1. Definitions and Terminology
The following definitions apply throughout this Privacy Policy.
Personal Information means any information about an identifiable individual, including but not limited to name, address, email address, telephone number, government-issued identification, banking or payment details, and transactional information. This term corresponds to Personal Data under the EU General Data Protection Regulation (GDPR) and has the same meaning as in section 2(1) of the Personal Information Protection and Electronic Documents Act (PIPEDA).
Organization, Company, or We refers to ORION TRANSACT INC., a money services business registered in British Columbia under number BC1367563, responsible for determining the purposes and means of processing Personal Information in accordance with PIPEDA and applicable AML/CTF laws.
Controller means the entity that determines the purposes and means of processing personal data under Article 4(7) of the GDPR, applicable only where the Company processes data of EU residents.
Processor means any external service provider that processes Personal Information on behalf of the Company in accordance with written contractual terms and privacy safeguards.
Website refers to the Company's online platform and related digital interfaces, including https://flexify.finance/ and its mobile or API-based extensions.
GDPR refers to Regulation (EU) 2016/679, applicable to the processing of Personal Data of individuals located within the European Economic Area, insofar as the Company offers services to or monitors the behavior of such individuals.
PIPEDA refers to the Personal Information Protection and Electronic Documents Act of Canada, the principal law governing the collection, use, and disclosure of Personal Information in the course of commercial activities.
Identification Data means information used to confirm identity, including name, date of birth, residential address, identification document number, and taxpayer or business registration number, as required for compliance with Know Your Customer (KYC) and Anti-Money Laundering (AML) obligations.
Transaction Data refers to information generated in connection with the execution of financial or remittance operations, including transaction identifiers, amounts, counterparties, payment methods, and timestamps.
Account Information means data provided by an individual when creating or maintaining an account with the Company, including login credentials, contact details, and associated banking or payment instrument information.
Device and Usage Data means technical information collected automatically when accessing or using the Website, such as IP address, browser type, device identifiers, and log data related to interactions with the platform.
Cookies are small data files placed on a user's device to maintain session integrity, enhance website performance, enable analytics, and ensure secure functionality in accordance with applicable privacy laws and the Canada Anti-Spam Legislation (CASL).
AML means Anti-Money Laundering laws and regulations that require MSBs to prevent, detect, and report suspicious financial activity in accordance with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and FINTRAC guidance.
KYC refers to Know Your Customer procedures aimed at verifying customer identity and assessing risk as part of AML compliance obligations.
Third Parties means independent entities or individuals engaged by the Company to provide specific services, such as payment processing, identity verification, data hosting, or compliance screening, who process Personal Information under contractual safeguards.
Payment Processors refers to regulated entities authorized to facilitate the transfer of funds or process payment card transactions on behalf of the Company and its clients.
Acquiring Banks refers to financial institutions authorized to process card payments for merchants under applicable card network rules.
Card Scheme Operators means organizations such as Visa or Mastercard that establish standards and infrastructure for card transactions.
Identity Verification and AML Service Providers refers to platforms or systems used to authenticate user identity, screen against sanctions or politically exposed persons lists, and ensure AML compliance.
Consent means voluntary, informed, and meaningful permission provided by an individual for the collection, use, or disclosure of their Personal Information, obtained prior to or at the time of collection, in accordance with PIPEDA and, where applicable, Article 4(11) of the GDPR.
Data Subject or Individual means a natural person whose Personal Information is collected, used, or disclosed by the Company.
Data Protection Officer or Privacy Officer means the person designated by the Company to oversee privacy governance, respond to access requests, and ensure compliance with PIPEDA, FINTRAC recordkeeping requirements, and, where relevant, GDPR obligations.
Breach means an incident involving unauthorized access to, disclosure, alteration, or loss of Personal Information that may compromise its confidentiality, integrity, or availability.
Safeguards means the administrative, technical, and physical measures implemented by the Company to protect Personal Information against unauthorized access, misuse, or disclosure.
