Legal

Privacy policy

What we collect, why, and how it's protected. Plain English.

Last updated · June 2026

1. What we collect 2. Why we collect it 3. Who we share it with 4. How long we keep it 5. Your rights 6. How we protect it 7. Changes

1. What we collect

To run a regulated remittance service in Canada, we need to know who's using it. Specifically:

  • Identity: full name, date of birth, address, government ID, selfie. Provided directly to Sumsub during KYC.
  • Account: email, password (hashed), phone, occupation, source of funds.
  • Recipients: names and bank/mobile-money details of people you send money to.
  • Transactions: amounts, corridors, timestamps, on-chain transaction hashes.
  • Device: IP address, user agent, referrer, basic analytics for fraud detection.

2. Why we collect it

  • Legal obligation: FINTRAC requires identity verification, transaction records, and suspicious activity reporting for every Canadian MSB.
  • Fraud prevention: we monitor for stolen accounts, identity theft, and unusual activity patterns.
  • Service delivery: we can't send money to your mom if we don't know your mom's account details.
  • Improvement: aggregate, de-identified usage to make the product better.

3. Who we share it with

  • Sumsub — identity verification.
  • Paytrie — Canadian dollar on-ramp.
  • Circle — customer wallet provisioning.
  • Local mobile money & bank rails — to deliver funds to your recipient.
  • FINTRAC — only when legally required (suspicious transaction reports, large cash transactions, etc.).
  • Google Cloud, Firebase, Vercel, Supabase — our infrastructure providers, all under data processing agreements.

We do not sell your data. We do not share it with advertisers. We do not let third parties run analytics scripts on logged-in surfaces.

4. How long we keep it

FINTRAC requires us to retain transaction records and identity-verification records for 5 years after the relationship ends. Beyond that requirement, we delete data when it's no longer needed. Sumsub deletes raw ID photos after we approve you; we keep only the verification result and the FINTRAC-required record fields.

5. Your rights

Under Canadian privacy law (PIPEDA, plus Alberta PIPA and Quebec Law 25 where applicable), you can:

  • Ask us what data we hold about you.
  • Correct inaccuracies.
  • Withdraw consent (which usually means closing your account).
  • Request deletion, except where retention is legally required.
  • Lodge a complaint with the Office of the Privacy Commissioner of Canada.

To exercise any of these, email privacy@coynitt.ca. We respond within 30 days.

6. How we protect it

See our Security page for the full picture. The short version: encrypted in transit and at rest, scoped service-account access with no shared secrets, signed webhooks with replay protection, MFA available on every account.

7. Changes

If we materially change how we handle data, we'll email you and show the change on first sign-in. Minor edits get noted in the "last updated" line at the top of this page.

Questions? privacy@coynitt.ca.