Privacy

Individuals rely on us to safeguard personal information and ensure responsible collection and use. To do so, we have committed to the following principles:

1. We will be transparent about how we handle your personal information and our privacy practices;
2. We will use your personal information to benefit and enhance your customer experience;
3. We will protect your personal information and handle it responsibly.

This Notice describes how we handle your personal information specifically, what we collect, and how we collect it, use, share, protect and store it. We also explain your Privacy Choices and how you can exercise those choices.

This Notice applies to you when you visit one of our websites or premises, sign up to receive information from us, apply for any of our products, services, programs, promotions or events, express interest in FirstOntario, or enter into a contract with us.

This Notice applies for as long as FirstOntario holds your information, including after the end of membership. By providing us with your information, you are consenting to the collection, use or sharing of your information as set out in this notice. Our Privacy Notice serves the purpose of informing you about our data practices and your rights regarding your personal information.

Please note that additional terms and conditions may apply to how we use or manage your personal information when you engage with us under certain circumstances. For example, you are required to accept terms and conditions when you purchase insurance with FirstOntario. Those terms and conditions apply together with this Privacy Notice.

FirstOntario collects the following type of personal information:

Contact information

Such as your address, telephone number, email, social media, or other electronic address we may use to communicate with you.

Identity information

Such as your name, date of birth, citizenship, and employment information. This also includes government-issued identification and utility bills we may collect from you to establish and verify your identity.

Biometric information

Technology that enables verification of your identity, including unique physical and behavioral details such as your facial features and voice patterns.

Social Insurance Number (SIN)

Is collected for tax reporting purposes when you open or request a product that generates income. Your SIN may also be used to aid in verifying your identity to make sure we get accurate information from credit bureaus; however, providing us with your SIN for this purpose is optional. You may refuse to consent to the use of your SIN except for purposes required by the law, such as tax reporting.

Credit information

From credit reporting agencies, credit bureaus and other financial services databases when you apply for specific products. This information is collected during the application process, and on an ongoing basis, to review and ensure your suitability and eligibility for the product, and to prevent against fraud.

Other financial information

Such as your income, net worth, and transaction history to better understand your needs and ensure that the financial advice, investment products and services we provide are suitable and appropriate for you and your circumstances.

Marketing information

Such as your marketing preferences and responses to surveys and promotional offers is collected to help us understand your financial needs and activities better. This helps us inform you about relevant products and services, determine your eligibility for various promotions, conduct satisfaction surveys, and develop tailored products and services to meet your needs.

Other individuals’ information

Such as contact information of beneficiaries, spouse, dependents, or common law partners covered by an insurance product or service or named in a registered plan or trust. This information may be required by law or to provide certain protection to you. If you give us information about another person, we assume you have the right to give us their information and obtained their consent for us to collect, use and share their information according to our Privacy Notice.

Your interaction with us

Such as recordings of telephone calls or electronic communication with us, record of your usage of our products and services along with the relevant transaction and payment history. This will be collected to ensure mutual protection, process your inquiries, and improve our services. We may also use video recording in and around our physical premises and ATMs to ensure your safety and ours and to prevent against fraud and other illegal activities.

We collect personal information in the following ways:

Directly from you

You may provide personal information to us on site when you visit one of our branches, on the phone or via email when you express interest in our products or services, through our websites or mobile applications, forms, and documents you provide, our online banking system, or in any other direct manner.

From other sources including third parties

We may receive personal information from other sources or if the law requires or permits us to do so. We may also collect your personal information from payment card networks, government agencies, insurance companies, law enforcement authorities or other financial institutions with knowledge of your personal information.

From technologies used at our properties

We may collect personal information through various types of technologies used across our branches, such as: video surveillance used for security purposes, to protect against theft, to prevent damage to our locations and to prevent fraud; and any devices used to collect information from branch office walk-ins.

