sign up
back to home

PRIVACY POLICY

ARDENTPAY LTD.

Registration number: 1001134063

KEY INFORMATION

Effective Date: 20.02.2026
Next Review Date: 20.02.2027

 

CONTENTS

General provisions
Definitions and abbreviations
PIPEDA compliance statement
FINTRAC & AML reporting disclosure
Data Controller
What personal data we collect & why
Mandatory collection of personal information under the PCMLTFA
Consequences of not providing data
How we use personal data
Automated decision-making & profiling
Cross-border data transfers
Law enforcement and regulatory cooperation
Customer rights under the general data protection regulation (GDPR)
Data security measures
Record retention under PCMLTFA
Complaint process and privacy inquiries
Data breach notification
Withdrawal of consent vs legal obligation
Service providers & outsourcing
Contacts

1. GENERAL PROVISIONS

1.1. Our Company (“the Company,” “we,” “us,” or “our”) is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how the Company collects, uses, stores, and shares your personal information when you use our website, mobile application, and payment services. By using our services, you agree to this Privacy Policy. If you do not agree, please stop using our services.

1.2. Our Company collects personal information that you provide when using our services, including but not limited to your name, date of birth, contact information, identification documents, payment details, and transaction history. We may also collect information automatically through your use of our website or application, such as IP addresses, device information, and usage data.

1.3. Our Privacy Policy is beyond standard GDPR language and incorporate requirements under:

1.3.1. The Personal Information Protection and Electronic Documents Act (PIPEDA)

1.3.2. Applicable provincial privacy laws (e.g., Québec Law 25, if operating in Québec)

1.3.3. FINTRAC reporting obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA)

1.3.4. Sanctions and regulatory disclosure obligations.

2. DEFINITIONS AND ABBREVIATIONS

2.1. Account – means an account opened within our Company in the name of the Customer with the aim to receive the services. Online Account means the result of registration in the computer system or Application, during which personal data of the registered Customer is saved, a login name is assigned and the rights of the Client in the System are defined.

2.2. Business – means the sole proprietorship, freelancer, limited liability company, corporation, partnership, charity or trust as applicable.

2.3. Business Day – means a day, when our Company provides its services, set by our Company. Our Company is entitled to set different business days for different services.

2.4. Company – ARDENTPAY LTD., Ontario Business Corporation with registration number 1001134063.

2.5. Customer / Client – a legal entity, organization, company or individual, who uses the Website and/or familiarizes himself with the provisions of the Website, this Policy and the provisions of other documents, and intends to register on the Website to receive the services.

2.6. Consent – means the voluntary agreement of an individual to the collection, use, or disclosure of their personal information for specified purposes.

2.7. Data Breach – means the loss, unauthorized access, or disclosure of personal information that creates a real risk of significant harm to the individual, as defined under applicable Canadian privacy laws.

2.8. Regulatory Authority – means any government or official body that has legal authority to require the collection, use, disclosure, or reporting of personal information, including but not limited to FINTRAC (Financial Transactions and Reports Analysis Centre of Canada).

2.9. Personal Information – means any information about an identifiable individual, including but not limited to name, contact details, financial information, identification numbers, or transaction history, as defined under the Personal Information Protection and Electronic Documents Act (PIPEDA).

2.10. Electronic Money – means money credited/ transferred to and held on Account for executing Payment Services via the System.

2.11. Payment Operation – means a money transfer, payment or withdrawal initiated by a payer or a payee.

2.12. Payment Order – means an order from the Client for the execution of the Payment Operation.

2.13. Payment Service – means services provided by our Company and all products, content, features, technologies, or functions offered by us and all related websites, applications (including the App), and service models (including the Website and via an API Partner), and including the Account, the currency conversion, and Money Transfer offerings.for example, but not limited: (i) execution of payment transactions, including transfers of funds on a payment account with the payment service provider of the payment service user or with another payment service provider: execution of direct debits, including one-off direct debits, execution of payment transactions through a payment card or a similar device and/or execution of credit transfers, including standing orders; and/ or (ii) issuing of payment instruments and/ or acquiring of payment transactions; and/ or (iii) money remittance; and/ or (iv) services enabling cash to be placed on a payment account as well as all the operations required for operating a payment account; and/ or (v) services enabling cash withdrawals from a payment account as well as all the operations required for operating a payment account.

