Privacy Policy
Last Updated: December 1, 2025
1. INTRODUCTION
1.1 Our Commitment to Privacy
Unicorn Currencies Limited (Canada) and Unicorn Currencies Ltd (United Kingdom) (collectively "Unicorn", "we", "us", or "our") are committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, store, and protect your personal data when you use our foreign exchange and payment services.
1.2 Scope of This Policy
This Privacy Policy applies to all personal data processed by Unicorn in connection with:
(a) Our website at www.unicorncurrencies.com (the "Website");
(b) Our foreign exchange, payment processing, and treasury management services (the "Services");
(c) Client onboarding, account management, and ongoing relationship activities;
(d) All communications between you and Unicorn.
1.3 Regulatory Framework
Unicorn operates across multiple jurisdictions and complies with applicable data protection laws including:
(a) UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 for clients of Unicorn Currencies Ltd (UK);
(b) Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation for clients of Unicorn Currencies Limited (Canada);
(c) European Union General Data Protection Regulation (EU GDPR) where applicable to EU residents.
1.4 Data Controllers
For the purposes of data protection law:
(a) Unicorn Currencies Limited (British Columbia, Canada; Incorporation No: BC1473865; registered address: 5577 153A Street, Suite 207, Surrey, V3S 5K7, British Columbia, Canada) is the data controller for Canadian and US clients.
(b) Unicorn Currencies Ltd (England & Wales; Registration No: 14325478; registered address: 4th Floor, Silverstream House, Fitzroy Street, London, W1T 6EB, United Kingdom; ICO Registration No: ZB534346) is the data controller for UK, EU, and Rest of World clients.
2. WHAT PERSONAL DATA WE COLLECT
2.1 Categories of Personal Data
We collect and process the following categories of personal data:
2.1.1 Identity Information
(a) Full legal name (including previous names);
(b) Date of birth;
(c) Gender;
(d) Nationality and country of residence;
(e) Government-issued identification numbers (passport number, driver's license number, national insurance number, social insurance number, tax identification number);
(f) Copies of identity documents (passport, driver's license, national ID card);
(g) Photographs and biometric data (where required for identity verification);
(h) Digital identity verification results from third-party providers.
2.1.2 Contact Information
(a) Residential address and proof of address documents (utility bills, bank statements);
(b) Business address (for corporate clients);
(c) Email address(es);
(d) Telephone number(s) (mobile and landline);
(e) Preferred communication channels and language.
2.1.3 Financial Information
(a) Bank account details (account number, sort code, IBAN, SWIFT/BIC code);
(b) Payment card information (where applicable);
(c) Transaction history (amounts, currencies, beneficiary details, purpose of payments);
(d) Source of funds and source of wealth information;
(e) Income and employment information;
(f) Expected transaction volumes and patterns;
(g) Credit history and references (where applicable for credit products).
2.1.4 Business Information (Corporate Clients)
(a) Company registration details (incorporation number, registered address, jurisdiction);
(b) Business activities and nature of business;
(c) Corporate structure and ownership information;
(d) Beneficial ownership details (names, addresses, ownership percentages of ultimate beneficial owners);
(e) Directors, officers, and authorized signatories information;
(f) Financial statements and business documentation;
(g) Professional references and trade references.
2.1.5 Device and Technical Information
(a) IP address and geolocation data;
(b) Browser type, version, and operating system;
(c) Device identifiers (unique device ID, advertising ID);
(d) Login credentials and authentication data;
(e) Cookies and similar tracking technologies (see Section 10);
(f) Website usage data (pages visited, time spent, clickstream data);
(g) Application logs and error reports.
2.1.6 Communications and Support Data
(a) Records of correspondence (emails, live chat transcripts, letters);
(b) Telephone call recordings (customer service and transaction execution calls);
(c) Survey responses and feedback;
(d) Social media interactions (where you contact us via social media).
2.1.7 Compliance and Risk Data
(a) Sanctions screening results;
(b) Politically Exposed Person (PEP) status;
(c) Adverse media screening results;
(d) Enhanced due diligence reports;
(e) Suspicious activity monitoring and flagging information;
(f) Regulatory reports and disclosures;
(g) Litigation and insolvency records (where relevant).
2.2 Special Categories of Personal Data
In limited circumstances, we may process special categories of personal data (known as "sensitive personal information" under PIPEDA), including:
(a) Biometric data for identity verification purposes;
(b) Criminal convictions and offenses data for compliance with anti-money laundering and sanctions obligations.
We process such data only where legally permitted and necessary for compliance with legal obligations, fraud prevention, or with your explicit consent where required.
2.3 Children's Data
Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will take steps to delete it promptly.
3. HOW WE COLLECT PERSONAL DATA
3.1 Information You Provide Directly
We collect personal data that you provide directly to us when you:
(a) Register for an account or apply for Services;
(b) Complete our Know Your Customer (KYC) or Know Your Business (KYB) verification process;
(c) Submit documents for identity or address verification;
(d) Execute foreign exchange transactions or payment instructions;
(e) Contact our customer support team;
(f) Subscribe to marketing communications;
(g) Participate in surveys, promotions, or events;
(h) Provide feedback or testimonials.
3.2 Information We Collect Automatically
We automatically collect certain data when you access or use our Website and Services, including:
(a) Technical information about your device and internet connection;
(b) Usage data through cookies and similar technologies;
(c) Geolocation data (with your consent where required);
(d) Transaction metadata and timestamps.
