Terms of Service

Terms of Service

The terms and conditions governing your use of the FNi+ platform

1. Agreement to Terms

These Terms of Service ("Terms") govern your access to and use of the FNi+ platform (“Platform”) and are entered into between FNi+ Technologies Inc., a corporation incorporated under the Business Corporations Act (Alberta), or its successor in interest (any of them, the "Company", "we", "us", or "our"), and the Organization (defined below) that executes the signature page to these Terms or that accesses or uses the Platform, whichever occurs first.

The Organization agrees to be bound by these Terms by: (a) executing the signature page; (b) clicking the agreement and acknowledgment boxes presented through the Platform; or (c) accessing or using the Platform — whichever occurs first. Each of these constitutes valid acceptance and the Organization need not do more than one. By accepting, the Organization confirms that it has read and understood these Terms, that it has had the opportunity to obtain independent legal advice, and that it has the authority to bind the Organization and all Dealership locations operated by it.

If you are accessing or using the Platform on behalf of a Dealership, Organization, or other legal entity, you represent and warrant that you have the authority to bind that entity to these Terms. If you do not agree to these Terms, you must not access or use the Platform.

These Terms apply in conjunction with our Privacy Policy and Data Processing Agreement, form as schedules to these Terms, and terms of which are incorporated herein by reference.

Your continued access or use of the Services after Company posts updated terms, constitutes your acceptance of the changes and consent to be bound by the Terms, policies and supplemental terms, as amended. If you do not agree to the amended Terms, policies or supplemental terms, you must stop accessing and using the Services.

2. Definitions

• "Platform" means the FNi+ web application, including all associated software, APIs, tools, and Services provided by the Company.
• "Services" means the digital F&I (Finance and Insurance) processing services made available through the Platform, including credit application management, buyer verification, electronic signatures, analytics, and all related functionality.
• "Dealership" means an automobile dealership that has subscribed to the Platform through an Organization account.
• "Buyer" means an individual who submits a credit application through the Platform in connection with a vehicle purchase at a Dealership.
• "Co-Applicant" means an individual who submits a joint credit application alongside a Buyer through the Platform.
• "FM" means a Finance Manager or Dealership employee who holds an authorized user account on the Platform.
• "Director" means a Dealership or Organization administrator who holds elevated permissions on the Platform.
• "Organization" means a legal entity that operates one or more Dealerships and holds a subscription to the Platform.
• "Authorized User" means any FM, Director, or other individual who has been granted access to the Platform.
• "Content" means all text, data, images, documents, files, and other materials uploaded to, generated by, or transmitted through the Platform.
• "Confidential Information" means any information or data disclosed by one party to the other, whether orally, in writing, electronically, or by any other means, that is designated as confidential at the time of disclosure or that a reasonable person in the relevant industry would understand to be confidential given the nature of the information and the circumstances of disclosure, including (without limitation): business plans, financial information, pricing, customer and supplier data, technical specifications, software, algorithms, trade secrets, product roadmaps, and the terms and existence of these Terms. Confidential Information does not include information that falls within any of the exclusions set out in Section 23.2.

3. Geographic Scope

The Platform is currently offered to Dealerships located in the Canadian provinces of Alberta, British Columbia, Saskatchewan, Manitoba, Ontario, New Brunswick, Nova Scotia, Prince Edward Island, and Newfoundland and Labrador. The Platform is not currently offered to Dealerships located in Quebec, and the Company makes no representation that the Platform satisfies the requirements of An Act respecting the protection of personal information in the private sector (Quebec, "Law 25"). Use of the Platform by Quebec-based Dealerships is not permitted unless the Company has provided written agreement to extend services to Quebec under a separate addendum.

4. Account Registration and Security

To access the Platform as an FM or Director, you must register for an account and provide accurate, complete, and current information. You are responsible for maintaining the confidentiality of your account credentials, including your password and any PIN codes used for kiosk mode access.

You agree to:

• Not share your account credentials with any other person.
• Notify us immediately at support@fniplus.ai if you become aware of any unauthorized access to or use of your account.
• Accept responsibility for all activities that occur under your account.

You confirm that you are the age of majority in the place where you live and are capable of entering into a legally binding agreement to use our Services, and that you have read, understand and agree to these Terms. These Terms shall be binding on any corporate entities that you form and act on behalf of during your use of the Services.

You agree to provide accurate, complete, and up-to-date information for your account. Where the information you provide comprises personal information about you or another party, you represent and warrant that you have obtained the consent of all of the applicable individuals to share that information as part of your use of the Services and to enter that information onto the Platform.

We reserve the right to suspend or terminate any account at any time if we reasonably believe that the account has been compromised, is being used in violation of these Terms, or poses a security risk to the Platform or its users.

Except where we agree otherwise under a separate executed written instrument, we may also suspend access to the Services for scheduled or planned maintenance, service, patching, or repair.

5. Description of Services

FNi+ is a white-label SaaS platform that digitizes the Finance and Insurance workflow for automobile dealerships. The Platform provides:

• Digital credit applications: Multi-step online forms for Buyers and Co-Applicants to submit credit application information electronically.
• Buyer verification: SMS-based identity verification.
• Electronic signatures: Capture of legally binding electronic consent and signatures, as further described in Section 9.
• Behavioural analytics: Collection and analysis of Buyer interaction data, including step timing, panel engagement, and product interest signals.
• Engagement scoring: Proprietary scoring system that computes Buyer engagement scores to inform FM preparation.
• Product interest tracking: Monitoring of Buyer interactions with F&I product information at the category level.
• Bank rate management: Tools for managing lender rate sheets and financing parameters.
• PDF generation: Automated generation of credit application documents and summaries.
• Kiosk mode: In-Dealership self-service mode with PIN-protected access.
• Co-applicant flow: Separate application pathway for joint credit applicants.
• White-label branding: Customizable Dealership branding including logos, colours, and dealer-specific theming.
• Subscription billing: Automated billing and subscription management.

We reserve the right to modify, enhance, or discontinue any feature of the Platform at any time. Material changes to core functionality will be communicated to active subscribers in advance.

6. License Grant and Acceptable Use

Subject to your compliance with these Terms and payment of all applicable subscription fees, we grant you a limited, non-exclusive, non-transferable, revocable license to access and use the Platform solely for the purpose of conducting authorized Dealership F&I operations.

This license does not include the right to:

• Copy, reproduce, or duplicate any portion of the Platform or its source code;
• Modify, adapt, or create derivative works based on the Platform;
• Distribute, sublicense, lease, lend, sell, resell, transfer, publicly display, publicly perform, transmit, stream, broadcast, or otherwise exploit the Services except as expressly permitted by the Company;
• Reverse engineer, decompile, disassemble, or otherwise attempt to discover the source code, algorithms, or underlying structure of the Platform;
• Link to, mirror, or frame any portion of the Services;
• Cause or launch any programs or scripts for the purpose of scraping, indexing, surveying, or otherwise data mining any portion of the Services or Platform or unduly burdening or hindering the operation and/or functionality of any aspect of the Services or Platform;
• Attempt to gain unauthorized access to or impair any aspect of the Services or its related systems or networks;
• Use the Platform for any purpose other than its intended use in automobile Dealership F&I operations; or
• Remove, alter, or obscure any proprietary notices, labels, or markings on the Platform.

Any other types of usage are prohibited. Any rights not expressly granted herein are reserved by the Company.

This license is effective until termination of these Terms in accordance with Section 19.

By using the Services, you grant the Company a non-exclusive, worldwide, royalty-free license to use, reproduce, modify, and display any content or feedback you submit through the Services for the purpose of providing and improving the Services.

You are solely responsible for all information or content that you give us through the Services. You represent and warrant that you have obtained all necessary permissions and consents from all third parties whose information is included in any Content that you submit to the Platform.

