Privacy Policy

Introduction

This Personal Information Protection Policy (the "Policy") establishes guidelines and procedures for FASTCAD SOLUTIONS LTD. (the "Company") to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation in Canada.

The purpose of this Policy is to:

• Outline how the Company collects, uses, discloses, and protects personal information
• Ensure compliance with PIPEDA's 10 fair information principles
• Establish clear procedures for managing personal information throughout its lifecycle
• Define roles and responsibilities for privacy compliance within the organization

Scope and Definitions

This Policy applies to:

• All personal information collected, used, or disclosed by the Company in the course of commercial activities
• All employees, contractors, and third-party service providers who handle personal information on behalf of the Company
• All customers, representatives, and beneficial owners whose personal information is processed by the Company

Key Definitions

"Personal information" means information about an identifiable individual, including but not limited to:

• Name, address, email, phone number
• Date of birth
• Government-issued identification information
• Financial information including transaction records
• Employment information
• IP address and device identifiers
• Photos and video recordings obtained during customer verification

"Privacy Officer" refers to the designated individual responsible for ensuring the Company's compliance with this Policy and applicable privacy laws. The Compliance Officer shall act as the Privacy Officer unless otherwise designated.

Privacy Principles

1. Accountability

The Company is responsible for personal information under its control and has designated a Privacy Officer accountable for the organization's compliance with this Policy.

Our Privacy Officer:

• Develops and maintains the Company's privacy policies and procedures
• Ensures staff receives appropriate privacy training
• Responds to privacy inquiries and complaints
• Conducts regular privacy impact assessments
• Reports privacy matters to Senior Management

Third-party service providers must provide contractual guarantees to maintain appropriate safeguards for personal information.

2. Identifying Purposes

The Company identifies the purposes for which personal information is collected at or before the time of collection.

The purposes for collecting personal information include:

• Verifying customer identity as required by AML/CTF regulations
• Facilitating virtual currency exchange transactions
• Screening transactions for suspicious activities
• Managing the customer relationship
• Complying with legal and regulatory requirements

3. Consent

The Company obtains meaningful consent for the collection, use, and disclosure of personal information.

• Express consent is obtained during the onboarding process
• Consent language is clear, accessible, and appropriate
• Customers have the right to withdraw consent, subject to legal or contractual restrictions
• Enhanced consent is obtained for any use beyond providing services (e.g., marketing)

4. Limiting Collection

The Company limits the collection of personal information to what is necessary for the identified purposes.

• We only collect personal information required to fulfill KYC/AML obligations, provide services, and comply with regulations
• We do not collect sensitive personal information unless required by law or necessary for service provision
• We regularly review data collection practices to ensure they remain necessary and proportionate

5. Limiting Use, Disclosure, and Retention

The Company does not use or disclose personal information for purposes other than those for which it was collected, except with consent or as required by law. Personal information is retained only as long as necessary for fulfillment of the stated purposes.

Retention periods:

• Customer identification information: 5 years after the termination of the business relationship
• Transaction records: 5 years from the transaction date
• Records of suspicious transaction reports: 5 years from the reporting date
• Other personal information: As required by applicable laws or for the purpose it was collected

6. Accuracy

The Company ensures that personal information is as accurate, complete, and up-to-date as necessary for the purposes for which it is used.

• We implement processes to verify the accuracy of personal information during collection
• We provide mechanisms for customers to update their personal information
• We regularly review and update personal information, particularly before making decisions based on it

7. Safeguards

The Company protects personal information with security safeguards appropriate to the sensitivity of the information.

Our safeguards include:

• Technical safeguards: Encryption, secure access controls, security updates, secure backups, and network monitoring
• Administrative safeguards: Privacy training, background checks, confidentiality agreements, need-to-know access, and regular assessments
• Physical safeguards: Secure facilities, visitor management, and secure disposal of records
• Third-party management: Security assessments of service providers and contractual privacy requirements

8. Openness

The Company makes information about its policies and practices relating to the management of personal information readily available.

• We publish a clear, accessible privacy policy on our website
• This policy includes contact information for the Privacy Officer, types of information collected, how information is used, and more
• We notify customers of changes to privacy practices

9. Individual Access

Upon request, the Company informs individuals of the existence, use, and disclosure of their personal information and gives them access to that information. Individuals can challenge the accuracy and completeness of the information and have it amended as appropriate.

• We respond to access requests within 30 days
• We provide information in a form that is generally understandable
• We verify the identity of individuals requesting access
• We correct inaccurate information when appropriate

10. Challenging Compliance

The Company has established procedures for receiving and responding to complaints or inquiries about its policies and practices relating to the handling of personal information.

• Our Privacy Officer is responsible for receiving and investigating privacy complaints
• We document all complaints received and actions taken
• We investigate all complaints thoroughly and take appropriate measures to resolve them
• We inform complainants of the outcome of investigations

Special Provisions for Virtual Currency Exchange Service

Collection During Onboarding

The Company collects personal information during the onboarding process through SumSub's software, including:

• First and last names
• Date of birth
• Employment information
• Place of residence
• Expected transaction volumes
• Real-time photos of identity documents
• Real-time photos of the customer (selfies)
• Documents proving address
• Evidence of source of wealth/funds
• Device ID and IP address

This information is processed in accordance with this Policy and PIPEDA requirements.

Transaction Monitoring and Screening

When monitoring transactions for AML/CTF purposes, the Company:

• Only collects and uses the personal information necessary for compliance purposes
• Retains records in accordance with legal requirements
• Ensures appropriate security measures for sensitive information
• Limits access to personal information to authorized personnel
• Provides clear information to customers about monitoring practices

Data Sharing with Third Parties

When sharing personal information with third parties, such as SumSub, the Company:

• Ensures appropriate contractual protections are in place
• Limits the information shared to what is necessary
• Verifies the third party maintains adequate security safeguards
• Obtains customer consent when required
• Documents all third-party data sharing arrangements

Data Breach Response

In the event of a privacy breach involving personal information, the Company will:

1. Contain the breach to prevent further unauthorized access
2. Assess the risks associated with the breach
3. Notify affected individuals if there is a risk of significant harm
4. Notify the Privacy Commissioner of Canada if appropriate
5. Notify other organizations that may help reduce the risk of harm
6. Take steps to prevent future breaches

Contact Information

For questions or concerns about our privacy practices, please contact our Privacy Officer:

FASTCAD SOLUTIONS LTD.
Attention: Privacy Officer
142 757 West Hastings Street
Vancouver, BC V6C 1A1, Canada
Email: info@fastcad.org

Policy Updates

This Policy is reviewed by Senior Management as needed (e.g., before start of provision of a new service or change in services already being provided). We will notify customers of material changes to this policy.

Effective Date: February, 2025

Next Review Date: January, 2026