PRIVACY POLICY

This Privacy Policy describes how Silverleaf E-Money Services Limited dba PayitFast ("PayitFast", "we", "us", or "our") collects, uses, discloses, retains, and protects personal information in connection with our financial products and services. PayitFast operates as an Electronic Money Institution (EMI)/Money Services Business (MSB) and is therefore required to comply with:

• The Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal privacy law governing private-sector collection, use, and disclosure of personal information.
• Applicable provincial privacy legislation, where relevant.
• The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its associated regulations, which require identity verification, recordkeeping, ongoing monitoring, and reporting obligations as defined by FINTRAC (Financial Transactions and Reports Analysis Centre of Canada).
• Any additional cybersecurity, data protection, and financial industry standards that apply to electronic money, prepaid card programs, and payments infrastructure.

This Policy explains:

• What personal information we collect;
• How and why we use it;
• When we may disclose it;
• How we safeguard it;
• How long we retain it; and
• Your rights and choices under Canadian privacy law.

By accessing our website, using our services, or submitting personal information to us, you acknowledge and agree to the practices described in this Privacy Policy.

This Privacy Policy applies to all products, platforms, technologies, and services offered by PayitFast (Silverleaf E-Money Services LTD) in the course of operating as an Electronic Money Institution (EMI) and Money Services Business (MSB). This includes, but is not limited to:

• Electronic money accounts and stored-value balances
• Prepaid, virtual, and physical card programs
• Digital wallet services and payment functionalities
• Identity verification and customer onboarding processes, including Know-Your-Customer (KYC) and Know-Your-Business (KYB) requirements
• Transaction processing, payment initiation, and card network interactions
• Anti-money laundering and anti-terrorist financing compliance activities, ongoing monitoring, sanctions screening, and fraud-prevention operations
• Customer support interactions, communications, and dispute resolution
• Websites, mobile applications, APIs, and any other online interfaces operated by or on behalf of PayitFast

This Policy governs the handling of personal information related to individual customers, business clients, beneficial owners, authorized representatives, and users who interact with PayitFast in any capacity. It applies regardless of whether users access our services through a browser, mobile device, integrated partner platform, or other digital channel.

This Policy does not apply to aggregated or anonymized information that cannot reasonably identify an individual.

As part of providing electronic money services, payment processing, identity verification, and regulatory compliance functions, PayitFast collects several categories of personal and business information. The types of information we collect include the following:

This includes information used to identify or contact an individual, such as:

• Full legal name
• Date of birth
• Residential and mailing address
• Phone number and email address
• Government-issued identification (e.g., passport, driver's licence, national ID)
• Selfie or biometric verification results (processed by a third-party identity verification partner)

This information is collected to meet onboarding, identity verification (KYC), and legal compliance obligations under PCMLTFA.

For corporate clients, we may collect:

• Incorporation and registration documents
• Business address and contact information
• Corporate structure and authorized signatories
• Beneficial ownership information
• Tax identification numbers and regulatory identifiers

This information is required for Know-Your-Business (KYB) verification and AML/ATF due diligence.

To operate e-money accounts, prepaid/virtual cards, and payment services, we collect:

• Payment transfers, loads, withdrawals, and payouts
• Merchant details, transaction locations, currency, and amounts
• Card usage information, including authorizations, settlements, refunds, and chargebacks
• Account balances, funding sources, and repayment history

This information is necessary for providing financial services, preventing fraud, and meeting regulatory reporting requirements.

When you access PayitFast platforms, we automatically collect certain technical information, including:

• IP address and geolocation indicators
• Device identifiers, browser type, operating system
• Session logs, clickstream data, and usage analytics
• Cookies and similar tracking technologies

This information supports security monitoring, fraud detection, and performance optimization.

To comply with Canadian AML/ATF regulations and industry standards, we may collect and generate:

• Sanctions screening results (e.g., OSFI lists, global sanctions databases)
• Politically Exposed Person (PEP) and Head of International Organization (HIO) status
• Adverse media findings and risk-rating indicators
• Fraud-risk scoring and transaction-monitoring alerts
• Ongoing monitoring information, including enhanced due diligence (EDD) results

This information is required by law under the PCMLTFA and FINTRAC guidance for reporting entities.

PayitFast processes personal information only where permitted under applicable Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA), relevant provincial laws, and regulatory obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and FINTRAC guidance. We rely on the following legal bases:

We collect and process personal information with your knowledge and consent, except where otherwise permitted or required by law. Consent is obtained during account creation, onboarding, or when you voluntarily provide information.

We process information as necessary to:

• Open and maintain accounts
• Verify identity (KYC/KYB)
• Provide electronic money, card, and payment services
• Process transactions and fulfill the terms of service

Without this processing, we would be unable to deliver our services.

As a regulated entity under the PCMLTFA, PayitFast is required by law to:

• Conduct identity verification
• Maintain KYC/KYB records
• Perform sanctions/PEP screening
• Monitor transactions
• Report suspicious transactions, large virtual currency transactions, and related information to FINTRAC

These activities are mandatory and cannot be opted out of.

We process certain information to support:

• Fraud detection and financial crime prevention
• Platform and account security
• System monitoring and performance optimization
• Internal audit, compliance reviews, and risk assessment

These interests are balanced against user privacy rights and supported by appropriate safeguards.

While all personal information is stored securely in Canada, certain operational and compliance functions require processing by vetted and contractually-bound service providers located in other jurisdictions:

(a) United Kingdom (UK) — SumSub

Identity verification provider handling:

• Document verification
• Biometric comparison
• Sanctions and PEP screening
• KYC/KYB compliance processing

(b) United Arab Emirates (UAE) — Code Structure

Infrastructure and technology partner supporting:

• Backend systems
• Platform operations
• Secure development functions

(c) United States (US) — Rail

Payments and card program infrastructure provider supporting:

• Transaction routing
• Card issuing operations
• Settlement and network connectivity

All international processing is governed by strict contractual safeguards, encryption, limited-access permissions, and compliance with applicable Canadian requirements regarding cross-border data handling.

PayitFast uses personal information only for purposes that a reasonable person would consider appropriate in the circumstances, as required under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws. As a regulated Electronic Money Institution (EMI) and Money Services Business (MSB), we use personal and business information for the following purposes:

We use personal and business information to:

• Verify the identity of individuals and businesses
• Authenticate documents and biometric information
• Confirm beneficial ownership
• Assess onboarding risk
• Determine eligibility for our services

These activities are required under the PCMLTFA and enforced through FINTRAC guidance applicable to reporting entities.

We process information to fulfill mandatory obligations including:

• Sanctions and Politically Exposed Person (PEP) screening
• Ongoing monitoring and risk scoring
• Enhanced due diligence (EDD) where required
• Recordkeeping and retention requirements
• Mandatory reporting to FINTRAC (e.g., STRs, LCTRs, LVCTRs, TPRs)

These activities cannot be opted out of, as they are required by law.

We use information to:

• Operate electronic money accounts
• Issue, load, and manage prepaid/virtual cards
• Process payments, transfers, and settlements
• Validate and authorize transactions
• Maintain accurate account and transaction records

Information processed in this category is necessary to provide core financial services.

We use personal and technical data to:

• Detect suspicious activity
• Prevent account takeover, misuse, or unauthorized transactions
• Monitor system integrity and platform security
• Conduct investigations related to fraud or regulatory risk

This processing supports legal obligations and our legitimate interest in maintaining secure financial operations.

We use information to:

• Respond to inquiries and resolve issues
• Provide notifications regarding accounts or transactions
• Improve products, services, and user experience
• Train support teams and enhance quality assurance

We use information for:

• Internal and external audits
• Regulatory inspections and compliance reviews
• Legal claims, dispute resolution, and enforcement of agreements
• Reporting required by FINTRAC, card networks, banking partners, or other authorities

PayitFast shares personal information only where necessary to provide our services, fulfill legal and regulatory obligations, prevent fraud, or operate our platform securely. We do not sell personal information. Information may be shared with the following categories of authorized third parties:

We share limited personal and transactional information with banking partners and financial institutions involved in:

• Issuing prepaid or virtual cards
• Maintaining electronic money accounts
• Processing deposits, loads, transfers, and settlements

These partners require this information to fulfill their regulatory and operational responsibilities.

We share data related to:

• Card authorizations and settlements
• Merchant interactions
• Payment routing and clearing

Card networks and processors require this information to enable secure payment transactions and comply with network rules.