2.14. Payment Instrument – means any payment instrument which allows to link to the Account and perform payment transfers using this payment instrument.

2.15. Privacy Officer – means the individual designated by our Company to oversee privacy compliance, manage privacy-related inquiries, and handle requests regarding personal information.

2.16. PIPEDA – means the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), the federal Canadian privacy law governing the collection, use, and disclosure of personal information in the course of commercial activities.

2.17. PCMLTFA – means the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (S.C. 2000, c. 17), the federal Canadian law requiring certain reporting, record-keeping, and compliance obligations for Money Services Businesses (MSBs) to prevent money laundering and terrorist financing.

2.18. Money Transfer – means a direct transfer of funds paid by you, without using funds in your Account, to a designated recipient that is sent using our Services. In some currencies, you may only be able to convert and send funds using your Account and cannot make a direct Money Transfer.

2.19. Outsourcing – means the engagement of Service Providers, including those located outside of Canada, to perform services or process personal information on behalf of our Company.

2.20. Legal Obligation – means a duty imposed on our Company by applicable laws, regulations, or regulatory authorities to collect, use, retain, or disclose personal information.

2.21. Website means any our webpage, including but not limited to ardentpay.io, where we provide the Services to you.

2.22. Withdrawal of Consent – means the act by which an individual revokes their previously given consent for the collection, use, or disclosure of personal information, subject to legal or contractual obligations.

3. PIPEDA COMPLIANCE STATEMENT

3.1. Our Company collects, uses, discloses, retains, and safeguards personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. The Company recognizes its responsibility to protect personal information and has implemented policies, procedures, and safeguards designed to ensure compliance with Canadian privacy law.

3.2. In accordance with PIPEDA, the Company adheres to the Ten Fair Information Principles, which govern the collection and handling of personal information in Canada. These principles include accountability, identifying purposes, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access, and challenging compliance.

3.3. The Company collects personal information only for purposes that are identified at or before the time of collection. Such purposes may include providing financial services, verifying identity, complying with anti-money laundering and counter-terrorist financing legislation, preventing fraud, meeting regulatory reporting obligations, and fulfilling contractual commitments. Personal information is limited to what is necessary for these identified purposes.

3.4. Consent is obtained for the collection, use, and disclosure of personal information, except where otherwise permitted or required by law. In certain circumstances, including compliance with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and related regulations, the Company may collect, use, or disclose personal information without knowledge or consent where legally authorized or required.

3.5. The Company limits the use and disclosure of personal information to the purposes for which it was collected, unless additional consent is obtained or disclosure is required by law. Personal information is retained only for as long as necessary to fulfill identified purposes and to comply with statutory record-keeping obligations.

3.6. The Company maintains administrative, technical, and physical safeguards appropriate to the sensitivity of the information to protect against loss, theft, unauthorized access, disclosure, copying, use, or modification.

3.7. Individuals have the right to request access to their personal information and to request correction of inaccurate or incomplete information, subject to limited exceptions permitted by law. Requests may be submitted to the Company’s designated Privacy Officer.

3.8. The Company has established procedures for receiving and responding to complaints or inquiries regarding privacy practices. Individuals who are not satisfied with the Company’s response may contact the Office of the Privacy Commissioner of Canada.

 

4. FINTRAC & AML REPORTING DISCLOSURE

4.1. Our Company is registered as a Money Services Business with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) and is subject to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and its associated Regulations. As a reporting entity, the Company is legally required to collect, verify, retain, analyze, and, in certain circumstances, disclose personal information to FINTRAC and other competent authorities in order to prevent and detect money laundering and terrorist financing activities.