3.3 Information from Third-Party Sources
We collect personal data from third-party sources including:
(a) Identity Verification Providers (e.g., Onfido, Jumio, Trulioo, GB Group) who verify your identity documents and conduct electronic identity checks;
(b) Credit Reference Agencies (e.g., Equifax, Experian, TransUnion) for credit assessments and fraud prevention;
(c) Sanctions and PEP Screening Providers (e.g., Dow Jones, World-Check, ComplyAdvantage) who screen against global sanctions lists, PEP databases, and adverse media;
(d) Banking Partners and Payment Networks who provide transaction status updates and payment confirmation data;
(e) Corporate Registry Databases (e.g., Companies House, BC Corporate Registry) for verification of corporate clients;
(f) Publicly Available Sources including government registries, court records, and public databases for due diligence purposes;
(g) Referral Partners and Introducers (accountants, FX brokers, business advisors) who may provide your contact information and basic business details when referring you to our Services.
4. WHY WE USE YOUR PERSONAL DATA (LEGAL BASIS AND PURPOSES)
4.1 Legal Bases for Processing
We process your personal data on the following legal bases:
4.1.1 Contractual Necessity
Processing is necessary to perform our contract with you (the Master Services Agreement) or to take steps at your request prior to entering into a contract. This includes:
(a) Opening and maintaining your account;
(b) Executing foreign exchange transactions and payments;
(c) Providing customer support;
(d) Processing your instructions.
4.1.2 Legal Obligation
Processing is necessary for compliance with legal obligations to which we are subject, including:
(a) Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (Canada) and Money Laundering Regulations 2017 (UK);
(b) Know Your Customer (KYC) and Customer Due Diligence requirements imposed by FINTRAC and the Financial Conduct Authority (FCA);
(c) Economic Sanctions Compliance including screening against OFAC (USA), OFSI (UK), UN, and EU sanctions lists;
(d) Suspicious Activity Reporting to Financial Intelligence Units (FINTRAC in Canada, National Crime Agency in UK);
(e) Record-keeping obligations requiring retention of financial records for specified periods;
(f) Tax reporting including Common Reporting Standard (CRS) and Foreign Account Tax Compliance Act (FATCA) requirements;
(g) Responding to lawful requests from law enforcement, regulators, and government authorities.
4.1.3 Legitimate Interests
Processing is necessary for our legitimate business interests (or those of a third party), provided such interests are not overridden by your rights. Our legitimate interests include:
(a) Fraud prevention and security: Detecting, preventing, and investigating fraud, money laundering, and other financial crimes;
(b) Risk management: Assessing credit risk, transaction risk, and reputational risk;
(c) Service improvement: Analyzing usage patterns to enhance our Website and Services;
(d) Business analytics: Understanding customer behavior and market trends;
(e) Direct marketing: Sending relevant communications about our Services (subject to your right to opt out);
(f) Operational efficiency: Managing our banking relationships and payment networks;
(g) Legal claims: Establishing, exercising, or defending legal claims.
4.1.4 Consent
In certain circumstances, we rely on your explicit consent, including:
(a) Processing special categories of data (biometric data, criminal records) where not otherwise permitted by law;
(b) Marketing communications where required by law;
(c) Use of certain cookies and tracking technologies;
(d) International data transfers where consent is the appropriate legal mechanism.
You may withdraw consent at any time, but this will not affect the lawfulness of processing based on consent before withdrawal.
4.2 Purposes of Processing
We use your personal data for the following purposes:
4.2.1 Account Management and Service Delivery
(a) Verifying your identity and eligibility for Services;
(b) Opening and maintaining your account;
(c) Processing foreign exchange transactions;
(d) Executing international payment instructions;
(e) Providing forward contracts and hedging products;
(f) Managing treasury management services and reporting;
(g) Communicating with you about your account and transactions;
(h) Providing customer support and responding to inquiries.
4.2.2 Compliance and Regulatory Obligations
(a) Conducting Know Your Customer (KYC) and Know Your Business (KYB) verification;
(b) Performing ongoing Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD);
(c) Screening transactions and parties against sanctions lists;
(d) Monitoring transactions for suspicious activity;
(e) Filing Suspicious Activity Reports (SARs) or Suspicious Transaction Reports (STRs);
(f) Responding to regulatory inquiries and examinations;
(g) Maintaining audit trails and compliance records;
(h) Reporting to tax authorities under CRS/FATCA.
4.2.3 Fraud Prevention and Security
(a) Detecting and preventing fraud, money laundering, and financial crime;
(b) Protecting against unauthorized access to accounts;
(c) Monitoring for unusual or suspicious activity patterns;
(d) Investigating suspected security incidents;
(e) Sharing fraud intelligence with industry partners and law enforcement;
(f) Implementing security measures and access controls.
4.2.4 Business Operations and Partnerships
(a) Managing relationships with banking partners and payment networks;
(b) Facilitating transactions through Authorized Partners;
(c) Reconciling accounts and managing financial operations;
(d) Conducting internal audits and quality assurance;
(e) Training staff and monitoring service quality;
(f) Business planning and strategic decision-making.
4.2.5 Marketing and Communications
(a) Sending promotional materials about our Services (subject to opt-out rights);
(b) Conducting market research and customer satisfaction surveys;
(c) Personalizing content and offers based on your profile and preferences;
(d) Analyzing marketing campaign effectiveness.