Through our websites and mobile applications

We may collect certain types of information electronically when you interact with our websites and mobile applications, email, social media accounts, online advertising, or through the use of our or a third party’s technologies which include cookies. See What is a Cookie for more information on cookie technology.

Specifically, we use two kinds of cookies — session cookies and persistent cookies.

• A session cookie exists only for the length of your browsing session and is deleted when you close your browser. We use a session cookie to maintain the integrity of your online account session. With each page you visit, the cookie is passed back and forth between our server and your browser. We use the cookie to distinguish your session from many others that may be happening at the same time. Our session cookies never store any personal information, such as your name, date of birth, or financial information such as accounts and balances. The information collected may include your location, IP addresses, information about your operating system, web browser, or internet connection.
• A persistent cookie stays on your computer after you close your browser. A persistent cookie may or may not expire on a given date. We use persistent cookies to help verify you as our member, to remember your preferences, and to help block unauthorized attempts to access your Personal Information. Persistent cookies store information on your hard drive and can be reread when you return to the site that placed them on your hard drive.

Most recent browser versions allow you to set some level of control over which cookies are accepted and how your browser uses them. For example, it may be set to notify you when it is receiving a cookie so you accept cookies from only known, reliable sites such as the FirstOntario website. If you are concerned about cookies, we encourage you to upgrade your browser to a recent version and review the help section of your browser to learn more about its specific control features. You may delete or disable cookies at any time via your browser. However, if you do so, you may not be able to use some of the features on our websites or mobile applications. To learn more about the privacy choices available to you, please visit How Do I Change My Privacy Choices?

We use your personal information for the following purposes:

Providing you with exceptional service

We use your personal information to provide our products and services, which include:

• Understanding your needs and responding to inquiries or requests for information;
• Verifying your identity and the information you or a third party provides to us;
• Evaluating and processing your applications, claims, and transactions; and
• Determining your eligibility and suitability for select financial products and services.

Managing our business

We use your personal information for many business reasons, which include:

• Utilizing and managing our information technology applications and systems, including our websites, mobile applications and databases/systems;
• Maintaining the safety and security of our members, employees and branches (e.g., through authentication checks and video surveillance and other monitoring technologies);
• Assessing and managing risk, including detecting, and preventing fraud or error, such as identity theft;
• Collecting debts owed and enforcing agreements between you and FirstOntario;
• Monitoring and investigating incidents and
• Meeting our legal and regulatory obligations.

Communicating with you

We use your personal information to communicate with you for a variety of reasons, such as:

• Establishing a relationship with you, providing support, reminding you of upcoming appointments or events, as well as communicating updates to products and services, or other FirstOntario news; and
• Informing you in a variety of ways (e.g., email, telephone, SMS, direct mail) about programs, products, services, special offers, promotions or events that may be of interest to you.

If you no longer wish to receive commercial electronic messages, please let us know by following the unsubscribe directions provided in any promotional messages sent by FirstOntario. For more information see How Do I Change My Privacy Choices?

We will not share your personal information outside of our group of companies, except as indicated below.

Service providers

In the course of providing our programs, products, services, promotions and events, we may share personal information with our service providers. These service providers help us operate our business, technology systems and applications, internal procedures, infrastructure, advertising, marketing, risk mitigation, and analytics capabilities as well as assist us with meeting our legal and regulatory obligations. We require these service providers to limit their access to and/or use of personal information to what is required to provide their services and to comply with our privacy requirements.

Third parties

In the course of providing certain programs, products and services, we may do so through arrangements with third parties. As a result, your personal information may be collected, used and shared by us and the applicable third party. For example, we may share personal information with a limited list of approved program partners with whom we work to provide a full range of financial services to you. These third parties may have their own privacy policies and terms and conditions, which will govern their use of your personal information.

