================================================================================
PRIVACY NOTICE — PAREX FINANCE INC.
Text for publication at parex.finance/privacy
Style aligned with the existing Terms of Service (Tilda)
Prepared on: 27 April 2026
================================================================================
INSTRUCTIONS FOR THE WEBMASTER:
- Create a new /privacy page in the same style as /terms
- Header modelled on Terms: "Legal" → H1 "Privacy Notice" → descriptive subtitle
- Effective date / Last updated / Version: same as in Terms
- Table of contents with anchor links to the 14 sections
- Body: H2 for sections, H3 for subsections, definition lists for definitions
- In the footer, add a link: "Privacy Notice" next to "Terms of Service"
- In the home page navigation, preferably add "Privacy" (optional)
================================================================================
PAGE METADATA
================================================================================
Site section: Legal
H1: Privacy Notice
Description under H1: How Parex Finance Inc. collects, uses, and protects
personal information — for website visitors, business
contacts, and Merchants.
Effective date: 1 March 2026
Last updated: 1 March 2026
Version: 1.0
================================================================================
TABLE OF CONTENTS (for anchor navigation)
================================================================================
1. Who we are
2. Scope of this Notice
3. Personal information we collect
4. How we use personal information
5. Legal bases for processing
6. How we share personal information
7. International data transfers
8. Data retention
9. Data security
10. Your rights
11. Cookies and similar technologies
12. Children's data
13. Automated decision-making
14. Changes to this Notice
15. How to contact us and lodge complaints
================================================================================
INTRODUCTORY PARAGRAPH (below the Table of Contents, before Section 1)
================================================================================
This Privacy Notice (the "Notice") explains how Parex Finance Inc.
("Parex", "we", "us") collects, uses, discloses, and protects personal
information when you interact with our website, communicate with us, or
receive our services.
We respect your privacy and are committed to handling personal information
in accordance with applicable data-protection laws, including the Canadian
Personal Information Protection and Electronic Documents Act (PIPEDA),
the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"),
and the United Kingdom General Data Protection Regulation as incorporated
into the laws of England, Wales, Scotland and Northern Ireland ("UK GDPR").
This Notice should be read together with our Terms of Service.
================================================================================
1. WHO WE ARE
================================================================================
The data controller responsible for personal information processed under
this Notice is:
Parex Finance Inc.
1907 Baseline Road, Unit 104
Ottawa, Ontario, K2C 0C7
Canada
Ontario Corporation No.: 1001302786
Business Number: 78157 9032
FINTRAC MSB Licence: C10001707
We have appointed a Data Protection Officer ("DPO") who oversees compliance
with this Notice and applicable data-protection laws. Our DPO can be reached
at privacy@parex.finance.
================================================================================
2. SCOPE OF THIS NOTICE
================================================================================
This Notice applies to personal information we process in the following
contexts:
* visitors to our website at parex.finance and any related domains we
operate;
* prospective merchants and business contacts who reach out to us, attend
our meetings, or exchange commercial correspondence with us;
* merchants who enter into a Merchant Agreement with us, together with
their directors, ultimate beneficial owners, authorised representatives,
and other individuals associated with merchant entities;
* individuals whose personal information we process incidentally in the
course of providing our services (for example, cardholders whose payment
data flows through transactions we process, where we act as a processor
on behalf of a merchant or acquirer).
This Notice does not apply to personal information processed by third
parties whose websites we may link to or who provide services to our
merchants under separate agreements.
================================================================================
3. PERSONAL INFORMATION WE COLLECT
================================================================================
We collect the following categories of personal information, depending on
how you interact with us.
3.1. Information you provide directly
When you contact us, request onboarding, or correspond with us, you may
provide:
* identification data — full name, date of birth, nationality, government-
issued identification numbers (passport, national ID, tax ID);
* contact data — email address, telephone number, business address,
residential address;
* professional data — job title, employer, role within the merchant entity,
ownership percentage, source of funds and source of wealth declarations;
* commercial data — information about your business, products, target
markets, expected transaction volumes, and counterparty relationships;
* communications — content of emails, messages, calls, and meeting notes
exchanged with our team.
3.2. Information collected automatically
When you visit our website, we automatically collect limited technical
information through our hosting provider:
* server-log data — IP address, browser type and version, operating system,
pages visited, timestamps, and referring URLs;
* device data — screen resolution, language settings, and similar device
characteristics.