2. Introduction
ORION TRANSACT INC. acknowledges the importance of privacy protection and is committed to maintaining the confidentiality, integrity, and security of all "Personal Information" collected and processed in the course of providing financial and money service business (MSB) operations, maintaining business relationships, and operating our online platforms. This Privacy Policy describes how we collect, use, disclose, retain, and safeguard "Personal Information" in connection with the website https://flexify.finance/ and any related mobile or digital interfaces operated by ORION TRANSACT INC. (hereinafter referred to as the ""Company"", ""we"", ""us"", or ""our"").
The Company is registered under number BC1367563 with the BC Registry Services in British Columbia, Canada. As a regulated money services business, we are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), and all relevant guidance issued by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). Where applicable, this Policy also reflects the requirements of the General Data Protection Regulation (EU) 2016/679 (GDPR) for individuals located in the European Economic Area whose personal data may be processed by the Company.
This Privacy Policy applies to all "Personal Information" collected through our "Website", our communication channels, partner integrations, or any other interactions with our products and services. By visiting our "Website" or using our services, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your "Personal Information" in accordance with its terms, unless otherwise permitted or required by law.
Our approach to privacy is based on transparency, accountability, and proportionality. We collect and process "Personal Information" only for lawful and clearly identified purposes, and we apply security "Safeguards" appropriate to the sensitivity of the information. The Policy outlines the legal basis and purposes for processing, retention periods, data subject rights, and the procedures we follow to ensure fair and responsible handling of "Personal Information".
If you have any questions about this Privacy Policy, our privacy practices, or your rights under PIPEDA or other applicable legislation, you may contact our Privacy Officer at [email protected].
3. Categories of Personal Information We Collect
The Company collects and processes only the "Personal Information" that is necessary to deliver its services, meet legal and regulatory obligations, and maintain secure and compliant operations. "Personal Information" refers to any data about an identifiable individual, whether collected directly from you or through lawful "Third Parties" sources. Such information is handled in accordance with the principles of PIPEDA, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), and where applicable, the General Data Protection Regulation (GDPR).
3.1. Types of Personal Information Collected
"Identification Information" includes your full name, residential address, date of birth, contact details, and other identifiers that allow us to establish your identity. This may include government-issued identification numbers, business registration data, or tax numbers where required to meet legal and contractual obligations. "Transaction Information" refers to all data generated through your use of our payment or remittance services, including transaction amounts, currencies, payment methods, sender and recipient details, reference numbers, timestamps, and corresponding account identifiers.
"Account Information" encompasses details provided when creating or maintaining an account with the Company, such as your email address, phone number, account credentials, linked payment instruments, and verification records. "Device and Usage Data" refers to technical data automatically collected when you interact with our "Website" or applications, including your IP address, browser type, device model, operating system, session identifiers, and activity logs, which are used for security monitoring and service optimization.
"Compliance and Verification Data" include documents and information obtained for customer identification, screening, and due diligence purposes under AML and KYC obligations. This may involve scans of identification documents, facial images, proof of address, corporate ownership structures, beneficial ownership information, and source-of-funds declarations.
"Third-Party Information" refers to data about other persons or entities involved in your transactions, such as payment recipients or authorized representatives, where you provide their details in connection with a legitimate business relationship. By submitting such information, you confirm that you have obtained their "Consent" or have the legal right to share it. "Communication Information" includes correspondence exchanged with us via email, live chat, or other communication channels, including complaints, support requests, or onboarding documentation. Additional Information may be collected if necessary to verify your identity, process payments, or comply with applicable legislation, and may include location data, IP-based geolocation indicators, and behavioral data relating to service usage.
The Company does not knowingly collect or store information from individuals under the age of 13. If you are under 13 years old, you must not provide any "Personal Information" to us. Parents or legal guardians who believe that a child has submitted information without proper "Consent" may contact us to review, correct, or delete such data. Upon confirmation, any such information will be permanently erased from our records.
