PRIVACY POLICY

3.3 Financial and Transactional Information

To process transactions and comply with anti-money laundering regulations:

• Bank account details (account number, institution, account holder)
• Payment card information (processed securely and tokenized)
• Transaction history and patterns
• Source of funds documentation
• Purpose of transactions (invoices, contracts, supporting agreements)
• Transfer beneficiary information

3.4 Technical and Usage Information

We automatically collect:

• IP address and device identifiers
• Browser type and version
• Operating system
• Access dates and times
• Pages visited and interactions with our platform
• Geolocation data (with your consent)
• Session information and cookies

3.5 Biometric Verification Information

As part of our identity verification process through Sumsub, we collect:

• Facial images for liveness verification
• Biometric comparison with identity documents
• AI-powered document validation results

Specific Consent: By initiating the identity verification process, you grant your express consent for the collection and processing of your biometric data for the sole purpose of verifying your identity.

4.2 Specific Purposes of Use

4.2.1 Service Delivery

• Processing remittance payments and money transfers
• Facilitating currency exchange transactions
• Issuing and managing payment cards
• Operating electronic wallets and virtual IBANs
• Processing merchant payments
• Providing customer support

4.2.2 Regulatory Compliance

• Complying with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA)
• Complying with the Retail Payment Activities Act (RPAA)
• Complying with PIPEDA and Quebec's Act 25
• Filing reports required by FINTRAC:
◦ Suspicious Transaction Reports (STR)
◦ Electronic Funds Transfer Reports (EFTR)
◦ Terrorist Property Reports (TPR)
• Complying with Canadian sanctions legislation
• Implementing anti-fraud and anti-money laundering programs

4.2.3 Identity Verification (KYC/KYB)

We verify your identity through our third-party verification provider, Sumsub, which performs:

• Document authenticity verification
• Biometric liveness checks
• Sanctions and watchlist screening
• Politically Exposed Person (PEP) checks
• Adverse media monitoring
• AI-powered document validation

4.2.4 Transaction Monitoring

• Detecting and preventing fraud
• Identifying suspicious activities
• Complying with Electronic Funds Transfer (EFT) reporting requirements
• Filing Suspicious Transaction Reports (STR) when required
• Monitoring unusual transaction patterns
• Detecting structuring (smurfing) and other illicit activities

4.2.5 Travel Rule Compliance

In accordance with FINTRAC regulations and FATF recommendations, for transfers of CAD $1,000 or more (or equivalent), we share the following information with receiving financial institutions:

Sender Information:

• Full name
• Account number
• Address
• Financial institution details

Beneficiary Information:

• Full name
• Account number
• Address
• Receiving financial institution details

Transaction Information:

• Transaction amount
• Transaction date

This disclosure is a mandatory legal requirement and does not require additional consent.

4.2.6 Business Improvement

• Analyzing service usage patterns
• Improving our products and services
• Conducting market research
• Personalizing user experience

5.3 Business Partners

We may share information with:

• Local pay-in and pay-out partners in applicable jurisdictions
• Correspondent banking partners
• Card acquiring and issuing partners
• Cash payout agents (where applicable)

5.4 Other Disclosures

We may disclose information:

• To protect our rights, privacy, safety, or property
• In connection with a merger, acquisition, or sale of assets (with prior notice)
• With your explicit consent
• To comply with court orders or legal processes

5.5 What We Do NOT Do

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

6.2 Primary Destination Countries

Primary transfer destinations include (but are not limited to):

• Mexico
• Spain
• Peru
• Colombia
• Brazil
• Other LATAM and Caribbean countries

6.3 Safeguards for International Transfers

When transferring data internationally, we implement the following safeguards:

For transfers to the EU/EEA:

• Compliance with GDPR requirements
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Assessment of the destination country's level of protection

For transfers to other countries:

• Contractual agreements requiring equivalent protection
• Privacy risk assessment of the destination country
• Implementation of additional technical and organizational measures when necessary

6.4 Consent for International Transfers

By using our remittance services, you expressly consent to the transfer of your personal information and that of your beneficiaries to the destination countries necessary to complete your transactions.

7.2 Data Deletion

After the applicable retention period, we will securely delete or anonymize your personal information, unless:

• Longer retention is required by law
• It is necessary for ongoing legal proceedings
• You have requested continued retention

7.3 Dormant Accounts

Accounts that remain inactive for 365 days will be considered dormant. If you wish to reactivate a dormant account, a full KYC refresh will be required.

• Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Multi-Factor Authentication (MFA): Required for account access and critical systems
• Cloud Infrastructure: Amazon Web Services (AWS) with robust security protocols
• Security Assessments: Periodic penetration testing and vulnerability scans
• Endpoint Detection and Response (EDR): Continuous threat monitoring
• API Gateway: With rate limiting and attack protection
• Backups: Immutable backups and daily verification

8.2 Organizational Safeguards

• Role-Based Access Controls: Access limited based on business need
• Segregation of Duties: Multiple approvals for critical operations
• Four Eyes Principle: For high-risk transactions and changes
• Employee Training: Annual training on data protection and AML/CTF
• Independent Audits: External reviews every two years
• Whistleblower Program: Confidential channel for reporting irregularities

8.3 Document Storage

All customer documentation is stored securely in our document management system on AWS servers with:

• Industry-standard security frameworks
• Regular backups and routine monitoring
• Two-factor authentication for access
• Restricted access based on business need
• Immutable audit trails

• Notifying you without undue delay, but no later than 72 hours after determining the incident is material
• Informing you about:
◦ Date and time when the incident began
◦ Description of the incident and its impact
◦ Measures taken to respond to the incident
◦ Steps you can take to protect yourself
◦ Contact information for questions

• Bank of Canada: Within 48 hours for material incidents (RPAA)
• FINTRAC: As required
• Commission d'accès à l'information du Québec: Without delay for incidents presenting risk of serious harm (Act 25)
• Office of the Privacy Commissioner of Canada: As required by PIPEDA

9.2 Exceptions to Notification

We may delay notification if doing so within 72 hours would increase the risk of significant harm, including:

• Bodily harm
• Humiliation
• Damage to reputation or relationships
• Loss of employment or opportunities
• Financial loss
• Identity theft
• Negative effects on credit history

11.2 Identity Verification

To protect your privacy, we will verify your identity before processing your request. This may include:

• Confirming your account information
• Requesting additional identification documents
• Asking security questions

11.3 Response Times

11.4 Costs

Most requests are processed at no cost. However, we may charge a reasonable fee for:

• Manifestly unfounded or excessive requests
• Additional copies of information

We will inform you of any charges before processing your request.

• Implementing new services or products involving significant processing of personal data
• Making material changes to our data processing practices
• Implementing automated decision-making technologies
• Transferring data to new jurisdictions
• Sharing data with new categories of third parties

12.2 Assessment Elements

Our assessments include:

• Description of the proposed processing
• Assessment of necessity and proportionality
• Identification and evaluation of risks to individuals' rights
• Measures to address identified risks
• Data Protection Officer approval

13.1 Use of Automated Processing

13.2 Your Rights Regarding Automated Decisions

You have the right to:

• Be informed when a decision significantly affecting you is made automatically
• Request human intervention to review the decision
• Express your point of view and contest the decision
• Receive an explanation of the logic used

13.3 How to Request Human Review

If an automated decision negatively affects you, you can request human review by contacting:

Email: compliance@monitiva.com
Subject: Request for Automated Decision Review

We will respond within 5 business days.

14.1 Types of Cookies We Use

14.2 Cookie Management

You can manage your cookie preferences:

• Through the cookie banner on our website
• Through your browser settings
• By contacting us at privacy@monitiva.com

Note: Disabling certain cookies may affect the functionality of our services.

14.3 Third-Party Cookies

Our site may include cookies from:

Google Analytics (traffic analysis)
Payment service providers
Customer support tools

We will respond within 5 business days.

15.1 Service Communications

We will send you service-related communications without the need for additional consent, including:

• Transaction confirmations
• Security alerts
• Policy and terms updates
• Required regulatory notifications
• Information about changes to your account

15.2 Marketing Communications

We will only send you marketing communications if you have:

Provided your express consent ("opt-in")
Not previously withdrawn your consent

You can unsubscribe from marketing communications at any time:

We will only send you marketing communications if you have:

• By clicking the "unsubscribe" link in any marketing email
• By contacting us at privacy@monitiva.com
• By updating your preferences in your account

Unsubscribing from marketing communications will not affect essential service communications.

18.2 Notification of Changes

We will notify you of any material changes by:

• Posting the updated policy on our website
• Sending an email notification
• Displaying a notice in our application
• For significant changes, requesting new consent when required

18.3 Version History

The "Effective Date" at the top of this policy indicates when it was last updated. Your continued use of our services after any changes constitutes acceptance of the updated policy.

19.1 Governance Framework

In accordance with Quebec's Act 25, we have established a data governance framework that includes:

• Designation of a Data Protection Officer
• Documented policies and procedures for personal information protection
• Employee training program
• Privacy impact assessment process
• Incident response procedures
• Audit and review program

19.2 Accountability

The Data Protection Officer is accountable to senior management and the board of directors for:

• Overseeing compliance with this policy
• Coordinating responses to privacy rights requests
• Managing data security incidents
• Maintaining records of processing activities
• Conducting privacy impact assessments

20.2 Supervisory Authorities

If you are not satisfied with our response, you may file a complaint with:

Canada:
Office of the Privacy Commissioner of Canada
www.priv.gc.ca
1-800-282-1376

Quebec:
Commission d'accès à l'information du Québec
www.cai.gouv.qc.ca
1-888-528-7741

European Union:
You may contact the data protection authority in your country of residence. A list is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

— End of Privacy Policy —

Document prepared in compliance with PIPEDA, PCMLTFA, RPAA, Quebec's Act 25, and GDPR.

Last reviewed: December 2025