Privacy Statement
This notice describes what happens to details you share with Krymo Pveko when you interact with our family investing resources and advisory services.
How Details Enter Our Systems
Think of the information journey as stages of engagement. When you first browse our educational content on family wealth building strategies, we receive minimal technical markers – network identifiers, device fingerprints, browsing patterns. This happens automatically because your browser and our servers exchange handshake protocols. Not much we can do about that part of the internet's architecture.
Things change when you decide to participate. Requesting a consultation guide means typing in contact coordinates. Subscribing to our monthly investment newsletter for Canadian families requires an email address. Registering for our April 2026 seminar on education savings plans pulls in your name, province, and sometimes phone details if you want reminder texts. Each action you choose reveals more.
Identity Elements
Names, email addresses, phone numbers, mailing coordinates – whatever you provide through forms, account creation, or direct communication with our advisors.
Financial Context
Investment goals, risk tolerance assessments, household income brackets, existing portfolio types when you discuss planning scenarios with our team.
Interaction Records
Which articles you read, webinar attendance, downloads of our RESP comparison charts, questions asked during virtual office hours, response patterns to educational emails.
Technical Markers
IP addresses, browser configurations, time zones, referring websites, session durations, click sequences across our educational platform.
We also receive details when you communicate with us directly. Email threads with questions about TFSA contribution strategies. Phone conversations about estate planning workshops. Text exchanges confirming appointment slots. Those dialogues naturally contain whatever context you decide to share, and we keep records because financial advice builds on previous discussions.
What We Do With This Information
Here's where purpose meets practice. Everything we collect gets filtered through operational necessity – can we deliver what you came here for without this specific piece of information? Sometimes yes, often no.
Service Delivery Functions
When you register for our February 2026 workshop on retirement income streams, we need contact details to send joining instructions. Your name goes on attendance rosters. Email addresses receive pre-session materials and post-event resources. Financial context you shared helps us tailor case studies to relevant scenarios. This isn't optional processing – it's the workshop itself.
Communication Flows
Newsletters require email addresses. Text reminders need phone numbers. Mailed educational booklets on family trusts depend on postal coordinates. We match communication channels to the preferences you indicated, though default assumes email unless you specify otherwise. Updates about investment regulation changes, new educational content, upcoming events – these rely on maintaining current contact pathways.
Content Personalization
Your browsing behavior tells us what resonates. Someone who repeatedly visits articles about intergenerational wealth transfer probably benefits from seeing related content highlighted. Parents researching RESP options get prioritized access to our education savings calculators. This matching happens through automated systems that track topic engagement without human review of individual patterns.
Platform Improvements
Aggregate usage patterns reveal which resources help families most. If everyone abandons our mortgage prepayment calculator halfway through, that signals design problems. Session recordings (anonymized, no personal identifiers) show where users get stuck. Error logs highlight technical failures. This analysis happens at population level, not individual tracking.
Regulatory Compliance
Financial services operate under scrutiny. We maintain records proving we delivered required disclosures, obtained necessary consents, followed industry standards for client communication. Audit trails document when materials were sent, who accessed what information, how recommendations aligned with stated goals. This creates overhead but protects everyone involved.
One thing we absolutely don't do: sell lists of email addresses to marketing brokers or share client rosters with unrelated businesses. Your contact details stay within operational boundaries – our team, necessary service providers, legal requirements. No external monetization of your information.
When Information Moves Beyond Our Walls
Absolute containment proves impossible in modern operations. Some functions require specialist providers, regulatory frameworks demand disclosure, legal processes compel release. Understanding these outbound flows matters because they represent moments where control transfers, at least partially.
Essential Service Relationships
Our email system runs on third-party infrastructure. Newsletter delivery depends on mailing service providers who temporarily access recipient lists. Webinar platforms host your video connections and chat messages. Payment processors handle registration fees. Document storage happens through cloud providers. Each of these relationships involves contractual restrictions – they can only use your information for the specific service we hired them to perform, must implement reasonable security, need to delete data when the business relationship ends.
These providers operate under their own privacy frameworks too. An email service might scan messages for spam patterns or technical troubleshooting. Cloud storage may replicate files across multiple geographic locations for redundancy. We select partners carefully, but their internal practices extend beyond our direct oversight.
