At Fluxpay Ltd. (the “Fluxpay”), we value your privacy and are committed to maintaining the confidentiality and security of your personal information. This Privacy Policy (the “Policy”) is designed to provide you with clear and transparent information about how we collect, use, and protect your data in line with data protection laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA), and the General Data Protection Regulation (GDPR) and other applicable laws and regulations.
We encourage you to read this Policy carefully to understand our practices and how they affect you, before you begin using our website https://fluxpays.com/ (the “Website”) or our Services.
The terms used in this Policy shall have the same meaning as they defined in Terms and Conditions, unless another directly defined herein.
By accessing or using the Website or Services, you acknowledge that you have read, understood, and agree to this Policy and our Cookie Policy. If you have any questions or concerns about any aspect of our privacy practices, please do not hesitate to contact us using the following details:
Fluxpay Ltd.
Address:
E-mail: dpo@fluxpays.com
2. Information we process
2.1. For the purposes outlined in this Policy, we may collect data that mainly falls under the following categories:
a. ID-Related Data: name, surname, government-issued ID number, date of birth, nationality, ID document details, country of residence, and other similar data
b. Contact Information: email address, phone number, residential address, and other similar information.
c. Customer Information: name of the Customer, account preferences, etc.
d. Customer Activity Information: for example, login and session data, usage patterns, activity logs, clickstream data, etc.
e. Financial Information: bank account information, source of funds, income level, transaction history, other similar information.
f. Transaction Information: history and details of transactions made through our System, information about the recipient and sender, information about the purpose of the transaction, current balance, portfolio details and similar information.
g. Payment Information: bank account information, payment card details, billing address, payment confirmation, etc.
h. Information related to Risk Assessment: for example, risk profile.
i. Technical and Device Information: IP address, browser type, device type, operating system, information related to interactions with our Website or System, cookies, information about technical problems and other similar information.
j. Communication Preferences: for instance, Customer preferences for marketing communications.
k. Communication Data: for example, details of customer’s interactions with customer support, records of incoming and outgoing audio calls with Fluxpay.
l. Feedback and Customer Data: for example, Customer feedback, usage patterns, preferences.
m. Legal and Regulatory Compliance Information: information and documents necessary for compliance with Anti-Money Laundering (AML), Know Your Customer (KYC) and other similar legal and regulatory requirements (including without limitations identity verification information, proof of address (for example, utility bills, bank statements, etc.), photographic evidence (for example, photographs or scans of ID documents, selfies for facial recognition purposes, etc.), sanctions and watchlist screening information, etc.).
n. Information related to Claims and Disputes: for example, information about the nature and specifics of the claim or dispute, information about how the claim or dispute was resolved, etc.
3. Sources of Information
3.1. At Fluxpay, we may collect personal data from various sources to fulfill the purposes outlined in this Policy. The sources of personal data may include:
a. Information Provided by You: for example, when you open an Account with us or use our Services; when you make Transactions using our System; when you communicate with us or provide feedback on our Services; other similar cases.
b. Automated Technologies: for example, some information is collected through automated technologies (such as cookies and log files) as you interact with our Website.
c. Third-Party Sources: in some cases, we may also receive information from third-party sources, such as payment processors or identity verification services, or collect information that is publicly available.
4. Purpose and Legal Basis of Data Processing; Data Retention
4.1. General information
4.1.1. The processing of your personal information by Fluxpay is guided by clear and specific purposes, each rooted in a lawful basis as required by data protection laws. We are committed to ensuring that your data is processed transparently, fairly, and only for the purposes for which it was collected. In general, the legal bases for processing personal information are as follows:
a) Performance of the Contractual Obligations (Contractual Necessity): processing may be necessary for the performance of a contract with you or to take steps at your request before entering into a contract;
b) Legal Obligations: we may process your data to comply with legal obligations, such as tax or regulatory requirements.
c) Legitimate Interests: processing may be necessary for our legitimate interests or those of a third party, provided that your fundamental rights and freedoms do not override those interests.
d) Consent: we may process your data based on your explicit consent, which you can provide when using certain features or services. You have the right to withdraw your consent at any time.
e) Vital Interests: In certain situations, we may process your data to protect your vital interests or those of another person.
f) Public Task: processing may be necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
4.2. Specifics
4.2.1. To provide you with a comprehensive understanding of how we process your personal data, we have outlined the various purposes and their corresponding legal bases in the table below. This table details the specific reasons for which we collect and process your data, along with the legal foundations that guide these practices and retention period. We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable laws and regulations.
