Canada Privacy Policy
Contents
1. Introduction and Scope
2. Definitions
3. PIPEDA's Ten Fair Information Principles
4. Personal Information We Collect
5. How We Use Personal Information
6. Consent
7. Disclosure of Personal Information to Third Parties
8. Your Privacy Rights
9. Retention and Deletion of Personal Information
10. Security Safeguards
11. Cookies and Tracking Technologies
12. Electronic Commercial Messages (CASL)
13. Changes to This Privacy Policy
14. Contact Our Privacy Officer
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Introduction and Scope:
Canadian Benefits Nexus Inc. ("the Company," "we," "us," or "our") is a corporation incorporated under the laws of Quebec, Canada. We operate a technology platform that connects Canadian consumers with licensed real estate professionals and administers real estate referral and rebate programs on their behalf.
This Privacy Policy governs the collection, use, disclosure, retention, and protection of personal information that we collect from or about Canadian residents through our websites, mobile applications, forms, email communications, and any other interaction with our services (collectively, the "Services").
We are committed to complying with all applicable Canadian privacy legislation, including:
- PIPEDA (Federal, Canada): All Canadian residents; cross-border data flows
- Law 25 / Bill 64 (Quebec, Canada): All Quebec residents; enhanced rights apply
- PIPA (Alberta): Residents where PIPA is deemed substantially similar to PIPEDA
- PIPA (British Columbia): Residents where PIPA is deemed substantially similar to PIPEDA
- CASL (Federal, Canada): Electronic commercial messages sent to Canadians
Important Notice for Quebec Residents: If you reside in Quebec, you benefit from additional rights and protections under An Act Respecting the Protection of Personal Information in the Private Sector, as amended by Bill 64 / Law 25 (the "Privacy Act"). Sections specifically addressing Quebec residents are marked throughout this Policy. The enhanced Quebec rights supplement, and do not replace, your federal rights under PIPEDA.
Relationship to U.S. Entities: Canadian Benefits Nexus Inc. is a legally distinct entity from Nexus Real Estate Group, LLC and Nexus Real Estate (a Washington, D.C. licensed brokerage). Your privacy rights as a Canadian resident are governed exclusively by Canadian law, regardless of any U.S. jurisdiction language appearing in linked documents. No U.S. privacy framework limits or diminishes your rights under this Policy.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
2. Definitions:
The following terms have the meaning set out below throughout this Privacy Policy:
Personal Information: Any information about an identifiable individual, as defined in PIPEDA and Law 25, including name, contact details, transaction data, and device identifiers.
Sensitive Personal Information: Personal information with heightened protection requirements including financial data, government-issued identifiers, and data revealing personal characteristics.
Processing: Any operation performed on personal information, including collection, use, storage, disclosure, transfer, or deletion.
Consent: Meaningful, informed, free, and clear agreement to the collection, use, or disclosure of personal information, which may be express or implied depending on the sensitivity of the information.
Express Consent: Explicit opt-in agreement, required under Law 25 for sensitive personal information and for secondary uses not reasonably expected by the individual.
Service Provider: A third party engaged by the Company to process personal information on our behalf, subject to contractual privacy obligations.
Privacy Officer: The Company's designated individual accountable for PIPEDA and Law 25 compliance, accessible at the contact information set out in Section 14.
Breach of Security: Any loss, unauthorized access, use, disclosure, or modification of personal information.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
3. PIPEDA's Ten Fair Information Principles:
Our practices are organized around the ten principles set out in Schedule 1 of PIPEDA.
Principle 1 — Accountability
We are responsible for all personal information under our control, including information transferred to third-party service providers. Our Privacy Officer oversees compliance with this Policy and applicable law.
Principle 2 — Identifying Purposes
We identify the purposes for which personal information is collected at or before the time of collection. Purposes are described in detail in Section 5.
Principle 3 — Consent
We obtain meaningful consent for the collection, use, or disclosure of personal information, except where permitted by law. The form of consent varies based on the sensitivity of the information and reasonable expectations. Quebec residents receive enhanced consent protections described in Section 6.
Principle 4 — Limiting Collection
We collect only the personal information necessary for the identified purposes. We do not collect information by unlawful means or through deception.
Principle 5 — Limiting Use, Disclosure, and Retention
We use and disclose personal information only for the purposes for which it was collected, unless we obtain additional consent or are required by law. We retain personal information only as long as necessary to fulfill the identified purposes.
