Privacy Policy

MarshallZehr Group Inc.
(referred to as “Our Company”)

Initial Effective Date: September 15, 2008

Updated: April 13, 2022

Who is MarshallZehr Group Inc.?

Our Company is a mortgage brokerage and mortgage administrator company. We bring together borrowers who need mortgage loans and companies and/or individuals with money to lend. In undertaking these tasks, we may collect Personal Information. In this Privacy Policy, the use of the terms “we”, “our” and “us” refers to Our Company.

This Privacy Policy provides our principles related to the protection of the Confidential and Personal Information (“information”) of our customers, suppliers and other entities with which we engage in commercial activities (“Privacy Policy”). We follow the Canadian Standards Association’s Model Code for the Protection of Personal Information principles in detailing our practices in this Policy. The Policy has been designed to be compliant with the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and the corresponding regulations.

Our Company is also legally obligated to follow the Financial Services Regulatory Authority of Ontario Act (“FSRA”), the Mortgage Brokerages, Lenders and Administrators Act (“MBLA”) and their respective regulations. This includes FSRA principles, processes and practices, incorporating the Mortgage Broker Regulators’ Council of Canada (“MBRCC”) Code of Conduct for the Mortgage Brokering Sector (referred as the “Code”) into the FSRA’s regulatory framework. The Code provides for guidance on conduct standards and complementary practices for protection of our clients.

The protection of client privacy and the confidentiality of their information is a key priority for Our Company. As a provider of financial products and related services, the collection, use and authorized disclosure of information is fundamental to our day-to-day business operations. We are committed to treating your information fairly, with respect and in compliance with PIPEDA and similar provincial privacy legislation that apply to us.

Our Company is dedicated to maintaining the accuracy, privacy, and security of your information. Confidential Information means all non-public information disclosed by you to our Company, whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of that information. Personal Information is any information that identifies an individual or by which their identity could be learned. Personal information that we collect may include name, age, home address, home telephone number, credit card numbers, unique identification numbers such as government issued identification numbers, financial records, personal references, and employment records.

Personal information does not include the name, title, business address, telephone number or email address of an employee of an organization that is used to contact the employee in their business capacity, or any information that has been aggregated or anonymized such that an individual’s personal information is non-identifiable.

Principle 1: Accountability

Our Company takes our commitment to safeguarding your information very seriously and are accountable for all information that is in our possession or under our control. We have appointed a Chief Privacy Officer who is responsible for our compliance program including analyzing all information handling practices, ensuring that this Policy is up to date and reflects our ongoing operation, commencing investigations for alleged information breaches, responding to client complaints, handling inquiries and access requests, implementing best practices and updating internal policies and procedures.

Our employees are informed about the importance of handling information safely and securely and maintaining the confidentiality of clients’ personal information. This is communicated to our employees through employment contracts, policies and procedures and through on-going privacy training.

We have taken the following measures to ensure compliance with this Privacy Policy:

1. 1. developed procedures to protect Personal Information;
   2. developed procedures to receive and respond to complaints and inquiries;
   3. trained our staff about our policies and practices respecting Personal Information; and
   4. developed and distributed information to our staff and the general public explaining our policies and procedures respecting Personal Information.

Principle 2: Identifying Purposes

Our company identifies the purposes for which information is collected at or before the time the information is collected. We collect information only for the following purposes:

1. 1. to provide the products and perform the services expected by our clients;
   2. contractual obligations with our clients;
   3. to understand client needs;
   4. to develop, enhance, market or provide products and services; and
   5. to meet legal and regulatory requirements.

Our company makes reasonable efforts to ensure that it only collects and uses information that is necessary for the purposes identified above. Upon request, persons information shall explain these identified purposes or refer the individual to a designated person with Our Company who shall explain the purposes. Unless required by law, Our Company shall not use or disclose for any new purpose information that has been collected without first identifying and documenting the new purpose and obtaining your consent, where required.

Principle 3: Consent

You have the choice of whether or not to give us your information. If you submit your information to us, we will, upon request, tell you why we are collecting it. By providing your information to Our Company or its agents, you are agreeing and consenting that Our Company may collect, use and disclose your information for the purposes outlined earlier in Policy and as permitted or required by law. Wherever possible, we collect information directly from you. If you wish to withdraw, refuse, or limit your consent in any manner, please contact our Privacy Officer.

In obtaining consent, Our Company shall use reasonable efforts to ensure that a client is advised of the identified purposes for which the information collected will be used or disclosed. Our Company shall seek consent to use and disclose information for a new purpose,

before it is so used or disclosed. In determining the appropriate form of consent, Our Company shall take into account the sensitivity of the information and the reasonable expectations of its customers. Generally, the continued use of services by a customer constitutes implied consent for Our Company to continue collecting, using and disclosing information for all identified purposes.

