Privacy Policy

Localcoin Privacy Policy (Canada)

  1. Purpose

The purpose of this Privacy Policy (the “Policy”) is to set out the requirements regarding 9992987 Canada Inc. o/a Localcoin’s (“Localcoin”) collection, use, disclosure, and retention of information about an identifiable person (“Personal Information”).

This Policy applies when Localcoin has Control of Personal Information, including when Localcoin:

  • directly collects any Personal Information. Localcoin will continue to be in Control of Personal Information it has collected even if the information is transferred to another party (e.g., service provider) for storage and/or processing; and
  • receives Personal Information from an external source.

This Policy applies to Localcoin and its affiliates, as well as all of their employees, contractors, and directors. For clarity on capitalized terms not defined within the content of this Policy, refer to Appendix A – Privacy Definitions and Examples.


  1. Introduction

Privacy rights and the protection of Personal Information are important concerns for any organization, but particularly for Localcoin. A Privacy Breach, even a seemingly minor one, can have significant negative financial and reputational impacts on the affected individual(s), and Localcoin may face significant fines, liability for losses, regulatory penalties, and negative reputational impact. In Québec, non-compliance with the Act respecting the protection of personal information in the private sector (Québec), as amended by the Act to modernize legislative provisions as regards the protection of personal information (Québec) (the “Quebec Privacy Act”), may result in significant administrative monetary penalties, penal fines, and civil liability, including punitive damages in certain circumstances. Localcoin must, therefore, take all reasonable measures and precautions when dealing with Personal Information. 

Localcoin’s collection, use, disclosure, and retention of Personal Information raises compliance risk with the Personal Information Protection and Electronic Documents Act (Canada) (the “PIPEDA”) and any provincial privacy legislation which Localcoin is subject to, including the Quebec Privacy Act.

Localcoin is in Control of Personal Information when:

  • Localcoin has a service provider relationship with its customers and Personal Information collected from customers is transferred to or through Localcoin. This Personal Information is subject to both contractual obligations and certain aspects of privacy law; and
  • Employee or contractor Personal Information is collected. 

Localcoin is subject to the full requirements under privacy law for Personal Information it directly collects. For clarity, if Localcoin uses an agent or means other than an employee (e.g., online form) to collect Personal Information, Localcoin is still considered to have directly collected the information. This Policy is a critical component of Localcoin’s regulatory compliance program and all employees are responsible for ensuring it is adhered to in applicable daily operations.


  1. Operational Procedures

A department that directly collects Personal Information, or receives Personal Information from an internal or external source, is responsible for any operational procedures it requires. 

Localcoin’s Compliance team (“Compliance”) is available as a resource to assist in the development and updating of operational procedures.


  1. Personal Information Requirements

Personal Information is information that relates to an identifiable individual. Personal Information that Localcoin collects includes an individual’s name, contact details, financial information, transaction information, criminal record, employment history, home address, Social Insurance Number, driver’s license information, and other information. This information is collected for business purposes specific to certain departments and as outlined in each department’s Personal Information and privacy operational procedures. 

A single piece of non-specific information, such as an individual’s place of employment does not constitute Personal Information. However, if that piece of information is combined with other pieces of information, such as the individual’s name and address, it becomes easier to identify that individual, and all those pieces of information can constitute Personal Information.

In this Policy, unless specified otherwise, Personal Information includes Employee Personal Information but does not include Business Contact Information or work product information of employees completed during employment.

Localcoin must adhere to the following requirements with respect to the collection, use, disclosure, and retention of Personal Information:


a. Accountability 

Localcoin is accountable for Personal Information under its Control, and this accountability is cascaded down to the individual departments that collect, use, disclose, and/or retain such Personal Information. 


b. Identifying Purposes

The purpose(s) for the collection, use, and disclosure of Personal Information must be identified by the departments involved before the information is collected. The department collecting the information must identify the purpose in a manner that permits the individual to understand how the information will be used. If Personal Information in Localcoin’s Control is to be used for a purpose not previously identified, the new purpose must be identified prior to use or disclosure. Localcoin must then either provide notice to and/or obtain Valid Consent of the individual (as set out below) before the information can be used for the new purpose. Valid Consent is not required where the new purpose is required by law, such as disclosure pursuant to a court order, or in circumstances where an exemption to the need for Valid Consent applies under privacy laws.


c. Valid Consent

A department that collects, uses, or discloses Personal Information is responsible for ensuring that Valid Consent is/has been obtained and documented where it is required under privacy laws. 