4.2. In accordance with Canadian law, the Company must submit mandatory reports to FINTRAC, which may include Suspicious Transaction Reports, Large Cash Transaction Reports, Large Virtual Currency Transaction Reports, Electronic Funds Transfer Reports, and Terrorist Property Reports. These reports may contain personal information, transaction details, identification information, account information, and other data required by law.

4.3. The Company may disclose personal information to FINTRAC without notifying the individual concerned where such disclosure is required or authorized under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. Canadian law prohibits the Company and its personnel from informing any individual that a Suspicious Transaction Report or certain other regulatory reports have been filed. This prohibition is commonly referred to as the “anti-tipping off” requirement.

4.4. The Company is also required to conduct ongoing monitoring of business relationships and transactions. This may involve automated screening, transaction analysis, risk scoring, sanctions screening, and Politically Exposed Person determinations. Personal information processed for these purposes may be retained for the minimum statutory retention period prescribed under Canadian AML legislation, even if the business relationship has ended.

4.5. Where required by law, the Company may also disclose personal information to law enforcement agencies, regulatory authorities, courts, or other governmental bodies in connection with investigations relating to money laundering, terrorist financing, sanctions evasion, fraud, or other financial crimes. Such disclosures may occur without additional notice to the individual where legally authorized or required.

4.6. Failure to provide information required under Canadian AML legislation may result in the Company being unable to establish or maintain a business relationship, process transactions, or provide services. In certain circumstances, the Company may be legally obligated to refuse, suspend, or terminate services where required compliance information cannot be obtained or verified.

5. DATA CONTROLLER

5.1. The controller of your personal data is ARDENTPAY LTD., Ontario Business Corporation with registration number 1001134063. For communications, please be advised to use the following email address: support@ardentpay.io or use chat available in your personal Account.

6. WHAT PERSONAL DATA WE COLLECT & WHY

6.1. The Company collects different categories of personal data depending on how you interact with our services. Identity Data includes your name, surname, date of birth, nationality, personal identification number, identity documents such as passport or ID, and video recordings. This information is collected to verify your identity and comply with anti-money laundering (AML) regulations. The legal basis for processing this data under GDPR is a legal obligation (Art. 6(1)(c)).

6.2. Contact Data includes your email address, phone number, and physical address. This data is used to contact you for service updates, notifications, and security alerts. The legal basis for processing contact data under GDPR is the performance of a contract (Art. 6(1)(b)).

6.3. Financial Data covers payment details, IBAN, and transaction history. The Company processes this data to facilitate transactions and detect fraud. The legal basis under GDPR is the performance of a contract (Art. 6(1)(b)) and legitimate interest (Art. 6(1)(f)).

6.4. Technical Data consists of IP addresses, browser type, operating system, cookies, and device identifiers. This data is used to prevent fraud, improve security, and enhance the user experience. The legal basis for processing technical data is legitimate interest (Art. 6(1)(f)).

6.5. Regulatory Data includes KYC documents, PEP status, and sanctions screening data. This information is collected to comply with AML and other financial regulations. The legal basis under GDPR is a legal obligation (Art. 6(1)(c)).

6.6. Finally, Marketing and Communication Data comprises email preferences and customer survey responses. This data is used to send promotional messages, but only if you have provided your consent. The legal basis under GDPR for this data is consent (Art. 6(1)(a)).

7. MANDATORY COLLECTION OF PERSONAL INFORMATION UNDER THE PCMLTFA

7.1. As a reporting entity under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and its Regulations, the Company is legally required to collect, verify, and retain certain personal information in order to prevent, detect, and deter money laundering, terrorist financing, and sanctions evasion. The collection of this information is mandatory and is not optional where a business relationship is established or a reportable transaction is conducted.

7.2. The Company is required to obtain and verify identity information prior to opening an account, establishing a business relationship, or processing certain transactions. This may include full legal name, date of birth, residential address, occupation, identification numbers, government-issued identification documents, and other information necessary to verify identity using prescribed methods under Canadian law.

7.3. For business customers, the Company must collect information regarding the legal name, business number, address, nature of business, and ownership structure. The Company is further required to identify and verify the identity of beneficial owners who directly or indirectly own or control a prescribed percentage of the entity, as well as individuals who exercise control over the entity.