Principle 6 — Accuracy
We keep personal information as accurate, complete, and up-to-date as necessary for the purposes for which it is used. You have the right to request correction of inaccurate personal information.
Principle 7 — Safeguards
We protect personal information with security safeguards appropriate to the sensitivity of the information, including physical, organizational, and technical measures.
Principle 8 — Openness
We make readily available specific information about our policies and practices relating to the management of personal information, including through this Policy.
Principle 9 — Individual Access
Upon written request, we will inform individuals of the existence, use, and disclosure of their personal information and give access to that information. Individuals may challenge the accuracy and completeness of the information and have it amended.
Principle 10 — Challenging Compliance
Complaints should be directed to our Privacy Officer (Section 14). Unresolved complaints may be escalated to the Office of the Privacy Commissioner of Canada or the Commission d'accès à l'information (CAI) for Quebec residents.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
4. Personal Information We Collect:
We collect personal information directly from you, automatically through your use of our Services, and, in limited circumstances, from third parties.
4.1 Information You Provide Directly:
Identity & Contact Information:
Data collected: Legal name, preferred name, email address, phone number, mailing address, postal code
Purpose: Account creation; agent matching; rebate delivery; compliance records
Real Estate Transaction Information:
Data collected: Purchase price, property address, closing date, agent name and brokerage, MLS number
Purpose: Rebate calculation; commission verification; payment processing
Rebate Delivery Preferences:
Data collected: Payment preference, mailing address for cheques
Purpose: Processing and delivering rebate payments post-closing
Charitable Donation Elections:
Data collected: Nonprofit selection, donation amount, confirmation of voluntary election
Purpose: Facilitating optional rebate donations; program administration
Communications:
Data collected: Emails, messages, and correspondence you send to us
Purpose: Customer service; program support; record-keeping
Partner Program Registration:
Data collected: Alumni affiliation, employer name, hotel stay confirmation, membership number
Purpose: Verifying eligibility for partner-specific rebate programs
4.2 Information Collected Automatically:
When you use our websites or digital services, we may automatically collect:
- Device identifiers, IP address, browser type and version, operating system
- Pages visited, clickstreams, time and date of access, and referring URLs
- Cookie identifiers and similar tracking technologies (see Section 11)
- General geographic location derived from IP address (province/city level only)
4.3 Information from Third Parties:
We may receive personal information from the following third-party sources, only where permitted by law and necessary for our services:
Partner Organizations: Hotels, universities, alumni associations, and other partner organizations may share your name and contact information after obtaining your consent to refer you to our Services.
Licensed Real Estate Brokerages: Brokerages and agents involved in your real estate transaction may confirm transaction details necessary for rebate processing.
Payment Processors: Our rebate delivery platform may share payment confirmation data with us for record-keeping purposes.
Information We Do NOT Collect:
- Social Insurance Numbers (SIN) or government-issued identification numbers (unless required by law for a specific purpose with your express consent)
- Financial account numbers, credit card numbers, or banking credentials
- Health information or medical records
- Biometric data
- Information from individuals under the age of majority in their province without verified parental consent
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
5. How We Use Personal Information:
We use personal information only for the purposes identified at the time of collection or for purposes that a reasonable person would consider appropriate in the circumstances.
Program Administration: Matching clients with licensed real estate brokerages and agents; tracking transaction progress; calculating, processing, and delivering rebates at closing; maintaining records as required by applicable brokerage and compliance regulations.
Partner Program Management: Verifying eligibility under partner-specific programs (university alumni, hotel guest programs); administering co-branded benefits; reporting aggregate program performance to partners. We never share individual personal information with partners without your consent.
Communications: Sending program updates, rebate status notifications, and transactional emails related to your active file; responding to inquiries; providing customer service.
Legal and Regulatory Compliance: Maintaining records as required under applicable real estate brokerage regulations, RESPA (for U.S.-adjacent transactions), anti-money laundering (AML) obligations, and applicable Canadian privacy legislation; responding to lawful requests from regulatory authorities.
Security and Fraud Prevention: Detecting, investigating, and preventing fraudulent transactions, unauthorized access, and other security incidents.
Service Improvement (Aggregated Only): Analyzing aggregate, de-identified data to understand program usage patterns and improve service quality. We do not use identifiable personal information for product development without separate consent.
