Privacy Policy
Version 1.0 | Effective: April 2026 | FINTRAC MSB: 1001308627
1. Introduction
Glacierpay Inc. (“Glacierpay,” “we,” “us,” or “our”) is committed to protecting the privacy and security of the personal and business information entrusted to us by our clients, their directors, officers, beneficial owners, and authorised representatives.
Glacierpay is a Money Services Business registered with the Financial Transactions and Reports Analysis Centre of Canada (“FINTRAC”) under Registration No. 1001308627. We are incorporated in the Province of Ontario, Canada, and provide over-the-counter (“OTC”) fiat-to-crypto conversion, crypto-to-fiat conversion, and payment processing services exclusively to business clients (“B2B”).
This Privacy Policy explains what information we collect, how we use it, who we share it with, how we protect it, and what rights you have in relation to your information. It applies to all information collected through our website at glacier-pay.com (the “Website”), our trading platform (the “Platform”), and any other interactions you have with us.
By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this Privacy Policy, you should not use our Services.
Note: This Privacy Policy is the customer-facing policy published on our Website. For our internal data protection procedures and GDPR compliance framework, please refer to our separate Internal Data Protection & GDPR Compliance Policy (Document 05).
2. Information We Collect
We collect information necessary to provide our Services, comply with our legal and regulatory obligations, and protect against fraud and financial crime. The types of information we collect are described below.
2.1 Information You Provide
When you apply for an account, complete our Know Your Business (“KYB”) onboarding process, or interact with us, you provide us with information including:
- Business registration documents: Certificate of incorporation, articles of association, business registry extracts, licences, and regulatory registrations;
- Director and Ultimate Beneficial Owner (“UBO”) identity documents: Full legal name, date of birth, nationality, residential address, government-issued photo identification (passport, national identity card, or driver’s licence), and proof of address;
- Authorised signatory information: Full legal name, role, contact details, and scope of authorisation;
- Financial information: Bank account details, financial statements, bank statements, source of funds declarations, and source of wealth declarations;
- Contact information: Business email addresses, telephone numbers, registered office address, and principal place of business;
- Business activity information: Nature of business, expected transaction volumes, business plans, and intended use of our Services;
- Correspondence: Any communications you send to us, including emails, support requests, and feedback.
2.2 Transaction Data
When you use our Services, we collect data about your transactions, including:
- Trade details: Trade history, including the type, amount, date, and time of each transaction;
- Asset information: Digital Assets traded, Fiat Currencies involved, exchange rates, and fees applied;
- Wallet addresses: Blockchain wallet addresses used to send or receive Digital Assets;
- Transaction hashes: On-chain transaction identifiers for blockchain transactions;
- Settlement details: Bank account details and wire transfer reference numbers for fiat settlements;
- IP addresses: The IP address from which transactions and orders are submitted.
2.3 Technical Data
When you access our Website or Platform, we may automatically collect certain technical information, including:
- Browser information: Browser type and version, browser language, and plug-ins;
- Device information: Device type, operating system, screen resolution, and unique device identifiers;
- IP address: Your Internet Protocol address and approximate geographic location;
- Access logs: Pages visited, time and duration of visits, click patterns, and referral sources;
- Cookies: Information collected through cookies and similar tracking technologies, as described in Section 9.
2.4 Third-Party Data
We may receive information about you from third-party service providers we engage for verification and compliance purposes, including:
- KYB verification results from Sumsub: Identity verification outcomes, document authenticity assessments, sanctions screening results, PEP screening results, and adverse media findings;
- Blockchain analytics from Chainalysis: Wallet address risk scores, exposure analysis, transaction tracing results, and associations with known illicit activity;
- Banking partner information: Payment confirmation details and account verification data;
- Public sources: Information from public registries, open-source intelligence, and publicly available databases.
3. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Description |
|---|---|
| Service Provision | To provide, operate, and maintain our OTC trading and payment processing Services, including processing transactions, managing your account, and facilitating settlements. |
| KYB/AML Compliance | To conduct Know Your Business onboarding, identity verification, sanctions screening, PEP screening, adverse media checks, and ongoing due diligence as required by applicable law. |
| Transaction Monitoring | To monitor transactions for suspicious activity, structuring, unusual patterns, and other indicators of financial crime, as required by FINTRAC, EU AML regulations, and other applicable laws. |
| Fraud Prevention | To detect, investigate, and prevent fraud, unauthorised access, and other security incidents. |
| Communication | To communicate with you about your account, transactions, service updates, policy changes, and to respond to your inquiries and support requests. |
| Service Improvement | To analyse usage patterns and feedback to improve our Website, Platform, and Services. |
| Legal Obligations | To comply with applicable laws and regulations, respond to lawful requests from regulatory authorities and law enforcement, and to establish, exercise, or defend legal claims. |
| Record Keeping | To maintain records as required by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (“PCMLTFA”), EU Anti-Money Laundering Directives, and other applicable legislation. |
4. Legal Basis for Processing
Our processing of personal information is grounded in the legal bases applicable to the jurisdictions in which we operate.
