Privacy Policy

Last updated: July 11, 2024

1. Introduction

1.1. Purpose

At Trst Innovations Inc., we are committed to protecting the privacy and confidentiality of our users' personal information. Our Data Privacy Policy is designed to uphold the highest standards of trustworthiness and integrity in handling your data. This Privacy Policy outlines our aim to safeguard your data and maintain transparent practices, and clear communication regarding the collection, use, and disclosure of your personal information.

Trst Innovation Inc. will only collect and process the data necessary to provide you with our services, ensuring that your information is handled responsibly and with respect for your privacy preferences. At Trst Innovations Inc., integrity is paramount, and we continuously evaluate and improve our data handling practices to maintain your trust.

1.2. Scope

This policy applies to all individuals who interact with Trst Innovations Inc.'s products, services, websites, and platforms, including but not limited to employees, customers, visitors, partners, third-parties and other stakeholders.

1.3. Responsibilities

Operational Employees: All employees are responsible for understanding and adhering to the data Privacy Policy in their daily activities. This includes handling personal data with care, following established procedures for data protection, and promptly reporting any potential breaches or concerns. All inquiries regarding our Privacy Policy or practices, requests to access personal information and/or how it has been used should be directed to the Privacy Officer.

Developers: Developers are responsible for understanding and adhering to the data Privacy Policy in their daily activities. This includes all change management, data management and record keeping requirements of the Data Privacy Policy. Specific responsibilities will be determined by the level of access control in a given role.

Management: Management is responsible for implementing and maintaining data privacy measures and enforcing the provisions of this policy and any updates or evolutions of legal requirements. They are responsible for promoting a culture of privacy throughout the organization, providing guidance and training to employees, overseeing data handling practices within their respective areas, and escalating any compliance issues to higher management. IT administrators are responsible for implementing and maintaining technical privacy controls, monitoring systems for vulnerabilities, and enforcing the provisions of this policy.

2. Privacy Officer

Trst Innovations Inc is responsible for the personal information under its control and has designated a Privacy Officer who is accountable for ensuring the company’s compliance with this Privacy Policy. We are fully accountable for our data processing activities, and we welcome feedback and inquiries regarding our privacy practices to uphold our commitment to transparency and accountability. Should you have concern or complaint about Trst Innovation Inc.’s privacy practices we commit to reviewing and investigating your concerns and notifying you with results of such review clearly and promptly, including any steps taken to correct any inaccurate personal information or modify policies based on the outcome.The Privacy Officer can be contacted at privacy@trstinc.ca

3. Data Collection and Use

By using the Service in different ways you agree to the collection and use of your information in accordance with this Privacy Policy. Trst Innovation Inc. aims to make your choice to consent clear and accessible.

Beta Phase Notice: During the course of the Beta Phase, all data described in Business and User Accounts will be collected and will not be adjustable via opt-in or opt-out settings. The purpose of the Beta phase is to demonstrate the usability and functionality of the Services and to gather feedback and improve and refine our Services. If at any time during the Beta Phase, you would like to request your data be deleted, please contact the Privacy Officer or request an account deletion here.

3.1. Business Accounts

This section describes how Trst Innovations Inc collects and uses your information when you (whether you are a person acting as a sole proprietor or on behalf of another business entity) visit our website or apply or sign up for a Trst account. If you are a consumer interacting with a business that uses Trst, please refer instead to Section 3.2.

3.1.1. Information you provide to us

When register for you Trst account, you will be asked to provide information that allows Trst to register your account, verify your identity, authenticate your business and provide access to the Service. This information is provided directly by you and is required for the Service to function and in order to fulfill Trst’s regulatory obligations. By completing the registration process, users consent to the collection, processing, and storage of their personal and business data.

Type of InformationCollection LocationExamplesHow it is used
Owner InformationWeb PortalName, address and contact information of the owner or operator of the businessTo authorize and create your Trst account.


To communicate with you and respond to requests.

To fulfill our contract to you.

To enable multi-factor authentication to protect your account.