Marketing Communications (With Consent): Sending promotional communications about our Services where you have provided express consent. You may withdraw consent at any time (see Section 8).
Secondary Uses: If we wish to use your personal information for a purpose other than those identified above, we will seek your express consent before doing so. We will not use personal information in a manner that causes harm to you.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
6. Consent:
6.1 General Consent Framework:
We obtain consent before or at the time we collect personal information, or before we use it for a new purpose not previously identified. The form of consent may be express or implied, depending on the sensitivity of the information and the reasonable expectations of the individual.
Express Consent is required for: sensitive personal information; secondary uses; transfer to jurisdictions with different legal standards; any use not reasonably anticipated by the individual at the time of collection.
Implied Consent may be relied upon for: routine transactional uses clearly expected at the time of collection; uses integral to delivering a service explicitly requested by the individual.
6.2 Quebec-Specific Consent Requirements (Law 25):
If you are a Quebec resident, the following enhanced consent protections apply:
- Consent must be requested for specific purposes in clear, plain language, separately from any other information, and in a manner that stands out.
- Any consent form you sign must specifically request only that which is necessary for the stated purpose. Omnibus consent clauses are not valid under Law 25.
- You must be informed of the names of any third parties to whom your information will be communicated, the purposes of that communication, and your right to withdraw consent.
- You have the right to withdraw consent at any time, subject only to legal or contractual restrictions and reasonable notice. Withdrawal cannot be made retroactive but takes effect prospectively.
- Automated decision-making: If a decision affecting you is made using your personal information through automated processing, you have the right to be informed, to ask for human review, and to provide observations.
- Profiling: We will not use your personal information to create profiles of your behaviour for commercial purposes without your express consent.
6.3 Withdrawal of Consent:
You may withdraw consent to non-essential uses of your personal information at any time by:
- Contacting our Privacy Officer at the address in Section 14
- Using the unsubscribe link in any marketing email we send
- Submitting a written request via our Privacy Request Form at nexus.realestate/privacy
Please note: Withdrawal of consent may affect our ability to provide certain Services. We will inform you of the consequences of withdrawal before or at the time of your request. Withdrawal does not apply to uses necessary to fulfill a transaction you have already initiated or to uses required by law.
6.4 Consent of Minors:
Our Services are not directed to individuals under the age of majority in their province. We do not knowingly collect personal information from minors. If we learn that we have inadvertently collected information from a minor, we will promptly delete it. If you are a parent or guardian and believe we have collected information about a minor in your care, please contact our Privacy Officer immediately.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
7. Disclosure of Personal Information to Third Parties:
We do not sell, rent, or trade personal information. We disclose personal information only in the circumstances described below.
7.1 Service Providers:
We engage service providers to assist in delivering our Services, subject to change. These providers are permitted to process personal information only for the purposes we specify, subject to contractual privacy and security obligations consistent with this Policy and applicable law.
Rebate Payment Platform (Tremendous)
Information disclosed: Name, payment preference, rebate amount
Location: United States
Email Marketing Platform (MailChimp)
Information disclosed: Name, email address, program status
Location: United States
Form & Survey Platform (Typeform)
Information disclosed: Registration data, donation elections
Location: European Union
CRM / Data Management
Information disclosed: Transaction and contact data
Location: Canada / United States
Real Estate Brokerage Partners
Information disclosed: Name, contact details, transaction details for matching
Location: Canada / United States
7.2 Cross-Border Transfers:
Some of our service providers are located outside Canada, including in the United States and the European Union. When we transfer personal information outside Canada, we:
- Conduct a privacy impact assessment (PIA) to evaluate the laws of the recipient jurisdiction
- Implement contractual safeguards (data processing agreements) requiring the recipient to provide protection comparable to PIPEDA and, for Quebec residents, Law 25
- Inform you, at or before the time of collection, that your information may be transferred outside Canada and will be subject to the laws of that jurisdiction
- Maintain accountability for personal information transferred to our agents and service providers
Quebec Residents — Cross-Border Transfer Notice (Law 25, Section 17):
Before disclosing your personal information to a person or body outside Quebec, we are required under Law 25 to conduct a privacy impact assessment (PIA) and ensure your information will receive equivalent protection. If we cannot ensure equivalent protection, we are prohibited from transferring your information without your express consent. You have the right to be informed, upon request, of the jurisdictions to which your information is transferred and the protections in place.
