2024 © First Canadian Financial Group. All Rights Reserved.
Last updated: January 22, 2026
This Privacy Policy (“Policy”) explains how First Canadian collects, uses, discloses, safeguards, and retains personal information in connection with our Group Benefits services, including our member-facing mobile application and online claims portal, and our employer/plan administrator portal (together, the “Services”). This Policy is intended to be written in clear and simple language and made available to plan members and other individuals who use the Services, including
individuals in Québec.
In this Policy, “First Canadian,” “we,” “us,” and “our” means First Canadian Insurance Corporation and, where applicable, other First Canadian affiliates that provide or support the administration of group benefits. Depending on the plan design, some benefits may be underwritten or administered in coordination with third parties engaged by First Canadian to deliver the Services.
What this Policy applies to
This Policy applies to personal information we handle when you enroll in a group benefits plan, use the member app or claims portal, update your profile, submit and manage claims, communicate with us, or otherwise interact with the Services.
This Policy does not apply to third-party websites or platforms that you may access through the Services. For example, where the Services enable single sign-on access into GreenShield+ for certain features, your use of GreenShield+ is governed by GreenShield’s privacy practices and terms.
The personal information we collect
We collect personal information that is reasonably necessary to administer group benefits plans and provide the Services. Depending on how you use the Services and what your plan includes, this may include identifying and contact information, such as your name, gender, date of birth, email address, phone number, and communication preferences (including SMS preferences) , as well as plan and eligibility information.
We also collect information you provide about dependents and other individuals connected to your coverage, such as dependent name and date of birth, and information required to record beneficiary designations where applicable.
Where you elect direct deposit for claims payments or benefits payments, we collect and use banking information to issue electronic funds transfers.
When you use the Services, we may also collect account and security information to authenticate and protect access, such as login credentials, multi-factor authentication settings, and security questions used for account recovery.
When you submit claims, we collect claims information and supporting documentation, which may include health or dental information, and other sensitive information required to assess, adjudicate, and administer claims. Claims are processed through our claims processing arrangements, which may include third-party claims administrators and related systems used to exchange claims data and results.
How we use your personal information
We use personal information to administer your group benefits coverage and provide the Services. This includes using your information to enroll you and confirm eligibility, to manage coverage and balances, to allow you to manage profile, dependent, authorized individual, beneficiary, and banking details, and to administer and communicate with you about your benefits and claims.
We use personal information to assess, process, investigate, and manage claims, including communicating with you about claim status and outcomes.
We use personal information to protect the security and integrity of the Services, including verifying identity, preventing fraud and misuse, and maintaining audit and security logs.
Consent and legal authority for collection, use, and disclosure
We obtain consent for the collection, use, and disclosure of personal information as required by applicable privacy laws, including for sensitive information such as health information. Under Canada’s federal private-sector privacy law, meaningful consent requires that individuals are provided clear information about what an organization is doing with their information.
You may withdraw your consent, subject to legal or contractual restrictions and reasonable notice. Withdrawing consent may affect our ability to administer your coverage, process claims, or provide access to some or all of the Services.
How we disclose personal information
We disclose personal information on a need-to-know basis to support plan administration and the delivery of the Services.
We may disclose personal information to third-party administrators, service providers, and vendors that perform services on our behalf, such as claims processing and adjudication, technology hosting, customer support, communications delivery, and secure data exchange (including communications service providers that send email and SMS on our behalf). For example, our workflow includes integrations that exchange claims data and results through secure
processes and systems used for storage and transfer.
We may disclose personal information to health professionals, facilities, or other relevant entities where reasonably necessary for claims assessment, investigation, or plan administration, and as permitted or required by law.
We may also disclose personal information to comply with legal requirements, to respond to lawful requests, to protect our rights and the security of the Services, or in connection with a corporate transaction (such as an amalgamation, acquisition, or reorganization), subject to applicable law.
