Last updated: July 11, 2024
1. Introduction
1.1. Purpose
At Trst Innovations Inc., we are committed to protecting the privacy and confidentiality of our users' personal information. Our Data Privacy Policy is designed to uphold the highest standards of trustworthiness and integrity in handling your data. This Privacy Policy outlines our aim to safeguard your data and maintain transparent practices and clear communication regarding the collection, use, and disclosure of your personal information.
Trst Innovations Inc. will only collect and process the data necessary to provide you with our services, ensuring that your information is handled responsibly and with respect for your privacy preferences. At Trst Innovations Inc., integrity is paramount, and we continuously evaluate and improve our data handling practices to maintain your trust.
1.2. Scope
This policy applies to all individuals who interact with Trst Innovations Inc.'s products, services, websites, and platforms, including but not limited to employees, customers, visitors, partners, third-parties and other stakeholders.
1.3. Responsibilities
Operational Employees: All employees are responsible for understanding and adhering to the Data Privacy Policy in their daily activities. This includes handling personal data with care, following established procedures for data protection, and promptly reporting any potential breaches or concerns. All inquiries regarding our Privacy Policy or practices, requests to access personal information and/or how it has been used should be directed to the Privacy Officer.
Developers: Developers are responsible for understanding and adhering to the Data Privacy Policy in their daily activities. This includes all change management, data management and record keeping requirements of the Data Privacy Policy. Specific responsibilities will be determined by the level of access control in a given role.
Management: Management is responsible for implementing and maintaining data privacy measures and enforcing the provisions of this policy and any updates or evolutions of legal requirements. They are responsible for promoting a culture of privacy throughout the organization, providing guidance and training to employees, overseeing data handling practices within their respective areas, and escalating any compliance issues to higher management. IT administrators are responsible for implementing and maintaining technical privacy controls, monitoring systems for vulnerabilities, and enforcing the provisions of this policy.
2. Privacy Officer
Trst Innovations Inc. is responsible for the personal information under its control and has designated a Privacy Officer who is accountable for ensuring the company’s compliance with this Privacy Policy. We are fully accountable for our data processing activities, and we welcome feedback and inquiries regarding our privacy practices to uphold our commitment to transparency and accountability. Should you have a concern or complaint about Trst Innovations Inc.’s privacy practices, we commit to reviewing and investigating your concerns and notifying you with the results of such review clearly and promptly, including any steps taken to correct any inaccurate personal information or modify policies based on the outcome. The Privacy Officer can be contacted at privacy@trstinc.ca
3. Data Collection and Use
By using the Service in different ways you agree to the collection and use of your information in accordance with this Privacy Policy. Trst Innovations Inc. aims to make your choice to consent clear and accessible.
Beta Phase Notice: During the course of the Beta Phase, all data described in Business and User Accounts will be collected and will not be adjustable via opt-in or opt-out settings. The purpose of the Beta phase is to demonstrate the usability and functionality of the Services and to gather feedback and improve and refine our Services. If at any time during the Beta Phase, you would like to request your data be deleted, please contact the Privacy Officer or request an account deletion here.
3.1. Business Accounts
This section describes how Trst Innovations Inc. collects and uses your information when you (whether you are a person acting as a sole proprietor or on behalf of another business entity) visit our website or apply or sign up for a Trst account. If you are a consumer interacting with a business that uses Trst, please refer instead to Section 3.2.
3.1.1. Information you provide to us
When you register for your Trst account, you will be asked to provide information that allows Trst to register your account, verify your identity, authenticate your business and provide access to the Service. This information is provided directly by you and is required for the Service to function and in order to fulfill Trst’s regulatory obligations. By completing the registration process, users consent to the collection, processing, and storage of their personal and business data.