A client may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Our Company will inform clients of the implications of withdrawing consent. To withdraw your consent, simply contact our Chief Privacy Officer with the contact information listed at the end of this Policy. To withdraw your consent from any electronic or other marketing communications, you may follow the unsubscribe instructions included in our electronic communications or contact us using the contact information at the end of this Policy.

Principle 4: Limiting Collection

Specifically, Our Company limits the collection to what we need for those purposes and we use it for the purposes described. Information will be collected by us using fair and lawful means. We will explain how we intend to use the information. We collect your information to establish a relationship with you and to serve your financial needs, including qualifying your mortgage application, related due diligence and other related mortgage services, and funding and servicing your mortgage loan. This may include names, addresses, financial details, credit card numbers, Social Insurance Number, date of birth and identification details which are collected via mortgage application (for borrower) or manually (by phone, email, or in-person) from lenders. This information is stored securely with access limited to those requiring the information to provide service to you (“need-to-know”).

Specifically, Our Company collects information for the following purposes:

1. 1. to meet safety, security, regulatory and legal requirements (e.g. anti-money laundering, anti-terrorist financing, legal identification, etc.);
   2. to manage our relationship with you and our ability to respond to your inquiries;
   3. to maintain client and supplier lists; and
   4. to satisfy other reasonable business interests (e.g., financial due diligence, collecting on outstanding accounts, assessing your credit risk rating).

We collect most of our information about you directly from you or through your interactions; however, we may also collect information from other sources, with the consent of the individual or where permitted or required by law, including but not limited to employers, personal references, or credit agencies.

A visitor to our Web site (www.marshallzehr.com) is not required to reveal any individually identifiable information, nor is such information collected by electronic means. On our Web site, like most other commercial Web sites, we may monitor traffic patterns, site usage and related site information in order to optimize our Web service. We may provide aggregated information to third parties, but these statistics do not include any identifiable personal information.

Principle 5: Limiting Use, Disclosure and Retention of Personal Information

We may use your Information in any of the following ways.

1. 1. We encourage you to contact us with questions and comments and the Information may be used in order to respond to your questions and comments.
   2. We may also use your Information for internal business purposes, such as analyzing and managing our operations such as in Information in Aggregate to enhance our web site security, traffic levels on the Website and other usage data.
   3. We are required to meet regulatory and legal requirements or to comply with legal process or governmental requests.
   4. The Information may also be used to enforce our contractual agreements which outline the obligations of the stakeholders our organization represents in order to protect our operations, to protect the rights, privacy, safety or property of Our Company, you or others and to permit us to pursue available remedies or limit the damages that we may sustain.

We do not share, sell or rent your Information to third parties for their own use without your written consent. Under certain circumstances, Our Company may disclose your Information:

1. 1. when we are required or authorized by law to do so;
   2. when you have consented to the disclosure;
   3. where it is necessary to assemble financial due diligence, establish or collect accounts for services rendered or work performed;
   4. if we engage a third party to provide services to us (e.g., technical reports, participate in financial transactions, collection service) and the third party is bound by our Privacy Policy;
   5. if the information is already publicly known; and
   6. to meet an emergency need.

We may also share aggregated, non-identifiable information with third parties.

We will retain your Information for the time it is required to meet the purposes set out above and for a reasonable length of time thereafter or to otherwise meet legal or regulatory requirements (e.g., for tax purposes), even if you cease to be a client. Once your Information is no longer required for such purposes, it will be securely destroyed or made anonymous.

Principle 6: Accuracy

Our Company is committed to maintaining accurate, complete and up-to-date Information. We make all reasonable efforts to keep your information up-to-date and we endeavor to base our decisions on accurate and timely information when we make a determination that may impact you. We may periodically request confirmation, written or otherwise, from you to ensure that the Information collected and maintained by us is up-to-date and accurate. If you discover that the Information we have about has changed or is inaccurate information, please inform us so that we can make any necessary changes in your active file(s) and on our databases. This will ensure that the change in information is conveyed to third parties to whom we may have provided the information, such as a credit reporting agency. We want to ensure that our service to you is not affected by incomplete or inaccurate information.

Principle 7: Safeguards

Our Company maintains your Information in secured locations and on computer servers controlled by us. We have developed and implemented a combination of administrative, technical and physical safeguards appropriate to the sensitivity of the Information to protect against a variety of risks, such as, loss, theft, unauthorized access, disclosure, copying, use, modification or destruction of such information. These security safeguards include:

Administrative

1. 1. policies and procedures and audit tests
   2. employee confidentiality agreements; and
   3. security obligations with our third-party agreements that must be maintained at a level of equal to that is provided by Our Company.

