Heritage Resource Limited Partnership (“Heritage Royalty” or the “Company”) is committed to protecting and maintaining the confidentiality, security and accuracy of the Personal Information of any Company Representatives and other third parties that is collected, in its possession, used or under its control, and disclosed as a result of normal business operations.

The Company collects, uses and discloses Personal Information about its Representatives, customers, suppliers, and others with whom it has contact in the course of conducting its normal business operations, including for purposes of establishing, managing or terminating employment and contractual relationships between Representatives and the Company. This privacy policy (the “Policy”) describes and governs the collection, use and disclosure of Personal Information by the Company.

This Policy and its related practices applies to the Company, and to each individual that acts as a Representative or prospective Representative of the Company, as a condition of their employment with the Company as well as any other individuals, including third parties, that may have access to Personal Information in the Company’s possession.

When a Representative, customer or supplier provides the Company with Personal Information, that individual consents to the Company’s collection, use, and possible disclosure of their Personal Information and agrees to the terms for accessing and correcting such Personal Information as described below.

The Policy governs the Company’s activities that are subject to the provisions of applicable privacy legislation, including the Personal Information Protection and Electronic Documents Act (Canada) and, where applicable, its equivalent in each province, including the Personal Information Protection Act
(Alberta).

For purposes of this Policy:

A. “Personal Information” Information, recorded in any form, about an identifiable individual (including, but not limited to: (i) for employees: name, home address, email address and phone number, names of partners and spouses, birthday, social insurance number, performance appraisals, medical and benefit information, or hobbies and interests; and (ii) for customers: credit information, billing records, service and equipment, and any recorded complaints). This does not include the business name, business title, business address or business contact information i.e. telephone/facsimile number or business email address, when used for business communications. Also, it does not include anonymous, aggregated or non-personal information or statistical data (i.e. information that cannot be associated with or tracked back to a specific individual).

B. “Representative” A director, officer, employee or independent consultant of the Company

The Company collects and maintains different types of Personal Information about individuals with whom it interacts (such as those who seek to be, are, or were employed by the Company, or customers or suppliers), including:

• • Identification and contact information: such as a Representative’s name, home address, telephone, personal email address, date of birth, social insurance number, marital and dependents status, videos, photographs, and beneficiary and emergency contact information.
• • Employment information: such as a Representative’s job title, resumes and/or applications, interview notes, letters of offer and acceptance of employment, compensation and benefit information, background verification information, drivers’ abstracts, employment references, mandatory policy acknowledgement sign-off sheets and evaluations.
• • Benefit information: such as forms relating to the application or change of employee health and welfare benefits, including but not limited to health care, life insurance, short and long term disability, and medical and dental care.
• • Payroll and financial information: including but not limited to social insurance number, wages, pay cheque deposit information, pension information, group savings plans, information, and tax related information.
• • Business relationship and operations information: such as customer and supplier service requests, customer addresses and personal contacts, credit information, billing records, service and equipment records, any recorded customer complaints, investor contact information and requests, agreement terms and preferences, property holder information necessary for administration of our leases and operations, and information necessary to effect emergency response plans.
• • Other information necessary for the Company’s business purposes, which may be voluntarily disclosed or collected in the course of a Representative’s application for, and employment with the Company.

As a general rule, and to the maximum extent possible, the Company collects Personal Information directly from the individual it pertains to. If third parties hold information the Company requires, the Company will ensure the information has been collected with the appropriate consent.

Where permitted or required by applicable law or regulatory requirements, the Company may collect Personal Information about an individual without their knowledge or consent.

The Company collects Personal Information to manage and develop its business and operations, including:

• • determining eligibility for initial employment, including the verification of references and qualifications;
• • the distribution of an internal phone directory (which may include additional information such as date of birth and names of spouse);
• • administration of pay and benefits;
• • establishing training and/or development requirements and assessing qualifications for a particular job or task;
• • performance reviews and determining performance requirements;
• • processing employee work-related claims (e.g. worker compensation, insurance claims, etc.);
• • evidencing for disciplinary action, or employment termination;
• • establishing, managing and terminating business relations with customers and suppliers;
• • protection against error, fraud, theft, damage or nuisance relating to the Company’s assets, operations or reputation and securing company-held information;
• • undertaking environmental, health and safety activities, including incident planning, emergency response and investigation;
• • compliance with individual requests;
• • compliance with applicable law or regulatory requirements; and
• • any other reasonable purpose required by the Company and to which an individual consents.

