Privacy Policy

1. INTRODUCTION

1.1 Our Commitment to Privacy

Unicorn Currencies Limited (Canada) and Unicorn Currencies Ltd (United Kingdom) (collectively "Unicorn", "we", "us", or "our") are committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, store, and protect your personal data when you use our foreign exchange and payment services.

1.2 Scope of This Policy

This Privacy Policy applies to all personal data processed by Unicorn in connection with:

• (a) Our website at www.unicorncurrencies.com (the "Website");
• (b) Our foreign exchange, payment processing, and treasury management services (the "Services");
• (c) Client onboarding, account management, and ongoing relationship activities;
• (d) All communications between you and Unicorn.

1.3 Regulatory Framework

Unicorn operates across multiple jurisdictions and complies with applicable data protection laws including:

• (a) UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 for clients of Unicorn Currencies Ltd (UK);
• (b) Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation for clients of Unicorn Currencies Limited (Canada);
• (c) European Union General Data Protection Regulation (EU GDPR) where applicable to EU residents.

1.4 Data Controllers

For the purposes of data protection law:

• (a) Unicorn Currencies Limited (British Columbia, Canada; Incorporation No: BC1473865; registered address: 5577 153A Street, Suite 207, Surrey, V3S 5K7, British Columbia, Canada) is the data controller for Canadian and US clients.
• (b) Unicorn Currencies Ltd (England & Wales; Registration No: 14325478; registered address: 4th Floor, Silverstream House, Fitzroy Street, London, W1T 6EB, United Kingdom; ICO Registration No: ZB534346) is the data controller for UK, EU, and Rest of World clients.

2. WHAT PERSONAL DATA WE COLLECT

2.1 Categories of Personal Data

We collect and process the following categories of personal data:

2.1.1 Identity Information

• Full legal name (including previous names); date of birth; gender; nationality and country of residence;
• Government-issued identification numbers (passport, driver's license, national insurance, social insurance, tax ID);
• Copies of identity documents; photographs and biometric data (where required); digital identity verification results.

2.1.2 Contact Information

• Residential and business address, proof of address; email address(es); telephone number(s); preferred communication channels and language.

2.1.3 Financial Information

• Bank account details (account number, sort code, IBAN, SWIFT/BIC); payment card information (where applicable); transaction history; source of funds and source of wealth; income and employment; expected transaction volumes; credit history (where applicable).

2.1.4 Business Information (Corporate Clients)

• Company registration details; business activities; corporate structure and ownership; beneficial ownership; directors, officers, authorized signatories; financial statements; professional and trade references.

2.1.5 Device and Technical Information

• IP address and geolocation; browser and OS; device identifiers; login credentials; cookies and tracking (see Section 10); website usage data; application logs.

2.1.6 Communications and Support Data

• Records of correspondence; call recordings; survey responses; social media interactions.

2.1.7 Compliance and Risk Data

• Sanctions screening results; PEP status; adverse media; EDD reports; suspicious activity monitoring; regulatory reports; litigation and insolvency records (where relevant).

2.2 Special Categories of Personal Data

In limited circumstances we may process special categories (e.g. biometric data for identity verification; criminal convictions/offences for AML/sanctions). We process such data only where legally permitted and necessary for compliance or with your explicit consent where required.

2.3 Children's Data

Our Services are not intended for individuals under 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will take steps to delete it promptly.

3. HOW WE COLLECT PERSONAL DATA

3.1 Information You Provide Directly

We collect personal data when you: register or apply for Services; complete KYC/KYB; submit documents for verification; execute transactions or payment instructions; contact support; subscribe to marketing; participate in surveys or events; provide feedback.

3.2 Information We Collect Automatically

We automatically collect: technical information about your device and connection; usage data via cookies; geolocation (with consent where required); transaction metadata and timestamps.

