1. Introduction MoneyRadar (“MoneyRadar Inc.,” “we,” “our,” “us”) is a Canada-based news service that delivers real-time market coverage, curated commentary, and data-driven insights to retail investors and small-business decision-makers. This Privacy Policy explains how personal information is collected, used, stored, and disclosed when subscribers, guest analysts, sponsors, or visitors engage with MoneyRadar.ca, our mobile apps, newsletters, or customer-support channels.

2. Privacy Policy
   • Information we collect
     (a) Profile data — name, email, province, industry role, preferred language, multi-factor token, sign-in IP logs.
     (b) Engagement data — articles read, podcast streams, watch-list tickers, note highlights, poll or webinar responses.
     (c) Payment data — tokenised card reference, billing postal code, GST/HST allocation, transaction history (premium tiers).
     (d) Contributor material — biography, headshot, professional credentials, submitted columns or audio files.
     (e) Device telemetry — browser build, mobile OS, feature clicks, session duration, crash traces.   (f) Support artefacts — chat transcripts, voicemail files, screen-share recordings.

• Purposes
  – personalise news feeds, push alerts, and research digests;
  – save reading progress, sync highlights across devices, and suggest related coverage;
  – process subscription fees and send CRA-compliant receipts;
  – compile de-identified usage analytics that guide editorial planning and product design;   – enforce community guidelines, investigate abuse, and satisfy legal or audit obligations.

• Retention Engagement history and preference profiles are stored for the life of the account plus two years. Contributor contracts and payment records remain for seven years in line with CRA rules. Encrypted backups rotate on a 35-day cycle.

• Access & Correction
Subscribers may review or amend profile data via Settings → Profile or by emailing privacy@moneyradar.ca.

• Consent Express consent is captured at registration, newsletter opt-in, or payment-method addition. Implied consent covers operational security logs. Withdrawal is honoured unless statutory or contractual duties override; any functional impact is explained beforehand.

• Accountability A designated Privacy Officer conducts annual compliance reviews, staff training, and responds to written privacy inquiries within 30 days.

3. GDPR
   Although MoneyRadar targets Canada, some readers and contributors may reside in the European Economic Area (EEA). Where the EU General Data Protection Regulation applies, we act as controller for profile, billing, and engagement data, and processor for contributor content you supply. Processing bases: performance of a contract (Art. 6 (1)(b)), legitimate interest in platform security and editorial optimisation (Art. 6 (1)(f)), and legal obligation (Art. 6 (1)(c)). EEA residents may request access, rectification, erasure, restriction, portability, or objection via dpo@moneyradar.ca and may lodge complaints with their supervisory authority.

4. Cookie Policy

4.1. Types of Cookies
Essential — session tokens, CSRF guards, load-balancer cookies for secure login
Preference — stores language, font size, dark-mode toggle, sector filter
Analytics — first-party Matomo cookies with IP truncation to measure dwell time and page latency Marketing — optional cookies that promote premium reports or partner webinars; never shared with ad networks

4.2. How to Disable Cookies
Most browsers allow you to block or delete cookies. Essential cookies are mandatory for portal access; disabling them prevents login. Preference and analytics cookies can be declined via our banner or by enabling “Do Not Track.” Marketing cookies load only after explicit opt-in and can be toggled off under Account → Privacy.

5. Transfer to Third Parties
   We do not sell personal information. Limited disclosures occur only to:
   • Canadian cloud hosts running encrypted servers in Toronto and Montréal
   • PCI-DSS Level 1 payment processors
   • Independent auditors bound by NDA
   • Legal counsel, regulators, or courts when compelled by law or to defend claims
   • Law-enforcement agencies where disclosure is necessary to investigate fraud or protect public safety All vendors sign Data Processing Agreements mandating safeguards equal to PIPEDA and, where relevant, EU Standard Contractual Clauses.

6. Data-Security Measures
   • AES-256-GCM encryption at rest with tenant-specific keys stored in FIPS 140-2 Level 3 HSMs
   • TLS 1.3 with Perfect Forward Secrecy for data in transit
   • Zero-trust segmentation isolating each user vault
   • Role-based access control enforced by hardware-backed multi-factor authentication
   • Hourly incremental and nightly full backups replicated across two Canadian regions (RPO 15 min, RTO 4 h)
   • Continuous vulnerability scanning, quarterly penetration tests, and annual SOC 2 Type II audit • Incident-response plan that notifies affected users within 72 hours of a confirmed breach and provides remediation updates

7. Effective Date This Privacy Policy is effective as of 19 June 2025 and supersedes all previous versions. Material updates will be announced by email and in-app notice at least 30 days before enforcement.