3.2. Purposes of Processing Personal Information
We process "Personal Information" only for lawful and specific purposes directly related to the delivery of our services and compliance with applicable regulatory frameworks. These purposes include establishing and managing customer relationships, verifying identity and eligibility to use our services, executing and monitoring payment and remittance transactions, fulfilling obligations under AML, CTF, and sanctions screening regimes, preventing fraud and unauthorized use of our systems, maintaining accurate accounting and audit records, and improving the functionality, performance, and security of our platforms. Where required by law, we may also process information to cooperate with competent authorities or to comply with reporting obligations to FINTRAC or other regulators.
3.3. Data Retention
"Personal Information" is retained only for as long as necessary to achieve the purposes for which it was collected or as required by law. In accordance with FINTRAC recordkeeping requirements, identification, transaction, and verification records are generally maintained for a minimum of five years after the completion of the last transaction or the termination of the business relationship. Once the retention period has expired, the data is securely deleted, anonymized, or destroyed in a manner that prevents unauthorized access or reconstruction.
3.4. Individual Rights
Under PIPEDA, you have the right to access your "Personal Information", to request corrections to any inaccuracies, and to challenge our compliance with applicable privacy obligations. Upon receiving a written request, we will respond within thirty days, providing access to the information we hold about you, unless restricted by law or regulatory duty. You also have the right to withdraw "Consent" where "Consent" forms the basis of processing, subject to contractual and legal limitations. For individuals located in the European Economic Area, the additional rights set out under Articles 15 to 22 of the GDPR may apply, including the right to erasure, data portability, and restriction or objection to processing, provided such rights are compatible with Canadian legal obligations regarding record retention and reporting.
Requests relating to these rights may be submitted to the "Privacy Officer" at the contact details provided in this Policy. We will ensure that all requests are handled promptly, transparently, and in accordance with our legal and regulatory obligations.
4. Disclosure of Personal Information
As a regulated money services business, the Company discloses "Personal Information" only in limited and clearly defined circumstances, ensuring that all such disclosures are lawful, proportionate, and subject to appropriate "Safeguards". We do not sell or otherwise commercially share "Personal Information". All disclosures are made in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA), the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), applicable FINTRAC guidance, and, where relevant, the General Data Protection Regulation (GDPR).
4.1. Disclosure to Financial and Compliance Partners
We may share "Personal Information" with "Third Parties" that are necessary for the execution of financial services and supporting our operations. Such "Third Parties" may include regulated "Payment Processors", "Acquiring Banks", "Card Scheme Operators", correspondent financial institutions, "Identity Verification and AML Service Providers", and anti-money laundering (AML) service providers. We may also share "Personal Information" with transaction monitoring and sanctions screening platforms, credit bureaus, fraud-prevention agencies, and professional or legal advisors engaged to ensure compliance with regulatory obligations.
In compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), all third-party service providers process "Personal Information" strictly under written agreements that ensure confidentiality, limit processing to the specified purposes, and guarantee compliance with applicable privacy and data protection standards. These "Third Parties" are required to implement appropriate "Safeguards" based on the sensitivity of the information they handle to protect your privacy. A list of such service providers and recipients can be obtained upon request by contacting us at [email protected].
4.2. Disclosure for Legal and Regulatory Purposes
The Company may disclose "Personal Information" to competent authorities when required or authorized by law. This includes mandatory disclosures to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) under the PCMLTFA, reporting of suspicious or large cash transactions, regulatory examinations, and responses to law-enforcement inquiries, court orders, or other lawful requests. Disclosures may also occur in connection with tax, sanctions, or anti-terrorist financing obligations, or to establish, exercise, or defend legal claims. In all cases, disclosures are limited to the minimum information necessary to meet the specific legal purpose and are properly documented in accordance with recordkeeping requirements.
