Privacy Policy

Business Model Overview

Bandra Railz Finance Inc. (“Bluerails” , “Company” , PSP, “We" , “Us” , “Our”) is a money services business (“MSB”) which is registered with the Financial Transactions and Reports Analysis Centre of Canada (“FINTRAC”). The Company is also a Payment Service Provider (PSP) registered with the Bank of Canada (“Bank”). The company intends to provide four core services to its customers:

• Foreign Exchange Dealings

• Money Transferring

• Virtual Currency Dealings

• Payment Processing

Purpose

At Bluerails your privacy is of utmost importance to us. This Privacy Policy outlines how we collect, use, disclose, and safeguard your personal information when you use our payment services. We ensure that your privacy is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA) and other relevant Canadian privacy laws and regulations.

This policy applies to all employees, contractors, third-party service providers, and any other personnel with access to Bluerails’ information systems.

Regulatory Overview

Introduction

This Privacy Policy is intended to help you understand how Bluerails (“the Company” , “we” , “us” or “our”), collect, use, and disclose your personal information (as defined below) when you access the company’s or any of our associated websites and mobile applications (collectively, the “Site”), and use the services that we provide via the Site (the “Services”). Our Privacy Statement is our commitment to you that we will handle your personal information with care and in accordance with applicable privacy legislation.

We will treat personal information in a manner consistent with the Privacy Policy under which it was collected and our privacy practices, unless we have your consent to treat it differently. This Privacy Statement applies to any information we collect or receive about you, from any source.

How We Collect Your Personal Information

We collect your personal information in various ways, depending on your interactions with our services. Below are the primary methods through which we gather personal information:

• Account Creation and Registration: When you create an account, sign up for our services, or register on our platform, we collect personal information such as your name, email address, phone number, and any other information you choose to provide.

• Transaction Information: We collect information related to transactions you make using our services, including payment details, transaction history, and financial account information.

• Customer Support Interactions: If you contact us for customer support, we collect information that you provide during the interaction, such as your name, contact details, and details about your inquiry or issue.

• Surveys and Feedback: We may collect personal information when you participate in surveys, provide feedback, or complete questionnaires that we distribute.

• Consent-Based Collection: In some cases, we may ask for your consent to collect personal information not covered by the scenarios listed above. For example, if we wish to use your data for a new purpose, we will seek your explicit consent before doing so.

The personal information we collect allows us to provide, maintain, and improve our services, ensure compliance with legal obligations, protect against fraud, and enhance your user experience. We collect only the information that is necessary for these purposes and to handling your data in accordance with our Privacy Policy.

Information Bluerails Collects

We may collect the following types of personal information:

• Contact Information: Name, email address, phone number, mailing address.

• Identity Verification Information: Date of birth, social insurance number (SIN), passport number, driver's license, or other government-issued identification.

• Financial Information: Bank account details, credit/debit card numbers, transaction history.

• Technical Information: IP address, device information, browser type, and cookies.

• Usage Information: Information about how you interact with our services, including transaction data and customer support interactions.

How Bluerails Uses Your Personal Information

We use your personal information for the following purposes:

• Service Delivery: To provide, operate, and maintain our payment services.

• Identity Verification: To verify your identity and prevent fraud.

• Transaction Processing: To process payments and other transactions you initiate.

• Customer Support: To provide customer support and respond to your inquiries.

• Compliance: To comply with legal and regulatory obligations, including anti-money laundering (AML) and anti-fraud requirements.

• Marketing and Communication: To send you promotional materials, updates, and other information relevant to our services (with your consent). You can unsubscribe from marketing communications at any time by following the instructions in our emails or by contacting us directly.

How we store your personal information

The Company ensures that your personal information is stored securely and in compliance with applicable privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA). Below is an overview of how we store your personal information:

Secure Data Storage

• Digital Storage: Personal information is stored on secure servers that are protected by industry-standard security measures, including firewalls, encryption, and access controls. These servers are located in secure data centers with restricted access to authorized personnel only.

• Physical Storage: If any personal information is stored in physical form (e.g., paper records), it is kept in secure, locked facilities that are accessible only to authorized personnel. Physical documents are stored in locked cabinets or rooms with additional security controls.

Backup and Recovery

• Regular Backups: We perform regular backups of our data, including personal information, to ensure that it can be restored in case of accidental loss, data corruption, or other incidents. These backups are encrypted and stored securely.

• Disaster Recovery: We have a disaster recovery plan in place to ensure that personal information is protected and recoverable in the event of a major incident, such as a natural disaster, cyber-attack, or system failure.

Data Security

We take reasonable steps to protect your personal information from unauthorized access, use, or disclosure. These measures include encryption, access controls, and regular security audits.

1. Encryption

• Data in Transit: We use industry-standard encryption protocols (such as TLS/SSL) to protect personal information while it is being transmitted over the internet.

• Data at Rest: Personal information stored on our servers is encrypted using advanced encryption standards to prevent unauthorized access.

2. Access Controls

• Role-Based Access: Access to personal information is restricted to authorized personnel who need it to perform their job functions. Access is granted based on roles and responsibilities, ensuring that only those with a legitimate business need have access to sensitive data.

• Multi-Factor Authentication: We implement multi-factor authentication (MFA) for access to our systems to add an additional layer of security.

