Privacy Policy

Our Commitment to Data Protection

At AltaNova Holdings, protecting your privacy and personal information is fundamental to our business operations. We are committed to maintaining the highest standards of data protection while providing exceptional natural resource investment services. This Privacy Policy explains how we collect, use, store, and protect your personal data in accordance with Canadian privacy legislation and international best practices.

We understand that trust is essential in investment relationships, and we take our responsibility for safeguarding your information seriously. This policy applies to all personal data we process in connection with our investment services, website interactions, and client communications. Last updated: August 1, 2025.

Data Collection Information

What Personal Data We Collect

We collect personal data necessary to provide our natural resource investment services and maintain regulatory compliance. This includes contact information such as your name, address, and communication preferences; financial information including income verification, investment objectives, and risk tolerance assessment; identification data for compliance purposes; and transaction history related to your investment activities.

Additionally, we may collect technical data about your website interactions, including IP address, browser type, device information, and usage patterns. This technical data helps us improve our investment platform and ensure optimal user experience. All data collection is limited to what is necessary for legitimate business purposes and regulatory requirements.

How We Collect Data

Personal data is collected through various channels, including our website contact forms and investment consultation requests; direct communications via phone, email, or in-person meetings; account opening procedures and know-your-client documentation; transaction processing and portfolio management activities; and automated technologies such as cookies and analytics tools when you visit our website.

We may also receive information from third parties such as credit agencies for verification purposes, regulatory databases for compliance screening, and financial institutions for transaction processing. All third-party data sources are carefully vetted and contractually bound to maintain appropriate data protection standards.

Legal Basis for Data Processing

We process personal data based on several legal grounds, including your explicit consent for marketing communications and optional services; contractual necessity for providing investment services and managing your account; legal obligations under Canadian securities regulations and anti-money laundering requirements; and legitimate interests in fraud prevention, service improvement, and business analytics.

For sensitive financial information, we ensure appropriate safeguards and only process data when legally required or with your explicit consent. Our legal basis for processing may vary depending on the specific data type and purpose, and we will clearly communicate the basis for any data processing activities.

Data Retention Periods

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected. Client information and transaction records are typically retained for seven years following account closure to meet regulatory requirements. Marketing consent and communication preferences are maintained until you withdraw consent or request deletion. Technical data and website analytics are generally retained for 24 months unless required for longer periods for security or compliance purposes. We regularly review our data retention practices and securely delete or anonymize data when retention is no longer necessary.

Data Usage and Sharing

How We Use Your Personal Data

We use personal data to provide personalized investment services, including portfolio management, investment recommendations, and account administration. Your data enables us to assess investment suitability, process transactions, generate performance reports, and maintain ongoing client communications. We also use data for regulatory compliance, risk management, and fraud prevention activities.

Marketing communications are sent only with your consent and may include information about new investment opportunities, market insights, and educational content related to natural resource investments. You can modify your communication preferences at any time through your account settings or by contacting our client services team.

Data Sharing with Third Parties

We may share personal data with carefully selected third parties who assist in providing our services. This includes financial institutions for transaction processing, custodial services for asset management, technology providers for platform maintenance and security, and professional service providers such as auditors and legal advisors. All third parties are contractually bound to maintain strict confidentiality and data protection standards.

We may also disclose personal data when required by law, including regulatory reporting requirements, court orders, or other legal processes. In such cases, we will limit disclosure to the minimum necessary and notify you where legally permissible. We do not sell personal data to third parties for marketing purposes.

International Data Transfers

When transferring personal data internationally, we ensure appropriate safeguards are in place through adequacy decisions, standard contractual clauses, or other approved transfer mechanisms. Our primary data processing occurs within Canada, but some service providers may be located in other jurisdictions with appropriate data protection standards. We maintain oversight of all international transfers and ensure your data receives equivalent protection regardless of location.

Data Protection Measures

Security Measures in Place

We implement comprehensive technical and organizational security measures to protect your personal data. Our security framework includes multi-layered encryption systems for data in transit and at rest, secure access controls and authentication mechanisms, regular security assessments and vulnerability testing, employee training on data protection and security protocols, and incident response procedures for potential security breaches.

Our systems are designed to meet industry-leading security standards and are regularly audited by independent security professionals. We continuously monitor for threats and update our security measures to address evolving risks in the digital investment landscape.

Data Encryption and Storage

All sensitive personal and financial data is encrypted using advanced encryption standards both during transmission and storage. Our data centers employ physical security measures including biometric access controls, 24/7 monitoring, and environmental protections. Database systems utilize encryption at rest with secure key management protocols.

Regular backups are maintained in geographically diverse locations with encryption and access controls equivalent to primary systems. We employ secure deletion procedures for data that has reached the end of its retention period, ensuring complete removal from all systems and backups.

Access Controls and Monitoring

Access to personal data is strictly controlled through role-based permissions and the principle of least privilege. Only authorized personnel with legitimate business needs can access client data, and all access is logged and monitored. We maintain detailed audit trails of data access and modifications for compliance and security review purposes.

Our monitoring systems include automated alerting for unusual access patterns, regular review of user permissions and access logs, and periodic access certification processes. We maintain strict policies regarding data access and handling, with regular training for all personnel who handle personal data.

Breach Notification Procedures

In the unlikely event of a data security incident, we have established comprehensive breach response procedures. These include immediate containment and assessment of the incident, notification to relevant regulatory authorities within required timeframes, prompt communication to affected individuals when appropriate, and implementation of additional protective measures. Our incident response team is trained to handle security events efficiently while minimizing impact on clients and ensuring compliance with all notification requirements.

Your Rights and Data Management

Right to Access Personal Data

You have the right to request access to the personal data we hold about you, including information about how your data is processed, the purposes of processing, and any third parties with whom we have shared your data. We will provide this information in a clear and comprehensible format within 30 days of your request. To request access to your personal data, please contact us through the contact form on our main website with appropriate identification verification.

Right to Rectification and Erasure

You have the right to request correction of inaccurate personal data and completion of incomplete data. We will promptly update your information upon verification of corrections. You also have the right to request erasure of your personal data in certain circumstances, such as when the data is no longer necessary for the original purpose or when you withdraw consent for processing.

Please note that we may be required to retain certain data for legal or regulatory purposes even after you request deletion. In such cases, we will restrict processing to the minimum necessary for compliance purposes and will delete the data once retention requirements are satisfied.

Right to Data Portability

Where technically feasible and legally applicable, you have the right to receive your personal data in a structured, commonly used, and machine-readable format. This right applies to data processed based on your consent or for contract performance. You may also request that we transmit your data directly to another service provider where technically possible. Data portability requests are subject to verification procedures and may exclude data that would adversely affect the rights and freedoms of others.

Right to Object to Processing

You have the right to object to processing of your personal data for direct marketing purposes at any time. You can modify your marketing preferences through your account settings or by contacting us directly. For other types of processing based on legitimate interests, you may object to processing, and we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

If you wish to exercise any of these rights or have questions about data processing, please contact us through the contact form on our main website. We will respond to your request within 30 days and may request additional information to verify your identity before processing certain requests. There is typically no charge for exercising these rights unless requests are clearly unfounded or excessive.