7.4. The Company is also required to determine whether a customer, beneficial owner, or authorized signing officer is a Politically Exposed Person, a Head of an International Organization, or a family member or close associate of such persons. Where such status is identified, additional information including source of funds and source of wealth must be obtained and reasonable measures must be taken to establish the legitimacy of the funds involved.

7.5. In addition, the Company must collect information regarding the purpose and intended nature of the business relationship and conduct ongoing monitoring of transactions. This may involve collecting updated identification information, transaction explanations, supporting documentation, and additional due diligence materials where risk factors are identified.

7.6. The Company is required by law to retain certain identification records, transaction records, and business relationship documentation for a minimum period prescribed under Canadian AML legislation, even if the customer closes their account or terminates the relationship.

7.7. If a customer fails or refuses to provide the information required under the PCMLTFA, the Company may be legally prohibited from opening an account, processing transactions, or continuing to provide services. In certain circumstances, the Company may also be required to file a report with FINTRAC or take other regulatory action where compliance requirements cannot be satisfied.

7.8. The mandatory collection and retention of this information is undertaken solely to meet legal and regulatory obligations and to maintain the integrity and security of the financial system.

8. CONSEQUENCES OF NOT PROVIDING DATA

8.1. Some personal information is essential for the Company to provide its services. If you do not provide the required data: (1) KYC and AML Compliance: We will be unable to onboard you as a customer or permit any transactions, (2) Transaction Processing: Without complete payment information, we cannot process your transactions, (3) Security and Fraud Prevention: Missing device or IP details may lead to temporary blocks or restricted access for security reasons, (4) Marketing Communications: If consent is not given, we will not send promotional messages or offers.

8.2. Failure to provide information required by law or regulatory obligations may result in account limitations, denial of services, or reporting to relevant authorities.

9. HOW WE USE PERSONAL DATA

9.1. We do not retain personal data longer than necessary and process it in accordance with GDPR and applicable Lithuanian legal requirements. KYC and customer identification data is retained for eight years following account closure in compliance with AML legislation and Article 6(1)(c) of the GDPR. Transaction data is retained for seven years to meet tax and financial regulatory obligations. Communication records, including emails, chats, and call logs, are retained for five years based on our legitimate interest in maintaining service records and resolving disputes. Marketing data is retained until you withdraw your consent in accordance with Article 6(1)(a) of the GDPR. Website and cookie-related data is retained for varying periods as outlined in the Cookie Policy and is processed based on legitimate interest.

9.2. After the applicable retention period expires, personal data is securely deleted or anonymized unless continued retention is required by law or regulatory authorities.

10. AUTOMATED DECISION-MAKING & PROFILING

10.1. We use automated systems for fraud prevention and risk management. These processes include:

  • Fraud Prevention & Risk Scoring: We analyze your transactions, IP address, and device behavior to detect suspicious activity.

  • Sanctions & PEP Screening: Your identity is automatically checked against international watchlists.

  • Account Verification & KYC: Automated checks confirm your ID and financial history before approval.

10.2. What This Means for You:

  • If flagged as high-risk, your account or transactions may be blocked or delayed.

  • You have the right to request a manual review of any automated decision affecting your ability to use our services.

 

11. CROSS-BORDER DATA TRANSFERS

11.1. The Company may transfer, store, or process personal information outside of Canada in connection with the provision of its services. Such transfers may occur where the Company engages third-party service providers, cloud hosting providers, identity verification vendors, payment processors, compliance technology providers, or other operational partners located in foreign jurisdictions.

11.2. Where personal information is transferred outside Canada, it may be subject to the laws of the foreign jurisdiction in which it is processed or stored. As a result, personal information may be accessible to courts, law enforcement agencies, national security authorities, or regulatory bodies in accordance with the laws of that jurisdiction.

11.3. The Company remains accountable for personal information transferred to third parties for processing and ensures that appropriate contractual and technical safeguards are implemented to protect such information. These safeguards may include data processing agreements, confidentiality obligations, access controls, encryption standards, security audits, and risk assessments proportionate to the sensitivity of the information involved.

