Issuer Policy on the Protection of Personally Identifiable Information (PII)
How issuers are expected to protect personally identifiable information (PII) they access through the addy platform
Applies to: All issuers on the addy platform
Owner: Legal & Compliance, addy Technology Corp.
Download: Issuer PII Acknowledgement
Purpose
This policy lays out exactly how issuers are expected to protect personally identifiable information (PII) they access through the addy platform. That includes any data about users or members, like names, emails, SINs, and investment records.
Why does it matter? Because protecting this data isn't optional: it's a legal and contractual requirement. Any mishandling of personal info is considered a serious breach of your obligations on the platform.
This policy aligns with Canadian privacy laws like PIPEDA and provincial regulations.
Who This Applies To
Any issuer (and your employees, contractors, or agents) using addy to raise capital, manage investor relationships, or run communications involving user/member data.
Key Terms
PII (Personally Identifiable Information):
Any info that can identify a person, like full names, addresses, email addresses, SINs, bank info, IP addresses, and investment records.
Issuer:
Any company or entity using the addy platform to raise capital or manage investors.
Processing:
Any handling of personal data: collecting, storing, using, disclosing, sharing, or deleting it.
Your Responsibilities
Issuers are 100% responsible for following this policy and complying with Canadian privacy laws. Here's what that looks like:
Access Controls
Only authorized people should be able to access PII, and only when needed to manage an offering or meet a legal obligation.
Data Minimization
Only collect the bare minimum data you need. If you want to collect or use more, you need written approval from addy.
Secure Storage
PII must be stored securely using encryption, password protection, and enterprise-grade systems. Don't store it on unencrypted devices or consumer-grade cloud tools.
Data Retention
Only keep personal data for as long as you're legally required to. When it's no longer needed, delete or anonymize it using best practices.
Transmitting PII
This part is critical. When sharing any document that contains PII:
- Use the addy Data Room. This is the approved method.
- Never use unencrypted email or insecure platforms.
- If you must use another method, encrypt the file and send the password separately.
- Any service used to send or store PII must comply with Canadian privacy standards, including data residency.
Failing to follow these rules is considered a breach of policy.
What You Can't Do With PII
You are strictly prohibited from:
- Using investor or user data for marketing or unrelated business purposes
- Selling or renting data to anyone
- Sharing it with third parties without documented investor consent and written authorization from addy
- Transferring investor lists between entities or deals
Any misuse may result in removal from the platform and potential regulatory consequences.
Breach Reporting
If you suspect or confirm any unauthorized use, loss, or breach of PII, notify our Compliance team immediately:
compliance@addyinvest.com
Your report must include:
- What happened
- What data was involved
- When and how it was discovered
- What you've done to contain and fix it
addy may suspend your access, notify affected members, and report the incident to regulators.
Enforcement
We take privacy seriously. If you don't follow this policy, the consequences may include:
- Suspension or removal from the addy platform
- Termination of your investment offerings
- Legal action or regulatory enforcement
Compliance is a requirement to access the platform.
Annual Acknowledgement
Issuers must accept this policy when they onboard and recertify every year, or whenever there's a major update. Not acknowledging it may lead to restrictions on your account.
Need Help?
Questions or concerns? We're here.