Privacy Policy
Last updated: 13 May 2026.
This Privacy Policy describes how Flash Solutions Inc., a company incorporated in the Province of Ontario whose registered office is at 220 Coronation Road, Whitby, Ontario, L1P0H7, Canada ("Flash Solutions", "we", "us", "our"), collects, uses, discloses and safeguards personal information when you visit flashsolutions.io (the "Website") or use the exchange services provided through it (the "Platform").
This Privacy Policy is governed by Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA") and by the provincial privacy laws that apply, including Quebec's Act respecting the protection of personal information in the private sector ("Quebec Law 25") where it is relevant to you. Where we serve a customer located in the European Economic Area on a reverse-solicitation basis, we also act in a manner consistent with the EU General Data Protection Regulation (Regulation (EU) 2016/679); section 8 covers this.
If any part of this Privacy Policy is unclear to you, please contact our Privacy Officer at privacy@flashsolutions.io.
1. Who is responsible
Flash Solutions is the controller of the personal information gathered through the Platform. Our appointed Privacy Officer is responsible for ensuring compliance with this Privacy Policy and with the privacy laws that apply. You can reach the Privacy Officer at privacy@flashsolutions.io or by writing to the registered office at the address set out above.
2. What personal information we collect
We collect only what is necessary to run the Platform, meet our legal duties and guard against fraud and financial crime. The categories below set out the widest range of information that may be collected; not every category applies to every customer.
Identification and verification data. Full legal name, date of birth, nationality, home address, government-issued identity document (passport, driving licence or national identity card), document number and expiry date, a live facial image or short video used for biometric comparison with the document photo, and the outcome of that comparison. We use biometric data only to verify identity at onboarding and to re-verify it where our compliance procedures call for it; we put it to no other use.
Contact data. Email address and mobile telephone number.
Account data. Username, hashed password, two-factor authentication settings, the date the account was created, language and notification preferences, and the record of your dealings with our support team.
Transaction data. Order details (currency pair, amount, time, status), the payment method used, blockchain destination and origin addresses, transaction hashes, network and service fees, and originator or beneficiary information collected to satisfy the Travel Rule (see the AML and KYC Policy).
Payment data. Where you pay by card: the card brand, the last four digits of the card number, the expiry date and the cardholder name. Full card numbers are handled by our PCI-DSS-compliant payment processors and are not stored on our systems. Where you pay by bank transfer: the bank name and the account identifier.
Source-of-funds and source-of-wealth data. Where our AML procedures or the risk profile of your activity require it, documents and information showing where your funds came from (for example, payslips, tax returns, asset-sale documents, or inheritance or gift documents).
Tax-residency data. Consistent with Canada's implementation of the OECD Crypto-Asset Reporting Framework ("CARF"), we may collect your country or countries of tax residence and your tax-identification numbers.
Device and technical data. IP address (and the location estimated from it), device type, operating system, browser type and version, language settings, screen resolution, time zone, and details of how you use the Website (pages viewed, time spent on a page, the referring URL). Some of this is gathered through cookies and similar technologies — see our Cookie Policy.
Risk-screening data. The results of the sanctions, politically-exposed-person ("PEP"), adverse-media and blockchain-analytics screening we carry out as part of our compliance programme, including risk scores given to the wallet addresses you deal with.
Communications. Records of your correspondence with our support and complaints teams, including timestamps and the content of messages.
3. Where we obtain personal information
We obtain personal information:
- directly from you when you register, complete verification, start an Order, contact our support team or answer our questions;
- from third-party verification providers that we engage to check identity documents, run biometric checks, screen against sanctions, PEP and adverse-media databases, and provide blockchain analytics on wallet addresses;
- from public blockchains when you transact through us — public ledgers expose the transaction history and balances tied to addresses, and we examine this for compliance purposes;
- from your payment provider or bank when you fund or receive a payment, including limited details about the source account and any responses to authorisation requests; and
- from cookies and similar technologies on the Website (see the Cookie Policy).
We do not buy or rent personal information from data brokers. We do not gather personal information about you from social-media networks.