Departments that collect Personal Information directly must submit the document used to request Valid Consent to Localcoin’s Legal team (“Legal”) for review. 

When Localcoin receives Personal Information through a third party, Localcoin must ensure, through contractual or other means, that the third party obtained Valid Consent for the transfer of the information to Localcoin and Localcoin’s use, disclosure, and retention of the information.

Valid Consent requirements for Personal Information collected by Localcoin are outlined below:


  1. Personal information collected directly by Localcoin (excluding Employee Personal Information)

The department collecting personal information must determine the form of consent to use, taking into account

  • the circumstances and type of information
  • the sensitivity of the information
  • the reasonable expectations of the individual, and
  • any risk of harm to the individual.

The form of the consent sought may vary depending on the above factors. 

Localcoin must:

  • clearly document in writing the purpose for collecting the Personal Information and communicate that purpose to the individual at or before the time the information is collected; 
  • obtain express written consent after the purpose has been communicated and before the information is collected. Express written consent can be provided via electronic means if the consent can reasonably be attributed to the individual who owns the Personal Information; 
  • disclose the risk of harm or other potential consequences faced by individuals at the time consent is collected; 
  • notify individuals that Localcoin may collect and use identity verification information, including geolocation or device/location information, to verify identity, confirm eligibility, prevent fraud, and comply with legal and regulatory obligations, including through a third-party verification service provider; and
  • make available a clear and accessible choice for collection, use or disclosure that is not necessary to provide any product or service.

All consents will be obtained by fair and lawful means and not through deception or by providing false or misleading information.

The department collecting the Personal Information must, if asked, clearly explain the purpose(s) for the collection, use, or disclosure of the Personal Information.

If Personal Information in Localcoin’s Control is to be used or disclosed for a different purpose than for which consent was obtained, a new Valid Consent must first be obtained.

Withdrawing Consent

An individual may withdraw consent at any time, subject to reasonable notice and legal or contractual restrictions, including applicable anti-money laundering laws. Localcoin will inform the individual of the implications of such withdrawal. 


  1. Applicants

Where an individual who is not an employee of Localcoin applies for employment and provides a document containing personal information (e.g., résumé), Valid Consent is not required if the document is used only for determining his or her suitability for employment. However, all other requirements within this section apply.


  1. Personal Information Received from Third Parties for the Provision of a Product or Service

Before receiving Personal Information from a third party for the purpose of providing a product or service, the department providing the product or service must obtain the third party’s written agreement that appropriate consent has been received from the individuals who provided their Personal Information. 


  1. Exceptions to Obtaining Valid Consent

Under certain, specific circumstances set out in privacy law, Localcoin is not required to obtain Valid Consent before collecting, using, or disclosing an individual’s Personal Information. In some cases, Localcoin is only required to provide notice to affected individuals. In other cases, the collection, use or disclosure is allowed without notice. If a department wants to rely on such an exception, it must first contact the Legal Department before collecting, using, or disclosing the Personal Information without Valid Consent.


d. Limiting Collection

A department that directly collects or receives Personal Information is responsible for ensuring that 

  • the information collected or received is limited to that which is necessary for the purpose(s) identified and communicated to the individual;
  • the information is collected by fair and lawful means; and
  • the information is not collected indiscriminately.

Localcoin will not as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purpose.


e. Limiting Use, Disclosure, and Retention

A department that directly collects Personal Information must only use or disclose the information for the original purposes that were identified. Any new purpose(s) must be documented by the department, and the department must obtain the individual’s Valid Consent for the new purpose(s) or, if the department is relying on an exception to the requirement to obtain Valid Consent, contact Compliance before using or disclosing Personal Information for a purpose where Valid Consent has not been obtained.

A department that directly collects Personal Information is responsible for ensuring that the information is retained only as long as necessary to fulfill the documented purpose(s) unless:

  • continued retention is required or appropriate for legal, regulatory, tax, audit, or documented business purposes, including under Localcoin’s retention schedule. Localcoin may retain applicable records for a minimum of five (5) years to meet applicable anti-money laundering/FINTRAC obligations, and up to seven (7) years to meet tax, CRA, accounting or business recordkeeping obligations; or
  • it is Personal Information that has been used to make a decision that directly affects the individual. In such case Localcoin must retain personal information as long as necessary to allow individual access to the information after the decision has been made and to exhaust any recourse available.

Personal information that is no longer required should be destroyed, erased, or made anonymous. If it is determined that it is no longer necessary to retain Personal Information, the department that collected or received the personal information must use care in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information.