Type of Information | Collection Location | Examples | How it is used |
Owner Information | Web Portal | Name, address and contact information of the owner or operator of the business | To authorize and create your Trst account. To fulfill our contract to you. To enable multi-factor authentication to protect your account. |
Owner Identity Documents | Web Portal | Driver’s license or other photo ID | To go through our identity verification process which fulfills regulatory obligations |
Business Account Information | Web Portal | Email, account password, contact | To provide the Service at the business. For account access and to identify user logins. To enable multi-factor authentication to protect your account. |
Financial Information | Web Portal | Bank account information, payment card numbers, business and HST number and Stripe ID | To process payments. To fulfill our contract with you. To go through our identity verification process which fulfills regulatory obligations. |
Employee Information | Web Portal | Names, roles, usernames and email addresses of all employees of the business who will interact with the Trst terminal | To manage authorized users of the Trst service and terminal interfaces |
Employee Trst Accounts | Web Portal | Personal Trst account information for all employees with authorized access | To link an employee account to the business account |
3.1.2. Information collected while the Service is being used
When you use the Trst terminal or apps, some information is collected from you or the devices you use. We need this data to fulfill our legal and regulatory obligations, to protect your account against fraud and unauthorized access. We can also use this information to help us improve our Services for you and others, as well as develop new products and services.
Not all of this data is essential to the core of our Service, however when you do choose to share it with us, you receive the benefit of improved service, stronger fraud protection, and a personalized product and service mix. You are able to adjust and update your privacy and consent settings at any time.
Type of Information | Collection Location | Examples | How it is used |
Location Data | Terminal/Kiosk (in-store) or Trst servers | Terminal IP Address | To authenticate terminal and user locations to strengthen fraud prevention |
Transaction Data | Trst servers | Date, time, total | To fulfill regulatory requirements. To conduct fraud analysis. To build user profiles in order to strengthen fraud protection. |
Usage Data | Web Portal | Merchant IP address | To validate user logins from a web address |
Behaviour Data | Website | Website and application usage analytics | To provide, improve and analyze the Service. To debug and fix errors that impair how our Services function. |
3.2. User Accounts
Users must register for an account in order to use the Service. This section describes how Trst Innovations Inc. collects and uses your information when you register as a user of the Service. If you are a business using Trst, please refer instead to Section 3.1.
3.2.1. Information you provide to us
Upon registration, you will be asked to provide information that allows Trst to register your account, verify your identity and provide access to the Service. This information is provided directly by you and is required for the Service to function and in order to fulfill Trst’s regulatory obligations. By completing the registration process and enrolling a biometric identifier, users explicitly consent to the collection, processing, and storage of their personal data, including biometric information. Trst Innovations Inc. ensures the utmost security and confidentiality of biometric data and uses it solely for the purpose of user authentication and access control.
Type of Information | Collection Location | Examples | How it is used |
User Information | Web Portal | Name, email, address and phone number, birth date | To identify you. To administer and maintain the Service. To contact you. |
Biometric Image | Web Portal | A selfie | At registration and enrollment your image is compared to your Identity Documents to validate user unique ID |
User Identity Documents | Web Portal | Driver’s license or other photo ID | To go through our identity verification process which fulfills regulatory obligations |
Account Information | Android or iOS App | User name, password | To provide users access to their accounts |
Financial Information | Android or iOS App | Credit Card number | Financial information is collected via Stripe to create a unique ID for you but is not stored by Trst at any time. More information on Stripe’s Privacy Policy |
Biometric Template | Terminal or Kiosk (in-store) | Palm vein information | To create a unique representation of users that is linked to their account |
Third-Party Unique IDs | Web Portal | Unique ID created to define users in 3rd party systems (created by other systems like a loyalty program). Either you will enter this directly or will authorize a third party to disclose to Trst. | To integrate with third-party/external services where users may already have an account to provide services including access control and transactions |
3.2.2. Information collected while the Service is being used
Usage data is collected on our website and apps. Trst Innovations Inc. employs continuous verification methods to enhance security and user experience. Users are informed about the continuous verification process and its implications for their privacy. By continuing to use our services, users provide ongoing consent for the continuous monitoring and verification of their identity. We prioritize the protection of user data and only use it for legitimate purposes related to security and authentication.
We use Cookies and similar tracking technologies to track the activity on our website and store certain information. A cookie is a small file placed on your device. Cookies can be "Persistent" or "Session" Cookies. Persistent Cookies remain on your personal computer or mobile device when you go offline, while Session Cookies are deleted as soon as you close your web browser. By accepting cookies, users consent to the use of these tracking technologies.
Not all of this data is essential to the core of our Service, however by granting us permission to process your data through additional AI services, you receive the benefit of improved service, stronger identity profile and fraud protection, and a personalized product and service mix. You are able to adjust and update your privacy and consent settings at any time.