4. Why we use personal information
We use personal information for the following purposes only:
To provide the Platform. Open and run your Account; verify your identity as the PCMLTFA requires; process Orders; confirm payments; settle transactions; deal with support and complaints requests; send you operational information about your Account and Orders.
To comply with the law. Meet our duties under the PCMLTFA and FINTRAC guidance (record-keeping, transaction monitoring, the Travel Rule, suspicious transaction reporting, large virtual currency transaction reporting), Canadian sanctions law, tax law (including CARF), consumer-protection law, and law-enforcement requests; cooperate with regulators and courts.
To prevent financial crime and protect the Platform. Screen against sanctions, PEP and adverse-media lists; examine blockchain addresses for connections to illicit activity; detect and prevent fraud, account takeover, money-mule activity and use of the Platform in breach of these Terms; look into complaints and chargebacks.
To run and improve our business. Keep the Platform secure and intact; debug and enhance our systems; review usage on an aggregate basis to understand performance; manage our books and records.
To send service communications. Send transactional emails about your Account, security alerts, changes to these Terms or other policies, and any other messages needed to provide the Platform.
To send marketing communications (only with your consent). Send information about new features, newly listed assets or other things we think may interest you, where you have opted in. You may withdraw your consent at any time by using the "unsubscribe" link in any marketing email or by writing to privacy@flashsolutions.io. Withdrawing marketing consent has no effect on service communications, which are necessary to operate your Account.
We will not use personal information for any other purpose without your consent, unless the law otherwise permits.
5. Legal bases (where they apply)
We rely on the following legal bases when we process personal information (the terms are drawn from PIPEDA and, where it applies, the GDPR):
- Performance of a contract: to provide the Platform and process Orders;
- Legal obligation: to comply with the PCMLTFA, FINTRAC guidance, sanctions law, tax law (including CARF) and other legal requirements;
- Legitimate interest: to prevent fraud, keep the Platform secure, defend legal claims and run our business. We weigh these interests against your own interests and fundamental rights;
- Consent: for marketing communications, optional cookies, and any other processing for which we expressly request your consent.
6. Disclosure of personal information
We disclose personal information only in the ways described below.
To service providers, under written contracts that oblige them to protect the information and to use it solely for the purposes for which we engage them. The categories include:
- identity-verification and biometric-check providers;
- sanctions, PEP and adverse-media screening providers;
- blockchain-analytics providers;
- payment processors and acquiring banks;
- cloud-hosting and infrastructure providers;
- email and customer-support platforms; and
- professional advisers (auditors, accountants and lawyers).
To regulators and authorities, where the law requires it, including mandatory filings to FINTRAC (Suspicious Transaction Reports, Large Virtual Currency Transaction Reports and other reports prescribed by the PCMLTFA), CARF reporting to the Canada Revenue Agency, and responses to court orders, production orders, regulatory demands or requests from law-enforcement agencies. We may also share information with authorities abroad where this is required under mutual-assistance arrangements or applicable treaties (for instance, under the OECD common reporting and CARF exchange frameworks).
To counterparties under the Travel Rule. Where we send a virtual currency transfer of CAD 1,000 or more on your behalf, the PCMLTFA requires us to pass your name, address and a reference number to the receiving entity. Where we receive a transfer for you, we must take reasonable steps to confirm that the matching information about the originator was transmitted.
In a corporate transaction. If we take part in a merger, acquisition, financing or sale of assets, personal information may be disclosed to the other party as part of that transaction, subject to confidentiality protections and applicable law.
With your consent, to anyone you have authorised in writing.
We do not sell personal information.
7. International transfers and where information is processed
Our infrastructure and some of our service providers sit outside Canada, including in the United States and the European Economic Area. When personal information is moved outside the province where you live, it becomes subject to the laws of the place where it is processed, including any lawful access by authorities there.
We apply commercially reasonable measures to protect transferred information, including written agreements, encryption in transit and at rest, and, where the recipient is in a jurisdiction that requires them, EU-approved standard contractual clauses or an equivalent mechanism.