If a request for access to Personal Information is received, Compliance will notify the affected department(s) to retain the subject Personal Information until further notice. 


f. Accuracy

When Localcoin collects Personal Information, it must ensure that the information is as accurate, complete, and up-to-date as is necessary to fulfill the documented purpose(s) and to minimize the possibility that incorrect information will be used to make a decision that would affect the individual.

Localcoin must routinely update personal information that is used on an ongoing basis. 

Accuracy and Completeness

Individuals can challenge the accuracy and completeness of information and have it amended as appropriate:


  1. Successful Requests

All personal information that is challenged and demonstrated to be inaccurate or incomplete will be amended and corrected as soon as reasonably possible. Localcoin will transmit the amended information to third parties having access to the information and each organization to the information was disclosed to in the previous year. 


  1. Unsuccessful Requests

If a correction is not made, the information in question will be annotated with the correction requested but not made. 

A record will be kept of all challenges to accuracy and completeness that are not resolved to the satisfaction of an individual.


g. Safeguards

The requirements for the safeguarding of Personal Information collected by Localcoin are outlined below:


  1. Personal Information Collected Directly 

Localcoin is responsible for ensuring that the Personal Information collected or received is protected with one or more safeguards appropriate to the sensitivity of the Personal Information, such as:

  • physical safeguards (e.g. a locked filing cabinet, keycard-controlled access);
  • administrative safeguards (e.g. disclosure on a need-to-know basis); and/or
  • technological safeguards (e.g. passwords, encryption).

Every department that directly collects, receives or transfers personal information to a third-party must make its employees aware of the importance of maintaining confidentiality.


  1. Personal Information Transferred to or Received from a Third Party

Personal Information transferred to a third party must be protected by that third party to an extent equivalent to or greater than Localcoin’s standards. The department making the decision to transfer the Personal Information, which may be different from the department transferring the information, is responsible for ensuring that such protection is in place before the transfer and will continue as long as the Personal Information is held by the third party. Further, a written contract must govern the transfer and storage of Personal Information. 

Personal Information received from a third party must be protected to the standard required by any applicable contract with that third party or Localcoin’s standards, whichever is more stringent. The department providing the product or service to the third party is responsible for ensuring that Localcoin can meet the requirements of any applicable contract with the third party. Further, a written data transfer agreement must govern the transfer and storage of Personal Information. 


h. Openness 

Localcoin will develop, follow, and make available, on request, privacy policies and practices and a complaint process.

A department that receives a request for Localcoin’s privacy policies and practices must immediately direct the request to Compliance. This information will be made available to individuals without unreasonable effort in a form that is understandable.

When collecting Personal Information using a Localcoin website, mobile app, ATM, or other online tool, Localcoin must ensure that a statement regarding Localcoin’s approach to the collection, use, disclosure, and retention of Personal Information is available to the individual at or before the time the Personal Information is collected. Such a statement is in addition to, but may be incorporated in, a request for consent.


i. Access

A department that receives a written request for access to Personal Information that was directly collected by Localcoin must direct it, without delay, as follows:

  • enquiries regarding Personal Information (excluding Employee Personal Information) to the Legal Department; and
  • enquiries regarding Employee Personal Information to Human Resources.


  1. Requests for Access

Upon receiving a request for access to his or her personal information, Localcoin will review and inform an individual of the existence, use and disclosure of personal information, give access to that information, and allow challenge to the accuracy and completeness of the information. 

If access is refused, the individual will be informed of

  • the reasons and basis for refusal,
  • the recourse available under PIPEDA, and
  • the contact information of someone at Central that can answer the individual's questions about the refusal.

Localcoin will provide an account of

  • the use made of the information, and
  • the third parties to which information has been disclosed.

When not possible to provide a list of third parties, a list of organizations which may have received personal information will be provided. 

Compliance or Human Resources, as applicable, is responsible for ensuring that

  • the individual receives a response within 30 calendar days or such other time limit that may apply under privacy laws; and
  • a response is provided at minimal or no cost to the individual. Individuals will be informed of any cost associated to a response and the approximate cost and ensure that the request is not being withdrawn.


j. Addressing Questions and Complaints

A department that receives a privacy-related question or complaint must direct it immediately to the Legal Department, which will work with the Chief Compliance Officer (“CCO”), who fulfills the role of the Privacy Officer (the “Privacy Officer), to respond in a timely manner. The affected department(s) will provide all reasonable support required by Compliance or the Privacy Officer. The CCO’s title and contact information will be made available to the public on Localcoin’s website.