Owner Identity DocumentsWeb PortalDriver’s license or other photo IDTo go through our identity verification process which fulfills regulatory obligations
Business Account InformationWeb PortalEmail, account password, contactTo provide the Service at the business

For account access and to identify use logins

To enable multi-factor authentication to protect your account


To send required notifications

Financial InformationWeb PortalBank account information, payment card numbers, business and HST number and Stripe IDTo process payments

To fulfill our contract with you

To go through our identity verification process which fulfills regulatory obligations

Employee InformationWeb PortalNames, roles, usernames and email addresses of all employees of the business who will interact with the Trst terminalTo manage authorized users of the Trst service and terminal interfaces
Employee Trst AccountsWeb PortalPersonal Trst account information for all employees with authorized accessTo link an employee account to the business account

3.1.2. Information collected while the Service is being used

When you use the Trst terminal or apps, some information is collected from you or the devices you use. We need this data to fulfill our legal and regulatory obligations, to protect your account against fraud and unauthorized access. We can also use this information to help us improve our Services for you and others, as well as develop new products and services.

Not all of this data is essential to the core of our Service, however when you do choose to share it with us, you receive the benefit of improved service, stronger fraud protection, and a personalized product and service mix. You are able to adjust and update your privacy and consent settings at any time.

Type of InformationCollection LocationExamplesHow it is used
Location DataTerminal/Kiosk (in-store) or Trst serversTerminal IP AddressTo authenticate terminal and user locations to strengthen fraud prevention
Transaction DataTrst serversDate, time, totalTo fulfill regulatory requirements

To conduct fraud analysis

To build user profiles in order to strengthen fraud protection

Usage DataWeb PortalMerchant IP addressTo validate user logins from a web address
Behaviour DataWebsiteWebsite and application usage analyticsTo provide, improve and analyze the Service

To debug and fix errors that impair how our Services function

3.2. User Accounts

Users must register for an account in order to use the Service. This section describes how Trst Innovations Inc. collects and uses your information when you register as a user of the Service. If you are a business using Trst, please refer instead to Section 3.1.

3.2.1. Information you provide to us

Upon registration, you will be asked to provide information that allows Trst to register your account, verify your identity and provide access to the Service. This information is provided directly by you and is required for the Service to function and in order to fulfill Trst’s regulatory obligations. By completing the registration process and enrolling a biometric identifier, users explicitly consent to the collection, processing, and storage of their personal data, including biometric information. Trst Innovations Inc. ensures the utmost security and confidentiality of biometric data and uses it solely for the purpose of user authentication and access control.

Type of InformationCollection LocationExamplesHow it is used
User InformationWeb PortalName, email, address and phone number, birth dateTo identify you

To administer and maintain the Service

To contact you

Biometric ImageWeb PortalA selfieAt registration and enrollment your image is compared to you Identity Documents to validate user unique ID
User Identity DocumentsWeb PortalDriver’s license or other photo IDTo go through our identity verification process which fulfills regulatory obligations
Account InformationAndroid or iOS AppUser name, passwordTo provide users access to their accounts
Financial InformationAndroid or iOS AppCredit Card numberFinancial information is collected via Stripe to create a unique ID for you but is not stored by Trst at any time

More information on Stripe’s Privacy Policy

Biometric TemplateTerminal or

Kiosk (in-store)

Palm vein informationTo create a unique representation of users that linked to their account
Third-Party Unique IDsWeb PortalUnique ID created to define users in 3rd party systems (created by other systems like a loyalty program).

Either you will enter this directly or will authorize a third party to disclose to Trst.

To integrate with third-party/external services where users may already have an account to provide services including access control and transactions

3.2.2. Information collected while the Service is being used

Usage data is collected on our website and apps. Trst Innovations Inc. employs continuous verification methods to enhance security and user experience. Users are informed about the continuous verification process and its implications for their privacy. By continuing to use our services, users provide ongoing consent for the continuous monitoring and verification of their identity. We prioritize the protection of user data and only use it for legitimate purposes related to security and authentication.

We use Cookies and similar tracking technologies to track the activity on our website and store certain information. A cookie is a small file placed on your device. Cookies can be "Persistent" or "Session" Cookies. Persistent Cookies remain on your personal computer or mobile device when you go offline, while Session Cookies are deleted as soon as you close your web browser. By accepting cookies, users consent to the use of these tracking technologies.

Not all of this data is essential to the core of our Service, however by granting us permission to process your data through additional AI services, you receive the benefit of improved service, stronger identity profile and fraud protection, and a personalized product and service mix. You are able to adjust and update your privacy and consent settings at any time.