3. Regular Security Audits

We conduct regular security audits and assessments to identify and address potential vulnerabilities in our systems. These audits include penetration testing, vulnerability scans, and security control reviews.

How we safeguard your personal information

Protecting your personal information is a top priority for us. We implement a variety of security measures to ensure that your data is safe from unauthorized access, disclosure, alteration, or destruction.We restrict access to your personal information on a need-to-know basis to employees and authorized service providers who require access to fulfill their job requirements.

While we take significant steps to protect your personal information, your role is also crucial. We encourage you to:

• Use Strong Passwords: Create strong, unique passwords for your accounts and update them regularly.

• Be Cautious of Phishing Scams: Be wary of unsolicited communications asking for your personal information. Always verify the legitimacy of such requests.

• Enable Security Features: Take advantage of security features we offer, such as multi-factor authentication, to add an extra layer of protection to your accounts.

Disclosure of Your Information

Except as set forth in this Privacy Policy or as required or permitted by law, we do not sell or share your personal information with third parties. Even when we do disclose your personal information, we will not disclose more personal information than necessary for the purpose of disclosure and in compliance with data protection legislation.

We may share your personal information with:

• Service Providers: We may transfer or otherwise make your personal information available to third-party service providers who provide services to us in accordance with our instructions and on our behalf. Our service providers are only given the personal information they need to perform their agreed-upon services, and are not authorized to use or disclose personal information for their own marketing or other purposes.Our service providers are third-party vendors who assist us in operating our business, such as identity verification services, payment processors, and IT service providers.

A complete list of our third-party service providers is available upon request.

• Regulatory Authorities: We can disclose personal information to regulatory authorities under specific circumstances, in accordance with Canadian privacy laws, such as the Personal Information Protection and Electronic Documents Act (PIPEDA) in cases when the Company is required to comply with legal and regulatory obligations. This includes requirements under anti-money laundering (AML) laws, anti-terrorism financing (ATF) laws, and other financial regulations, reporting suspicious transactions to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) as mandated by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA).

• Business Partners: With your consent, we may share your information with business partners to offer joint services or products.

• Legal Requirements: We may disclose your information if required to do so by a court or in response to a subpoena, warrant, or other legally binding request from law enforcement agencies, or under international agreements or treaties we may disclose your information to foreign regulatory authorities or governments as part of cross-border investigations or regulatory enforcement actions.

• Business sale, merger, or acquisition: The Company may need to disclose personal information to potential buyers or merging entities to evaluate the business. However, this disclosure should be limited to what is necessary for the transaction. Wherever possible, the personal information should be anonymized or aggregated before disclosure to protect individual privacy. If specific personal information must be shared, it should be limited and protected by confidentiality agreements.

Retention and Deletion of Your Information

The Company will retain your personal information for as long as necessary to fulfill the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements. The retention period may vary depending on the nature of the information and the purpose for which it is used.

When personal information is no longer needed, we take steps to securely delete or anonymize it. Digital data is permanently erased using secure deletion methods, and physical documents are shredded or otherwise destroyed to prevent unauthorized access.

Training and Awareness

Our employees receive regular training on data security and privacy best practices to ensure that they understand their responsibilities in protecting personal information.

Your Rights

You have the following rights regarding your personal information:

Access

You have the right to request access to the personal information we hold about you. This right allows you to be informed about the data we have collected, how it is being used, and who it may be shared with. You can submit a written request to us to access your personal information. We will provide you with a copy of the information, along with details about how it is being used, within a reasonable timeframe, typically within 30 days. In some cases, access may be restricted due to legal reasons or to protect the privacy of others. If we cannot provide access, we will explain the reasons why.

Correction

If you believe that the personal information we hold about you is inaccurate, incomplete, or outdated, you have the right to request that we correct or update this information. You can contact us with details of the information you believe is incorrect and provide the correct information. We will promptly correct or update our records and notify any third parties who have received the incorrect information. However, we may require verification of the new information to ensure that the changes are accurate and that the request is legitimate.

Withdrawal of Consent

You have the right to withdraw your consent for us to collect, use, or disclose your personal information at any time. This right applies to information you have previously consented to share, and it allows you to control how your data is used. To withdraw your consent, you can contact us with your request. After which we will explain the consequences of withdrawing consent, which may include our inability to provide certain services to you.

In some cases, withdrawing consent may be subject to legal or contractual restrictions. For example, if we are legally required to retain certain information or if the information is necessary for the fulfillment of a contract, we may not be able to fully comply with your request.

Complaints

If you believe that your privacy rights have been violated or if you are unsatisfied with how we have handled your personal information, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC). We are committed to addressing any concerns you may have and will assist you throughout the complaint process. However, before filing a complaint with the OPC, we encourage you to contact us directly to resolve the issue. If you remain dissatisfied, you can file a complaint with the OPC by visiting their website, submitting a complaint form, or contacting them by phone or mail.

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience on our website. You can control the use of cookies through your browser settings. Please note that disabling cookies may affect the functionality of our services.

Updates and tests

This policy will be reviewed and updated from time to time, after any major changes to the business, or as needed to ensure its continued effectiveness and alignment with organizational objectives and regulatory requirements.