Type of Information | Collection Location | Examples | How it is used |
Transaction Data | Trst servers | Date, time, total, terminal location | To fulfill regulatory requirements. To conduct fraud analysis. To build user profiles. |
Biometric Capture | Terminal (in-store) | Scan of palm vein collected during a transaction | To compare against the template on your account and validate the use of the Service |
Location Data | Future Plan | Mobile or Wearable device location | To provide service and validate user logins. To authorize current transactions by confirming your presence at the location of the terminal. To ensure validity of future transactions by strengthening your profile as a unique identifier. |
Visible Wireless Devices | Future Plan | Wifi, Bluetooth, beacons | To confirm location and presence |
Mobile Device Sensor Data | Future Plan | Data from your mobile device accelerometer or gyrometer | To strengthen fraud prevention |
Behaviour Data | Future Plan | Deriving a personal profile from the aggregate of data collected. | To authorize transactions and fight fraud. To ensure timely transactions and access control. |
Mobile App Usage | Android or iOS App | When you open and use the app including how you navigate the app | To provide, improve and analyze the Service. To help to authenticate users and prevent fraudulent use of user accounts. To identify any unusual activity on your account so as to detect and prevent fraud. To debug and fix errors that impair how our Services function. To remember the choices you make when you use the app and adjust our service behaviours. |
Internet or Network Activity | Website | Cookies, web beacons, IP Address | To provide, improve and analyze the Service. To help to authenticate users and prevent fraudulent use of user accounts. To identify any unusual activity on your account so as to detect and prevent fraud. To debug and fix errors that impair how our Services function. To remember choices you make when you use the website, such as remembering your login details or language preference. To provide promotional information about products or services similar to those that you have already purchased or enquired about unless you have opted not to receive such information. See 3.3. Opt-In for Promotional Communication. |
3.3. Opt-in for Promotional Communication
For promotional communications, including newsletters, notifications about new features, upgrades, or marketing offers, users must expressly opt-in to receive such materials. Trst Innovations Inc. maintains internal processes to ensure clarity on every communication you receive from us. We respect user preferences regarding promotional communication and provide clear instructions for opting in or out of receiving marketing materials. Users can manage their communication preferences through their account settings or by contacting our customer support team.
3.4. Withdrawing Consent
Trst Innovations Inc. keeps a record of all identified data collection purposes and consents given.
Users can exercise their right to withdraw consent through a variety of mechanisms including managing preferences in user account settings and utilizing opt-out or unsubscribe options in communications and notifications from Trst Innovations Inc.
Opt-out options specifically for the collection and usage of personal information, location data, and other data processing activities may impact the functionality of the service received through our platform.
Users can manage cookie preferences through their browser settings or by adjusting Cookie preferences on our website. However, if you do not accept Cookies, you may not be able to use some parts of our service. Unless you have adjusted your browser setting so that it will refuse Cookies, our service may use Cookies.
If you have questions or concerns about withdrawing your consent, please contact our Privacy Officer.
4. Data Storage and Protection
4.1. Storage
Your information, including personal data, is processed at Trst Innovations Inc.'s operating offices and in any other places where the parties involved in the processing are located. This means that this information may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those from your jurisdiction.
4.2. Protection
The security of your personal data is of utmost importance to us. Trst Innovations Inc. utilizes all industry-standard security tools including but not limited to encryption, passwords, firewalls, and security patches as well as internal organization controls to manage access to data and ensure our employees are knowledgeable and current on all industry best practices. Remember that no method of transmission over the Internet, or method of electronic storage, is 100% secure and we cannot guarantee its absolute security.
If at any time you are concerned about the privacy of your data or are suspicious of a breach in privacy, please contact the Privacy Officer as quickly as possible to request a review. Upon receiving your request, Trst Innovations Inc. will complete a review and respond to you within 30 days.
5. Transfer of data
Trst Innovations Inc. will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your personal data will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information.