Type of InformationCollection LocationExamplesHow it is used
Transaction DataTrst serversDate, time, total, terminal locationTo fulfill regulatory requirements

To conduct fraud analysis

To build user profiles

Biometric CaptureTerminal (in-store)Scan of palm vein collected during a transactionTo compare again template on your account and validate the use of the Service
Location DataFuture PlanMobile or Wearable device locationTo provide service and validate user logins

To authorize current transactions by confirming your presence at the location of the terminal

To ensure validity of future transactions by strengthening your profile as a unique identifier

Visible Wireless DevicesFuture PlanWifi, Bluetooth, beaconsTo confirm location and presence
Mobile Device Sensor DataFuture PlanData from your mobile device accelerometer or gyrometerTo strengthen fraud prevention
Behaviour DataFuture PlanDeriving a personal profile from the aggregate of data collected.To authorize transactions and fight fraud

To ensure timely transactions and access control

Mobile App UsageAndroid or iOS AppWhen you open and use the app including how you navigate the appTo provide, improve and analyze the Service

To help to authenticate users and prevent fraudulent use of user accounts

To identify any unusual activity on your account so as to detect and prevent fraud

To debug and fix errors that impair how our Services function

To remember the choices you make when you use the app and adjust our service behaviours.

Internet or Network ActivityWebsiteCookies, web beacons, IP AddressTo provide, improve and analyze the Service

To help to authenticate users and prevent fraudulent use of user accounts

To identify any unusual activity on your account so as to detect and prevent fraud

To debug and fix errors that impair how our Services function

To remember choices you make when you use the website, such as remembering your login details or language preference

To provide promotional information about products or services similar to those that you have already purchased or enquired about unless you have opted not to receive such information. See 3.3. Opt-In for Promotional Communication.

3.3. Opt-in for Promotional Communication

For promotional communications, including newsletters, notifications about new features, upgrades, or marketing offers, users must expressly opt-in to receive such materials. Trst Innovations Inc. maintains internal processes to ensure clarity on every communication you receive from us. We respect user preferences regarding promotional communication and provide clear instructions for opting in or out of receiving marketing materials. Users can manage their communication preferences through their account settings or by contacting our customer support team.

3.4. Withdrawing Consent

Trst Innovations Inc. keeps a record of all identified data collection purposes and consents given.

Users can exercise their right to withdraw consent through a variety of mechanisms including managing preferences in user account settings and utilizing opt-out or unsubscribe options in communications and notifications from Trst Innovation Inc.

Opt-out options specifically for the collection and usage of personal information, location data, and other data processing activities may impact the functionality of the service received through our platform.

Users can manage cookie preferences through their browser settings or by adjusting Cookie preferences on our website. However, if you do not accept Cookies, you may not be able to use some parts of our service. Unless you have adjusted your browser setting so that it will refuse Cookies, our service may use Cookies.

If you have questions or concerns about withdrawing your consent, please contact our Privacy Officer.

4. Data Storage and Protection

4.1. Storage

Your information, including personal data, is processed at Trst Innovations Inc.'s operating offices and in any other places where the parties involved in the processing are located. This means that this information may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those from your jurisdiction.

4.2. Protection

The security of your personal data is of utmost importance to us. Trst Innovation Inc. utilizes all industry-standard security tools including but not limited to encryption, password, firewalls, and security patches as well as internal organization controls to manage access to data and ensure our employees are knowledgeable and current on all industry best practices. Remember that no method of transmission over the Internet, or method of electronic storage is 100% secure and we cannot guarantee its absolute security.

If at any time you are concerned about the privacy of your data or are suspicious of a breach in privacy, please contact the Privacy Officer as quickly as possible to request a review. Upon receiving your request, Trst Innovation In will complete a review and respond to you within 30 days.

5. Transfer of data

Trst Innovation Inc. will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your personal data will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information.

ProviderDescriptionPurpose of disclosure
StripeTrst utilizes Stripe as our payment processorYour email, credit card information, unique Stripe ID and transaction information is shared with Stripe in order to process payments.

Your Payment Data may be transferred, processed and stored outside of Canada and, as set forth in Stripe’s Privacy Policy, may be subject to disclosure as required by applicable Laws.

Stripe may delete or disconnect your personal data from your Stripe Account when requested to do so by the Customer.

Users have the option to review and agree to Stripe Connect's terms and privacy policy before completing payment transactions.