4.1 PIPEDA (Canada)
For individuals in Canada, we process personal information in accordance with the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Under PIPEDA:
- Consent: We obtain your meaningful consent for the collection, use, and disclosure of personal information at the time of KYB onboarding. Consent may be express or implied, depending on the sensitivity of the information and the reasonable expectations of the individual;
- Exceptions to consent: Certain processing may occur without consent where permitted or required by law, including for the prevention and detection of fraud and financial crime, compliance with court orders or subpoenas, and reporting to FINTRAC.
4.2 GDPR (European Union)
For individuals in the European Economic Area (“EEA”) and the United Kingdom, we process personal data in accordance with the General Data Protection Regulation (“GDPR”) and the UK GDPR. Our legal bases include:
- Performance of a contract: Processing necessary for the performance of our Services agreement with you, including account management, transaction processing, and settlement (GDPR Article 6(1)(b));
- Legal obligation: Processing necessary for compliance with our legal obligations, including AML/CFT regulations, sanctions compliance, record keeping, and regulatory reporting (GDPR Article 6(1)(c));
- Legitimate interests: Processing necessary for our legitimate interests or those of a third party, including fraud prevention, security, service improvement, and the establishment, exercise, or defence of legal claims (GDPR Article 6(1)(f)). We balance our interests against your fundamental rights and freedoms;
- Consent: Where no other legal basis applies, we may seek your explicit consent for specific processing activities. You may withdraw consent at any time, though this will not affect the lawfulness of processing carried out prior to withdrawal.
Special categories of data: We do not intentionally collect special categories of personal data (e.g., racial or ethnic origin, political opinions, health data). If such data is incidentally contained in documents you submit (e.g., identification documents), we process it solely for verification purposes under applicable legal obligations.
5. How We Share Your Information
We do not sell, rent, or trade your personal information. We share your information only in the circumstances described below and only to the extent necessary for the stated purpose.
5.1 Service Providers
We engage trusted third-party service providers to assist in delivering our Services and meeting our compliance obligations. These providers are contractually bound to protect your information and may only use it for the purposes we specify:
| Provider | Purpose | Data Shared |
|---|---|---|
| Sumsub | KYB verification, identity verification, sanctions & PEP screening, adverse media checks | Business registration documents, director/UBO identity documents, names, dates of birth, nationalities |
| Chainalysis | Blockchain analytics, wallet risk scoring, transaction tracing | Wallet addresses, transaction hashes, blockchain network data |
| BCB Group | Fiat currency settlement (EMI Partner) | Transaction details, settlement amounts, bank account information |
| Fireblocks | Digital asset custody, wallet infrastructure, transaction signing | Wallet addresses, transaction data, asset balances |
| Cloud Hosting Providers | Infrastructure hosting, data storage, backup | All data hosted on the Platform (encrypted at rest and in transit) |
We conduct due diligence on all service providers to ensure they maintain appropriate technical and organisational security measures. Where required, we enter into Data Processing Agreements (“DPAs”) that comply with GDPR Article 28.
5.2 Regulators & Law Enforcement
We may disclose your information to regulatory authorities and law enforcement agencies where required or permitted by law, including:
- FINTRAC (Canada): Suspicious Transaction Reports (“STRs”), Large Cash Transaction Reports, Electronic Funds Transfer Reports, and Terrorist Property Reports;
- EU Financial Intelligence Units (“FIUs”): Suspicious Activity Reports as required by applicable EU AML Directives and Member State legislation;
- Other regulatory authorities: Responses to lawful requests, inquiries, audits, examinations, or orders from securities regulators, tax authorities, and other governmental bodies;
- Law enforcement: Cooperation with criminal investigations, court orders, subpoenas, and other compulsory legal process.
Where legally permissible, we will notify you before disclosing your information to regulators or law enforcement. However, we are prohibited from providing such notification where doing so would constitute “tipping off” under applicable AML legislation.
5.3 EMI Partner
Fiat currency settlements are processed through our EMI Partner, BCB Group. We share transaction details, settlement amounts, and beneficiary bank account information with BCB Group to the extent necessary to complete fiat settlements. BCB Group processes this information in accordance with its own privacy policy and applicable regulatory requirements.
5.4 No Sale of Personal Data
Glacierpay does not sell, rent, lease, or trade your personal information to any third party for marketing, advertising, or any other commercial purpose. We never have and never will. Your data is used solely for the purposes described in this Privacy Policy.