Purpose of data processing | Description | Legal Basis | Retention Period |
Service Provision | Customer’s personal data is processed to facilitate the provision of our Services, including processing transactions, managing Customer Account, and ensuring the functionality and security of our System. | Contractual Necessity | Retained for period necessary to fulfill contract obligations until the deletion or termination of the Agreement, unless further retention is required to comply with legal obligations or to resolve disputes |
Legal and Regulatory Compliance | Your data may be processed to fulfill legal obligations, such as compliance with financial reporting requirements, anti-money laundering (AML) regulations, and other legal mandates applicable to our business operations. | Legal Obligations; Public Task | Retained for 5 (five) years from the date of the transaction to comply with tax, accounting, and anti-fraud laws. This period may be extended if required by law |
Fraud Prevention | We process data to detect and prevent fraudulent activities, ensuring the security of our Services and protecting both Customer and our business from unauthorized access, misuse, or fraudulent transactions. | Legitimate Interests | For the term of duration of the Agreement and up to 3 (three) years after termination or expiration of the Agreement |
Service Improvement and Troubleshooting | We process Customer’s personal data to continually enhance and troubleshoot our Services. This involves analyzing Customer interactions, identifying areas for improvement, and addressing technical issues to ensure a seamless and reliable experience. By processing relevant data, we aim to refine our Services, optimize performance, and promptly resolve any challenges that may arise. | Contractual Necessity; Legitimate Interests | Retained for period necessary to fulfill contract obligations until the deletion or termination of the Agreement, unless further retention is required to comply with legal obligations or to resolve disputes |
Risk (including Business Risk) Management | We process Customer’s personal data as part of our comprehensive risk management strategy, which includes assessing and mitigating both operational and business-related risks. This involves analyzing patterns, detecting potential threats, and implementing measures to safeguard our business operations. By processing relevant data, we aim to proactively manage risks, ensuring the stability, resilience, and continuity of our Services. | Legitimate Interests | For the term of duration of the Agreement and up to 3 (three) years after termination or expiration of the Agreement |
Ensuring Security (including Physical Security and Information/Cyber Security) | We process data to ensure the security of our Services, encompassing both physical and information/cyber security measures. This includes monitoring and safeguarding against unauthorized access, fraud prevention, and maintaining the overall integrity of our platform. By processing relevant data, we can detect and mitigate security risks, protecting both your interests and the integrity of our Services. | Legitimate Interests; Legal Obligations | For the term of duration of the Agreement and up to 3 (three) years after termination or expiration of the Agreement |
Customer Support and Communication | We process your personal data to provide effective customer support and facilitate communication with you. This includes responding to inquiries, resolving issues, and delivering important service-related information. By processing relevant data, we aim to enhance your overall experience, address your concerns, and keep you informed about our services. | Contractual Necessity; Legitimate Interests | Retained for period necessary to fulfill contract obligations until the deletion or termination of the Agreement, unless further retention is required to comply with legal obligations or to resolve disputes |
Marketing | We may process your personal data for marketing purposes, aiming to provide you with relevant information about our products, services, promotions, and events. This may include personalized content and communications tailored to your preferences, helping you stay informed and engaged with our offerings. | Consent; Legitimate Interests | For the term of duration of the Agreement or until opt out by Customer
|
Research and Development | We process your personal data for research and development purposes, seeking to enhance and innovate our products and services. This involves analyzing aggregated and anonymized data to identify trends, gather insights, and explore new features. By processing relevant data, we aim to continuously improve our offerings, ensuring they meet the evolving needs and expectations of our Customers. | Legitimate Interests | For the term of duration of the Agreement and up to 3 (three) years after termination or expiration of the Agreement |
Resolution of Disputes and Legal Claims | We process your personal data when necessary to facilitate the fair and efficient resolution of disputes and legal claims. This includes the collection and analysis of relevant information to assess, address, and potentially settle legal matters. By processing appropriate data, we aim to ensure a transparent and just resolution process. | Legal Obligation; Legitimate Interests |
|
4.3. Retention Obligation
4.3.1. After the relevant retention period has passed, we securely delete or anonymize your data to protect your privacy. If you have any questions about our data retention practices, please do not hesitate to contact us via dpo@fluxpays.com. We are committed to transparency and to ensuring that your privacy is fully safeguarded.
5. Your Consent
5.1. Should we rely on your consent for certain processing activities, such as marketing communications, you have the right to withdraw that consent at any time. Managing your preferences or withdrawing consent can typically be done through provided opt-out mechanisms or by contacting us directly.