3.3 Information from Third-Party Sources

We collect from: Identity Verification Providers (e.g. Onfido, Jumio, Trulioo, GB Group); Credit Reference Agencies (Equifax, Experian, TransUnion); Sanctions and PEP Screening Providers (e.g. Dow Jones, World-Check, ComplyAdvantage); Banking Partners and Payment Networks; Corporate Registry Databases (Companies House, BC Corporate Registry); Publicly Available Sources; Referral Partners and Introducers.

4. WHY WE USE YOUR PERSONAL DATA (LEGAL BASIS AND PURPOSES)

4.1 Legal Bases for Processing

4.1.1 Contractual Necessity: To perform our contract (Master Services Agreement) or take steps at your request—account opening and maintenance; executing FX and payments; customer support; processing instructions.

4.1.2 Legal Obligation: AML/CTF (Proceeds of Crime Act Canada, Money Laundering Regulations 2017 UK); KYC and CDD (FINTRAC, FCA); sanctions (OFAC, OFSI, UN, EU); SAR/STR to FIUs; record-keeping; tax reporting (CRS, FATCA); responding to lawful requests from authorities.

4.1.3 Legitimate Interests: Fraud prevention and security; risk management; service improvement; business analytics; direct marketing (subject to opt-out); operational efficiency; legal claims.

4.1.4 Consent: Special categories where not otherwise permitted; marketing where required; certain cookies; international transfers where consent is the mechanism. You may withdraw consent at any time.

4.2 Purposes of Processing

We use your data for: Account Management and Service Delivery (verification, account opening, transactions, payments, hedging, treasury services, support); Compliance and Regulatory (KYC/KYB, CDD/EDD, sanctions screening, monitoring, SAR/STR, regulatory inquiries, audit trails, CRS/FATCA); Fraud Prevention and Security; Business Operations and Partnerships; Marketing and Communications (subject to opt-out); Legal and Dispute Resolution.

5. WHO WE SHARE YOUR PERSONAL DATA WITH (DATA DISCLOSURE)

5.1 Disclosure to Third Parties

We share data only to the extent necessary for the purposes in this Policy.

5.1.1 Banking Partners and Payment Service Providers: Authorized Partners (FCA-regulated PI/EMI); Correspondent Banks; Beneficiary Banks; Payment Networks (SWIFT, SEPA, etc.); Safeguarding Account Banks. Data shared: name, DOB, address, account numbers, transaction details. Legal basis: contractual necessity and legitimate interests.

5.1.2 Regulatory Bodies and Government Authorities: FINTRAC, NCA, FCA, CRA, HMRC, OFAC, OFSI, law enforcement, courts. We are legally prohibited from informing you when we file a SAR/STR or disclose pursuant to certain legal processes.

5.1.3 Identity Verification and Compliance Vendors: Onfido, Jumio, Trulioo, Dow Jones, Refinitiv World-Check, ComplyAdvantage, credit reference agencies, fraud prevention services. They act as data processors under our instructions.

5.1.4 Technology and Service Providers: Cloud (AWS, Azure, GCP), CRM, communication platforms, analytics, security—bound by DPAs.

5.1.5 Professional Advisors and Auditors: Legal, accounting, audit, tax, insurance—bound by confidentiality.

5.1.6 Referral Partners: Limited info (e.g. account opened, aggregated volumes). We do NOT share detailed transaction data without explicit consent. You may opt out.

5.1.7 Business Transfers: In merger, acquisition, or sale of assets, data may transfer to successor; we will notify and ensure equivalent protections.

5.2 No Sale of Personal Data

We do NOT sell your personal data. Any sharing is limited to this Policy and subject to contractual and legal safeguards.

5.3 Your Rights Regarding Data Sharing

Under GDPR you have the right to object to processing based on legitimate interests. Where we rely on legitimate interests for sharing (e.g. fraud prevention, marketing), you may object and we will cease unless we demonstrate compelling legitimate grounds or need for legal claims.

6. HOW WE PROTECT YOUR PERSONAL DATA (SECURITY MEASURES)

6.1 We implement technical and organizational measures to protect against unauthorized access, disclosure, alteration, or loss.