4.2.6 Legal and Dispute Resolution
(a) Establishing, exercising, or defending legal claims;
(b) Enforcing our Master Services Agreement and other legal rights;
(c) Resolving disputes and complaints;
(d) Complying with court orders and legal processes.
5. WHO WE SHARE YOUR PERSONAL DATA WITH (DATA DISCLOSURE)
5.1 Disclosure to Third Parties
We share your personal data with the following categories of third parties only to the extent necessary for the purposes described in this Privacy Policy:
5.1.1 Banking Partners and Payment Service Providers
Purpose: Transaction execution, payment processing, and safeguarding of client funds.
Recipients: We share your identity information, financial information, and transaction details with:
(a) Authorized Partners (FCA-regulated Payment Institutions and Electronic Money Institutions in the UK and EU, including but not limited to Equals Money, Clear Currency, Moneycorp);
(b) Correspondent Banks (SWIFT member banks facilitating international payments);
(c) Beneficiary Banks (receiving banks where you instruct us to send funds);
(d) Payment Networks (SWIFT, SEPA, Faster Payments, Fedwire, ACH);
(e) Safeguarding Account Banks (Canadian chartered banks and UK/EU banks holding segregated client funds).
Data Shared: Full name, date of birth, address, account numbers, transaction amounts, currencies, payment references, and purpose of payment.
Legal Basis: Contractual necessity (to execute your payment instructions) and legitimate interests (to maintain banking relationships essential for service delivery).
Partner Obligations: Our banking partners are contractually obligated to process your data in accordance with applicable data protection laws and only for the purpose of facilitating transactions. They may be required to conduct their own AML/KYC checks and retain records in accordance with their regulatory obligations.
5.1.2 Regulatory Bodies and Government Authorities
Purpose: Compliance with legal obligations, AML/CTF reporting, sanctions enforcement, and responding to lawful requests.
Recipients: We share personal data with:
(a) Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) – Canada's Financial Intelligence Unit;
(b) National Crime Agency (NCA) – UK's Financial Intelligence Unit;
(c) Financial Conduct Authority (FCA) – UK financial services regulator;
(d) Canada Revenue Agency (CRA) and HM Revenue & Customs (HMRC) – for tax reporting under CRS/FATCA;
(e) Office of Foreign Assets Control (OFAC), Office of Financial Sanctions Implementation (OFSI), and other sanctions authorities;
(f) Law Enforcement Agencies (Royal Canadian Mounted Police, UK Police Forces, FBI, Interpol) pursuant to criminal investigations;
(g) Courts and Tribunals pursuant to court orders and legal processes;
(h) Other Regulatory Authorities with jurisdiction over our activities.
Data Shared: Full KYC/KYB data, transaction history, source of funds information, beneficial ownership details, and any information relevant to compliance or investigation.
Legal Basis: Legal obligation (mandatory reporting under AML/CTF laws) and legitimate interests (cooperating with law enforcement and regulatory authorities).
Important: We are legally prohibited from informing you when we file a Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR) or disclose your data pursuant to certain legal processes. Such disclosures are made confidentially and override any confidentiality obligations to you.
5.1.3 Identity Verification and Compliance Vendors
Purpose: Verification of identity documents, electronic identity checks, sanctions screening, and fraud prevention.
Recipients: We share identity information and personal data with:
(a) Identity Verification Providers: Onfido, Jumio, Trulioo, GB Group (IDology), Veriff;
(b) Sanctions and PEP Screening Providers: Dow Jones Risk & Compliance, Refinitiv World-Check, ComplyAdvantage, LexisNexis;
(c) Credit Reference Agencies: Equifax, Experian, TransUnion;
(d) Fraud Prevention Services: CIFAS (UK), Kount, Sift, Signifyd;
(e) Document Verification Services: Providers that authenticate government-issued documents and detect forgeries.
Data Shared: Name, date of birth, address, identity document images (passport, driver's license), document numbers, biometric data (facial recognition), and screening results.
Legal Basis: Legal obligation (KYC requirements), contractual necessity (to verify your eligibility for Services), and legitimate interests (fraud prevention).
Vendor Obligations: Our identity verification and compliance vendors act as data processors and are contractually obligated to:
(a) Process data only on our instructions;
(b) Implement appropriate security measures;
(c) Not use data for their own purposes (except where they act as independent data controllers for fraud prevention databases);
(d) Delete or return data upon termination of services (subject to legal retention requirements).
International Transfers: Many identity verification providers are based in the United States or process data through US infrastructure. We ensure appropriate safeguards are in place (see Section 7).
5.1.4 Technology and Service Providers
Purpose: IT infrastructure, cloud hosting, software development, customer support, and business operations.
Recipients: We share personal data with:
(a) Cloud Hosting Providers: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform;
(b) Customer Relationship Management (CRM) Systems: Salesforce, HubSpot, Zoho CRM;
(c) Communication Platforms: Intercom, Zendesk, Twilio (for SMS/email notifications);
(d) Analytics Providers: Google Analytics, Mixpanel, Segment;
(e) Payment Processing Infrastructure: Stripe, Plaid (for bank account verification);
(f) Security and Monitoring Services: Cloudflare, Sentry, Datadog;
(g) Software Development Partners: Third-party developers providing technical support and platform maintenance.
