1. Introduction
This Privacy Policy (“Policy”) sets out the principles and practices governing the collection, use, disclosure, retention, and safeguarding of personal information by Korrency Exchange Inc. (“Korrency,” “we,” “our,” or “us”). The Policy is intended to provide transparency to individuals and businesses engaging with Korrency regarding how their personal information is managed in compliance with applicable privacy, data protection, and anti-money laundering laws. The Policy applies to all personal information processed by Korrency in connection with the provision of its products and services, including but not limited to multi-currency wallets, cross-border transfers, foreign exchange transactions, and related financial technology solutions. It is drafted to ensure compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial privacy laws in Canada, as well as to anticipate requirements of the General Data Protection Regulation (GDPR), the UK GDPR, and other applicable international data protection frameworks as Korrency expands its operations.
Korrency recognises that the responsible handling of personal information is fundamental to maintaining trust with its clients, regulators, and partners. We are committed to:
- Limiting the collection of personal information to what is necessary for defined, lawful purposes.
- Using personal information only for the purposes for which it was collected, or for uses otherwise permitted or required by law.
- Maintaining appropriate technical, organisational, and contractual safeguards to protect personal information against loss, misuse, unauthorised access, disclosure, alteration, or destruction.
- Retaining personal information only for as long as required to fulfil the purposes of collection and to satisfy applicable legal and regulatory obligations.
- Providing clear and accessible information regarding our privacy practices, and responding to inquiries or complaints in a timely and transparent manner.
This commitment extends not only to compliance with statutory obligations but also to the adoption of industry best practices in privacy and data protection.
This Policy applies to:
- Individual clients: persons who register with Korrency, complete identity verification (KYC), and use our services to hold, exchange, or transfer funds.
- Business clients: legal entities engaging Korrency for cross-border transactions, and their directors, officers, beneficial owners, and authorised representatives.
- Website and application users: individuals accessing Korrency’s website, mobile applications, or digital interfaces, regardless of whether they have created an account.
- Partners, vendors, and other stakeholders: third parties who interact with Korrency in the course of commercial, contractual, or regulatory relationships.
This Privacy Policy forms an integral part of Korrency’s contractual framework with its clients. It should be read in conjunction with Korrency’s Terms and Conditions, which govern the general use of our products and services. In the event of any inconsistency between this Policy and the Terms and Conditions, the provisions of the Terms and Conditions shall prevail with respect to service use, while this Policy shall govern the collection, use, and protection of personal information.
2. Who We Are
Korrency Exchange Inc. (“Korrency”) is a corporation duly incorporated under the laws of the Province of Ontario, Canada, with its principal office in Markham, Ontario. Korrency operates as a financial technology provider specialising in cross-border payment services, multi-currency wallets, and related financial solutions.
Korrency is registered with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) as a Money Services Business (MSB) pursuant to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). This registration obligates Korrency to establish and maintain policies and procedures for client identification, recordkeeping, reporting, transaction monitoring, and ongoing compliance with anti-money laundering and counter-terrorist financing (AML/CTF) requirements.
As Korrency expands into additional jurisdictions, including but not limited to the United Kingdom and the European Union, it will obtain the requisite authorisations and licences from competent supervisory authorities such as the Financial Conduct Authority (FCA) in the United Kingdom and the relevant financial regulators within the European Economic Area. Updates to this Policy will be made to reflect such authorisations when granted.
Korrency’s head office and principal place of business is located at:
Korrency Exchange Inc.
7030 Woodbine Avenue
Markham, Ontario L3R 6G2
Canada
Individuals wishing to obtain further information about Korrency’s privacy practices, exercise their data protection rights, or raise concerns regarding the handling of their personal information may contact us as follows:
- Privacy Office (for privacy-related inquiries): privacy@korrency.com
- Customer Support (for general service matters): support@korrency.com
- Mail correspondence: Korrency Exchange Inc. — Privacy Office, 7030 Woodbine Avenue, Markham, Ontario L3R 6G2, Canada
Where required by applicable law, Korrency will designate a Data Protection Officer (DPO) to oversee compliance with data protection laws and act as a contact point for individuals and regulators. In the event that Korrency processes personal data of individuals located in the European Union or the United Kingdom, and such processing triggers the appointment requirement under the GDPR or UK GDPR, Korrency will also designate a local representative in those jurisdictions. The identity and contact details of such representatives will be published in the most recent version of this Policy.