Sale or transfer of business or other transaction

We may decide to sell or transfer all or part of our business to a related company or to a third party, to merge with another entity, to insure or securitize our assets, or to engage in another form of corporate or financing transaction, corporate reorganization, share sale, or other change in corporate control. If your personal information is required in connection with any such business transactions, we will comply with the legal requirements for the disclosure of personal information.

Other permitted reasons

Canadian law permits or requires the use, sharing, or disclosure of personal information without consent in specific circumstances. These circumstances include situations where use, sharing, or disclosure is necessary to protect FirstOntario, our employees, our customers, or others. If this happens, we will not share more personal information than is reasonably required to fulfill that particular purpose.

With your consent

Other than the purposes listed above, we may, with your implied or express consent, share or disclose your personal information outside of our group of companies, in accordance with applicable law.

We obtain your consent for the collection, use, and disclosure of your personal information, except where permitted or required by law. Your consent may be obtained in different ways depending on the sensitivity of the information and the purposes for which it is being collected, used, or disclosed. Express consent may be obtained verbally, electronically, or in writing from you or your authorized representative (such as lawyer, agent or broker). Implied consent may be inferred from your actions such as your use or continued use of a product or service or from the circumstances of a situation. There may be exceptions to consent requirements in certain limited circumstances such as:

• When information is being collected for the detection and prevention of fraud or for law enforcement.
• For legal, medical or security reasons where it may be impossible or impractical to seek consent.
• When the individual is a minor, seriously ill, or mentally incapacitated, seeking consent may be impossible or inappropriate. In these situations, consent may have to be obtained from a legal guardian (in the case of minors), an attorney acting on behalf of the individual (under a Power of Attorney arrangement), or from the Office of the Public Guardian and Trustee.
• When we are fulfilling contractual obligations such as payment or collection of debt.

While consent is primarily written, in some cases, we may rely on express verbal consent.

We will not, as a condition of the supply of a product or service, require you to consent to the collection, use or disclosure of information beyond that required to fulfill explicitly specified and legitimate purposes.

Withdrawing consent

You can withdraw your consent to our collection, use and sharing of information at any time by giving us reasonable notice, in writing to the Privacy Officer, subject to legal, business, or contractual requirements. However, withdrawing your consent may limit or prevent us from providing you with specific products and services. For example, if you don’t give us your SIN, we can’t provide you with any product where the collection of a SIN is required under tax law, such as an interest-bearing account. If you withdraw your consent to exchange personal information with credit bureaus, we will not be able to provide you with certain credit products. In some circumstances, you can’t withdraw your consent. For example, you can’t withdraw your consent if the collection, use and sharing of information without consent is:

• Permitted or required by law
• Required to ensure we have correct and up-to-date information about you, such as current address, or
• Necessary to manage our business and risks, comply with legal and regulatory obligations or assign our rights to others for business transactions

Direct marketing

You may opt-in to receiving email communications when you register for our programs, products, or services, enter our promotions or any time thereafter when you interact with us. You may opt out of:

• Receiving email or communications from the sender, by clicking unsubscribe within any marketing email you receive;
• Receiving surveys by following the unsubscribe instructions provided in the email; or
• Receiving interest-based advertisements or other communications from us.

Please note that even if you have opted out of receiving marketing communications from us, we may still contact you for transactional purposes, in compliance with applicable laws (e.g. for customer service, pertinent information about your property or service or reminder notices). We may also need to contact you with questions or information regarding your contract with FirstOntario.

It may take some time for all of our records to reflect changes in your preferences (e.g., if you request that you not receive personalized marketing communications from FirstOntario, your preference may not be captured for a promotion already in progress).

Managing your browser or device settings

We use technologies to enhance your customer experience and present offers to you. You may delete or disable certain technologies at any time via your browser. However, if you do so, you may not be able to use some of the features of our websites.

Please refer to your browser instructions or help screen to learn more about how to block, delete and manage cookies on your computer or mobile device.

You can also manage access to your location information through your device settings. We collect and use location information from your mobile device only if the location services, such as GPS, geolocation, or proximity technologies, are enabled.