Google Cloud PlatformAuthentication servicesYour user name, email, password, 2nd-factor authentication may be shared with Firebase to provide security during sign-up and authentication
Trst business accountsThe business you transact withTrst may share transaction records only the businesses you transact with if required by a regulatory body or in an effort to perform transaction reconciliation.
Legal RequirementsGoverning bodies, Law EnforcementTrst may be obligated to disclose personal, transaction or other data if required to do so by law or in response to valid requests by public authorities.

Trst may also disclose your personal data in the good faith that such action is necessary to comply with a legal obligation, protect and defend company rights or property, prevent or investigate possible wrongdoing in connection with the Service, protect the personal safety of Users of the Service or the public or to protect against legal liability.

KYC providerTrst may contract a third party to perform identity verification processes required by regulating bodiesYour name, address, date of birth, biometric image, identity documents, and business number may be used in verifying your identity
SMS provider2-factor authenticationTrst may disclose your phone number or other 2nd factor authentication information with a third party contracted to provide this service for us.
Google/Apple AnalyticsWebsite activity monitoringTrst uses Analytic services from Google and Apple to monitor web and mobile user traffic. While using our service or downloading our app these service providers may collect anonymous usage statistics.
Other 3rd partyAccounting, CRM, email providerFrom time to time, Trst may contract 3rd parties to manage business parts. In doing so your data may be transferred.
OtherBusiness TransactionsIf the Company is involved in a merger, acquisition or asset sale, your personal data may be transferred. We will provide notice before your personal data is transferred and becomes subject to a different Privacy Policy.

6. Data Retention

The Company will retain your personal data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your personal data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies. Users are able to delete their accounts at any time. Once accounts are deleted, information therein is also deleted.

Type of DataRetention Period
Personal, and Account InformationThe minimum of 5 years or the mandated regulatory requirement for such information after the deletion of the account by the user
Business and Employee InformationThe minimum of 5 years or the mandated regulatory requirement for such information after the deletion of the account by the business.
Identity DocumentsThe minimum of 5 years or the mandated regulatory requirement for such information after the deletion of the account by the user
Biometric DataThe template and or hash representations or biometric data will be anonymized and stored in correlation with other data for as long as that data is retained.
Financial InformationThe minimum of 5 years or the mandated regulatory requirement for such information after the deletion of the account by the user
Transaction, Usage and Location DataUntil account deletion by user except when this data is used to strengthen the security or to improve the functionality of our service, or we are legally obligated to retain this data for longer time periods.
Internet or Network ActivityFor the length of the cookie life.
StripeStripe maintains their own retention periods and policies. For more information please see Stripe Privacy Center
Any data involved in a data breachIn the event of a breach, privacy regulations require us to maintain a record of all data involved for 2 years following the breach.
Compliance inquiry or complaintWe will keep all records of our internal complaint investigation and remediation process for 2 years.

All data above may be present in our access and system logs in anonymous form for up to 2 years following account deletion. We retain these logs for security, regulatory, or audit processes.

We will review our records regularly in order to identify data that is longer needed for legitimate business purposes. When we no longer need to retain your personal data, records will be physically and permanently deleted.

7. Accessing your data

7.1. How to Access

You may access, update, amend, or delete your information at any time by signing in to your user account, if you have one, and visiting the account settings section that allows you to manage your personal information. You may also contact us through the Privacy Officer to request access to, correct, or delete any personal information that you have provided to us.

7.2. Accuracy of your Data

You are responsible for maintaining the accuracy of your personal identifying information. From time to time, we may prompt all users to verify their information. Failure to do so may impact your access to the full functionality of the platform. In the event of a change of certain identifying data, we reserve the right to move through additional verification measures in order to fulfill our legislative requirements. Prior to amending personal details, we will request a secondary confirmation via a source different from the original to ensure the amendments are valid.

Upon request, a record of the personal data being stored and how it has been used and to whom it has or may have been disclosed will be provided. Contact the Privacy Officer for access.

7.3. Deleting your Personal Data

You have the right to delete or request that we assist in deleting the personal data that we have collected about you. Our service may give you the ability to delete certain information about you from within the service. To request the deletion of additional data please contact the Privacy Officer or request an account deletion here.

Please note, we may need to retain certain information when we have a legal obligation or lawful basis to do so.