Data Shared: Contact information, account data, transaction metadata, device information, and usage analytics.
Legal Basis: Contractual necessity and legitimate interests (to operate our technology infrastructure and deliver Services efficiently).
Processor Obligations: These service providers act as data processors and are bound by Data Processing Agreements (DPAs) requiring compliance with GDPR/PIPEDA standards.
5.1.5 Professional Advisors and Auditors
Purpose: Legal advice, accounting, auditing, and corporate transactions.
Recipients: We may share personal data with:
(a) Legal Counsel: External law firms providing legal advice;
(b) Accountants and Auditors: Firms conducting financial audits and regulatory compliance reviews;
(c) Tax Advisors: Consultants advising on tax compliance and reporting;
(d) Insurance Brokers: For professional indemnity and cyber insurance purposes;
(e) Corporate Transaction Advisors: In connection with potential mergers, acquisitions, or sale of business (subject to confidentiality obligations).
Data Shared: Limited to data necessary for the specific advisory or audit purpose.
Legal Basis: Legal obligation (audit requirements) and legitimate interests (obtaining professional advice and managing corporate transactions).
Confidentiality: Professional advisors are bound by professional secrecy obligations and confidentiality agreements.
5.1.6 Referral Partners and Introducers
Purpose: Managing referral relationships and commission arrangements.
Recipients: Where you were referred to us by an accountant, FX broker, or business advisor, we may share limited information with the referrer including:
(a) Confirmation that you have opened an account;
(b) Transaction volumes (aggregated, not detailed transaction data);
(c) Status of your account (active, dormant, closed).
Data Shared: We do NOT share detailed transaction data, account balances, or sensitive personal information with referral partners without your explicit consent.
Legal Basis: Legitimate interests (managing commercial partnerships) and contractual necessity (where referral agreements include commission arrangements).
Opt-Out: You may request that we do not share your information with referral partners by contacting us using the details in Section 13.
5.1.7 Business Transfers and Corporate Transactions
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or part of our business or assets, your personal data may be transferred to the successor entity or purchaser. We will notify you of any such change and ensure the recipient is bound by equivalent privacy protections.
Legal Basis: Legitimate interests (facilitating business transactions and ensuring continuity of Services).
5.2 No Sale of Personal Data
We do NOT sell your personal data to third parties for monetary or other valuable consideration. Any sharing of data is limited to the purposes described in this Privacy Policy and is subject to contractual and legal safeguards.
5.3 Your Rights Regarding Data Sharing
Under GDPR, you have the right to object to processing based on legitimate interests. Where we rely on legitimate interests as the legal basis for sharing data (e.g., fraud prevention, marketing), you may object, and we will cease processing unless we demonstrate compelling legitimate grounds that override your interests or we require the data for legal claims.
6. HOW WE PROTECT YOUR PERSONAL DATA (SECURITY MEASURES)
6.1 Security Commitment
We implement robust technical and organizational security measures to protect your personal data against unauthorized access, disclosure, alteration, destruction, or loss.
6.2 Technical Security Measures
(a) Encryption at Rest: All personal data stored in databases is encrypted using AES-256 encryption or equivalent industry-standard encryption algorithms.
(b) Encryption in Transit: Data transmitted over networks is protected using TLS 1.2 or higher encryption protocols.
(c) Access Controls: Role-based access controls (RBAC) ensure that only authorized personnel can access personal data, and access is limited to the minimum necessary for their role.
(d) Multi-Factor Authentication (MFA): Administrative access to systems containing personal data requires multi-factor authentication.
(e) Firewall and Intrusion Detection: Network security appliances monitor and block unauthorized access attempts.
(f) Regular Security Audits: We conduct periodic penetration testing, vulnerability assessments, and security audits by independent third parties.
(g) Secure Development Practices: Code reviews, security testing, and secure coding standards are integrated into our software development lifecycle.
(h) Data Pseudonymization and Anonymization: Where feasible, we pseudonymize or anonymize personal data used for analytics and testing purposes.
6.3 Organizational Security Measures
(a) Employee Training: All employees receive mandatory data protection and information security training.
(b) Confidentiality Agreements: Employees and contractors sign confidentiality agreements and are subject to disciplinary action for data breaches.
(c) Background Checks: Employees with access to sensitive personal data undergo background checks (where legally permitted).
(d) Incident Response Plan: We maintain a documented data breach response plan to detect, contain, and remediate security incidents.
(e) Vendor Management: Third-party service providers are assessed for security compliance and are contractually obligated to implement equivalent security measures.
(f) Physical Security: Data centers and offices have physical access controls including security personnel, surveillance, and access card systems.
6.4 Data Breach Notification
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:
(a) Notify the relevant supervisory authority (ICO in UK, Privacy Commissioner in Canada) within 72 hours of becoming aware of the breach;
(b) Notify affected individuals without undue delay if the breach is likely to result in a high risk to rights and freedoms;
(c) Provide information about the nature of the breach, likely consequences, and measures taken to address the breach and mitigate harm.
6.5 Your Security Responsibilities
You are responsible for:
(a) Maintaining the confidentiality of your account credentials (username, password);
(b) Using strong, unique passwords and enabling multi-factor authentication where available;
(c) Promptly notifying us if you suspect unauthorized access to your account;
(d) Keeping your contact information up to date so we can reach you regarding security issues;
(e) Not sharing your account access with unauthorized persons.
