Privacy Policy

Last Updated: December 18, 2025

This Privacy Policy is designed to inform you about how Flying Fox Blockchain Solutions Ltd. (“Flying Fox”or “we”) collects, uses, and shares your Personal Data in compliance with international data protection laws, including Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA“) and the EU’s General Data Protection Regulation (“GDPR”). The purpose of this policy is to ensure transparency and to provide you with a clear understanding of our data processing practices. As a user of our services, this Privacy Policy outlines your rights to your personal data and our commitment to protect it.

SCOPE AND APPLICABILITY

For the purposes of this policy, “Personal Data” refers to any information relating to an identified or identifiable natural person (such person a “Data Subject” or “you”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

This Privacy Policy applies to all Personal Data processed by Flying Fox in the course of its non-custodial virtual currency exchange services. This includes, but is not limited to, Personal Data that Flying Fox collects directly from Data Subjects or receives from its third-party service providers and strategic partners, including licensed money services businesses (MSBs) (collectively, “Third-Party Service Providers”), in the course of providing you with Flying Fox’s services.

LEGAL BASES FOR PROCESSING PERSONAL DATA

Flying Fox processes your Personal Data on the basis of the following legal grounds:

  • Contractual Necessity: Processing is necessary for the performance of a contract to which you are a party (i.e., to provide you with our virtual currency exchange services).
  • Legal Obligation: Processing is necessary for compliance with legal obligations to which Flying Fox is subject, including anti-money laundering (AML), know-your-client (KYC), and other regulatory requirements.
  • Legitimate Interests: Processing is necessary for the purposes of legitimate interests pursued by Flying Fox, such as fraud prevention, network and information security, and improving our services, except where such interests are overridden by your fundamental rights and freedoms.
  • Consent: In certain circumstances, Flying Fox may ask for your explicit consent to process your Personal Data for specific purposes not covered by the above legal bases. You have the right to withdraw your consent at any time by contacting us as set out at the end of this policy, although doing so may affect Flying Fox’s ability to deliver the services. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

DATA COLLECTION AND USE

Categories of collected Personal Data. Flying Fox may collect various types of Personal Data from Data Subjects to perform its services, including but not limited to:

  • Contact information (e.g., name, address, email, phone number).
  • Financial information (e.g., bank account details, wallet address, transaction history).
  • Identification information (e.g., passport number, national ID).
  • Technical data (e.g., IP address, browser information). 
  •  

Automatic data collection. Flying Fox may automatically log certain data about you, your computer or mobile device, and your interaction with the provided services, such as:

  • Device data, such as your computer or mobile device’s operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers, language settings, mobile device carrier, radio/network information (e.g., Wi-Fi, LTE, 5G), and general location information such as city, region, or general geographic area.
  • Online activity data, such as pages or screens you viewed, how long you spent on a page or screen, navigation paths between pages or screens, information about your activity on a page or screen, access times and duration of access, and whether you have opened our emails or clicked links within them.
  • Communication interaction data such as your interactions with our emails, or other communications (e.g., whether you open and/or forward emails) – we may do this through use of pixel tags (which are also known as clear GIFs), which may be embedded invisibly in our emails.

Cookies and similar technologies. Some of the automatic collection described above is facilitated by the following technologies:

  • Cookies, which are small text files that websites store on user devices to allow web servers to record users’ web browsing activities and remember their submissions, preferences, and login status as they navigate a site. Cookies used on our sites include both “session cookies” that are deleted when a session ends, “persistent cookies” that remain longer, “first party” cookies that we place and “third party” cookies that our service providers place.
  • Local storage technologies, like HTML5, that provide cookie-equivalent functionality but can store larger amounts of data on your device outside of your browser in connection with specific applications.
  • Web beacons, also known as pixel tags or clear GIFs, which are used to demonstrate that a webpage or email was accessed or opened, or that certain content was viewed or clicked.

We may use cookies to allow the technical operation and enhance the functionality of our platform, and help us understand user activity.

  • To facilitate virtual currency exchange services.
  • To comply with legal and regulatory requirements, including any anti-money laundering (AML) or know-your-client (KYC) obligations, or for similar reasons to prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.
  • To improve and personalize the services offered to Data Subjects.
  • To send you direct marketing communications (which you may opt-out of at any time).
  • To communicate with Data Subjects regarding their transactions and any changes to services.

DATA SHARING AND THIRD-PARTY PROCESSORS

In the course of providing services to the Data Subject, Flying Fox may share Personal Data with certain Third-Party Service Providers for the purpose of enhancing and facilitating the services offered, particularly in the context of international payments. This sharing of data will be conducted in a manner that is consistent with the GDPR, PIPEDA, and any other applicable international data protection laws.

