PRIVACY POLICY

 

SECTION A

1. Introduction

 

It is Our understanding, and a valid legal opinion, that Division 1.1, Article 10.1, Subsections (7) and (8):

Definition of significant harm

(7) For the purpose of this section, significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

Real risk of significant harm — factors

(8) The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include

(a) the sensitivity of the personal information involved in the breach;

(b) the probability that the personal information has been, is being or will be misused; and

(c) any other prescribed factor,

of the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), is an explicit acknowledgement of categories of data, and that the relevant safeguarding should be of utmost legal priority for any organization.

It is in recognition of such legal doctrine, and of affiliated legal frameworks such as the Electronic Payments Regulations (SOR/98-129), the Competition Act (R.S.C., 1985, c. C-34) and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (S.C. 2000, c. 17), that it is safe to suggest that the Fintech industry is an extremely volatile and high-risk industry, in which the possibility of data breaches cannot be dismissed.

It is therefore in recognition of these imminent risks that OdumPay (otherwise referred to as “we”, “us” or “our”) seeks to uphold the sanctity of, and respect for, User data, pursuant to the legal doctrine of the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5). This Act is enforceable and legally sufficient regardless of the jurisdictions in which our subsidiaries or operations may exist, except in circumstances where conflicts of law would arise.

This policy sets managerial protocols for the management of the Personal Data of “Clients or Users” (Data Subjects). The preference for the term “Personal Data” speaks to the need to acquire distinct or individualized data that sets apart the identity of users from each other or could be easily accessed for identification.

Personal Data includes Special Categories of user data, except data from which individual identities have been permanently erased.

The OdumPay Fintech Group website, which serves as the basis for the relevancy of the Privacy policy, is committed to protecting User privacy and developing technology that gives you the most powerful and safe online experience. This Statement of Privacy applies to the OdumPay Fintech website (www.odumpay.com) and governs data collection and usage.

 

By using the OdumPay Fintech website, you consent to the data practices described in this statement (wherein “You” refers to clients or users).

 

Your consent, however, is entirely valid if it meets the requirements set out in Division 1, Section 6.1 of PIPEDA, which states:

“For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting”.

It is therefore of utmost importance that you read all the policies set out herein.

2. APPROPRIATE APPLICATION

 

It is understood that, although the Federal Personal Information Protection and Electronic Documents Act, S.C. 2000, ch. 5 (“PIPEDA”), regulates federally-regulated business, its capacity to regulate interprovincial and international collection and use of data cannot be in doubt.

 

This, however, does not limit the legal efficacy of existing provincial laws:

 

  • Alberta’s Personal Information Protection Act, S.A. 2003, ch. P-6.5 (“PIPA Alberta”);
  • British Columbia’s Personal Information Protection Act, S.B.C. 2003, ch. 63 (“PIPA BC”); and
  • Québec’s Protection of Personal Information in the Private Sector, R.S.Q., ch. P-39.1(“Québec Privacy Act”).

 

The Federal private sector law, PIPEDA, governs the interprovincial and international collection, use and disclosure of personal information, and it applies to all classes of personal information (including employee information) held by federally regulated businesses, such as telecommunications companies, banks, railways, airlines, and internet service providers, across the country.

 

PIPEDA also applies generally to personal information (excluding employee information) that is collected, used and disclosed by organizations in the course of commercial activity which takes place within the jurisdictions of provinces that do not otherwise have “substantially similar” legislation.

 

The private sector privacy statutes in Alberta, British Columbia and Québec (referenced above) have each been deemed “substantially similar” to PIPEDA and, as such, PIPEDA will cease to apply to commercial organizations operating within their jurisdictions, with the exception of federally-regulated businesses which continue to be covered by PIPEDA regardless.

 

 

The “processing” of all “Personal Data” involves, without limitation, the collection of personally identifiable information, such as a user’s email address, residential address, or postal address, where required, name or contact number, as legally permissible under Division 1, Section 7.2 (1) and (2) of PIPEDA. Anonymous demographic information, such as interests, favorites, city and/or country, which is not unique to “You”, is also collected by the OdumPay website.

This data retention process, however, applies to past and current “Users” of the OdumPay Platform, except that data “processing” and “retention” are subject to Article 8, paragraph 8, of PIPEDA and the applicable guidelines of the EU General Data Protection Regulation:

“Processing by a processor shall be governed by a contract or other legal act under Union, Federal or Provincial State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller”

Section 8, paragraph 8 of the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), in relation to retention states:

 

“Despite clause 4.5 of Schedule 1, an organization that has personal information that is the subject of a request shall retain the information for as long as is necessary to allow the individual to exhaust any recourse under this Part that they may have”

Regarding Processing, Paragraphs 7.2 (1) and (2) apply, and they state:

Prospective business transaction

7.2 (1) In addition to the circumstances set out in subsections 7(2) and (3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, organizations that are parties to a prospective business transaction may use and disclose personal information without the knowledge or consent of the individual if

(a) the organizations have entered into an agreement that requires the organization that receives the personal information

(i) to use and disclose that information solely for purposes related to the transaction,

(ii) to protect that information by security safeguards appropriate to the sensitivity of the information, and

(iii) if the transaction does not proceed, to return that information to the organization that disclosed it, or destroy it, within a reasonable time; and

(b) the personal information is necessary

(i) to determine whether to proceed with the transaction, and

(ii) if the determination is made to proceed with the transaction, to complete it.

