
Client privacy protection: 2026 guide for advisors using AI

Artificial intelligence is a powerful tool for financial security advisors. But every message you type into an AI tool could contain personal information protected by law. This practical guide explains exactly what to do — and what to never do — to use Atlas CSF+ and any other AI tool in full compliance with Loi 25, the CSF Code of Ethics, and Regulation 31-103.

Why protecting client personal information matters

As a financial security advisor, you hold some of the most sensitive information that exists: income, net worth, debts, health status, family situation, social insurance numbers. Protecting this information is not optional — it is a legal and ethical obligation, and violations can have severe consequences for your career and your clients.

Loi 25 (Quebec's modernized privacy law)

Since September 2023, Loi 25 (RLRQ c. P-39.1) imposes enhanced obligations on any person or organization that collects, uses, or communicates personal information in Quebec. It requires the designation of a person responsible for the protection of personal information, privacy impact assessments (PIA) before any new technology project involving personal information, mandatory notification to the Commission d'accès à l'information du Québec in the event of a confidentiality incident presenting a serious risk of harm, and the manifest, free, and informed consent of the individuals concerned.

Fines for non-compliance can reach $25,000,000 or 4% of global revenue. For an independent advisor, a single violation can mean the end of their practice.

CSF Code of Ethics (art. 16 to 20)

The Code of Ethics of the Chambre de la sécurité financière (RLRQ c. D-9.2, r. 3) enshrines professional secrecy in articles 16 to 20. Article 16 requires the representative to maintain the confidentiality of all information of a confidential nature obtained in the practice of their profession. Article 17 specifies that confidential information cannot be disclosed without the client's authorization, except where required or authorized by law. Articles 18 to 20 govern the use, retention, and destruction of information.

LDPSF and Regulation 31-103

The Act respecting the distribution of financial products and services (LDPSF, art. 16 and 27) reinforces confidentiality obligations. Regulation 31-103 on Registration Requirements, Exemptions and Ongoing Registrant Obligations (art. 13.2) requires registered persons to establish and maintain reasonable policies and procedures to protect client personal information. This includes digital tools you use in your practice.

Professional liability

If a client's personal information is exposed due to your use of an AI tool, you could face disciplinary sanctions from the CSF (reprimand, suspension, striking off), civil lawsuits from the client for damages, fines under Loi 25, and irreparable damage to your professional reputation. The good news: a few simple habits are enough to virtually eliminate all risk.

What you should NEVER type into an AI tool

The golden rule is simple: if the information can directly or indirectly identify a client, it should not be entered. Here is a practical reference table:

| NEVER type this | Type this instead |
| --- | --- |
| Jean-Pierre Tremblay | Client J.P.T. or "my client" |
| SIN 123-456-789 | Never enter this — never needed |
| Contract no. ABC-123456 | "their life insurance policy" |
| Date of birth 1965-03-15 | "61-year-old client" |
| 123 Saint-Denis Street, Montreal | Never enter this — never needed |
| 514-555-1234 | Never enter this — never needed |
| Marie Lapointe, nurse at the CHUM | "my 55-year-old nurse client" |
| Email [email protected] | Never enter this — never needed |

Atlas CSF+ never needs your client's full name, SIN, address, or phone number to provide a relevant answer. The AI works with situations, amounts, and ages — not identities.

Anonymization best practices

Adopting the right habits takes only a few seconds and quickly becomes automatic. Here are the recommended anonymization techniques:

1. Age instead of date of birth

Write "58-year-old client" instead of "born March 15, 1968". Age is sufficient for all retirement, insurance, and tax calculations. If the birth year is needed for a precise calculation, use only the year without the day or month.

2. Initials instead of full names

Use "Client M.L." or simply "my client". When comparing the situations of two clients, use "Client A" and "Client B". This is enough to structure the conversation without exposing personal information.

3. Describe the situation, not the person

Instead of "Marie Lapointe, nurse at the CHUM for 25 years", write "my client, a public sector nurse with 25 years of service". The role description and seniority provide all the information needed for a complete analysis without identifying the person.

4. Amounts are acceptable, identifiers are not

You can enter financial amounts (salary, RRSP, mortgage, policy value) because these figures alone do not identify a client. However, contract numbers, policy numbers, or account numbers are direct identifiers and must never be entered.

5. Redact before uploading

If you upload a document (account statement, insurance proposal, financial statement), first redact the name, SIN, contract numbers, and address. You can use a PDF redaction tool or simply copy the relevant figures into the chat without the identifiers. In Excel, use Find and Replace (Ctrl+H) to replace the full name with initials before exporting.

How Atlas CSF+ protects your data

Atlas CSF+ was designed from the ground up with personal information protection as a priority. Here are the technical measures in place:

Encryption in transit: all communications between your browser and our servers are encrypted via TLS (HTTPS). No data travels in plain text.

Encryption at rest: conversations are stored in Supabase with at-rest encryption (AES-256). Even in the event of unauthorized database access, the data remains unreadable.

Data isolation (RLS): Supabase's Row Level Security ensures that only you can see your conversations. No other user, not even an administrator, can access your exchanges.

Anthropic API: calls to Anthropic's API (Claude) are NOT used to train AI models. Your conversations are not used to improve the AI — they remain ephemeral on the provider's side.

No third-party sharing: your data is never sold, rented, or shared with third parties for marketing, advertising, or profiling purposes.

Deletion on demand: you can delete any conversation at any time. Deletion is permanent and removes the data from our database.

Document uploads: rules to follow

Atlas CSF+ accepts PDF, Excel, CSV, TXT files, and images to help you analyze financial data. Here are the rules to follow before any upload:

Always redact: the SIN, contract numbers, full names, and addresses. Use a digital black marker on PDFs or the Find and Replace function in Excel.

What is acceptable: anonymized financial statements, asset allocations, performance tables, retirement projections, and insurance product schedules. Financial data without identifiers does not constitute personal information.

Server-side processing: Atlas extracts the text from the document on the server side for analysis and does not retain the original file. The content is processed in memory, sent to the AI for analysis, and then the response is returned to you.

Practical tip: rather than uploading an entire document, copy and paste only the relevant figures into the chat. For example: "My client has an RRSP of $245,000, a TFSA of $82,000, a projected RREGOP pension of $48,000/year, and a salary of $85,000. What drawdown strategies do you recommend?"

What to do if you accidentally shared personal information

Mistakes happen. If you realize that you accidentally entered a client's full name, SIN, or other identifying information, follow these steps:

Step 1: immediately delete the conversation in Atlas CSF+ by clicking the delete button. The data is removed from our database.

Step 2: API calls to Anthropic are ephemeral. The data is not retained by the AI provider and is not used for training.

Step 3: assess the risk of harm. If a client's SIN was exposed, Loi 25 requires you to document the incident in a confidentiality incident register. If there is a serious risk of harm, you must notify the Commission d'accès à l'information du Québec and the individual concerned.

Step 4: restart the conversation using proper anonymization practices. Take a second to re-read your message before sending it.

In the vast majority of cases, immediately deleting the conversation is sufficient to eliminate all risk. The important thing is to act quickly and not ignore the mistake.

Quick checklist: before every message

Before pressing Send, ask yourself these four questions:

1. Does this message contain a full name? If yes, replace it with initials (J.P.T.) or "my client".

2. Does this message contain a SIN? If yes, remove it. Atlas CSF+ never needs it to answer your questions.

3. Does this message contain a contract, policy, or account number? If yes, describe the product instead: "their permanent life insurance", "their RRSP with Assumption Life".

4. Could someone identify my client from this message? If yes, remove the identifying elements. Combine techniques: initials + age + role rather than name + employer + date of birth.

By following these four habits, you fully comply with your ethical and legal obligations, while getting perfectly tailored answers for your client's situation.

Concrete example: good vs. bad practice

Bad practice (do not replicate)

"Jean-Pierre Tremblay, born March 15, 1965, SIN 234-567-890, universal life contract #UL-456789 with Assumption Life, works as an engineer at Hydro-Quebec since 1990. He wants to retire at 62. His RRSP is $340,000. How much will he receive from RREGOP?"

Good practice (follow this model)

"My client, a public sector engineer, 61 years old, 35 years of service. He has a universal life insurance policy and an RRSP of $340,000. He wishes to retire at 62. What would his estimated RREGOP pension be and what drawdown strategies do you recommend?"

Both messages describe the same situation. But the second provides exactly the same quality of information for analysis without exposing any personal information. Atlas's response will be identical in both cases.
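The pre-send checklist and the bad/good pair above can also be checked mechanically before a draft leaves the browser or a text export is uploaded. The Python below is an added example, not Atlas CSF+ code: the patterns, labels and function names are assumptions, it also covers the phone and email rows of the reference table, and the full-name rule is a low-confidence heuristic that matches company names too.

```python
import re

# Heuristic patterns for the guide's "NEVER type this" table (assumptions).
PATTERNS = {
    "sin": re.compile(r"\b\d{3}[- ]?\d{3}[- ]?\d{3}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "contract_number": re.compile(r"#?\b[A-Z]{2,4}-\d{5,}\b"),
    "date_of_birth": re.compile(
        r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b|\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug"
        r"|Sep|Oct|Nov|Dec)[a-z]*\.? \d{1,2}, (?:19|20)\d{2}\b"),
    # Two capitalized words in a row: low confidence, also hits company names.
    "possible_full_name": re.compile(r"\b[A-Z][a-z]+(?:-[A-Z][a-z]+)? [A-Z][a-z]+\b"),
}

# Excerpts of the guide's own "bad practice" and "good practice" messages.
BAD = ("Jean-Pierre Tremblay, born March 15, 1965, SIN 234-567-890, universal "
       "life contract #UL-456789 with Assumption Life")
GOOD = ("My client, a public sector engineer, 61 years old, 35 years of "
        "service. He has a universal life insurance policy and an RRSP of $340,000.")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which valid Canadian SINs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def scan(message: str) -> list[tuple[str, str]]:
    """Return (kind, text) for each identifier-shaped span in a draft."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(message):
            # Checksum failures are relabelled, not dropped: a mistyped SIN still leaks.
            bad_sum = kind == "sin" and not luhn_ok(re.sub(r"\D", "", m.group()))
            findings.append(("sin_shaped" if bad_sum else kind, m.group()))
    return findings


def redact(message: str) -> str:
    """Replace high-confidence matches; names are left for human review."""
    for kind, pattern in PATTERNS.items():
        if kind != "possible_full_name":
            message = pattern.sub(f"[{kind} removed]", message)
    return message
```

`scan(BAD)` flags the SIN-shaped number, the date of birth, the contract number and two capitalized word pairs, while `scan(GOOD)` returns an empty list. The SIN in the bad-practice message fails the checksum and is still reported, which is the behaviour you want from a pre-send guard.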

Regulatory references

Loi 25 — An Act to modernize legislative provisions as regards the protection of personal information (RLRQ c. P-39.1). In force since September 2023.

CSF Code of Ethics — RLRQ c. D-9.2, r. 3, articles 16 to 20 (professional secrecy, use and retention of confidential information).

LDPSF — Act respecting the distribution of financial products and services, articles 16 and 27 (representative's confidentiality obligations).

Regulation 31-103 — Regulation respecting Registration Requirements, Exemptions and Ongoing Registrant Obligations, article 13.2 (protection of client personal information).

Frequently asked questions

Can I enter my client’s full name in Atlas CSF+?

No. Always use initials (J.P.T.), a pseudonym (Client A), or a role description (my 55-year-old nurse client). A full name is personal information under Loi 25 and the CSF Code of Ethics (art. 16-20). Anonymization protects your client and protects you as a professional.

What should I do if I accidentally entered a client’s SIN in a conversation?

Delete the conversation immediately using the delete button in Atlas CSF+. The data is removed from our database. API calls to Anthropic are ephemeral and are not retained for training. If a SIN was exposed, document the incident as required by Loi 25 (notify the Commission d’accès à l’information if there is a serious risk of harm).

Are my conversations in Atlas CSF+ used to train the AI?

No. Atlas CSF+ uses Anthropic’s API, which does not retain API call data for model training. Your conversations are encrypted in transit (TLS) and at rest in Supabase. Only you can see your conversations through Row Level Security (RLS). No data is shared with third parties for marketing purposes.

Can I upload a client account statement to Atlas CSF+?

Yes, but you must anonymize the document first. Redact (black out) the full name, SIN, contract numbers, and address before uploading. Financial amounts, asset allocations, and returns can remain visible as they do not allow client identification. Use Find and Replace in Excel to quickly anonymize CSV or XLSX files.

What are my legal obligations regarding confidentiality as a financial security advisor?

The CSF Code of Ethics (art. 16 to 20) requires professional secrecy for all information obtained in the course of your duties. The LDPSF (art. 16, 27) reinforces this obligation. Regulation 31-103 (art. 13.2) requires the protection of client personal information. Loi 25 (RLRQ c. P-39.1) applies to any person collecting personal information in Quebec. Non-compliance can result in disciplinary sanctions, civil lawsuits, and fines up to $25,000,000 or 4% of global revenue.

Use AI with confidence

Atlas CSF+ is designed to protect your data and your clients' data. Read our complete privacy policy and user guide to learn more.

Summary: Practical guide for financial security advisors on protecting clients' personal information when using AI tools such as Atlas CSF+. Covers Loi 25, the CSF Code of Ethics (art. 16-20), Regulation 31-103, anonymization best practices (initials, age instead of date of birth, role descriptions instead of full names), document upload rules, how Atlas CSF+ protects your data (encryption, RLS, no AI training), and what to do if you make a mistake. Includes a reference table and a 4-point checklist.