6.2 Technical: Encryption at rest (AES-256); encryption in transit (TLS 1.2+); role-based access controls; MFA for admin access; firewall and intrusion detection; regular security audits; secure development; pseudonymization/anonymization where feasible.

6.3 Organizational: Employee training; confidentiality agreements; background checks where permitted; incident response plan; vendor management; physical security.

6.4 Data Breach: We will notify the relevant supervisory authority (ICO UK, Privacy Commissioner Canada) within 72 hours where there is a risk to rights and freedoms, and notify affected individuals without undue delay where high risk.

6.5 Your Responsibilities: Maintain confidentiality of credentials; use strong passwords and MFA; notify us of suspected unauthorized access; keep contact details up to date; do not share account access.

7. INTERNATIONAL DATA TRANSFERS

Personal data may be transferred to jurisdictions outside your country, including between Canada and UK for operations; to the US (many tech and verification providers); and to other jurisdictions where partners operate. Where we transfer outside EEA/UK to countries without adequacy, we use Standard Contractual Clauses (SCCs), UK IDTA, and supplementary measures. Canada has EU adequacy under PIPEDA. US providers may be subject to US government access (e.g. FISA 702); we mitigate via encryption and contractual restrictions but cannot eliminate this risk. You may object (Section 8), but transfers are often necessary to provide Services.

8. YOUR PRIVACY RIGHTS

8.1 Overview of Rights

Right of Access (GDPR Art. 15, PIPEDA): Confirmation of processing; access and copy; information on purposes, recipients, retention, rights. Submit SAR to privacy@unicorncurrencies.com. Response within one month (GDPR) or 30 days (PIPEDA). Access may be restricted where disclosure would affect others' rights, reveal trade secrets, or is prohibited by law (e.g. we cannot disclose that a SAR/STR was filed).

Right to Rectification (GDPR Art. 16, PIPEDA): Correct inaccurate or incomplete data.

Right to Erasure / "Right to be Forgotten" (GDPR Art. 17): Request deletion in certain circumstances. CRITICAL LIMITATION: We are legally obligated to retain financial records, transaction data, and KYC/KYB for a minimum of seven (7) years from account closure or last transaction under Canadian and UK AML/CTF law. This overrides the right to erasure under GDPR Art. 17(3)(b) and (e). During retention we restrict processing to storage and legal compliance only. After 7 years we permanently delete unless ongoing legal claims require retention.

Right to Restriction of Processing (GDPR Art. 18): Request restriction where accuracy contested, processing unlawful, we no longer need data but you need for claims, or you have objected pending verification.

Right to Data Portability (GDPR Art. 20): Receive data you provided in structured, machine-readable format and transmit to another controller. Applies to data processed by automated means under contract or consent.

Right to Object (GDPR Art. 21, PIPEDA): Object to processing based on legitimate interests; we cease unless compelling grounds or legal claims. Absolute right to object to direct marketing—we cease immediately. Right to object to automated decision-making and request human review.

Right to Withdraw Consent (GDPR Art. 7(3), PIPEDA): Withdraw consent at any time; does not affect lawfulness of prior processing. Withdrawal may limit our ability to provide Services.

Right to Lodge a Complaint (GDPR Art. 77): Lodge a complaint with a supervisory authority. UK: ICO — https://ico.org.uk, casework@ico.org.uk, 0303 123 1113. Canada: Office of the Privacy Commissioner — https://www.priv.gc.ca, info@priv.gc.ca, 1-800-282-1376. EU: Your local DPA (edpb.europa.eu).

8.2 How to Exercise Your Rights

Email privacy@unicorncurrencies.com. Or write: UK: Data Protection Officer, Unicorn Currencies Ltd, 4th Floor, Silverstream House, Fitzroy Street, London W1T 6EB, UK. Canada: Privacy Officer, Unicorn Currencies Limited, 5577 153A Street, Suite 207, Surrey, V3S 5K7, BC, Canada. Include name, contact details, account details (if any), specific right, description, and proof of identity.