Completed business transaction

(2) In addition to the circumstances set out in subsections 7(2) and (3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, if the business transaction is completed, organizations that are parties to the transaction may use and disclose personal information, which was disclosed under subsection (1), without the knowledge or consent of the individual if

(a) the organizations have entered into an agreement that requires each of them

(i) to use and disclose the personal information under its control solely for the purposes for which the personal information was collected, permitted to be used or disclosed before the transaction was completed,

(ii) to protect that information by security safeguards appropriate to the sensitivity of the information, and

(iii) to give effect to any withdrawal of consent made under clause 4.3.8 of Schedule 1;

(b) the personal information is necessary for carrying on the business or activity that was the object of the transaction; and

(c) one of the parties notifies the individual, within a reasonable time after the transaction is completed, that the transaction has been completed and that their personal information has been disclosed under subsection (1).

 

Or in other exceptional circumstances as set out under paragraphs 7 (1) and (2), which primarily concern:

(i) the prevention, detection, investigation, prosecution or punishment for an offence or breach of law,

(ii) the enforcement of a law which imposes a pecuniary penalty,

(iii) the enforcement of legislation that concerns protection of revenue collection,

(iv) the conduct of proceedings before any court or tribunal that have commenced or are reasonably contemplated, or

(v) the protection of national security;

(d) preventing or mitigating a serious and imminent threat to

(i) public health or safety, or

(ii) the life or health of the data subject or another individual;

 

You must read, understand and comply with this Policy when processing Personal Data on our behalf and attend any training on its requirements. 

 

3. COMPLIANCE WITH THIS POLICY

 

This Policy sets out what We expect from “You” (wherein “You” refers to users of the OdumPay platform) in order for Us (referring to OdumPay Fintech) to comply with applicable law. Your compliance with this Policy is mandatory, but this does not close the door to a subscriber’s right to withdraw. This Policy, together with Related Policies and Privacy Guidelines, is available to you on Policy Hub or via other means, to help you interpret and act in accordance with this Policy.

You are also required to comply with Related Terms and Conditions Policies and Privacy Guidelines. A breach of this Policy may result in appropriate consequences, as deemed fit by Us, or, where appropriate, in termination, following a review of all relevant breaches.

SECTION B

4. Privacy Policy

 

Our Privacy Policy was reviewed as of January 30, 2025.

 

This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information when You use the Service, and tells You about Your privacy rights and the relevant laws that insulate You from data breaches or hold in sanctity Your right to data privacy or confidentiality.

 

For Users domiciled in Canada, how We use Your data is effectively regulated by PIPEDA and the provincial privacy statutes (PIPA Alberta, PIPA British Columbia and the Quebec Privacy Act). Considering their sufficiency under the EU General Data Protection Regulation (GDPR), Users outside Canada are not excluded from the efficacy of the GDPR.

We use Your Personal Data, and information regarding Your usage of Our platform, to provide tailored services.

Users should be informed that, by using this platform, You agree to the collection and use of information in accordance with this Privacy Policy, as defined by the existing legal data protection framework of Canada, PIPEDA (Personal Information Protection and Electronic Documents Act), and provincial laws such as PIPA Alberta, PIPA BC and the Quebec Privacy Act.

5. Interpretation and Definitions

5.1. Interpretation

 

The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural, and regardless of whether they are expressly mentioned in PIPEDA, for as long as this is not in contravention of existing laws.

5.2. Definitions

 

For the purposes of this Privacy Policy:

 

 

  • “Processing”: Is not expressly defined under Canadian Privacy Statutes but, in practice, would include the collection, use, modification, storage, disclosure or destruction of personal information.

 

  • “Controller”: Is not expressly defined under Canadian Privacy Statutes. Canadian Privacy Statutes refer to “organizations” more generally, which include controllers.

 

  • “Processor”: Is not defined under Canadian Privacy Statutes. Canadian Privacy Statutes refer to “organizations” more generally, which include processors.

 

  • “Data Subject”: Is not defined under Canadian Privacy Statutes. Canadian Privacy Statutes refer to individuals.

 

  • “Sensitive Personal Data”: Is not defined under Canadian Privacy Statutes. PIPEDA provides that “any information can be sensitive depending on the context”.