8. Customers located in the EEA
If you are a customer located in the EEA and we have agreed to serve you on a reverse-solicitation basis (see section 4.2 of the Terms and the Reverse Solicitation Notice), we handle your personal information in a way that is consistent with the GDPR. In addition to the rights set out in section 11, you have:
- the right to be given transparency information about how we process your data (this Privacy Policy is meant to supply it);
- the right to lodge a complaint with the data-protection authority in your country of residence; and
- the right to object to processing that is based on our legitimate interests.
We are based in Canada and have no establishment in the EU or the UK. We have not appointed an Article 27 representative because we do not direct services to the EEA or the UK. If you live in the EEA or the UK and wish to exercise GDPR rights, write to privacy@flashsolutions.io.
9. Retention
We keep personal information for as long as applicable law requires. Under the PCMLTFA and its regulations, records about a customer and about transactions must be kept for at least five years from the later of (a) the date of the last business transaction and (b) the closure of the Account.
Once the retention period ends, we delete or anonymise personal information, unless a separate legal duty requires us to retain it (for example, in connection with current or anticipated litigation, an open regulatory enquiry, or CARF reporting duties for a relevant reporting period).
10. Security
We put in place administrative, technical and physical safeguards designed to protect personal information against loss, theft, and unauthorised access, disclosure or alteration. These include encryption in transit and at rest, access controls built on the principle of least privilege, multi-factor authentication for staff, logging and monitoring, regular security testing, and written confidentiality undertakings from staff and service providers. We support two-factor authentication for customers and encourage you to turn it on in your Account settings.
No safeguard is flawless. You have a part to play in protecting your information by choosing a strong, unique password, never sharing your credentials, enabling two-factor authentication, and keeping your devices and software up to date. The account-security obligations that apply to you are set out in section 6 of the Terms and Conditions.
11. Your rights
You have the following rights in relation to the personal information we hold about you. Some are statutory rights under PIPEDA or Quebec Law 25; others apply only if you are in the EEA or the UK.
- Access: ask for a copy of the personal information we hold about you.
- Correction: ask us to correct information that is inaccurate or incomplete.
- Deletion: ask us to delete information we no longer have a lawful basis to keep. We may be unable to comply where the PCMLTFA, CARF or another law requires us to retain it.
- Portability (where Quebec Law 25 or the GDPR applies): receive certain information in a structured, commonly used, machine-readable format.
- Restriction and objection (EEA/UK only, under the GDPR): ask us to limit how we use your information, or object to processing based on legitimate interests.
- Withdraw consent: where we rely on consent (for example, for marketing communications or optional cookies), withdraw it at any time. Withdrawal does not affect processing already carried out.
- Complain: lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca), with the Commission d'accès à l'information du Québec if you are in Quebec (cai.gouv.qc.ca), or, if you are in the EEA or the UK, with the data-protection authority in your country.
To exercise any of these rights, write to privacy@flashsolutions.io. We may need to confirm your identity before acting on your request. We respond within 30 days, or sooner where the law requires.
12. Automated decision-making
We use automated tools to support our compliance processes, including sanctions and PEP screening, transaction monitoring, and blockchain-analytics risk scoring. These tools may cause an Order to be held for human review or to be refused. A decision to refuse an Order or to close an Account is never taken by automated means alone; a member of our compliance team reviews the matter before any final decision is made. If you believe a decision has treated you unfairly, you can contact us under the Complaints Policy and ask for a human review.
13. Children
The Platform is not aimed at, and is not intended for use by, anyone under the age of 18 (or under the age of majority where you live). We do not knowingly collect personal information from minors. If we learn that we have done so, we delete the information and close the related account.
14. Changes to this Privacy Policy
We may revise this Privacy Policy from time to time. The "Last updated" date at the top of the page shows when it was last changed. We will announce material changes by email or by a prominent notice on the Website before they take effect.
15. Contact
For any privacy question, including to exercise any of the rights described in section 11, write to:
Privacy Officer
Flash Solutions Inc.
220 Coronation Road
Whitby, Ontario L1P0H7
Canada
privacy@flashsolutions.io