7.3 Legal and Regulatory Disclosures:
We may disclose personal information without consent only as permitted or required by law, including:
- In response to a lawful subpoena, court order, or regulatory demand from a Canadian authority with jurisdiction
- To report suspected fraud, money laundering, or other criminal activity to law enforcement
- Where necessary to protect the vital interests of an individual
- To a successor organization in the event of a merger, acquisition, or sale of substantially all assets (see Section 7.4)
7.4 Business Transfers:
In the event of a proposed merger, acquisition, financing, reorganization, bankruptcy, receivership, dissolution, or sale of substantially all assets, personal information may be disclosed to prospective parties and their advisors, subject to confidentiality obligations. If a transaction is completed, personal information will be transferred to the successor organization under a privacy regime at least as protective as this Policy. You will be notified of any material change in the purposes for which your information will be used.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
8. Your Privacy Rights:
Canadian privacy legislation gives you meaningful rights with respect to your personal information. To exercise any right, please use the contact information in Section 14.
Right of Access:
You may request confirmation of whether we hold personal information about you and a copy of that information, subject only to limited exceptions under PIPEDA (e.g., legally privileged or confidential third-party information).
Right of Correction:
If your personal information is inaccurate, incomplete, or out of date, you may request that we correct it. Where we do not agree to make the requested correction, we will note your disagreement on the record.
Right to Withdraw Consent:
You may withdraw consent to non-essential processing at any time, subject to legal or contractual restrictions and reasonable notice.
Right to Deletion (Quebec Residents — Law 25)
Quebec residents have the right to request deletion of personal information where: it is no longer necessary for its original purpose; you have withdrawn consent and no overriding legitimate purpose applies; or the information was collected unlawfully.
Right to Data Portability (Quebec Residents — Law 25)
Quebec residents may request that computerized personal information be communicated to them in a structured, commonly used technological format. This right applies to information you provided directly, processed by automated means.
Right to Object to Automated Decisions (Quebec Residents — Law 25)
Quebec residents have the right to be informed of, and to object to, decisions based solely on automated processing, including profiling, and to request human review.
Right to Complain
You have the right to file a complaint with our Privacy Officer. If unresolved, you may escalate to:
- Office of the Privacy Commissioner of Canada (OPC): www.priv.gc.ca
- Commission d'accès à l'information — Quebec residents (CAI): www.cai.quebec.ca
8.1 How to Submit a Request:
- Email our Privacy Officer: privacy@nexus.realestate
- Complete our Privacy Request Form: nexus.realestate/privacy
- Mail a written request to the address in Section 14
We will acknowledge receipt of your request within five (5) business days and respond within thirty (30) calendar days, unless an extension is required, in which case we will notify you. We may verify your identity before processing a request. We will not charge a fee for access requests unless the request is excessive, repetitive, or manifestly unfounded.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
9. Retention and Deletion of Personal Information:
We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law or regulation.
Transaction records and rebate documentation
Retention: 7 years post-closing
Basis: Real estate brokerage regulations; tax record obligations
AfBA / privacy disclosure acknowledgments
Retention: 3 years post-acknowledgment
Basis: RESPA compliance for cross-border transactions; PIPEDA accountability
Active client profile
Retention: Duration of client relationship + 2 years
Basis: Service delivery; ongoing communication
Marketing consent records
Retention: Duration of consent + 3 years
Basis: CASL; PIPEDA accountability; Law 25
Security incident logs
Retention: 5 years from incident date
Basis: OPC reporting obligations; Law 25 breach notification
Website analytics (anonymized)
Retention: 2 years
Basis: Service improvement; aggregate analysis only
Unsubmitted / abandoned registration data
Retention: 90 days, then auto-deleted
Basis: Minimum necessary retention
When personal information is no longer required, we destroy, erase, or anonymize it using secure methods appropriate to the format in which it is held. We do not retain personal information in identifiable form beyond the periods described above except where required to do so by law.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
10. Security Safeguards:
We implement a multi-layered security program to protect personal information against loss, theft, unauthorized access, disclosure, copying, use, modification, or destruction.