7. INTERNATIONAL DATA TRANSFERS
7.1 Cross-Border Data Flows
Due to the nature of our business, personal data may be transferred to, processed, and stored in jurisdictions outside your country of residence, including:
(a) Between Canada and the United Kingdom: Data is transferred between our Canadian Entity and UK Entity for operational purposes, group reporting, and consolidated compliance functions.
(b) To the United States: Many of our technology service providers (cloud hosting, identity verification, payment processing infrastructure) are based in or process data through the United States.
(c) To Other Jurisdictions: Data may be processed in jurisdictions where our banking partners, payment networks, or service providers operate, including the European Union, Singapore, Australia, and other countries.
7.2 Adequacy Decisions and Safeguards
Where we transfer personal data outside the European Economic Area (EEA) or UK to countries that do not have an adequacy decision from the European Commission or UK government, we implement appropriate safeguards including:
(a) Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (also known as Model Clauses) approved for data transfers, ensuring equivalent protection to GDPR.
(b) UK International Data Transfer Agreement (IDTA): For transfers from the UK, we use the UK IDTA or UK Addendum to EU SCCs.
(c) Adequacy Decisions: Canada has been recognized by the European Commission as providing adequate protection for personal data transferred from the EU (under PIPEDA). Transfers from the EEA to Canada benefit from this adequacy decision.
(d) Supplementary Measures: Where required by European Data Protection Board (EDPB) guidance, we implement supplementary technical and organizational measures (encryption, access controls, contractual restrictions) to ensure equivalent protection.
7.3 US-Based Service Providers
Many identity verification, cloud hosting, and technology providers are US-based. We ensure these providers:
(a) Enter into Standard Contractual Clauses with us;
(b) Implement robust security measures equivalent to GDPR standards;
(c) Limit access to personal data to authorized personnel only;
(d) Commit to transparency regarding government access requests (to the extent legally permissible).
US Government Access: Under US law (including FISA Section 702 and Executive Order 12333), US intelligence agencies may access data held by US companies under certain circumstances. We mitigate this risk through encryption, contractual restrictions, and selecting providers with strong transparency records. However, we cannot eliminate the possibility of government access to data transferred to the US.
Your Rights: If you have concerns about international data transfers, you may exercise your right to object (see Section 8). However, international transfers are often necessary to provide our Services, and objecting may limit our ability to serve you.
7.4 Transfers for Legal Compliance
Data may also be transferred internationally to comply with legal obligations, including:
(a) Sharing data with SWIFT (headquartered in Belgium) for international payment messaging;
(b) Responding to foreign court orders or regulatory requests (subject to applicable legal frameworks);
(c) Sanctions screening through global databases maintained by providers in various jurisdictions.
8. YOUR PRIVACY RIGHTS
8.1 Overview of Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
8.1.1 Right of Access (GDPR Article 15, PIPEDA)
You have the right to:
(a) Obtain confirmation whether we are processing your personal data;
(b) Access your personal data and receive a copy;
(c) Receive information about the purposes of processing, categories of data, recipients, retention periods, and your rights.
How to Exercise: Submit a Subject Access Request (SAR) using the contact details in Section 13. We will respond within one month (GDPR) or 30 days (PIPEDA), extendable in complex cases.
Verification: We will verify your identity before providing access to prevent unauthorized disclosure.
Limitations: Access may be restricted or denied where disclosure would adversely affect the rights of others, reveal trade secrets, compromise law enforcement investigations, or is prohibited by law (e.g., we cannot disclose that a SAR/STR has been filed).
8.1.2 Right to Rectification (GDPR Article 16, PIPEDA)
You have the right to:
(a) Correct inaccurate or incomplete personal data;
(b) Request that we update your information.
How to Exercise: Contact us with documentation supporting the correction. We will update your data promptly and notify relevant third parties where necessary.
8.1.3 Right to Erasure / "Right to be Forgotten" (GDPR Article 17)
You have the right to request deletion of your personal data in certain circumstances, including:
(a) Data is no longer necessary for the purposes for which it was collected;
(b) You withdraw consent (where consent is the legal basis);
(c) You object to processing based on legitimate interests and there are no overriding grounds;
(d) Data was unlawfully processed;
(e) Deletion is required to comply with a legal obligation.
CRITICAL LIMITATION – FINANCIAL RECORD RETENTION REQUIREMENTS:
YOUR RIGHT TO ERASURE IS SIGNIFICANTLY LIMITED IN THE FINANCIAL SERVICES SECTOR.
We are legally obligated to retain financial records, transaction data, and KYC/KYB documentation for a minimum of seven (7) years from the date of account closure or last transaction under:
(a) Proceeds of Crime (Money Laundering) and Terrorist Financing Act (Canada) – Section 6;
(b) Money Laundering Regulations 2017 (UK) – Regulation 40;
(c) FINTRAC guidance requiring retention of client records and transaction records for 7 years;
(d) FCA Handbook requiring retention of records for regulatory inspection and dispute resolution.
This retention obligation overrides your right to erasure under GDPR Article 17(3)(b) (processing necessary for compliance with legal obligations) and GDPR Article 17(3)(e) (establishment, exercise, or defense of legal claims).
During the retention period, we will:
(a) Restrict processing to storage, legal compliance, and defense of claims only;
(b) Not use your data for marketing or operational purposes;
(c) Continue to protect data with appropriate security measures;
(d) Permanently delete data once the legal retention period expires (unless there are ongoing legal claims requiring further retention).