Technical

1. 1. deploying technological safeguards such as security software, encryption and firewalls to prevent hacking or unauthorized computer access;
   2. restricted file access to Information; and
   3. passwords to computer terminals, personal identification numbers, password protection, audit trails and alerts, access levels and timed out computer terminals.

Physical

1. 1. secure office controls such as locked filing cabinets and restricted access to offices through security pass cards; and
   2. video surveillance.

We review our security procedures regularly to ensure that they are being properly administered and that they remain effective and appropriate to the sensitivity of Our Information.

Principle 8: Openness

Our Company has prepared this Policy to keep you informed. Our Company makes readily available specific information about its information management policies and practices to its customers and the public upon request. We make the information available in a format that is generally understandable. Our employees understand and are committed to complying with our privacy and security goals.

Principle 9: Individual Access

You have the right to access, update, and correct inaccuracies in your Personal Information in our custody and control, subject to certain exceptions prescribed by law. We will respond to your requests in a reasonable time. There may be a charge for providing this information in which case you will be notified in advance and may withdraw your request or challenge the reasonableness of the charge. If you wish to access your Personal Information, please contact our Privacy Officer (privacy@marshallzehr.com). Please make your request via e-mail.

We reserve the right to confirm your identity before complying with any access requests. In some cases, we may not provide access to your personal information if, as an example:

1. 1. disclosure would reveal confidential commercial information;
   2. the personal information is protected by solicitor-and-client privilege;
   3. the information contains personal information about other individuals;
   4. the information was collected during the investigation of a legal matter or for purposed related to the detection and prevention of fraud; or
   5. the information cannot be disclosed for other legal reasons.

If we deny your request for access to your personal information, we will advise you in writing of the reason for the refusal.

Principle 10: Challenging Compliance

Our Company has procedures to respond to complaints or inquiries about the handling of your Information. We will explain your inquiry and complaint procedures. We will investigate all complaints and take appropriate measures to rectify the situation. You may contact us with any questions or concerns you might have about your privacy or about this Privacy Policy. You should direct these questions to Privacy Office (privacy@marshallzehr.com). Please be sure to include your name, address, account number (if applicable), preferred method of communication, the nature of your question or complaint and relevant details.

Please direct your questions to our Privacy Officer at:

Privacy Officer

MarshallZehr Group Inc.

412 Albert Street, Suite 100

Waterloo, ON N2L 3V3

Phone: 519-342-1000 x224

Email: privacy@marshallzehr.com

Our Website

A visitor to our Web site (www.marshallzehr.com) is not required to reveal any individually identifiable information, nor is such information collected by electronic means. On our Web site, like most other commercial Websites, we may monitor traffic patterns, site usage and related site information in order to optimize our Web service. We may provide aggregated information to third parties, but these statistics do not include any identifiable Personal Information. Our Web site contains links to other sites, which are not governed by this Privacy Policy.

Changes to this Privacy Policy

We reserve the right to change this Policy, from time to time, including any of our policies or procedures concerning the treatment of information without prior notice. In the event of any change to our Policy, the amended version will be posted on our Website. You can determine when this Policy was last revised by referring to the “Last Updated” legend at the beginning of this policy. Any changes to our Policy will become effective upon posting of the revised Policy on our Website.

Use of the Website following such changes constitutes your acceptance of the revised Policy then in effect. We encourage you to bookmark this page and to periodically review it to ensure familiarity with the most current version of our Policy.

Whistleblower Provision

Our Company recognizes the need for whistleblowers be allowed to address any concerns they have. We promise that we will not undertake any activities that may terminate, nor demote, impose a penalty or otherwise detrimentally affect the employment of the whistle-blower.

Definitions

Aggregate Information: from which an individual can not be identified.

Chief Privacy Officer: the person within Our Company who is responsible for ensuring compliance with privacy obligations, including this policy, with respect to the collection, use, disclosure and handling of personal information by Our Company, its employees, contractors, officers and authorized agents.

Collection: refers to the act of gathering, acquiring, recording or obtaining information from any source, by any means.

Consent: voluntary agreement to the collection, use and disclosure of information for defined purposes. Consent can be express or implied and can be provided directly by the individual or by an authorized representative. Express consent can be given orally, electronically or in writing but is always unequivocal and does not require any inference on the part of Our Company. Implied consent can be reasonably inferred from an individual’s action or inaction.

Disclosure: the act of making personal information available to others outside Our Company

Personal Information: information about an identifiable individual that is recorded in any form, not including the individual’s name, business title, business address or business phone number. Personal information does not include aggregate information that cannot be associated with a specific individual.

Retention: refers to the act of keeping information as long as is necessary to fulfil the stated purposes, or as long as otherwise specified by law.

Third Party: any individual or organization aside from this Our Company and its customers.

Use: refers to the treatment, handling and management of information by Our Company