you should do (change password, monitor accounts, etc.)
  • How to contact us with questions

13.3 Notification to Regulators

Required Notifications:

  • Quebec (Law 25): Commission d'accès à l'information (CAI)
  • EU (GDPR): Relevant supervisory authority
  • California (CCPA): California Attorney General (if applicable)
  • Canada (PIPEDA): Privacy Commissioner of Canada (if applicable)
  • Other jurisdictions: As required by local law

We maintain a breach register as required by Quebec Law 25.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time.

How We Notify You:

  • Email to your registered address (for material changes)
  • Notice on our website
  • In-app notification
  • Updated "Last Updated" date at top of policy

Notice Period:

  • 30 days' notice for material changes
  • Immediate for minor clarifications or legal requirements

Your Options:

  • Review changes when notified
  • Contact us with questions
  • Close your account if you disagree with changes

Continued Use:

Your continued use of the Service after changes means you accept the updated Privacy Policy.

15. Contact Us

For privacy-related questions, requests, or concerns:

Email: privacy@contiwealth.com

Chief Privacy Officer: [To be appointed]
Email: privacy@contiwealth.com

Data Protection Officer (EU): [If/when appointed]
Email: dpo@contiwealth.com

Mailing Address: Quebec, Canada

Response Time: We aim to respond to all privacy inquiries within 5 business days, and fulfill requests within 30 days (or as required by law).

16. Filing Complaints

If you believe we have violated your privacy rights, you can file a complaint with:

Quebec Users:

Commission d'accès à l'information du Québec (CAI) (Primary for Quebec-based company)
525 René-Lévesque Blvd East, Suite 1.200
Quebec City, QC G1R 5S9
Phone: 418-528-7741 or 1-888-528-7741
Email: caiq@cai.gouv.qc.ca
Website: https://www.cai.gouv.qc.ca

Other Canadian Users:

Office of the Privacy Commissioner of Canada
30 Victoria Street, Gatineau, QC K1A 1H3
Phone: 1-800-282-1376
Email: info@priv.gc.ca
Website: https://www.priv.gc.ca

European Union Users:

Your local Data Protection Authority
List: https://edpb.europa.eu/about-edpb/board/members_en

California Users:

California Attorney General
Privacy Enforcement
1300 I Street, Sacramento, CA 95814
Website: https://oag.ca.gov/privacy

We encourage you to contact us first so we can address your concerns directly.

17. Your Acknowledgment

By using ContiWealth, you acknowledge that:

  • You have read and understood this Privacy Policy
  • You understand how we collect, use, and share your information
  • You understand your privacy rights
  • You consent to the processing described in this Policy
  • You understand data may be transferred internationally
  • You understand posthumous data handling varies by jurisdiction

If you do not agree with this Privacy Policy, please do not use the Service.


Contiwealth © 2026. All rights reserved