11.4. Before transferring personal information across borders, the Company assesses the nature of the information, the purpose of the transfer, the risks associated with the destination jurisdiction, and the adequacy of security measures implemented by the recipient. Where required, the Company implements additional safeguards to ensure that personal information receives a level of protection comparable to that required under Canadian privacy laws.

11.5. Cross-border transfers may occur for purposes including identity verification, sanctions screening, transaction monitoring, fraud prevention, regulatory reporting support, customer support services, secure data hosting, and business continuity management.

11.6. By using the Company’s services, you acknowledge that your personal information may be transferred to and processed in jurisdictions outside of your province or country of residence.

11.7. If you require additional information regarding cross-border data processing practices or the safeguards in place, you may contact the Company’s designated Privacy Officer.

12. LAW ENFORCEMENT AND REGULATORY COOPERATION

12.1. Our Company is subject to Canadian federal legislation governing anti-money laundering, counter-terrorist financing, sanctions compliance, fraud prevention, and financial crime reporting. As part of its legal and regulatory obligations, the Company may collect, use, and disclose personal information to law enforcement agencies, regulatory authorities, courts, and other governmental bodies where required or authorized by law.

12.2. The Company may disclose personal information to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) in accordance with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and its Regulations. Such disclosures may include identification records, transaction records, account information, beneficial ownership information, and other data required to fulfill statutory reporting obligations.

12.3. In addition, the Company may respond to lawful requests, production orders, subpoenas, search warrants, court orders, regulatory examinations, or similar legal processes issued by competent authorities. Where legally permitted, the Company will review the scope and validity of such requests to ensure that any disclosure is limited to what is required by law.

12.4. The Company may also voluntarily cooperate with law enforcement or regulatory authorities in circumstances involving suspected money laundering, terrorist financing, fraud, sanctions evasion, financial crime, or threats to the integrity of the financial system, where such cooperation is authorized by applicable law.

12.5. In certain cases, the Company may be legally prohibited from notifying the affected individual that their personal information has been disclosed. This includes circumstances involving Suspicious Transaction Reports or other confidential regulatory filings where “anti-tipping off” provisions apply.

12.6. The Company may further share information with domestic or foreign regulatory authorities in connection with compliance audits, supervisory examinations, enforcement proceedings, sanctions investigations, or cross-border financial crime inquiries, where such sharing is legally required or authorized.

12.7. All disclosures are made in accordance with applicable privacy legislation, including the Personal Information Protection and Electronic Documents Act, and are subject to internal review processes designed to ensure compliance with legal standards and to protect the confidentiality of personal information to the extent permitted by law.

13. CUSTOMER RIGHTS UNDER THE GENERAL DATA PROTECTION REGULATION (GDPR)

13.1. Under the GDPR, individuals whose personal data is processed by the Company have the following rights:

13.2. Right to Be Informed. You have the right to receive clear, transparent, and easily understandable information about how your personal data is collected, used, stored, and shared. This right is fulfilled through this Privacy Policy and related disclosures.

13.3. Right of Access (Article 15 GDPR). You have the right to request confirmation as to whether we process your personal data and, if so, to obtain access to that data together with information about the purposes of processing, categories of data involved, recipients of the data, retention periods, and your available rights.

13.4. Right to Rectification (Article 16 GDPR). You have the right to request correction of inaccurate personal data and completion of incomplete personal data without undue delay.

13.5. Right to Erasure (“Right to Be Forgotten”) (Article 17 GDPR). You have the right to request deletion of your personal data where there is no lawful basis for continued processing. This right does not apply where retention is required to comply with legal obligations, including AML, tax, or financial regulations.

13.6. Right to Restriction of Processing (Article 18 GDPR). You have the right to request restriction of processing in certain circumstances, including where the accuracy of data is contested, processing is unlawful, or the data is required for the establishment, exercise, or defense of legal claims.