Korrency provides regulated financial services, including but not limited to:
- Establishing and maintaining multi-currency wallets for clients.
- Facilitating cross-border transfers to supported countries and corridors.
- Providing foreign exchange services at competitive rates.
- Processing funding and payout transactions via banking networks, payment processors, and mobile wallet partners.
- Administering promotional and referral programs as part of client engagement.
- Providing onboarding and verification services for individual and business clients, including Know Your Customer (KYC) and Know Your Business (KYB) checks.
Korrency does not process or facilitate cryptocurrency or other virtual asset transactions. Its services are limited to fiat currency operations conducted in accordance with applicable financial regulations.
3. What Information We Collect
In the course of providing financial services, Korrency collects and processes various categories of information relating to individual and business clients. The scope of collection is determined by the nature of the services requested, legal and regulatory obligations applicable to Korrency as a FINTRAC-registered Money Services Business, and the need to secure our platform and prevent misuse.
The categories of information we collect are as follows:
To satisfy statutory Know Your Customer (KYC) and anti-money laundering (AML) requirements, Korrency collects personal identification data including, without limitation:
- Full legal name;
- Date and place of birth;
- Nationality and citizenship information;
- Government-issued identification documents (passport, driver’s licence, national ID, residence permit), including document number, issuing authority, expiry date, and embedded security features;
- Residential address, supported by acceptable documentation (utility bill, bank statement, or government correspondence);
- Occupation, employer information, and, where required, details of source of funds or source of wealth;
- Politically Exposed Person (PEP) and Head of International Organisation (HIO) status; and
- Results of mandatory sanctions and adverse media screening.
This information is mandatory for account creation and ongoing service provision.
For communication and account administration purposes, Korrency collects:
- Email addresses (primary and recovery, where applicable);
- Mobile and/or fixed telephone numbers;
- Residential and/or mailing addresses; and
- Results of mandatory sanctions and adverse media screening.
Contact data is used for transaction confirmations, regulatory notices, service updates, and customer support.
In delivering wallet and payment services, Korrency processes financial information, including:
- Wallet identifiers, balances, and transactional history;
- Bank account details, such as account numbers, IBAN, SWIFT/BIC codes, routing or sort codes, and associated account holder information;
- Beneficiary details (name, account number, bank or mobile wallet provider) provided for transfers;
- Details of transfers, deposits, withdrawals, foreign exchange transactions, and applied spreads or fees;
- Refunds, reversals, chargebacks, or disputed transaction records; and
- Records of promotional credits, rewards, or referral payments.
This information is retained in accordance with statutory recordkeeping obligations under the PCMLTFA and related regulations.
When clients interact with Korrency’s digital platforms, we automatically collect technical information, including:
- Device identifiers (model, operating system, device ID);
- Internet protocol (IP) address and associated geolocation data;
- Browser type, settings, and session information;
- Security telemetry, including indicators of VPN, proxy use, or unusual login patterns;
- Error, crash, and diagnostic logs; and
- Cookies and similar technologies used for authentication, functionality, security, analytics, and, where lawful, marketing purposes.
Technical data is essential for platform security, fraud prevention, and ensuring service integrity.
Korrency analyses usage data to monitor service engagement and detect irregularities. This may include:
- Frequency and timing of logins;
- Use of specific features (e.g., wallet funding, send money, exchange rate calculator);
- Typical corridors, currencies, and transaction values;
- Interaction with in-app messages, notifications, or communications; and
- Participation in promotions or referral programs.
Behavioral data assists in improving product functionality and detecting anomalous or potentially fraudulent activity.
We retain records of communications between clients and Korrency, including:
- Emails, in-app chats, or telephone calls with customer support;
- Call recordings and transcripts, where legally permissible and disclosed;
- Complaints, disputes, and correspondence relating to transaction issues; and
- Participation in promotions or referral programs.
These records support service quality, compliance with regulatory complaint-handling obligations, and risk monitoring.
Certain information collected by Korrency is classified as sensitive under applicable laws. This includes:
- Biometric identifiers (selfie photographs, liveness checks, facial vectors) used solely for identity verification and fraud prevention;
- Sanctions, politically exposed person (PEP), and adverse media screening outcomes; and
- Fraud or risk scores generated by compliance systems.