3.3. Information from third parties
In the course of providing our services and meeting our regulatory
obligations, we may obtain personal information from:
* identity-verification, sanctions-screening, and politically-exposed-
persons (PEP) databases, where required for KYC, KYB and AML compliance;
* credit-reference agencies and corporate registries (such as the Ontario
Business Registry, FINTRAC's MSB registry, and equivalent authorities in
other jurisdictions);
* card schemes, acquirers, and banking partners with whom we cooperate to
deliver the services;
* law-enforcement and regulatory authorities, where they make formal
requests pursuant to applicable law.
3.4. Sensitive personal information
We do not knowingly collect special categories of personal data (such as
data revealing racial or ethnic origin, political opinions, religious
beliefs, trade-union membership, genetic or biometric data, health data,
or data concerning sex life or sexual orientation), except where strictly
necessary for legal-compliance obligations and where you have provided
your explicit consent or another lawful basis applies under applicable law.
================================================================================
4. HOW WE USE PERSONAL INFORMATION
================================================================================
We use personal information for the following purposes:
* responding to enquiries and managing communications with you;
* assessing and onboarding prospective merchants, including KYB, KYC,
source-of-funds, source-of-wealth, and beneficial-ownership checks;
* providing the services described in our Terms of Service, including
transaction processing, settlement, reserve management, and (from
Q2 2026) crypto on-ramp and off-ramp services;
* meeting our regulatory obligations under the Canadian Proceeds of Crime
(Money Laundering) and Terrorist Financing Act (PCMLTFA), FINTRAC
guidance, the Retail Payment Activities Act, sanctions regimes, and
equivalent legislation in jurisdictions where we operate;
* preventing, detecting, and investigating fraud, money laundering,
terrorist financing, sanctions violations, and other financial crime;
* monitoring transactions and applying risk controls;
* maintaining records, auditing, and managing complaints and disputes;
* defending our legal rights, including in connection with litigation,
arbitration, regulatory proceedings, or insolvency;
* improving our website, services, and security posture;
* sending operational and service-related communications.
We do not use personal information for direct marketing without an
appropriate lawful basis. If you provide your business email to us, we may
contact you in a business-to-business capacity in connection with the
service you have requested.
================================================================================
5. LEGAL BASES FOR PROCESSING (GDPR / UK GDPR)
================================================================================
Where the GDPR or UK GDPR applies, we rely on the following lawful bases
under Article 6:
* (a) Consent — where you have given clear consent for us to process your
personal information for a specific purpose. You may withdraw consent at
any time;
* (b) Contract — where processing is necessary to take steps prior to
entering into a contract with you, or to perform a contract to which you
are a party;
* (c) Legal obligation — where processing is necessary to comply with a
legal obligation to which we are subject, including AML/CTF, sanctions,
tax, accounting, and financial-services regulation;
* (f) Legitimate interests — where processing is necessary for our
legitimate interests or those of a third party, provided your interests
and fundamental rights do not override those interests. We rely on
legitimate interests for activities such as fraud prevention, network
and information security, defending legal claims, and improving our
services.
For PIPEDA-governed processing, we collect, use, and disclose personal
information with consent, except where the law authorises us to do so
without consent (for example, in response to law-enforcement requests,
to detect or prevent fraud, or to comply with a court order).
================================================================================
6. HOW WE SHARE PERSONAL INFORMATION
================================================================================
We share personal information only as necessary, with the following
categories of recipients:
* group entities — companies under common ownership or control, where
required for service provision, group-level risk management, and
regulatory reporting;
* service providers and processors — IT-hosting providers, software
vendors, identity-verification providers, sanctions-screening providers,
professional advisers (lawyers, auditors, tax advisers), and similar
third parties who process personal information on our behalf and under
our written instructions;
* banking and payment partners — acquirers, card schemes, settlement
banks, and other financial institutions involved in delivering the
services;
* regulators and authorities — FINTRAC, the Office of the Superintendent
of Financial Institutions (OSFI), the Bank of Canada, equivalent
authorities in other jurisdictions, tax authorities, law-enforcement
agencies, and courts, where required by law or regulation;
* successors — in the event of a merger, acquisition, reorganisation, or
sale of all or part of our business, we may transfer personal
information to the relevant successor entity, subject to confidentiality
protections.
We do not sell personal information.
