How issuers are expected to protect personally identifiable information (PII) they access through the addy platform
Applies to: All issuers on the addy platform
Owner: Legal & Compliance, addy Technology Corp.
Download: Issuer PII Acknowledgement
β¨ Purpose
This policy lays out exactly how issuers are expected to protect personally identifiable information (PII) they access through the addy platform. That includes any data about users or members β like names, emails, SINs, and investment records.
Why does it matter? Because protecting this data isnβt optional β itβs a legal and contractual requirement. Any mishandling of personal info is considered a serious breach of your obligations on the platform.
This policy aligns with Canadian privacy laws like PIPEDA and provincial regulations.
π₯ Who This Applies To
Any issuer (and your employees, contractors, or agents) using addy to raise capital, manage investor relationships, or run communications involving user/member data.
π Key Terms
PII (Personally Identifiable Information):
Any info that can identify a person β like full names, addresses, email addresses, SINs, bank info, IP addresses, and investment records.
Issuer:
Any company or entity using the addy platform to raise capital or manage investors.
Processing:
Any handling of personal data β collecting, storing, using, disclosing, sharing, or deleting it.
β Your Responsibilities
Issuers are 100% responsible for following this policy and complying with Canadian privacy laws. Here's what that looks like:
π Access Controls
Only authorized people should be able to access PII β and only when needed to manage an offering or meet a legal obligation.
π Data Minimization
Only collect the bare minimum data you need. If you want to collect or use more, you need written approval from addy.
π Secure Storage
PII must be stored securely using encryption, password protection, and enterprise-grade systems. Donβt store it on unencrypted devices or consumer-grade cloud tools.
π Data Retention
Only keep personal data for as long as youβre legally required to. When itβs no longer needed, delete or anonymize it using best practices.
π€ Transmitting PII
This part is critical. When sharing any document that contains PII:
-
β Use the addy Data Room. This is the approved method.
-
β Never use unencrypted email or insecure platforms.
-
β If you must use another method, encrypt the file and send the password separately.
-
β Any service used to send or store PII must comply with Canadian privacy standards β including data residency.
Failing to follow these rules is considered a breach of policy.
π« What You Canβt Do With PII
You are strictly prohibited from:
-
Using investor or user data for marketing or unrelated business purposes
-
Selling or renting data to anyone
-
Sharing it with third parties without documented investor consent and written authorization from addy
-
Transferring investor lists between entities or deals
Any misuse may result in removal from the platform and potential regulatory consequences.
π¨ Breach Reporting
If you suspect or confirm any unauthorized use, loss, or breach of PII, notify our Compliance team immediately:
π§ compliance@addyinvest.com
Your report must include:
-
What happened
-
What data was involved
-
When and how it was discovered
-
What youβve done to contain and fix it
addy may suspend your access, notify affected members, and report the incident to regulators.
π Enforcement
We take privacy seriously. If you donβt follow this policy, the consequences may include:
-
Suspension or removal from the addy platform
-
Termination of your investment offerings
-
Legal action or regulatory enforcement
Compliance is a requirement to access the platform.
π Annual Acknowledgement
Issuers must accept this policy when they onboard and recertify every year β or whenever thereβs a major update. Not acknowledging it may lead to restrictions on your account.
π€ Need Help?
Questions or concerns? Weβre here.