LOONEYCALL PRIVACY POLICY

Introduction

At Yak Communications ( Canada) Inc. (the “Company") we are committed to your privacy. This means we do not distribute, rent or sell any of your personal information to third parties except as provided for in this policy or as specifically consented to by you. For example, the Company may provide your personal information to third party carriers for the provision of services, for billing and/or collection purposes, etc. All such provision of personal information to third party providers shall only be done in accordance with the Personal Information Protection and Electronic Documents Act ("PIPEDA") and this policy.

Our new privacy policy provides you with all of the safeguards as standardized in PIPEDA.

Scope

This policy applies to personal information about identifiable LOONEYCALL customers and employees of the Company that is collected, used or disclosed by the Company. It also applies to the management of personal information in any form whether oral, electronic or written.

This policy will apply to and protect all personal information collected, used or disclosed by the Company, except information that is aggregated in such a manner that it cannot be connected to a person and/or information which is publicly listed in a written or online directory or typically made available through directory assistance as permitted by law. For example, the Company may share non-personal, non-individual information with our partners in aggregate form for research analysis. The information will not show that you called a specific destination but rather, how many customers called that destination.

Personal information which may fall under the policy may include but is not limited to:

• Details of calls/usage as contained in invoices or on your Call History website account;
• Account information from other telephone companies;
• Internet user names and activity reports;
• User names and passwords;
• Technical support records;
• Call data records;
• Name and address information obtained via your use of LOONEYCALL services;
• Credit history/performance information;
• Credit card information;
• Payment and banking information;
• Special needs

Any information that the Company collects from you is intended to improve and personalize your telecommunications experience.

Definitions

To better understand our policy, the Company has set out some basic definitions to use when reading and interpreting the principles below.

Collection: the act of gathering, acquiring, recording, or obtaining personal information from any source, including third parties, by any means.

Consent: voluntary agreement to the collection, use and disclosure of personal information for defined purposes. Consent can be either express or implied and can be provided directly by the individual or by an authorized representative. Express consent can be given orally, electronically or in writing, but is always unequivocal and does not require any inference on the part of the Company. Implied consent is consent that can reasonably be inferred from the circumstances or from an individual's action or inaction.

Disclosure: making personal information available to a third party.

Personal Information: information about an identifiable individual that is recorded in any form, but does not include aggregated information that cannot be associated with a specific customer. For a customer, such information does not include that which is aggregated in such a manner that it cannot be connected to him/her and/or information which is publicly listed in a written or online directory or typically made available through directory assistance.

Use: the treatment, handling and management of personal information by and within the Company.

Principles

This privacy policy is organized along the privacy principles of PIPEDA.

Principle #1 – Accountability

The Company is responsible for personal information under its control and has designated its Privacy Officer as accountable for the Company's compliance with the following principles:

• Accountability for the Company's compliance with the provisions of this privacy policy rests with the Privacy Office within the Company, which shall designate one or more persons to be accountable for compliance with this privacy policy. Other individuals within the Company may be delegated to act on behalf of designated person(s) or to take responsibility for the day-to-day collection and processing of personal information. The Privacy Office has been created to ensure customers and employees have a designated avenue to answer their privacy-related inquiries.
• The Company shall make known, upon request, the title of the person or persons designated to oversee the Company's compliance with this policy.
• The Company is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The Company shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
• The Company shall implement policies and practices to give effect to these principles, including:
• Implementing procedures to protect personal information;
• Establishing procedures to receive and respond to complaints and inquiries;
• Training staff and communicating to staff information about the organization's policies and practices; and
• Developing information to explain the organization's policies and procedures.

Principle #2 - Identifying Purposes

Where appropriate, the Company will identify the purposes for which personal information is collected at or before the time the information is collected.