To comply with PCMLTFA identity verification requirements, we share information with trusted, audited service providers, including:

• SumSub (UK) for document verification, biometric comparison, sanctions and PEP screening, and KYC/KYB compliance checks.

These partners process data strictly for compliance and authentication purposes.

We share certain technical, transactional, or behavioral indicators with fraud-prevention and analytics providers that support:

• Fraud detection and mitigation
• Transaction monitoring
• Risk scoring
• Account security operations

These providers help maintain the integrity of our platform and reduce financial crime risk.

We may share limited information with infrastructure partners who support system operations, including:

• Code Structure (UAE) for backend systems, operational monitoring, and secure platform infrastructure
• Rail (US) for payments infrastructure, transaction routing, and card program operations

These partners operate under strict contractual data-protection obligations and access controls.

We are required by law to disclose certain information to:

• FINTRAC for mandatory reporting (e.g., suspicious transaction reports, large virtual currency transaction reports, other regulatory filings)
• Other regulators as required under applicable laws

These disclosures occur only where mandated by legislation.

We may disclose information to law enforcement, courts, or government authorities when:

• Required under a lawful order, subpoena, or warrant
• Necessary to investigate fraud, financial crime, or safety concerns
• Needed to protect the rights, property, or security of PayitFast or its users

We review all requests to ensure they comply with applicable legal standards.

PayitFast stores all personal information securely within Canada using infrastructure that meets financial-industry security and availability standards. Data residency in Canada ensures compliance with applicable privacy and financial regulatory requirements, including PIPEDA and the PCMLTFA.

Although all information is stored in Canada, certain operational, compliance, and technology functions require limited processing by carefully vetted third-party service providers located in other jurisdictions. These providers perform essential services on behalf of PayitFast, and only the minimum necessary information is made accessible to them.

All customer and business information is hosted and stored on secure servers located in Canada. These environments are subject to:

• Strong encryption (in transit and at rest)
• Access controls based on least privilege
• Network segmentation and monitoring
• Regular security audits and assessments

Some data may be processed — but not stored — outside Canada by trusted, contractually bound partners:

i. United Kingdom (UK) — SumSub (Identity Verification Provider)

SumSub performs identity verification and regulatory screening functions, including:

• Verification of government-issued identification
• Biometric comparison
• Sanctions and PEP list screening
• KYC/KYB compliance processing

This processing supports mandatory onboarding requirements under PCMLTFA and FINTRAC guidance.

ii. United Arab Emirates (UAE) — Code Structure (Technology & Infrastructure Partner)

Code Structure provides secure infrastructure and development support, including:

• Backend systems and operational monitoring
• Platform maintenance and system reliability functions
• Secure development and technical integration

Access is restricted, controlled, and monitored to ensure confidentiality and integrity.

iii. United States (US) — Rail (Payments & Card Program Infrastructure)

Rail supports electronic money and card program functionality, including:

• Transaction routing and payment processing
• Card issuing network connectivity
• Settlement and authorization processes

This ensures reliable and compliant operation of PayitFast's e-money and card products.

All cross-border processing is protected through:

• Contractual data-protection agreements aligned with Canadian privacy requirements
• Encryption and secure transmission protocols
• Role-based and limited-permission access controls
• Ongoing vendor due diligence and security assessments
• Regulator-aligned oversight, including AML/ATF screening and technical safeguards

These measures ensure that any data processed outside Canada receives a level of protection comparable to Canadian privacy standards.

PayitFast maintains a comprehensive security program designed to protect personal information against loss, unauthorized access, misuse, alteration, and disclosure. Our safeguards meet or exceed the expectations set out under PIPEDA, financial-industry best practices, and applicable regulatory guidance for Electronic Money Institutions (EMIs) and Money Services Businesses (MSBs). These measures include administrative, technical, and physical controls such as:

We implement policies, procedures, and governance frameworks to support secure handling of personal information, including:

• Access-control and authorization policies
• Mandatory employee security and AML/ATF training
• Confidentiality obligations and role-based permissions
• Vendor due-diligence and oversight programs
• Incident response and breach management protocols
• Internal audit and compliance reviews

Technical protections secure data throughout its lifecycle, including:

• Encryption in transit and at rest
• Multi-factor authentication (MFA) for administrative and account access
• Secure system architecture and hardened infrastructure
• Firewalling, network segmentation, and intrusion-detection systems
• Continuous monitoring for anomalous or suspicious activity
• Regular vulnerability assessments and penetration testing
• Tokenization or pseudonymization for sensitive data, where appropriate

Where payment card data is handled, PayitFast and its partners comply with:

• PCI-DSS (Payment Card Industry Data Security Standard) requirements for the protection of cardholder information

Physical protections include:

• Secure data-center environments with controlled access
• Environmental controls, redundancy, and monitoring
• Hardware access restrictions and secure device management

When trusted service providers process data on our behalf (e.g., SumSub, Code Structure, Rail), we require:

• Contractual data-protection obligations
• Encryption and secure transmission standards
• Restricted, role-based access controls
• Independent audits and security certifications
• Continuous oversight and periodic risk evaluations

These controls ensure that personal information handled by third parties receives the same high level of protection as information managed directly by PayitFast.

PayitFast retains personal information only for as long as necessary to fulfill the purposes for which it was collected, to comply with legal and regulatory obligations, and to support legitimate operational needs. Retention periods differ based on the type of information and applicable laws.

In accordance with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and related regulations, PayitFast is required to retain all identity verification records, KYC/KYB documentation, beneficial ownership information, and related due-diligence materials for a minimum of five (5) years from:

• The date the record was created, or
• The date the customer relationship ended

These records must remain accessible for audit and regulatory review by FINTRAC.

Transactional information, including payments, loads, withdrawals, card activity, settlement data, and monitoring alerts, is retained to:

• Meet statutory reporting requirements
• Support dispute resolution
• Maintain accurate accounting and reconciliation
• Fulfill card-network and financial-institution obligations

These records are typically retained for a minimum of five (5) years, or longer where legally required.

Suspicious transaction reports, risk assessments, ongoing monitoring logs, sanctions screening results, and related compliance records are retained as required under AML/ATF regulations and internal compliance policies. These may also be retained for five years or more, depending on the nature of the record.

Information used for customer support, service improvement, system monitoring, or internal governance is retained only for as long as necessary to:

• Fulfill operational requirements
• Maintain platform integrity
• Enforce agreements
• Manage risk and security

Where possible, data is anonymized or pseudonymized once it is no longer needed in identifiable form.

If PayitFast is involved in an audit, investigation, regulatory inquiry, or legal claim, certain information may be retained beyond standard retention periods until the matter is resolved.

Once retention periods expire and data is no longer required, PayitFast securely destroys the information using:

• Cryptographic erasure
• Secure deletion protocols
• Certified destruction methods for physical media

PayitFast uses cookies and similar tracking technologies to ensure the secure and efficient operation of our platforms, to enhance user experience, and to support fraud-prevention and compliance functions. These technologies help us recognize your device, understand usage patterns, and improve our services.

i. Essential Cookies

These cookies are required for the website and platform to function properly. They enable:

• Secure login and session management
• Core payment and account features
• Fraud-prevention and authentication processes

These cookies cannot be disabled because they are necessary for service delivery and platform security.

ii. Analytics and Performance Cookies

These cookies help us understand how users interact with our website and applications, including:

• Page performance and loading times
• Clickstream data and navigation patterns
• Device and browser information

Analytics cookies allow us to improve platform functionality and enhance overall user experience.

iii. Security and Fraud-Prevention Cookies

These cookies support:

• Detection of unusual or high-risk behavior
• Prevention of unauthorized access
• Continuous monitoring for fraud and abuse

They play a critical role in maintaining the safety and integrity of financial services.

Some analytics, verification, or security tools used by PayitFast may deploy their own cookies or device identifiers. These third-party technologies help support:

• Identity verification (e.g., document and biometric checks)
• Transaction risk analysis
• Platform monitoring and diagnostics

Any third-party cookie usage is governed by strict contractual and technical safeguards.

You may manage or disable cookies through your browser settings. However:

• Disabling essential or security cookies may prevent the platform from functioning correctly.
• Some features (such as logging in or completing transactions) may not be available if cookies are disabled.

You may also clear existing cookies at any time using your browser or device controls.

As an individual whose personal information is handled by PayitFast, you have certain rights under PIPEDA and applicable provincial privacy laws. These rights allow you to understand and control how your information is collected, used, and disclosed. Because PayitFast operates as an Electronic Money Institution (EMI) and Money Services Business (MSB), some rights are subject to regulatory limitations, including mandatory record-keeping requirements under the PCMLTFA.

