Privacy Policy
Last updated: May 14, 2026
HNDL Technology Inc. ("HNDL", "we", "us") operates ComplaiLite, a compliance onboarding tool for Canadian mortgage brokers. This policy explains how we collect, use, and protect personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA).
1. Information We Collect
We collect information in two categories.
Broker information (collected during registration and account setup):
- Name, email address, phone number
- Business name and mortgage broker licence number
- Province and how you heard about us
- Logo and brand colours (for the white-label client experience)
- Two-factor authentication credentials, if you enable them — a TOTP secret and/or registered passkey credentials
Client information (collected during the compliance flow on behalf of the broker):
- Name and email address
- KYC questionnaire responses (mortgage purpose, employment, income and payment preferences, insurance status, and declarations such as prior bankruptcies, legal proceedings, or debt obligations)
- Electronic signature
- CASL marketing consent status (if given)
2. Information We Do Not Collect or Store
- Government identity documents: ComplaiLite does not perform identity verification. It does not collect, request, or store government-issued ID images, ID numbers, or biometric information.
- Passwords: Broker accounts use passwordless authentication (magic links). No passwords are stored.
- Payment information: ComplaiLite is free during the XEVA rollout. We do not collect or store any payment or credit card information.
- Advertising or tracking data: We do not use advertising cookies, remarketing pixels, or third-party tracking scripts.
3. How We Use Information
- Provide the compliance onboarding service to brokers and their clients
- Generate and deliver compliance documents (KYC PDF, signed Client Agreement)
- Send transactional emails (magic-link login, client invite, completion confirmation, reminders)
- Monitor platform health and resolve technical issues
We do not use client data for marketing, advertising, analytics, AI training, or any purpose other than providing the compliance service to the broker.
4. Who Has Access to Client Data
The broker who created the client session, and that broker's authorized team members, can view the client's information through the ComplaiLite dashboard.
No other broker can see a broker's client data. The application scopes every query to the authenticated broker's account, so one broker's sessions are never returned to another.
HNDL (platform operator) is the data processor. Our internal admin console references client sessions by anonymous session ID and does not display client names or personal information. HNDL personnel with production database access — which is limited, least-privilege, and used only for support, maintenance, and security — can technically reach stored data; they are bound by confidentiality obligations and act only on the broker's instructions.
5. Third-Party Services (Sub-processors)
We rely on the following service providers to operate ComplaiLite:
- Supabase — the primary database (system of record). Hosted on AWS infrastructure in Canada (ca-central-1, Montréal). Client data at rest lives here, encrypted with AES-256.
- Vercel — application hosting and content delivery. United States, with a global edge network. The web application is served through Vercel; personal information passes through it in transit while the platform is in use, and is not persistently stored there.
- Resend — transactional email delivery. United States. Outbound emails (the client invite, reminders, and the completion email — the last of which includes the client's name and the generated PDF documents) are delivered through Resend.
Cross-border note: client data stored at rest remains in Canada. Two supporting providers — application hosting and email delivery — are US-based, so some personal information is processed in the United States in transit and for email delivery, under contractual safeguards. PIPEDA permits this where appropriate safeguards are in place.
Mortgage-platform integration (coming soon): A future, optional integration will let a broker connect a mortgage origination platform (such as Newton Velocity or Finmo) to create sessions automatically. It is not yet available and processes no data today. When it launches, a broker that enables it will be connecting that platform as a sub-processor for their account, and our Data Processing Agreement will be updated accordingly with notice.
Each provider operates under its own privacy terms, and we share only the minimum information necessary for each to function.
6. Data Storage and Security
- Client data is stored at rest in Canada (AWS ca-central-1, Montréal).
- Data at rest is encrypted with AES-256; data in transit uses TLS 1.2 or higher.
- Broker portal access supports two-factor authentication (an authenticator app or a passkey).
- The database is not exposed to the public; all reads and writes happen through server-side application routes.
- Client data is isolated per broker through application-layer query scoping — every query is bound to the authenticated broker's account.
7. Data Breaches
If we discover or are notified of a security breach affecting personal information, HNDL notifies the affected broker promptly after confirming the breach, with the information needed to assess it.
Because the broker is the data controller, the broker is responsible for determining whether the breach meets PIPEDA's "real risk of significant harm" threshold and for any required reporting to the Office of the Privacy Commissioner of Canada, applicable provincial commissioners, and affected individuals. HNDL provides the documentation and assistance reasonably needed to support that process. Full breach obligations are set out in our Data Processing Agreement.
8. CASL Compliance
During the compliance flow, clients may optionally consent to receive marketing communications from their broker. This consent is:
- Collected through a clear, unchecked checkbox (not pre-selected)
- Recorded with a timestamp
- Stored on the client session record
- Voluntary, and does not affect the compliance process
ComplaiLite records this consent for the broker's use; it does not send commercial electronic messages on the broker's behalf. The transactional emails ComplaiLite sends (invite, reminders, completion) relate to an active onboarding and are not commercial electronic messages under CASL.
9. Data Retention
Mortgage brokers subject to FINTRAC's obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act must retain client identification and transaction records for a minimum of five years. British Columbia's BCFSA framework calls for a longer period for mortgage transaction records.
To support brokers regardless of which province they operate in, ComplaiLite retains completed client session data for a minimum of seven years from completion. As a result, a request to delete client data cannot be fully honoured before that retention period ends. Brokers remain responsible for their own record-keeping obligations.
10. Your Rights Under PIPEDA
Under the Personal Information Protection and Electronic Documents Act, you have the right to:
- Access the personal information we hold about you
- Request corrections to inaccurate information
- Withdraw consent for the use of your personal information (subject to the legal retention requirements in Section 9)
- Unsubscribe from marketing emails at any time
For clients: Contact your mortgage broker directly. They are the data controller for your compliance information. ComplaiLite processes data on behalf of the broker.
For brokers: Contact us at the email below.
11. Cookies
ComplaiLite uses the following cookies:
- Session cookies: Required for broker portal authentication (complailite_session, complailite_admin). These are functional cookies necessary for the service to operate.
- 2FA cookies: Temporary cookies used during the two-factor authentication flow.
We do not use advertising cookies, remarketing pixels, or third-party tracking scripts on the ComplaiLite platform.
12. Changes to This Policy
We may update this privacy policy from time to time. Any changes will be reflected on this page with an updated "Last updated" date. We encourage you to review this policy periodically.
13. Contact Us
If you have questions about this privacy policy or how we handle personal information: