Legal · EU/UK

GDPR notice

How we handle personal data of EU and UK residents under the General Data Protection Regulation (GDPR) and the UK GDPR. Read alongside our Privacy policy — this page is the EU/UK addendum.

Last updated · June 2026

1. When this applies 2. Data controller 3. Lawful basis 4. Your rights 5. International transfers 6. How to exercise rights 7. Right to complain

1. When this applies

Coynitt is a Canadian-incorporated business serving Canadian senders. EU/UK residents typically interact with Coynitt as recipients of transfers from Canada (e.g., a friend or family member in the EU receiving funds from a sender in Canada), or in limited cases as visitors to our website who provide data through a contact form.

This notice applies whenever we process personal data of someone in the EU or UK. The protections are the same regardless of whether you have a Coynitt account.

2. Data controller

The data controller is Coynitt Canada Inc., registered in Alberta, Canada. We do not currently maintain a representative in the EU/UK; if EU/UK regulators require one as we scale, we'll designate one and update this page.

Contact for GDPR matters: privacy@coynitt.ca.

3. Lawful basis for processing

We rely on the following lawful bases under Article 6 GDPR:

  • Contract necessity (Art. 6(1)(b)): processing transfer details to deliver funds you've been sent.
  • Legal obligation (Art. 6(1)(c)): retaining transaction records and identity-verification data for FINTRAC-equivalent reporting where applicable.
  • Legitimate interests (Art. 6(1)(f)): fraud prevention, transaction monitoring, and securing our infrastructure. We've conducted a balancing test and consider the impact on you proportionate to the public-interest goal.
  • Consent (Art. 6(1)(a)): for any direct marketing or non-essential cookies. Consent can be withdrawn at any time.

4. Your rights

Under GDPR Articles 15–22, you have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Rectification of inaccurate data (Art. 16).
  • Erasure ("right to be forgotten") where the data is no longer needed and no legal retention obligation applies (Art. 17). Note: FINTRAC-equivalent transaction records are retained for five years regardless.
  • Restrict processing in specific circumstances (Art. 18).
  • Data portability — receive your data in a structured, commonly-used format (Art. 20).
  • Object to processing based on legitimate interests (Art. 21).
  • Not be subject to solely automated decision-making with legal effects (Art. 22). Coynitt does not currently make solely-automated decisions about your access to services without human review.

5. International transfers

Personal data of EU/UK residents may be transferred outside the EEA/UK to:

  • Canada — where we operate. Canada has been recognised by the European Commission as providing an adequate level of data protection (commercial organisations under PIPEDA), so no additional safeguards are required.
  • United States — for some of our infrastructure providers (Google Cloud, Vercel, Firebase). Transfers are protected by Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework.
  • Africa — to deliver funds to recipients via local mobile money or bank rails. Where adequacy decisions don't apply, we rely on SCCs with our local payment partners.

6. How to exercise your rights

Email privacy@coynitt.ca with the right you'd like to exercise and enough information for us to identify you. We respond within 30 days (extendable by a further two months for complex requests, with notice).

We will not charge a fee unless requests are manifestly unfounded or excessive.

7. Right to complain to a supervisory authority

If you believe we've handled your personal data unlawfully, you have the right to lodge a complaint with the data protection supervisory authority in the EU member state of your residence, place of work, or where the alleged infringement took place. You can find your authority through the European Data Protection Board: edpb.europa.eu/about-edpb/about-edpb/members_en.

UK residents can complain to the Information Commissioner's Office: ico.org.uk.

We'd appreciate the chance to address your concern first — privacy@coynitt.ca — but exercising the right to complain is yours, not contingent on going through us.

Questions? privacy@coynitt.ca.