You agree to indemnify, defend, and hold harmless the Company from and against any and all claims, demands, actions, proceedings, losses, liabilities, damages, costs, and expenses (including reasonable legal fees) arising out of or relating to any breach of the foregoing representation and warranty or your submission of third-party information to the Platform.

7. Intellectual Property

All intellectual property rights in and to the Platform, including the software, algorithms, engagement scoring models, engagement score data, user interface design, workflows, documentation, APIs, trade secrets, and all related technology, are and shall remain the exclusive property of the Company. Nothing in these Terms transfers any ownership interest in the Platform to you.

"FNi+" and the FNi+ logo are trademarks of the Company. You may not use our trademarks without our prior written consent, except as expressly permitted for white-label display within the Platform.

Dealership branding assets uploaded to the Platform by a Dealership or Organization remain the intellectual property of that Dealership or Organization. By uploading such materials, you grant us a limited license to display them within the Platform for the purpose of providing the white-label Services.

If you provide feedback, suggestions, or ideas regarding the Platform ("Feedback"), you acknowledge that we may use, implement, and incorporate such Feedback without restriction or obligation to you.

8. Insurance Licensing Disclaimer and Tier 1 Design Constraints

Disclaimer

The Company does not provide any legal, insurance, investment, accounting or other professional advice or opinions as part of the Services. The Services are provided solely for informational purposes, and are offered on a strictly as-is, where-is, and with all faults basis. Your use of or access to the Services does not create a lawyer-client or other relationship of trust. Except where we agree otherwise under a separate executed written instrument, we do not make any representations or provide any warranties concerning the Services, and we expressly disclaim all warranties in connection with the Services, whether express or implied, including, but not limited to the implied warranties of merchantability, fitness for a particular purpose and non-infringement.

The Company expressly disclaims, and the Client expressly acknowledges and agrees, that:

• The Platform is a workflow tool that facilitates the Dealership's existing credit application and F&I workflow.
• Any educational content presented to a Buyer through the Platform is generic in nature, presented at the product category level, and not tied to any specific insurer, administrator, issuer, or product.
• Any product interest captured through the Platform reflects a Buyer's stated preference for further information from the Dealership and does not constitute an offer, application, agreement, or representation by the Company in respect of any product.
• The Dealership is solely responsible for compliance with applicable insurance licensing legislation, including (without limitation) the Insurance Act (Alberta) and Alberta Bulletin 05-2024, the Financial Institutions Act (British Columbia) and the BC Financial Services Authority's restricted insurance agent licensing regime, the Insurance Act (Ontario) and the Financial Services Regulatory Authority of Ontario's licensing requirements, and any equivalent legislation in other provinces.
• The Dealership is responsible for ensuring that all individuals who solicit, sell, recommend, or administer insurance products at the Dealership hold the licenses and authorizations required by applicable law.

FINTRAC / Anti-Money Laundering Disclaimer. The Client acknowledges that automobile dealerships, financing entities, leasing entities, or other transaction participants may be subject to obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (Canada), FINTRAC guidance, and other applicable anti-money laundering, anti-terrorist financing, sanctions, proceeds of crime, or financial crime laws. The Company is not a reporting entity, lender, financing entity, leasing entity, AML compliance adviser, sanctions screening provider, or regulatory compliance service provider by virtue of providing the Platform, and the Platform is not designed, marketed, or warranted as a FINTRAC, AML, sanctions, suspicious transaction monitoring, customer due diligence, KYC, recordkeeping, or regulatory reporting compliance solution. The Client is solely responsible for determining and complying with all such obligations applicable to its business, Dealership locations, personnel, affiliates, financing or leasing partners, and transactions, including any registration, compliance program, client identification, reporting, recordkeeping, training, audit, and independent review requirements. The Company does not represent, warrant, covenant, or undertake that use of the Platform will satisfy, support, evidence, automate, or replace any such obligation unless expressly agreed in a separate written addendum signed by the Company.

Tier 1 Design Constraints

The Tier 1 release of the Platform is designed defensively to support the Dealership's compliance posture. The Tier 1 buyer-facing experience does not, and the Company shall not, present:

• Specific insurer, administrator, or issuer names tied to any particular product.
• Pricing, premiums, rates, or quotes for insurance, F&I, or financial products.
• Coverage amounts, policy limits, deductibles, or specific contractual terms.
• Personalized product recommendations that compare or rank specific insurers or products.
• Underwriting decisions or any function that selects, approves, or declines a specific insurance product for a Buyer.

The Company will provide you with not less than 30 days' written notice before introducing any feature that materially alters these Tier 1 constraints. Such features will be presented as opt-in only and will be accompanied by updated terms.

You agree to indemnify and hold harmless the Company in respect of any claim, loss, or regulatory action arising from the Dealership's failure to maintain the licenses, registrations, or authorizations required for its insurance, F&I, or financial product activities.

LINKS AND APIs TO THIRD PARTY WEBSITES AND SERVICES

The Company does not control any third-party website and is therefore not responsible for the content of any linked website or any link contained in a linked website. Linked websites are not part of the Platform. The Company provides such links only as a convenience, and the inclusion of any link does not imply endorsement, investigation or verification by the Company of the linked website or information contained therein, and the Company does not make any representations regarding the privacy practices, content or accuracy of materials on such third-party sites. You are responsible for reviewing and complying with any applicable third-party terms and conditions when you access or use such third-party websites or services.

10. Electronic Signatures and Lender Acceptance

Electronic signatures captured through the Platform are intended to be legally effective and enforceable under applicable Canadian electronic transactions legislation, including but not limited to the following:

• The Electronic Transactions Act (Alberta), SA 2001, c E-5.5.
• The Electronic Transactions Act (British Columbia), SBC 2001, c 10.
• The Electronic Commerce Act, 2000 (Ontario), SO 2000, c 17.
• Equivalent provincial electronic transactions legislation in other Canadian provinces.
• Part 2 of the Personal Information Protection and Electronic Documents Act (PIPEDA), where applicable to federally regulated transactions or where a "secure electronic signature" is required by federal law.

By using the Platform's electronic signature features, the Buyer, Co-Applicant, and Dealership Authorized User consent to the use of electronic records and signatures and acknowledge that such records and signatures will have the same force and effect as wet-ink signatures, except where applicable law expressly requires otherwise.

Lender Acceptance

The Company does not represent or warrant that any specific lender, credit bureau, or other third party will accept electronic signatures captured through the Platform for any particular purpose. The Dealership is solely responsible for confirming that the format and method of electronic signature capture meet each lender's submission requirements. If a lender requires wet-ink signatures, alternative signature formats, or additional verification steps, the Dealership is responsible for obtaining them.

11. Data Collection and Privacy

Your use of the Platform is subject to our Privacy Policy and Data Processing Agreement, which describe how we collect, use, store, and protect personal information in compliance with applicable data privacy laws.

12. Buyer Data and Credit Applications

The Platform facilitates the collection and transmission of credit application information on behalf of Dealerships. The following clarifications apply:

• FNi+ does not make lending decisions. All credit evaluations and lending decisions are made by the Dealership and its lending partners. The Platform serves as a digital conduit for application data.
• Hard credit inquiries. By submitting a credit application through the Platform, the Buyer acknowledges and consents to the Dealership and its lending partners conducting a hard credit inquiry with one or more credit bureaus, which may affect the Buyer's credit score.
• Data retention. Application data is stored in accordance with the retention periods set out in our Privacy Policy. Dealerships are responsible for ensuring that their own data retention practices comply with applicable laws.

Dealerships are solely responsible for ensuring that appropriate disclosures and consents are obtained from Buyers prior to submitting credit applications to lending partners.