10.1 Technical Safeguards:
- TLS encryption for all data in transit between our systems and service providers
- AES-256 encryption for personal information at rest in our databases
- Role-based access controls limiting access to personal information to authorized personnel with a demonstrated business need
- Multi-factor authentication (MFA) for all systems containing personal information
- Automated vulnerability scanning and regular penetration testing
- Audit logging for access to and modifications of personal information
10.2 Organizational Safeguards:
- Privacy training and annual certification for all employees and contractors with access to personal information
- Contractual privacy and confidentiality obligations for all service providers
- Formal incident response and breach notification procedures
- Privacy Impact Assessments (PIAs) for new technologies or material changes to data processing
- Designation of a Privacy Officer with authority and accountability for compliance
10.3 Physical Safeguards:
- Secure, access-controlled facilities for any physical records
- Locked filing systems for paper documents containing personal information
- Secure destruction procedures for physical media and paper records
Security Breach Notification — Your Rights:
PIPEDA: We are required to notify you if a breach creates a real risk of significant harm to you. We will report to the Office of the Privacy Commissioner of Canada and notify affected individuals without unreasonable delay.
Law 25 (Quebec): We are required to notify the CAI and affected individuals of any confidentiality incident involving your personal information within 72 hours of determining that a breach has occurred.
Notification will include: the nature of the incident, the personal information involved, steps taken or planned, and what you can do to minimize your risk.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
11. Cookies and Tracking Technologies:
Our websites use cookies and similar technologies to provide a functional user experience, analyze traffic, and deliver relevant communications. We do not use cookies for advertising profiling without your express consent.
Strictly Necessary Cookies
Purpose: Session management; security; load balancing; fraud prevention
Consent required: No — essential to site function
Functional Cookies
Purpose: Remembering your preferences; language settings; form auto-fill
Consent required: Yes — opt-in
Analytics Cookies
Purpose: Understanding how visitors use our site; aggregate reporting only
Consent required: Yes — opt-in
Marketing / Tracking Cookies
Purpose: Conversion tracking for our own campaigns (no third-party ad networks)
Consent required: Yes — express opt-in
You may manage cookie preferences through our cookie consent banner or your browser settings. Note that disabling strictly necessary cookies may affect the functionality of our Services.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
12. Electronic Commercial Messages (CASL):
Canada's Anti-Spam Legislation (CASL) governs commercial electronic messages (CEMs) sent to Canadian recipients. We comply with CASL in all email and SMS marketing communications.
12.1 Our Consent Practices:
- We send marketing CEMs only to individuals who have provided express or implied consent as defined under CASL
- Express consent records include: the date, method, and exact consent language presented at the time of opt-in
- We do not rely on pre-checked boxes, bundled consent, or negative option consent
- All CEMs include our full legal name, mailing address, and a functioning unsubscribe mechanism
12.2 Unsubscribe:
Every CEM we send includes a clearly visible unsubscribe link or mechanism. Unsubscribe requests are processed within ten (10) business days. You may also unsubscribe by contacting our Privacy Officer directly. Once you unsubscribe, we will not send marketing CEMs unless you later re-subscribe.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
13. Changes to This Privacy Policy:
We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or regulatory guidance. When we make material changes, we will:
- Post the revised Policy on our website with a new effective date
- Send a notice to the email address associated with your account at least thirty (30) days before the changes take effect (for material changes affecting your rights)
- For Quebec residents: seek renewed consent where material changes affect how we use your personal information, if such changes require consent under Law 25
Continued use of our Services after the effective date of a revised Policy constitutes acceptance of the revised Policy, except to the extent that renewed consent is required by law.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
14. Contact Our Privacy Officer:
For any questions, requests, or complaints regarding this Privacy Policy or our privacy practices, please contact our Privacy Officer:
Privacy Officer:
Canadian Benefits Nexus Inc.
Email: privacy@nexus.realestate
We will acknowledge your request within 5 business days and respond within 30 calendar days.
14.1 Regulatory Authorities:
If you are not satisfied with our response to a privacy complaint, you may escalate to the appropriate regulatory authority:
Office of the Privacy Commissioner of Canada (OPC)
Jurisdiction: All Canadian residents — PIPEDA
Website: www.priv.gc.ca
Commission d'accès à l'information (CAI)
Jurisdiction: Quebec residents — Law 25
Website: www.cai.quebec.ca
Office of the Information and Privacy Commissioner of Alberta
Jurisdiction: Alberta residents — PIPA
Website: www.oipc.ab.ca
Office of the Information and Privacy Commissioner for British Columbia
Jurisdiction: B.C. residents — PIPA
Website: www.oipc.bc.ca