Sensitive data is collected and processed strictly where necessary for legal and regulatory compliance, and is subject to enhanced safeguards.
For corporate and institutional clients, Korrency collects information to satisfy Know Your Business (KYB) requirements, including:
- Legal entity name, incorporation number, jurisdiction of formation, and tax identification numbers;
- Registered office and principal place of business;
- Articles of incorporation, certificates of good standing, shareholder registers, and similar corporate documentation;
- Details of directors, officers, and authorised representatives, including identification documents;
- Ultimate Beneficial Owner (UBO) information, including names, nationalities, ownership percentages, and verification documents;
- Nature of business activity, anticipated transaction volumes, and geographic exposure; and
- Regulatory licences or authorisations where applicable.
This information is required to assess legal capacity, ownership structure, and AML/CTF risk.
In addition to directly collected information, Korrency may generate derived data, such as:
- Risk assessments and fraud scores;
- Segmentation models categorising client activity by corridor or transaction type; and
- Aggregated statistics and anonymised datasets used for compliance reporting, business analytics, or service improvement.
Derived and aggregated data that cannot reasonably identify an individual is not treated as personal information. Where pseudonymisation is used, such data remains subject to applicable legal protections.
4. How We Collect Information
Korrency collects personal and business information through multiple channels. The method of collection depends on the type of service requested, the regulatory requirements applicable to the transaction, and the technical operation of our platforms. Information is collected only to the extent necessary to fulfil lawful purposes, and in all cases subject to safeguards appropriate to its sensitivity.
Information is collected directly from individual and business clients in the following circumstances:
- Registration and account creation: when you complete sign-up forms, provide contact details, and establish login credentials.
- Onboarding and verification: when you submit government-issued identification, proof of address, corporate formation documents, or other materials necessary for KYC or KYB verification.
- Transactions and funding: when you provide bank account details, Interac information, payment instructions, or beneficiary information in order to execute transfers.
- Customer support and communications: when you engage with us via email, telephone, in-app messaging, or other communication channels.
- Promotions and referrals: when you voluntarily participate in marketing programs, surveys, or beta testing initiatives.
This collection is carried out with your knowledge and, where required by law, your express consent.
When you interact with Korrency’s digital platforms, certain information is collected automatically through technical means. This includes:
- Device identifiers, operating system information, and browser configurations;
- Internet protocol (IP) addresses, connection timestamps, and related geolocation indicators;
- Usage logs, including session length, feature access, and navigation paths;
- Error reports, crash diagnostics, and system telemetry; and
- Cookies and similar technologies used for authentication, functionality, performance analytics, and, subject to consent, marketing or preference management.
Automated collection is essential for fraud detection, maintaining platform security, ensuring operational continuity, and enhancing user experience.
Korrency also receives information from third parties where necessary to deliver its services and comply with regulatory obligations. These include:
- Verification providers, who authenticate government IDs, perform biometric liveness checks, and validate corporate documentation;
- Banking and payment partners, who provide settlement records, confirmation of transfers, and account validation data;
- Sanctions and compliance screening services, which check clients and transactions against international watchlists, politically exposed person (PEP) databases, and adverse media sources;
- Regulators and competent authorities, when we are required by law to obtain, verify, or confirm information in connection with supervision, reporting, or investigation; and
- Marketing and referral partners, when you choose to register through a promotional channel, referral link, or campaign partner, subject always to your consent.
All third-party providers engaged by Korrency are subject to contractual obligations to handle information securely, confidentially, and solely for the purposes defined.
For business clients, Korrency may obtain corporate and beneficial ownership information from publicly available or government-maintained registries. These may include corporate registries, beneficial ownership databases, and official gazettes. Such information is used to validate legal existence, corporate structure, and the identity of directors and shareholders.
5. How We Use Information
Korrency processes personal and business information solely for purposes that are lawful, necessary, and proportionate to the services provided and to the regulatory obligations we are subject to. The principal purposes for which information is used are outlined below.
We use personal and business information to deliver the financial services you request, including:
- Establishing and maintaining multi-currency wallets;
- Executing deposits, withdrawals, transfers, and foreign exchange transactions;
- Recording transaction details, reference numbers, and settlement information;
- Crediting or applying referral rewards, promotional offers, or incentives; and
- Maintaining accurate records of beneficiaries to whom you direct payments.