6. Obligatory and Optional Data
In order to deliver our Services effectively, certain personal information is obligatory. This obligatory data, clearly identified during collection, is required for access to specific features and functions, required by legal, contractual, or regulatory obligations. Providing such information is a prerequisite for utilizing our services, without this information we will be unable to provide our services to you. Obligatory information will be clearly marked, where applicable.
On the other hand, optional data is not vital for service delivery and does not affect your ability to use our core Services. You are free to provide this data at your discretion, and it can be updated or managed through your Account settings at any time. If you have any questions about which data is required or optional, or need assistance managing your information, please feel free to reach out to us.
7. Automated Decision Making and Profiling
7.1. At Fluxpay we may use automated tools, including algorithms and machine learning, to help operate and improve our Services. We are committed to being transparent about how these tools influence your experience and to protecting your rights.
7.2. Fluxpay will not make decisions that produce legal effects concerning you or similarly significantly affect you based solely on automated processing, including profiling, without meaningful human involvement.
7.3. We may use automated processing to support decisions related to: (a) service eligibility and onboarding checks; (b) transaction monitoring, fraud detection, and abuse prevention; and (c) security, risk assessment, and service performance optimization. These tools surface indicators and recommendations for our teams. Final determinations include human review, considering relevant context and information.
7.4. We may create or use profiles—automated analyses of personal data—to evaluate or predict aspects related to your preferences, behavior, or interests. We use profiling to: (a) personalize features, content, and in‑app experiences; (b) provide tailored recommendations and communications; and (c) improve the relevance and quality of our services. We take steps to keep profiles accurate, up to date, and proportionate to the stated purposes.
7.5. To help ensure fair and unbiased outcomes, Fluxpay: (a) tests and monitors automated systems for accuracy, relevance, and potential bias; (b) applies data minimization and role‑based access controls; (c) regularly reviews model inputs, outputs, and performance; and (d) documents decision logic at an appropriate level of detail to support explainability.
7.6. Automated tools may use data you provide, data generated by your use of our Services (such as device, transaction, and usage data), and, where permitted by law, data from verified third‑party sources (for example, fraud‑prevention databases). We do not use special categories of personal data for automated decision support unless permitted by law and subject to heightened safeguards.
7.7. Where required, Fluxpay conducts and maintains data protection impact assessments for automated processing that is likely to result in a high risk to individuals’ rights and freedoms.
8. Data Sharing
8.1. Purpose of Sharing. To operate our business and provide the Services, Fluxpay may share personal data with carefully selected recipients that perform services on our behalf. We only share what is necessary for the stated purpose, under enforceable contracts that require confidentiality, security, and compliance with applicable data protection laws.
8.2. Categories of Recipients. We may share personal data with:
(a) Payment and Acquiring Service Providers, card networks, and banking partners to process transactions, verify payment details, and support settlement and chargeback handling;
(b) Fraud Prevention and Risk Management Providers to analyze Transactions, authenticate users, prevent fraud and abuse, and comply with legal and regulatory obligations (including anti‑money laundering and sanctions screening);
(c) IT, Hosting, and Support Providers that host, maintain, secure, back up, and support our Website, System, and related infrastructure;
(d) Analytics Providers to help us understand Website and app usage, improve performance, and diagnose issues;
(e) Marketing and Customer Engagement Partners to deliver in‑product communications, measure campaign effectiveness, and provide targeted content strictly within our Website or Services based on your browsing behavior and preferences. We do not permit third parties to use your personal data for their own marketing without your consent;
(f) Professional Advisors, Auditors, and Insurers where necessary for governance, audit, legal advice, insurance coverage, or the establishment, exercise, or defense of legal claims;
(g) Corporate Transactions. In connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate confidentiality and data protection safeguards and, where required, notice to you.
8.3. Disclosures Required by Law. We may disclose personal data to courts, regulators, tax authorities, law enforcement, or other public bodies when required to do so by applicable law, regulation, subpoena, or court order, or when we believe disclosure is necessary to protect our rights, users, or the public.
8.4. Aggregated and De‑Identified Data. We may share aggregated or de‑identified statistics with third parties, including other businesses and the public, to describe how and when Customers use our Website and Services. This data does not identify you and cannot reasonably be used to re‑identify you. We will not attempt to re‑identify such data.
9. Data Security
9.1. We maintain a comprehensive information security program designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Our controls are risk‑based, documented, and regularly reviewed for effectiveness.