Service providers, data hosting, and cross-border considerations
We may use HubSpot as a client management and intake/ticketing tool as part of our operations. HubSpot’s contractual terms contemplate that personal data may be accessed and processed on a global basis, including processing in the United States and other jurisdictions where HubSpot and its sub-processors operate.
HubSpot’s regional data hosting approach also contains important exceptions, including that if a data hosting location is not specified in the applicable order form, customer data is hosted in the United States, and certain categories of access and processing may occur outside the selected
“Location” (including for support, security, integrations, and some usage data).
We may use Twilio to send SMS messages and to support messaging delivery and related logging. Depending on configuration, Twilio may process and store messaging data (including message content and associated metadata) in the region where the messaging workload is processed, and by default certain workloads may be handled in the United States unless a different region is selected and implemented. Twilio’s documentation also indicates that
SMS/MMS message bodies and records may be retained in Twilio systems until the customer deletes them, so our configuration and retention practices are designed to minimize what is included in messages and what is retained externally.
Where we use service providers that may process information outside Canada, we take reasonable steps to require appropriate contractual and organizational safeguards, and to ensure transfers are made in compliance with applicable privacy laws. We also seek, where feasible and appropriate to our operations, to keep use and processing within Canadian jurisdictions. Although we prefer to keep use and processing within Canada, some service providers (and their sub-
processors) may provide support or processing from other jurisdictions depending on the service configuration and support model.
Communications with you
We communicate with plan members using email, SMS (text message), and/or in-app communications about enrollment, plan administration, security, and claims status. Where you provide a mobile number and opt in (or otherwise consent where required by law), we may send you service-related text messages such as verification codes, security alerts, and administrative notifications. You can opt out of SMS notifications at any time by following the instructions included in the message (for example, replying STOP where available) or by adjusting your preferences in the Services, subject to certain essential messages required for account security or service delivery.
Retention
We retain personal information only as long as necessary to fulfill the purposes described in this Policy and to meet applicable legal, regulatory, tax, and recordkeeping requirements, including requirements related to limitation periods and lawful holds. Where information is no longer required, we securely destroy, delete, or anonymize it in accordance with applicable law and our internal retention practices.
Safeguards
We maintain administrative, technical, and physical safeguards designed to protect personal information against loss, theft, unauthorized access, disclosure, copying, use, or modification. These safeguards include access controls and account protection measures such as multi-factor authentication options and account recovery controls within the Services. We design notifications to minimize sensitive content. For example, we do not include detailed health or claim information in SMS messages.
Your privacy rights
Subject to applicable law, you may request access to, and correction of, personal information in your file. You may also request information about how your personal information has been used and to whom it has been disclosed, as required by applicable law. You may withdraw consent as described above. If you believe we have not handled your personal information appropriately, you may contact us using the information below.
Additional information for Québec residents
If you reside in Québec, we will handle your personal information in accordance with Québec privacy law, including requirements for transparency and the obligation to make a confidentiality policy available where personal information is collected through technological means. Where required, we will provide Québec-specific notices and obtain consent in the manner required by Québec law, including where personal information is sensitive. We will also respond
to rights requests in accordance with Québec law and applicable timelines.
Children and dependent information
Where the Services collect information about dependents, the plan member is responsible for ensuring they have authority to provide that information for the purposes of plan administration and claims processing. Where we require additional authorization or documentation to administer benefits for a dependent, we will request it.
Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will provide notice through appropriate channels, which may include posting an updated Policy and/or notifying users through the Services, as applicable.
Contact us
If you have questions about this Policy, wish to exercise your rights, or want to make a privacy- related request or complaint, you may contact the First Canadian Privacy Officer at privacy@firstcanadian.ca.
2024 © First Canadian Financial Group. All Rights Reserved.
Regulatory Disclosures | Privacy Policy | Group Benefits Privacy Policy | Group Benefits Terms of Use | Legal Notice | Complaints |
Code of Conduct Policy | Contact Us