Without this processing, Korrency would be unable to perform its contractual obligations to clients.
As a FINTRAC-registered Money Services Business, Korrency is subject to stringent anti-money laundering and counter-terrorist financing obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and other applicable laws. To comply with these obligations, we use information to:
- Conduct KYC and KYB verification;
- Assess and document source of funds or source of wealth where appropriate;
- Screen clients against sanctions, politically exposed person (PEP), and adverse media databases;
- Monitor transactions for unusual or suspicious activity;
- Generate and file reports with FINTRAC and other regulators, including Suspicious Transaction Reports (STRs), Large Cash Transaction Reports (LCTRs), and Electronic Funds Transfer Reports (EFTRs); and
- Maintain records for statutory retention periods.
Compliance-related processing is non-optional and forms a condition of accessing our services.
We use technical, behavioural, and transactional data to secure our systems and protect clients against fraud, including:
- Authenticating logins and detecting unauthorised access attempts;
- Identifying anomalies in transaction behaviour or device usage;
- Applying risk scoring to transactions and accounts;
- Temporarily restricting or blocking transactions pending review where fraud or misuse is suspected; and
- Supporting forensic investigations in the event of actual or attempted security breaches.
Such processing is necessary to protect both clients and the integrity of the financial system.
We use contact and communications data to manage our relationship with clients, including:
- Providing confirmations, receipts, and records of transactions;
- Delivering security alerts, account notices, and service updates;
- Responding to support inquiries and resolving disputes; and
- Complying with legal obligations to provide notices of changes to terms, policies, or service availability.
Certain communications, such as security alerts and regulatory notices, are mandatory and cannot be opted out of.
We analyse technical and behavioural data to enhance the functionality, reliability, and usability of our services. This may include:
- Monitoring platform performance and detecting errors;
- Conducting diagnostics and troubleshooting;
- Testing new features with limited user groups; and
- Analysing usage trends to inform product design and prioritisation.
Where feasible, data used for improvement purposes is pseudonymised or aggregated.
We may use aggregated or pseudonymised datasets for internal research, business intelligence, and innovation. Examples include:
- Analysing transaction corridors to anticipate liquidity requirements;
- Developing compliance and fraud detection models;
- Preparing anonymised reports for internal governance and oversight.
Such data does not identify individual clients and is processed subject to strict safeguards.
With your consent, we may use personal information to:
- Communicate information about new services, features, or supported corridors;
- Administer referral programs and promotional campaigns; and
- Provide targeted offers consistent with your service usage patterns.
You may withdraw consent to marketing communications at any time, without affecting your ability to continue using Korrency’s core services.
6. Legal Basis for Processing (Where Applicable)
Korrency processes personal and business information only where there is a lawful basis to do so. The applicable basis depends on the jurisdiction in which the data subject is located, the nature of the data, and the purpose of processing.
In Canada, Korrency processes personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, equivalent provincial legislation.
- Express consent: Obtained for the collection and use of sensitive information (e.g., biometric identifiers for identity verification) and for optional uses such as marketing communications.
- Implied consent: Relied upon for ordinary business purposes reasonably expected by the client (e.g., using residential address details to deliver transaction confirmations).
- Legal exceptions: Processing without consent may occur where permitted or required by law, including:
- Compliance with subpoenas, court orders, or law enforcement requests;
- Meeting FINTRAC reporting obligations;
- Detecting, investigating, or preventing fraud or financial crime;
- Ensuring the security of our systems and services.
For individuals located in the European Union and the United Kingdom, Korrency will rely on one or more of the following legal bases under the GDPR and UK GDPR:
- Contractual necessity: Processing required to perform our contract with you, such as executing transfers, maintaining wallets, or providing transaction confirmations.
- Legal obligation: Processing required to comply with AML/CTF, sanctions screening, and statutory recordkeeping obligations.
- Legitimate interests: Processing necessary to operate and improve services, detect fraud, and secure our systems, provided such interests are not overridden by the data subject’s rights.
- Consent: Processing undertaken with explicit consent, such as marketing communications, promotional activities, or optional use of cookies.
- Vital interests: In limited circumstances, processing necessary to protect the life or physical safety of an individual.