 

  • “Data Breach”: PIPEDA defines a “breach of security safeguards” as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards”. PIPA AB does not define “Data Breach” but requires notification to the Alberta Information and Privacy Commissioner who may in turn require notification to affected individuals “of any incident involving the loss of, or unauthorized access to, or disclosure of, the personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure”.

 

  • “Account” means a unique account created for You to access our Platform or parts of our Service.

 

  • “Commercial activity” means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.

 

  • “Fintech Company” (referred to as either “the Company”, “We”, “Us” or “Our” in this Agreement) refers to OdumPay.

 

For the purpose of the PIPEDA, the Company is the Data Controller.

 

  • “Cookies” are small files that are placed on Your computer, mobile device or any other device by a website, containing the details of Your browsing history on that website among its many uses.

 

  • “Data Controller”, for the purposes of the PIPEDA (Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5)), refers to the Company as the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data.

 

  • “Device” means any device that can access the Service such as a computer, a cell phone or a digital tablet.

 

  • “Do Not Track” (DNT) is a concept that has been promoted by European Data Regulatory Bodies, under the General Data Protection Regulation (“GDPR”), for the Internet industry to develop and implement a mechanism for allowing internet users to control the tracking of their online activities across websites.

 

  • “Personal Data” is any information that relates to an identified or identifiable individual.

 

Pursuant to the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), any information that identifies, relates to, describes or is capable of being associated with, or could reasonably be linked, directly or indirectly, with You, except as otherwise prohibited by Section 38.13 or 38.41 of the Canada Evidence Act.

 

For the purposes of PIPEDA, the provincial Canadian Privacy Statutes (PIPA Alberta, PIPA BC and the Quebec Privacy Act) and the GDPR, “Sale” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer’s personal information to another business or a third party for monetary or other valuable consideration.

 

  • “Service” refers to the Website.

 

  • “Service Provider” means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used. For the purpose of the GDPR, Service Providers are considered Data Processors.

 

  • “Usage Data” refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).

 

  • “Website” refers to OdumPay, accessible from https://odumpay.com/

 

  • “You” means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.

 

Under PIPEDA, or the EU GDPR (General Data Protection Regulation), “You” can be referred to as the Data Subject or as the User, as You are the individual using the Service.

 

6.0. How We Collect and Use Your Personal Data

 

 

  • How we collect or obtain information about you:
    • when you provide it to us (e.g. by contacting us, signing up as a new member, co-author, lecturer or student, conducting transactions via our website, and signing up to our e-newsletter and/or surveys),
    • from your use of our website, using cookies and similar technologies, and
    • occasionally, from third parties.

 

6.1. Types of Data Collected

6.1.1. Personal Data

 

While using Our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information may include, but is not limited to:

 

  • IP address
  • Cookies
  • Information about your computer or device (e.g. device and browser type)
  • Information about how you use our platform (number of times viewed, pages viewed, services clicked on, and geographical location from which you accessed our website)
  • Email address
  • First name and last name
  • Phone number
  • Address, State, Province, ZIP/Postal code, City
  • Credit or debit card details (if applicable)
  • VAT number (if applicable)
  • Company name or business name (if applicable)

 

6.1.2. Usage Data

 

Usage Data is collected automatically when using the Service.

 

Usage Data may include information such as Your Device’s Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

 

When You access the Service by or through a mobile device, We may collect certain information automatically, including, but not limited to, the type of mobile device You use, Your mobile device unique ID, the IP address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique device identifiers and other diagnostic data.

 

We may also collect information that Your browser sends whenever You visit our Service or when You access the Service by or through a mobile device.

We are, however, mindful of and guided by Section 1, Article 7.2, paragraphs (1) and (2), to use the information collected for the very purposes intended, as guaranteed by the legal architecture of PIPEDA.

6.1.3. Tracking Technologies and Cookies

 

We use Cookies and similar tracking technologies to track the activity on Our Service and store certain information. The tracking technologies used are beacons, tags, and scripts, which collect and track information and help to improve and analyze Our Service. The technologies We use may include:

 

  • Cookies or Browser Cookies. A cookie is a small file placed on Your Device. You can instruct Your browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if You do not accept Cookies, You may not be able to use some parts of our Service. Unless you have adjusted Your browser setting so that it will refuse Cookies, our Service may use Cookies.
  • Web Beacons. Certain sections of our Service and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the Company, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of a certain section and verifying system and server integrity).

 

Cookies can be “Persistent” or “Session” Cookies. Persistent Cookies remain on Your personal computer or mobile device when You go offline, while Session Cookies are deleted as soon as You close Your web browser.

 

We use both Session and Persistent Cookies for the purposes set out below:

 

  • Necessary / Essential Cookies

 

Type: Session Cookies

 

Administered by: Us

 

Purpose: These Cookies are essential to provide You with services available through the Website and to enable You to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts. Without these Cookies, the services that You have asked for cannot be provided, and We only use these Cookies to provide You with those services.

