01Information We Collect
We collect the following categories of personal information in the course of providing our Services, in each case limited to what is reasonably required for the purposes identified in this Policy:
| Category | Examples | Source |
|---|---|---|
| Identity & contact information | Full name, date of birth, address, phone number, email address, government-issued ID | Directly from you |
| Identity verification (KYC/AML) | ID document images, selfie/biometric verification, proof of address, occupation, source of funds | Directly from you; identity verification service providers |
| Financial & transaction information | Account and payment details, transaction history, wallet addresses, virtual currency transaction data | Directly from you; generated through use of the Services |
| Device & usage information | IP address, browser type, device identifiers, log data, cookies (see our Cookie Policy) | Automatically collected |
| Communications | Customer support correspondence, call recordings (where disclosed), survey responses | Directly from you |
02How We Use Your Information
We use personal information for the following purposes:
- Identity verification, customer due diligence, and ongoing monitoring required under the RPAA, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), and FINTRAC guidance;
- Opening, administering, and closing accounts, and providing payment and virtual currency services you request;
- Processing and settling transactions, including virtual currency transactions;
- Detecting, investigating, and preventing fraud, money laundering, terrorist financing, sanctions violations, and other financial crime;
- Safeguarding end-user funds and meeting our regulatory obligations as an RPAA-registered payment service provider;
- Responding to customer support inquiries and communicating with you about your account;
- Complying with legal and regulatory obligations, including reporting to FINTRAC, the Bank of Canada, and other competent authorities, and responding to lawful requests from law enforcement or regulators;
- Improving and securing our website and platform, including through analytics described in our Cookie Policy;
- With your consent, sending you marketing communications about our products and services, which you may opt out of at any time.
03Our Legal Basis for Processing
Under PIPEDA, we collect, use, and disclose personal information based on your knowledge and consent, which may be express or implied depending on the sensitivity of the information and the circumstances. In limited circumstances permitted by law, we may collect, use, or disclose personal information without consent — for example, to comply with a legal or regulatory obligation (such as FINTRAC reporting), to investigate a suspected offence, or in an emergency threatening life, health, or safety.
04Disclosure of Personal Information
We do not sell personal information. We may disclose personal information to the following categories of recipients, only as reasonably necessary for the purposes described in this Policy:
- Regulators and government authorities, including FINTRAC, the Bank of Canada, and law enforcement, where required or permitted by law;
- Service providers and processors who support our operations, such as identity verification vendors, payment processors, cloud hosting providers, and professional advisors, under contractual confidentiality and data protection obligations;
- Corporate affiliates within the DaisyLink group structure, including our intermediate holding company Cowley Holdings Limited (Hong Kong), for group governance, risk management, and administrative purposes;
- A successor entity in connection with a merger, acquisition, financing, or sale of some or all of our assets;
- Other parties with your consent or at your direction.
05Cross-Border Storage and Transfer
Personal information may be collected, used, processed, or stored outside of Canada, including in jurisdictions such as Hong Kong, given our corporate affiliation with Cowley Holdings Limited, and other jurisdictions where our service providers operate. Personal information transferred outside Canada may be accessible to foreign courts, law enforcement, and regulatory authorities under the laws of those jurisdictions. Where we transfer personal information outside Canada, we take reasonable contractual and organizational steps to require a comparable level of protection to that required under PIPEDA.
06Retention of Personal Information
We retain personal information only for as long as necessary to fulfil the purposes described in this Policy, including to satisfy legal, regulatory, accounting, and reporting requirements. Given our obligations as an RPAA-registered payment service provider and FINTRAC-registered money services business, certain identity verification and transaction records are retained for a minimum period required under the PCMLTFA and its regulations, currently five years from the date the relevant record was created.
07Security Safeguards
We maintain physical, organizational, and technological safeguards appropriate to the sensitivity of the personal information we hold, including encryption of data in transit and at rest, access controls, and employee training, consistent with our Operational Risk Management Framework. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
08Your Rights and Choices
Subject to certain exceptions permitted by law, you have the right to:
- Access the personal information we hold about you;
- Request correction of inaccurate or incomplete personal information;
- Withdraw consent to our collection, use, or disclosure of your personal information, subject to legal, contractual, or regulatory restrictions (for example, we cannot delete identity verification records we are required to retain under the PCMLTFA);
- Ask questions about our privacy practices or file a complaint.
To exercise any of these rights, please contact our Privacy Officer using the details in Section 12 below. We may need to verify your identity before responding to your request.
10Children's Privacy
Our Services are intended for use by individuals who meet the applicable age of majority and account eligibility requirements. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without appropriate consent, we will take steps to delete it.
11Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal and regulatory requirements. We will post the revised version on our website with an updated “Last Updated” date, and where changes are material, we will provide additional notice as appropriate.
12How to Contact Us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or want to make a complaint, please contact our Privacy Officer:
Email: privacy@daisylink.ca
If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC), the federal regulator responsible for overseeing compliance with PIPEDA.