After the 7-year retention period, we will permanently and securely delete your personal data unless:
(a) There are ongoing legal proceedings, regulatory investigations, or disputes requiring retention;
(b) We have a separate legal basis for continued retention (e.g., archived financial statements for corporate recordkeeping).
How to Exercise: Submit an erasure request. We will review whether erasure is legally permissible and inform you of the outcome. Where erasure is not possible due to retention requirements, we will explain the legal basis and restrict processing as described above.
8.1.4 Right to Restriction of Processing (GDPR Article 18)
You have the right to request that we restrict processing of your personal data in the following circumstances:
(a) You contest the accuracy of the data (restriction applies until accuracy is verified);
(b) Processing is unlawful but you prefer restriction instead of erasure;
(c) We no longer need the data but you require it for legal claims;
(d) You have objected to processing pending verification of overriding legitimate grounds.
Effect: When processing is restricted, we may only store the data and process it with your consent, for legal claims, to protect another person's rights, or for important public interests.
How to Exercise: Submit a restriction request. We will respond within one month.
8.1.5 Right to Data Portability (GDPR Article 20)
You have the right to:
(a) Receive personal data you provided to us in a structured, commonly used, machine-readable format (e.g., CSV, JSON);
(b) Transmit that data to another controller without hindrance.
Scope: This right applies only to data processed based on consent or contractual necessity and processed by automated means. It does NOT apply to data derived or inferred by us (e.g., risk scores, compliance assessments).
Portability Data Includes: Identity information, contact details, account settings, transaction history, payment instructions.
How to Exercise: Submit a data portability request specifying the format required. We will provide data within one month.
8.1.6 Right to Object (GDPR Article 21, PIPEDA)
You have the right to object to processing of your personal data in the following circumstances:
(a) Processing based on legitimate interests (including fraud prevention, direct marketing, profiling): We will cease processing unless we demonstrate compelling legitimate grounds that override your interests or we require the data for legal claims.
(b) Direct Marketing: You have an absolute right to object to marketing. We will cease all marketing communications immediately upon request.
(c) Automated Decision-Making and Profiling: Where we use automated systems for credit decisions, fraud detection, or risk assessment, you have the right to object, request human review, and challenge decisions.
How to Exercise: Submit an objection request or click "unsubscribe" in marketing emails. For direct marketing, we will implement opt-out immediately. For other objections, we will respond within one month.
8.1.7 Right to Withdraw Consent (GDPR Article 7(3), PIPEDA)
Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
Impact: Withdrawing consent may limit or prevent our ability to provide certain Services. For example, withdrawing consent for identity verification would prevent account opening.
How to Exercise: Contact us using the details in Section 13 or use opt-out mechanisms provided (e.g., unsubscribe links).
8.1.8 Right to Lodge a Complaint (GDPR Article 77)
You have the right to lodge a complaint with a supervisory authority if you believe we have violated your data protection rights.
Relevant Supervisory Authorities:
(a) UK: Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Email: casework@ico.org.uk
Phone: 0303 123 1113
(b) Canada: Office of the Privacy Commissioner of Canada
Website: https://www.priv.gc.ca
Email: info@priv.gc.ca
Phone: 1-800-282-1376
(c) EU: Your local Data Protection Authority (find at https://edpb.europa.eu/about-edpb/about-edpb/members_en)
Our Preference: We encourage you to contact us first to resolve any concerns. However, you have the right to lodge a complaint at any time without prejudice to other legal remedies.
8.2 How to Exercise Your Rights
To exercise any of the above rights, please:
(a) Email us at: privacy@unicorncurrencies.com
(b) Write to us at:
For UK Entity Clients:
Data Protection Officer
Unicorn Currencies Ltd
4th Floor, Silverstream House, Fitzroy Street
London, W1T 6EB
United Kingdom
For Canadian Entity Clients:
Privacy Officer
Unicorn Currencies Limited
5577 153A Street, Suite 207
Surrey, V3S 5K7, British Columbia
Canada
(c) Include in your request:
Full name and contact details;
Account details (if applicable);
Specific right you wish to exercise;
Clear description of your request;
Proof of identity (government-issued ID to prevent unauthorized access).
8.3 Response Timeframes
We will respond to rights requests:
(a) Within one month of receipt (GDPR);
(b) Within 30 days of receipt (PIPEDA);
(c) Extensions of up to two additional months (GDPR) or 30 days (PIPEDA) may apply for complex requests; we will notify you of any extension and the reasons.
8.4 Fees
We do not charge a fee for exercising your rights unless:
(a) Requests are manifestly unfounded or excessive (e.g., repetitive requests); or
(b) You request additional copies of data beyond the first free copy.
In such cases, we may charge a reasonable administrative fee or refuse the request.
9. DATA RETENTION
9.1 Retention Principles
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.
9.2 Retention Periods
9.2.1 Active Client Data
While your account is active, we retain all personal data necessary to provide Services, comply with ongoing obligations, and maintain the client relationship.