13.7. Right to Data Portability (Article 20 GDPR). You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller, where processing is based on consent or contract and carried out by automated means.

13.8. Right to Object (Article 21 GDPR). You have the right to object to processing of your personal data where processing is based on legitimate interest or for direct marketing purposes. If you object to direct marketing, your personal data will no longer be processed for that purpose.

13.9. Right to Withdraw Consent (Article 7(3) GDPR). Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

13.10. Rights Related to Automated Decision-Making and Profiling (Article 22 GDPR). You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects, except where such processing is necessary for entering into or performing a contract, authorized by law, or based on explicit consent.

13.11. Right to Lodge a Complaint (Article 77 GDPR). You have the right to lodge a complaint with a competent supervisory authority if you believe that your personal data has been processed in violation of applicable data protection laws.

14. DATA SECURITY MEASURES

14.1. We use advanced security technologies to protect your data:

14.2. Encryption – All data is encrypted in transit & storage.

14.3. Multi-Factor Authentication (MFA) – Prevents unauthorized access.

14.4. Regular Security Audits – Ensures compliance with GDPR & financial regulations.

15. RECORD-KEEPING OBLIGATIONS UNDER THE PCMLTFA

15.1. As a reporting entity under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and its Regulations, the Company is legally required to create, maintain, and retain specific records in connection with its anti-money laundering and counter-terrorist financing obligations. These record-keeping requirements are mandatory and apply regardless of whether the business relationship remains active.

15.2. The Company must retain identity verification records, business relationship information, beneficial ownership documentation, Politically Exposed Person determinations, transaction records, large cash transaction records, electronic funds transfer records, virtual currency transaction records, suspicious transaction documentation, and ongoing monitoring records. These records are maintained in accordance with statutory retention periods prescribed under Canadian law.

15.3. In general, most records required under the PCMLTFA must be retained for a minimum of five years from the date they are created or from the date the business relationship ends, whichever is later. In certain circumstances, other applicable laws, regulatory directives, tax legislation, litigation holds, or internal risk management considerations may require longer retention periods.

15.4. During the retention period, personal information contained in these records may not be deleted, anonymized, or destroyed, even if a customer requests erasure or account closure. The right to deletion under privacy legislation is subject to legal exceptions, including where continued retention is required to comply with statutory obligations.

15.5. The Company maintains secure storage systems and access controls to protect retained records against unauthorized access, disclosure, alteration, or destruction. Access to AML-related records is restricted to authorized personnel with a legitimate business or compliance need.

15.6. Upon expiration of the applicable retention period, records are securely destroyed or permanently anonymized in accordance with the Company’s records management and data destruction procedures, unless continued retention is required by law or regulatory authority.

15.7. The retention of records under the PCMLTFA is undertaken strictly to fulfill legal and regulatory obligations and to support the integrity of Canada’s financial system.

16. COMPLAINT HANDLING AND ESCALATION

16.1. The Company is committed to maintaining transparent and accountable privacy practices. Individuals who have questions, concerns, or complaints regarding the collection, use, disclosure, retention, or protection of their personal information may contact the Company’s designated Privacy Officer.

16.2. All privacy-related inquiries and complaints should be submitted in writing and should include sufficient detail to allow the Company to properly assess and investigate the matter. The Company may request additional information to verify the identity of the individual submitting the complaint in order to protect personal information and prevent unauthorized disclosure.

16.3. Upon receipt of a complaint, the Company will:

16.3.1. Acknowledge receipt within a reasonable timeframe;

16.3.2. Conduct an internal review of the relevant facts, systems, and records;

16.3.3. Assess compliance with applicable privacy legislation, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and any applicable provincial laws;

16.3.4. Respond in writing within a reasonable period, outlining findings and, where applicable, corrective actions taken.

16.4. Where a complaint is found to be substantiated, the Company will take appropriate remedial measures. Such measures may include correcting or updating personal information, revising internal procedures, enhancing safeguards, providing additional staff training, or implementing other compliance improvements.

16.5. If an individual is not satisfied with the Company’s response, they have the right to escalate the matter to the Office of the Privacy Commissioner of Canada.

