Privacy & Personal Information Protection Policy and Procedure (BK Financial Services)

Last updated: May 25th 2026

1) Purpose

BK Financial Services (“we”, “our”, “BKFS”) is committed to protecting personal information and handling it responsibly, in accordance with applicable privacy laws (including Quebec’s private-sector privacy law and related requirements). This Policy and Procedure explains:

• what personal information we may collect and why,
• how we protect and retain it,
• how you can exercise your privacy rights,
• how we prevent, manage, document, and report privacy incidents.

2) Scope

This Policy applies to:

• our website and online booking tools,
• contact requests and appointment scheduling,
• consultations and client relationship communications,
• contractors and service providers who process personal information on our behalf.

3) Definitions (plain-language)

• Personal information: information that identifies or can identify an individual (name, email, phone, etc.).
• Privacy incident / breach: unauthorized access, use, disclosure, loss, or any compromise of personal information.
• Sensitive information: information that could cause significant harm if exposed (e.g., financial details, ID numbers, documents).
• Service provider: a third party that processes information for us (website host, email provider, booking plugin).

4) Roles and accountability

Privacy Officer: Boris Kolodner (or a delegated person designated in writing).
The Privacy Officer is responsible for:

• ensuring this Policy is applied,
• responding to access/rectification requests,
• maintaining a privacy incident register and related documentation,
• coordinating breach response (including reporting when required),
• reviewing and improving controls after incidents.

5) What personal information we collect

We collect only what is reasonably necessary for the purposes described below.

5.1 Website contact form (short form)

Typically:

• name,
• email address,
• phone number (optional depending on the form),
• message content (what you choose to share).

5.2 Appointment booking (Amelia calendar)

Typically:

• name,
• email,
• phone number,
• selected appointment date/time,
• optional notes you choose to add.

Important: Amelia currently sends appointment details by email to Boris. If in the future BKFS enables an integration that creates calendar entries, it would be for Boris’s calendar only (not for clients’ calendars/accounts).

5.3 Consultation and service-related information

Depending on your request, we may collect information needed to provide appropriate financial planning guidance, such as:

• general financial goals and timelines,
• high-level income/household details you choose to disclose,
• general asset/debt context (as provided by you),
• documents you voluntarily share (only as needed).

6) Why we collect and use your information (purposes)

We use personal information to:

• respond to inquiries and requests,
• schedule and manage consultations,
• communicate before/after appointments (confirmations, rescheduling, follow-ups),
• provide requested services and maintain client files when applicable,
• meet regulatory, legal, and recordkeeping obligations,
• protect against fraud, misuse, or security incidents,
• improve the website and service experience (analytics/security logs where applicable).

7) Consent and communications

Where required, we obtain your consent (explicit or implied) based on the context (e.g., you submit a form requesting contact).
You can withdraw consent for non-essential communications at any time by contacting us.

8) Sharing and disclosure (service providers)

We do not sell personal information.

We may share personal information with service providers only to the extent necessary, for example:

• website hosting and maintenance,
• email delivery services,
• booking/scheduling plugin services (Amelia),
• security tools (anti-spam, firewall, backups).

We require service providers to protect confidentiality and to use the information only for agreed services.

9) Storage, retention, and destruction

We retain information only as long as necessary for:

• the purposes described above,
• compliance with legal/regulatory obligations,
• protecting our legitimate interests (e.g., handling disputes).

When information is no longer required, we delete it or destroy it securely (or anonymize it where appropriate).

10) Security safeguards (administrative, technical, physical)

We apply safeguards proportionate to sensitivity, including:

• limiting access to those who need it,
• strong passwords and access controls,
• software updates and security monitoring,
• secure storage and controlled sharing of documents,
• staff/contractor confidentiality obligations,
• secure disposal for paper or digital data where applicable.

11) Your privacy rights (Quebec / Canada)

Depending on applicable law, you may request:

• access to personal information we hold about you,
• correction of inaccurate/incomplete information,
• withdrawal of consent (where applicable),
• information about automated decision-making (if used),
• portability of certain computerized information (where applicable).

We respond to access/rectification requests in writing within the legal timeframe (commonly 30 days for private organizations in Quebec).

12) How to submit an access or correction request

Send a written request with:

• your full name and preferred contact details,
• enough details to identify the information requested,
• proof of identity if needed for security.

We may ask for clarifications to process your request securely.

13) Automated decision-making and profiling

BKFS does not intentionally make decisions that produce legal or similarly significant effects solely through automated processing.
If we ever adopt tools that do, we will inform you of:

• the personal information used,
• key factors and logic involved (at a high level),
• your right to submit observations and request review.

14) Privacy incident response procedure

A privacy incident can be intentional, accidental, or criminal (e.g., misdirected email, lost device, unauthorized access, malware).

14.1 Reporting an incident (internal escalation)

Any suspected or confirmed incident must be reported immediately to the Privacy Officer, who will:

• stop further disclosure,
• assess the situation,
• correct/contain the issue,
• coordinate next steps and improvements.

14.2 Containment steps (examples)

Depending on the incident type:

• Lost/stolen device: change passwords, disable access, contact IT support, file police report where appropriate.
• Misdirected email: attempt recall; request written confirmation of deletion and non-forwarding.
• Paper documents lost/stolen: containment steps and police report where appropriate.
• Cyberattack/ransomware: isolate systems, preserve evidence, involve IT/security support, consider law enforcement, restore only from safe backups.

14.3 Risk assessment

We evaluate the likelihood of misuse and potential harm, considering:

• sensitivity of information,
• number of individuals affected,
• probability of malicious use,
• potential financial, identity, reputational, or other harm.

If the incident presents a serious risk of harm, we proceed to required notifications.

14.4 Notifications (when required)

When notification is required, we notify:

• affected individuals, and/or
• the appropriate regulator(s) (e.g., Quebec CAI, federal Privacy Commissioner), as applicable.

A notice to affected individuals should generally include:

• when it happened (or an estimated timeframe),
• what information was affected (as far as known),
• what BKFS has done to reduce risk,
• what you can do to reduce risk,
• how to contact us for more information.

14.5 Documentation and incident register

We document every privacy incident once contained and keep records securely. In Quebec, organizations must maintain a register of privacy incidents for five years and be able to provide it to the CAI upon request.

Records typically include:

• date and description of incident,
• categories of information involved,
• number of individuals affected,
• risk assessment and reasoning,
• notifications made (and dates),
• corrective measures to prevent recurrence.

14.6 Continuous improvement after an incident

After resolution, BKFS reviews:

• root cause,
• safeguards that failed or were missing,
• training needs,
• technical/administrative improvements,
  and implements changes to reduce recurrence.

15) Contact

To ask questions or make a privacy request:
BK Financial Services (Boris Kolodner)
Email: contact@bkfinancialservices.ca
Phone: 514-834-5558

16) Updates to this Policy

We may update this Policy to reflect changes in practices, tools, or legal requirements. The “Last updated” date will be revised accordingly.