Privacy Policy

1. Cookies

What Cookies We Use

RosalBank uses a small number of cookies on rosalbank.com:

• Session cookies. Keep you logged in during a browsing session. Expire when you close your browser.
• Preference cookies. Remember your language setting and cookie consent choice. Expire after 12 months.
• Analytics cookies. Help us understand how visitors use the site — which pages are visited, how long sessions last. No individual tracking.

How to Control Cookies

Your browser lets you block or delete cookies at any time. Blocking session cookies may prevent online banking from functioning. Blocking analytics cookies has no impact on your experience.

Third-Party Cookies

We use Google Analytics. Google sets its own cookies to collect aggregate usage data. IP addresses are anonymized before processing. Google's privacy policy governs their handling of this data. We do not use advertising cookies or retargeting pixels.

2. Forms & Account Data

Contact Form Data

When you submit a contact form on rosalbank.com, we collect:

• Full name
• Email address
• Phone number
• Your message and area of interest
• Preferred contact method

This information is used to respond to your inquiry. Nothing else.

Account Opening Data

Opening an account requires Know Your Customer (KYC) verification. We collect:

• Full legal name
• Date of birth
• Residential address
• Government-issued photo identification (two pieces required)
• Social Insurance Number (SIN) — required for tax reporting under the Income Tax Act
• Employment or source-of-funds information

This data is collected in person at a branch or through our secure digital onboarding process. It is stored in encrypted systems within Canada.

How Long We Retain Data

Account records are retained for seven years after account closure. This is required under federal record-keeping regulations, including the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). Contact form submissions are retained for 24 months, then deleted.

3. Analytics

RosalBank uses Google Analytics to measure aggregate site usage:

• Pages viewed and time on page
• Referring URLs
• Device type and browser
• Geographic region (province level — not precise location)

IP addresses are anonymized before any data is processed. We review analytics in aggregate only. We do not build individual user profiles. We do not use analytics data for advertising.

4. Online & Mobile Banking

Encryption

All online and mobile banking sessions use 256-bit TLS encryption. Data in transit between your device and our servers cannot be intercepted or read by third parties.

Session Timeout

Online banking sessions expire after 15 minutes of inactivity. You will be required to re-authenticate. This protects your account if you step away from a device.

Multi-Factor Authentication

RosalBank requires multi-factor authentication for all online and mobile banking logins. Your authentication method (SMS code, authenticator app, or biometric) generates temporary data that is not stored after verification.

Device Fingerprinting

We use device fingerprinting to detect unauthorized access attempts. When you log in from a recognized device, no additional verification is needed. An unrecognized device triggers multi-factor authentication. Device fingerprint data is stored in encrypted form and used exclusively for fraud detection.

5. Third-Party Sharing

We do not sell personal information. Full stop.

We share personal information only in the following circumstances:

• Regulatory obligations. We are required to report certain information to FINTRAC (Financial Transactions and Reports Analysis Centre of Canada), the Canada Revenue Agency (CRA), and the Office of the Superintendent of Financial Institutions (OSFI) as mandated by federal law.
• Service providers. Payment processors, IT infrastructure providers, and document management services that support our banking operations. Each provider is bound by a confidentiality agreement that prohibits use of your data for any purpose other than servicing RosalBank.
• Legal process. If compelled by a court order, subpoena, or regulatory examination.

We do not share data with marketing companies, data brokers, or advertising networks.

6. Your Rights

You have the right to:

• Access. Request a copy of the personal data we hold about you.
• Correction. Ask us to correct inaccurate or incomplete personal data.
• Deletion. Request that we delete your personal data — subject to regulatory retention requirements. Some data must be retained for seven years after account closure regardless of your request.

How to Make a Request

Email contact@rosalbank.com with the subject line "Privacy Data Request."

Or write to:

Privacy Officer
RosalBank Inc.
14921 90 Avenue
Surrey, British Columbia V3R 6W2

We respond to all requests within 30 calendar days.

7. Contact

Privacy Officer: David Okafor, Director of Compliance & Risk

Email: contact@rosalbank.com

Phone: (778) 268-2255

Mailing address: 14921 90 Avenue, Surrey, British Columbia V3R 6W2

If you are unsatisfied with our response to a privacy concern, you may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.