Certain types of information processed by Korrency are considered “special category” or sensitive under privacy laws. These include biometric identifiers (e.g., facial images or liveness checks) and results of sanctions or politically exposed person (PEP) screening. Such data is processed only where:
- Explicit consent has been obtained from the individual; or
- The processing is strictly necessary to comply with legal obligations under AML/CTF legislation.
Special-category data is subject to heightened security and access restrictions.
Korrency employs automated systems to support fraud detection, transaction monitoring, and risk assessment. Automated processing may result in temporary holds or restrictions on transactions where anomalies are detected.
Where such processing has a significant effect on the individual, clients have the right to request human review of the decision. Automated processing is not used for marketing or profiling unrelated to fraud prevention or compliance.
When using Korrency’s digital platforms, cookies and similar technologies may be employed. The legal basis for their use depends on the category of cookie:
- Strictly necessary cookies: Processed under contractual necessity, as they are required for secure login and service delivery.
- Functional and performance cookies: Processed under legitimate interests, unless consent is required by applicable law.
- Analytics and marketing cookies: Processed only with the individual’s consent, in compliance with GDPR/UK GDPR and comparable regimes.
The provision of certain information is mandatory for regulatory and contractual reasons. Failure or refusal to provide such information, or withdrawal of consent for required processing, may result in:
- Inability to open or maintain an account;
- Restriction or suspension of services; or
- Termination of the client relationship, where required by law.
7. Data Sharing and Disclosure
Korrency discloses personal and business information only where such disclosure is necessary for the provision of services, required by applicable law, or otherwise permitted under this Policy. All disclosures are limited to the minimum information necessary for the stated purpose and are subject to appropriate contractual and technical safeguards.
To facilitate deposits, transfers, withdrawals, and currency exchanges, Korrency must share information with regulated financial institutions and payment partners. Such disclosures may include beneficiary details, account numbers, transaction amounts, and reference information required for execution and settlement. This may involve:
- Canadian and foreign correspondent banks;
- Payment processors and settlement agents;
- Mobile wallet operators and payout providers; and
- Payment networks (e.g., Interac, SEPA, FPS, CHAPS, BACS, SWIFT).
For client onboarding, ongoing monitoring, and compliance with AML/CTF obligations, Korrency engages third-party service providers to:
- Validate government-issued identification and biometric checks;
- Conduct politically exposed person (PEP), sanctions, and adverse media screening; and
- Provide fraud prevention and risk assessment services.
Information shared for these purposes is strictly limited to what is necessary for verification and compliance, and providers are contractually restricted from using it for any other purpose.
Korrency may disclose personal information to regulators, law enforcement agencies, or judicial authorities where legally required or permitted. Examples include:
- Reporting obligations to FINTRAC, such as Suspicious Transaction Reports (STRs), Large Cash Transaction Reports (LCTRs), and Electronic Funds Transfer Reports (EFTRs);
- Compliance with subpoenas, search warrants, or court orders; and
- Cooperation with domestic or foreign regulatory authorities in the context of supervision, audits, or investigations.
All such disclosures are reviewed to ensure they are lawful, properly authorised, and proportionate.
Korrency engages third-party vendors to provide operational and technical support. These include providers of:
- Cloud hosting and secure data storage;
- IT infrastructure and cybersecurity services;
- Customer support platforms and communication services; and
- Analytics and performance monitoring tools.
Vendors act as data processors on behalf of Korrency and are bound by contractual obligations to maintain confidentiality, implement appropriate safeguards, and process data only in accordance with Korrency’s instructions.
At present, Korrency does not share personal information with corporate affiliates for joint business purposes. Should such sharing occur in the future, it will be limited to clearly defined purposes consistent with this Policy, and subject to equivalent safeguards.
Where a client registers through a referral program or promotional campaign, Korrency may confirm limited information to the referring party, such as whether an account was successfully created or a referral reward earned. Such disclosures are made only with the client’s consent and do not include financial or sensitive personal information.
Korrency does not sell personal information to third parties. Personal information is not monetised through advertising networks, data brokers, or similar commercial arrangements.
Every disclosure of information by Korrency is subject to safeguards, including but not limited to:
- Data minimisation: limiting disclosures to the minimum information required for the stated purpose;
- Contractual protections: requiring third parties to comply with confidentiality, security, and data protection obligations;
- Technical safeguards: including encryption in transit and at rest;
- Due diligence and monitoring: assessing third parties for compliance with applicable laws and industry standards.