13. Behavioural Analytics and Engagement Scoring

The Platform collects interaction data during Buyer credit application sessions, including step completion timing, panel engagement duration, scroll depth, and product interest selections. This data is used to compute proprietary engagement scores. The engagement score data is a product of the Platform and property of the Company in accordance with Section 7 above. .

Permitted purposes

• Inform FM preparation by indicating a Buyer's level of engagement with F&I product information.
• Provide Dealerships with insights into Buyer behaviour patterns.
• Help FMs tailor their consultations based on demonstrated Buyer interests.
• Improve the Platform through aggregated and de-identified analysis.

Express limitations

• Engagement scores are not used to make, influence, or inform any credit or lending decisions.
• No automated decision-making regarding creditworthiness is performed by the Platform.
• The Dealership is solely responsible for how it uses engagement score data and its insights provided by the Platform.

For information on data handling when subscription tiers change, see the Privacy Policy.

14. Subscription and Billing

As specified in the Purchase Order (PO) accompanying these Terms, the PO will specify the following, among other covenants between you and the Company:

• Subscription tiers: The Platform offers Standard and Intelligence subscription tiers. Tier details are available on our pricing page.
• Billing cycle: Subscriptions are billed monthly or annually, as selected at purchase.
• Auto-renewal: Subscriptions automatically renew at the end of each billing cycle unless cancelled before the renewal date.
• Rooftop limits: Each subscription includes a specified number of Dealership locations (rooftops). Additional rooftops may be added subject to applicable per-rooftop fees.
• Price changes: Price changes will be communicated to existing subscribers at least 30 days in advance and will take effect at the start of the next billing cycle.
• Failed payments: A grace period will be provided for updating payment information. Continued non-payment may result in suspension and ultimately cancellation.
• Refunds: Solely in the event you terminate the Terms for cause, annual subscriptions are eligible for a prorated refund for the unused portion of the subscription term. Monthly subscriptions are not eligible for refunds for the current billing period.
• All fees are quoted in Canadian dollars (CAD) unless otherwise stated. You are responsible for any applicable taxes.

15. Service Availability

We use commercially reasonable efforts to maintain the availability and performance of the Platform. However, we do not guarantee uninterrupted or error-free operation.

• Planned maintenance: We endeavour to provide advance notice of scheduled maintenance windows that may affect Platform availability.
• No uptime guarantee: The Platform is provided without any specific uptime commitment or service level guarantee.
• Third-party dependencies: The Platform relies on third-party infrastructure. We are not liable for outages caused by these third parties.
• Force majeure: We are not liable for any failure or delay resulting from events beyond our reasonable control.

16. Disclaimer and Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE CANADIAN LAW:

No indirect damages

In no event shall the Company, its officers, directors, employees, or agents be liable for any indirect, incidental, consequential, special, or punitive damages, exemplary, including loss of revenue, loss of profits, loss of data, loss of business opportunity, loss of business information, or damage to reputation, or other similar damages whatsoever, arising out of or in connection with the Services or the use of or inability to use the Platform, regardless of the theory of liability and even if we have been advised of the possibility of such damages including without limitation in connection with or arising from your use of, reliance upon, access to, or exploitation of the Platform or with any linked third-party website, the materials or information contained therein, or any part thereof, or any rights granted to you hereunder, even if we have been advised of the possibility of such damages, whether the action is based on contract, tort (including negligence), infringement of intellectual property rights or otherwise.

In addition, in no event will we be liable for any loss or damage suffered by you that is caused by any one or more of: i) the actions of, or any failure to act by a third party service provider (and no such third party will be considered to be acting as our agent); ii) Mistakes, errors, omissions, inaccuracies or other inadequacies of, or contained in the Services or any data given by you to us, including your failure to update; iii) Any delay, error, interruption or failure by us to perform or fulfill any of our obligations to you due to any cause beyond our control or their control, any system malfunctions or any technical failures; iv) Unsecured communication being inaccurate, intercepted, reviewed or altered by others, or not received by you; v) Your access to the Services, including, without limitation, any delay or inability to access the Services; vi) Your failure to receive or view any communication that has been presented to you, and we will not be responsible, for any delay, damage or inconvenience that such failure may cause; or vii) Your failure to fulfill any of your obligations under these Terms.

Aggregate cap on general claims

Subject to Section 17.3 (Data and Privacy Cap) and Section 17.4 (Exclusions), our total aggregate liability arising out of or in connection with these Terms or your use of the Platform shall not exceed the total amount of fees paid by you to the Company during the twelve (12) months immediately preceding the event giving rise to the claim.

Data and privacy claims cap

Notwithstanding Section 17.2, our aggregate liability for claims arising out of or related to a Breach of Security Safeguards caused by the Company, the Company's material non-compliance with applicable data privacy laws, or the Company's unauthorized disclosure of Personal Information shall not exceed the greater of:

twenty-four (24) months of fees paid by you to the Company immediately preceding the event giving rise to the claim..

Exclusions from cap

The caps in Sections 16.2 and 16.3 do not apply to: (a) the Company's obligations under Section 17 (Indemnification) for third-party intellectual property infringement claims; or (b) any liability that may not be limited under applicable law.

As-is basis and disclaimer of warranties

The Platform and Services are provided on an "as is" and "as available" basis. We expressly disclaim all warranties of any kind, whether express or implied, including implied warranties of merchantability, fitness for a particular purpose, and non-infringement. We do not warrant that the Platform will meet your specific requirements, that the Services will be uninterrupted, timely, secure, or error-free, or that any results obtained through the Platform will be accurate or reliable.

Some jurisdictions do not allow the exclusion or limitation of certain warranties or liabilities. In such jurisdictions, our liability shall be limited to the greatest extent permitted by law.

17. Mutual Indemnification

Indemnification by the Client

You agree to indemnify, defend, and hold harmless the Company, its officers, directors, employees, agents, and affiliates from and against any third-party claims, liabilities, damages, losses, costs, and expenses (including reasonable legal fees) arising out of or in connection with:

• Your misuse or unauthorized use of Buyer Personal Information collected through the Platform.
• Your violation of PIPA, PIPEDA, or applicable provincial or federal privacy legislation, applicable insurance licensing legislation, or any other applicable law.
• The submission of inaccurate, misleading, or fraudulent information through the Platform.
• Any unauthorized access to or use of the Platform arising from your failure to maintain the security of your account credentials.
• Any claim, investigation, penalty, loss, cost, or regulatory action arising out of or relating to the Client’s actual or alleged failure to comply with FINTRAC, anti-money laundering, anti-terrorist financing, sanctions, proceeds of crime, financing, leasing, consumer finance, insurance, or other regulatory obligations applicable to the Client’s business or transactions.
• Your breach of any provision of these Terms.
• Any claim by a Buyer, Co-Applicant, or third party related to the Dealership's lending practices, credit decisions, or use of information obtained through the Platform.

Indemnification by the Company

The Company agrees to indemnify, defend, and hold harmless the Client and its officers, directors, and employees from and against any third-party claims, liabilities, damages, losses, costs, and expenses (including reasonable legal fees) arising out of:

• Subject to Section 16.3 above, a Breach of Security Safeguards caused by the Company's failure to maintain the safeguards described in the Data Processing Agreement, where such failure results in unauthorized access to or disclosure of the Client's Personal Information.
• Any third-party claim that the Platform, as provided by the Company and used in accordance with these Terms, infringes a Canadian intellectual property right.

The Company's obligations under this Section 17.2 are subject to the liability caps in Section 16.

Indemnification procedure

The party seeking indemnification (the "Indemnified Party") shall promptly notify the other party (the "Indemnifying Party") of the claim, allow the Indemnifying Party to control the defence and settlement of the claim (provided that any settlement requiring an admission of liability or non-monetary obligation by the Indemnified Party requires its prior written consent), and provide reasonable cooperation at the Indemnifying Party's expense.

18. Termination

Either party may terminate these Terms as follows:

• Termination for convenience: Either party may terminate by providing 30 days' written notice to the other party.
• Termination for cause: The Company may terminate these Terms and your access to the Platform immediately, without prior notice, in the event of: (a) a material breach of these Terms; (b) non-payment of subscription fees beyond the grace period specified in your PO; or (c) any illegal activity conducted through the Platform.

Upon termination:

• Your access to the Platform and all associated Services will be revoked.
• You will have 30 days from the effective date of termination to request an export of your data.
• After the 30-day export period, your data will be deleted in accordance with the Data Processing Agreement and Privacy Policy.
• Any outstanding fees owed for the period prior to termination remain due and payable.

Sections 7 (Intellectual Property), 8 (Insurance Licensing Disclaimer), 16 (Limitation of Liability), 17 (Mutual Indemnification), 19 (Dispute Resolution), 22 (General Provisions) and 23 (Confidentiality) survive termination of these Terms.

19. Dispute Resolution

These Terms and any dispute arising out of or in connection with them are governed by and construed in accordance with the laws of the Province of Alberta and the federal laws of Canada applicable therein, without regard to conflict of law principles.

In the event of a dispute, the parties agree to the following resolution process:

• Negotiation: The parties shall first attempt to resolve the dispute through good-faith negotiation for a period of 30 days from the date written notice of the dispute is provided.
• Binding arbitration: If the dispute is not resolved through negotiation, it shall be submitted to binding arbitration in Calgary, Alberta, conducted in accordance with the Arbitration Act (Alberta). The decision of the arbitrator shall be final and binding upon both parties.
• Costs: Each party shall bear its own costs and expenses in connection with the arbitration, including legal fees, unless the arbitrator orders otherwise.
• Injunctive relief: Either party may seek injunctive or other equitable relief from a court of competent jurisdiction for the protection of intellectual property rights or Confidential Information, without first pursuing arbitration.

20. Insurance

The Company will, during the term of these Terms, maintain commercially reasonable insurance coverage appropriate to the nature and scale of the Services, including cyber liability insurance and technology errors and omissions insurance with limits of not less than CAD $2 million each per occurrence and in the aggregate. Upon written request (no more than once per calendar year), the Company will provide a certificate of insurance evidencing such coverage.

21. Changes to Terms

We reserve the right to modify or update these Terms. Changes will be effective upon posting to the Platform unless otherwise specified. For material changes that affect your rights or obligations, we will provide at least 30 days' advance notice via email to the account holder. Your continued use of the Platform after the effective date of any changes constitutes acceptance of the revised Terms.

22. General Provisions

• Severability. If any provision of these Terms is held to be invalid, the remaining provisions shall continue in full force and effect.
• Entire agreement. These Terms, together with the Privacy Policy and the Data Processing Agreement, constitute the entire agreement between the parties.
• Independent legal advice. You acknowledge that you have had the opportunity to obtain independent legal advice with respect to these Terms and that you are entering into these Terms voluntarily and with full knowledge of their legal effect.
• Waiver. The failure of either party to exercise or enforce any right shall not constitute a waiver. Any waiver must be in writing.
• Assignment. You may not assign or transfer your rights or obligations without our prior written consent. We may assign our rights and obligations without restriction, including in connection with a merger, acquisition, corporate reorganization (including the assignment from FNi+ Technologies Inc. upon its incorporation), or sale of all or substantially all of our assets.
• Force majeure. Neither party shall be liable for any failure or delay resulting from events beyond its reasonable control.
• Notices. All notices shall be in writing and delivered by email to the addresses associated with the parties' accounts. Notices to the Company shall be sent to support@fniplus.ai
• Relationship of parties. Nothing in these Terms creates a partnership, joint venture, agency, franchise, or employment relationship.

23. Confidentiality

In connection with these Terms, each party (the “Disclosing Party”) may disclose non-public information to the other party (the “Receiving Party”). “Confidential Information” has the meaning given to it in Section 2 of these Terms.

Confidentiality Obligations

Each Receiving Party shall: (a) hold the Disclosing Party’s Confidential Information in strict confidence, using at least the same degree of care it applies to its own confidential information of similar sensitivity, but in no event less than a reasonable degree of care; (b) not disclose Confidential Information to any person or entity other than its employees, officers, directors, legal counsel, accountants, and contractors who have a bona fide need to know such information and who are subject to obligations of confidentiality no less protective than those set out in this Section 23; (c) use Confidential Information solely for the purposes of performing its obligations or exercising its rights under these Terms; and (d) notify the Disclosing Party promptly upon becoming aware of any unauthorized use, disclosure, or breach of confidentiality with respect to the Disclosing Party’s Confidential Information.

Exclusions

The obligations in Section 23.1 do not apply to information that: (a) is or becomes publicly available through no act or omission of the Receiving Party; (b) was rightfully known to or in the possession of the Receiving Party prior to disclosure by the Disclosing Party, free of any restriction on use or disclosure; (c) is independently developed by the Receiving Party without reference to or use of the Disclosing Party’s Confidential Information; or (d) is rightfully received by the Receiving Party from a third party who is not under any obligation of confidentiality with respect to such information.

Permitted Disclosures

A Receiving Party may disclose Confidential Information to the extent required by applicable law, regulation, court order, or the lawful requirement of a governmental or regulatory authority, provided that: (a) the Receiving Party provides the Disclosing Party with prompt prior written notice of such requirement, to the extent permitted by applicable law; (b) the Receiving Party cooperates reasonably with the Disclosing Party’s efforts to obtain a protective order or other appropriate relief; and (c) the Receiving Party discloses only that portion of the Confidential Information that it is legally compelled to disclose.

Return or Destruction

Upon the termination or expiry of these Terms, or upon the written request of the Disclosing Party, the Receiving Party shall promptly return or, at the Disclosing Party’s written election, destroy all tangible materials embodying the Disclosing Party’s Confidential Information (including all copies and extracts thereof), and shall certify in writing to such return or destruction upon request. This obligation does not apply to Confidential Information that the Receiving Party is required to retain pursuant to applicable law or that is retained in automated backup or archival systems in the ordinary course of business, provided that any such retained information remains subject to the confidentiality obligations of this Section 23.

Duration

The confidentiality obligations set out in this Section 23 shall survive the termination or expiry of these Terms for a period of five (5) years, except that obligations with respect to Confidential Information that constitutes a trade secret under applicable law shall continue for so long as such information retains its status as a trade secret.

Injunctive Relief

Each party acknowledges that any breach or threatened breach of this Section 23 may cause irreparable harm to the Disclosing Party for which monetary damages would be an inadequate remedy. Accordingly, the Disclosing Party shall be entitled to seek injunctive or other equitable relief from a court of competent jurisdiction to restrain such breach or threatened breach, without the requirement to post a bond or other security and without prejudice to any other rights or remedies available at law or in equity. This right is in addition to, and not in lieu of, the Disclosing Party’s right to pursue arbitration in accordance with Section 19.

Schedule A – Privacy Policy (FNi+ default)

How FNi+ collects, uses, and protects your personal information under Canadian federal and provincial privacy legislation.

1. Introduction

FNi+ is a software-as-a-service platform provided to automobile dealerships (each, a "Dealership") by FNi+ Technologies Inc., or its successor in interest ("FNi+", "we", "us", or "our").

This Privacy Policy explains how we handle personal information collected through the FNi+ platform in respect of Dealership personnel using the platform, and in respect of when a Dealership invites you to complete a credit application or similar workflow. It applies to Dealership personnel (“Personnel”), and to vehicle buyers, co-applicants, and other individuals whose personal information is processed through the platform (each of them, an “Applicant”).

The Dealership is the organization accountable for the personal information collected through the platform under applicable privacy laws. FNi+ acts as a service provider and processor of personal information to the Dealership for the purposes of credit application processing, identity verification, and document handling.

2. Geographic Scope

The FNi+ platform is currently available to Dealerships located in the Canadian provinces of Alberta, British Columbia, Saskatchewan, Manitoba, Ontario, New Brunswick, Nova Scotia, Prince Edward Island, and Newfoundland and Labrador. The platform is not currently offered to Dealerships or buyers located in Quebec. FNi+ does not represent that the platform meets the requirements of An Act respecting the protection of personal information in the private sector (Quebec, "Law 25"). The platform should not be used for transactions involving Quebec residents or for credit applications completed at Quebec dealerships.

3. Information We Collect

Personnel: We collect the personal information of Personnel necessary to create, manage, secure, and administer Dealership user accounts and provide access to the platform. Categories include:

• Identity and business contact information: Name, business email address, business phone number, job title, Dealership, Organization, and Dealership location or rooftop.
• Account information: Username, user role, permission level, account status, subscription tier association, and administrator or authorized user designations.
• Authentication and security information: Login credentials, authentication tokens, PINs or access codes, IP address, device information, login history, session information, and security event logs.
• Platform usage information: Records of user activity within the platform, including dashboard access, application review activity, user support logs, document generation, electronic signature actions, account configuration changes, and other actions taken through the Dealership account.
• Billing and administrative information: Information relating to the Dealership’s subscription, billing contacts, payment administration, support requests, and communications with FNi+.

Applicants: We collect the personal information necessary to process an Applicant’s credit application and provide the related platform services. Categories include:

• Identity information: Full name, date of birth, marital status, and number of dependants.
• Contact information: Email address, phone number, and residential address.
• Financial information: Employment details, income, housing costs, banking information, and credit history disclosures.
• Sensitive identifiers: Social Insurance Number (SIN), collected solely for credit bureau submission by the Dealership and its lending partners.
• Vehicle and deal information: Vehicle details, deal type, trade-in information, and financing parameters.
• Electronic signature data: Signature image data, IP address, device information, and timestamps captured at the time of signing.
• Behavioural and analytics data: How you interact with the platform, including time spent on each section and product interest signals.

4. How We Use Your Information

We use your personal information for the following purposes:

• Account Administration: Creating, managing, securing, and maintaining Dealership user accounts, user roles, permissions, authentication, subscription access, and support communications.
• Credit application processing: Transmitting your credit application to the Dealership and, on the Dealership's instructions, to lenders and credit bureaus.
• Identity verification: Confirming your identity through SMS verification (PIN delivery) and email-based authentication.
• Dealership communication: Enabling the Dealership's finance team to review and act on your application.
• Service delivery: Providing platform features such as document storage, electronic signature capture, and dealer dashboard functionality.
• Fraud prevention: Detecting and preventing unauthorized access or fraudulent activity.
• Service improvement: Analyzing platform usage, completion patterns, and aggregated or de-identified analytics to maintain, troubleshoot, improve, and develop the platform.

5. Analytics and Platform Improvement

We collect limited information about how Applicants interact with the platform, including step completion timing, section views, scroll activity, time spent on each section, and product category interest selections. This information helps the Dealership prepare for follow-up discussions with Applicants and helps FNi+ maintain, troubleshoot, improve, and develop the platform.

Analytics information is used for operational and service improvement purposes only. It is not used to make, influence, or inform any credit, lending, insurance, or financing decision about an Applicant. FNi+ does not use an Applicant’s name, contact information, Social Insurance Number, banking information, income information, or other directly identifying credit application information for cross-Dealership analytics or model improvement.

Where analytics information is used to improve the platform across Dealerships, it is aggregated or de-identified before use. Aggregated or de-identified information does not identify an individual Applicant and is used to understand general platform usage patterns, completion rates, feature performance, and product category engagement.

Questions about the collection and use of analytics information, or requests to exercise privacy rights available under applicable privacy legislation, may be submitted to support@fniplus.ai.

6. Service Providers and Third Parties

We may share personal information with third-party service providers that help us operate, secure, support, and improve the platform. These service providers may include cloud hosting providers, database and file storage providers, authentication providers, SMS and email delivery providers, electronic signature and document generation providers, error monitoring and security providers, analytics providers, and payment processing providers for Dealership account billing.

We require our service providers to use personal information only for the purposes of providing services to us or the Dealership, and to protect personal information using appropriate contractual, technical, and organizational safeguards.

Where necessary to process a credit application or related workflow, personal information may also be shared with the Dealership, lenders, credit bureaus, financing partners, insurance or F&I product providers, and other parties involved in the vehicle purchase, financing, or related transaction. Those parties may collect, use, disclose, and retain personal information in accordance with their own privacy policies and legal obligations.

A current list of material service provider categories, including information about where personal information may be processed, is available upon written request to support@fniplus.ai.

7. Cross-Border Data Transfers

Your personal information is primarily stored in Canada. Limited processing occurs in the United States through the service providers listed in Section 6. By using the FNi+ platform, you consent to the transfer of certain personal information to the United States for these purposes.

We rely on contractual safeguards with each service provider to ensure that your personal information receives a comparable level of protection to that required under PIPEDA and applicable provincial privacy legislation, in line with the Office of the Privacy Commissioner of Canada's guidelines on transfers for processing.

8. Data Retention

We retain an Applicant’s personal information only for as long as necessary to provide the platform services, complete the purposes described in this Privacy Policy, comply with legal, regulatory, contractual, and audit obligations, resolve disputes, and enforce our agreements.

The following retention periods generally apply:

Requests for deletion of personal information may be submitted to support@fniplus.ai. Deletion requests will be reviewed in accordance with applicable privacy legislation; however, information may be retained where required or permitted by law, including for legal, regulatory, contractual, audit, security, fraud prevention, dispute resolution, or record-keeping purposes.

If your credit application has already been submitted to a Dealership, lender, credit bureau, financing partner, or other third party, those parties may retain your information in accordance with their own privacy policies and legal obligations.

If a Dealership changes or cancels its subscription, we may retain, export, or delete information associated with that Dealership account in accordance with our agreement with the Dealership, this Privacy Policy, and applicable law.

9. Your Rights

Subject to applicable privacy legislation, you have the following rights:

• Right of access: Request a copy of the personal information we hold about you.
• Right of correction: Request corrections to any inaccurate or incomplete personal information.
• Right to withdraw consent: Withdraw your consent to the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions.
• Right to deletion: Request the deletion of your personal information, subject to legal or regulatory retention obligations.
• Right to opt out of analytics: Opt out of cross-Dealership analytics use as described in Section 5.
• Questions or complaints: Submit inquiries or complaints regarding the handling of personal information.

Withdrawing consent or requesting deletion may limit our ability to provide platform services, process a credit application, verify identity, generate documents, or support related transactions.

If personal information has been submitted to a Dealership, lender, credit bureau, financing partner, insurer, F&I product provider, or other third party, those parties may retain and handle that information in accordance with their own privacy policies and legal obligations. Privacy rights requests or inquiries may be submitted to support@fniplus.ai.

10. Security Safeguards

We use reasonable physical, technical, and organizational safeguards designed to protect personal information against unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks.

These safeguards may include encryption of sensitive information, encryption in transit (HTTPS/TLS), access controls, user authentication, role-based permissions, session management, audit logging, security monitoring, multi-tenant data isolation, and administrative controls.

No system is completely secure. We cannot guarantee that personal information will never be accessed, used, or disclosed without authorization, but we take reasonable steps to protect personal information in a manner appropriate to its sensitivity. We review and update these safeguards on a regular basis.

11. Breach Notification

If we become aware of a breach of security safeguards involving personal information, we will take reasonable steps to assess, contain, investigate, and remediate the incident.

Where required by applicable privacy legislation, we will notify affected individuals, the Dealership, applicable privacy regulators, and any other parties required by law. Notices will be provided as soon as feasible or within the timeframe required by applicable law.

We will also maintain records of breaches of security safeguards where required by applicable privacy legislation.

12. Filing a Complaint

If you are not satisfied with our response to a privacy concern, you may file a complaint with the appropriate privacy commissioner:

• Federal: Office of the Privacy Commissioner of Canada (priv.gc.ca)
• Alberta: Office of the Information and Privacy Commissioner of Alberta (oipc.ab.ca)
• British Columbia: Office of the Information and Privacy Commissioner for British Columbia (oipc.bc.ca)

To facilitate timely resolution, privacy concerns should be submitted to support@fniplus.ai in the first instance.

13. Children's Information

The FNi+ platform is not intended for use by individuals under the age of majority in their province or territory of residence. FNi+ does not knowingly collect personal information from individuals below this age. Where FNi+ becomes aware that personal information of an individual below the age of majority has been collected, FNi+ will take reasonable steps to delete such information, subject to applicable law. Privacy inquiries may be submitted to support@fniplus.ai.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in applicable law, our processing practices, or platform functionality. The "Last updated" date at the top of this policy reflects the most recent revision. Material changes will be communicated through the platform or directly to Dealership administrators.

15. Contact

Privacy inquiries

FNi+ Technologies Inc.

Email: support@fniplus.ai

We will acknowledge privacy inquiries and complaints within a reasonable time and will respond to formal requests to access, correct, or delete personal information within the timeframe required by applicable privacy legislation.

Schedule B – Data Processing Agreement

How FNi+ processes Personal Information on behalf of automobile dealerships

1. Purpose and Scope

This Data Processing Agreement ("DPA") forms part of and is incorporated into the FNi+ Terms of Service between FNi+ Technologies Inc., or its successor in interest ("Service Provider"), and the automobile dealership, dealership group, or other organization that subscribes to or uses the Services ("Dealership").

This DPA governs the Processing of Personal Information by Service Provider in connection with the FNi+ platform and related services provided to Dealership. It applies to Personal Information relating to Applicants, Co-Applicants, Dealership personnel, Authorized Users, and other individuals whose Personal Information is submitted to, collected through, generated by, or otherwise Processed through the Services.

This DPA is intended to establish contractual safeguards for Personal Information Processed by Service Provider on behalf of Dealership and to allocate responsibility between the parties for privacy, security, retention, individual rights, and related data protection matters.

2. Geographic Scope

The Services are currently offered to Dealerships located in Canadian provinces other than Quebec. Service Provider does not represent that the Services meet the requirements of Quebec private-sector privacy legislation. Dealership represents that it will not use the Services for Dealership locations in Quebec unless Service Provider has agreed in writing to extend the Services to those operations under a separate written addendum.

If Dealership wishes to use the Services in Quebec or in any jurisdiction outside Canada, the parties will negotiate in good faith a separate addendum addressing any additional privacy, data protection, localization, consumer protection, language, regulatory, or other requirements applicable to that jurisdiction.

3. Definitions

• "Applicable Privacy Laws" means all Canadian federal, provincial, and territorial privacy, data protection, consumer reporting, credit application, electronic records, breach notification, and related laws applicable to the Processing of Personal Information under this DPA.
• "Authorized User" means any Finance Manager, Director, administrator, employee, contractor, representative, or other individual authorized by Dealership to access or use the Services.
• "Applicant" means an individual who submits or is the subject of a credit application or related workflow through the Services in connection with a potential vehicle purchase, lease, financing, insurance, or related transaction.
• "Co-Applicant" means an individual who submits or is the subject of a joint credit application or related workflow alongside an Applicant.
• "Dealership Data" means all data, records, documents, information, files, content, and materials submitted to, generated through, or Processed by the Services on behalf of Dealership, including Personal Information.
• "Controller" means the party that determines the purposes for which and the means by which Personal Information is Processed, to the extent that such terminology is applicable under Applicable Privacy Laws or under a future data protection framework adopted by the parties.
• "De-identified Data" means information that has been modified so that it does not identify, and cannot reasonably be used to identify, an individual, whether alone or in combination with other information reasonably available to Service Provider.
• "Personal Information" means information about an identifiable individual, including any information treated as personal information, personal data, or equivalent information under Applicable Privacy Laws.
• "Processing" means any operation or set of operations performed on Personal Information, including collection, receipt, recording, organization, structuring, storage, hosting, retrieval, access, use, disclosure, transmission, transfer, alteration, correction, deletion, return, destruction, or other handling.
• "Processor" means a party that Processes Personal Information on behalf of and on the instructions of a Controller, to the extent that such terminology is applicable under Applicable Privacy Laws or under a future data protection framework adopted by the parties.
• "Security Incident" means any actual or reasonably suspected unauthorized access to, acquisition of, disclosure of, loss of, or compromise of Personal Information Processed by Service Provider under this DPA, or any other breach of Service Provider security safeguards affecting such Personal Information.
• "Services" means the FNi+ platform and all related software, tools, workflows, APIs, electronic signature functionality, credit application management, Applicant verification, document generation, analytics, Dealership dashboard functionality, support, maintenance, and related services provided by Service Provider under the Terms.
• "Subprocessor" means a third party engaged by Service Provider to Process Personal Information in connection with the Services.

4. Roles of the Parties

As between the parties, Dealership is responsible for determining the purposes for which Personal Information is collected, used, disclosed, retained, and otherwise Processed through the Services. Dealership is the Controller of Personal Information Processed through the Services, to the extent that Controller terminology is applicable.

Service Provider Processes Personal Information as a service provider to Dealership and in accordance with Dealership’s documented instructions, the Terms, this DPA, the Privacy Policy, the applicable Purchase Order, and the configuration and ordinary operation of the Services. To the extent Processor terminology is applicable, Service Provider acts as Processor to Dealership.

For clarity, Service Provider is not the Controller of Applicant or Co-Applicant Personal Information merely because the Services collect limited platform usage, interaction, product category interest, engagement, or similar analytics information in connection with the Services. Such information is Processed to provide, secure, support, maintain, troubleshoot, analyze, and improve the Services, subject to the limitations set out in this DPA and the Terms.

Service Provider will not use Personal Information for any purpose other than to provide, maintain, secure, support, troubleshoot, improve, and develop the Services, comply with the Terms and this DPA, comply with Applicable Laws, or as otherwise expressly authorized by Dealership in writing.

Service Provider will inform Dealership if, in Service Provider’s reasonable opinion, an instruction from Dealership would require Service Provider to Process Personal Information in a manner that violates Applicable Privacy Laws or this DPA.

