Privacy Policy

Hi Finance Technologies Inc. - Privacy Policy

Last updated: April 24, 2026

1. Introduction

Hi Finance Technologies Inc. (“Hi Finance,” "we," "us," or "our") operates a Canadian software platform for post-secondary students. Our services help students find grants they may be eligible for, walk them through applications, and provide financial literacy and budgeting tools.

This Privacy Policy explains what personal information we collect, how we use it, and the choices you have.

We are based in Alberta, Canada, and we comply with applicable Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act ("PIPEDA") and Alberta's Personal Information Protection Act ("PIPA").

By using our services, you agree to the practices described in this Privacy Policy.

2. Who is responsible for your information

Hi Finance is responsible for personal information under its control.

We have designated a Privacy Officer to oversee our privacy practices, respond to requests, and handle complaints.

Privacy Officer: Michael Lyons
Email: mike@hifinance.ca

3. Who our services are for

You must be 18 years of age or older to use our services. We verify age at signup using the date of birth you provide.

Our services are currently designed for post-secondary students in Canada outside of Quebec. International students can create accounts but some of our services are limited for them. We communicate these limitations in the product.

4. What personal information we collect

We collect only the personal information we need to provide our services.

Account information

When you create an account, we collect:

• Name

• Email address

• Password (stored as a secure hash)

• Date of birth

• Province or territory

• School or institution

• Program of study

• Year of study

Grant eligibility information

When you use features related to a specific grant, we may collect self-declared information required by that grant, including:

• Disability status

• Residency or citizenship status

• Income and financial need

We treat this information as sensitive and collect it only when a specific grant feature you choose to use requires it.

Sensitive categories we do not collect

We have chosen not to collect the following categories of information, even when some grants use them as eligibility criteria:

• Indigenous identity

• Refugee or newcomer status

• Gender identity

For grants that require these attributes, we flag the grant in our product and direct students to apply directly to the awarding body.

Financial data via Plaid (opt-in)

If you choose to connect a bank account or credit card through Plaid, we receive read-only data including account balances, transaction history, and merchant and category information.

We do not share any of your information with Plaid. We do not receive or store your banking credentials. The connection is read-only. We cannot move money.

We store Plaid access tokens (not credentials) so you don't have to reconnect every session.

Your income information in our product is self-declared. We do not derive or estimate income from your Plaid transaction data.

Usage and device information

We collect standard usage information, including login activity, feature usage, IP address, device and browser information, error logs, and security logs.

Communications

When you contact us, we collect email content, support messages, chat transcripts, and related communications.

AI feature data

When you use AI-assisted features, we store the prompts you submit and the responses generated, for quality, accuracy, and debugging purposes.

Marketing site analytics

Our public marketing website uses Google Analytics 4 to understand website traffic. We do not use third-party analytics inside our authenticated application.

5. How we use your information

We use personal information to:

• Provide and improve our services

• Identify grants you may be eligible for

• Guide you through applications

• Operate the budgeting and financial literacy features

• Communicate with you about your account

• Send marketing communications if you opt in

• Process billing when you receive a grant award

• Keep our services secure and detect misuse

• Comply with legal obligations

6. What we do not do

We do not:

• Submit grant applications on your behalf

• Act as your agent with government bodies, schools, or grant providers

• Decide whether you are eligible for a grant

• Prevent you from applying to any grant

• Provide investment, insurance, lending, mortgage, tax, legal, or health advice

• Move money or initiate transactions through Plaid

• Knowingly collect personal information from anyone under 18

7. Consent

We collect, use, and disclose personal information with your consent or as otherwise permitted by law.

You give consent when you:

• Create an account

• Agree to this Privacy Policy and our Terms of Service

• Use a specific feature that requires information

• Connect a financial account through Plaid

• Opt in to marketing communications

For sensitive information (disability status, residency status, income), we ask for your consent at the point of collection, before that information is used.

You can withdraw your consent at any time, subject to legal and operational limits. If withdrawing consent means we can no longer provide a service, we will let you know.

8. Plaid and your financial data

Connecting a financial account through Plaid is optional.

