At MetaX Payments Ltd, we understand that trust is fundamental to our relationship with our customers. This Privacy and Data Protection Policy reflects our commitment to protecting your privacy while providing high-quality financial services. We believe in complete transparency about how we collect, use, and protect your information.

A. Company Information and Status

MetaX Payments Ltd operates as a registered Money Services Business (MSB) in British Columbia, Canada. We are authorized to provide various financial services including money transfers, currency exchange, and payment services. Our operations are subject to oversight by multiple regulatory bodies, including the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) and provincial regulators.

As a financial institution operating both domestically and internationally, we maintain strict standards of data protection and privacy that meet or exceed regulatory requirements across all jurisdictions where we operate.

B. Purpose of Policy

This policy serves multiple purposes:

• To clearly explain how we handle your personal and business information
• To outline your rights regarding your information
• To describe our security measures and data protection practices
• To inform you about how we comply with various legal and regulatory requirements
• To maintain transparency about our information handling practices

C. Scope of Application

This policy applies to all information we collect through:

• Our website and mobile applications
• Telephone and email communications
• Business relationships and transactions
• Third-party service providers acting on our behalf

The policy covers both our Canadian operations and our international services, ensuring consistent protection of your information regardless of where you interact with us.

D. Definitions and Key Terms

To help you better understand this policy, we use these key terms:

• "Personal information" means any information about an identifiable individual
• "Business information" refers to information about commercial entities
• "Processing" includes collecting, using, sharing, storing, or disposing of information
• "Service providers" are third parties who help us deliver our services
• "Regulatory authorities" include government agencies and financial regulators who oversee our operations

2. Legal and Regulatory Framework

A. Federal Laws (PIPEDA)

The Personal Information Protection and Electronic Documents Act (PIPEDA) forms the foundation of our privacy practices. Under PIPEDA, we adhere to these key principles:

• Accountability: We are responsible for all personal information under our control, including information transferred to third parties for processing. We have appointed a Privacy Officer to ensure compliance with privacy obligations.
• Identifying Purposes: We clearly identify why we collect personal information at or before the time of collection. We document all purposes for which information is collected, used, or disclosed.
• Consent: We obtain meaningful consent for the collection, use, and disclosure of personal information. We explain the implications of consent, and we respect your right to withdraw consent, subject to legal or contractual restrictions.
• Limiting Collection: We collect only the information necessary for the purposes we have identified. We collect information by fair and lawful means.

B. Provincial Laws (PIPA)

As a British Columbia-based organization, we comply with the Personal Information Protection Act (PIPA), which provides additional privacy protections. PIPA requires:

• Specific consent requirements for collecting, using, and disclosing personal information
• Enhanced protection for employee personal information
• Strict rules about marketing and promotional communications
• Specific requirements for information disclosure and retention

C. International Standards

Our global operations require compliance with international data protection standards, including:

• International data transfer requirements
• Cross-border privacy rules
• Global security standards
• International banking protocols

D. Industry-Specific Regulations

As an MSB, we adhere to specialized regulations including:

• Anti-Money Laundering (AML) requirements
• Counter-Terrorist Financing (CTF) regulations
• Know Your Customer (KYC) standards
• International sanctions compliance

3. Personal Information Collection

A. Individual Customers

We collect personal information necessary to provide our services and meet regulatory requirements. Our collection practices are designed to gather essential information while respecting your privacy.

Identity Information

Basic identification information includes:

• Full legal name
• Date of birth
• Contact information
• Residential address
• Government-issued identification

Financial Information

To process transactions and maintain your account, we collect:

• Banking information
• Transaction history
• Source of funds information
• Financial profile information

Transaction Data

For each transaction, we record:

• Transaction amounts and currencies
• Purpose of transaction
• Payment details
• Transaction patterns

Digital/Technical Data

When you use our online services, we collect:

• Device information
• IP addresses
• Login information
• Usage patterns

B. Corporate Customers

For business clients, we collect information necessary to establish and maintain business relationships while meeting regulatory requirements.