• The Company collects personal information only for the following purposes:
• To provide service(s) and/or products to its customers;
• To establish and maintain responsible commercial relations with customers and to communicate with its customers (which will include, but not be limited to: billing, collection, advertising, promotion and account verification);
• To understand customer needs and preferences;
• To afford promotional or other opportunities to our customers (e.g. contests);
• To meet legal and regulatory requirements; and
• To administer and manage its business operations, including personnel and employment matters.
• Except where the collection of personal information is reasonably necessary in order to carry out the express wishes of the customer or employee, the Company shall specify orally, electronically or in writing the identified purposes to the customer or employee at or before the time personal information is collected.
• Persons collecting personal information will be able to explain to individuals the purposes for which the information is being collected, or will refer the individual to a designated person at the Company who will explain the purposes.
• Unless required by law, the Company shall not use or disclose personal information for any purpose other than those described above without first identifying and documenting the new purpose and obtaining the consent of the customer, where such consent may not reasonably be implied.

Principle #3 – Consent

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except in certain circumstances as described below:

• In certain circumstances, personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate where there is an emergency threatening the individual's life, health or security, or where the individual is a minor, seriously ill, or mentally incapacitated. In other instances, information may be publicly available. In addition, organizations that do not have a direct relationship with a customer may not always be able to seek consent. For example, seeking consent may be impractical for a charity or a direct-marketing firm that wishes to acquire a mailing list from another organization. In such cases, the organization providing the list would be expected to obtain consent before disclosing personal information.
• Where appropriate, the Company will generally seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when the Company wants to use information for a purpose other than those identified above).
• In obtaining consent, the Company will use reasonable efforts to ensure that a customer is advised of the identified purposes for which personal information collected will be used or disclosed.
• The form of consent sought by the Company may vary, depending upon the circumstances and type of information disclosed. In determining the appropriate form of consent, the Company shall take into account the sensitivity of the personal information and the reasonable expectations of its customers and employees.
• The Company will seek consent when the information is likely to be considered sensitive. Implied consent will generally be appropriate where the information is less sensitive. The use of services or products by a customer or the acceptance of employment by an employee will be considered implied consent to collect, use and disclose personal information for all identified purposes.
• An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The Company will inform the individual of the implications of such withdrawal. In order to withdraw consent, an individual must provide notice to the Company in writing.
• With respect to personal information already collected by the Company prior to the publication of this policy, this policy will constitute reasonable notice to the Company's current customers and employees of the purposes and uses for which such personal information has been collected. Should an individual object to these ongoing uses or disclosures, consent may be withdrawn upon providing notice to the Company in writing.

Principle #4 - Limiting Collection

The collection of personal information will be limited to that which is necessary for the purposes identified by the Company. Information will be collected by fair and lawful means.

• The Company collects personal information from its customers and employees for the purposes described under Principle #2.
• The Company may also collect personal information from such third parties as credit bureaus, employers, personal references or other third parties that represent they have the right to disclose the information.

Principle #5 - Limiting Use, Disclosure and Retention

Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual, or as required by law. Personal information will be retained only as long as necessary for the fulfillment of those purposes.

• The Company may collect, use or disclose personal information without the individual's knowledge or consent in certain circumstances as described in Principle #3.1.
• The Company may disclose a customer's personal information to:
• Another telecommunications company for the provision of telecommunications services to that customer;
• A company involved in providing communications directory services;
• A company involving in providing billing services;
• A person involved in the development, promotion, marketing or enhancement of the Company's services;
• A credit collections agency;
• Emergency services in an emergency situation;
• The Company's agents and affiliates;
• A person who, in the reasonable estimation of the Company, is an agent of the customer; and
• Any other third party, upon receiving the consent of the customer or as required by law.
• The Company may disclose an employee's personal information in the following circumstances:
• In the administration of that employee's benefits;
• In providing references to prospective employers, upon receiving the consent of the employee; and
• As may be required by law.
• Only employees of the Company with a business need to know, or whose duties reasonably so require, are granted access to personal information about customers.
• The Company will retain personal information for only as long as required to fulfill the identified purposes or as required by law.
• Personal information that is longer required to fulfill the identified purposes will be destroyed, erased or made anonymous according to the guidelines and procedures established by the Company.

Principle #6 – Accuracy

Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.

• The extent to which personal information will be accurate, complete and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information will be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about that individual.
• The Company will update personal information about customers and employees as and when necessary to fulfill the identified purposes or upon notification by the individual.