k. Personal Information Stored or Processed Outside of Canada

Personal Information stored or processed outside of Canada is subject to the laws of the foreign country(is) where it is stored and/or processed. Such laws supersede contractual requirements and can allow a foreign government to access the Personal Information without notice to, or prior approval of, Localcoin. Localcoin has a strong preference not to store or process Personal Information outside of Canada. Thus, a department contemplating storing/processing of Personal Information outside of Canada must:

  • complete a Privacy Impact Assessment (“PIA”) for review by Compliance.
  • ensure, through contractual and other means (e.g., third party audit), that the vendor provides appropriate levels of protection for the Personal Information.  
  • inform affected individuals, in clear and understandable language, at the time that their Personal Information is collected, that it may be stored/processed in a foreign country and that it may be accessible to law enforcement and national security authorities of that country.
  • consider all of the risks surrounding the project or initiative before sending personal information cross-border for processing, including the sensitivity of the information, the nature of the laws in the foreign jurisdiction and whether the information can be adequately protected.


  1. Privacy Impact Assessment

A Privacy Impact Assessment (“PIA”) is a process for determining and addressing privacy risk during the development, implementation, and post-completion operation of a product, service or initiative that involve Personal Information. These are required by law in Quebec.

Localcoin must complete a PIA before:

  • an activity is approved to introduce a new product or service, and the new product or service involves Personal Information under Localcoin’s Control; 
  • a change is approved to an existing activity, product, or service, and the change involves Personal Information under Localcoin’s Control; and
  • any change being approved to any policy or procedure relating to how Localcoin secures Personal Information.

In this context, approval includes approval of the project brief or business case, if applicable. 


  1. Privacy Breach Reporting and Notification

A department that suspects a Privacy Breach, or has information about an actual Privacy Breach, must report it to the Legal Department.

When there is reason to believe a Privacy Breach has occurred:

  • Localcoin must determine if the Privacy Breach poses a real risk of bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property that may occur to an individual (“Significant Harm”), or, in Québec, a risk of serious injury, to any individual whose Personal Information was involved in the breach by conducting a risk assessment. The risk assessment must consider the sensitivity of the information involved and the probability of the misuse of the information, and any other factors required by applicable law; and
  • if Localcoin considers the Privacy Breach poses a real risk of Significant Harm or, in Québec, a risk of serious injury, there may be an obligation to notify the affected individuals and report the breach to the governmental offices which regulate and oversee the privacy functions of Localcoin (i.e. The Office of the Privacy Commissioner of Canada and/or any applicable provincial authority, including the Commission d’accès à l’information du Québec, where applicable) (“Privacy Commissioner”). 

Localcoin must maintain records of Privacy Breaches and confidentiality incidents as required by applicable law. If required, the Legal Department is responsible for ensuring a Privacy Breach is reported to the Privacy Commissioner in the relevant jurisdiction within any timeframe stipulated in legislation. If required, notification to the affected individual(s) will be given.


  1. Privacy Training Requirements

Compliance will maintain a written privacy training program that is regularly updated as regulatory and legislative requirements change and/or Localcoin’s product(s) and/or service offering(s) change.

All employees and contractors will be trained within 90 calendar days of starting work; and when compliance requirements change. All employees and contractors who handle Personal Information will be trained/re-trained (optional for employees and contractors who do not handle Personal Information). Compliance may waive training for a contractor who can show that he or she has previously obtained training consistent with Localcoin’s privacy practices and procedures.

A department that uses an agent (e.g., service provider) to collect Personal Information must ensure that the written agreement contains the agent’s confirmation that relevant employees receive appropriate privacy training. 


  1. Privacy Commissioner Investigations

Localcoin must cooperate with Privacy Commissioner investigations as follows:

  • during an investigation, provide reasonable assistance and any information with respect to Localcoin’s privacy policies and procedures within the time frames required by the applicable commissioner in writing; and
  • provide access to business premises during business hours, where required by law.

We are open about our practices relating to the management of Personal Information, as outlined in this Policy.  From time to time, we may make changes to this Policy. This Policy is always the most recent version, indicated by the date last updated below. 

Please forward all comments, questions, access requests, concerns or complaints regarding your Personal Information or our privacy practices to our Chief Compliance Officer as follows:

By email: [email protected] 

By phone: +1 (877) 412 2646

THIS PRIVACY POLICY WAS LAST UPDATED AS OF MAY 15, 2026

Appendix A – Privacy Definitions and Examples

Below are definitions relevant to this Policy as clarified in Privacy-related legislation.