 

  • Cookies Policy / Notice Acceptance Cookies

 

Type: Persistent Cookies

 

Administered by: Us

 

Purpose: These Cookies identify if users have accepted the use of cookies on the Website.

 

  • Functionality Cookies

 

Type: Persistent Cookies

 

Administered by: Us

 

Purpose: These Cookies allow us to remember choices You make when You use the Website, such as remembering your login details or language preference. The purpose of these Cookies is to provide You with a more personal experience and to avoid You having to re-enter your preferences every time You use the Website.

 

  • Tracking and Performance Cookies

 

Type: Persistent Cookies

 

Administered by: Third-Parties

 

Purpose: These Cookies are used to track information about traffic to the Website and how users use the Website. The information gathered via these Cookies may directly or indirectly identify you as an individual visitor. This is because the information collected is typically linked to a pseudonymous identifier associated with the device you use to access the Website. We may also use these Cookies to test new pages, features or new functionality of the Website to see how our users react to them.

 

For more information about the cookies we use and your choices regarding cookies, please visit our Cookies Policy or the Cookies section of our Privacy Policy.

 

7.0. Use of Your Personal Data

 

The Company may use Personal Data for the following purposes:

 

  • To provide and maintain our Service, including to monitor the usage of our Service.
  • To manage Your Account: to manage Your registration as a user of the Service. The Personal Data You provide can give You access to different functionalities of the Service that are available to You as a registered user.
  • For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or services You have patronized or of any other contract with Us through the Service.
  • To contact You: To contact You by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application’s push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation.
  • To provide You with news, special offers and general information about services and events which we offer and are similar to those that you have already engaged with or enquired about unless You have opted not to receive such information.
  • To manage Your requests: To attend and manage Your requests to Us.
  • For business transfers: We may use Your information to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by Us about our Service users is among the assets transferred.
  • For other purposes: We may use Your information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our Service, products, services, marketing and your experience.

 

We may share Your personal information in the following situations:

 

  • With Service Providers: We may share Your personal information with Service Providers to monitor and analyze the use of our Service, for payment processing, and to contact You.
  • For business transfers: We may share or transfer Your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of Our business to another company.
  • With Affiliates: We may share Your information with Our affiliates, in which case we will require those affiliates to honor this Privacy Policy. Affiliates include Our subsidiaries, joint venture partners or other companies that We control or that are under common control with Us (equity shareholdings).
  • With business partners: We may share Your information with Our business partners to offer You certain products, services or promotions.
  • With Your consent: We may disclose Your personal information for any other purpose with Your consent.

The management of User data as spelt out herein is entirely subject to Section 1, Article 7.2, paragraphs (1) and (2), of PIPEDA, which states:

Prospective business transaction

7.2 (1) In addition to the circumstances set out in subsections 7(2) and (3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, organizations that are parties to a prospective business transaction may use and disclose personal information without the knowledge or consent of the individual if

(a) the organizations have entered into an agreement that requires the organization that receives the personal information

(i) to use and disclose that information solely for purposes related to the transaction,

(ii) to protect that information by security safeguards appropriate to the sensitivity of the information, and

(iii) if the transaction does not proceed, to return that information to the organization that disclosed it, or destroy it, within a reasonable time; and

(b) the personal information is necessary

(i) to determine whether to proceed with the transaction, and

(ii) if the determination is made to proceed with the transaction, to complete it.

Completed business transaction

(2) In addition to the circumstances set out in subsections 7(2) and (3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, if the business transaction is completed, organizations that are parties to the transaction may use and disclose personal information, which was disclosed under subsection (1), without the knowledge or consent of the individual if

(a) the organizations have entered into an agreement that requires each of them

(i) to use and disclose the personal information under its control solely for the purposes for which the personal information was collected, permitted to be used or disclosed before the transaction was completed,

(ii) to protect that information by security safeguards appropriate to the sensitivity of the information, and

(iii) to give effect to any withdrawal of consent made under clause 4.3.8 of Schedule 1;

(b) the personal information is necessary for carrying on the business or activity that was the object of the transaction; and

(c) one of the parties notifies the individual, within a reasonable time after the transaction is completed, that the transaction has been completed and that their personal information has been disclosed under subsection (1).

Under the legal language or doctrine of Article 7.2, “Data minimization”, PIPEDA and the provincial laws (PIPA Alberta, PIPA BC and the Quebec Privacy Act), all Canadian Privacy Statutes, generally require that the collection, use and disclosure of personal information be limited (both in type and volume) to the extent necessary to fulfil the purposes identified by the organization. This further implies that personal information shall not be retained longer than necessary to fulfil those purposes, which corroborates the doctrine of Article 8, in which the doctrine of “Data Retention” is reposed.