Our website is hosted by Tilda Publishing UAB (Lithuania), which acts as
our data processor in respect of website server logs and similar technical
data. The processor operates under a written data-processing agreement
that meets the requirements of Article 28 GDPR.
================================================================================
7. INTERNATIONAL DATA TRANSFERS
================================================================================
Personal information we process may be transferred to, stored in, or
accessed from countries outside Canada, the European Economic Area (EEA),
or the United Kingdom, including jurisdictions whose data-protection laws
may differ from those of your country of residence.
Where we transfer personal information from the EEA, the United Kingdom,
or another jurisdiction with cross-border-transfer rules, we put in place
appropriate safeguards, which may include:
* transfers to jurisdictions deemed adequate by the European Commission,
the UK government, or — for transfers from Canada — recognised by the
Office of the Privacy Commissioner of Canada (Canada itself benefits
from an EU adequacy decision in respect of commercial data);
* Standard Contractual Clauses approved by the European Commission or the
UK International Data Transfer Agreement / Addendum;
* binding corporate rules, where applicable;
* other lawful transfer mechanisms permitted under applicable law.
You may request a copy of the safeguards we apply to a specific transfer
by contacting our DPO.
================================================================================
8. DATA RETENTION
================================================================================
We retain personal information only for as long as necessary to fulfil the
purposes for which it was collected, including to comply with legal,
regulatory, accounting, and reporting obligations, and to defend legal
claims.
Indicative retention periods:
* website server-log data: up to 12 months;
* business correspondence and enquiry records: up to 5 years from last
contact;
* merchant onboarding records (KYB, KYC, beneficial ownership, source of
funds and wealth): a minimum of 5 years following the end of the business
relationship, in line with the PCMLTFA and equivalent AML regimes;
* transaction records: a minimum of 5 years following the date of the
transaction, or longer where required by law;
* records relating to suspicious-transaction reports, sanctions screening,
and similar compliance activities: as required by applicable law and
regulator guidance;
* records subject to active or anticipated litigation, arbitration, or
regulatory proceedings: for the duration of those proceedings plus any
applicable appeal or limitation period.
When personal information is no longer required, we securely delete or
anonymise it.
================================================================================
9. DATA SECURITY
================================================================================
We implement and maintain appropriate technical and organisational measures
to protect personal information against unauthorised or unlawful access,
loss, alteration, disclosure, or destruction. These measures include:
* role-based access controls and the principle of least privilege;
* encryption of data in transit and, where appropriate, at rest;
* multi-factor authentication for systems handling personal information;
* logging, monitoring, and incident-response procedures;
* contractual security obligations imposed on processors and partners;
* periodic review and testing of our security posture.
Despite these measures, no information system can be guaranteed to be
completely secure. In the event of a personal-data breach that is likely
to result in a risk to the rights and freedoms of affected individuals,
we will notify the relevant supervisory authority and, where required,
the affected individuals, in accordance with applicable law.
================================================================================
10. YOUR RIGHTS
================================================================================
10.1. Rights under the GDPR and UK GDPR
If you are located in the EEA or the United Kingdom, you have the
following rights, subject to applicable conditions and exceptions:
* Right of access — to obtain confirmation of whether we process your
personal information and, if so, a copy of that information;
* Right to rectification — to correct inaccurate or incomplete information;
* Right to erasure ("right to be forgotten") — to request deletion in
certain circumstances;
* Right to restriction — to request that we restrict processing in
certain circumstances;
* Right to data portability — to receive certain personal information in
a structured, commonly used, and machine-readable format;
* Right to object — to object to processing based on legitimate interests
or for direct-marketing purposes;
* Right not to be subject to automated decision-making — including
profiling that produces legal or similarly significant effects;
* Right to withdraw consent — at any time, where processing is based on
consent;
* Right to lodge a complaint — with a supervisory authority (see Section
15).
10.2. Rights under PIPEDA (Canada)
If you are located in Canada, you have the right to:
* access the personal information we hold about you;
* request the correction of inaccurate or incomplete information;
* withdraw consent, subject to legal or contractual restrictions and
reasonable notice;
* file a complaint with the Office of the Privacy Commissioner of Canada
(see Section 15).
10.3. How to exercise your rights
To exercise any of these rights, please contact our DPO using the details
in Section 15. We will respond within the time frame required by
applicable law (generally one month under the GDPR / UK GDPR; thirty days
under PIPEDA, with possible extensions where permitted).