These measures ensure that information remains protected regardless of the recipient or jurisdiction.
8. International Data Transfers
Korrency provides services that involve the movement of funds and information across multiple jurisdictions. As a result, personal information may be transferred to and processed in countries other than the one in which the client resides.
Korrency primarily hosts client information on secure cloud infrastructure located in Canada. However, information may also be processed in other jurisdictions where Korrency engages third-party service providers or where financial transactions are settled through correspondent banks and international payment networks.
Where personal information is transferred outside of Canada, the UK, or the EU to a jurisdiction that may not provide the same level of data protection, Korrency ensures that appropriate safeguards are in place. These may include:
- Adequacy decisions: reliance on determinations by competent authorities (e.g., the European Commission or the UK Secretary of State) that the recipient jurisdiction provides an adequate level of protection.
- Standard Contractual Clauses (SCCs): use of contractual provisions approved by regulators to ensure data protection obligations are maintained in cross-border transfers.
- Contractual protections under PIPEDA: where Canadian law applies, requiring foreign service providers to handle data in a manner consistent with Canadian privacy standards.
- Technical measures: encryption, access controls, and segregation of data to mitigate risk during and after transfer.
Certain transfers are inherent to Korrency’s services. For example:
- Beneficiary account information may be transmitted to payout partners located outside Canada;
- Transactions routed through intermediary banks may require disclosure of sender and beneficiary details to institutions in multiple jurisdictions; and
- Compliance screening may be conducted using international databases hosted outside the client’s home country.
In all such cases, Korrency discloses only the information strictly necessary for the transaction or compliance requirement and ensures that contractual or regulatory safeguards apply.
9. Data Retention and Deletion
Korrency retains personal and business information only for as long as necessary to fulfil the purposes for which it was collected and to comply with applicable legal, regulatory, and contractual obligations. Retention practices are guided by principles of necessity, proportionality, and regulatory compliance.
- Identification and KYC/KYB records: retained for a minimum of five (5) years after the end of the client relationship, in accordance with the PCMLTFA and equivalent AML/CTF legislation.
- Transaction records: retained for a minimum of five (5) years from the date of the transaction, as required by law.
- Communications and complaints: retained for periods necessary to evidence service delivery, regulatory compliance, and dispute resolution, generally not exceeding seven (7) years.
- Technical and behavioural data: retained for periods necessary to ensure system security and integrity, typically no longer than two (2) years, unless required for forensic or regulatory purposes.
- Marketing and referral data: retained until the client withdraws consent or until the campaign is concluded, whichever occurs earlier.
Where no statutory retention period applies, Korrency considers the following criteria in determining how long to retain information:
- The purpose for which the information was collected;
- The legal and regulatory obligations applicable in relevant jurisdictions;
- The limitation periods for potential legal claims; and
- The technical feasibility of securely storing and deleting the information.
At the end of an applicable retention period, personal information will be:
- Securely deleted from active systems and backups, using methods appropriate to the sensitivity of the data; or
- Anonymised or aggregated, such that it can no longer be used to identify an individual, and retained for statistical, compliance, or analytical purposes.
Deletion is carried out in accordance with documented procedures and is subject to audit.
Notwithstanding the above, Korrency may retain personal information beyond the standard retention periods where:
- A legal hold has been issued in connection with litigation, regulatory investigation, or dispute resolution;
- Applicable law or regulation requires extended retention; or
- Retention is necessary to evidence compliance with contractual or statutory obligations.
Once such exceptions cease to apply, the information will be deleted or anonymised in accordance with Korrency’s standard procedures.
10. Your Rights
Korrency recognises and upholds the rights of individuals in relation to their personal information. The scope of these rights depends on the jurisdiction in which you are located and the legal framework applicable to the processing of your information. This section outlines the principal rights available to you.
You have the right to request confirmation of whether Korrency holds personal information about you and, if so, to obtain access to such information. Subject to limited exceptions prescribed by law (e.g., information that would reveal confidential commercial information or information relating to another individual), we will provide you with access within the timelines required by applicable law.
You have the right to request correction of personal information that is inaccurate, incomplete, or outdated. Korrency will update or amend records as appropriate and notify third parties to whom the information has been disclosed, where feasible.