4.3. Internal and Intra-Group Sharing
Where the Company operates within a group structure or maintains affiliated entities, "Personal Information" may be shared internally for centralized operational support, compliance oversight, consolidated risk management, audit, or reporting functions. All such intra-group transfers are governed by internal privacy controls, confidentiality agreements, and—where relevant—Standard Contractual Clauses (SCCs) or equivalent contractual "Safeguards" to ensure consistent protection across jurisdictions.
4.4. Cross-Border Data Transfers
"Personal Information" may be transferred, processed, or stored outside of Canada, including in jurisdictions such as the European Union, for purposes of transaction processing, technology hosting, or compliance review. While such information may be subject to access by foreign authorities under applicable local laws, the Company ensures that contractual, technical, and organizational "Safeguards" are in place to provide a level of protection consistent with Canadian privacy principles and, where applicable, the requirements of the GDPR. Transfers outside Canada occur only when necessary for service delivery or regulatory compliance, and every effort is made to ensure that recipients adhere to equivalent privacy protections. "Individuals" may request further details on cross-border "Safeguards" or obtain copies of relevant contractual protections by contacting the "Privacy Officer".
4.5. Corporate Transactions
In the event of a merger, acquisition, reorganization, financing arrangement, or sale of assets, "Personal Information" may be transferred to a successor entity or acquiring party, provided that the receiving organization agrees to handle the information in a manner consistent with this Policy and applicable privacy legislation. Any such transfer will occur only where it is reasonably necessary for the continuation of business operations and subject to assurances of confidentiality and ongoing protection.
5. Cookies and Tracking Technologies
Our "Website" uses "Cookies" and similar technologies to provide secure access, improve functionality, personalize user experience, and analyze the performance of our online services. "Cookies" are small text files placed on your device when you visit our "Website". They allow us to recognize returning users, remember preferences, enhance navigation, and collect aggregated data about site usage patterns.
"Cookies" may be placed by the Company directly (""first-party cookies"") or by external service providers (""third-party cookies"") that deliver analytics, security, or performance functionality on our behalf. We ensure that any third-party service provider processing cookie data does so in accordance with applicable privacy and data-protection laws.
"Cookies" used on our "Website" fall into the following categories. Essential "Cookies" enable basic website operations such as page navigation, secure access, and service continuity; they are required for the site to function properly and cannot be disabled in our systems. Functional "Cookies" allow us to remember your preferences, including language selection and regional settings, and to enhance the overall user experience. Analytical "Cookies" collect aggregated and anonymized data to help us understand how users interact with our "Website" and to improve its structure, content, and performance; these "Cookies" are activated only when you "Consent". Marketing or targeting "Cookies", if used, are applied to deliver relevant content or advertisements based on your browsing behavior and preferences, and they also require your explicit "Consent".
When you first visit our "Website", you will be presented with a cookie banner that provides clear information about the categories of "Cookies" we use and allows you to accept, reject, or customize your preferences. You may withdraw or modify your "Consent" at any time by adjusting your browser settings or using the cookie management tool available on the "Website". Please note that disabling certain types of "Cookies" may affect the proper functioning of some website features.
Our use of "Cookies" complies with the requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Canada Anti-Spam Legislation (CASL). We do not use "Cookies" to collect sensitive "Personal Information", nor do we use them to track users across unrelated third-party websites.
6. Legal Basis for Processing Personal Information
The Company processes "Personal Information" only where there is a lawful and clearly defined basis for doing so. In Canada, the primary legal foundation for processing is meaningful "Consent" as required by the Personal Information Protection and Electronic Documents Act (PIPEDA). In specific situations, additional grounds under other applicable laws, such as the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), may also apply. For individuals located in the European Economic Area, processing is aligned with the lawful bases set out in Article 6 of the General Data Protection Regulation (GDPR).