Social Insurance Number (SIN)

We may ask for your Social Insurance Number to aid us in identifying you and to make sure we get accurate information from credit bureaus. Sharing your Social Insurance Number for this purpose is optional. If you choose to not provide consent, it will not stop you from applying to our non-interest-bearing products and services. However, it may impact our ability to verify the information obtained from credit bureaus which may lead us to draw incorrect conclusions and affect your eligibility for certain products or services.

Credit bureau information

When you apply for a credit product with FirstOntario, we run a credit check and exchange your information with credit bureaus. We continue to exchange information with them for as long as you hold the product and for a reasonable time after you close the product. Consent is required when requesting any lending product. If you are not requesting a lending product, you may opt out of a credit bureau check. However, opting out may impacts our ability to approve and service the products applied for.

We employ a range of security measures to protect your personal information from unauthorized access, use, disclosure, alteration, or destruction. These measures include physical, technical, and administrative safeguards designed to maintain the confidentiality and integrity of your information.

Credit union safeguards

We implement security controls such as passwords and encryption, firewalls, access controls, and regular security assessments to safeguard personal information stored on our systems and networks. We also take physical measures such as locked filing cabinets and restricted access to offices. The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution and format of the information and the method of storage.

Third party agents/suppliers safeguards

Third party agents or suppliers are required to safeguard personal information disclosed to them in a manner consistent with the Privacy Notice of FirstOntario. We use contractual agreements or other means with these parties to ensure they handle personal information in compliance with applicable privacy laws and our privacy standards.

Confidentiality obligations

We restrict access to your personal information to only the employees, contractors and service providers who need to know that information to provide the required products or services to you. Our employees, contractors and service providers are bound by confidentiality obligations that restrict them from using the information for any unauthorized purposes.

Training

All FirstOntario employees are required to complete mandatory training on privacy and information security upon being hired and annually on an ongoing basis.

You have the right to request access to your personal information held by us and to request to make updates or corrections if you believe any information is inaccurate or incomplete. You may review or verify your personal information by accessing your account through our online banking services, through telephone banking and by contacting your branch or local office.

You may also make an access to information request by visiting the branch or office where your account is held. Upon request, you shall be informed of the existence, use and disclosure of your personal information. You must provide adequate proof of your identity, and sufficient information to allow us to locate the requested information.

Although we take care to keep your personal information accurate and up to date, we rely on you to inform us of any changes that need to be made. If you find any inaccuracy or incompleteness in our information about you, please inform us and submit the request to make the necessary amendments. If we agree with your request, we will make the required amendments and make sure they are conveyed to anyone we may have misinformed.

Exceptions to accessing information

In certain situations, we may not be able to provide access to all the personal information it holds about you. The exceptions include the following:

• The information sought would reveal personal information about a third party who has not provided consent for the disclosure.
• The information sought cannot be disclosed for legal, security, or commercial proprietary reasons.
• The information sought is subject to solicitor/client privilege or litigation privilege.

If we refuse a request for access to personal information in whole or in part, our response to the Access to Information Request will provide the reasons for refusal. We may refuse to confirm or deny the existence of personal information collected as part of an investigation.

Fees for access and correction

We provide information access and correction services free of charge unless the request requires a disproportionate amount of effort. In that case, we will inform you of any applicable fees before proceeding with your request.

You can request access or correction, deletion, request a review of certain automated decisions, or make a privacy complaint by contacting our Privacy Office, through email or postal address (for contact information, see Who Do I Contact with Privacy Questions?). If the Privacy Office is unable to address your concern to your satisfaction, you may bring the matter to the attention of the appropriate Privacy Commissioner. Most of our activities are subject to the jurisdiction of Office of the Privacy Commissioner of Canada; other activities are subject to the jurisdiction of the Privacy Commissioner of your province or territory of residence.