In jurisdictions recognising this right (e.g., under the GDPR/UK GDPR), you may request deletion of your personal information where:
- The information is no longer necessary for the purposes for which it was collected;
- You withdraw consent and no other legal basis exists for the processing;
- You object to processing and no overriding legitimate grounds apply; or
- The information has been unlawfully processed.
This right is subject to statutory and regulatory retention obligations, including AML/CTF recordkeeping requirements.
You may request restriction of processing of your personal information where:
- You contest the accuracy of the information (pending verification);
- Processing is unlawful and you oppose erasure;
- Korrency no longer requires the information but you need it for legal claims; or
- You have objected to processing and verification of overriding legitimate grounds is pending.
Where processing is restricted, information will be retained but not further processed except as authorised by law.
Where recognised by law (e.g., GDPR/UK GDPR), you may request a copy of your personal information in a structured, commonly used, and machine-readable format, and you may request that we transmit this information to another service provider where technically feasible.
You may object, at any time, to:
- Direct marketing communications (including profiling related to marketing). Such objections will be respected without exception.
- Processing based on legitimate interests, where your rights and freedoms override our interests. Korrency will cease processing unless compelling legitimate grounds exist.
Where processing is based on your consent, you may withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. Certain withdrawals (e.g., for identity verification or AML/CTF purposes) may result in Korrency being unable to continue providing services.
Where decisions with legal or similarly significant effects are made solely through automated means, you have the right to request human intervention, express your point of view, and contest the decision. This right is particularly relevant to fraud detection and transaction monitoring systems.
- Canada: If you believe your rights under PIPEDA have been infringed, you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC).
- United Kingdom: Complaints may be lodged with the Information Commissioner’s Office (ICO).
- European Union: Complaints may be filed with the supervisory authority in the Member State of your residence, place of work, or where the alleged infringement occurred.
- Other jurisdictions: You may have equivalent rights to lodge complaints with your local data protection authority.
Korrency encourages clients to raise concerns directly with our Privacy Office in the first instance, and we will make reasonable efforts to resolve issues promptly and fairly.
11. Children’s Privacy
Korrency’s services are intended for use only by individuals who are eighteen (18) years of age or older. We do not knowingly provide services to, or collect personal information from, individuals under the age of 18. By creating an account with Korrency, you represent and warrant that you meet the minimum age requirement.
If it comes to Korrency’s attention that personal information of an individual under the age of 18 has been collected inadvertently:
- The account associated with such information will be reviewed and, if appropriate, suspended or terminated;
- The information will be securely deleted from our systems, unless retention is required for compliance with legal obligations; and
- Parents or legal guardians may contact Korrency’s Privacy Office to request deletion of such information.
Korrency takes these measures to ensure compliance with applicable privacy laws and to safeguard the rights of minors.
13. Marketing and Communications
Korrency will only send marketing communications to individuals where we have obtained valid consent, or where applicable law permits such communications based on an existing customer relationship. Consent may be express (e.g., opting into promotional emails during onboarding) or implied (e.g., where permitted under Canadian law for existing customers).
Where a client participates in a referral or promotional program, Korrency may confirm to the referring client whether a referral was successful (e.g., whether the referee registered and completed a qualifying transaction). Beyond this confirmation, no financial or sensitive personal information is shared with the referrer.
Every marketing communication from Korrency will include a clear mechanism to opt out or unsubscribe. Clients may also withdraw consent to marketing at any time by adjusting their account preferences or contacting Korrency’s Privacy Office. Withdrawal of consent for marketing does not affect access to core services.
Korrency does not sell client information to advertisers and does not permit third-party targeted advertising on its platforms. Marketing conducted by Korrency is limited to our own services, features, and promotions, and may be based on client preferences and lawful analytics.
14. Data Security
Korrency takes the protection of client information seriously and employs a comprehensive security framework designed to prevent unauthorised access, misuse, or disclosure of personal and business data. While no system can be guaranteed to be entirely secure, Korrency maintains safeguards consistent with industry best practices.
- Encryption: Data is encrypted both in transit (e.g., TLS/SSL) and at rest using strong cryptographic protocols.
- Monitoring: Systems are continuously monitored for unauthorised access, suspicious activity, and vulnerabilities.
- Access controls: Role-based access is implemented, ensuring that only authorised personnel can access sensitive data.
- Secure hosting: Data is hosted in secure, audited data centres with redundancy and disaster recovery capabilities.
