The Privacy Policy

Last updated: December 20th, 2018

This Privacy Policy describes the information BOSSC Inc. and our affiliates (collectively, “BOSSC,” “We,” and “Us”) collect when a person or business (“you,” “your”) applies or signs up for an Account and this Privacy Policy applies equally to our websites worldwide and our application.

Definitions:

“Customer”: A company that has a business relationship with BOSSC for Us to perform or provide a service or access to our web platform and the services provided by or through it.

“Individual”: The person whose data BOSSC has processed, including, an employee of BOSSC, an employee of a Customer, or a person using any BOSSC Service (hereinafter defined).

“Personal Information”: Any data element or combination of data elements that enables the identification of an Individual, including, but not limited to, name, address, human resources data, personal health information, government identification such as social insurance number, biometric identifier, driver’s license number, credit card number, or bank account number.

“Services”: Include any BOSSC application, product, service, tool, feature, technology, content, website and the services available by or through a BOSSC web platform.

Scope and Consent

By signing up for an account to access our Services, you accept the terms of this Privacy Policy and consent to our collection, use, disclosure and retention of your Personal Information as described herein, and for all purposes permissible under applicable personal information privacy legislation, anti-spam legislation, and consumer protectionlaws.

If you did not sign up for an account to access our Services or you do not have access to our Services but are aware that your Personal Information is being used by third parties that use our Services, the consent you provide the third party for their collection, use, disclosure and retention of your Personal Information constitutes your acceptance of the terms of this Privacy Policy and consent to their use of your Personal Information with or in our Services as described herein and for all purposes permissible under applicable personal information privacy legislation, anti- spam legislation, and consumer protection laws.

Amendment

We may update this Privacy Policy, from time to time, by posting an edited version to our websites and updating the “Last updated” date above. The revised version will be effective at the time we post it. We will provide you with reasonable notice prior to substantial changes in how we use your information, including by email using the email address you provide in your Account. We encourage you to review this Privacy Policy when you access or use any BOSSC Services to stay informed about our information practices and the choices available to you. You can contact us if you have any questions about these changes. Your continued use of our Services constitutes your acceptance of any amendment to this Privacy Policy.

1. Accountability

We, our employees, and contractors take responsibility for Personal Information in accordance with BOSSC’s policies and standards. BOSSC trains its employees with respect to its privacy policies and practices. BOSSC’s Privacy Officer is responsible for defining the requirements of this policy and ensuring compliance with its provisions. The Information Security Officer is responsible for implementing and maintaining appropriate controls and measures to enable compliance.

We are liable for Personal Information We process and for Personal Information We provide to contractors for processing. Accordingly, contractual obligations are used to provide a comparable level of protection to Personal Information that has been transferred to a contractor to be processed. BOSSC’s liability for a third party’s performance of its obligations is set forth in each agreement We sign with our Customers, and We assume liability for the performance of the services and obligations subcontracted to such contractors.

Our Services also involve the transfer of data to third parties (for example, financial institutions and tax agencies) as instructed by Customers (usually employers who are our clients and with whom you have an agreement). In these cases, BOSSC does not have a direct relationship with the third party and is not liable for the processing of data in their possession. These third parties have their own independent obligations with respect to the data, usually by operation of law or through contracts with employers.

2. Collection of Information

BOSSC does not collect data indiscriminately; We only collect Personal Information that is necessary to provide our Services and to comply with applicable laws and regulations. Our Services can be used by a variety of industries in connection with their administrative functions, payroll, services, products, and activities, so a broad range of information about you may be uploaded to or sent through our Services through indirect sources (i.e. not provided by you directly) such as employers or benefit providers. Without information about you, we may not be able to provide the Services or the support for Services that you, your employer, benefit provider, or our Customers (third parties with whom you have an agreement)request.

Our Services are not targeted or directed at children under the age of 13 and we do not allow the creation of an Account for them. Personal information about children under the age of 13 is only collected and stored when it is provided by, and therefore with the consent of, the legal guardian and such information is only used for the purposes of providing our Services.

a. Information We Collect from Other Sources

We may collect information about you from third parties who are authorized to provide that information under the terms of an agreement you have with them or under the terms and privacy policies of their services. Such third parties may include your employer, benefit provider, third-party verification services, mailing list providers, and publicly available sources. Where lawful, this information may include your Social Insurance or other government- issued identification number. In most cases, our Customers (who may be your employer or benefit provider) are responsible for notifying you of the purpose of the information they provide us with and for obtaining your consent when they collect your Personal Information. When Personal Information is transferred to Us through our Services by our Customers, it shall be deemed to have been collected with the appropriate notification and consent. We assume no responsibility for obtaining or validating that appropriate consent has been obtained with respect to data transferred to Us by third parties including organizations and Customers.

b. Information You Provide

We collect the information you provide when you sign up for, or make changes to an Account and when you provide information as part of our identity or account verification process. We also collect information you provide when you respond to our surveys or otherwise communicate withUs.