8.3 Response Timeframes

One month (GDPR) or 30 days (PIPEDA); extendable for complex requests with notice.

8.4 Fees

No fee unless request is manifestly unfounded or excessive, or you request additional copies beyond the first.

9. DATA RETENTION

We retain data only as long as necessary for the purposes, legal obligations, disputes, and agreements. Active clients: all data necessary for Services. Financial records: minimum 7 years from account closure or last transaction (identity docs, KYC/KYB, transactions, due diligence, source of funds, beneficial ownership, correspondence, sanctions results, SAR/STR records). Marketing opt-outs: retained indefinitely to honor choices. Website/analytics: server logs 12–24 months; anonymized analytics may be retained longer. Support records: 3 years; call recordings 6–12 months (or 7 years if transaction-related). Legal claims: retained until resolved. After retention we permanently delete or anonymize. Archived data for corporate recordkeeping may be retained in restricted, encrypted archives.

10. COOKIES AND TRACKING TECHNOLOGIES

10.1 Cookies are small text files placed on your device. We use them for functionality, analytics, and (with consent) marketing.

10.2 Types: Strictly Necessary—essential for the Website (session, auth, load balancing); exempt from consent. Performance/Analytics—how visitors use the site (e.g. Google Analytics); consent or legitimate interests; opt-out via cookie banner or browser. Functionality—preferences (language, region). Marketing/Advertising—targeting and measurement; consent required; opt-out via banner, browser, or NAI/ DAA tools.

10.3 Third-party cookies: Embedded content (e.g. videos, social plugins) may set their own cookies; see Google, LinkedIn, Facebook privacy policies.

10.4 Managing cookies: Cookie consent banner; browser settings (Chrome, Firefox, Safari, Edge); industry opt-out (e.g. networkadvertising.org/choices, youradchoices.com). Blocking necessary cookies may impair functionality.

10.5 Do Not Track: Our Website does not currently respond to DNT signals (no industry standard).

11. AUTOMATED DECISION-MAKING AND PROFILING

We use automated systems for credit risk, fraud detection, sanctions screening, and transaction monitoring. We do not make solely automated decisions with significant effects without human oversight. All automated assessments are reviewed by personnel before final decisions on account approval, credit limits, suspension/termination, or SAR/STR. You have the right to human intervention, to express your view, and to contest. Contact us (Section 13) to exercise.

12. CHANGES TO THIS PRIVACY POLICY

We may update this Policy. The "Last Updated" date indicates the last revision. For material changes we will give prominent notice (Website, email, or acceptance on next login) and at least 30 days where practicable. Continued use after the effective date constitutes acceptance. If you do not agree, cease using the Services and you may close your account. Version history available on request.

14. GLOSSARY OF TERMS

AML/CTF

Anti-Money Laundering / Counter-Terrorist Financing

CDD

Customer Due Diligence

CRS

Common Reporting Standard (automatic exchange of financial account information for tax purposes)

Data Controller

Entity that determines the purposes and means of processing personal data

Data Processor

Entity that processes personal data on behalf of a data controller

EDD

Enhanced Due Diligence

FATCA

Foreign Account Tax Compliance Act

FCA

Financial Conduct Authority (UK)

FINTRAC

Financial Transactions and Reports Analysis Centre of Canada

GDPR

General Data Protection Regulation

KYB

Know Your Business

KYC

Know Your Customer

NCA

National Crime Agency (UK Financial Intelligence Unit)

PEP

Politically Exposed Person

PIPEDA

Personal Information Protection and Electronic Documents Act (Canada)

SAR/STR

Suspicious Activity Report / Suspicious Transaction Report

SWIFT

Society for Worldwide Interbank Financial Telecommunication

© 2022 - 2025 Unicorn Currencies. All rights reserved.