6. International Data Transfers
Glacierpay is incorporated in Canada and our primary systems and data are hosted in Canada. However, in providing our Services and meeting our compliance obligations, your information may be transferred to, stored in, or accessed from countries outside Canada, including countries within the European Union and the European Economic Area.
Canada–EU Adequacy
The European Commission has recognised Canada as providing an adequate level of data protection for transfers of personal data from the EEA to Canadian organisations subject to PIPEDA. Accordingly, transfers of personal data from the EEA to Glacierpay in Canada are made on the basis of this adequacy decision.
Standard Contractual Clauses
Where personal data is transferred to countries that have not received an adequacy decision from the European Commission, we implement appropriate safeguards, including the European Commission’s Standard Contractual Clauses (“SCCs”), to ensure your data receives an equivalent level of protection. We assess transfer risks and supplement SCCs with additional technical and organisational measures where necessary.
Other Safeguards
Regardless of where your data is transferred, we ensure that appropriate security measures are in place, including encryption in transit and at rest, access controls, and contractual obligations on recipients to protect the data.
7. Data Retention
We retain your information only for as long as necessary to fulfil the purposes for which it was collected, comply with our legal obligations, and resolve disputes.
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| KYB/KYC documentation (identity documents, corporate documents, verification records) | Five (5) years from the end of the business relationship | PCMLTFA s. 6; AMLD6 |
| Transaction records (trade history, amounts, dates, wallet addresses, tx hashes) | Five (5) years from the date of the transaction | PCMLTFA s. 6; AMLD6 |
| Suspicious Transaction Reports and related documentation | Five (5) years from the date of the report | PCMLTFA; FINTRAC guidelines |
| Sanctions screening records | Five (5) years from the date of screening | PCMLTFA; OFAC; EU sanctions regulations |
| Communication records (emails, support tickets) | Three (3) years from the date of communication, or five (5) years if related to a transaction or compliance matter | Legitimate interest; legal obligation |
| Technical data (access logs, IP addresses) | Twelve (12) months from the date of collection | Legitimate interest (security) |
| Cookie data | As specified in Section 9 | Consent / legitimate interest |
When the retention period expires, we securely delete or anonymise the data so that it can no longer be associated with you. Anonymised data that cannot be used to identify any individual may be retained indefinitely for analytical and statistical purposes.
8. Your Rights
Depending on your jurisdiction, you may have certain rights in relation to the personal information we hold about you. We are committed to facilitating the exercise of these rights, subject to applicable legal limitations.
8.1 Right of Access
You have the right to request a copy of the personal information we hold about you. We will provide you with the requested information in a commonly used electronic format, along with details of the purposes of processing, the categories of data processed, and the recipients or categories of recipients to whom your data has been disclosed.
8.2 Right to Correction
You have the right to request that we correct any personal information that is inaccurate or incomplete. We will promptly update our records upon receipt of a valid correction request and verification of the corrected information.
8.3 Right to Deletion
You have the right to request that we delete your personal information where:
- The information is no longer necessary for the purpose for which it was collected;
- You withdraw your consent (where processing is based on consent);
- You object to the processing and there are no overriding legitimate grounds;
- The information has been unlawfully processed.
Important: We may be unable to delete certain information where retention is required by law (e.g., AML/CFT record-keeping requirements under the PCMLTFA, which mandate five-year retention). In such cases, we will inform you of the specific legal basis preventing deletion and will delete the data as soon as the legal retention period expires.
8.4 Right to Data Portability
Where processing is based on consent or performance of a contract and is carried out by automated means, you have the right to receive the personal information you have provided to us in a structured, commonly used, and machine-readable format, and to request that we transmit this data directly to another controller where technically feasible.
8.5 Right to Object
You have the right to object to the processing of your personal information where we rely on legitimate interests as the legal basis. Upon receiving a valid objection, we will cease processing unless we demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defence of legal claims.
8.6 Right to Restriction
You have the right to request that we restrict the processing of your personal information where:
- You contest the accuracy of the data (restriction applies during verification);
- The processing is unlawful, but you prefer restriction over deletion;
- We no longer need the data, but you require it for legal claims;
- You have objected to the processing (restriction applies pending verification of our legitimate grounds).
8.7 Exercising Your Rights
To exercise any of the rights described above, please contact us at [email protected]. We will:
- Acknowledge your request within five (5) Business Days;
- Verify your identity before processing the request. We may require you to provide additional information to confirm your identity, particularly where the request relates to sensitive data or is submitted by a representative;
- Respond to your request within thirty (30) days of receipt. If the request is complex or we receive a large number of requests, we may extend the response period by an additional sixty (60) days, with prior notice to you;
- Provide the requested information or action free of charge. Where requests are manifestly unfounded or excessive (particularly if repetitive), we may charge a reasonable fee or refuse to act, with an explanation of the reasons.
