Privacy Policy
Last updated: April 7, 2026
HNDL Technology Inc. ("HNDL", "we", "us") operates Complai, a compliance onboarding platform for Canadian mortgage brokers. This policy explains how we collect, use, and protect personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA).
1. Information We Collect
We collect information in two categories:
Broker information (collected during registration):
- Name, email address, phone number
- Business name and mortgage broker licence number
- Logo and brand colours (for white-label client experience)
- Payment information (credit card details stored securely by Stripe; we do not store card numbers)
Client information (collected during the compliance flow on behalf of the broker):
- Name and email address
- KYC questionnaire responses (mortgage purpose, employment, insurance, declarations, PEP status)
- Electronic signature
- Identity verification result (document type, document number, issuing country, issued date, expiry date, verification status)
- AML screening result
- CASL marketing consent (if given)
2. Information We Do Not Collect or Store
- ID card images: Photos of government-issued identification are processed by our verification provider during the verification session. We do not receive, download, or store these images.
- Selfie or biometric images: The facial match selfie is processed in real time by the verification provider. We do not receive or store any biometric images.
- Biometric templates: No biometric templates, hashes, or embeddings are created or stored in our system.
- Passwords: Broker accounts use passwordless authentication (magic links). No passwords are stored.
- Credit card numbers: Payment is processed by our PCI-certified payment processor. We store only the last four digits for display purposes.
3. How We Use Information
- Provide compliance onboarding services to brokers and their clients
- Generate and deliver compliance documents (KYC PDF, signed agreement, IDV certificate)
- Process identity verification and AML screening through our verification provider
- Process monthly billing through our payment processor
- Send transactional emails (magic link login, client invite, completion confirmation)
- Monitor platform health and resolve technical issues
We do not use client data for marketing, advertising, analytics, AI training, or any purpose other than providing the compliance service to the broker.
4. Who Has Access to Client Data
The broker who created the client session can view their client's information through the Complai dashboard.
HNDL (platform operator) does not have access to client names, email addresses, identification documents, or personal information. The platform admin dashboard references sessions by anonymous session ID only.
No other brokers can see another broker's client data. Data isolation is enforced at the database level.
5. Third-Party Services
We use the following third-party services:
- Database hosting: PostgreSQL hosted in Canada (AWS Montreal). All client data at rest is encrypted with AES-256.
- Identity verification: ISO 27001 certified, iBeta Level 1 certified provider for biometric presentation attack detection. Processes ID scans and selfies in real time. We request deletion of verification session data after receiving the result.
- Payment processing: PCI DSS Level 1 certified payment processor. We do not handle or store credit card numbers.
- Email delivery: Transactional email service for magic links, client invites, and completion emails.
- Application hosting: Cloud hosting and deployment platform.
Each service operates under its own privacy policy. We share only the minimum information necessary for each service to function.
6. Data Storage and Security
- All client data is stored in Canada (AWS ca-central-1, Montreal).
- All data at rest is encrypted with AES-256.
- All data in transit uses TLS 1.2 or higher.
- Broker portal access requires mandatory two-factor authentication.
- Biometric data is processed by the verification provider and deleted after the verification decision. We call the provider's deletion API after receiving the result.
7. CASL Compliance
During the compliance flow, clients may optionally consent to receive marketing communications from their broker. This consent is:
- Collected through a clear, unchecked checkbox (not pre-selected)
- Recorded with a timestamp
- Stored on the client session record
- Voluntary and does not affect the compliance process
CASL consent applies to commercial electronic messages only (newsletters, rate updates, market insights). It does not apply to transactional communications about an active mortgage file.
8. Data Retention
FINTRAC requires identity verification records to be retained for a minimum of five years across all Canadian provinces and territories. No provincial regulator requires less than five years. British Columbia's BCFSA requires seven years for all mortgage transaction records (MB 12-001), which is the longest requirement in Canada.
To ensure compliance regardless of which province a broker operates in, Complai retains all client session data for a minimum of seven years. This satisfies both the federal FINTRAC requirement and the most stringent provincial requirement.
Biometric data (ID images, selfies) is not retained by Complai. It is deleted from the verification provider's servers after the verification decision is made.
9. Your Rights Under PIPEDA
Under the Personal Information Protection and Electronic Documents Act, you have the right to:
- Access the personal information we hold about you
- Request corrections to inaccurate information
- Withdraw consent for the use of your personal information (subject to legal retention requirements)
- Unsubscribe from marketing emails at any time
For clients: Contact your mortgage broker directly. They are the data controller for your compliance information. Complai processes data on behalf of the broker.
For brokers: Contact us at the email below.
10. Cookies and Tracking
Complai uses the following cookies:
- Session cookies: Required for broker portal authentication (complai_session, complai_admin). These are functional cookies necessary for the service to operate.
- 2FA cookies: Temporary cookies used during the two-factor authentication flow.
We do not use advertising cookies, remarketing pixels, or third-party tracking scripts on the Complai platform.
11. Changes to This Policy
We may update this privacy policy from time to time. Any changes will be reflected on this page with an updated "Last updated" date. We encourage you to review this policy periodically.
12. Contact Us
If you have questions about this privacy policy or how we handle personal information: