RBC Express Privacy Statement
This Privacy Statement describes how Royal Bank of Canada, operating the RBC Express commercial banking portal, collects, uses, discloses and retains personal information in alignment with the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the Quebec Loi sur la protection des renseignements personnels dans le secteur privé (Loi 25 / Bill 64), the Alberta and British Columbia Personal Information Protection Act (PIPA), and OSFI operational expectations including Guideline B-13 on technology and cyber risk.
Last updated: 18 April 2026. Inquiries on this Privacy Statement are directed to the RBC Express Privacy Officer at privacy@rbcexpress.at. General RBC Express support is available at 1-800-769-2555 (international: +1-416-974-5151) Monday to Friday, 8:00am to 8:00pm Eastern Time.
1. Information RBC Express Collects
RBC Express collects only the personal and organisational information reasonably necessary to provide commercial banking services, comply with applicable law and protect the security of the portal.
Personal & Authentication Data
Name, title, employer, business email, business telephone, Client Card number, Service Card number (authentication identifiers, not personal identifiers), password hash (never plaintext), RBC Secure Key binding reference, biometric template result (not the template itself — biometric material stays on-device in the Apple Secure Enclave or Android Trusted Execution Environment), language preference (English or French), accessibility preferences, and role-based permission configuration.
Account & Transaction Data
Account numbers and balances, transaction history (initiator, approver, beneficiary, amount, currency, value date, BAI2 Type Code, MT reference), FX rate and spread on executed contracts, Interac e-Transfer for Business correspondent, supplier and vendor reference data, wire beneficiary details, OFAC/FINTRAC screening results, and GL code mappings configured by the Company Administrator. Retention of account and transaction data is 7 years in alignment with OSFI and CRA record-keeping expectations.
Device & Session Data
IP address, browser user agent, operating system version, device fingerprint (hashed), session identifier, idle timeout tracking, IP allowlist evaluation result, country-level geolocation (not precise latitude/longitude), login timestamp and duration, and failed authentication attempts. This information supports fraud detection, session integrity and OSFI B-13 technology and cyber risk controls.
Communication Data
Correspondence with the RBC Express Service Centre (recorded phone calls for quality and fraud-defence purposes with a disclosed retention period), secure message exchanges inside the portal, help-desk tickets and email correspondence with privacy@rbcexpress.at. Phone recordings follow the disclosure heard at call start and are retained per the Office of the Privacy Commissioner of Canada guidance on call recording in federally-regulated contexts.
2. Purposes for Collection and Use
RBC Express uses personal information only for the purposes disclosed at collection or subsequently authorised by consent or by law.
Primary purposes include: providing commercial banking services (wires, EFT, international payments, treasury management, foreign exchange, reporting); authenticating RBC Express users at every sign-in; preventing fraud and unauthorised access through behavioural analytics and device risk scoring; complying with anti-money-laundering obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) administered by FINTRAC; complying with sanctions screening obligations (OFAC and equivalent Canadian lists); complying with OSFI Guideline B-13 technology and cyber risk; complying with CRA tax information reporting; providing audit trails for commercial client internal controls and external audit; and improving RBC Express reliability and usability through anonymised service metrics.
3. Consent
RBC Express relies on express consent for most processing activities and on the implied consent or legal obligation bases permitted by PIPEDA, Loi 25 and provincial PIPA statutes for specific regulatory processing.
Express consent is obtained at the time a commercial client executes the RBC treasury services agreement and the Company Administrator provisions delegated users. Consent is also obtained at specific in-portal moments such as the initial bind of an RBC Secure Key token or the first sign-in activation flow. Implied consent supports processing reasonably necessary for the delivery of requested services — for example, beneficiary data inside a wire payment must be processed to execute the payment. Legal obligation supports processing required by PCMLTFA, OSFI guideline compliance, CRA reporting and court orders.
Under Quebec Loi 25 enhanced consent requirements, high-sensitivity processing is subject to an explicit, informed and granular consent with a right to withdraw. Consent withdrawal may impair RBC Express service delivery where the processing is essential to the service — for example, refusing wire beneficiary screening prevents the wire from being executed because regulatory screening is a legal prerequisite.
4. Data Retention and Sharing Matrix
Seven categories of RBC Express data with their purpose, retention period and the parties with whom they are shared.
| Data Category | Purpose | Retention | Shared With |
|---|---|---|---|
| Authentication identifiers | Sign-in and session security | Duration of relationship + 7 years | RBC group; no third parties |
| Transaction records | Service delivery, audit, tax | 7 years (OSFI / CRA) | Payments Canada, correspondents, CRA on request |
| AML & sanctions screening | PCMLTFA / sanctions compliance | 7 years (FINTRAC) | FINTRAC on reportable events |
| Device & session logs | Fraud prevention, B-13 resilience | 7 years | RBC cyber group; law enforcement on warrant |
| Phone recordings | Quality assurance, fraud defence | 24 months | RBC Service Centre audit |
| Marketing preferences | Communication management | Until withdrawn + 2 years | RBC marketing operations |
| Cookies (necessary / functional) | Portal operation, language | Session to 12 months | None; first-party |
5. Third-Party Disclosure
RBC Express discloses personal information only to the parties necessary to deliver the service, to comply with law, or where the individual has consented.
Third-party recipients include: Canadian regulators (OSFI, FINTRAC, CRA, Bank of Canada, provincial securities commissions as applicable); payment network operators (Payments Canada for Lynx and AFT clearing, SWIFT for international messages, Interac for e-Transfer for Business); correspondent banks for cross-border payments routing; contracted service providers supporting RBC infrastructure (cloud infrastructure, SOC 2-audited datacentre operations, security operations) bound by confidentiality and data-protection contracts consistent with PIPEDA and Loi 25 requirements; affiliates within the Royal Bank of Canada group for integrated service delivery; external auditors appointed by RBC or by the commercial client; and law enforcement or courts where required by valid legal process.
6. Cross-Border Data Transfers
RBC Express is operated primarily from Canadian infrastructure. Limited cross-border transfer may occur for contracted service providers, correspondent banking and RBC group affiliates.
Where personal information is transferred outside Canada, RBC Express relies on contractual protections aligned with PIPEDA principles and the enhanced Quebec Loi 25 requirements for cross-border transfer impact assessments. Typical jurisdictions receiving data include the United States (correspondent banks, SWIFT message routing through United States nodes), the United Kingdom (RBC affiliates in London for FX and capital markets), the European Union (GDPR-compliant affiliates) and contracted cloud providers operating in audited datacentres. Data subjects may contact the RBC Express Privacy Officer at privacy@rbcexpress.at for transfer impact assessment summaries relevant to their processing.
7. Security Controls
RBC Express security is audited against SOC 2 Type II annually and operates under OSFI Guideline B-13 on technology and cyber risk.
Encryption
TLS 1.3 in transit on every RBC Express session. AES-256 at rest on RBC datacentre storage. SSH on SFTP delivery. PGP on email attachments carrying sensitive financial output. No personal or financial information is transmitted unencrypted by the RBC Express platform.
Authentication
Multi-factor authentication on every RBC Express sign-in via Client Card, Service Card, password and RBC Secure Key. Biometric sign-in on mobile using Face ID, Touch ID or Android BiometricPrompt class 3 (strong). Device risk scoring and IP allowlisting configurable per organisation. Account lockout after five failed attempts.
Monitoring
24/7 security operations monitoring the RBC Express platform. Anomaly detection on sign-in patterns and payment flows. Automated alerts on unusual behaviour with human analyst follow-up. Annual SOC 2 Type II audit and continuous compliance with OSFI B-13 technology and cyber risk expectations.
8. User Rights
PIPEDA, Quebec Loi 25 and provincial PIPA statutes grant RBC Express users rights to access, correct, port and in some cases erase their personal information.
Data Retention Snapshot
- Access: Written request to privacy@rbcexpress.at. Response within 30 days (PIPEDA).
- Correction: Submit corrected data with supporting documentation. Update applied across RBC Express systems.
- Portability (Loi 25): Quebec residents may request structured export of their personal data.
- Erasure (Loi 25): Right to be forgotten where data is no longer necessary for the original purpose and no legal retention obligation applies.
- Opt-out (marketing): Unsubscribe link, account settings or phone 1-800-769-2555.
Requests to exercise rights should identify the individual, describe the right being exercised and specify the data in scope. RBC Express may require identity verification to prevent unauthorised disclosure. Rights may be subject to legal exceptions — for example, transaction data subject to the 7-year OSFI and CRA retention window cannot be erased before that window closes, and fraud-investigation data is preserved during investigation regardless of erasure requests.
9. Cookies
RBC Express uses first-party cookies only. No marketing or advertising trackers run on authenticated portal surfaces.
Strictly necessary cookies support authenticated session management, CSRF protection and security token rotation — these cookies cannot be disabled without breaking RBC Express functionality. Functional cookies remember language preference (English or French), accessibility settings (font scaling, reduced motion) and layout preferences — these may be disabled at the cost of re-entering preferences on every visit. Anonymised analytics cookies measure portal performance in aggregate without identifying individual users; these may be disabled via browser settings without affecting service delivery. Browser settings control all cookies at the device level.
10. Children's Privacy
RBC Express is not directed to and does not knowingly collect personal information from anyone under 18 years of age.
RBC Express is a commercial banking portal for registered businesses and institutional clients. Delegated users provisioned by Company Administrators are expected to be employees or authorised agents of commercial clients, 18 years of age or older. If you believe personal information of a minor has been submitted to RBC Express in error, contact the RBC Express Privacy Officer at privacy@rbcexpress.at for immediate review and deletion.
11. Privacy Officer and Complaint Mechanisms
RBC Express operates under a designated Privacy Officer accountable for compliance with this Privacy Statement and the supporting regulatory frameworks.
First Contact: RBC Express Privacy Officer
Email: privacy@rbcexpress.at. Mail correspondence: Royal Bank of Canada, Privacy Office, Toronto, Ontario. Response within 30 days per PIPEDA timeline. The Privacy Officer is responsible for handling access requests, correction requests, erasure requests under Loi 25, portability requests and complaints about the handling of personal information by RBC Express.
Federal and Provincial Escalation
Federal: Office of the Privacy Commissioner of Canada (OPC) for PIPEDA-governed complaints. Quebec: Commission d'accès à l'information du Québec (CAI) for Loi 25 complaints. Alberta: Office of the Information and Privacy Commissioner of Alberta for PIPA (Alberta). British Columbia: Office of the Information and Privacy Commissioner for BC for PIPA (BC). Commissioners act independently and may investigate complaints independently of RBC Express's internal resolution process.
Last updated: 18 April 2026. This Privacy Statement is subject to periodic updates reflecting changes to Canadian privacy law, Quebec Loi 25 enforcement guidance, OSFI expectations and operational improvements. Material changes will be communicated to Company Administrators via RBC Express in-portal notification and email. The authoritative version is hosted at https://rbcexpress.at/privacy-policy.html.