- Limited employee access: Access to personal data is restricted to personnel who require it for legitimate business purposes.
- Background checks: Employees and contractors with access to sensitive data are subject to appropriate vetting.
- Training: Staff receive mandatory training on privacy, data protection, and information security practices.
Korrency employs automated and manual controls to detect and prevent fraudulent or suspicious activity. These include transaction monitoring, behavioural analytics, and anomaly detection tools designed to safeguard both the platform and its users.
In the event of a security incident, Korrency follows documented response protocols, including:
- Immediate containment and mitigation of the incident;
- Investigation and remediation of the root cause;
- Notification of affected individuals and regulators, where required by law;
- Implementation of corrective measures to prevent recurrence.
While Korrency employs robust measures to secure information, no system of transmission or storage can be guaranteed to be entirely secure. Clients acknowledge this limitation, while Korrency remains committed to maintaining the highest practicable level of protection.
15. Third-Party Services and Links
Korrency’s platforms may contain links to external websites, applications, or services operated by third parties. These links are provided for convenience only and do not constitute an endorsement or recommendation of the third party or its practices.
Korrency is not responsible for the privacy, security, or data protection practices of third parties. Once you leave Korrency’s platforms or interact directly with a third-party service provider, your use of that service is governed exclusively by the third party’s privacy policy and terms of service. We strongly encourage users to review those policies before providing any personal information to such third parties.
In certain cases, third-party services may be integrated into Korrency’s platform (for example, payment processors, identity verification providers, or referral partners). In such cases, these third parties act as processors or controllers of personal data under applicable law, and their access is strictly limited to the purposes for which they are engaged.
16. Changes to This Privacy Policy
Korrency reserves the right to update or amend this Privacy Policy at any time to reflect changes in legal, regulatory, or operational requirements, or to address evolving risks and business practices.
Where material changes are made, Korrency will provide notice in advance of the changes taking effect. Such notice may be provided through in-app notifications, email communication, or by posting a prominent notice on our website.
Each version of this Privacy Policy will be identified by its effective date. Continued use of Korrency’s services after the effective date constitutes acceptance of the revised Privacy Policy.
17. Contact Us
Korrency has established a dedicated channel for privacy-related inquiries, complaints, and requests to exercise rights under applicable privacy laws.
- Email: Clients may contact us at privacy@korrency.com for any privacy or data protection matter, including access requests, withdrawal of consent, or complaints.
- Mailing Address:
Korrency Exchange Inc.
7030 Woodbine Avenue
Markham, ON L3R 6G2
Canada - Data Protection Officer (DPO) / Representatives:Where required by applicable law, Korrency may appoint a Data Protection Officer (DPO) and, for UK and EU data subjects, a local representative. Contact details will be published and kept current on Korrency’s website and in this Privacy Policy.
We endeavour to respond to all requests within the timeframes prescribed by law and will provide explanations where a request cannot be fulfilled in full.
18. Country-Specific Disclosures
Korrency operates in multiple jurisdictions and complies with applicable privacy and financial services laws in each region where services are offered. The following additional disclosures apply:
- PIPEDA: Personal information is collected, used, and disclosed in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and any substantially similar provincial privacy laws.
- AML/CTF Legislation: As a registered Money Services Business (MSB) with FINTRAC, Korrency is legally required to retain certain information and to submit reports, including:
- Suspicious Transaction Reports (STRs)
- Large Cash Transaction Reports (LCTRs)
- Electronic Funds Transfer Reports (EFTRs)
- Terrorist Property Reports (TPRs)
- Mandatory Retention: Transaction and identification records are retained for at least five years, even if an account is closed, as required by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA).
For clients located in the UK or EU, the following apply in addition to the rights and obligations described elsewhere in this Policy:
- GDPR / UK GDPR: Processing is carried out in accordance with the lawful bases set out in Articles 6 and 9 GDPR. Individuals have rights of access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority.
- Supervisory Authorities:
- In the UK, complaints may be filed with the Information Commissioner’s Office (ICO).
- In the EU, complaints may be lodged with the Data Protection Authority in the Member State of residence, place of work, or where the alleged infringement occurred.
- Data Transfers: Where personal data is transferred outside the UK/EU, Korrency relies on adequacy decisions, Standard Contractual Clauses (SCCs), or equivalent safeguards as required under Articles 44–50 GDPR.
.svg)
.svg)
