Octapex logo Octapex
Sign In Start

Privacy Policy

Privacy Policy

Effective Date: April 2026

1. Data Controller

This Privacy Policy describes how personal data is collected and processed by Geloro Pay Ltd, operating under the trade name Octapex, with its registered office at 1055 West Georgia Street, Suite 2100, Vancouver, British Columbia, Canada.

The Company operates as a registered Money Services Business in Canada and is subject to supervision by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). For the purposes of applicable data protection laws, including the General Data Protection Regulation (GDPR) where applicable, the Company acts as a data controller.

2. Scope of This Policy

This Policy applies to all personal data processed in connection with the provision of the Company’s services, including client onboarding, identity verification procedures, execution and settlement of transactions, compliance with anti-money laundering and counter-terrorist financing obligations, and the use of the Company’s website and related systems.

The Company provides crypto-asset conversion services strictly limited to the exchange of fiat currency for crypto-assets and crypto-assets for fiat currency. The Company does not provide crypto-to-crypto exchange services, nor does it offer custodial wallet services, asset storage, or investment-related services.

3. Non-Custodial Service Structure

The Company operates on a non-custodial basis. This means that it does not provide or maintain custody of client crypto-assets at any point, nor does it control or manage private keys associated with client wallets. Clients are required to use their own external wallets for the receipt and transfer of digital assets. This structure ensures that clients retain full control over their assets and reduces custody-related risks inherent in digital asset transactions.

4. Collection of Personal Data

In the course of providing its services, the Company may collect and process a range of personal data. This includes information necessary to identify and verify clients, such as names, dates of birth, nationality, and government-issued identification details. The Company also processes contact information such as email addresses, telephone numbers, residential addresses, and account identifiers.

In addition, transactional and financial data is collected, including payment information, transaction history, blockchain transaction identifiers, and, where required by law, information relating to the source of funds or wealth. For compliance purposes, the Company may also process data arising from sanctions screening, risk scoring, and identity verification procedures.

Technical data, such as IP addresses, device information, browser type, and system logs, may also be collected to ensure the security and integrity of the platform. Where applicable, blockchain-related data such as wallet addresses and transaction metadata is processed as part of transaction execution and compliance monitoring.

5. Purpose of Processing

Personal data is processed exclusively for lawful and clearly defined purposes. These include the establishment and maintenance of client relationships, the execution and settlement of transactions, and compliance with legal and regulatory obligations under applicable anti-money laundering and counter-terrorist financing laws.

The Company also processes personal data to conduct identity verification procedures, monitor transactions for suspicious activity, prevent fraud, ensure platform security, and maintain the integrity of its systems. In addition, data may be used to improve operational performance and enhance service quality.

The Company does not use personal data for automated decision-making that produces legal or similarly significant effects without appropriate human oversight.

6. Legal Basis for Processing

The processing of personal data is carried out on several legal bases depending on the context. Where required, processing is necessary for compliance with legal obligations, particularly those arising from anti-money laundering, counter-terrorist financing, and sanctions regulations.

Processing may also be necessary for the performance of a contract with the client, particularly in relation to the execution of requested transactions. In certain cases, data is processed based on the legitimate interests of the Company, including fraud prevention, cybersecurity, and risk management. Where applicable, consent may be relied upon for specific activities such as marketing communications or the use of non-essential cookies.

Failure to provide required information may result in the inability to access or use the Company’s services.

7. Disclosure of Personal Data

The Company only shares personal data where necessary and in accordance with applicable law. This may include disclosures to regulatory authorities such as FINTRAC, as well as to banking institutions, payment processors, and identity verification service providers involved in the execution of transactions and compliance processes.

Personal data may also be disclosed to law enforcement authorities where required by law or where there is a legal obligation to do so. The Company does not sell or rent personal data to third parties under any circumstances.

8. International Transfers

Where personal data is transferred outside of the jurisdiction in which it was originally collected, the Company ensures that appropriate safeguards are in place. Such safeguards may include standard contractual clauses approved by relevant regulatory authorities, transfer impact assessments, and other mechanisms designed to ensure that data is protected to a standard equivalent to that required under applicable data protection laws.

9. Data Retention

The Company retains personal data only for as long as it is necessary to fulfil the purposes for which it was collected, including compliance with legal, regulatory, and operational requirements.

In general, identity verification and compliance-related data is retained for a period of five to ten years in accordance with applicable anti-money laundering legislation. Transactional data may be retained for up to ten years. Communication records are typically retained for a similar period where required for compliance purposes, while technical logs are retained for shorter durations, generally between twelve and twenty-four months.

After the expiration of applicable retention periods, data is securely deleted or anonymised.

10. Data Security

The Company implements appropriate technical and organisational measures to safeguard personal data against unauthorised access, loss, alteration, or disclosure. These measures include encryption of data in transit and at rest, multi-factor authentication, strict access controls based on job roles, continuous system monitoring, and regular security testing.

Employees and contractors are subject to confidentiality obligations and receive regular training on data protection and cybersecurity practices. Security controls are designed to align with regulatory expectations applicable to money services businesses and virtual asset service providers.

11. Cookies and Tracking Technologies

The Company uses cookies and similar technologies to ensure the proper functioning of its website, maintain security, and improve performance. Certain cookies are essential for the operation of the platform, while others may be used for analytics and service optimisation purposes.

Where required by law, non-essential cookies are only used with the consent of the user, which may be managed through browser settings or platform controls.

12. Data Subject Rights

Where applicable under data protection laws such as the GDPR, individuals may exercise rights in relation to their personal data, including the right to access, correct, or request deletion of their data, as well as the right to restrict or object to certain types of processing. Individuals may also have the right to data portability and the right to withdraw consent where processing is based on consent.

Requests relating to these rights may be submitted to the Company at compliance@octapex.com and will be handled within a reasonable timeframe, typically within one month, subject to legal and operational considerations.

13. Data Breach Notification

In the event of a personal data breach, the Company will take immediate steps to contain and investigate the incident. Where required, relevant supervisory authorities will be notified without undue delay, and affected individuals will be informed where the breach poses a significant risk to their rights or freedoms.

14. Applicable Legal Framework

This Policy is designed to comply with applicable data protection and financial regulatory frameworks, including the General Data Protection Regulation (GDPR) where applicable, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (Canada), FINTRAC guidance for money services businesses, and relevant international standards such as the Financial Action Task Force (FATF) recommendations on virtual assets.

15. Contact

For any questions relating to this Privacy Policy or the handling of personal data, individuals may contact the Company at:

support@octapex.com