Privacy Policy | TD Business Central

1. Information Collection

We collect personal information necessary to provide, maintain and improve the TD Business Central business banking portal. The categories of information we collect include:

Account Registration Information: Company name, business registration number, Company ID, User ID, full name, business email address, business phone number, job title and role designation. This information is collected during enrollment when your organization establishes a TD Business Central account.

Authentication Data: Passwords (stored in hashed form only), multi-factor authentication device identifiers, biometric authentication tokens (stored on-device only, not on our servers), IP addresses used during login, browser fingerprint data and device identifiers for trusted device management.

Transaction Data: Payment instructions, wire transfer details, EFT batch files, bill payment records, payroll files, foreign exchange conversion records, account balances, transaction histories and report outputs generated through the platform.

Technical Data: Browser type and version, operating system, screen resolution, session duration, pages visited within the platform, feature usage patterns and error logs. This data is collected automatically through server logs and is used for platform performance monitoring and troubleshooting.

Communication Records: Transcripts of live chat sessions, email correspondence with our support team, phone call metadata (date, time, duration) and case reference documentation related to customer service interactions.

2. Use of Information

We use your personal information for the following purposes:

Service Delivery: Processing payment instructions, executing wire transfers, managing payroll disbursements, generating financial reports and maintaining accurate account records within the TD Business Central platform.

Authentication and Security: Verifying your identity during login, enforcing multi-factor authentication, detecting unauthorized access attempts, monitoring for fraudulent transaction patterns and maintaining audit trails as required under OSFI regulatory guidelines.

Platform Improvement: Analyzing usage patterns to improve interface design, optimize feature workflows and identify technical issues. This analysis uses aggregated, de-identified data wherever possible.

Customer Support: Responding to your inquiries, resolving technical issues, processing escalation requests and maintaining records of support interactions for quality assurance and training purposes.

Legal and Regulatory Compliance: Meeting obligations under PIPEDA, the Bank Act (Canada), OSFI guidelines, Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and other applicable federal and provincial legislation.

3. Data Protection

TD Business Central employs multiple layers of technical and organizational safeguards to protect your personal information:

Encryption: All data in transit is protected by TLS 1.3 encryption. Data at rest is encrypted using AES-256 encryption standards. Database-level encryption ensures that even in the event of physical media theft, your data remains unreadable without the encryption keys.

Access Controls: Internal access to personal information is restricted to authorized personnel on a need-to-know basis. All access is logged and subject to regular audit. Role-based access controls within the platform ensure users only see data relevant to their assigned permissions.

Infrastructure Security: All TD Business Central servers are hosted in Canadian data centres that meet Tier III+ facility standards. Physical access requires biometric authentication, security clearance and documented authorization. Network infrastructure is monitored 24/7 by dedicated security operations teams.

Incident Response: We maintain a documented incident response plan that includes breach detection, containment, notification and remediation procedures. In the event of a data breach affecting your personal information, we will notify you and the Office of the Privacy Commissioner of Canada as required under PIPEDA's mandatory breach reporting provisions.

4. Third-Party Sharing

We do not sell your personal information. We share personal information with third parties only in the following circumstances:

Payment Processing Partners: When you initiate wire transfers, EFT payments or international transactions, the necessary payment details (beneficiary name, account number, routing information, amount) are shared with correspondent banks, payment networks (SWIFT, Payments Canada) and intermediary financial institutions required to complete the transaction.

Service Providers: We engage third-party service providers for specific functions including data centre hosting, network monitoring, fraud detection analytics and customer communication delivery (SMS for MFA codes). These providers are contractually bound to use your information solely for the services we have engaged them to provide and are subject to equivalent data protection standards.

Legal Requirements: We may disclose personal information when required by law, court order, regulatory directive or government request. This includes disclosures to FINTRAC under anti-money laundering obligations, to OSFI under regulatory examination powers and to law enforcement agencies with valid legal process.

With Your Consent: We may share your information with other parties when you have provided explicit consent, such as when authorizing a third-party accounting integration or data export to an external system.

5. Cookies and Tracking Technologies

TD Business Central uses cookies and similar technologies for the following purposes:

Essential Cookies: Required for platform functionality. These cookies maintain your authenticated session, enforce security controls and enable core features. Disabling essential cookies will prevent you from using the platform.

Performance Cookies: Collect anonymized data about how you use the platform, including pages visited, features used and error occurrences. This data helps us identify performance issues and optimize the user experience. Performance cookies do not collect personally identifiable information.

Preference Cookies: Store your platform preferences such as dashboard layout, default report settings and language selection. These cookies improve your experience by remembering your configurations between sessions.

We do not use advertising or tracking cookies. TD Business Central does not serve ads, does not participate in ad networks and does not share cookie data with marketing platforms. You can manage cookie preferences through your browser settings. Note that blocking essential cookies will prevent access to the platform.

6. Data Retention

We retain your personal information for the following periods:

Account Information: Retained for the duration of your active account and for seven years following account closure, as required under federal financial record-keeping regulations.

Transaction Records: Retained for a minimum of seven years from the date of the transaction, in compliance with the Bank Act, PCMLTFA and Canada Revenue Agency record-keeping requirements.

Authentication Logs: Login records, MFA verification logs and session data are retained for two years for security audit purposes.

Support Communications: Chat transcripts, email correspondence and case records are retained for three years from the date of the last interaction related to a specific case.

Technical Logs: Server logs and performance data are retained for one year in identified form and may be retained indefinitely in aggregated, de-identified form for trend analysis.

When retention periods expire, personal information is securely destroyed using methods appropriate to the storage medium, including cryptographic erasure for digital records and cross-cut shredding for physical documents.

7. Your Rights Under PIPEDA

As a user of TD Business Central, you have the following rights under the Personal Information Protection and Electronic Documents Act (PIPEDA):

Right of Access: You have the right to request access to the personal information we hold about you. We will respond to access requests within 30 days. In certain circumstances, we may be unable to provide access to specific information — for example, where disclosure would reveal personal information about another individual or where the information is subject to solicitor-client privilege.

Right of Correction: You have the right to request correction of personal information that is inaccurate or incomplete. If we agree the information requires correction, we will update our records and notify any third parties to whom the incorrect information was disclosed.

Right to Withdraw Consent: You may withdraw consent for the collection, use or disclosure of your personal information at any time, subject to legal or contractual restrictions. Note that withdrawing consent for essential data processing may result in our inability to provide TD Business Central services to you.

Right to Complain: If you believe your privacy rights have been violated, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada at 30 Victoria Street, Gatineau, Quebec K1A 1H3, or by calling 1-800-282-1376.

8. Contact Information

For questions about this Privacy Policy, to exercise your privacy rights or to raise a concern about our data handling practices, contact us through any of the following channels:

Privacy Officer
TD Business Central
Email: privacy@businesscentral.co.com
Phone: 1-866-222-3456 (ask for the Privacy Office)

Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec K1A 1H3
Phone: 1-800-282-1376
Website: www.priv.gc.ca

We review and update this Privacy Policy periodically to reflect changes in our data practices, legal requirements or platform functionality. Material changes will be communicated through a notice on the TD Business Central platform. We encourage you to review this page regularly.