Professional Advisory Relationships
Sometimes your situation requires specialized expertise we don't maintain in-house. Tax planning questions might go to our accountant partners. Complex estate scenarios could involve referrals to legal professionals. Insurance product analysis may connect you with actuarial consultants. We only make these connections with your explicit agreement, and we brief the specialists only on details relevant to their advice.
Regulatory Disclosures
Canadian securities regulators can request client files during audits or investigations. Tax authorities may demand records as part of compliance reviews. Court orders compel document production in legal proceedings. We comply with legitimate requests while ensuring they meet proper legal standards – we'll notify you when possible, though some orders prohibit disclosure.
Corporate Structural Changes
If Krymo Pveko gets acquired, merges with another firm, sells assets, or undergoes restructuring, your information likely transfers as part of business continuity. New owners inherit the same privacy obligations, though their broader practices might differ. We'd announce such transitions through our usual communication channels.
Emergency Situations
Immediate threats to someone's safety could justify disclosure without consent. If we receive credible information suggesting financial exploitation of a vulnerable client, reporting obligations may override privacy. These scenarios are rare but legally recognized exceptions to normal confidentiality rules.
| Transfer Type | Recipient Category | Governing Principle |
|---|---|---|
| Service Delivery | Technical infrastructure providers, communication platforms, payment processors | Contractual necessity to fulfill your service requests |
| Professional Referrals | Accountants, lawyers, insurance specialists, financial product providers | Explicit consent for specific advisory purposes |
| Regulatory Requirements | Securities commissions, tax authorities, law enforcement | Legal obligation under Canadian financial services law |
| Corporate Events | Acquiring companies, merger partners, asset purchasers | Legitimate business interests with continued privacy protections |
| Safety Situations | Relevant authorities, protective services | Vital interests of individuals or public safety |
Your Control Mechanisms
Privacy isn't something done to you – it involves ongoing agency over your own information. Canadian privacy law recognizes several fundamental powers you hold, though exercising them requires understanding both capabilities and constraints.
Request copies of personal details we maintain about you. We'll provide electronic files covering the previous 12 months within 30 days. Older archives take longer to retrieve and may incur reasonable retrieval fees to cover administrative costs.
Point out errors in your contact information, financial context, or interaction history. We update records promptly and notify any third parties who received incorrect information if it materially affects their processing.
Object to specific uses of your information, like marketing communications or optional analytics. We'll honor restrictions unless overriding legal requirements or legitimate interests apply. Core service functions remain necessary even if you limit peripheral processing.
Revoke permission for activities that require your agreement, such as newsletter subscriptions or event participation. Withdrawal doesn't affect previous processing that was lawful when it occurred. Some services become unavailable if you remove essential consents.
Ask us to remove your information entirely. We comply unless legal retention requirements prevent deletion, like tax record obligations or ongoing regulatory review. Account closures trigger automatic purging after mandatory retention periods expire.
Receive personal information you provided in structured, commonly used format. Transfer it to another service provider if technically feasible. This right covers data you actively submitted, not derived insights or analytics our systems generated.
Practical limitations exist around each of these rights. Deleting your email address makes communication impossible. Restricting interaction tracking prevents personalized content recommendations. Withdrawing consent for educational material delivery means you stop receiving updates. We'll explain tradeoffs when you make requests, but final decisions rest with you.
Making Rights Requests
Contact our privacy coordinator directly at support@krymopveko.com with requests. Include enough identifying information for us to locate your records – name, email address, approximate dates of interaction. We verify identity before releasing sensitive information or making significant changes to prevent fraudulent requests.
Response times vary by complexity. Simple updates happen within days. Comprehensive access requests need up to 30 days for thorough file compilation. Deletion requires coordination across multiple systems and backup archives, potentially taking 60 days for complete purging. We keep you informed throughout the process.
How Long Information Persists
Details don't stay forever, but immediate deletion after each interaction creates problems. Financial advice requires historical context. Regulatory audits examine years-old decisions. Service continuity depends on remembering previous engagements.
Retention Logic by Category
- Account Information: Remains active as long as you engage with our services. After 24 months of complete inactivity, we send reactivation prompts. No response after 36 months triggers account archival – retained in compressed form for regulatory purposes but removed from operational systems.
