PRIVACY POLICY

Effective Date: 01 Jan 2026

1. Data Controller Details

This Privacy Policy governs the processing of personal data by:

Geloro Pay Ltd
Registered Headquarters: 2100-1055 West Georgia St, Vancouver, British Columbia, Canada, V6E 3P3
Website: Octapex.com

Geloro Pay Ltd, operating under the trade name “Octapex” (the “Company”), operates as a crypto-asset service provider and virtual asset service provider (VASP), facilitating the exchange of crypto-assets and fiat currency.

The Company acts as the Data Controller in accordance with the General Data Protection Regulation (GDPR).

2. Scope and Application

This Policy applies to all personal data processed by the Company in connection with:

  • Client onboarding and account management
  • Transaction processing
  • Regulatory compliance obligations
  • Use of the Company’s website and platform

It applies to all users interacting with the Company’s services, regardless of jurisdiction, subject to applicable law.

3. Data Subject Rights

Individuals are entitled to exercise the following rights under applicable data protection laws:

  • Right of access
  • Right of rectification
  • Right of erasure (subject to legal retention obligations)
  • Right of restriction of processing
  • Right to object
  • Right to data portability
  • Right to withdraw consent

Requests may be submitted to: compliance@octapex.com

The Company will respond within one (1) month, subject to legal and operational constraints.

4. Purposes of Processing

Personal data is processed strictly for legitimate and defined purposes, including:

  • Establishing and maintaining contractual relationships
  • Identity verification in accordance with AML/CFT obligations
  • Execution and settlement of crypto-asset transactions
  • Sanctions screening and compliance monitoring
  • Fraud detection, prevention, and investigation
  • Risk management and internal governance
  • Compliance with regulatory and legal obligations
  • Platform functionality, performance, and improvement

The Company does not rely on automated decision-making producing legal effects without appropriate safeguards.

5. Lawful Basis for Processing

Processing of personal data is carried out on the following legal bases:

  • Legal obligation (AML/KYC, Travel Rule, regulatory reporting)
  • Contract performance (service delivery and account management)
  • Legitimate interest (fraud prevention, platform security)
  • Consent (marketing and non-essential cookies, where applicable)

Failure to provide required personal data may result in refusal of service or termination of the relationship.

6. Categories of Personal Data

Identity Data
(e.g., name, date of birth, identification documents, biometric verification)

Contact Data
(e.g., email address, telephone number, wallet addresses)

Financial and Transaction Data
(e.g., bank details, transaction history, blockchain identifiers, source of funds)

Compliance and Risk Data
(e.g., sanctions screening, PEP status, risk profile, geolocation, IP address)

Technical and Usage Data
(e.g., device information, browser type, session activity, interaction logs)

7. Data Sharing and Disclosure

Personal data is disclosed strictly on a need-to-know basis to:

  • Regulatory and supervisory authorities
  • Financial institutions and payment providers
  • Compliance and verification service providers
  • Law enforcement agencies where legally required

The Company does not sell or monetize personal data.

8. International Data Transfers

Where personal data is transferred across borders:

  • Transfers are made to jurisdictions with recognized adequacy decisions; or
  • Standard Contractual Clauses (SCCs) are implemented
  • Transfer impact assessments are conducted

Equivalent data protection standards are ensured at all times.

9. Data Retention

Personal data is retained only for as long as necessary:

  • AML/KYC data: up to 10 years
  • Transaction data: up to 10 years
  • Communications: 5–10 years
  • Technical and analytics data: 12–24 months

Data is securely deleted or anonymized after retention periods expire.

10. Data Security

The Company implements robust safeguards, including:

  • Encryption of data in transit and at rest
  • Multi-factor authentication (MFA)
  • Role-based access control
  • Continuous monitoring and intrusion detection
  • Regular penetration testing
  • Secure infrastructure and hosting environments
  • Audit logging and access tracking
  • Employee training and confidentiality obligations

11. Cookies and Tracking Technologies

The Company uses cookies to:

  • Ensure platform functionality
  • Maintain security and prevent fraud
  • Analyze performance and usage

Non-essential cookies are used only with user consent. Users may manage preferences via browser settings.

12. Data Breach Notification

In the event of a personal data breach:

  • Authorities will be notified within 72 hours where required
  • Affected individuals will be informed without undue delay if high risk exists
  • Internal incident response procedures will be activated immediately

13. Applicable Legal Framework

This Policy is aligned with:

  • General Data Protection Regulation (GDPR)
  • FINTRAC Licences (Financial Transactions and Reports Analysis Centre of Canada requirements)
  • Regulation (EU) 2023/1113 (Travel Rule)
  • Applicable AML/CFT and data protection laws

14. Right to Lodge a Complaint

Individuals have the right to lodge a complaint with:

  • A competent data protection authority
  • Their local supervisory authority

15. Policy Updates

This Policy may be updated due to:

  • Regulatory developments
  • Operational or technological changes
  • Enhanced security practices

Continued use of services constitutes acceptance of updated terms.

Contact Information

support@octapex.com
business@octapex.com

© 2026 Octapex. All rights reserved.

This is a staging environment