5. Dealership Responsibilities

Dealership is responsible for its own compliance with Applicable Privacy Laws and for the lawful collection, use, disclosure, submission, retention, and other Processing of Personal Information through the Services. Without limiting the foregoing, Dealership is responsible for:

• providing all required privacy notices, disclosures, consents, authorizations, and other communications to Applicants, Co-Applicants, Dealership personnel, Authorized Users, and other individuals whose Personal Information is Processed through the Services, and where Dealership has its own privacy policies, separately obtaining individuals’ consent to such policies and the collection of personal information;
• ensuring that Personal Information submitted to or collected through the Services is accurate, complete, current, and collected for lawful purposes;
• obtaining all consents and authorizations required for credit applications, hard credit inquiries, lender submissions, credit bureau submissions, electronic records, electronic signatures, identity verification, and any related financing, insurance, F&I product, or vehicle transaction workflow;
• ensuring that any Personal Information submitted by Dealership personnel on behalf of an Applicant, Co-Applicant, or other individual has been provided with the consent, knowledge and authority of that individual, in each case in accordance with the privacy policies of Dealership and Service Provider;
• configuring and administering Authorized User access, permissions, roles, and account status in a manner appropriate to the sensitivity of Personal Information available through the Services;
• ensuring that Authorized Users use the Services only for authorized Dealership F&I operations and in accordance with the Terms, this DPA, Dealership policies, and Applicable Laws;
• responding to requests, complaints, and inquiries from individuals and regulators except to the extent Service Provider is required by Applicable Privacy Laws to respond directly; and
• ensuring that Dealership’s own retention, export, use, disclosure, and deletion of Personal Information outside the Services complies with Applicable Privacy Laws.

6. Service Provider Obligations

Service Provider will:

• Process Personal Information only in accordance with this DPA, the Terms, the Privacy Policy, Dealership’s documented instructions, and the ordinary operation and configuration of the Services;
• use commercially reasonable efforts to ensure that Personal Information is accessed only by personnel and Subprocessors who require access to perform services for Service Provider or Dealership;
• not sell Personal Information or disclose Personal Information to third parties for their independent marketing purposes;
• not use Applicant or Co-Applicant Personal Information to make, influence, or inform credit, lending, financing, insurance, or eligibility decisions;
• not use directly identifying credit application information, Social Insurance Numbers, banking information, income information, or credit history disclosures for cross-Dealership analytics or platform improvement;
• provide reasonable assistance to Dealership in connection with Dealership’s obligations under Applicable Privacy Laws, taking into account the nature of the Services and the information available to Service Provider;
• maintain appropriate safeguards as described in this DPA; and
• notify Dealership of Security Incidents in accordance with this DPA.

7. Confidentiality and Personnel Access

Service Provider will ensure that its employees, contractors, representatives, and personnel who access Personal Information are subject to confidentiality obligations no less protective than those set out in the Terms and are authorized to access Personal Information only as reasonably necessary to provide, secure, support, maintain, troubleshoot, improve, or administer the Services.

Service Provider will take reasonable steps to ensure that personnel with access to Personal Information receive appropriate instructions regarding the confidential and secure handling of Personal Information, having regard to their roles and the nature and sensitivity of the information.

8. Personal Information Processed

The following categories of Personal Information may be Processed through the Services on behalf of Dealership:

9. Analytics, De-identified Data, and Platform Improvement

The Services may collect limited platform usage, interaction, engagement, product category interest, completion pattern, and similar analytics information in order to provide the Services to Dealership, support Dealership F&I workflows, maintain and troubleshoot the platform, improve user experience, develop new features, and understand general platform performance.

Service Provider may use De-identified Data and aggregated information for service improvement, internal research, quality assurance, benchmarking, product development, and related business purposes, provided that such information does not identify an individual Applicant, Co-Applicant or Authorized User unless Dealership has expressly agreed otherwise in writing.

Service Provider will not use analytics, engagement, or interaction information to make, influence, or inform any credit, lending, financing, insurance, or eligibility decision about an Applicant or Co-Applicant. Service Provider will not sell, lease, or disclose analytics information to third parties for their independent marketing purposes.

Nothing in this DPA restricts Service Provider from using information that is not Personal Information, including De-identified Data, aggregated information, technical performance data, statistical information, and learnings derived from operation of the Services, provided that Service Provider complies with the confidentiality obligations in the Terms and does not re-identify individuals except as required to provide the Services, investigate security issues, comply with Applicable Laws, or as otherwise permitted by Dealership in writing.

10. Security Safeguards

Service Provider will maintain reasonable physical, technical, and organizational safeguards designed to protect Personal Information against unauthorized access, collection, use, disclosure, copying, modification, disposal, loss, or similar risks, having regard to the sensitivity of the information and the nature of the Services.

Service Provider’s safeguards may include, as applicable:

• encryption of sensitive information at rest, including encryption of sensitive identifiers before storage;
• encryption in transit using HTTPS/TLS or comparable secure transport protocols;
• multi-tenant data isolation and controls designed to limit Dealership access to its own records;
• role-based access controls and permission management for Authorized Users;
• user authentication, session management, idle timeouts, inactivity expiry, and duration limits;
• audit logging and monitoring of security-relevant events;
• access logging for highly sensitive data where technically available;
• application security controls designed to address common web application risks;
• backup, recovery, and availability controls appropriate to the nature of the Services; and
• administrative controls, personnel confidentiality obligations, and internal access restrictions.

Service Provider may update its safeguards from time to time to address changes in technology, threats, business operations, Subprocessors, and industry practices, provided that such updates do not materially reduce the overall level of protection for Personal Information.

Dealership acknowledges that no system or transmission method is completely secure. Service Provider does not guarantee that unauthorized access, use, disclosure, or loss will never occur.

11. Subprocessors

Dealership authorizes Service Provider to engage Subprocessors to support the delivery, hosting, security, maintenance, billing, communication, monitoring, and operation of the Services. Service Provider remains responsible to Dealership for the performance of its Subprocessors to the extent they Process Personal Information on behalf of Service Provider in connection with the Services.

Service Provider will require Subprocessors that Process Personal Information to be subject to written obligations that are materially protective of Personal Information, having regard to the nature of the services provided by the Subprocessor and the Personal Information Processed.

The following categories of Subprocessors may Process Personal Information in connection with the Services:

A current list of material Subprocessors, including corporate identities and relevant processing locations, will be made available to Dealership upon written request.

Subprocessor Changes

Service Provider may engage, replace, or remove Subprocessors from time to time in connection with the provision, maintenance, security, support, or improvement of the Services. Service Provider is not required to obtain Dealership’s prior approval before engaging, replacing, or removing a Subprocessor.

Service Provider will remain responsible for the performance of its Subprocessors to the extent they process Personal Information on behalf of Service Provider in connection with the Services, and will require each such Subprocessor to be subject to contractual obligations that are materially protective of Personal Information, having regard to the nature of the Services provided by that Subprocessor and the sensitivity of the Personal Information processed.

Service Provider may provide notice of material changes to its Subprocessors by email, in-platform notice, posting to a designated web page, or another reasonable means. If Dealership has concerns regarding a Subprocessor change, Dealership may contact Service Provider, and the parties will discuss the concern in good faith. Service Provider is not required to modify its Subprocessor arrangements unless required by applicable law or expressly agreed by Service Provider in writing.

12. Cross-Border Processing

Personal Information is primarily stored in Canada. Certain Personal Information may be accessed or Processed in the United States or other jurisdictions by Service Provider, its personnel, or Subprocessors as reasonably necessary to provide, support, secure, maintain, troubleshoot, improve, bill for, or administer the Services.

Service Provider will use contractual, technical, and organizational safeguards intended to protect Personal Information when it is Processed outside Canada. Dealership acknowledges that Personal Information Processed outside Canada may be subject to lawful access by courts, law enforcement, regulatory, national security, or governmental authorities in the jurisdiction where the information is Processed.

Service Provider will inform Dealership of any material change to the jurisdictions in which Personal Information is stored or materially Processed where required by this DPA or Applicable Privacy Laws.

13. Security Incidents and Breach Assistance

If Service Provider becomes aware of a Security Incident involving Personal Information Processed under this DPA, Service Provider will notify Dealership without unreasonable delay and, where feasible, within forty-eight (48) hours after becoming aware of the Security Incident.

