Privacy Policy

1. Definitions and Terminology

The following terms are used in this Privacy Policy and have the meanings set forth below:

• Personal Data: Any information relating to an identified or identifiable natural person, such as name, address, email address, phone number, payment information, or financial details, as defined under Article 4(1) of the GDPR.
• Controller: ORION TRANSACT INC., the entity that determines the purposes and means of processing Personal Data, as defined under Article 4(7) of the GDPR.
• Processor: An entity that processes Personal Data on behalf of the Controller, as defined under Article 4(8) of the GDPR.
• Website: The website located at https://flexify.finance/, operated by ORION TRANSACT INC.
• GDPR: Regulation (EU) 2016/679, the General Data Protection Regulation, which governs the processing of Personal Data within the European Economic Area.
• Identification Data: Information used to identify an individual, such as name, address, phone number, email address, social security number, or taxpayer identification number.
• Transaction Information: Data related to financial transactions, including payment details, payment amounts, recipient details, and other transaction-related information.
• Account Information: Data provided during account registration, such as email address, phone number, date of birth, bank account details, and credit/debit card information.
• Device and Usage Data: Information about a user’s device (e.g., IP address, device type, browser) and their interaction with the Website or services.
• Anti-Money Laundering (AML): Regulatory requirements aimed at preventing money laundering and related financial crimes.
• Know Your Customer (KYC): Processes to verify the identity of customers to prevent fraud, money laundering, and other illegal activities.
• Third Parties: Entities or individuals outside ORION TRANSACT INC. that process Personal Data on our behalf or receive Personal Data to provide services, such as payment processors or compliance service providers.
• Payment Processors: Third-party entities that handle payment transactions to facilitate the transfer of funds.
• PIPEDA: Law “On the Protection of Personal Information and Electronic Documents” of Canada.
• Acquiring Banks: Financial institutions that process card payments on behalf of merchants, enabling the acceptance of credit and debit card transactions.
• Identity Verification and AML Service Providers: Third-party platforms (e.g., KYC compliance platforms) that verify user identities and ensure compliance with AML regulations.
• Credit Bureaus: Agencies that collect and maintain credit information about individuals, used for assessing creditworthiness or fraud prevention.
• Card Scheme Operators: Entities, such as Visa or Mastercard, that manage payment card networks and set rules for card transactions.
• Data Processing Agreements: Contracts between ORION TRANSACT INC. and Third Parties, as required under Article 28 of the GDPR, ensuring that Personal Data is processed securely and in compliance with applicable laws.
• Standard Contractual Clauses (SCCs): Agreements approved by the European Commission to ensure adequate protection of Personal Data transferred outside the European Economic Area.
• Binding Corporate Rules (BCRs): Internal policies adopted by multinational companies to ensure compliance with GDPR for intra-group data transfers.
• Cookies: Small text files stored on a user’s device to enhance functionality, ensure security, and analyze usage of the Website.
• Consent: A freely given, specific, informed, and unambiguous agreement by the user to the processing of their Personal Data, as defined under Article 4(11) of the GDPR.
• Legitimate Interests: A legal basis for processing Personal Data under Article 6(1)(f) of the GDPR, where processing is necessary for the purposes of ORION TRANSACT INC.’s interests, provided it does not override the user’s rights and freedoms.
• Data Subject: An identified or identifiable natural person whose Personal Data is processed, as defined under Article 4(1) of the GDPR.
• Data Subject Rights: Rights granted to Data Subjects under GDPR, including the right to access, correct, delete, restrict processing, object to processing, and data portability.
• Data Protection Officer (DPO): An individual appointed by ORION TRANSACT INC. to oversee compliance with GDPR and other data protection laws, as required under Article 37 of the GDPR.

2. Introduction

ORION TRANSACT INC. recognizes the importance of privacy standards and is committed to protecting all personal data processed in the course of providing services, conducting business correspondence or interacting via web resources.

This Privacy Policy sets forth the terms that apply to the website https://flexify.finance/ (hereinafter referred to as the "Website").

The controller and processor of personal data collected through this Website is ORION TRANSACT INC. and is registered under number BC 1367563 by the BC Registry Services, British Columbia, (hereinafter referred to as the "Company", "we", "us", or "our"). We are responsible for ensuring compliance with applicable data protection laws, including Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and relevant national regulations.

This Privacy Policy complies with applicable data protection laws, including the General Data Protection Regulation (Regulation (EU) 2016/679 – GDPR) and the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada.

