Policy

How we handle the information you trust us with.

The Breken Group is committed to protecting the personal information it collects, uses, and shares — within the framework of its activities and in accordance with applicable Canadian and international privacy laws.

Last Updated: Oct 2, 2025
Jurisdiction: Canada
Compliance: PIPEDA · Law 25 · GDPR
Officer: privacy@breken.com
Effective: October 2, 2025
Privacy Officer
Telephone: (705) 741‑5867
Address: 541 Weller St., Peterborough, ON

§ 01 / Section

Introduction

The Breken Group of Companies Inc. ("Breken," "we," "us," or "our") is committed to protecting the personal information that it collects, uses, and shares within the framework of its activities.

This Privacy Policy sets out the terms and conditions relating to the collection, use, sharing, retention, and protection of personal information from users ("you" or "your") of our services, in accordance with applicable Canadian and international privacy laws and regulations, including but not limited to:

  • The Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25)
  • The General Data Protection Regulation (GDPR), where applicable

The expressions "Breken services," "our services," or the "services" mean the services provided by Breken as described in the Breken Terms of Use.

This policy was last updated on October 2, 2025. We encourage you to review this policy periodically to stay informed about how we protect your personal information.

§ 02 / Section

Definitions

  • "Personal information" means any information about an identifiable individual, including but not limited to name, email address, home address, telephone number, sex, payment information, and any other information that can be used to identify an individual directly or indirectly.
  • "Breken partner" means an entity (such as a city, municipality, or university) that uses Breken services to communicate with you and provide services to you.
  • "Third‑party processor" means a certified entity retained by Breken to process specific data, such as credit card information, in accordance with applicable security standards.
  • "Consent" means any freely given, specific, informed, and unambiguous indication of agreement to the collection, use, or sharing of personal information.

§ 03 / Section

Responsibility and accountability

Under the provisions of applicable laws and regulations, Breken is responsible for the personal information that we collect or that we have in our possession or under our control. To ensure accountability:

  • Breken has appointed a Privacy Officer who is responsible for overseeing compliance with this policy and all applicable privacy laws and regulations.
  • All Breken employees and subcontractors who handle personal information are trained on privacy practices and are subject to confidentiality obligations.
  • Breken conducts regular privacy impact assessments to evaluate risks associated with the collection, use, and sharing of personal information.
  • Breken maintains written agreements with all subcontractors and third‑party processors to ensure that personal information is handled in accordance with this policy and applicable laws.

§ 05 / Section

Data collection and use

5.1 Data that you provide

Account creation

When you create your user account to access Breken services, you must provide the following personal information:

  • Name
  • Email address
  • Password

We save this personal information in order to identify you and provide you with access to our services. Passwords are stored using industry‑standard hashing algorithms and are never stored in plain text.

Online payment platform

When you use the Breken online payment link, we use a third‑party payment platform (Stripe — stripe.com/en-ca). For information about how Stripe collects and processes your data, please review Stripe's privacy policy.

Credit card information

Credit card information is handled as follows:

  • It is transferred only to a PCI DSS‑certified third‑party processor for verification and processing.
  • Breken does not store credit card information on its own servers.
  • The certified processor may process and store credit card information outside of Canada (see Section 9 for details on international data transfers).

5.2 Data collected during use of Breken services

We collect certain personal information automatically when you use the Breken platform, including:

  • Cookies and similar technologies. To access our services, you must accept cookie files or similar technologies in order to remain logged in to your account for the duration of your session. Cookies are small data files sent to your browser and saved on your computer's hard drive when you visit certain websites.

Cookie practice

Breken uses only strictly necessary cookies required to maintain your authenticated session. We do not use advertising, tracking, or analytics cookies. Cookies are used to recognize your visits to the site. At the end of each session, you may delete your cookies without affecting your use of the services during the following session.

  • Log data. We may collect information such as your IP address, browser type, operating system, referring URLs, and pages visited to help us analyze usage patterns and improve our services.

5.3 Purposes of data collection

We collect and use personal information for the following purposes:

  • To create and manage your user account
  • To provide you with access to Breken services
  • To process payments through the Breken payment platform
  • To communicate with you about your account and services
  • To improve and develop new services and features
  • To comply with legal and regulatory obligations
  • To protect against fraud, unauthorized transactions, and other security risks
  • To conduct analytics and research to improve user experience

We will not use your personal information for purposes other than those described in this policy without first obtaining your consent.