7.1. Retention of Your Personal Data

 

Pursuant to Section 1, Article 8 of PIPEDA which reads:

 

Retention of information

 

(8) Despite clause 4.5 of Schedule 1, an organization that has personal information that is the subject of a request shall retain the information for as long as is necessary to allow the individual to exhaust any recourse under this Part that they may have.

 

It is Our understanding that the viability of data and the legality of its retention are subject to the period during which it remains relevant to the interest of Our business objectives.

 

Although it must be admitted that, upon the lapse of contractual agreements, the legality of retention becomes null and void, We recognize that the forfeiture of such legal entitlement, as Data Controllers and Processors, may not be subject to exhaustive overhaul if:

  1. The prolonged retention of data is reasonably necessary for a lawful undertaking of an activity;
  2. The retention of data is required by virtue of a contract between the parties to the contract; or
  3. The Data Subject consents to the retention of the data.

 

 

Although the retention of data is backed by PIPEDA, except in the exceptional circumstances provided, the period of retention shall be defined by the terms of the contract validity and by the purposes set out under Section 1, Article 8, of PIPEDA.

 

7.3. Transfer of Your Personal Data

 

We are mindful of the provisions of the Data Protection Act 2012. Your information, including Personal Data, is processed at the Company’s operating offices and in any other places where the parties involved in the processing are located. This means that this information may be transferred to, and maintained on, computers located outside of Your state, province, country or other governmental jurisdiction, where the data protection laws may differ from those of Your jurisdiction.

 

Your consent to this Privacy Policy followed by Your submission of such information represents Your agreement to that transfer.

 

The Company will take all steps reasonably necessary to ensure that Your data is treated securely and in accordance with this Privacy Policy and no transfer of Your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of Your data and other personal information.

 

 

                    

SECTION C

DATA SECURITY PROTOCOLS

 

8.0. Data Integrity and Security

 

 

Although the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) does not expressly categorize the classes of data, such circumstances are defined as set out in Division 1.1, Article 10.1, subsections (7) and (8), which read:

 

Definition of significant harm

(7) For the purpose of this section, significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

 

Real risk of significant harm — factors

 

(8) The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include

(a) the sensitivity of the personal information involved in the breach;

(b) the probability that the personal information has been, is being or will be misused; and

(c) any other prescribed factor.

 

Or as stated in Schedule 1 of PIPEDA, Article 4.1, paragraph (3),

 

(3) The Commissioner and every person acting on behalf or under the direction of the Commissioner, in carrying out their functions under this Part, shall not disclose information subject to a certificate issued under section 38.13 or 38.41 of the Canada Evidence Act, and shall take every reasonable precaution to avoid the disclosure of that information.

 

The implied suggestion herein is that there is an implicit categorization of information or data based on its sensitivity.

 

It therefore raises every necessary expectation that We would employ relevant measures to regulate organizational behavior and operational integrity through the development of a supplementary internal operational framework, on the foundations of an ISO 27001 policy, to reduce the risk of potential liabilities that may arise.

 

8.1. ISO 27001 Data Management Policy

 

8.1.1. Policy Purpose

 

We shall ensure the efficient handling and safe processing of user data or personal data, and shall at all times guarantee the completeness of data and its integrity, and reduce the risk of potential breaches.

This Data Management Policy is to ensure the confidentiality, integrity, and availability of data in circumstances where it becomes a necessity under Division 1 of PIPEDA, Section 7, Paragraphs (1), (2) and (3), which treat disclosure without consent as legally viable, to protect the interests of the company, its associates or affiliates, its clients, and the Canadian State where applicable.

The International Standard for information security management, specifically ISO 27001, for as long as it remains globally accepted and legally viable regardless of the jurisdiction, and as long as it remains legally sufficient under the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), shall become Our supplementary framework to standardize our operational activities, as well as to offer safeguards to our data management architecture.

It is intended to offer complementary roles, in the prevention of

 (a) loss of, damage to, or unauthorized destruction; and

(b) unlawful access to or unauthorized processing of personal data,

By ensuring that as the “Data Controller”, We shall take the necessary steps to secure the integrity of personal data in the possession or control of a person or an entity, through the adoption of appropriate, reasonable, technical and organizational measures to prevent

 

(2) The data controller shall take reasonable measures to:

(a) identify reasonably foreseeable internal and external risks to personal data under that person’s possession or control;

 (b) establish and maintain appropriate safeguards against the identified risks;

(c) regularly verify that the safeguards are effectively implemented; and

(d) ensure that the safeguards are continually updated in response to new risks or deficiencies.

(3) A data controller shall observe

(a) generally accepted information security practices and procedure, and

(b) specific industry or professional rules and regulations.

8.1.1.1. Scope

This policy shall apply to all employees, contractors, consultants, and third parties with access to the company’s information systems, whether working onsite or remotely. It encompasses all data, including client data, internal records, and third-party information.