The information We collect about you includes:

  1. Identification information about yourself and your immediate family members, such as name, personal and work email addresses, mailing address, phone number, photograph, birthdate, Social Insurance or other government-issued identificationnumber;
  2. Employment and benefits related information such as hire date, job title, remuneration, performance related data, and benefits, vacation and sick leave entitlements andusage;
  3. Financial information, including bank accountnumbers;
  1. Tax information, including withholding allowances and tax filing status;and
  2. Other historical, contact, and demographic

We also collect information you upload to or send through our Services, including:

  1. Information about products and services you may receive (including type of health benefits, corporate benefits and otherdata);
  2. Information you may provide about you or your business (including appointment, staffing availability, employee, payroll and contact data);and
  3. Information you may provide to a benefit provider or employer using our

c. Information We Collect from Your Use of our Services

We collect information about you when you use our Services, including:

  1. Transaction Information. When you use our Services to make, accept, request or record payments, Wecollect information about when and where the transactions occur, the names of the transacting parties, a description of the transactions, the payment amounts, the withholding amounts, bank account information and address. When you use our Services to make, accept, request or record employment or benefits related information, We collect information about the type of information provided including type of benefit applied for, sick leave and vacation entitlements available andused;
  2. Location Information. We collect information about the location of your device through our application. To learn how to disable the collection of location information, please see the section titled “Your Choices” below;
  • Device Information. We collect specific information about your device when you access our Services, including your hardware model, operating system and version, unique device identifier, mobile network information, and information about the device’s interaction with our Services. We may also identify other software running on the device for malware-prevention purposes but will not collect any content from such software;
  1. Use Information. We collect information about how you use our Services, including your access time, browser type and language, and Internet Protocol (“IP”) address;and
  2. Information Collected by Cookies and Web Beacons. We use several technologies to collect information when you use our Services, such as sending cookies to your computer or mobile device and using web beacons. Cookies are small data files that become stored on your hard drive or in your device’s memory when you visit a website or view a message. Among other things, cookies support the integrity of our Services, retain your preferences and account settings, and help evaluate and compile aggregated statistics about user activity. We may also collect information using web beacons which are electronic images that may be used in our Services or emails. Web beacons may be used to deliver cookies, track the number of visits to our website, understand usage and campaign effectiveness, and determine whether an email has been opened and acted upon. To block or delete cookies, please see “Your Choices”

d. Third-Party Analytics

We may allow third-party service providers deliver content and advertisements in connection with our Services and to provide anonymous site metrics and other analytics services. These third parties may use cookies, web beacons, and other technologies to collect information, such as your IP address, identifiers associated with your device, other applications on your device, the browsers you use to access our Services, webpages viewed, time spent on webpages, links clicked, and conversion information. This information may be used by us and third-party service providers on our behalf to analyze and track usage of our Services, determine the popularity of certain content, deliver advertising and content targeted to your interests, and better understand how you use our Services. The third- party service providers that We engage are bound by confidentiality obligations and other restrictions with respect to their use and collection of yourinformation.

This Privacy Policy does not apply to, and we are not responsible for, third-party cookies, web beacons, or other tracking technologies, which are covered by such third parties’ privacy policies. We encourage you to check the privacy policies of these third parties. To learn about how to manage cookies, please see “Your Choices” section below.

4. Use of Personal Information

  • We may use information about you to provide, maintain, and improve our Services, suchas:
  1. Processing or recording transactions including those related to your employees, employment, or health plans;
  2. Transferring data to third parties designated by Customers (such as banks, the Canada Revenue Agency and benefit providers) as part of the Services provided toemployers;
  • Displaying historical transaction or usageinformation;
  1. Developing new Services;
  2. Delivering the information and support you request, including technical notices, security alerts, and support and administrativemessages;
  3. Preparing and distributing communications, conducting surveys, collecting feedback about our Services and responding to inquiries;
  • Improving, personalizing, and facilitating your use of our Services including measuring, customizing, and enhancing our Services, including the design, content, and functionality of our applications and websites, or to track and analyze trends and usage in connection with our

b - We may use information about you:

  1. To protect our rights or property, or the security or integrity of ourServices;
  2. To enforce our Terms of Use or other applicable agreements orpolicies;
  • To verify your identity (for example, some of the government-issued identification numbers we collect are used for thispurpose);
  1. To investigate, detect, and prevent fraud, security breaches, and other potentially prohibited or illegal activities;
  2. To protect Us, users of our Services or the public from harm or potentially prohibited or illegalactivities;
  3. To comply with any applicable law, regulation, legal process, or governmentalrequest;
  • With our subsidiaries, group companies, contractors and other affiliates, for the purposes outlined in this policy;
  • In connection with, or during the negotiation of, any merger, sale, transfer or acquisition of company stock or assets, financing, acquisition, divestiture, or dissolution of all or a portion of ourbusiness;
  1. With third parties to provide, maintain, and improve our Services, including your employer, health plan and other benefit providers, financial institutions and service providers who access information about you to perform services on our behalf (for example., fraud prevention, identity verification, and fee collection services);
  2. With other users or Customers of our Services with whom you interact through your own use of our Services. For example, we may share information when you make or receive a payment using our Services, file/update leave of absence requests using our Services, or file/maintain health plan claims using ourServices;
  3. With your consent;and
  • For any other purpose disclosed to you in connection with our

When required to provide information in response to a legal enquiry, BOSSC exercises reasonable caution to ensure that the order or request is valid and only legally required Personal Information is disclosed. If BOSSC has knowledge that a third party uses or discloses Personal Information in an unapproved manner, BOSSC takes reasonable steps to prevent or stop the use or disclosure.

  • We also may share aggregated information with third parties that does not specifically identify you or any individual user of our
  • We may, and we may use third-party service providers to, process and store your information in the United States of America and other countries. While we take measures to ensure protection of your information, governments, courts, law enforcement or regulatory agencies in these other countries may be able to obtain disclosure of information through the laws of these countries. We transfer Personal Information outside a local jurisdiction only with adequate protections in place and in compliance with applicable laws and

5. Security Safeguards

We take reasonable measures, including administrative, technical, and physical safeguards, using recognized industry standard security safeguards appropriate to the sensitivity of the Personal Information to protect Personal Information from loss, theft, misuse, and unauthorized access, disclosure, modification, and destruction. We hold information about you at our premises and with the assistance of third-party service providers. We restrict access to personal information to those BOSSC employees, contractors, and agents who need to know that information in order to transmit, store, or process it, who are subject to contractual confidentiality obligations consistent with this Privacy Policy. Our third-party service providers store and transmit Personal Information in compliance with adequate confidentiality and security measures in compliance with applicable laws to protect your Personal Information.

Nonetheless, BOSSC cannot guarantee that unauthorized third parties will never be able to defeat our security measures or use your Personal Information for improper purposes. In the event that any information in our possession or under our control is compromised as a result of a security breach, we will take reasonable steps to investigate the situation and, where appropriate, notify those Customers and Individuals whose information may have been compromised and take other steps in accordance with applicable laws orregulations.

For more information about our security practices, please visit https://www.bossc.ca

6. Retention and Disposal of Information

BOSSC retains Personal Information about you only as long as reasonably necessary to provide you and/or our Customers the Services or as legally required. When Personal Information is no longer necessary or relevant for the identified purpose or to fulfil a legal or business requirement, it shall be securely destroyed by making it anonymous in a non-recoverable manner or by electronically erasing it.

7. Accuracy of Personal Information

In delivering Services, BOSSC relies on Customers and employees to supply BOSSC with accurate, complete and up-to-date information that is relevant to BOSSC’s delivery of the Services. Individuals are asked to review their records on a regular basis and make the appropriate updates or notify their employer or the third party with whom they have an agreement (our Customer) of errors promptly. We make reasonable efforts to maintain the integrity of the data within Our products as necessary to fulfill the purposes for which the information is to be used. Where We collect information outside of service delivery, We make reasonable efforts to keep Personal Information as accurate, complete and up-to-date as is necessary to fulfill the purposes for which the information is to be used. BOSSC provides a means for Individuals to update or correct the Personal Information We possess as detailed in sections 9(a) and (b) of this PrivacyPolicy.