§ 06 / Section

Sharing of personal information

Breken may share your personal information with the following parties:

6.1 Third‑party processors

Credit card information is shared with PCI DSS‑certified third‑party processors solely for the purpose of verifying and processing payments.

6.2 Breken partners

When you use Breken services provided in connection with a Breken partner (such as a city, municipality, or university), certain personal information — including your name, email address, home address, and telephone number — may be shared with that partner for the purpose of providing services to you.

Once your personal information has been transferred to a Breken partner, that partner becomes an independent data controller and is responsible for its own handling of your personal information in accordance with its own privacy policy. Breken is not responsible for the privacy practices of Breken partners.

We encourage you to review the privacy policy of any Breken partner with whom you interact through Breken services.

6.3 Subcontractors

We may hire subcontractors to provide services on our behalf. These subcontractors:

  • Are authorized to use personal information solely for the purpose of providing the services that Breken has entrusted to them.
  • Must not use personal information for any other purpose.
  • Are bound by written agreements that provide at least the same level of protection as this policy.

6.4 Legal requirements

We may disclose personal information if required to do so by law, regulation, court order, or other legal process, or if we believe in good faith that such disclosure is necessary to:

  • Comply with applicable laws or regulations
  • Protect the rights, property, or safety of Breken, our users, or others
  • Detect, prevent, or address fraud, security, or technical issues

6.5 Business transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred to the successor entity, provided that the successor agrees to be bound by this policy or a comparable privacy policy.

§ 07 / Section

Your rights

In accordance with applicable privacy laws, you have the following rights regarding your personal information:

7.1 Right to access

You have the right to request access to the personal information that Breken holds about you. Upon request, we will provide you with a copy of your personal information in a commonly used electronic format.

7.2 Right to rectification

You have the right to request the correction of any inaccurate or incomplete personal information that we hold about you.

7.3 Right to deletion (right to be forgotten)

You have the right to request the deletion of your personal information, subject to certain legal exceptions — for example, where retention is required by law or for legitimate business purposes.

7.4 Right to data portability

You have the right to receive your personal information in a structured, commonly used, and machine‑readable format, and to transmit that information to another data controller.

7.5 Right to withdraw consent

You have the right to withdraw your consent to the collection, use, or sharing of your personal information at any time. To withdraw your consent, please contact our Privacy Officer at privacy@breken.com. Please note that withdrawal of consent may affect your ability to use certain Breken services.

7.6 Right to object

You have the right to object to the processing of your personal information where such processing is based on legitimate interest.

7.7 Right to restriction of processing

You have the right to request that we restrict the processing of your personal information under certain circumstances — for example, while a complaint is being investigated.

7.8 Right to file a complaint

You have the right to file a complaint with the applicable privacy regulatory authority if you believe that your privacy rights have been violated. In Canada, you may contact:

  • Office of the Privacy Commissioner of Canada (OPC): priv.gc.ca
  • Commission d'accès à l'information du Québec (CAI): cai.gouv.qc.ca

For users in the European Union, you may contact your local Data Protection Authority (DPA).

7.9 Exercising your rights

To exercise any of these rights, please contact our Privacy Officer at privacy@breken.com, by phone at (705) 741‑5867, or by mail at 541 Weller Street, Peterborough, Ontario, K9H 2N9.

We will respond to your request within 30 days of receiving it. If we are unable to fulfill your request within this timeframe, we will notify you and provide a revised timeline.

§ 08 / Section

Data retention

Breken retains personal information only for as long as is necessary to fulfill the purposes for which it was collected, or as required by applicable laws and regulations.

8.1 Active accounts

Personal information associated with active accounts is retained for as long as your account remains open and active.

8.2 Closed accounts

Within 90 days following the closing of your account or your online payment account, the information associated with your account will be deleted, with the exception of:

  • Data that Breken is required to retain by law or regulation
  • Data that is necessary for Breken to exercise or defend legal claims

8.3 Payment information

Credit card information stored by a certified third‑party processor will be deleted upon your request or within 90 days of account closure, unless the processor is required by law to retain it.

8.4 Cookies and log data

Cookies are deleted at the end of each session or when you manually delete them. Log data is retained for a maximum of 12 months for analytics and security purposes.

§ 09 / Section

International data transfers

In some cases, personal information may be transferred to and processed in countries outside of Canada — for example, credit card information processed by certified third‑party processors.