9.2.2 Financial Records (7-Year Retention Requirement)
Following account closure or final transaction, we retain the following data for a minimum of seven (7) years:
(a) Identity verification documents (passport, driver's license, proof of address);
(b) Know Your Customer (KYC) and Know Your Business (KYB) documentation;
(c) Transaction records (dates, amounts, currencies, beneficiaries, purpose);
(d) Account opening documentation and due diligence records;
(e) Source of funds and source of wealth documentation;
(f) Beneficial ownership information (for corporate clients);
(g) Correspondence and communications related to compliance;
(h) Sanctions screening results and compliance assessments;
(i) Records of suspicious activity monitoring and reporting.
Legal Basis: Legal obligation under AML/CTF regulations (GDPR Article 17(3)(b)).
Jurisdictional Requirements:
Canada: Proceeds of Crime (Money Laundering) and Terrorist Financing Act requires 5-year retention from transaction date; FINTRAC guidance recommends 7 years for robust compliance.
UK: Money Laundering Regulations 2017 require 5-year retention from end of business relationship; FCA Handbook and industry best practice support 7-year retention.
We adopt a 7-year standard to ensure compliance across all jurisdictions and to align with statute of limitations periods for potential legal claims.
9.2.3 Marketing and Communications Data
(a) Marketing Opt-Outs: Records of marketing preferences and opt-outs are retained indefinitely to honor your choices and prevent inadvertent re-marketing.
(b) Marketing Consent: Where marketing is based on consent, data is retained until consent is withdrawn, after which data is deleted within 30 days (unless required for other purposes).
9.2.4 Website Usage and Analytics Data
(a) Server Logs and IP Addresses: Retained for 12-24 months for security, fraud prevention, and technical troubleshooting.
(b) Analytics Data: Anonymized or pseudonymized analytics data may be retained indefinitely for business intelligence and service improvement.
9.2.5 Customer Support Records
(a) Support Tickets and Communications: Retained for 3 years for quality assurance, training, and dispute resolution.
(b) Call Recordings: Retained for 6-12 months unless relevant to a transaction (in which case the 7-year retention applies).
9.2.6 Legal Claims and Disputes
If there are ongoing legal proceedings, regulatory investigations, or unresolved disputes, we may retain relevant personal data beyond standard retention periods until the matter is fully resolved and any appeal periods have expired.
9.3 Deletion and Anonymization
Once retention periods expire, we will:
(a) Permanently Delete personal data using secure deletion methods (overwriting, degaussing, physical destruction of media);
(b) Anonymize data so it no longer identifies individuals, allowing retention for statistical and analytical purposes.
9.4 Archived Data
Data required for corporate recordkeeping (e.g., archived financial statements, audit trails) may be retained in restricted, encrypted archives beyond standard retention periods. Such archives are segregated from operational systems and access is strictly limited.
10. COOKIES AND TRACKING TECHNOLOGIES
10.1 What Are Cookies?
Cookies are small text files placed on your device by websites you visit. They are widely used to make websites work efficiently, enhance user experience, and provide analytics information.
10.2 Types of Cookies We Use
10.2.1 Strictly Necessary Cookies
Purpose: Essential for the Website to function. These enable core functionality such as security, network management, and accessibility.
Examples: Session cookies, authentication tokens, load balancing cookies.
Legal Basis: Legitimate interests (essential for service delivery). These cookies are exempt from consent requirements under GDPR and PECR.
Expiry: Session cookies (deleted when browser closes) or short-term persistent cookies (up to 30 days).
10.2.2 Performance and Analytics Cookies
Purpose: Collect information about how visitors use the Website, including pages visited, time spent, and error messages. Data is aggregated and anonymized.
Examples: Google Analytics, Mixpanel, Segment.
Legal Basis: Consent (where required) or legitimate interests (where anonymized).
Expiry: Up to 2 years.
Opt-Out: You can opt out of analytics cookies using our cookie consent banner or browser settings.
10.2.3 Functionality Cookies
Purpose: Remember your preferences and choices (e.g., language, region, display settings) to provide enhanced, personalized features.
Examples: Language preference cookies, user interface customization cookies.
Legal Basis: Legitimate interests (improving user experience).
Expiry: Up to 12 months.
10.2.4 Marketing and Advertising Cookies
Purpose: Track your activity across websites to deliver targeted advertising and measure campaign effectiveness.
Examples: Google Ads, LinkedIn Insight Tag, Facebook Pixel.
Legal Basis: Consent (required under GDPR and PECR).
Expiry: Up to 12-24 months.
Opt-Out: You can withdraw consent via our cookie consent banner, browser settings, or industry opt-out tools (e.g., Network Advertising Initiative at https://www.networkadvertising.org/choices/).
10.3 Third-Party Cookies
Our Website may include third-party content (e.g., embedded videos, social media plugins) that set their own cookies. We do not control these third-party cookies. Please review the privacy policies of third parties:
(a) Google: https://policies.google.com/privacy
(b) LinkedIn: https://www.linkedin.com/legal/privacy-policy
(c) Facebook: https://www.facebook.com/privacy/explanation
10.4 Managing Cookies
You can manage cookies through:
(a) Cookie Consent Banner: Displayed on first visit, allowing you to accept or reject non-essential cookies.
(b) Browser Settings: Most browsers allow you to block or delete cookies. Refer to your browser's help function:
Chrome: https://support.google.com/chrome/answer/95647
Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer
Safari: https://support.apple.com/guide/safari/manage-cookies-sfri11471/mac
Edge: https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09
(c) Industry Opt-Out Tools:
Network Advertising Initiative: https://www.networkadvertising.org/choices/
Digital Advertising Alliance: https://youradchoices.com/
Impact of Blocking Cookies: Blocking strictly necessary cookies may impair Website functionality. Blocking analytics or marketing cookies will not affect core Services but may result in a less personalized experience.
