Privacy Statement

ARMS collects personal information from a variety of sources, depending on the services we are providing or whether the collection is for internal business operations.

We may collect personal information directly from:

• You, when you retain us or engage with our website or client portal
• Your employer, if your organization retains us
• Other ARMS member firms that we assist or collaborate with
• Third-party providers that conduct background, credit, or sanctions checks on our behalf
• Third-party analytics and advertising partners that support our marketing

These firms may provide us with data about your online activities on other websites where ARMS advertising or marketing material appears.

The types of personal information we collect include:

• Contact information: name, title, employer, phone number, email address, mailing address
• Visitor information: name, company, and person visited at ARMS offices or events
• Mandate information: details about the services requested or matters involved
• Services information: data provided or generated as part of our services, such as financial, residency, beneficiary, dependent, customer, or vendor information relevant to compliance, risk, or audit engagements
• Public profiles: information you have made public (for example, on LinkedIn or company websites)
• Communications: content of emails, voicemails, and other communications
• Preferences and interests: newsletter subscriptions, topic selections, or marketing preferences
• Feedback: client surveys and event evaluations
• Recruitment information: CVs, references, and other data for employment or internship applications
• Background check data: credit, sanctions, or criminal records checks and credential verifications
• Portal registration data: email address, password, and user activity on our client portal
• Device and browser data: IP address, browser type and version, time zone, operating system, device model, MAC address, and network information
• Browsing data: pages visited, response times, downloads, length of visits, and user interactions
• Marketing interactions: engagement with newsletters, advertising, or digital campaigns

We use personal information to provide professional services, fulfill legal obligations, and operate, market, and improve our business.

Examples include:

• Client services: audits, compliance reviews, advisory services, or other engagements
• Vendor management: managing services provided to ARMS or our clients
• Legal and regulatory compliance: conflict screening, sanctions and AML checks, recordkeeping, and reporting obligations
• Relationship management: client onboarding, invoicing, risk assessment, conflict checking, and account administration
• Business development: client pitches, cross-referrals, and service offers
• Recruitment: processing employment applications or proactive hiring searches
• Communications: responding to inquiries, newsletters, and client updates
• Event management: registration, preferences, and logistics
• Feedback: client surveys, quality assurance, and improvement initiatives
• Security: protecting ARMS facilities, systems, and client portals from misuse
• Website management: monitoring website performance and user engagement
• Business improvement: enhancing services, vendor relationships, and client experience

We may share personal information to perform services, meet legal requirements, or operate and improve our business.

Examples include sharing with:

• ARMS member firms: for cross-border services, conflict checks, or referrals
• Service providers: IT hosting, marketing, communications, and business process outsourcing partners
• Screening providers: credit, sanctions, or criminal background verification
• Clients: when your information forms part of an engagement work product or report
• Analytics providers and ad networks: supporting website and marketing analytics
• Emergency responders or authorities: in urgent health, safety, or crisis circumstances
• Regulators or law enforcement: when required by law
• Third parties in transactions: mergers, acquisitions, or other corporate reorganizations

We collect, use, and share personal information based on one or more of the following legal bases:

• Your explicit or implied consent, for example when requesting services or subscribing to communications
• The consent of an authorized party, such as your employer
• Legal obligations, such as AML, sanctions, or recordkeeping requirements
• Legitimate interests, such as managing risk or defending legal claims
• Investigations permitted by law without consent

We may use your business contact information to communicate in your business role without prior consent, as permitted under Canadian law. If we send you commercial electronic messages, we comply with Canada's Anti-Spam Legislation (CASL). You may unsubscribe at any time.

We maintain physical, technical, and organizational safeguards consistent with professional industry standards to protect the confidentiality and integrity of personal information. Service providers acting on our behalf are contractually required to uphold equivalent safeguards.

No security system is infallible. If you intend to share highly sensitive information, contact your ARMS representative to arrange a secure transfer method.

Personal information is stored primarily in Canada, but we may engage service providers or ARMS member firms in other jurisdictions. Data stored outside Canada may be subject to access by local authorities in accordance with foreign laws.

Information is retained only as long as necessary to fulfill its collection purpose, meet legal and regulatory obligations, or preserve records for investigations or potential litigation. Retention periods vary depending on the type of information and nature of the engagement.