We collect, use, and disclose "Personal Information" for the following lawful bases. "Consent" is obtained when you voluntarily provide your information for specific purposes, such as registering an account, submitting verification documents, or receiving communications about our services. "Consent" is considered meaningful when you understand the nature, purpose, and consequences of sharing your information. You may withdraw your "Consent" at any time, subject to contractual or legal restrictions, by contacting our "Privacy Officer". Withdrawal of "Consent" may affect our ability to provide certain services that rely on that information.
Processing may also occur for the performance of a contract when it is necessary to establish, manage, or fulfill the contractual relationship between you and the Company, including processing payments, executing money transfers, maintaining accounts, and performing verification checks. Processing based on legal obligation applies where the Company must collect, retain, or disclose information to comply with statutory or regulatory requirements, including obligations under AML, KYC, taxation, or recordkeeping laws. These activities are not subject to "Consent", as they are mandated by law.
We may process information under the basis of legitimate business interests where necessary to ensure system security, prevent fraud, manage risk, enhance service quality, or maintain operational integrity, provided that such interests do not override your privacy rights and expectations. In limited and exceptional circumstances, "Personal Information" may also be processed without "Consent" if required to protect an "Individual's" vital interests, such as in cases of suspected fraud, security "Breaches", or potential harm.
Under PIPEDA, "Consent" is not required when the collection, use, or disclosure of information is authorized or required by law, including for the purposes of detecting or preventing fraud, complying with subpoenas, responding to lawful government requests, or fulfilling mandatory regulatory reporting obligations. In such cases, processing is limited strictly to the extent necessary to achieve the lawful objective, and "Safeguards" are applied to ensure proportionality and accountability.
The Company ensures that all processing activities are fair, transparent, and proportionate to their purpose. No "Personal Information" is processed in a manner that would infringe upon the fundamental rights and freedoms of "Individuals". All collection, use, and disclosure of data are conducted in good faith, under clear legal authority, and in accordance with the principles of necessity and minimality.
7. Changes to This Privacy Policy
The Company may amend or update this Privacy Policy from time to time to reflect changes in applicable legislation, regulatory requirements, industry standards, or internal operational practices. Any modification will be made in good faith and in accordance with the transparency principles established under the Personal Information Protection and Electronic Documents Act (PIPEDA).
When updates are introduced, the revised version will be published on our "Website" with a clearly indicated "last updated" date. Where a change materially affects how we collect, use, or disclose "Personal Information", we will take reasonable steps to notify affected "Individuals" in advance through the "Website", by email to the address associated with your account, or by another appropriate communication method. In situations where the modification introduces a new purpose for processing or substantially alters an existing one, we will obtain fresh "Consent" before applying the change to your information.
We encourage all users to periodically review this Policy to remain informed about how we protect and handle "Personal Information". Your continued use of our "Website" or services following the publication of an updated version constitutes your acknowledgment and acceptance of the revised Policy, unless otherwise specified. The most current version available on our "Website" shall prevail and supersede any earlier versions of this document.
8. Contact Information
If you have any questions, concerns, or requests relating to this Privacy Policy, the way we collect or process "Personal Information", or your rights under applicable privacy legislation, you may contact our "Privacy Officer" using the details below. The "Privacy Officer" is responsible for overseeing the Company's compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), addressing "Individual" inquiries, and ensuring that all privacy-related matters are handled promptly and transparently.
Privacy Officer
ORION TRANSACT INC.
Email: [email protected]
We will review and respond to all written inquiries in a timely manner, generally within thirty days of receipt, as required by PIPEDA.
If you are not satisfied with our response or believe that your privacy rights have been infringed, you may contact the Office of the Privacy Commissioner of Canada (OPC) for further assistance or to file a formal complaint.
Office of the Privacy Commissioner of Canada (OPC)
Website: https://www.priv.gc.ca/
Telephone (Toll-free): 1-800-282-1376
Financial Transactions and Reports Analysis Centre of Canada (FINTRAC)
Website: https://www.fintrac-canafe.gc.ca/
Telephone (Toll-free): 1-866-346-8722
Email: [email protected]