ScotiaConnect Privacy Policy: How We Handle Your Personal Information Under PIPEDA
This privacy notice explains how ScotiaConnect collects, uses, discloses and protects personal information about commercial banking users and authorised contacts in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and the practices of the Scotiabank Group. Last updated 16 April 2026.
Information We Collect
Categories of Information We Process
- Identity and contact — name, title, business email, phone, mailing address.
- Credentials — Customer Number, User ID, hashed password, token serial, session metadata.
- Transaction data — payment, deposit, FX and reporting activity originated in ScotiaConnect.
- Device and technical data — IP address, browser fingerprint, device identifiers, session logs.
- Correspondence — contact-form submissions, help-desk tickets, recorded support calls.
ScotiaConnect is a business-to-business platform, not a consumer-facing one. Personal information collected through the portal is incidental to the commercial relationship: authorised users are typically officers, managers or employees of a client organisation acting on behalf of that organisation. We do not collect more information than is necessary for the operation, security and regulatory compliance of the commercial banking service.
Why We Collect and Use Your Information
We collect and use personal information for clearly identified purposes aligned to the PIPEDA principles of accountability, identifying purposes, consent, limiting collection, limiting use, accuracy, safeguards, openness, individual access and challenging compliance:
- Providing commercial banking services — authenticating users, executing payments, producing statements and reports, operating the mobile app.
- Identity verification and fraud prevention — matching credentials to client records, detecting anomalous behaviour, preventing account takeover.
- Regulatory compliance — meeting obligations under PIPEDA, the Bank Act, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (FINTRAC), OSFI guidance and Payments Canada rules.
- Service improvement — aggregated analytics and usability research; this is never combined with identifiable transaction content.
- Communications — security alerts, regulatory notices and, where you have opted in, product updates.
Consent
By signing a ScotiaConnect service agreement and activating credentials, client organisations and their authorised users consent to the collection, use and disclosure of personal information as described in this notice. Where personal information is collected for a purpose that is not essential to the commercial service — for example, optional marketing communications — separate opt-in consent is requested. You may withdraw consent for optional purposes at any time by contacting the Privacy Officer. Consent to the essential collection and use cannot be withdrawn without ending the service relationship.
Disclosure to Third Parties
We disclose personal information only to the parties and for the purposes described below:
- Regulators and law enforcement — OSFI, FINTRAC, the Canada Revenue Agency, the Financial Consumer Agency of Canada, and law enforcement where required by Canadian law.
- Correspondent banks and payment networks — Payments Canada (Lynx, AFT, Real-Time Rail), SWIFT correspondent banks, Interac Corp., Visa and Mastercard commercial networks, to complete transactions you initiate.
- Service providers — cloud hosting, identity verification, fraud analytics, application monitoring and customer support vendors under contractual safeguards consistent with PIPEDA.
- Scotiabank Group affiliates — within the Scotiabank Group, for purposes consistent with this notice and the service you receive.
- Successors and assigns — in connection with a sale, merger or reorganisation where the recipient assumes equivalent privacy obligations.
Cross-Border Data Transfers
Personal information may be processed or stored in Canada, the United States, and in Pacific Alliance countries (Mexico, Chile, Peru and Colombia) where Scotiabank Group operates treasury and technology hubs. When personal information is outside Canada it is subject to the laws of the receiving jurisdiction, which may differ from Canadian privacy law. Contractual safeguards, encryption in transit using TLS 1.2+ and at rest using AES-256, and access controls aligned to PIPEDA principles apply regardless of location.
Security Measures
Security safeguards are described in detail on the Security page. In summary: TLS 1.2 or 1.3 in transit, AES-256 at rest, ScotiaConnect Token multi-factor authentication on every session and payment release, role-based access control with dual-control thresholds, a seven-year immutable audit trail, and monitored intrusion detection across the Scotiabank environment. Employees with access to personal information are subject to confidentiality obligations and need-to-know access controls.
Retention Schedule
We retain personal information only as long as necessary for the identified purposes and applicable regulatory requirements. OSFI record-keeping guidance and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act establish minimum retention of seven years from the end of the client relationship for most commercial banking records.
| Data Category | Purpose | Retention | Shared With |
|---|---|---|---|
| Identity and contact information | User authentication, service delivery | 7 years post-relationship | Regulators, service providers |
| Credentials and session logs | Authentication, security monitoring | 7 years (logs); hashed permanently | Fraud and security vendors |
| Transaction records | Commercial banking service delivery | 7 years post-transaction (OSFI) | Payment networks, regulators |
| Device and IP data | Fraud prevention, device binding | 2 years rolling window | Fraud analytics vendors |
| Support correspondence | Service quality, audit | 7 years | Support service providers |
| Audit log entries | Regulatory compliance, fraud forensics | 7 years immutable | Internal and external auditors |
| Marketing preferences | Communications opt-in tracking | Until withdrawn + 3 years | Not shared externally |
Your Rights Under PIPEDA
Under PIPEDA you have the right to access the personal information we hold about you, to request correction of inaccurate information, and to challenge our compliance with the Act. To exercise these rights, contact the ScotiaConnect Privacy Officer at privacy@scotiaconnect.at. We respond to access requests within 30 days, with a permissible extension of up to 30 additional days on written notice.
If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca. The OPC has authority to investigate complaints, issue findings and recommend remedies under PIPEDA.
Cookies and Similar Technologies
ScotiaConnect uses a minimal set of cookies:
- Strictly necessary cookies — session identifiers, CSRF tokens and security flags. These are required for the portal to function and cannot be disabled without breaking sign-in.
- Functional cookies — language preference (English or French), accessibility settings (high contrast, dynamic type) and last-account-viewed shortcuts.
- Analytics cookies (aggregated) — anonymised usage analytics for service improvement. No third-party advertising trackers are loaded on scotiaconnect.at.
You can manage cookies in your browser. Disabling strictly necessary cookies will prevent sign-in.
Privacy Officer and Contact
ScotiaConnect has designated a Privacy Officer responsible for compliance with PIPEDA and this notice. Contact:
ScotiaConnect Privacy Officer
Email: privacy@scotiaconnect.at
Telephone: 1-800-267-7220
International: +1-416-701-7351
General support queries should be directed to support@scotiaconnect.at or via the Help Centre.
Changes to This Policy
We may update this privacy notice to reflect changes in law, regulation, technology or our practices. Material changes will be communicated through the ScotiaConnect portal and, where appropriate, by email to authorised users. The "Last updated" date at the top of this notice indicates the current version. Please review this notice periodically.