Service Provider’s notice will include, to the extent reasonably available at the time of notice:

• a description of the nature of the Security Incident;
• the categories of Personal Information affected;
• the approximate number or categories of affected individuals, where known;
• the measures taken or proposed to contain, investigate, and remediate the Security Incident;
• any recommended steps for Dealership to mitigate risk to affected individuals; and
• a contact point for further information.

Service Provider will take reasonable steps to contain, investigate, and remediate the Security Incident and will reasonably cooperate with Dealership in connection with Dealership’s assessment, investigation, record-keeping, regulatory reporting, and individual notification obligations under Applicable Privacy Laws.

Dealership is responsible for determining whether notice to affected individuals, regulators, lenders, credit bureaus, financing partners, insurers, F&I product providers, or other third parties is required, except to the extent Applicable Privacy Laws require Service Provider to notify a party directly. Service Provider will not make public statements identifying Dealership in connection with a Security Incident without Dealership’s prior consent unless required by Applicable Laws.

Service Provider will maintain records of Security Incidents as required by Applicable Laws and its internal security policies.

14. Individual Rights and Privacy Requests

Dealership is responsible for responding to requests, complaints, and inquiries from individuals regarding Personal Information Processed through the Services, including requests for access, correction, deletion, withdrawal of consent, information about use or disclosure, and similar privacy rights requests, except to the extent Service Provider is required by Applicable Privacy Laws to respond directly.

If Service Provider receives a request from an Applicant, Co-Applicant, Authorized User, Dealership personnel member, regulator, or other individual regarding Personal Information Processed on behalf of Dealership, Service Provider may redirect the request to Dealership or notify Dealership of the request, unless prohibited by Applicable Laws.

Service Provider will provide reasonable assistance to Dealership, taking into account the nature of the Services and the information available to Service Provider, to help Dealership respond to individual rights requests and privacy complaints. Dealership acknowledges that Service Provider may be unable to delete, correct, or restrict Personal Information that has already been exported, downloaded, submitted to a lender, credit bureau, financing partner, insurer, F&I product provider, or otherwise Processed outside the Services by Dealership or a third party.

15. Retention, Return, and Deletion

Service Provider will retain Personal Information in accordance with the retention periods described in the Privacy Policy, except where a different retention period is required or permitted under the Terms, this DPA, applicable law, or the documented instructions of Dealership.

During the term of the Services, Service Provider will make reasonable functionality available for Dealership to access, export, correct, or delete Personal Information within the Services, subject to the configuration and functionality of the platform.

Upon termination or expiry of the Terms, Service Provider will make Dealership’s Personal Information available for export for the period specified in the Terms, unless otherwise agreed in writing. After the applicable export period, Service Provider may delete or de-identify Personal Information from active systems in accordance with its standard deletion practices, the Privacy Policy, this DPA, and applicable law.

Service Provider may retain Personal Information to the extent required or permitted by applicable law, or as reasonably necessary for legal, regulatory, tax, audit, billing, security, fraud prevention, backup, disaster recovery, dispute resolution, or enforcement purposes. Any retained Personal Information remains subject to the confidentiality, security, and use restrictions in this DPA for as long as it is retained.

Service Provider is not responsible for deleting or retrieving Personal Information that has already been transmitted to Dealership, lenders, credit bureaus, financing partners, insurers, F&I product providers, or other third parties at Dealership’s instruction or through Dealership’s use of the Services.

16. Audit and Assurance

Service Provider will make available to Dealership information reasonably necessary to demonstrate Service Provider’s compliance with this DPA, subject to the confidentiality, security, legal privilege, trade secret, and third-party confidentiality obligations of Service Provider and its other clients.

Dealership may request reasonable information about Service Provider’s privacy and security practices, safeguards, Subprocessors, and Security Incident handling no more than once per calendar year, unless a Security Incident or documented material concern justifies additional requests. Service Provider may satisfy such requests through written responses, security summaries, policies, diagrams, questionnaires, third-party reports, or other reasonable assurance materials, as determined by Service Provider having regard to the nature of the request and the sensitivity of the information requested.

If a Security Incident affects Dealership’s Personal Information, or if Dealership has a documented and reasonable basis to believe that Service Provider is materially non-compliant with this DPA, Dealership may request an audit of Service Provider’s compliance with this DPA. Any audit will be subject to the following conditions:

• Dealership must provide reasonable prior written notice and describe the scope and basis for the audit request;
• the audit must be conducted during normal business hours and in a manner that does not unreasonably interfere with Service Provider’s operations or compromise the security, confidentiality, or availability of the Services;
• the audit must be limited to matters reasonably related to the Security Incident or documented material concern;
• any auditor must be a qualified independent third party subject to confidentiality obligations acceptable to Service Provider, unless the parties agree otherwise;
• the audit must not permit access to the Personal Information, Confidential Information, systems, or environments of other clients;
• Dealership is responsible for the costs of the audit unless the audit reveals material non-compliance by Service Provider, in which case Service Provider will reimburse Dealership for reasonable audit costs proportionate to the non-compliance; and
• all audit materials, findings, reports, and communications will be treated as Confidential Information of Service Provider.

Service Provider may implement additional routine compliance summaries, assurance reports, certifications, or third-party attestations in the future, but nothing in this DPA requires Service Provider to obtain or maintain any specific certification or attestation unless expressly agreed in a separate written agreement.

17. Cooperation with Regulatory Matters

Each party will reasonably cooperate with the other party in connection with privacy regulator inquiries, investigations, orders, or complaints relating to Personal Information Processed under this DPA, to the extent such cooperation is reasonably necessary and legally permitted.

Dealership is responsible for communications with regulators regarding Dealership’s collection, use, disclosure, retention, and other Processing of Personal Information, except to the extent Applicable Laws require Service Provider to communicate directly with a regulator or the matter relates solely to Service Provider’s systems, safeguards, or independent legal obligations.

18. Liability

Each party’s liability under this DPA is governed by the limitation of liability, exclusion of damages, indemnity, data and privacy claims cap, and related liability provisions set out in the dealership-facing FNi+ Terms of Service to which this DPA is attached or incorporated, including any Purchase Order or other written agreement that modifies those provisions.

Nothing in this DPA expands Service Provider’s liability beyond the liability caps and exclusions set out in the Terms, except to the extent such limitation is prohibited by Applicable Laws.

19. Term and Termination

This DPA takes effect when Dealership accepts or becomes bound by the Terms and remains in effect for so long as Service Provider Processes Personal Information on behalf of Dealership.

The obligations in this DPA relating to confidentiality, security, retention, deletion, return, audit, liability, and protection of Personal Information survive termination or expiry of the Terms for so long as Service Provider retains Personal Information Processed on behalf of Dealership.

20. Order of Precedence

If there is a conflict between this DPA and the Terms, this DPA prevails solely with respect to the Processing and protection of Personal Information. The Terms prevail with respect to all other matters, including payment, subscription, intellectual property, disclaimers, liability caps, indemnity, dispute resolution, governing law, and general commercial terms.

If there is a conflict between this DPA and a Purchase Order or other written agreement signed by both parties, the more specific provision governing the relevant subject matter will prevail, unless the written agreement expressly states a different order of precedence.

21. General Provisions

This DPA is governed by and construed in accordance with the laws specified in the Terms.

This DPA may be amended only in accordance with the amendment provisions of the Terms or by a written instrument signed by both parties. Service Provider may update this DPA from time to time to reflect changes in Applicable Laws, industry practices, Subprocessors, security practices, or Processing practices, provided that such updates do not materially reduce the protections afforded to Personal Information under this DPA.

Capitalized terms used but not defined in this DPA have the meanings given to them in the Terms.

22. Contact

Privacy and data protection inquiries:

FNi+ Technologies Inc.

support@fniplus.ai