Privacy Policy

Last Updated: 4 February 2026

1. DEFINITIONS AND INTERPRETATION
   
   • In this Privacy Policy (the “Policy”), unless the context otherwise requires:
     • “Controller” means FLOWA PAY INC., as defined in Clause 2.1.
     • “GDPR” means Regulation (EU) 2016/679.
     • “Personal Data” means any information relating to an identified or identifiable natural person.
     • “Services” means the payment processing, foreign exchange, virtual currency, and related services provided by Flowapay on a business-to-business basis.
     • “You” or “Data Subject” means any individual whose Personal Data is processed by Flowapay.
   • Headings are for convenience only and do not affect interpretation.
2. DATA CONTROLLER
   • The data controller for the purposes of the GDPR is FLOWA PAY INC., a company incorporated under the laws of British Columbia, Canada (Incorporation No. BC1521911), with its registered office at 997 Seymour St., Suite 250 – #1605, Vancouver, BC V6B 3M1, Canada (“Flowapay”, “we”, “us”, or “our”).
   • Flowapay is registered as a Money Services Business (MSB) with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) under MSB Registration Number C100000902 and is subject to applicable anti-money laundering and counter-terrorist financing legislation.
   • Flowapay is not a bank, electronic money institution, or deposit‑taking institution and does not issue electronic money or provide regulated payment services requiring licensing under EU or UK financial services legislation.
   • This Policy applies where Flowapay processes Personal Data of individuals located in the European Union or European Economic Area in accordance with Article 3(2) GDPR.
   • Payment card data is processed exclusively by PCI DSS Level 1 certified third-party service providers. Flowapay does not store, process, or transmit cardholder data directly. All card payment data is handled exclusively by PCI DSS Level 1 certified third‑party payment platforms.
3. SCOPE OF APPLICATION
   • This Policy applies to the processing of Personal Data relating to:
     • visitors to Flowapay’s website(s);
     • prospective and existing business customers;
     • directors, officers, shareholders, ultimate beneficial owners, and authorised representatives of business customers; and
     • individuals whose Personal Data is processed in connection with the Services, including for compliance, risk management, and regulatory purposes.
   • Flowapay provides Services exclusively on a business-to-business basis and does not provide services to consumers.
   • Where Flowapay processes Personal Data on behalf of a business customer acting as data controller, such processing may be further governed by contractual arrangements between Flowapay and that business customer. Flowapay does not determine the purposes or means of processing Personal Data relating to the Merchant’s customers, players, or end users, except where required for Flowapay’s own legal, regulatory, or compliance obligations.
4. CATEGORIES OF PERSONAL DATA
   • Subject to the principles of lawfulness, fairness, transparency, and data minimisation, Flowapay may process the following categories of Personal Data:
   • Business and Identification Data, including but not limited to:
     • company name, registration details, and tax identifiers;
     • names, titles, roles, and contact details of directors, officers, shareholders, and beneficial owners;
     • government-issued identification documents.
   • Compliance and Risk Data, including but not limited to:
     • know-your-business (KYB) and beneficial ownership data;
     • sanctions, politically exposed persons (PEP), and adverse media screening results;
     • fraud prevention and transaction monitoring data.
   • Transaction and Operational Data, including but not limited to:
     • transaction references, timestamps, amounts, and currencies;
     • merchant account identifiers and settlement references;
     • tokenised payment instrument data, where applicable.
   • Technical and Usage Data, including but not limited to:
     • IP address, device identifiers, browser type and version;
     • log files and access records;
     • cookie and similar tracking data.
   • Communications Data, including records of correspondence and support communications.
5. SOURCES OF PERSONAL DATA
   • Personal Data may be collected:
     • directly from You or Your organisation;
     • through use of Flowapay’s website or Services;
     • from third-party service providers, including AML, fraud prevention, and identity verification providers;
     • from publicly available sources, including corporate and regulatory registers;
     • through cookies and similar technologies.
6. PURPOSES AND LEGAL BASES OF PROCESSING
   • Flowapay processes Personal Data only where permitted by applicable law and on one or more of the following legal bases:
   • Performance of a Contract, where processing is necessary for the performance of a contract with a business customer or to take steps at the request of the Data Subject prior to entering into such contract.
   • Legal and Regulatory Obligations, where processing is necessary to comply with applicable legal or regulatory obligations, including obligations relating to anti-money laundering, counter-terrorist financing, regulatory reporting, and record-keeping applicable to Flowapay as a registered MSB.
   • Legitimate Interests, where processing is necessary for Flowapay’s legitimate interests, including fraud prevention, security, risk management, service improvement, and the establishment, exercise, or defence of legal claims, provided such interests are not overridden by the rights and freedoms of the Data Subject.
   • Consent, where required by law, in which case consent may be withdrawn at any time.
7. DISCLOSURE OF PERSONAL DATA
   • Flowapay may disclose Personal Data on a strictly need-to-know basis to:
     • banks, financial institutions, payment service providers, acquirers, and card networks;
     • AML, sanctions screening, fraud prevention, and identity verification service providers;
     • IT, cloud hosting, analytics, and infrastructure providers;
     • professional advisers, auditors, and legal counsel;
     • competent regulators, supervisory authorities, courts, and law enforcement agencies.
   • All recipients are required to implement appropriate technical and organisational measures to protect Personal Data.
8. INTERNATIONAL DATA TRANSFERS
   • Flowapay may transfer Personal Data outside the European Economic Area.
   • Canada benefits from an adequacy decision of the European Commission for commercial organisations.
   • Where Personal Data is transferred to jurisdictions not subject to an adequacy decision, Flowapay implements appropriate safeguards, including standard contractual clauses, in accordance with the GDPR.
9. DATA RETENTION
   • Personal Data shall be retained only for as long as necessary to fulfil the purposes for which it was collected.
   • Personal Data processed for AML, financial, and regulatory purposes is generally retained for a period of five (5) to seven (7) years, or longer where required by applicable law.
10. DATA SUBJECT RIGHTS
    • Data Subjects located in the EU/EEA have the rights set out in Articles 15–21 GDPR, including rights of access, rectification, erasure (where legally permissible), restriction, objection, data portability, and withdrawal of consent.
    • Requests may be submitted using the contact details in Clause 14.
    • Data Subjects have the right to lodge a complaint with a competent supervisory authority.
11. AUTOMATED DECISION-MAKING
    • Flowapay may use automated processing, including profiling, for risk assessment, fraud prevention, compliance, and onboarding purposes.
    • Where required by law, Data Subjects may request human intervention in respect of decisions producing legal or similarly significant effects.
12. SECURITY
    • Flowapay implements appropriate administrative, technical, and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
13. CHANGES TO THIS POLICY
    • Flowapay may amend this Policy from time to time. The current version shall be made available on Flowapay’s website and shall apply from the date of publication.
14. CONTACT DETAILS
    • For any questions regarding this Policy or the exercise of Data Subject rights, contact:
      • Email: privacy@flowapay.io
      • Postal Address:

        FLOWA PAY INC.
        997 Seymour St., Suite 250 – #1605
        Vancouver, BC V6B 3M1
        Canada