Entity Documentation

Standard business documentation includes:

• Registration information
• Corporate structure documents
• Business licenses
• Industry certifications

Ownership Structure

To understand business ownership, we collect:

• Ownership information
• Control structure details
• Relationship information
• Group structure documentation

Management Information

For key individuals in the business, we require:

• Basic identification information
• Role and responsibility details
• Authorization documentation
• Contact information

Business Activity Data

To understand your business operations, we collect:

• Business type and activity information
• Industry classification
• Transaction patterns
• Business relationships

All information collection is conducted in accordance with applicable laws and regulations, with appropriate security measures in place to protect your data. We regularly review our collection practices to ensure they remain necessary and proportionate to our services and regulatory obligations.

4. Purpose and Legal Basis for Processing

A. Primary Purposes

Your trust is essential to our business, and we want you to understand exactly how and why we process your information. Our primary purposes for processing personal and business information are directly connected to providing our financial services and meeting our regulatory obligations.

Service Provision

We process your information to:

• Facilitate your financial transactions securely and efficiently
• Maintain accurate records of your account and transaction history
• Provide you with account statements and transaction confirmations
• Respond to your inquiries and service requests
• Verify your identity for each transaction as required by law
• Process currency exchanges and international transfers
• Manage your account preferences and settings

For example, when you initiate an international money transfer, we process your identification information to verify your identity, your financial information to execute the transfer, and your recipient's information to ensure accurate delivery of funds.

Regulatory Compliance

As a regulated financial institution, we are legally required to:

• Verify the identity of our customers (KYC requirements)
• Monitor transactions for suspicious activity
• Report certain types of transactions to regulatory authorities
• Maintain records for prescribed periods
• Conduct regular compliance assessments
• Respond to regulatory inquiries and audits

Risk Management

To protect both you and our institution, we process information to:

• Detect and prevent fraudulent activities
• Assess and manage financial risks
• Verify the authenticity of provided documents
• Monitor for unauthorized account access
• Evaluate transaction patterns for unusual activity
• Maintain the security of our systems and services

B. Secondary Purposes

Beyond our primary purposes, we may process your information for additional purposes that support and improve our services.

Service Improvement

We analyze service usage patterns to:

• Enhance our service offerings
• Improve user experience
• Streamline transaction processes
• Develop new features and services
• Resolve technical issues
• Optimize our platforms and systems

Marketing and Communications

With your explicit consent, we may use your information to:

• Inform you about new services and features
• Share relevant product updates
• Provide educational content about financial services
• Invite you to participate in customer surveys
• Send service-related notifications
• Keep you informed about important changes

You can opt out of marketing communications at any time while continuing to receive essential service-related communications.

Analytics and Research

We conduct analysis and research to:

• Understand customer needs and preferences
• Improve our service efficiency
• Develop market insights
• Enhance security measures
• Identify emerging trends
• Plan future service offerings

5. Data Sharing and Disclosure

A. Internal Usage

Within our organization, we maintain strict controls on internal access to your information:

• Access is granted only to employees who need it to perform their jobs
• Different levels of access are assigned based on job responsibilities
• All internal access is logged and monitored
• Regular access reviews are conducted
• Employees receive ongoing privacy and security training

B. Third-Party Service Providers

We carefully select and monitor third-party service providers who help us deliver our services. These may include:

Essential Service Providers

• Payment processing services
• Identity verification services
• Technology infrastructure providers
• Security monitoring services
• Customer support systems

Professional Services

• Legal advisors
• Auditors
• Compliance consultants
• Technology consultants

All service providers are bound by:

• Strict confidentiality agreements
• Data protection requirements
• Security standards
• Regular performance monitoring
• Audit requirements

C. Regulatory Reporting

As a regulated financial institution, we are required to share certain information with regulatory authorities:

Mandatory Reporting

We report to various regulatory bodies including:

• Financial intelligence units
• Banking regulators
• Tax authorities
• Law enforcement agencies (when legally required)

Regulatory Compliance

Our reporting obligations include:

• Regular compliance reports
• Suspicious activity reports
• Large transaction reports
• Regulatory audits and examinations

D. International Transfers

When processing international transactions, information sharing across borders is necessary:

Cross-Border Services

We share information with:

• International banking partners
• Global payment networks
• Foreign financial institutions
• International service providers

Transfer Safeguards

All international transfers include:

• Data protection agreements
• Security protocols
• Privacy safeguards
• Monitoring systems

E. Banking Partners and Payment Networks

To provide our services, we work with various financial partners:

Financial Networks

We participate in:

• International banking networks
• Payment processing systems
• Currency exchange networks
• Settlement systems

Partner Requirements

All partners must maintain:

• Strong security measures
• Privacy protections
• Compliance programs
• Regular auditing

6. Data Protection Measures

A. Technical Security

We implement comprehensive technical measures to protect your information:

Infrastructure Security

Our systems include:

• Advanced encryption for data in transit and at rest
• Multi-layer firewall protection
• Intrusion detection and prevention systems
• Regular security updates and patches
• Continuous monitoring systems

Access Controls

We maintain strict access controls through:

• Multi-factor authentication
• Role-based access management
• Regular access reviews
• Activity logging and monitoring
• Secure access protocols

B. Organizational Security

Our organizational security measures include:

Policy Framework

We maintain:

• Comprehensive security policies
• Documented procedures
• Regular policy reviews
• Compliance monitoring
• Risk assessments

Physical Security

Our facilities are protected by:

• Access control systems
• Surveillance systems
• Secure storage areas
• Visitor management procedures
• Clean desk policies

C. Staff Training and Policies

We ensure our staff understand and follow security requirements:

Training Programs

All staff complete:

• Initial privacy training
• Regular security updates
• Compliance training
• Incident response training
• Social engineering awareness

Policy Enforcement

We maintain:

• Clear security procedures
• Regular compliance checks
• Disciplinary procedures
• Reporting mechanisms
• Continuous improvement processes

D. Incident Response

We maintain comprehensive incident response procedures:

Response Framework

Our response includes:

• Incident detection systems
• Response protocols
• Investigation procedures
• Notification processes
• Recovery plans

Management Procedures

We follow structured:

• Escalation procedures
• Communication protocols
• Documentation requirements
• Review processes
• Improvement mechanisms

E. Breach Management

In the unlikely event of a data breach:

Response Protocols

We will:

• Contain the breach
• Assess the impact
• Notify affected parties
• Implement corrective measures
• Report to authorities as required

Recovery Procedures

Our recovery includes:

• System restoration
• Data recovery
• Security enhancement
• Process improvement
• Preventive measures

7. Cross-Border Data Transfers

A. Legal Basis for Transfers

As a financial institution operating globally, we regularly transfer data across borders to provide our services. We ensure all international transfers have a proper legal foundation and appropriate safeguards.

Legal Framework

Our cross-border transfers are conducted under:

• International data protection agreements
• Standard contractual clauses
• Adequacy decisions by relevant authorities
• Binding corporate rules for internal transfers
• Specific consent where required

For example, when you initiate an international money transfer, your transaction information must flow through various jurisdictions to reach its destination. We ensure this process follows all applicable laws and regulations in both originating and receiving countries.

Compliance Mechanisms

For each transfer, we ensure:

• Proper documentation of transfer grounds
• Verification of recipient safeguards
• Assessment of destination country protections
• Implementation of necessary additional measures
• Regular review of transfer mechanisms

B. International Partners

We carefully select and monitor our international partners to maintain data protection standards across borders. All international partners must:

• Maintain adequate data protection standards
• Implement required security measures
• Follow agreed privacy practices
• Provide compliance documentation

C. Security Measures

Specific security measures protect data during international transfers:

Technical Protection

We implement:

• End-to-end encryption
• Secure transfer protocols
• Access controls
• Transfer monitoring
• Audit logging

Organizational Controls

We maintain:

• Transfer policies
• Staff training
• Documentation requirements
• Review procedures
• Incident response plans

D. Jurisdictional Considerations

We address varying privacy requirements across jurisdictions:

Compliance Framework

We maintain:

• Country-specific requirements mapping
• Regional compliance programs
• Local law adherence
• Regulatory reporting systems
• Updates for legal changes

8. Individual Rights

A. Access Rights

You have the right to understand and access your personal information in our systems.