You may exercise the following rights, subject to identity verification and applicable legal exceptions:

You may request access to the personal information we hold about you, including:

• What information we have collected
• How it has been used
• With whom it has been shared

We will provide access unless restricted by law (e.g., information related to AML/ATF monitoring or ongoing investigations).

You may request that we correct or update any inaccurate, incomplete, or outdated personal information. Corrections may be refused if restricted by AML/ATF legislation or if doing so would interfere with regulatory compliance.

You may request deletion of your personal information. However, we cannot delete records that must be retained under the PCMLTFA, including:

• Identity verification records
• KYC/KYB documentation
• Transaction records
• Sanctions/PEP screening results
• Compliance monitoring logs

These records must be retained for a minimum of five years and cannot be removed upon request.

Where processing is based on consent (e.g., optional features), you may withdraw your consent at any time. Withdrawal does not apply to:

• Mandatory AML/ATF processing
• Legal and regulatory obligations
• Required operational processing tied to service delivery

In cases where withdrawal affects your ability to use the service, we will inform you.

You may request additional details about:

• How your personal information is processed
• The purposes for which it is used
• The categories of third parties with whom it is shared
• Cross-border processing and safeguards

We will provide this information unless restricted by legal or supervisory requirements.

To submit a request, you may contact us at:

• Email: privacy@payitfast.com
• Phone: +1 (778) 806-1367
• Mail:
  PayitFast (Silverleaf E-Money Services LTD)
  1090 Homer Street, Suite 300
  Vancouver, BC V6B 2W9
  Canada

We may require identity verification before responding to your request to protect your account and personal information.

Although PayitFast primarily operates under Canadian privacy and financial regulatory requirements, certain users may be entitled to additional rights based on their location or applicable legislation. Where relevant and required by law, PayitFast recognizes the following regional privacy rights:

Individuals located in the EU or UK may have rights under the General Data Protection Regulation (GDPR) or UK GDPR, including:

• Right of access
• Right to rectification
• Right to erasure (subject to AML/ATF legal retention obligations)
• Right to restriction of processing
• Right to data portability
• Right to object
• Rights related to automated decision-making

These rights apply only where GDPR jurisdiction is legally triggered.

California residents may have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including:

• Right to know what categories of personal information are collected or disclosed
• Right to request deletion (subject to financial regulatory retention requirements)
• Right to correct inaccurate information
• Right to opt out of any "sale" or "sharing" of personal information
• Right to non-discrimination for exercising privacy rights

PayitFast does not sell personal information.

PayitFast's services are intended for adults who are legally able to enter into financial and contractual relationships. Our products, electronic money services, and onboarding processes are not designed for or directed to individuals under the age of 18.

We do not knowingly:

• Collect personal information from minors
• Offer accounts or financial products to minors
• Permit the use of our services by individuals under 18

If we become aware that personal information has been collected from a person under the age of 18, we will:

• Close or restrict the associated account, and
• Delete the personal information, unless retention is required for fraud-prevention or legal purposes.

If you believe a minor has provided us with personal information, please contact us immediately using the details provided in Section 15.

PayitFast may update or modify this Privacy Policy from time to time to reflect changes in our services, legal or regulatory requirements, industry practices, or operational needs. When updates are made, we will revise the "Last Updated" date at the top of the Policy.

We may also provide additional notice of significant changes through:

• Email notifications
• Platform alerts or banners
• Other reasonable communication methods

Your continued use of PayitFast's services after any changes take effect will constitute your acceptance of the updated Privacy Policy. If you do not agree with the revised Policy, you must discontinue using our services.

If you have questions, concerns, or requests relating to this Privacy Policy or the handling of your personal information, you may contact us using any of the methods below. We will respond in accordance with applicable privacy and financial regulatory requirements.

PayitFast (Silverleaf E-Money Services LTD)
1090 Homer Street, Suite 300
Vancouver, BC V6B 2W9
Canada

Email: privacy@payitfast.com
Phone: +1 (778) 806-1367

You may also contact us to exercise your privacy rights, request additional information about our data-handling practices, or file a complaint regarding how your personal information has been managed.