9.2. Technical and Organizational Measures. Fluxpay implements appropriate technical and organizational measures, including:
(a) Encryption. Industry‑standard encryption for data in transit (e.g., TLS) and at rest, with robust key management and segregation of duties;
(b) Access Controls. Role‑based access, least‑privilege principles, strong authentication (including multi‑factor authentication for administrative access), and periodic access reviews;
(c) Network and Infrastructure Security. Layered defenses including firewalls, intrusion detection and prevention, endpoint protection, DDoS mitigation, and secure configuration baselines;
(d) Logging and Monitoring. Centralized logging, security event monitoring, and alerting with defined escalation paths and incident runbooks.
(e) Data Minimization and Retention. Collection limited to what is necessary for stated purposes and retention aligned to defined schedules. Secure deletion or anonymization upon expiry.
(f) Physical and Cloud Security. Use of secure data centers and cloud environments with audited controls, environmental safeguards, and access restrictions.
(g) Vendor and Subprocessor Management. Security due diligence, contractual security obligations, and ongoing oversight of service providers handling personal data.
(h) Certifications and Standards. Where applicable, Fluxpay and key processors maintain relevant industry standards or certifications (e.g., PCI DSS for payment processing).
(i) Security Assessments. We conduct regular risk assessments, vulnerability management, and independent audits or assessments to identify and remediate vulnerabilities and continuously improve our controls.
(j) Incident Response and Notification. In the event of a personal data breach likely to result in a risk to individuals’ rights and freedoms, we will notify affected users and, where required, regulators without undue delay, including details of the nature of the breach, likely consequences, and measures taken or proposed to address it.
9.3. Your Responsibilities. You play a critical role in keeping your data secure. You agree to: (a) use strong, unique passwords and keep credentials confidential; (b) enable multi‑factor authentication where available; (c) keep devices, browsers, and applications updated; (d) avoid using unsecured public networks for sensitive activities; (e) monitor account activity and promptly report suspicious activity; and (f) stay alert to phishing and social engineering; verify requests for sensitive information and avoid clicking suspicious links.
9.4. No Absolute Security. While we use commercially reasonable safeguards appropriate to the risk, no method of transmission or storage is completely secure. We continually improve our controls to address evolving threats.
9.5. If you believe your Account has been compromised or you need security guidance, contact us immediately at dpo@fluxpays.com.
10. Making Changes to Your Information
You retain control over the information you provide. If you have an Account with us, you can easily access and update your information through your account settings. For specific requests or assistance, please contact us using the details provided in Section 1.
11. Your Data Protection Rights
11.1. Overview. Subject to applicable data protection laws, you have the following rights regarding your personal data:
11.1.1. Right of Access. You may request confirmation of whether we process your personal data and obtain a copy, along with related information (e.g., purposes, categories, recipients, retention periods, and your rights).
11.1.2. Right to Rectification. You may request correction of inaccurate personal data and completion of incomplete data, taking into account the purposes of processing.
11.1.3. Right to Erasure (“Right to Be Forgotten”). You may request deletion of personal data where one of the grounds in law applies (e.g., data no longer needed, consent withdrawn, successful objection), subject to legal obligations and overriding legitimate grounds. We may retain certain records (e.g., transaction data) to comply with legal and regulatory requirements.
11.1.4. Right to Restrict Processing. You may request that we restrict processing where you contest accuracy, processing is unlawful and you prefer restriction over deletion, we no longer need the data but you require it for legal claims, or you have objected and verification is pending.
11.1.5. Right to Object. You may object at any time to processing based on our legitimate interests, including profiling on that basis. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests or the processing is needed for legal claims. You may also object at any time to processing for direct marketing; we will then stop marketing to you.
11.1.6. Right to Data Portability. Where processing is based on consent or contract and carried out by automated means, you may receive your personal data in a structured, commonly used, machine‑readable format and, where technically feasible, request transmission to another controller.
11.1.7. Right to Withdraw Consent. Where we rely on your consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal. We will honor your updated preferences promptly.
11.1.8. Automated Decision‑Making and Profiling. Fluxpay does not make decisions producing legal or similarly significant effects based solely on automated processing (including profiling). If this changes, we will notify you and provide a way to exercise your rights, including the right to obtain human intervention, to express your view, and to contest a decision.
