Important Facts
CIBC Digital Business is committed to protecting the privacy of the individuals and organizations that use our commercial banking services. This privacy policy describes our practices regarding the collection, use, disclosure, and safeguarding of information obtained through our banking relationships, digital platforms, and website. It applies to business account holders, authorized users, website visitors, and any individual whose personal data we process in connection with the services we provide.
As a commercial banking provider operating across the Caribbean, CIBC Digital Business processes information under the data protection frameworks applicable in the jurisdictions where we offer services. These frameworks share common principles — lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality — that guide our approach to handling personal and business information. This privacy policy should be read alongside the terms and conditions applicable to your specific CIBC Digital Business account and any supplemental privacy notices provided during account onboarding or when new services are activated.
We may update this privacy policy periodically to reflect changes in our data processing practices, regulatory requirements, or the services we offer. When material changes occur, we notify affected account holders through the contact methods registered to their CIBC Digital Business profile. The effective date at the top of this policy indicates when the current version took effect. Continued use of CIBC Digital Business services after a policy update constitutes acceptance of the revised terms, to the extent permitted by applicable law.
Information We Collect
CIBC Digital Business collects information necessary to establish and maintain commercial banking relationships, process transactions, comply with regulatory obligations, and protect against fraud and financial crime. The categories of information we collect depend on the services you use and your role in relation to a business account.
For business account applications and ongoing relationship management, we collect company identification information including legal entity name, registration number, jurisdiction and date of incorporation, registered address, and business activity description. We collect information about authorized signatories and beneficial owners as required by CFATF anti-money laundering standards and regional know-your-customer regulations. This includes full legal names, dates of birth, nationalities, residential addresses, government-issued identification document details, and specimen signatures.
Through your use of CIBC Digital Business banking services, we generate and collect transaction data including account balances, deposit and withdrawal records, wire transfer details with beneficiary information, foreign exchange transactions and rates applied, payment instructions and execution status, and merchant processing activity. Technical data from your interactions with our digital platforms includes IP addresses, device identifiers, browser type and version, operating system, login timestamps, pages and features accessed, and session duration. This technical data supports platform security, troubleshooting, and service improvement initiatives.
Communication data — records of your interactions with our support team, relationship managers, and other CIBC Digital Business personnel — is retained for service quality monitoring, dispute resolution, and regulatory compliance purposes. This includes telephone call recordings where disclosed at the start of the call, email correspondence, secure messages sent through the banking platform, and records of in-person meetings at our banking centres.
How We Use Information
CIBC Digital Business uses collected information for specified, explicit, and legitimate purposes. We do not process personal data in ways that are incompatible with the purposes for which it was originally collected without providing appropriate notice and, where required, obtaining consent.
The primary use of personal and business information is the provision and administration of the banking services you have requested. This includes opening and maintaining accounts, processing transactions, providing customer support, managing user access and permissions, and communicating service-related information including statement availability, transaction confirmations, and security alerts. Without this processing, we cannot fulfil our contractual obligations to provide the banking services you rely on.
Regulatory compliance constitutes a significant category of data processing for any financial institution. CIBC Digital Business processes information to comply with anti-money laundering and counter-terrorist financing obligations under CFATF standards and applicable regional laws, to fulfil tax reporting requirements including FATCA and CRS obligations where applicable, to respond to lawful requests from regulatory authorities and law enforcement agencies, and to maintain records required by banking regulations in each jurisdiction where we operate. These processing activities are mandated by law and do not require consent.
We process information to protect the security and integrity of our banking platform and to prevent fraud. This includes transaction monitoring to detect unusual patterns that may indicate fraud or money laundering, authentication and access control enforcement, investigation of security incidents, and enhancement of our security infrastructure based on threat intelligence. The FinCEN guidance on suspicious activity monitoring informs our approach to this category of processing, which serves both our legitimate business interests and the broader public interest in financial system integrity.
Service improvement and business analytics represent a category of processing based on our legitimate interest in providing effective, efficient, and relevant banking services. We analyze aggregated and de-identified usage patterns to understand how clients interact with our digital platforms, which features provide the most value, and where improvements would enhance the banking experience. We do not use personal data for automated decision-making that produces legal effects or similarly significant impacts without human review.
Data Sharing and Disclosure
CIBC Digital Business shares information only as necessary and under appropriate safeguards. We do not sell personal data to third parties, and we do not share information for third-party marketing purposes without explicit consent.
The following table summarizes the categories of data we process and the primary purposes for which each category is used.

| Data Category | Examples | Primary Purpose | Legal Basis |
|---|---|---|---|
| Corporate identity data | Company name, registration number, address | Account establishment and maintenance | Contractual necessity, legal obligation |
| Individual identity data | Names, dates of birth, ID documents | KYC compliance, signatory verification | Legal obligation (CFATF/AML) |
| Contact data | Email, phone, physical addresses | Service communication, security alerts | Contractual necessity, legitimate interest |
| Transaction data | Payments, balances, FX conversions | Service provision, fraud detection | Contractual necessity, legal obligation |
| Technical data | IP addresses, device info, login logs | Platform security, troubleshooting | Legitimate interest |
| Communication data | Support records, call recordings | Service quality, dispute resolution | Legitimate interest, consent (calls) |
| Compliance data | Ownership records, tax forms | Regulatory reporting, audits | Legal obligation |

Correspondent banks and payment intermediaries receive transaction data necessary to process wire transfers and international payments. This sharing is inherent in the operation of the global payments system. The data shared is limited to what the payment message standards require — typically beneficiary name, account number, amount, currency, and purpose code — and is transmitted through secure SWIFT or regional payment network channels.
Service providers who support our operations — including cloud infrastructure providers, cybersecurity monitoring services, document management systems, and communication platforms — process data under contractual agreements that mandate data protection standards equivalent to those we apply internally. These providers may only use the data for the specific purposes we authorize and must delete or return data upon termination of the service agreement.
Regulatory authorities, law enforcement agencies, and courts may require disclosure of information under applicable laws. CIBC Digital Business reviews each such request for legal validity before disclosing information, and where legally permissible, we notify affected account holders of regulatory requests unless notification is prohibited by law or would compromise an investigation.
Your Data Privacy Rights
Individuals whose personal data CIBC Digital Business processes have rights regarding that data, subject to applicable legal frameworks and exemptions. These rights generally include the ability to access the personal data we hold about you, to request correction of inaccurate or incomplete data, to request deletion of data where processing is no longer necessary or lawful, to restrict processing in certain circumstances, to object to processing based on legitimate interests, and to receive a copy of your data in a structured, commonly used format for portability to another service provider.
Exercising these rights typically requires submitting a written request through the contact channels listed at the end of this privacy policy. We verify the identity of anyone making a data rights request to prevent unauthorized disclosure. Responses are provided within the timeframe required by applicable law — generally thirty days, with the possibility of extension for complex requests. Where we cannot fulfil a request — for example, if deletion would conflict with our legal obligation to retain transaction records for regulatory periods — we explain the basis for our inability to comply.
If you believe CIBC Digital Business has not adequately addressed your privacy concerns, you have the right to lodge a complaint with the data protection authority in your jurisdiction. Contact information for regional data protection authorities is available through the UWI Cave Hill faculty of law, which maintains a directory of Caribbean data protection regulators and their complaint procedures.
Cookies and Tracking Technologies
The CIBC Digital Business website and online banking platforms use cookies and similar technologies for essential functionality, security, and analytics purposes. Essential cookies enable core platform functions — session management that keeps you logged in during your banking session, security cookies that support authentication and fraud detection, and load-balancing cookies that distribute traffic across our server infrastructure. These cookies are necessary for the platform to function and cannot be disabled without impairing service delivery.
Analytics cookies help us understand how visitors interact with our public-facing website. These cookies collect aggregated, de-identified information about page visits, navigation paths, and time spent on content. We use this information to improve website structure and content relevance. Analytics cookies are not deployed within the authenticated banking platform — the transaction data processed through your banking session is subject to the data usage provisions described elsewhere in this policy, not to cookie-based analytics.
Third-party cookies from advertising networks, social media platforms, or data brokers are not used on the CIBC Digital Business website or banking platforms. We do not engage in behavioural advertising, retargeting, or profiling based on browsing activity across third-party websites. This approach reflects both our commitment to privacy and the practical reality that commercial banking relationships are not built through the advertising techniques that consumer-facing businesses employ.
You can manage cookie preferences through your browser settings. Most browsers allow you to block third-party cookies, delete cookies when the browser closes, and configure site-specific cookie permissions. Note that blocking essential cookies will prevent the CIBC Digital Business online banking platform from functioning correctly, as session management and authentication depend on these cookies.
Data Security and Retention
CIBC Digital Business implements technical and organizational security measures designed to protect personal and business information against unauthorized access, alteration, disclosure, or destruction. All data transmitted between your device and our platforms is encrypted using TLS 1.3. Data stored within our infrastructure is encrypted at rest using AES-256. Access to production systems is restricted to authorized personnel whose roles require such access, enforced through multi-factor authentication and role-based access controls. Our security programme undergoes regular independent audits and penetration testing to identify and remediate vulnerabilities.
We retain personal and business information only for as long as necessary to fulfil the purposes for which it was collected and to comply with legal and regulatory retention requirements. Transaction records are retained for the period required by banking regulations in each jurisdiction — typically five to ten years following account closure or transaction date. Identification and verification records collected during KYC processes are retained for the period mandated by AML regulations after the business relationship ends. Communication records are retained for a period consistent with service quality monitoring and dispute resolution needs.
When the retention period for a category of data expires, we securely delete or anonymize the information. Deletion processes include secure erasure from production systems, backups, and any offline or archived copies. Anonymized data, from which all identifiers have been irreversibly removed, may be retained indefinitely for statistical and analytical purposes, as such data no longer constitutes personal information subject to data protection obligations.
Contacting Us About Privacy
For questions about this privacy policy, to exercise your data protection rights, or to report a privacy concern, you may contact CIBC Digital Business through any of the following channels. Our privacy team reviews all inquiries and responds within the timeframe required by applicable data protection law.
Written correspondence should be directed to the Privacy Office at our registered business address. Include "Privacy Inquiry" in the subject line of email communications to ensure routing to the appropriate team. Telephone inquiries regarding privacy matters are handled through the main business contact number, +1 (246) 555-0180, with a request for transfer to the Privacy Office. Account holders may also submit privacy-related inquiries through the secure messaging function within the CIBC Com banking portal after completing CIBC Business Login, which provides an authenticated channel for identity verification during privacy-related communications.