Privacy Policy

1. Information We Collect

1.1 Personal Information You Provide

When you submit a form on our website, contact us by phone or email, or open a banking relationship with Thornbury Banking Ltd., we collect personal information that you provide directly.

This includes your full legal name, email address, phone number, mailing address, business name, position or title, and any other details you share during the inquiry or onboarding process.

1.2 Business Information

As a business banking institution, we collect information about your business operations as part of our Know Your Client (KYC) and Know Your Business (KYB) compliance obligations.

This includes your business legal name, provincial or federal registration numbers, beneficial ownership structures, articles of incorporation, annual revenue data, financial statements, corporate tax returns, and business banking history.

1.3 Automatic Information

When you visit thornburybanking.com or use TBL Connect, we automatically collect certain technical information. This includes your IP address, browser type and version, operating system, device type, screen resolution, referring URL, pages visited, time spent on each page, and click patterns.

This data is collected through server logs and analytics tools. We use this information to improve site performance and identify technical issues.

1.4 Cookies and Similar Technologies

We use cookies — small text files stored on your device — to enable site functionality and analyze usage patterns. Section 8 of this policy provides full details on the specific cookies we deploy and how to manage your preferences.

2. How We Use Your Information

2.1 Service Delivery

We use your personal and business information to provide commercial banking services. This includes underwriting credit facilities, managing operating and deposit accounts, processing ACH/EFT transactions, generating business account statements, producing ACH processing reports, and executing foreign exchange transactions.

For TBL Connect users, we use your information to provide platform access, configure API integrations with your accounting and ERP systems, and generate real-time cash positioning reports.

2.2 Regulatory Compliance

As a regulated financial institution, we are required by law to collect, verify, and retain certain information about our clients and their transactions. This includes obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), FINTRAC reporting requirements, and OSFI prudential standards.

We cannot waive these requirements. They are not optional.

2.3 Communication

We use your contact information to respond to inquiries, provide account updates, deliver security alerts, and communicate changes to our services or terms. We do not send unsolicited marketing emails. If you submit a contact form on our website, we will respond to your specific inquiry and nothing more.

2.4 Platform Improvement

We use aggregated, anonymized usage data from TBL Connect and thornburybanking.com to identify performance bottlenecks, prioritize feature development, and improve the overall client experience. This data cannot be traced back to individual users.

3. Legal Basis for Processing

We process your personal information on the following legal grounds:

Contractual necessity: When you enter a banking relationship with Thornbury Banking Ltd., processing your personal and business information is necessary to perform the services described in your facility agreement, account documentation, and TBL Connect terms of use.

Legal obligation: We are required by Canadian federal and Ontario provincial law to collect, verify, and retain certain client information. FINTRAC, OSFI, and the Canada Revenue Agency impose specific record-keeping and reporting obligations on deposit-taking institutions.

Legitimate interest: We process limited technical data (site analytics, usage patterns) to maintain and improve our services. We balance this interest against your privacy rights and process only the minimum data necessary.

Consent: Where we process information beyond what is required for service delivery, legal compliance, or legitimate interest, we obtain your explicit consent. You may withdraw consent at any time by contacting us at [email protected].

4. Information Sharing and Disclosure

4.1 Regulatory Authorities

We disclose information to regulatory authorities when required by law. This includes FINTRAC (suspicious transaction reports, large cash transaction reports, electronic funds transfer reports), OSFI (prudential reporting), and the Canada Revenue Agency (tax reporting obligations).

We do not have discretion over these disclosures. They are mandatory.

4.2 Service Providers

We share limited information with third-party service providers who assist us in operating our business. These include our cloud infrastructure provider (for hosting TBL Connect), our payment processing partners (for ACH/EFT origination and wire transfers), and our security monitoring vendor (for threat detection and SOC 2 Type II compliance).

Every service provider is bound by a data processing agreement that restricts their use of your information to the specific service they provide to us. We conduct annual security reviews of all critical vendors.

4.3 With Your Consent

When you authorize a TBL Connect API integration with a third-party platform — such as QuickBooks Online, Xero, ConnectWise, or Lightspeed — we share specific financial data with that platform as necessary for the integration to function. You control which integrations are active, and you can revoke access at any time through your TBL Connect dashboard.

4.4 What We Never Do

We do not sell personal information to third parties. We do not share personal information with marketing companies. We do not provide personal information to data brokers. This has been our position since 2012. It will not change.