When you connect:

• The connection is read-only

• We do not receive or store your banking credentials

• We store access tokens so you don't have to reconnect every session

We revoke Plaid tokens when:

• You delete your account (within 30 days)

• Your account is inactive for an extended period (12 to 24 months)

9. AI-assisted features

We use AI to help explain grant eligibility, support application guidance, generate educational content, and assist with budgeting.

Our AI is designed to inform, not decide. It does not:

• Submit applications for you

• Determine whether you will receive a grant

• Prevent you from applying

• Provide regulated financial advice

• Set prices for you

AI outputs may be incomplete or incorrect. You should review any important information before relying on it.

We use Anthropic and OpenAI as our AI service providers under contractual terms that prevent our data from being used to train public AI models.

10. Marketing communications

We send account and service communications (receipts, updates, security notices) as part of providing our services.

We send marketing communications only if you opt in. You can unsubscribe at any time using the link in any marketing email or by contacting us.

We may also promote our services through partnerships with Student Unions and student clubs. Where a Student Union or student run club sends messages on our behalf, the Student Union is the sender of record and is responsible for obtaining your consent under Canada's Anti-Spam Legislation (CASL).

11. How we share personal information

We share personal information with service providers who help us operate, including:

• Cloud hosting (AWS)

• AI model inference (Anthropic/OpenAI)

• Email marketing (Mailchimp)

• Invoicing (QuickBooks Online)

• Anonymized data (Datadog)

Our service providers are contractually required to protect your information and use it only for the purposes we specify.

We may also disclose information:

• With your consent

• To comply with legal obligations

• To respond to lawful requests from regulators or law enforcement

• To protect the rights or safety of users or others

• In connection with a business transaction (merger, acquisition, financing)

We do not have data-sharing arrangements with government grant programs, Student Aid programs or post-secondary institutions. Grant information comes from publicly available sources.

12. Where your information is stored and processed

Our primary data storage is in Canada, using AWS ca-central-1 (Montreal).

Some of our service providers process information in the United States. When personal information is processed outside Canada, it may be subject to the laws of that country, including potential access by government authorities.

We use contractual safeguards (including Data Processing Agreements) with all our service providers to protect your information.

13. How we protect your information

We use security practices appropriate to the sensitivity of the information we handle, including:

• Encryption in transit and at rest

• Access controls with least-privilege permissions

• Multi-factor authentication for employee access

• Dependency scanning

• Regular security reviews

• Confidentiality agreements for employees and contractors

No system is perfectly secure. If we become aware of a security incident involving your personal information, we will assess the incident and notify you and the relevant regulator where required by law.

14. How long we keep your information

We keep your information as long as we need it to provide our services and meet legal obligations.

When you delete your account, we delete your personal information from our active systems. Plaid tokens are revoked within 30 days.

Some information may remain in secure backups for a limited time until those backups expire through normal rotation.

15. Your rights and choices

You have the right to:

• Access the personal information we have about you

• Correct inaccurate information

• Delete your account and associated information

• Withdraw consent (subject to legal and operational limits)

• Ask how our AI has been used in your experience

• Complain about our privacy practices

To make a request, contact our Privacy Officer at mike@hifinance.ca. We respond to requests within 30 days.

If you are not satisfied with our response, you can contact:

• Office of the Privacy Commissioner of Canada (www.priv.gc.ca)

• Office of the Information and Privacy Commissioner of Alberta (www.oipc.ab.ca)

16. Children

Our services are only for users 18 or older. We do not knowingly collect personal information from anyone under 18.

If we become aware that we have collected information from someone under 18, we will delete the account and associated information.

17. Changes to this Privacy Policy

We may update this Privacy Policy from time to time.

When we make changes, we will update the "Last updated" date at the top of this Privacy Policy. For material changes, we will provide notice through the product, email, or another reasonable method.

For material changes that affect how we handle sensitive information, we may ask you to review and accept the updated Privacy Policy before continuing to use affected features.

17. Subpoena notice

As of May 21st 2026 we have not been Subpoenaed by any major law enforcement agency to provide privileged access to client data financial or otherwise.

18. Contact us

Questions, requests, or complaints about this Privacy Policy or our privacy practices:

Hi Finance Technologies Inc.

Attention: Privacy Officer

Email: info@hifinance.ca