8.1.2. Roles and Responsibilities

  • Data Owner: Shall be responsible for defining data classification, access levels, and retention requirements.
  • Data Custodian: Shall ensure data is stored securely and access controls are applied.
  • Employees and Contractors: Shall comply with this policy and report any data management issues or breaches.
  • Information Security Officer: Shall oversee the implementation and monitoring of this policy.

OdumPay, in accordance with the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), shall assume the duties and responsibilities of a Data Controller, opening itself up to liabilities, while invoking the doctrine of “liability limitation” where circumstantially applicable.

 

8.1.3. Data Classification

All data shall be classified into the following categories:

  • Public: Data that can be freely shared without risk.
  • Internal Use: Data intended for employees or approved contractors or affiliates.
  • Confidential: Sensitive client or company information requiring strict access controls.

8.1.4. Data Handling and Storage

 

 

  • Data shall be stored securely, utilizing encryption for confidential and sensitive information.
  • Access to data shall be granted on a need-to-know basis, with permissions reviewed quarterly.
  • Physical documents containing sensitive information shall be stored in locked cabinets and shredded when no longer needed.

8.1.5. Data Retention and Disposal

 

  • Pursuant to Division 1, Article 8, Paragraph 8, which reads;

 

Retention of information

(8) Despite clause 4.5 of Schedule 1, an organization that has personal information that is the subject of a request shall retain the information for as long as is necessary to allow the individual to exhaust any recourse under this Part that they may have,

 

We shall, in accordance with the law as prescribed, not retain data upon the elapse of its usefulness or of the binding contractual agreement which offers data retention legality, except, however, under the conditions of:

 

  1. State interest or national security,
  2. A lawful purpose related to a function or activity, or
  3. Client personal interest.

 

Upon reaching the end of the retention period, data must be securely disposed of through certified data destruction methods, as prescribed by law.

 

8.1.6. Access Control

  • Role-based access control (RBAC) must be implemented to limit data access.
  • Multi-factor authentication (MFA) is required for systems containing sensitive information.
  • User accounts are to be deactivated within 24 hours of employee termination.

8.1.7. Data Backup and Recovery

  • Regular backups must be conducted for critical data, stored securely, and tested periodically for recovery.
  • A disaster recovery plan must be in place to restore data and services in the event of a breach or loss.

8.1.8. Oversight and Compliance

  • Routine assessments and evaluations will be performed to verify compliance and detect vulnerabilities.
  • Failure to comply with these requirements may lead to disciplinary measures, including potential dismissal.

8.1.8.1. Policy Maintenance

  • This policy will undergo annual evaluation and revisions to reflect changes in legal, operational, or business obligations.

 

8.2. Disclosure of Your Personal Data

8.2.1. Business Transactions

 

If the Company is involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. However, We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy, in compliance with the legal framework of the Personal Information Protection and Electronic Documents Act, Paragraph 4 of Section 7.2 which reads:

(4) Subsections (1) and (2) do not apply to a business transaction of which the primary purpose or result is the purchase, sale or other acquisition or disposition, or lease, of personal information.

 

It prohibits, or makes ineffective, subsections (1) and (2), which afford legality to “collection and usage of data without consent”.

However, in circumstances as would be applicable, as set forth in Section 7.2 subsections (1) and (2), Paragraph 4 of Section 7.2 ceases to have a holding effect.

Section 7.2 (1) and (2) reads:

Prospective business transaction

7.2 (1) In addition to the circumstances set out in subsections 7(2) and (3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, organizations that are parties to a prospective business transaction may use and disclose personal information without the knowledge or consent of the individual if

(a) the organizations have entered into an agreement that requires the organization that receives the personal information

(i) to use and disclose that information solely for purposes related to the transaction,

(ii) to protect that information by security safeguards appropriate to the sensitivity of the information, and

(iii) if the transaction does not proceed, to return that information to the organization that disclosed it, or destroy it, within a reasonable time; and

(b) the personal information is necessary

(i) to determine whether to proceed with the transaction, and

(ii) if the determination is made to proceed with the transaction, to complete it.

The disclosure to third parties consisting of Our mutual partners, aligned with us in our business venture.

 

Completed business transaction

(2) In addition to the circumstances set out in subsections 7(2) and (3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, if the business transaction is completed, organizations that are parties to the transaction may use and disclose personal information, which was disclosed under subsection (1), without the knowledge or consent of the individual if:

(a) the organizations have entered into an agreement that requires each of them

(i) to use and disclose the personal information under its control solely for the purposes for which the personal information was collected, permitted to be used or disclosed before the transaction was completed,

(ii) to protect that information by security safeguards appropriate to the sensitivity of the information, and

(iii) to give effect to any withdrawal of consent made under clause 4.3.8 of Schedule 1;

(b) the personal information is necessary for carrying on the business or activity that was the object of the transaction; and

(c) one of the parties notifies the individual, within a reasonable time after the transaction is completed, that the transaction has been completed and that their personal information has been disclosed under subsection (1).