Provider | Description | Purpose of disclosure |
Stripe | Trst utilizes Stripe as our payment processor | Your email, credit card information, unique Stripe ID and transaction information is shared with Stripe in order to process payments. Your Payment Data may be transferred, processed and stored outside of Canada and, as set forth in Stripe’s Privacy Policy, may be subject to disclosure as required by applicable Laws. Stripe may delete or disconnect your personal data from your Stripe Account when requested to do so by the Customer. Users have the option to review and agree to Stripe Connect's terms and privacy policy before completing payment transactions. |
Google Cloud Platform | Authentication services | Your user name, email, password, 2nd-factor authentication may be shared with Firebase to provide security during sign-up and authentication |
Trst business accounts | The business you transact with | Trst may share transaction records only with the businesses you transact with if required by a regulatory body or in an effort to perform transaction reconciliation. |
Legal Requirements | Governing bodies, Law Enforcement | Trst may be obligated to disclose personal, transaction or other data if required to do so by law or in response to valid requests by public authorities. Trst may also disclose your personal data in the good faith that such action is necessary to comply with a legal obligation, protect and defend company rights or property, prevent or investigate possible wrongdoing in connection with the Service, protect the personal safety of Users of the Service or the public or to protect against legal liability. |
KYC provider | Trst may contract a third party to perform identity verification processes required by regulating bodies | Your name, address, date of birth, biometric image, identity documents, and business number may be used in verifying your identity |
SMS provider | 2-factor authentication | Trst may disclose your phone number or other 2nd factor authentication information with a third party contracted to provide this service for us. |
Google/Apple Analytics | Website activity monitoring | Trst uses Analytic services from Google and Apple to monitor web and mobile user traffic. While using our service or downloading our app these service providers may collect anonymous usage statistics. |
Other 3rd party | Accounting, CRM, email provider | From time to time, Trst may contract 3rd parties to manage business parts. In doing so your data may be transferred. |
Other | Business Transactions | If the Company is involved in a merger, acquisition or asset sale, your personal data may be transferred. We will provide notice before your personal data is transferred and becomes subject to a different Privacy Policy. |
6. Data Retention
The Company will retain your personal data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your personal data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies. Users are able to delete their accounts at any time. Once accounts are deleted, information therein is also deleted.
Type of Data | Retention Period |
Personal, and Account Information | The minimum of 5 years or the mandated regulatory requirement for such information after the deletion of the account by the user |
Business and Employee Information | The minimum of 5 years or the mandated regulatory requirement for such information after the deletion of the account by the business. |
Identity Documents | The minimum of 5 years or the mandated regulatory requirement for such information after the deletion of the account by the user |
Biometric Data | The template and/or hash representations or biometric data will be anonymized and stored in correlation with other data for as long as that data is retained. |
Financial Information | The minimum of 5 years or the mandated regulatory requirement for such information after the deletion of the account by the user |
Transaction, Usage and Location Data | Until account deletion by user except when this data is used to strengthen the security or to improve the functionality of our service, or we are legally obligated to retain this data for longer time periods. |
Internet or Network Activity | For the length of the cookie life. |
Stripe | Stripe maintains their own retention periods and policies. For more information please see Stripe Privacy Center |
Any data involved in a data breach | In the event of a breach, privacy regulations require us to maintain a record of all data involved for 2 years following the breach. |
Compliance inquiry or complaint | We will keep all records of our internal complaint investigation and remediation process for 2 years. |
All data above may be present in our access and system logs in anonymous form for up to 2 years following account deletion. We retain these logs for security, regulatory, or audit processes.
We will review our records regularly in order to identify data that is no longer needed for legitimate business purposes. When we no longer need to retain your personal data, records will be physically and permanently deleted.
7. Accessing your data
7.1. How to Access
You may access, update, amend, or delete your information at any time by signing in to your user account, if you have one, and visiting the account settings section that allows you to manage your personal information. You may also contact us through the Privacy Officer to request access to, correct, or delete any personal information that you have provided to us.
7.2. Accuracy of your Data
You are responsible for maintaining the accuracy of your personal identifying information. From time to time, we may prompt all users to verify their information. Failure to do so may impact your access to the full functionality of the platform. In the event of a change of certain identifying data, we reserve the right to move through additional verification measures in order to fulfill our legislative requirements. Prior to amending personal details, we will request a secondary confirmation via a source different from the original to ensure the amendments are valid.
Upon request, a record of the personal data being stored and how it has been used and to whom it has or may have been disclosed will be provided. Contact the Privacy Officer for access.
7.3. Deleting your Personal Data
You have the right to delete or request that we assist in deleting the personal data that we have collected about you. Our service may give you the ability to delete certain information about you from within the service. To request the deletion of additional data please contact the Privacy Officer or request an account deletion here.