8. Children's Privacy

Our Service does not address anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us. If we become aware that we have collected personal data from anyone under the age of 13 without verification of parental consent, we take steps to remove that information from our servers.

If we need to rely on consent as a legal basis for processing your information and your country requires consent from a parent, we may require your parent's consent before we collect and use that information.

9. Links to Other Websites

Our Service may contain links to other websites that are not operated by us. If you click on a third party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.

10. Employee Training

All employees of Trst Innovations Inc. will be required to participate in Privacy Training upon onboarding and on a recurring annual basis or as significant updates are made to regulations or company policy. Training covers the fundamentals of privacy, Personal Information Protection and Electronic Documents Act (PIPEDA) Principles, internal practices on data collection and obtaining consent and role specific information.

10.1. PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the Canadian federal privacy law for private-sector organizations to regulate the way personal information is handled in commercial activity.

There are 10 PIPEDA Principles.

  1. Accountability
  2. Identifying Purposes
  3. Consent
  4. Limiting Collection
  5. Limiting Use, Disclosure and Retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual Access
  10. Challenging Compliance

These PIPEDA Principles give individuals the right to know why their personal information is being collected, how their personal information will be used, and to whom their personal information will be disclosed and to have the ability to ask for access to, or correction of, their personal information.

10.2. Training Objectives

Data Collection:

  • What data is collected?
  • What is it used for?
  • Who is it shared with?
  • How long is it kept

Consent:

  • Data Privacy Policy is designed to be clear and transparent about how we uphold the highest standards of trustworthiness and integrity in handling consumer data.
  • Consent can be express or implied.
  • Essential Data
  • Optional Data
  • Managing Consent

Record Keeping and Reporting:

  • Keep a record of all identified purposed and consents you have obtained
  • Record the date when the personal information was obtained or updated
  • Record the steps taken to verify the accuracy, completeness and timeliness of the information
  • All inquiries or requests regarding our Privacy Policy or practices should be directed to the Privacy Officer. Records must be kept including
    • When complaint comes in
    • Records date
    • Acknowledge receipt
    • Assign to person with skills and knowledge to review impartially
    • Notify complainant with results of review clearly and promptly, including any steps taken
    • Correct andy inaccurate personal information or modify policies based on the outcome
  • Prior to amending personal details, secondary confirmation is abstained from customers via a source different from the original
  • When requested within 30 days, advise people about the information you hold, how it was obtained, how it has been used or disclosed How to correct or amend any personal information

11. Privacy Management Program

An integral aspect of our privacy commitment is regular internal review and privacy impact assessments. Trst Innovations Inc. seeks to identify, reduce, and mitigate privacy impacts before they occur, as opposed to finding remedies after the fact.

11.1. Privacy Impact Assessment

Prior to launching a new program or activity, a Privacy Impact Assessment is completed. The PIA is a tool to guide and document the analysis of privacy impacts throughout a program or activity and to plan measures to minimize impacts and to comply with legislative policies, directives and guidelines as well as best practices.

A PIA starts with a risk assessment on the sensitivity of the data being collected, the likelihood of the incident occurring and the extent of the impact on privacy rights or harm, if it occurs.

Once risk levels have been identified, the PIA must demonstrate how programs or activities meet legal requirements. Using PIPEDA principles, all aspects of programs and activities are evaluated for compliance, the identification of any negative impacts on privacy as well as mitigation planning. Depending on the nature of the initiative, some principles will be considered in more depth than others.

https://www.priv.gc.ca/en/privacy-topics/privacy-impact-assessments/gd_exp_202003/#toc4-1

11.2. PIPEDA Self Assessment

The PIPEDA Self Assessment is a tool to assess ongoing compliance with current regulations. Trst Innovations Inc. will complete these assessments on an annual basis, reviewing and updating this policy as needed.

These regulations are expected to change. At time of change, additional assessments and updates to the policy will be necessary outside of the annual cycle.

11.3. Reporting and Remediation

Assessment Findings: Internal assessment findings will be documented and shared with relevant stakeholders, including IT management and executives.

Corrective Actions: The IT department is responsible for developing and implementing corrective actions to address identified issues, vulnerabilities, or policy gaps.

11.4. Changes to this Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page. We will let you know via email and/or a prominent notice on our service, prior to the change becoming effective and update the "Last updated" date at the top of this Privacy Policy. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.