The Company may use and disclose Personal Information provided it is reasonably required in the following circumstances:

• • for purposes described in this Policy;
• • where the information is publicly available;
• • where necessary to protect the rights and property of the Company;
• • when emergencies occur or where it is necessary to protect the safety of a person or group of persons;
• • where required by Representatives and other parties (including its related business entities or affiliates) who require Personal Information to assist in establishing, maintaining and managing the Company’s relationship with an individual, including, for example, third parties that provide services to the Company or on the Company’s behalf, or third parties that collaborate with the Company in the provision of services to an individual;
• • where required by third party, in the event of a change in ownership of or granting of security interests in all or a part of the Company through, for example, some form of merger, purchase, sale, lease, amalgamation or other form of business combination, provided that the parties are bound by appropriate agreements or obligations which require them to collect, use or disclose Personal Information in a manner consistent with the use and disclosure provisions of this Policy, unless an individual otherwise objects; or
• • the Company has otherwise obtained an individual’s consent.

The Company may use or disclose Personal Information without an individual’s knowledge or consent where it is permitted or required by applicable law or regulatory requirements to do so, including, but not limited to, circumstances relating to the establishment, maintenance or termination of an employment relationship.

The Company is not in the business of selling customer or employee information to third parties.

The Company endeavours to maintain physical, technical and procedural safeguards that are appropriate to the sensitivity of the Personal Information in question. These safeguards are designed to prevent Personal Information from loss and unauthorized access, copying, use, modification or disclosure. Examples of these safeguards include: passwords, encryption and other electronic security means, locked or limited access to premises and file cabinets, and the security monitoring methods referred to earlier in this policy.

Accountability

The Company is responsible for maintaining and protecting Personal Information in our control.

Retention of Personal Information

Except as otherwise permitted or required by applicable law or regulatory requirements, the Company endeavours to retain Personal Information only for as long as it believes is necessary to fulfill the purposes for which the Personal Information was collected (including for the purpose of meeting any legal, accounting or other reporting requirements or obligations). The Company may, instead of destroying or erasing Personal Information, make it anonymous such that it cannot be associated with or tracked back to a specific individual.

Updating Personal Information

It is important that Personal Information contained in the Company’s records is both accurate and current. The Company asks that Representatives, customers and suppliers keep us informed of any changes to Personal Information during the course of the individual’s employment or business relationship with the Company.

If an individual believes the Personal Information about them, held by the Company is not correct, the individual may request an update of that information by making a request to our Privacy Officer using the contact information set out below. In some circumstances the Company may not agree with the request to change an individual’s Personal Information and will instead append an alternative text to the record in question.

The Company shall maintain your Personal Information in as accurate, complete and up-to-date form as is necessary to fulfill the purposes for which the information is to be used.

Accessing Personal Information

An individual may ask to see the Personal Information that the Company holds about them. If someone wants to review, verify or correct their Personal Information, they may contact the Company’s Privacy Officer. Please note that any such communications must be in writing.

When making an access request, the Company may require specific information from an individual to confirm their identity and right to access, as well as to search for, and provide that individual with, the Personal Information that it holds about them. The Company may charge a fee to access Personal Information, but it will advise of any fee charges in advance. If help is needed in preparing a request, please contact the office of the Privacy Officer. Where Personal Information will be disclosed to an individual, the Company will endeavour to provide the information in question within a reasonable time and no later than 30 days following the request.

An individual’s right to access the Personal Information that the Company holds about them is not absolute. There are instances where applicable law or regulatory requirements permit or require the Company to refuse a Personal Information access request.

The Company also reserves the right to decline to provide access to Personal Information where the information requested:

• • Would disclose the following:
  • • Personal Information, including opinions, about another individual or about a deceased
    individual;
  • • Confidential information that may harm the Company or competitive position of a third party, or interfere with contractual or other negotiations of the Company or a third party;
• • Is subject to solicitor-client or litigation privilege;
• • Is not readily retrievable and the burden or cost of providing such information would be disproportionate to the nature or value of the information;
• • Could reasonably result in:
  • • Serious harm to the treatment or recovery of the individual concerned;
  • • Serious emotional harm to the individual or another individual;
  • • Serious bodily harm to another individual; or
• • May harm or interfere with law enforcement activities and other legal or employment related investigative or regulatory functions;

In addition, the Personal Information may no longer exist, may have been destroyed, erased or made anonymous in accordance with the Company’ record retention obligations and practices.

In the event that the Company cannot provide an individual with access to their Personal Information, it will endeavour to inform that individual of the reasons why access has been denied, subject to any legal or regulatory restrictions.

It is important to the Company that it collects, uses or discloses Personal Information with consent to do so or as otherwise provided in this Policy. Depending on the sensitivity of the Personal Information, consent may be implied, deemed (using an opt-out mechanism) or expressed.

• • Express consent can be given orally, electronically or in writing.
• • Implied consent is consent that can reasonably be inferred from an individual’s action or inaction. For example, when financial information is requested for investment purposes, the Company will assume consent to the collection, use or disclosure of Personal Information for purposes related to that request for information or for other purposes identified by the requesting individual at the time.