The types of Personal Data that may be shared include, but are not limited to, a Data Subject’s contact and location information, financial information, and identification information. The sharing of this data is necessary for the execution of transactions, provision of customer support, and improvement of service quality.

Before sharing any Personal Data with a Third-Party Service Provider, Flying Fox ensures that adequate data protection measures are in place and that the sharing is in compliance with applicable data protection laws, including the GDPR. The Data Subject will be informed of any significant changes to the list of third-party processors that may affect the processing of their Personal Data.

INTERNATIONAL DATA TRANSFERS

Flying Fox commits to ensuring the secure and lawful transfer of Personal Data across international borders in a secure and legally compliant way. Accordingly, Flying Fox will employ one or more of the following mechanisms for international data transfers, ensuring an adequate level of protection for the Personal Data:

  • Entering into Standard Contractual Clauses (SCCs) as contemplated under the GDPR, which provide specific data protection guarantees.
  • Transferring Personal Data to countries that have been deemed to provide an adequate level of data protection under the GDPR or PIPEDA.
  • Using other supplementary data protections measures, methods, or mechanisms permitted by, or that would be required to comply with, applicable regulations in the relevant jurisdiction(s).

Before any international transfer of Personal Data, Flying Fox will conduct a thorough assessment to ensure that all necessary safeguards are in place and that the rights of Data Subjects are fully protected.

DATA SUBJECT RIGHTS

In accordance with the GDPR and PIPEDA, Data Subjects may have the following rights regarding their Personal Data, depending on their country of residence:

  • Right of Access: Data Subjects have the right to obtain confirmation from Flying Fox as to whether or not Personal Data concerning them is being processed, and, where that is the case, access to the Personal Data and the following information: the purposes of the processing, the categories of Personal Data concerned, and the recipients or categories of recipient to whom the Personal Data have been or will be disclosed. Data Subjects also have the right to obtain information about the safeguards in place for international transfers of their Personal Data, upon request.
  • Right to Rectification: Data Subjects have the right to rectify inaccurate Personal Data concerning them, or have incomplete Personal Data completed, and may request Flying Fox to do so at any time.
  • Right to Erasure (‘Right to be Forgotten’): Data Subjects may request erasure of Personal Data concerning them without undue delay under certain conditions, including if the Personal Data is no longer necessary in relation to the purposes for which they were collected or otherwise processed, or if the Data Subject withdraws consent on which the processing is based.
  • Right to Restriction of Processing: Data Subjects have the right to restrict data processing under certain conditions, such as if they contest the accuracy of their Personal Data, for a period enabling Flying Fox to verify the accuracy of the Personal Data.
  • Right to Data Portability: Data Subjects have the right to receive the Personal Data concerning them, which they have provided to Flying Fox, in a structured, commonly used and machine-readable format, and have the right to transmit that data as they see fit.
  • Right to Object: Data Subjects may object to the processing of Personal Data concerning them. If they do so, Flying Fox will no longer process their Personal Data unless it has a legally justifiable reason to do so.
  • Right to Withdraw Consent: Where processing is based on consent, Data Subjects have the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. To withdraw consent, Data Subjects may contact Flying Fox as indicated at the end of this policy.
  • Right to Not be Subject to Automated Decision-making, Including Profiling: Data Subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. Flying Fox may use automated systems to assess transaction risk and detect fraud or money laundering as part of its AML/KYC compliance obligations. However, any decisions that have legal or similarly significant effects on Data Subjects involve human review and intervention.

Data Subjects can exercise these rights by contacting Flying Fox directly as indicated at the end of this policy.

DATA RETENTION

Flying Fox retains Personal Data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal, regulatory, and contractual obligations. Specifically:

  • Transaction and KYC/AML Data: Flying Fox retains transaction records and identification information for a minimum of 5 years from the date of the last transaction or account closure, or such longer period as may be required by applicable anti-money laundering, counter-terrorist financing, or other financial regulations.
  • Marketing and Communications Data: If you have consented to receive marketing communications, Flying Fox will retain your contact information until you withdraw your consent or opt-out of such communications.
  • Technical and Cookie Data: Technical data and cookies are typically retained for shorter periods as described in our cookie settings, generally not exceeding 24 months.
  • Legal Claims: In some circumstances, Flying Fox may retain Personal Data for longer periods where necessary to establish, exercise, or defend legal claims.

At the end of the applicable retention period, Flying Fox will securely delete or anonymize your Personal Data in accordance with applicable laws and our internal data retention policies.