8. Notice of and Consent to the Collection and Use of Personal Information

BOSSC provides notice as to the purposes for which Personal Information is collected, used, retained, and disclosed. In most cases, Customers are responsible for notification of purpose and for obtaining appropriate consent when they collect Personal Information and Personal Information that is transferred to BOSSC by our Customers to be processed shall be deemed to have been collected with appropriate notification. BOSSC assumes no responsibility for obtaining or validating that appropriate consent has been obtained in respect of data transferred to BOSSC by organization(s)/Customers. In some cases, BOSSC collects Personal Information directly from the Individual, for example, when Individuals visit a BOSSC website, BOSSC application or when Individuals use certain confidential services. In these cases, BOSSC is responsible for obtaining appropriate consent, except where inappropriate or if the collection is required/permitted by law without consent. Where appropriate, BOSSC describes any choices available within the Services to Individuals and obtains appropriate consent. Individuals who seek to vary or withdraw consent that has been obtained by BOSSC directly may do in writing in the manner set out in Section 10 of this policy. Subject to legal or contractual restrictions, BOSSC shall abide by the withdrawal or variation of consent, and shall advise the Individual of the consequences of a change in the scope of consent. In cases where consent has been obtained by the Customer, the individual will be referred to the Customer. Unless required by law, BOSSC shall not use or disclose Personal Information for any purpose other than the purpose for which it was originally collected without first identifying and documenting the new purpose and obtaining the appropriate consent. Once data has been de-identified, aggregated or summarized it shall no longer be considered Personal Information, and Individuals cannot seek to have their information removed from an aggregated data set, nor is consent for further userequired.

9. Your Choices:

  • Personal Information

You may access, change, or correct certain information about you or your family members by logging into your Account at any time, or by contacting your employer (or other appropriate third party), or by making a request to Us as per Section 10 of this policy, in which case we may need to verify your identity and we may need to notify our Customer before granting access or otherwise changing or correcting your information.

b-Deactivating Your Account

If you wish to deactivate your Account, contact your employer or email us. BOSSC generally retains information about you only as long as reasonably necessary to provide you the Services. However, even after you deactivate your Account, we may retain archived copies of information about you and any transactions or Services in which you may have participated for a period of time that is consistent with applicable law, or as we believe is reasonably necessary to comply with applicable law, regulation, legal process, or governmental request, to prevent fraud, to collect fees owed, to resolve disputes, to address problems with our Services, to assist with investigations, to enforce our Terms of Use or other applicable agreements or policies, or to take any other actions consistent with applicable law.

c-Location Information

We may require location information to provide certain mobile applications, so if you do not consent to the collection of this information you cannot use our corresponding Services. You can stop our collection of location information at any time by changing the preferences on your mobile device but please note that certain aspects of our mobile application and Services may no longer function. Also, you may stop our collection of location information via mobile application by following the standard uninstall process to remove all BOSSC mobile applications from yourdevice.

d-Cookies

When you access or use the Services, our web server may send a cookie to your computer or mobile device (as the case may be). Some cookies we use last only for the duration of your web or application session and expire when you close your browser or exit the application, other cookies last longer and are used to remember you whenyou

return to use the Services. Some cookies used in the Services are set by Us and others are set by third parties who deliver services on our behalf. Most web and mobile device browsers are set to automatically accept cookies by default. You can change your browser settings to prevent automatic acceptance of cookies or to notify you each time a cookie is set. Please note that by blocking or deleting cookies used in the Services, you may not be able to take full advantage of the Services.

d- Access

Unless BOSSC is permitted or required by law to prohibit access, We make Personal Information available for review and updating, either directly through the self-service feature in our Services, by directing Individuals to the employer or the Customer with whom the Individual has an agreement, for access, or through an access request made to established contacts within BOSSC. Where applicable, Individuals may contact BOSSC in the manner set out in section 10 of thispolicy.

10. Contact Us

For questions regarding this Privacy Policy please contact our Privacy Department. BOSSC Inc.

1300 Cornwall Road, Suite 102

Oakville, Ontario, L6J 7W5, Canada Attention: Privacy Department privacy@bossc.ca

We may request additional details from you and may need to consult with other parties to investigate and address your concern. We aim to respond to all inquiries and complaints within 45 days. We will keep records of your request and any resolution. If you are dissatisfied with the results of our investigation you may be entitled to contact the Privacy Commissioner in your jurisdiction or to the Office of the Privacy Commissioner of Canada at the addressbelow:

Office of the Privacy Commissioner of Canada 30 Victoria Street

Gatineau, Quebec K1A 1H3

https://www.priv.gc.ca/en