If you are not satisfied with our response, you have the right to lodge a complaint with the applicable supervisory authority:
- Canada: Office of the Privacy Commissioner of Canada (www.priv.gc.ca)
- EU/EEA: The supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement
9. Cookies
Our Website uses cookies and similar tracking technologies to ensure essential functionality and improve your experience.
What Are Cookies?
Cookies are small text files placed on your device when you visit a website. They are widely used to make websites work, improve efficiency, and provide information to website operators.
Cookies We Use
| Cookie Type | Purpose | Duration | Required |
|---|---|---|---|
| Essential / Strictly Necessary | Required for the Website and Platform to function, including session management, security, and authentication. These cookies cannot be disabled. | Session or up to 24 hours | Yes |
| Performance / Analytics | Help us understand how visitors interact with our Website, which pages are most popular, and how to improve performance. Currently not in use; planned for future implementation. | — | No (consent required) |
We do not currently use advertising or tracking cookies. If we introduce analytics or other non-essential cookies in the future, we will update this Privacy Policy and, where required, implement a cookie consent mechanism before deploying such cookies.
For detailed information about the specific cookies we use, please refer to our separate Cookie Policy, which will be published on our Website when non-essential cookies are introduced.
Managing Cookies
You can manage cookies through your browser settings. Most browsers allow you to block or delete cookies. However, blocking essential cookies may impair the functionality of our Website and Platform.
10. Security Measures
Glacierpay implements robust technical and organisational security measures to protect your information against unauthorised access, alteration, disclosure, destruction, and loss.
Technical Measures
- Encryption: All data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent). Sensitive fields, including identity documents and bank account details, are subject to additional field-level encryption;
- Multi-factor authentication: All Authorised User accounts and internal administrative accounts are protected by mandatory multi-factor authentication;
- Network security: Firewalls, intrusion detection and prevention systems, and network segmentation to protect our infrastructure;
- Secure development: Security-first software development practices, including code reviews, vulnerability testing, and secure deployment procedures;
- Monitoring: Continuous security monitoring, log analysis, and automated alerting for suspicious activities and potential security incidents.
Organisational Measures
- Access controls: Role-based access controls ensuring that employees and contractors can only access information necessary for their specific role. Access is reviewed regularly;
- Employee training: All employees receive data protection and information security training upon onboarding and at regular intervals;
- Vendor management: Third-party service providers are subject to due diligence, contractual data protection obligations, and periodic security reviews;
- Incident response: A documented incident response plan is in place to detect, respond to, and recover from data security incidents. In the event of a personal data breach, we will notify the applicable supervisory authority within 72 hours (where required by the GDPR) and affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms;
- Business continuity: Regular backups, disaster recovery planning, and business continuity procedures to ensure the availability and resilience of our systems.
No system is perfectly secure. While we take extensive measures to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incident and taking all reasonable steps to mitigate its impact.
11. Children’s Privacy
Glacierpay provides Services exclusively to business clients (B2B). Our Services are not directed at, and are not intended for use by, individuals under the age of eighteen (18). We do not knowingly collect personal information from children under 18.
If we become aware that we have inadvertently collected personal information from an individual under 18, we will promptly delete such information from our systems. If you believe that we may have collected information from or about a child under 18, please contact us immediately at [email protected].
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our Services, applicable laws, or for other operational, legal, or regulatory reasons.
For material changes, we will provide you with thirty (30) days’ prior notice before the changes take effect, through one or more of the following methods:
- Posting a prominent notice on our Website;
- Sending an email notification to the contact address associated with your account;
- Displaying a notification within the Platform.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
The “Effective Date” at the top of this Privacy Policy indicates the date of the most recent revision. Your continued use of our Services after the effective date of any updated Privacy Policy constitutes your acceptance of the changes.
Non-material changes (such as corrections, clarifications, and formatting updates) may be made without prior notice.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us using the information below:
| Purpose | Contact |
|---|---|
| Privacy Inquiries & Data Subject Requests | [email protected] |
| Compliance & KYB Inquiries | [email protected] |
| General Inquiries | [email protected] |
| Website | glacier-pay.com |
Postal Address
Glacierpay Inc.
Province of Ontario
Canada
Response Times
We aim to respond to all privacy-related inquiries within thirty (30) days of receipt. For urgent matters, please indicate the urgency in your subject line and we will endeavour to respond as quickly as possible.
Supervisory Authorities
If you are not satisfied with our response to a privacy inquiry or complaint, you may contact the applicable supervisory authority:
- Canada: Office of the Privacy Commissioner of Canada — www.priv.gc.ca — Toll-free: 1-800-282-1376
- EU/EEA: The data protection supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement
Last Updated: April 2026 | Version: 1.0
This Privacy Policy is published at glacier-pay.com/privacy and forms part of the Terms and Conditions governing the use of Glacierpay’s Services.