 

8.2.2. Law enforcement

 

Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency), in compliance with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (S.C. 2000, c. 17), and the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5).

 

Canada’s anti-money laundering (AML) laws are governed by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). The PCMLTFA aims to: 

  • Detect and deter money laundering and terrorist financing
  • Investigate and prosecute money laundering and terrorist financing offenses
  • Establish record-keeping and client identification requirements
  • Report suspicious financial transactions
  • Respond to organized crime
  • Protect personal information

 

It is in this regard that information would be disclosed without prior user consent, as set forth under Article 7, subsections (1), (2) of the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), which reads:

Collection without knowledge or consent

7 (1) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may collect personal information without the knowledge or consent of the individual only if

(a) the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way;

(b) it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province;

(b.1) it is contained in a witness statement and the collection is necessary to assess, process or settle an insurance claim;

(b.2) it was produced by the individual in the course of their employment, business or profession and the collection is consistent with the purposes for which the information was produced;

(c) the collection is solely for journalistic, artistic or literary purposes;

(d) the information is publicly available and is specified by the regulations; or

(e) the collection is made for the purpose of making a disclosure

(i) under subparagraph (3)(c.1)(i) or (d)(ii), or

(ii) that is required by law.

 

Use without knowledge or consent

(2) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may, without the knowledge or consent of the individual, use personal information only if

(a) in the course of its activities, the organization becomes aware of information that it has reasonable grounds to believe could be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, and the information is used for the purpose of investigating that contravention;

(b) it is used for the purpose of acting in respect of an emergency that threatens the life, health or security of an individual;

(b.1) the information is contained in a witness statement and the use is necessary to assess, process or settle an insurance claim;

(b.2) the information was produced by the individual in the course of their employment, business or profession and the use is consistent with the purposes for which the information was produced;

(c) it is used for statistical, or scholarly study or research, purposes that cannot be achieved without using the information, the information is used in a manner that will ensure its confidentiality, it is impracticable to obtain consent and the organization informs the Commissioner of the use before the information is used;

(c.1) it is publicly available and is specified by the regulations; or

(d) it was collected under paragraph (1)(a), (b) or (e).

Disclosure without knowledge or consent

(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is

(a) made to, in the Province of Quebec, an advocate or notary or, in any other province, a barrister or solicitor who is representing the organization;

(b) for the purpose of collecting a debt owed by the individual to the organization;

(c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law,

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province, or

(iv) the disclosure is requested for the purpose of communicating with the next of kin or authorized representative of an injured, ill or deceased individual;

(c.2) made to the government institution mentioned in section 7 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act as required by that section;

(d) made on the initiative of the organization to a government institution or a part of a government institution and the organization

(i) has reasonable grounds to believe that the information relates to a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, or

(ii) suspects that the information relates to national security, the defence of Canada or the conduct of international affairs;

(d.1) made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;

(d.2) made to another organization and is reasonable for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed and it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud;

(d.3) made on the initiative of the organization to a government institution, a part of a government institution or the individual’s next of kin or authorized representative and

(i) the organization has reasonable grounds to believe that the individual has been, is or may be the victim of financial abuse,

(ii) the disclosure is made solely for purposes related to preventing or investigating the abuse, and

(iii) it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the ability to prevent or investigate the abuse;

 

Applicability of the FATML/CFT Regulations

Canada’s Financial Action Task Force’s (FATF) Standards Against Money Laundering and Counter-terrorist Financing 

 

The Financial Administration Act (R.S.C., 1985, c. F-11) and the Electronic Payments Regulations (SOR/98-129) of Canada, in compliance with the global FATML/CFT Regulations, regulate Our operations under the payor-payee transit relations.

As defined in the FATF AML/CTF regulations, Shell banks are described as

  1. Banks with no physical presence in any country. This suggests that Shell Banking, in the broader context, consists of:
  2. A financial institution that is not physically present in any country and is not overseen by a banking authority.
  3. A financial institution not regulated by or subject to the financial regime policies of a banking authority. This increases the likelihood of their being a key conduit in anti-money laundering regulations, as they are often used in offshore centers.

As stated in the Revised-AML-CFT-Guideline, section 1.21, Shell banks, sub-section (b), which states: “Financial institutions shall take all necessary measures to satisfy themselves that respondent financial institutions in a foreign country do not permit their accounts to be used by shell banks”.

Part 2, Section 12 (1) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (S.C. 2000, c. 17), states:

Reporting

Currency and monetary instruments

  • 12 (1) Every person or entity referred to in subsection (3) shall report to an officer, in accordance with the regulations, the importation or exportation of currency or monetary instruments of a value equal to or greater than the prescribed amount.
  • Limitation

(2) A person or entity is not required to make a report under subsection (1) in respect of an activity if the prescribed conditions are met in respect of the person, entity or activity, and if the person or entity satisfies an officer that those conditions have been met.