Information Access

You can request:

• Confirmation of what information we hold
• Copies of your personal information
• Details of how your information is used
• Lists of who has access to your information
• Information about automated processing

Access Process

To exercise your access rights:

1. Submit a request through our secure channels
2. Verify your identity
3. Specify the information you want to access
4. Receive response within mandated timeframes
5. Request clarification if needed

B. Correction Rights

You have the right to ensure your information is accurate and complete.

Correction Requests

You can request:

• Updates to outdated information
• Correction of inaccurate details
• Addition of missing information
• Removal of irrelevant data
• Updates to preferences

Correction Process

We will:

1. Review your correction request
2. Verify the requested changes
3. Update relevant systems
4. Notify relevant parties of changes
5. Confirm completion

C. Deletion Rights

You have certain rights to request deletion of your information, subject to legal requirements.

Deletion Scope

You can request deletion of:

• Outdated information
• Information no longer needed
• Information where consent is withdrawn
• Information not required by law

Retention Requirements

We must retain certain information:

• As required by law
• For regulatory compliance
• To protect legal rights
• To prevent fraud
• For business continuity

D. Complaint Procedures

We provide clear procedures for addressing privacy concerns.

Complaint Process

Our process includes:

1. Initial complaint submission
2. Acknowledgment and review
3. Investigation of concerns
4. Response and resolution
5. Appeal options if needed

Resolution Framework

We ensure:

• Timely responses
• Fair investigation
• Clear communication
• Appropriate remediation
• Process improvement

E. Exercise of Rights Process

We make it easy to exercise your privacy rights while maintaining security.

Request Procedures

To exercise your rights:

1. Contact our Privacy Office
2. Verify your identity
3. Specify your request
4. Provide necessary information
5. Receive confirmation

Response Timeline

We will:

• Acknowledge requests promptly
• Respond within legal timeframes
• Keep you informed of progress
• Explain any delays
• Document all actions

9. Data Retention

A. Retention Periods

We maintain clear retention schedules for all information we hold.

Standard Retention

We typically retain:

• Account information for the duration of the relationship plus required period
• Transaction records as required by law
• Communication records for service purposes
• Security logs for system protection

Legal Requirements

We must retain certain records:

• Financial records (typically 7 years)
• Identity verification records (5 years after last transaction)
• Regulatory reports (as required by law)
• Legal documents (as needed for claims)

B. Retention Justification

All retention periods are based on specific requirements or legitimate needs.

Retention Grounds

We retain information based on:

• Legal obligations
• Regulatory requirements
• Business needs
• Customer service
• Risk management

Regular Review

We conduct:

• Periodic retention reviews
• Necessity assessments
• Compliance checks
• Update procedures
• Documentation updates

C. Deletion Procedures

We follow structured procedures for secure data deletion.

Deletion Methods

We use:

• Secure deletion protocols
• Certified destruction methods
• Verified wiping procedures
• Physical destruction when needed
• Documented processes

Verification Process

We ensure:

• Complete deletion
• Proper documentation
• Audit trails
• Compliance verification
• Regular testing

D. Archiving Standards

We maintain secure archives for required retention periods.

Archive Security

Our archives have:

• Access controls
• Encryption
• Regular backups
• Integrity checks
• Recovery procedures

Archive Management

We maintain:

• Classification systems
• Retrieval procedures
• Access logs
• Regular reviews
• Destruction schedules