When personal information is transferred outside of Canada, Breken ensures that:

  • The recipient country provides an adequate level of data protection as determined by applicable laws, or
  • Appropriate safeguards are in place, such as:
    • Standard contractual clauses approved by the applicable regulatory authority
    • Binding corporate rules
    • Written agreements that provide at least the same level of protection as this policy

For users in the European Union, Breken ensures that international data transfers comply with the requirements of the GDPR, including the use of Standard Contractual Clauses (SCCs) or other approved transfer mechanisms.

You may request information about the safeguards in place for international data transfers by contacting our Privacy Officer.

§ 10 / Section

Security measures

Breken has adopted comprehensive security measures to protect against unauthorized access, use, disclosure, alteration, or destruction of personal information. These measures include but are not limited to:

10.1 Encryption

  • Account information and payment information are encrypted at rest and in transit.
  • All data transfers to subcontractors, certified processors, and Breken partners are encrypted using industry‑standard protocols.

10.2 Access controls

  • Access to personal information is restricted to authorized Breken employees on a need‑to‑know basis.
  • All employees with access to personal information are subject to confidentiality obligations.

10.3 Subcontractor and processor agreements

All subcontractors and certified processors have signed written agreements with Breken that provide at least the same level of protection as this policy.

10.4 Regular audits and assessments

Breken conducts regular security audits and privacy impact assessments to identify and mitigate risks.

10.5 Incident response

Breken maintains a data breach response plan to ensure timely and effective response to any security incidents (see Section 11).

§ 11 / Section

Data breach notification

In the event of a data breach involving personal information that creates a real risk of significant harm to individuals, Breken will:

  • Notify affected individuals as soon as feasible, and in any case within the timeframes required by applicable laws (e.g., 72 hours under the GDPR, as soon as feasible under PIPEDA and Law 25).
  • Notify the applicable regulatory authorities, including the Office of the Privacy Commissioner of Canada (OPC), the Commission d'accès à l'information du Québec (CAI) where applicable, and the relevant Data Protection Authority (DPA) in the European Union where applicable.
  • Take immediate steps to contain and remediate the breach.
  • Maintain a record of all data breaches, regardless of whether they meet the threshold for notification.

The notification to affected individuals will include a description of the breach, the types of personal information affected, the steps Breken has taken to address the breach, recommendations for individuals to mitigate potential harm, and contact information for Breken's Privacy Officer.

§ 12 / Section

Children's privacy

Breken services are not intended for use by individuals under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children under this age. If we become aware that we have collected personal information from a child under the applicable age of consent, we will take steps to delete that information as soon as possible.

If you believe that a child under the applicable age has provided us with personal information, please contact our Privacy Officer immediately at privacy@breken.com.

§ 13 / Section

Other websites

Our services may allow you to be directed to other websites, including Breken partner websites and third‑party websites. The operators of these websites may collect your personal information, as well as information produced through the use of cookies when you use a link to their website.

Breken is not responsible for how third parties collect, use, or share your personal information. We strongly encourage you to review the privacy policies of any third‑party websites before providing personal information to them.

§ 14 / Section

Automated decision‑making

Breken does not currently engage in automated decision‑making or profiling that produces legal effects or similarly significantly affects you. If this changes in the future, we will update this policy and obtain your explicit consent where required by law.

§ 15 / Section

Dispute resolution

If you have a concern or complaint about how Breken handles your personal information, we encourage you to follow these steps:

  • Contact our Privacy Officer at privacy@breken.com. We will investigate your concern and respond within 30 days.
  • If you are not satisfied with our response, you may escalate your complaint to the applicable regulatory authority — the Office of the Privacy Commissioner of Canada (priv.gc.ca), the Commission d'accès à l'information du Québec (cai.gouv.qc.ca), or your local Data Protection Authority in the European Union, as applicable.

§ 16 / Section

Changes to this policy

Breken reserves the right to update or modify this Privacy Policy at any time. When we make changes, we will:

  • Update the "Last Updated" date at the top of this policy.
  • Notify you of material changes through a prominent notice on our website or application, and an email notification to the address associated with your account.
  • Where required by law, obtain your renewed consent before implementing changes that affect how your personal information is collected, used, or shared.

We encourage you to review this policy periodically. Your continued use of Breken services after any changes to this policy constitutes your acceptance of those changes.

§ 17 / Section

Contact us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact our Privacy Officer:

Privacy Officer

The Breken Group of Companies Inc.
Email: privacy@breken.com
Phone: (705) 741‑5867
Address: 541 Weller Street, Peterborough, Ontario, K9H 2N9

This Privacy Policy is available in both English and French. In the event of a discrepancy between the two versions, the English version shall prevail.

Last updated · October 2, 2025