5. Data Security

Thornbury Banking Ltd. implements administrative, technical, and physical safeguards to protect your personal and business information against unauthorized access, disclosure, alteration, and destruction.

Technical controls: All data transmitted between your device and our servers is encrypted using TLS 1.3. Data at rest is encrypted using AES-256. TBL Connect maintains role-based access controls, multi-factor authentication, and session timeout enforcement.

Certification: TBL Connect holds SOC 2 Type II certification, verified through annual third-party penetration testing and security audits. Our CTO, Elena Vasquez-Thornbury, personally oversees security architecture and deployment processes.

Access controls: Employee access to client information is limited to personnel who require it for their specific job function. Access logs are reviewed monthly by our Chief Compliance and Risk Officer, Nadia El-Amin.

Incident response: In the event of a data breach that poses a real risk of significant harm, we will notify affected individuals and the Office of the Privacy Commissioner of Canada within 72 hours, as required by PIPEDA's breach notification provisions.

6. Data Retention

We retain your personal and business information for as long as your client relationship with Thornbury Banking Ltd. is active.

Following the termination of a client relationship, we retain records for a minimum of 7 years. This is not our preference — it is a regulatory requirement. The PCMLTFA mandates that financial institutions retain client identification records, transaction records, and KYC/KYB documentation for at least 5 years after the relationship ends. OSFI and CRA requirements extend this to 7 years for certain records.

For website visitors who submit a contact form but do not become clients, we retain your inquiry data for 24 months and then delete it.

For website visitors who do not submit any forms, we retain anonymized analytics data only. No personally identifiable information is stored.

You may request early deletion of personal information that is not subject to regulatory retention requirements by contacting [email protected]. We will process your request within 30 days and inform you of any data that must be retained for compliance purposes.

7. Your Rights

Under PIPEDA and applicable Ontario privacy legislation, you have the following rights regarding your personal information:

Right of access: You may request a copy of all personal information Thornbury Banking Ltd. holds about you. We will provide this within 30 calendar days of receiving your request.

Right of correction: If any personal information we hold about you is inaccurate or incomplete, you may request that we correct it. We will process correction requests within 15 business days.

Right of deletion: You may request that we delete your personal information, subject to the regulatory retention requirements described in Section 6. Where deletion is not possible due to legal obligations, we will inform you of the specific reason and the retention timeline.

Right to withdraw consent: Where we process your information based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before the withdrawal.

Right to complain: If you believe we have not handled your personal information appropriately, you may file a complaint with us directly. If you are not satisfied with our response, you may escalate your complaint to the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.

To exercise any of these rights, email [email protected] with the subject line "Privacy Rights Request." Our Privacy Officer, Nadia El-Amin, will respond within 5 business days to acknowledge your request and provide a timeline for resolution.

8. Cookies and Tracking Technologies

8.1 Essential Cookies

These cookies are necessary for the basic functionality of our website and TBL Connect. They enable page navigation, form submissions, session management, and security features. Essential cookies cannot be disabled without breaking site functionality.

Examples: session identifiers, CSRF protection tokens, cookie consent preference storage.

8.2 Analytics Cookies

We use analytics cookies to understand how visitors interact with thornburybanking.com. These cookies collect aggregated, anonymized data about page views, session duration, traffic sources, and navigation patterns.

Analytics cookies are non-essential. You may decline them when prompted by our cookie consent banner, or at any time by clearing your browser cookies and selecting "Decline" on your next visit.

8.3 Managing Your Preferences

When you first visit thornburybanking.com, you will see a banner asking you to accept or decline non-essential cookies. Your preference is stored locally on your device and respected across subsequent visits.

You can also manage cookies through your browser settings. Most browsers allow you to block or delete cookies entirely. Be aware that blocking essential cookies may prevent TBL Connect from functioning correctly.

We do not use cookies for advertising. We do not deploy third-party advertising trackers. We do not participate in ad networks or retargeting programs.

9. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, our technology, legal requirements, or regulatory guidance.

When we make material changes, we will update the "Last updated" date at the top of this page. For active clients, we will provide 30 days' advance notice of material changes via email to the primary contact address on file.

We encourage you to review this page periodically. Continued use of thornburybanking.com or TBL Connect after a policy update constitutes acceptance of the revised terms.

Previous versions of this policy are available upon request by emailing [email protected].

10. Contact Information

For questions, concerns, or requests related to this privacy policy or your personal information, contact us: