Privacy Policy

Last Updated: November 22, 2025

1. Effective Date

This Privacy Policy is effective as of June 24th, 2025 and applies to the Dynamic Needs Analysis website at https://dynamicneedsanalysis.com, our web and mobile applications, and any related services we provide (collectively, the “Services”).

By accessing or using the Services, you acknowledge that you have read this Privacy Policy and understand how we collect, use, and disclose your personal information.

2. Who We Are

Dynamic Needs Analysis Inc. (“DNA,” “we,” “us,” or “our”) is a Canadian software company headquartered at:

Dynamic Needs Analysis Inc.
410 West Georgia St, Suite 507
Vancouver, BC V6B 1Z3
Canada

For privacy law purposes:

  • Under the General Data Protection Regulation (“GDPR”), we act as a data controller for personal data we collect from, or about, users of our Services.
  • Under the California Consumer Privacy Act (“CCPA”), we act as a business.
  • Under Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) and substantially similar provincial statutes, we act as an organization.

3. Contacting Us

If you have any questions, concerns, or complaints regarding this Privacy Policy or our privacy practices, you may contact us at:

Please do not include sensitive personal information in unencrypted emails.

4. Key Definitions

Personal Data / Personal Information (“PII”)
Any information that can reasonably identify, relate to, describe, or be linked to an individual.

User / Data Subject
An individual advisor, client, or website visitor whose data is processed by DNA.

Processor / Service Provider
A third party that processes data on DNA’s behalf and according to our instructions.

Account
The secure profile an advisor or organization creates to access the Services.

Capitalized terms not defined here have the meanings given in applicable privacy laws.

5. Information We Collect

We collect different categories of personal information depending on how you use the Services.

Identifiers

Examples: name, postal address, email address, phone number, IP address, unique device identifiers.
Source: provided by you; some collected automatically.

Advisor-Generated Data

Examples: case notes, compliance checklists, needs-analysis inputs, uploaded client documents.
Source: you or your organization.

Payment Data

Examples: cardholder name, last 4 digits of card number, expiry date (handled by a PCI-certified payment processor).
Source: you; payment processor.

Usage Data

Examples: browser type, operating system, pages viewed, features used, session duration, referring URLs.
Source: collected automatically.

Location Data

Examples: approximate geolocation derived from IP address; precise GPS location only if you enable mobile location services.
Source: collected automatically and/or with your consent.

AI Inputs and Outputs

Examples: prompts, instructions, and other content you submit to AI Advisor features, and the generated responses.
Source: provided by you; generated by the model.

Special Categories

DNA does not intentionally request or require sensitive categories of personal data (such as health information, racial or ethnic origin, religious beliefs, or union membership). If you believe such data has been uploaded inadvertently, please contact us so we can evaluate and, where appropriate, delete or de-identify it.

6. How We Use Personal Information

We use personal information for the following purposes:

  • To deliver the Services
    • Creating and maintaining your Account
    • Generating needs-analysis reports and automated compliance documents
    • Providing dashboards, analytics, and AI-based advisor guidance
  • To improve and secure the platform
    • Monitoring performance and reliability
    • Debugging and incident response
    • Fraud detection and prevention
    • Capacity planning and scaling
  • To process transactions
    • Managing subscriptions and billing
    • Processing payments and issuing invoices
    • Handling refunds and account adjustments
  • To communicate with you
    • Service-related messages (e.g., feature updates, maintenance notices)
    • Security alerts and important account notices
    • Marketing and product updates, where permitted by law and with the ability to opt out at any time
  • To develop new features
    • Using de-identified or aggregated data to analyze usage patterns
    • Enhancing AI models and advisor insights while avoiding direct use of identifiable client data whenever possible
  • To comply with legal obligations
    • Maintaining business and tax records
    • Responding to lawful requests from regulators or law enforcement
    • Enforcing our Terms of Service and other agreements

Legal Bases (GDPR)
Where GDPR applies, we rely on one or more of the following legal bases when processing personal data:

  • Performance of a contract (for example, providing the Services you or your organization subscribed to)
  • Legitimate interests (for example, improving and securing the platform, preventing fraud)
  • Your consent (for example, for marketing communications or precise location collection in mobile apps)
  • Compliance with legal obligations (for example, record-keeping and regulatory reporting)

7. Cookies & Similar Technologies

What are cookies?
Cookies are small data files placed on your device by your browser. They are widely used to remember you and your preferences, and to help websites function effectively.

DNA’s cookie practice (as of the Effective Date):

  • Type of cookies
    All cookies placed directly by DNA are strictly necessary (“essential”) first-party session cookies, used for authentication and core security functions. We do not set analytics, advertising, or social-media tracking cookies.
  • Opt-out
    Because these cookies are essential for logging in and using the Services, they cannot be disabled individually. If you block or delete them in your browser, the platform may not function correctly.
  • Cookie banner / preferences
    DNA does not maintain a separate cookie-preference centre because we do not use optional or non-essential cookies.

We periodically review our use of cookies and similar technologies to verify that we remain limited to essential purposes only. If our cookie practices change, we will update this section and, where required, notify you in advance.

Your browser may allow you to block, delete, or receive alerts about cookies. Refer to your browser’s help documentation for more information.

8. How We Share Personal Data

We do not sell your personal information. We share personal data only with the categories of recipients described below and only as necessary to operate the Services or comply with law.

Cloud hosting and infrastructure

Purpose: application hosting, data storage, backups, security monitoring.
Safeguards: hosted on cloud providers that maintain ISO 27001 and/or SOC 2 certifications; contractual confidentiality and security commitments.

Payment processors

Purpose: subscription billing and payment processing.
Safeguards: PCI-DSS compliant; DNA never stores full card numbers or CVV.

Service providers

Purpose: functions such as email delivery, customer support, and operational tooling.
Safeguards: data-processing agreements requiring appropriate security and use only on our instructions.

Affiliates and successors

Purpose: corporate restructuring, mergers, acquisitions, or asset transfers.
Safeguards: contractual privacy assurances and continued protection of personal data.

Regulators and law enforcement

Purpose: legal compliance, responding to lawful requests, fraud investigation.
Safeguards: disclosure only upon verified, lawful requests and to the minimum extent necessary.

Advisor-selected integrations

Purpose: tools such as CRM systems or carrier illustration platforms that you choose to connect.
Safeguards: enabled and controlled by the advisor or organization via account settings.

We do not authorize our service providers to use personal information for their own marketing purposes.

9. Data Residency

DNA hosts all production application servers, databases, and encrypted backups exclusively in Canadian data centres.

We do not transfer or remotely access your personal information from outside Canada in the ordinary course of business. If, in the future, we contemplate cross-border processing, we will:

  • Update this Policy to describe the new processing
  • Obtain any required consents
  • Ensure an equivalent level of protection, including through Canadian adequacy decisions or contractual safeguards

10. Data Retention

We retain personal information only for as long as reasonably necessary to fulfill the purposes for which it was collected, or as required by law.

Typical retention periods include:

  • Account data – while your subscription is active, plus 90 days following termination for audit, dispute resolution, and tax purposes
  • AI inputs and outputs – up to 90 days to provide context history and improve model quality, after which they are de-identified or deleted
  • Marketing consent records – up to 5 years to meet legal record-keeping obligations
  • System logs – up to 24 months for security monitoring and diagnostics

You may request earlier deletion of certain data where permitted by law (see Section 11). In some cases, we may need to retain limited information to comply with legal obligations or to establish or defend legal claims.

11. Your Privacy Rights

Under PIPEDA and substantially similar provincial privacy laws in Canada, you have certain rights in relation to your personal information.

Access
What it means: obtain a copy of the personal information DNA holds about you.
How to exercise: email privacy@dynamicneedsanalysis.com with “Access Request” in the subject line.

Correction
What it means: challenge the accuracy or completeness of your information and have it amended.
How to exercise: specify the data you believe is inaccurate or incomplete and provide supporting documentation.

Withdrawal of consent
What it means: withdraw consent to optional processing where consent is the legal basis (for example, marketing emails).
How to exercise: use the unsubscribe link in marketing messages or contact us at the address above.

Accountability and complaints
What it means: raise concerns about DNA’s privacy practices.
How to exercise: contact our DPO using the details in Section 3. If unresolved, you may contact the Office of the Privacy Commissioner of Canada.

We respond to verified requests within 30 days, unless an extension is permitted by law. Exercising your rights is generally free of charge; however, we may charge a reasonable fee for copies of large data sets, as allowed by PIPEDA.

Additional rights in other jurisdictions
If you are located in the European Economic Area (EEA), the United Kingdom, or California, you may have additional rights under local law (for example, the right to data portability or to restrict certain processing). You can contact us at privacy@dynamicneedsanalysis.com to exercise these rights, and we will handle your request in accordance with applicable law.

12. Children’s Privacy

The Services are designed for professional financial advisors and are not directed to children under 13 years of age.

We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us so we can take appropriate steps to remove the information and terminate any related access.

13. Security Measures

We take the security of your data seriously and implement a combination of organizational and technical safeguards, including:

  • TLS 1.3 encryption for data in transit
  • AES-256 encryption for data at rest
  • Multi-factor authentication for internal administrative access
  • Role-based access controls and regular access reviews
  • Routine penetration testing and vulnerability scanning

No method of transmission over the internet or method of electronic storage is completely secure, and we cannot guarantee absolute security. However, we follow industry best practices and continuously work to strengthen our defences.

14. Third-Party Sites and Services

The Services may contain links to websites, apps, or services that DNA does not own or control. This Privacy Policy does not apply to those third-party services.

We are not responsible for the privacy or security practices of any third party. We encourage you to review the privacy policies of every third-party service you use in connection with, or instead of, our Services.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in law, technology, or our business practices.

  • Material changes will be communicated via email and/or an in-app notice at least 30 days before they take effect.
  • The “Effective Date” at the top of this Policy indicates when it was last updated.

Your continued use of the Services after the effective date of any changes constitutes your acceptance of the revised Policy.

16. Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy or our privacy practices, please refer to the contact details in Section 3 (Contacting Us). We will do our best to respond promptly and address your concerns.