Please note, we may need to retain certain information when we have a legal obligation or lawful basis to do so.
8. Children's Privacy
Our Service does not address anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us. If we become aware that we have collected personal data from anyone under the age of 13 without verification of parental consent, we take steps to remove that information from our servers.
If we need to rely on consent as a legal basis for processing your information and your country requires consent from a parent, we may require your parent's consent before we collect and use that information.
9. Links to Other Websites
Our Service may contain links to other websites that are not operated by us. If you click on a third party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.
10. Employee Training
All employees of Trst Innovations Inc. will be required to participate in Privacy Training upon onboarding and on a recurring annual basis or as significant updates are made to regulations or company policy. Training covers the fundamentals of privacy, Personal Information Protection and Electronic Documents Act (PIPEDA) Principles, internal practices on data collection and obtaining consent and role specific information.
10.1. PIPEDA
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the Canadian federal privacy law for private-sector organizations to regulate the way personal information is handled in commercial activity.
There are 10 PIPEDA Principles.
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure and Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
These PIPEDA Principles give individuals the right to know why their personal information is being collected, how their personal information will be used, and to whom their personal information will be disclosed and to have the ability to ask for access to, or correction of, their personal information.
10.2. Training Objectives
Data Collection:
- What data is collected?
- What is it used for?
- Who is it shared with?
- How long is it kept?
Consent:
- Data Privacy Policy is designed to be clear and transparent about how we uphold the highest standards of trustworthiness and integrity in handling consumer data.
- Consent can be express or implied.
- Essential Data
- Optional Data
- Managing Consent
Record Keeping and Reporting:
- Keep a record of all identified purposes and consents you have obtained
- Record the date when the personal information was obtained or updated
- Record the steps taken to verify the accuracy, completeness and timeliness of the information
- All inquiries or requests regarding our Privacy Policy or practices should be directed to the Privacy Officer. Records must be kept including
- When complaint comes in
- Records date
- Acknowledge receipt
- Assign to person with skills and knowledge to review impartially
- Notify complainant with results of review clearly and promptly, including any steps taken
- Correct any inaccurate personal information or modify policies based on the outcome
- Prior to amending personal details, secondary confirmation is obtained from customers via a source different from the original
- When requested within 30 days, advise people about the information you hold, how it was obtained, how it has been used or disclosed, and how to correct or amend any personal information
11. Privacy Management Program
An integral aspect of our privacy commitment is regular internal review and privacy impact assessments. Trst Innovations Inc. seeks to identify, reduce, and mitigate privacy impacts before they occur, as opposed to finding remedies after the fact.
11.1. Privacy Impact Assessment
Prior to launching a new program or activity, a Privacy Impact Assessment is completed. The PIA is a tool to guide and document the analysis of privacy impacts throughout a program or activity and to plan measures to minimize impacts and to comply with legislative policies, directives and guidelines as well as best practices.
A PIA starts with a risk assessment on the sensitivity of the data being collected, the likelihood of the incident occurring and the extent of the impact on privacy rights or harm, if it occurs.
Once risk levels have been identified, the PIA must demonstrate how programs or activities meet legal requirements. Using PIPEDA principles, all aspects of programs and activities are evaluated for compliance, the identification of any negative impacts on privacy as well as mitigation planning. Depending on the nature of the initiative, some principles will be considered in more depth than others.
https://www.priv.gc.ca/en/privacy-topics/privacy-impact-assessments/gd_exp_202003/#toc4-1
11.2. PIPEDA Self Assessment
The PIPEDA Self Assessment is a tool to assess ongoing compliance with current regulations. Trst Innovations Inc. will complete these assessments on an annual basis, reviewing and updating this policy as needed.
These regulations are expected to change. At time of change, additional assessments and updates to the policy will be necessary outside of the annual cycle.
11.3. Reporting and Remediation
Assessment Findings: Internal assessment findings will be documented and shared with relevant stakeholders, including IT management and executives.
Corrective Actions: The IT department is responsible for developing and implementing corrective actions to address identified issues, vulnerabilities, or policy gaps.
11.4. Changes to this Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page. We will let you know via email and/or a prominent notice on our service, prior to the change becoming effective and update the "Last updated" date at the top of this Privacy Policy. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.