- Communication Records: Email exchanges and consultation notes stay accessible for 7 years to meet Canadian financial services recordkeeping requirements. After that, they move to deep archive with restricted access, eventually purged after 10 years unless specific legal holds apply.
- Transaction History: Registration payments, resource downloads, event attendance records persist for 7 years for audit trail purposes, then permanent deletion unless connected to ongoing legal matters.
- Marketing Preferences: Subscription status and communication opt-outs remain until you change them or close your account. We never assume silence means renewed consent – once you unsubscribe, that persists indefinitely unless you explicitly rejoin.
- Technical Logs: Server logs, session data, error reports typically purge after 90 days. Security incident investigations may extend specific log retention. Aggregated analytics with no personal identifiers stay indefinitely for long-term trend analysis.
- Backup Systems: Redundant copies exist across backup infrastructure for disaster recovery. These follow the same retention schedules but lag operational deletions by up to 60 days due to backup rotation cycles.
Specific circumstances alter these timelines. Active legal proceedings freeze related records until resolution. Regulatory investigations extend retention for examined materials. You can request earlier deletion of non-regulated information, though we'll explain any constraints.
Protection Approach and Remaining Risks
Security combines technical safeguards, operational procedures, and acknowledgment that perfect protection remains impossible. We implement measures matching industry standards for financial services, recognizing that determined attackers constantly evolve tactics.
Technical Safeguards
Encryption protects data moving between your devices and our servers – industry-standard TLS protocols create secure channels. Stored information sits in encrypted databases with access controls limiting retrieval to authorized personnel. System authentication requires multi-factor verification. Regular vulnerability scanning identifies potential weaknesses before exploitation.
Backups replicate to geographically separated facilities in case of site-specific disasters. These copies maintain the same encryption standards as primary systems. Restoration procedures test quarterly to verify data integrity under failure scenarios.
Operational Controls
Staff access follows least-privilege principles – employees see only information required for their specific roles. Marketing teams can't browse financial consultation notes. Technical administrators don't access message contents without specific support tickets. Activity logs track who viewed what records when, creating accountability trails.
New team members complete privacy training covering handling requirements, confidentiality obligations, incident reporting procedures. Annual refreshers reinforce practices. Contractors sign confidentiality agreements before receiving any system access.
Realistic Risk Acknowledgment
Despite precautions, breaches can occur. Sophisticated attackers might penetrate defenses. Insider threats involve trusted individuals misusing legitimate access. Third-party compromises could expose information we shared with service providers. Equipment failures might cause temporary data loss despite redundancy. Social engineering could trick staff into inappropriate disclosures.
We maintain incident response procedures activating immediately upon breach detection: contain the compromise, assess exposure scope, notify affected individuals within legally required timeframes, report to regulators as mandated, remediate vulnerabilities, and provide credit monitoring services if financial details were compromised.
Your Security Responsibilities
Protection works both directions. Use strong passwords on your accounts. Don't share login credentials. Verify website authenticity before entering sensitive details. Update your device operating systems and security software. Report suspicious communications claiming to be from us – we never request passwords via email or text. Monitor financial statements for unauthorized activity, especially after any publicized security incidents.
Changes to This Statement
Privacy practices evolve as services expand, regulations change, and technology develops. We update this notice periodically to reflect current handling approaches. Material changes – like new categories of information collected or expanded disclosure to third parties – trigger prominent announcements via email and website banners at least 30 days before implementation.
Minor clarifications or corrections happen without advance notice but appear in revision history at the document footer. Continuing to use our services after notification periods constitutes acceptance of updated terms. Disagreement with changes means closing your account before the new effective date.
We maintain archived versions of previous policy iterations, accessible by request, so you can review what governed during specific past interactions.
Questions, Concerns, or Complaints
Privacy issues deserve direct attention from someone who can actually address them. Reach our dedicated privacy team through these channels – responses typically arrive within 3 business days, faster for urgent situations.
Krymo Pveko
5008 50 St #5
Stony Plain, AB T7Z 1T2
Canada
If our responses don't satisfy your concerns, you hold escalation rights. File complaints with the Office of the Privacy Commissioner of Canada – they investigate privacy practices and can compel corrective actions. Provincial privacy commissioners handle issues falling under territorial jurisdiction. We cooperate fully with regulatory inquiries while protecting confidential business operations unrelated to the specific complaint.