16.6. If the Company conducts business in Québec or processes personal information of Québec residents, individuals may also file a complaint with the Commission “d’accès à l’information du Québec”, in accordance with applicable provincial legislation.

16.7. The Company does not charge a fee for handling privacy complaints unless a request is manifestly unfounded, excessive, or repetitive, in which case a reasonable administrative fee may be applied as permitted by law.

16.8. The Company maintains records of privacy complaints and their resolution as part of its accountability and compliance framework.

17. DATA BREACH NOTIFICATION AND REPORTING

17.1. We are committed to protecting the personal information of our clients and ensuring compliance with Canadian privacy laws. In the event of a data breach that involves your personal information, we will follow the requirements set out under the Personal Information Protection and Electronic Documents Act (PIPEDA).

17.2. A data breach occurs when personal information is lost, stolen, or accessed without authorization, potentially posing a real risk of significant harm to individuals. Personal information includes any data that can identify you, such as your name, contact information, financial details, or identification numbers.

17.3. If a breach occurs that meets the threshold for reporting, we will:

17.3.1. Notify affected individuals as soon as possible, providing sufficient information to allow you to take protective measures.

17.3.2. Report the breach to the Office of the Privacy Commissioner of Canada (OPC), if required by law.

17.3.3. Provide details of the breach, including:

  • The nature of the personal information involved.

  • Steps we are taking to mitigate potential harm.

  • Contact information for inquiries and assistance.

17.3.4. Review and strengthen security measures to prevent future breaches.

17.4. We take the security of your personal information seriously. Prompt reporting and transparent communication are central to our approach, ensuring you are informed and can take necessary steps to protect yourself.

18. WITHDRAWAL OF CONSENT VS LEGAL OBLIGATION

18.1. You have the right to withdraw your consent for the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions. If you choose to withdraw consent:

  • 18.1.1. We may no longer be able to provide certain services or products.

  • 18.1.2. Certain personal information we have already collected may still be retained or used to meet legal, regulatory, or contractual obligations.

  • 18.1.3. Withdrawal requests should be submitted to our Privacy Officer.

18.2. Legal Obligation: In some circumstances, we are required by law or regulation to collect, retain, or disclose certain personal information, even if you withdraw consent. These obligations include, but are not limited to:

  • 18.2.1. Reporting to FINTRAC (Financial Transactions and Reports Analysis Centre of Canada) and other regulatory authorities as a registered Money Services Business (MSB).

  • 18.2.2. Complying with anti-money laundering (AML) and anti-terrorist financing laws.

  • 18.2.3. Meeting requirements under tax, financial, or other applicable laws.

18.3. In such cases, your personal information may still be collected, used, or disclosed as legally required, and we will inform you to the extent permitted by law.

18.4. We respect your privacy choices and will only use your personal information for purposes consistent with this policy, unless otherwise required by law.

19. SERVICE PROVIDERS & OUTSOURCING

19.1. To provide our services efficiently, we may engage third-party service providers to perform functions on our behalf, including but not limited to:

  • 19.1.1. Transaction processing and payment services;

  • 19.1.2. IT hosting, data storage, and cybersecurity management;

  • 19.1.3. Customer support and verification services;

  • 19.1.4. Compliance and auditing services.

19.2. When we share your personal information with service providers:

  • 19.2.1. We ensure they are contractually obligated to protect your personal information in accordance with this privacy policy and applicable Canadian privacy laws.

  • 19.2.2. We require them to use personal information only for the purposes specified by us and not for their own purposes.

  • 19.2.3. We take reasonable steps to ensure they implement appropriate safeguards to prevent unauthorized access, use, or disclosure.

19.3. Outsourcing outside Canada: some service providers may be located outside of Canada. In such cases, we take additional measures to ensure that your personal information is protected to a standard comparable to Canadian privacy requirements, including contractual safeguards and security requirements.

20. CONTACTS

20.1. For communications, please be advised to use the following email address: support@ardentpay.io or use chat available in your personal Account.