10.5 Do Not Track (DNT)
Some browsers support a "Do Not Track" (DNT) signal. Our Website does not currently respond to DNT signals, as there is no industry-wide standard for interpreting DNT.
11. AUTOMATED DECISION-MAKING AND PROFILING
11.1 Use of Automated Systems
We use automated systems and algorithms for certain decision-making processes, including:
(a) Credit Risk Assessment: Automated scoring models evaluate creditworthiness for margin trading, forward contracts, and credit lines.
(b) Fraud Detection: Machine learning algorithms analyze transaction patterns to detect anomalies indicative of fraud or money laundering.
(c) Sanctions Screening: Automated systems screen names, addresses, and account details against sanctions lists and PEP databases.
(d) Transaction Monitoring: Automated systems flag unusual transaction patterns for manual review.
11.2 Solely Automated Decisions (GDPR Article 22)
You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects or similarly significantly affects you, unless:
(a) The decision is necessary for entering into or performing a contract;
(b) Authorized by law with suitable safeguards;
(c) Based on your explicit consent.
Our Practice: We do NOT make solely automated decisions with significant effects without human oversight. All automated assessments are reviewed by trained personnel before final decisions are made regarding:
Account application approvals/rejections;
Credit limit determinations;
Suspension or termination of Services;
Suspicious activity reporting.
11.3 Your Rights
You have the right to:
(a) Request human intervention in automated decision-making;
(b) Express your point of view and provide additional context;
(c) Contest the decision and request manual review.
How to Exercise: Contact us using the details in Section 13 if you believe you have been subject to an unfair automated decision.
12. CHANGES TO THIS PRIVACY POLICY
12.1 Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations. The "Last Updated" date at the top of this Privacy Policy indicates when it was last revised.
12.2 Notification of Material Changes
For material changes that significantly affect your rights or how we process your personal data, we will provide prominent notice by:
(a) Posting a notice on the Website;
(b) Sending an email to your registered email address;
(c) Requiring acceptance of the updated Privacy Policy upon next login (for significant changes).
We will provide at least 30 days' notice for material changes where reasonably practicable.
12.3 Continued Use
Continued use of the Website or Services after the effective date of the updated Privacy Policy constitutes acceptance of the changes. If you do not agree to the updated Privacy Policy, you must cease using the Services and may close your account.
12.4 Version History
We maintain a version history of material changes to this Privacy Policy, available upon request.
13. CONTACT US
13.1 Data Protection Officer / Privacy Officer
If you have questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact:
For UK Entity Clients (UK, EU, Rest of World):
Data Protection Officer
Unicorn Currencies Ltd
4th Floor, Silverstream House, Fitzroy Street
London, W1T 6EB
United Kingdom
Email: privacy@unicorncurrencies.com | dpo@unicorncurrencies.com
Phone: +44 (20) 8064-0818
ICO Registration No: ZB534346
For Canadian Entity Clients (Canada, USA):
Privacy Officer
Unicorn Currencies Limited
5577 153A Street, Suite 207
Surrey, V3S 5K7, British Columbia
Canada
Email: privacy@unicorncurrencies.com
Phone: +1 (548) 488-0818
FINTRAC Registration No: C100000159
13.2 General Inquiries
For general questions about our Services, please contact:
Email: support@unicorncurrencies.com
Website: www.unicorncurrencies.com
13.3 Supervisory Authorities
You have the right to lodge a complaint with the relevant data protection authority:
UK: Information Commissioner's Office (ICO)
Website: https://ico.org.uk | Email: casework@ico.org.uk | Phone: 0303 123 1113
Canada: Office of the Privacy Commissioner of Canada
Website: https://www.priv.gc.ca | Email: info@priv.gc.ca | Phone: 1-800-282-1376
EU: Your local Data Protection Authority (directory: https://edpb.europa.eu/about-edpb/about-edpb/members_en)
14. GLOSSARY OF TERMS
AML/CTF: Anti-Money Laundering / Counter-Terrorist Financing
CDD: Customer Due Diligence
CRS: Common Reporting Standard (automatic exchange of financial account information for tax purposes)
Data Controller: An entity that determines the purposes and means of processing personal data
Data Processor: An entity that processes personal data on behalf of a data controller
EDD: Enhanced Due Diligence (additional verification for high-risk clients)
FATCA: Foreign Account Tax Compliance Act (US tax reporting regime)
FCA: Financial Conduct Authority (UK financial services regulator)
FINTRAC: Financial Transactions and Reports Analysis Centre of Canada
GDPR: General Data Protection Regulation
KYB: Know Your Business (verification process for corporate clients)
KYC: Know Your Customer (verification process for individual clients)
NCA: National Crime Agency (UK Financial Intelligence Unit)
PEP: Politically Exposed Person (individuals in prominent public positions)
PIPEDA: Personal Information Protection and Electronic Documents Act (Canada)
SAR/STR: Suspicious Activity Report / Suspicious Transaction Report
SWIFT: Society for Worldwide Interbank Financial Telecommunication (global payment messaging network)
© 2022 - 2025 Unicorn Currencies. All rights reserved.