By accessing and using this Website, you acknowledge that you have read, understood, and agreed to the terms set out in this Privacy Policy, and you consent to the collection and use of your personal data as described herein.

We are committed to ensuring that the processing of personal data is transparent, lawful and secure. The policy covers all key aspects, from the grounds and purposes of processing to retention periods and the rights of data subjects.

If you have any questions about the contents of this Policy or wish to exercise your rights under data protection legislation, please contact us:

[email protected]

3. Categories of Personal Data We Collect

In accordance with the General Data Protection Regulation (GDPR), we only collect personal data that is necessary to fulfill our obligations to you and provide the services you request. We are committed to ensuring the protection of your data and using it exclusively in accordance with the law. Personal data refers to any information relating to an identified or identifiable natural person, such as your name, address, phone number, email address, payment information, and financial details ("Personal Data").

3.1. Types of Personal Data We Collect:

1. Identification Data
   We collect data that allows us to identify you, such as your name, address, phone number, and email address. We may also collect unique identifiers, such as social security numbers or taxpayer identification numbers, if required to fulfill our obligations to you.
2. Transaction Information
   As part of providing our services, we collect data related to your financial transactions, including payment details, payment amounts, recipient details, and other transaction-related information.
3. Account Information
   When you register for an account to use our services, we collect information such as your email address, phone number, date of birth, bank account details, and credit/debit card information.
4. Device and Usage Data
   We collect information about your device, such as your IP address, device type, browser, and data about how you use our website and interact with our services.
5. Data for Compliance with Legal Requirements
   In compliance with legal requirements, including Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations, we collect data for verification purposes, such as government-issued ID numbers, photographs of your identification, and other supporting documents.
6. Third-Party Information
   If you provide us with Personal Data about a third party (e.g., payment recipient), you are responsible for ensuring that you have obtained their consent to process their data in accordance with this Privacy Policy.
7. Additional Data
   We may collect additional data that you provide in the course of using our services, such as information about your behavior on the website, your location data, and transaction-related information associated with your account.
8. Child
   We do not collect Personal Information from children under 13. If you are under 13, please refrain from sharing any information with us. Parents or legal guardians of a child who has provided Personal Information may request to review or delete it.
9. If we learn that we have inadvertently collected personal data from a child under the age of 13 without verifiable parental consent, we will delete that data promptly. Parents may contact us to access, review, or delete data collected from their child.

3.2. Purposes of Processing Personal Data

In accordance with GDPR, we process your Personal Data only for specific purposes, which include:

• Providing the services you request
• Processing transactions
• Complying with legal obligations, such as AML and KYC
• Protecting and improving our services

3.4. Data Retention

We retain your Personal Data only for as long as necessary to fulfill the purposes of processing, including compliance with legal obligations and tax or other regulatory requirements.

3.5. Data Subject Rights

In accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"), you have the following rights regarding your Personal Data:

• The right to access your data
• The right to correct, delete, or restrict processing of your data
• The right to object to processing
• The right to data portability

Under PIPEDA, you have the right to access your personal information, request corrections to any inaccuracies, and challenge our compliance with applicable privacy obligations. We will respond to access requests within 30 days and provide information about our use and disclosure of your personal information, subject to legal limitations

We will respond to your requests regarding these rights within one month of receiving your request, as required by Article 12(3) of the GDPR. In complex cases, this period may be extended by an additional two months, and we will inform you of any such extension and the reasons for it.

4. Disclosure of Personal Data

As a regulated fintech company, we may disclose your personal data in limited and controlled situations, strictly in accordance with the General Data Protection Regulation (GDPR) and applicable financial laws. We ensure that all disclosures are lawful, secure, and proportionate to the purpose of processing.

4.1. Disclosure to Financial and Compliance Service Providers

We may share your personal data with third parties necessary to deliver our financial services, including:

• Payment processors and acquiring banks (e.g., Stripe, major banking partners)
• Identity verification and Anti-Money Laundering (AML) service providers (e.g., KYC compliance platforms)
• Credit bureaus and fraud prevention agencies
• Card scheme operators (e.g., Visa, Mastercard)
• Other financial institutions involved in processing transactions

These third parties process your data on our behalf under data processing agreements as required under GDPR Article 28. A full list of recipients is available upon request by contacting us at [insert contact email, e.g., [email protected]].

