Hiveworks Inc.
Privacy Policy (Application)

Effective Date: April 16, 2025

1. Introduction

HiveWorks Inc. ("HiveWorks", "we", "our", or "us") respects your privacy and is committed to protecting the personal and financial information of our users. This Privacy Policy outlines how we collect, use, disclose, store, and protect personal information through the HiveWorks Platform ("Platform”), which provides Health Spending Account (HSA) management tools to incorporated individuals and businesses in Canada.

2. Information We Collect

We collect the following categories of information:

a. Information You Provide

Collected during sign-up, profile creation, reimbursement claims, and customer support:

• Full name, email address, phone number, date of birth
• Mailing and business address, province of incorporation
• Company name, fiscal year-end, incorporation type
• Names and relationships of dependents
• Service provider name, service type, service date, and amount
• Uploaded medical and dental receipts or invoices
• Login credentials (passwords are hashed and never stored in plain text)

b. Financial Information

• Banking information for reimbursement (transit, institution, and account numbers) for reimbursements
• Credit card and billing data (handled via Clover - we do not store credit card numbers)
• Pre-authorized debit preferences for funding (handled via Rotessa – we do not store any of your funding banking details)

c. Communications

• Transactional emails sent via MailerSend (e.g., receipts, confirmations)
• Marketing communications (only if opted in) via MailerLite

3. How We Use Information

We use collected information for the following purposes:

• To create and manage your HSA account
• To process and verify reimbursement claims
• To facilitate funding and reimbursements
• To provide support and respond to inquiries
• To send service-related notifications (e.g. payment confirmations)
• To send marketing communications if you've provided consent
• To comply with legal and tax obligations
• To improve our services and ensure platform security

We do not use personal information for automated decision-making or targeted advertising.

4. Legal Basis for Processing

Our legal bases for collecting and processing your data include:

• Consent (when you sign up or opt in to marketing)
• Contractual necessity (to provide the HSA service)
• Legitimate interests (to operate, improve, and secure the Platform)

5. Third-Party Service Providers

We share limited information with trusted third parties only as necessary to operate the Platform:

• MailerSend - Transactional emails (privacy policy)
• MailerLite - Marketing communications (privacy policy)
• Clover - Payment processing (privacy policy)
• Rotessa – Pre-authorized debits (privacy policy)

All vendors are contractually obligated to handle data in accordance with PIPEDA and must not use your information for any other purpose.

6. Data Storage and Security

All user data is stored in secure cloud infrastructure intended to reside in Canada. We implement industry-standard security measures including:

• Encryption in transit (TLS) and encryption at rest (AES-256) for all sensitive data
• Role-based access controls to ensure only authorized staff can view or manage user data
• Audit logs to track internal access and changes to personal or health records
• Internal administrative roles are restricted and monitored.

We review our technical and organizational safeguards regularly.

These measures are designed to mitigate risks including unauthorized access, misuse, and cybersecurity threats.

7. Retention and Secure Disposal

We retain personal and financial information for a period of six (6) years after the last activity on your account, in line with industry standard. After this period, records are deleted using secure methods.

Marketing consent records (e.g., email preferences) are retained for as long as necessary to provide relevant communications, or until you unsubscribe or request deletion.

8. Your Rights

Under PIPEDA you have the right to:

• Request access to your personal information
• Request correction of inaccurate or incomplete information
• Request deletion of your personal information, where legally permissible
• Withdraw your consent (where processing is based on consent)

We will respond to verified access or correction requests within 30 days. Requests can be submitted to contact@hiveco.ca.

9. Cookies and Analytics

The Hiveworks application uses cookies and analytics tools to enhance performance, monitor usage, and improve user experience. These include:

• Session cookies – Used to maintain login status and enable smooth navigation within the App
• Google Analytics – Collects anonymized usage data (e.g., screen views, session length, device type) to help us understand how the App is used and how we can improve it

While this data may include technical identifiers (e.g., IP address), it is aggregated and not used to identify individuals. You can opt out of Google Analytics tracking using the Google Analytics Opt-Out Browser Add-on.

10. Breach Notification

In the event of a breach involving your personal information, Hiveworks will:

• Notify you without undue delay
• Document the breach, investigation, and remediation measures taken

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, services, or legal obligations. The updated version will be posted in the Platform. Continued use after an update constitutes acceptance of the revised terms.

12. Contact Us

If you have any questions, concerns, or requests related to this Privacy Policy or your personal information, you may contact:

Hiveworks Inc.
Email: contact@hiveco.ca
Jurisdiction: Ontario, Canada