Typically, the Company will seek consent at the time it collects the Personal Information. In some circumstances consent may be obtained after collection but prior to the Company’s use or disclosure of Personal Information. If the Company plans to use or disclose Personal Information for a purpose not previously identified (either in this Policy or separately), it will endeavour to advise an affected individual of that purpose before such use or disclosure.

The Company may collect, use or disclose Personal Information without an individual’s knowledge or consent where it is permitted or required to do so by applicable law or regulatory requirements.

The Company assumes that, unless it is advised otherwise, by receiving a copy of this Policy or by continuing to engage in business with the Company, an individual will have consented to the collection, use and disclosure of their Personal Information as explained in this Policy.

An individual is entitled to change or withdraw their consent at any time, subject to legal or contractual restrictions (and reasonable notice), by contacting the Privacy Officer using the contact information set out below. In some circumstances, a change in or withdrawal of consent may limit the Company’s ability to provide products or services to, or acquire products or services from, that individual.

The work output of Representatives, whether in paper record, computer files, or in any other storage format belongs to the Company, and that work output, whether it is stored electronically, on paper, or in any other format, and the tools used to generate that work product, are always subject to review and monitoring by the Company.

Representatives should not have any expectation of privacy with respect to their use of the Company’s equipment or resources. This section is not meant to suggest that all Representatives will be monitored or their actions subject to constant surveillance – as the Company has no duty to monitor – it is meant to bring to each Representative’s attention the fact that such monitoring may occur and may result in the collection of Personal Information from Representatives (e.g. through their use of the Company’s
resources).

Any collection of Personal Information held or used in the course of monitoring will not be more than is necessary for the purpose of the monitoring. Monitoring is or will be done on an “as required” basis and will be in proportion to the risks that the Company faces. The Company will conduct any monitoring in the least intrusive way possible. In some instances, when reasonably necessary, the Company may supplement this monitoring notice with more specific policies or statements as appropriate (e.g. video surveillance).

The Company appreciates your interest in our website. Your privacy is important and we want you to understand our practices on gathering information from visitors to this site and the uses we make of that information.

When someone visits our website, our web servers automatically gather anonymous information that allows the site to communicate with the visitor’s computer during the visit. We also track the number of visits to the site and which parts of the site visitors select. We use that information for statistical purposes that help us improve and administer the site. That information does not include Personal Information that would permit us to identify and locate individual visitors.

Privacy concerns focus on personal information, that is, information that could identify a specific individual or entity such as names, email addresses, and telephone numbers. If during your visit to our website you complete any form or submit other information to us, you may provide us with Personal Information. With your consent, we may collect and use that Personal Information to provide you with services which we may think might be of interest to you, or to communicate with you for other purposes. Personal Information may also be used to obtain surveys or assessments concerning skills and competencies from participants in order to identify and enhance activities or practices.

The Company’s website have links to third party websites that Heritage Royalty does not own or maintain. We make no representations or warranties about the privacy practices of those sites.

There will be occasions where it will be necessary for the Company websites to disclose your Personal Information to third parties. Communicating via the internet and sending information, products, and/or services to you by other means necessarily involves your Personal Information passing through or being handled by third-parties. The Company does not use or distribute any Personal Information to third parties for purposes of allowing these third parties to market their products and services to you.

You may remove your personal information so you will not receive future communications, or you may modify your Personal Information that we have previously gathered.

The Company website operates secure data networks that are designed to protect your privacy and security.

It is essential that all Representatives understand and be responsible for abiding by and implementing this Policy.

Any violation of this Policy will result in discipline by the Company. If any Representative misuses the Personal Information of another Representative or third party, it will be considered a serious offence for which appropriate disciplinary action may be taken, up to and including termination of employment, the service agreement or court action. Any interpretation associated with this Policy will be made by the Privacy Officer, in conjunction with legal counsel. This Policy includes examples but is not intended to be restricted in its application to such examples, therefore where the word “including” is used, it shall mean “including without limitation”.

If a Representative has a question about the following:

• (a) access to Personal Information;
• (b) the collection, use, management or disclosure of Personal Information;
• (c) changing or withdrawing consent with respect to Personal Information; or
• (d) obtaining more information about this Policy or relevant legislation;

Please contact the office of the Privacy Officer by telephone, in writing or by e-mail at:
Addressed: Mr. Jim Dinning (Chair of Governance & Compensation Committee)
Telephone: (403) 243-1030 or (403) 807-1033
Email: whistleblower@heritageroyalty.ca
Postal Address
Marked Private and Confidential
Attn: Mr. Jim Dinning (Heritage Royalty)
710, 215 Second Street SW
Calgary, Alberta, T2P 1M4

The Company endeavours to answer all questions raised in a timely manner, and advise Representatives in writing of any steps taken to address an issue brought forward. If a Representative is not satisfied with the Company’s response, that Representative may be entitled to make a written submission to the privacy authority applicable for their jurisdiction.