We may need to verify your identity before responding to a request, in
order to protect your information from unauthorised disclosure.
================================================================================
11. COOKIES AND SIMILAR TECHNOLOGIES
================================================================================
Our website uses a limited number of cookies and similar technologies
provided by our hosting platform (Tilda Publishing UAB) for the following
purposes:
* strictly necessary cookies — required for the website to function
correctly, including basic navigation and security;
* preference cookies — to remember choices such as language settings.
We do not currently use advertising cookies, third-party analytics
cookies, or social-media tracking pixels.
You can control cookies through your browser settings, including blocking
or deleting cookies. Disabling strictly necessary cookies may affect the
functionality of the website.
If we introduce additional cookie technologies in the future (for example,
analytics or marketing cookies), we will update this Notice and, where
required by law, obtain your prior consent through a cookie-consent banner.
================================================================================
12. CHILDREN'S DATA
================================================================================
Our services are directed exclusively at businesses and individuals of
full legal capacity acting for business purposes. We do not knowingly
collect personal information from children under the age of 18. If you
become aware that a child has provided us with personal information,
please contact us and we will take reasonable steps to delete it.
================================================================================
13. AUTOMATED DECISION-MAKING
================================================================================
In the course of meeting our regulatory obligations, we may use automated
tools to support sanctions screening, transaction monitoring, and fraud
detection. Where such tools flag a result for further review, decisions
are not made solely on the basis of automated processing — they are
reviewed by qualified personnel before any action affecting an individual
is taken.
If a decision producing legal or similarly significant effects is taken
solely by automated means in respect of you, you have the right to
request human intervention, to express your point of view, and to contest
the decision, in accordance with Article 22 GDPR / UK GDPR.
================================================================================
14. CHANGES TO THIS NOTICE
================================================================================
We may update this Notice from time to time to reflect changes in our
operations, the services we offer, or applicable law. The "Last updated"
date at the top of this Notice indicates when it was most recently
revised.
Where changes are material, we will take reasonable steps to bring them
to your attention, including by posting a prominent notice on our website
or, where appropriate, by direct communication.
================================================================================
15. HOW TO CONTACT US AND LODGE COMPLAINTS
================================================================================
For any question, request, or complaint relating to this Notice or the
processing of your personal information, please contact our DPO:
Parex Finance Inc. — Data Protection Officer
Email: privacy@parex.finance
Address: 1907 Baseline Road, Unit 104,
Ottawa, Ontario, K2C 0C7, Canada
We will acknowledge your enquiry and respond within the time frame
required by applicable law.
If you are not satisfied with our response, you have the right to lodge
a complaint with a supervisory authority:
* in Canada — the Office of the Privacy Commissioner of Canada (OPC):
www.priv.gc.ca;
* in the European Economic Area — the data-protection authority of the
EU member state where you reside, where you work, or where the alleged
infringement took place. A list of authorities is available at
edpb.europa.eu;
* in the United Kingdom — the Information Commissioner's Office (ICO):
www.ico.org.uk.
We would, however, appreciate the opportunity to address your concerns
directly before you approach a supervisory authority.
================================================================================
END OF PRIVACY NOTICE TEXT
================================================================================
================================================================================
ADDITIONAL ACTIONS AFTER PUBLICATION
================================================================================
[ ] Create the email alias privacy@parex.finance, forwarding to the
shared compliance inbox or a designated internal person
[ ] Update the site footer: add a "Privacy Notice" link next to
"Terms of Service"
[ ] In the home page navigation (optional): add a "Privacy" item
[ ] Record the DPO appointment internally, by a written director's
resolution or a company order. This is needed for the GDPR Art. 37
evidence trail. The DPO's name is not stated in the public Privacy Notice;
the public contact remains privacy@parex.finance.
[ ] Create a minimal Records of Processing Activities (RoPA) under
GDPR Art. 30, a simple table: processing purpose, data categories,
categories of data subjects, recipients, retention. Keep it internal.
[ ] Sign a DPA (Data Processing Agreement) with Tilda Publishing UAB,
if not already signed. Tilda usually provides a template on request.
[ ] Section 11 of the Terms of Service: synchronise the reference to the
Privacy Notice. It currently reads "is further described in our Privacy
Notice", which is correct, but it should be made a hyperlink to /privacy.
================================================================================
END OF DOCUMENT
================================================================================