DATA SECURITY MEASURES

In compliance with data protection laws, Flying Fox is committed to implementing and maintaining comprehensive data security measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

  • Ensuring that all Personal Data is stored in secure, encrypted databases.
  • Employing industry-standard cybersecurity practices, including firewalls, intrusion detection systems, and regular security audits.
  • Limiting access to Personal Data to authorized personnel only, based on the principle of least privilege.
  • Training employees on data protection best practices and the importance of maintaining the confidentiality and security of Personal Data.
  • Using Secure Sockets Layer (SSL) technology for encrypting data during transmission.
  • Implementing robust procedures for detecting, reporting, and investigating Personal Data breaches.
  • Engaging with Third-Party Service Providers that adhere to equivalent standards of data protection.

Flying Fox also commits to regularly reviewing and updating its data security measures to adapt to new threats and ensure the ongoing protection of Personal Data.

DATA BREACH NOTIFICATION

In the event of a Personal Data breach, Flying Fox will act in accordance with the requirements of the data protection laws applicable to the jurisdiction of the breach (or the Data Subjects affected by the breach). In general, Flying Fox will use the following procedure:

  • Immediate Investigation: Upon becoming aware of a Personal Data breach, Flying Fox will promptly investigate the matter to determine the scope and impact of the breach.
  • Notification to Authorities: If the breach poses a risk to the rights and freedoms of Data Subjects, Flying Fox will promptly notify the relevant data protection authority as per applicable legal timelines.
  • Notification to Data Subjects: When the Personal Data breach is likely to result in a high risk of harm to Data Subjects, Flying Fox will communicate the breach to the affected Data Subjects without undue delay. This communication will describe in clear and plain language the nature of the Personal Data breach, the likely consequences of the breach, and the measures being taken to address the breach.
  • Documentation: All Personal Data breaches, regardless of their impact, will be documented, including the facts relating to the breach, its effects, and the remedial action taken.
  • Engagement of Third-Party Service Providers: If necessary, Flying Fox may engage Third-Party Service Providers to assist in the investigation and mitigation of the breach.

RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

Data Subjects have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of their habitual residence, place of work, or place of the alleged infringement if they believe that the processing of their Personal Data infringes applicable data protection laws.

For Data Subjects in Canada, complaints regarding Flying Fox’s compliance with PIPEDA may be submitted to the Office of the Privacy Commissioner of Canada.

For Data Subjects in the EU/EEA, complaints may be submitted to the relevant data protection authority in your jurisdiction. A list of EU data protection authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en.

COMPLIANCE WITH THE CALIFORNIA CONSUMER PRIVACY ACT

Flying Fox is committed to complying with the California Consumer Privacy Act (“CCPA”) and protecting the privacy rights of California residents. Under the CCPA, California residents have the right to:

  • Know what Personal Data is being collected about them;
  • Know whether their Personal Data is sold or disclosed and to whom;
  • Access their Personal Data;
  • Request deletion of their Personal Data; and
  • Opt-out of the sale of their Personal Data.

Flying Fox does not sell Personal Data to third parties within the meaning of the CCPA. Data Subjects may exercise their rights under the CCPA by contacting Flying Fox directly as indicated at the end of this policy. Flying Fox will not discriminate against any Data Subject for exercising their CCPA rights. Flying Fox will respond to any request within the timeframes required by the CCPA (generally 45 days, with a possible 45-day extension where necessary).

POLICY UPDATES AND REVIEW

Flying Fox reserves the right to update and review this Privacy Policy periodically to reflect changes in legal requirements, our data collection and use practices, the features of our services, or advances in technology. The date of the last update will be indicated at the top of the Privacy Policy document. Flying Fox will provide notice to its Data Subjects of any significant changes.

It is the responsibility of the Data Subjects to review the Privacy Policy periodically and remain informed about any changes to it. Your continued use of the services provided by Flying Fox after any changes to the Privacy Policy take effect will constitute your acceptance of those changes.

CHILDREN’S PRIVACY

Flying Fox’s services are not directed to individuals under the age of 18 (or the age of majority in their jurisdiction of residence, whichever is greater). Flying Fox does not knowingly collect Personal Data from children. If Flying Fox becomes aware that a child has provided Personal Data, Flying Fox will take steps to delete such information promptly. If you believe that a child has provided Personal Data to Flying Fox, please contact us immediately using the contact information provided at the end of this policy.

CONTACT INFORMATION

In accordance with data protection laws, Flying Fox has designated a   to oversee compliance with data protection laws and regulations. Data Subjects may contact the DPO for any inquiries related to the processing of their Personal Data, or to exercise any of their rights under relevant data protection laws (all as described above).

The Data Protection Officer for Flying Fox can be reached at the following contact details:

Email: privacy@flyingfox.io

Postal Address: 5240 – 1A Street S.E., Unit 201, Calgary, Alberta, Canada, T2H 1J1

Data Subjects are encouraged to include their contact information and a brief description of their request or concern in their communication with the DPO to facilitate a prompt and accurate response.