11.2. How to Exercise Your Rights:
(a) Submit requests at dpo@fluxpays.com;
(b) We may request information necessary to verify your identity and to locate the data (for security and fraud prevention);
(c) We will explain any exemptions or limitations that apply (e.g., where honoring a request would adversely affect the rights and freedoms of others, conflict with legal obligations, or undermine fraud prevention or security);
(d) We will respond within the period required by law and inform you if additional time is needed due to request complexity or volume;
(e) Requests are typically free of charge. We may charge a reasonable fee or refuse manifestly unfounded or excessive requests as permitted by law.
11.3. Local Rights. Depending on your location, you may have additional rights under local law. You also have the right to lodge a complaint with your data protection authority.
12. International Transfers
12.1. While most processing occurs in Canada and the European Economic Area (EEA), your personal data may be transferred to and processed in countries outside your country of residence, including countries that may not offer the same level of data protection as your home jurisdiction.
12.2. Where we transfer personal data internationally, we do so in compliance with applicable data protection laws and implement appropriate safeguards, such as: (a) an adequacy decision by the European Commission or other competent authority recognizing the destination country as providing an adequate level of protection; (b) Standard Contractual Clauses adopted by the European Commission (and, where relevant, the UK International Data Transfer Agreement/Addendum) with recipients, including subprocessors and affiliates; and/or (c) other lawful transfer mechanisms permitted by applicable law. Where required, we implement supplementary technical and organizational measures to ensure a level of protection essentially equivalent to that required under applicable law.
12.3. Transfers may involve our affiliates, cloud hosting and IT service providers, payment and acquiring partners, risk and fraud prevention providers, professional advisors, and support vendors located in jurisdictions in which we or our providers operate.
12.4. All recipients are bound by enforceable contractual obligations to protect personal data, including confidentiality, security, limited purpose use, onward transfer restrictions, and audit/assurance rights. We conduct transfer risk assessments and vendor due diligence and review safeguards periodically.
12.5. For transfers between the EEA and Canada, we rely, where applicable, on the European Commission’s adequacy decision for certain Canadian processing and on the safeguards described above for other transfers.
13. Dispute Resolution and Complaints
13.1. Contact Us First. If you have questions or concerns about how Fluxpay processes your personal data, please contact us using the details in Section 1 or via info@fluxpays.com. Our privacy team will review your inquiry and work to resolve it promptly and fairly.
13.2. Escalation. If we are unable to resolve your concern, you have the right to lodge a complaint with a competent data protection authority listed in Clause 13.3. You may do so without prejudice to any other rights or remedies available to you under applicable law.
13.3. Supervisory Authorities:
(a) Canada. You may contact the Office of the Privacy Commissioner of Canada (OPC): https://www.priv.gc.ca/ or your provincial privacy commissioner, where applicable.
(b) European Union/EEA. You may contact your local supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement. A directory is available at: https://edpb.europa.eu/about-edpb/board/members_en.
(c) United Kingdom (if applicable). You may contact the Information Commissioner’s Office (ICO): https://ico.org.uk/.
(d) Other Jurisdictions. If you reside outside the above regions, please contact your local data protection or privacy regulator for guidance on filing a complaint.
13.4. Response Times. We aim to acknowledge and respond to privacy inquiries without undue delay and within the time limits required by law.
13.5. Using our internal process is encouraged but not required. You may contact a supervisory authority at any time.
14. Children’s Privacy
14.1. The Services are intended for individuals who are at least 18 years old. We do not knowingly collect or solicit personal data from anyone under 18. If you are under 18, do not use the Services or provide any personal data to us.
14.2. If you are a parent or legal guardian and believe your child under 18 has provided personal data to Fluxpay, please contact us immediately at dpo@fluxpays.com.
14.3. Upon becoming aware that we have collected personal data from a minor contrary to this section, we will take reasonable steps to: (a) delete the personal data and, where feasible, any associated account; (b) cease further processing of that data; and (c) notify the parent or guardian, where contact details are available.
14.4. In jurisdictions with different age thresholds for online consent or special protections for minors, we will apply the higher standard as required by local law and obtain verifiable parental consent where applicable.
14.5. We may request reasonable information to verify a requester’s parental or guardianship status before providing details or taking action on a minor’s data.
15. Updates to the Privacy Policy
15.1. We may update this Policy from time to time. Any changes will be posted on our website, and the date of the latest revision will be indicated. In the event of significant changes, we may, at our discretion, notify you using the contact details at our disposal.
15.2. However, it is your responsibility to review this Privacy Policy to stay informed about how we are protecting your personal information. If you do not agree with the changes, you should stop using our services and contact us if you have specific concerns.
Last Updated: 26.08.2025.