4.2. Legal and Regulatory Disclosure

We may be required to disclose your personal data to government authorities, regulators, or courts, particularly in relation to:

• Compliance with financial laws and regulations
• Tax, anti-money laundering, and counter-terrorist financing obligations
• Requests from law enforcement or legal orders

Such disclosures are made under GDPR Article 6(1)(c) (legal obligation) or Article 6(1)(f) (legitimate interest).

4.3. Intra-Group and Affiliate Sharing

Where relevant, your personal data may be shared within our group of companies or affiliates for:

• Centralized customer support
• Risk and fraud monitoring
• Regulatory reporting and internal audits

All intra-group transfers are subject to internal data protection policies and, where required, Standard Contractual Clauses (SCCs).

4.4. Cross-Border Data Transfers

If we transfer your personal data outside the European Economic Area (EEA), we ensure adequate safeguards are in place, such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Transfers to countries with an adequacy decision
• Binding Corporate Rules (BCRs), where applicable

Please note that if you are located in Canada, your Personal Information may be transferred to jurisdictions outside of Canada, including to the European Union or the United States, where it may be subject to access by local authorities under applicable laws. We take reasonable steps to ensure that transferred data is protected using appropriate safeguards, consistent with both GDPR and PIPEDA requirements.

You may request further information or copies of the safeguards by contacting us.

4.5. Business Restructuring or Transactions

In the event of a merger, acquisition, restructuring, or sale of assets, your personal data may be transferred to the relevant successor entity. Such transfers will occur under conditions that ensure continued protection of your data in compliance with GDPR.

5. Cookie Notice

We use cookies and similar technologies to ensure secure access, enhance functionality, and improve your experience on our website. Cookies are small files stored on your device to recognize returning users, save preferences, and analyze usage.

Types of Cookies:

• Essential: Enable navigation and core platform functions.
• Analytics: Collect anonymized data to optimize performance (with consent).
• Functionality: Store settings (e.g., language) for personalization.
• Marketing (if applicable): Deliver tailored content/ads (with consent).

Your Choices: On your first visit, a cookie banner lets you accept, reject, or customize preferences. You can manage settings anytime via our cookie tool or browser options. Third-party cookies (e.g., analytics, payment providers) comply with data protection laws.

6. Legal Basis for Processing Personal Data

We process your personal data only based on one or more of the following legal grounds:

• Your Consent – For example, to send you marketing materials, communications, or other promotional content, where such consent is required by law. You may withdraw your consent at any time.
• Performance of a Contract – To fulfill the terms of our agreements with you, including providing services, processing payments, or managing your account.
• Our Legitimate Interests – To ensure security, prevent fraud, improve our services, and manage our business operations. This is done only when our legitimate interests do not override your rights and freedoms.
• Legal Obligation – If processing is necessary for compliance with applicable laws and regulations, such as Anti-Money Laundering (AML), Know Your Customer (KYC), and other legal or regulatory requirements.
• Protection of Vital Interests – When processing is necessary to protect your vital interests or the vital interests of another person, such as in emergency situations.
• Public Interest – In exceptional circumstances, when processing is necessary to carry out tasks in the public interest, such as cooperating with law enforcement or regulatory authorities to combat financial crimes or ensure compliance with relevant legal frameworks.

Under Canadian law (PIPEDA), we rely primarily on your meaningful consent for the collection, use, and disclosure of Personal Information. We ensure that such consent is informed, obtained prior to or at the time of collection, and may be withdrawn at any time. In some cases, we may collect or use Personal Information without consent if required or permitted by law (e.g., for fraud prevention, legal compliance, or emergencies).

We ensure that consent is meaningful, clear, and tailored to the sensitivity of the personal data collected. Users are informed of the purposes for which their information will be used in plain language.

We ensure that your rights and freedoms are always respected and will not process your personal data in ways that infringe upon these rights unless required by law.

7. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy at any time to reflect changes in applicable laws, regulations, or our business practices. When updates are made, we will post the revised version on our Website and, where required, notify you via email (to the address associated with your Account) or through a notice on our Website.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of our Website or Services after any changes indicates your acceptance of the updated Privacy Policy, unless otherwise specified. In case of a conflict between versions of this Privacy Policy that you have accepted, the most recent version will prevail unless explicitly stated otherwise.

8. Contact Information

If you have any questions about our privacy policy or data practices, please contact us via email [email protected].

If you are located in Canada and have concerns about our handling of your personal information, you may contact the Office of the Privacy Commissioner of Canada (OPC): https://www.priv.gc.ca/ or 1-800-282-1376."