Principle #7 – Safeguards

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

• The Company will protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution and format of the information, and the method of storage.
• The Company protects all personal information regardless of the format in which it is held. Our methods of protection include:
• Physical measures, such as filing cabinets which are kept locked when not in use and restricted access, both to the Company's place of business in general and to internal offices as well;
• Organization measures, such as security clearances and limited access on a need to know basis; and
• Technological measures, such as the use of passwords, firewalls and encryption.
• The Company makes its employees aware of the importance of maintaining the confidentiality of personal information. All of the Company’s employees with access to personal information will be required as a condition of employment to contractually respect the confidentiality of personal information.
• The Company will protect personal information it discloses to third parties through contractual agreements stipulating the confidentiality of the information and the purposes for which it is to be used.

Principle #8 – Openness

The Company shall make readily available to customers and employees specific information about its policies and practices relating to the management of personal information.

• The Company will make information about its policies and practices easy to understand, including:
• the title and address of the person(s) accountable for the Company's compliance with the policy and to whom inquiries or complaints can be forwarded;
• the means of gaining access to personal information held by the Company; and
• a description of the type of personal information held by the Company, including a general account of its use.
• The Company will make this privacy policy available online at www.looneycall.ca. On request, a copy of this privacy policy shall be provided by mail.

Principle #9 - Individual Access

Upon request, a customer or employee shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

NOTE: In certain circumstances, the Company may not be able to provide access to all the personal information it holds about a customer or an employee. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security or commercial proprietary reasons, information that is subject to solicitor-client or litigation privilege, or, in certain circumstances, information of a medical nature. The Company will provide the reasons for denying access upon request.

• Upon request, the Company will inform an individual whether or not the organization holds personal information about the individual, and will provide that individual with a reasonable opportunity to review any personal information which the Company may possess about the individual.
• The Company will allow the individual access to his or her personal information once the individual has provided the Company with a written request application, a copy of which application is attached hereto as Schedule A. The Company will make the application available to customers through Customer Service Representatives and to employees through the Human Resources Department. The application will include sufficient information to permit the Company to provide an account of the existence, use, and disclosure to any third parties of this personal information. The Company will use the application only for this purpose.
• The Company will respond to an application for individual access to personal information within a reasonable time and at minimal or no cost to the individual. The requested information will be provided or made available in a form that is generally understandable.
• The Company will be as specific as possible in providing an account of third parties to which it has disclosed personal information about an individual. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, the Company will provide a list of organizations to which it may have disclosed information about the individual.
• When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the Company will amend the information as required. Depending upon the nature of the alleged inaccuracy, amendment involves the correction, deletion or addition of information. Where appropriate, the amended information will be transmitted to third parties having access to the information in question.
• When an alleged inaccuracy is not resolved to the satisfaction of the individual, the Company will record the substance of the unresolved issue. When appropriate, the existence of the unresolved issue will be transmitted to third parties having access to the information in question.

Principle #10 - Challenging Compliance

An individual will be able to address a challenge concerning compliance with the above principles to the Company’s Privacy Officer.

• The Company will maintain procedures for addressing and responding to all inquiries or complaints from its customers or employees about the Company's handling of personal information.
• The Company will inform individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures.
• The person or persons accountable for compliance with this privacy policy may seek external advice where appropriate before providing a final response to individual complaints.
• The Company shall investigate all complaints. If a complaint is found to be justified, the Company will take appropriate measures, including, if necessary, amending its policies and procedures.

All inquiries or complaints involving the Company's handling of personal information or compliance with this policy or with PIPEDA shall be directed to the Company’s Privacy Officer. The Privacy Officer will respond to all such inquiries or complaints within 14 business days of receipt thereof. If necessary, the Privacy Officer will advise the customer or employee of the existence of relevant complaint procedures under PIPEDA. Further, if the Privacy Officer deems it advisable, the Privacy Officer may consult with external legal counsel prior to providing a final response with respect to any individual complaint. In any event, the Privacy Officer will make reasonable efforts to resolve all such complaints within 30 days of receipt of the initial complaint. If a complaint is found to be justified, the Privacy Officer will take reasonable measures to correct the situation, including amending the Company’s policies and procedures if necessary.

For More Information

Please contact our Privacy Office as follows:
E-mail
privacy@looneycall.ca
Mail
LooneyCall
300 Consilium Place, Suite 500
Toronto, ON M1H 3G2
Attention: Privacy Office