  • Who must report

(3) Currency or monetary instruments shall be reported under subsection (1)

    • (a) in the case of currency or monetary instruments in the actual possession of a person arriving in or departing from Canada, or that form part of their baggage if they and their baggage are being carried on board the same conveyance, by that person or, in prescribed circumstances, by the person in charge of the conveyance;
    • (b) in the case of currency or monetary instruments imported into Canada by courier or as mail, by the exporter of the currency or monetary instruments or, on receiving notice under subsection 14(2), by the importer;
    • (c) in the case of currency or monetary instruments exported from Canada by courier or as mail, by the exporter of the currency or monetary instruments;
    • (d) in the case of currency or monetary instruments, other than those referred to in paragraph (a) or imported or exported as mail, that are on board a conveyance arriving in or departing from Canada, by the person in charge of the conveyance; and
    • (e) in any other case, by the person on whose behalf the currency or monetary instruments are imported or exported.

This compliance is to ensure We do not suffer any liabilities under the legal doctrine of “abetment”, as clearly echoed in the Criminal Code (R.S.C., 1985, c. C-46), Sections 19, 21, 22:

Ignorance of the law

19 Ignorance of the law by a person who commits an offence is not an excuse for committing that offence.

  • R.S., c. C-34, s. 19

Parties to offence

  • 21 (1) Every one is a party to an offence who
    • (a) actually commits it;
    • (b) does or omits to do anything for the purpose of aiding any person to commit it; or
    • (c) abets any person in committing it.
  • Common intention

(2) Where two or more persons form an intention in common to carry out an unlawful purpose and to assist each other therein and any one of them, in carrying out the common purpose, commits an offence, each of them who knew or ought to have known that the commission of the offence would be a probable consequence of carrying out the common purpose is a party to that offence.

  • R.S., c. C-34, s. 21

Person counselling offence

  • 22 (1) Where a person counsels another person to be a party to an offence and that other person is afterwards a party to that offence, the person who counselled is a party to that offence, notwithstanding that the offence was committed in a way different from that which was counselled.
  • Idem

(2) Everyone who counsels another person to be a party to an offence is a party to every offence that the other commits in consequence of the counselling that the person who counselled knew or ought to have known was likely to be committed in consequence of the counselling.

  • Definition of counsel

(3) For the purposes of this Act, counsel includes procure, solicit or incite.

 

Offences of negligence — organizations

22.1 In respect of an offence that requires the prosecution to prove negligence, an organization is a party to the offence if

  • (a) acting within the scope of their authority
    • (i) one of its representatives is a party to the offence, or
    • (ii) two or more of its representatives engage in conduct, whether by act or omission, such that, if it had been the conduct of only one representative, that representative would have been a party to the offence; and
  • (b) the senior officer who is responsible for the aspect of the organization’s activities that is relevant to the offence departs — or the senior officers, collectively, depart — markedly from the standard of care that, in the circumstances, could reasonably be expected to prevent a representative of the organization from being a party to the offence.
  • 2003, c. 21, s. 2

Other offences — organizations

22.2 In respect of an offence that requires the prosecution to prove fault — other than negligence — an organization is a party to the offence if, with the intent at least in part to benefit the organization, one of its senior officers

  • (a) acting within the scope of their authority, is a party to the offence;
  • (b) having the mental state required to be a party to the offence and acting within the scope of their authority, directs the work of other representatives of the organization so that they do the act or make the omission specified in the offence; or
  • (c) knowing that a representative of the organization is or is about to be a party to the offence, does not take all reasonable measures to stop them from being a party to the offence.

 

Electronic Payments Regulations (SOR/98-129)

Electronic instruction for payment means an instruction for payment referred to issued electronically on media or by on-line transfer, to a financial institution to credit the account of a particular payee with a specific payment.

  • Financial institution means an institution, corporation or other entity, incorporated, continued or formed by or under an Act of Parliament or the legislature of a province or under the laws of a foreign state or a political subdivision of a foreign state, that holds deposits and honours cheques and other payment instructions on behalf of its clients and includes a bank, a trust company and a cooperative credit society.
  • Payee means a person to whom a payment is to be made by means of an electronic instruction for payment. (bénéficiaire)
  • Payment date means the date on which payment is to be made to the payee. (date de paiement)
  • Revoke means to issue an instruction to a financial institution countermanding a particular electronic instruction for payment. (annuler)

Application

(2) These Regulations apply to every payment made out of the Consolidated Revenue Fund by means of an electronic instruction for payment.

Issuing Electronic Instructions for Payment

(3) Every electronic instruction for payment must

  • (a) be issued by or under the direction and control of the Receiver General;
  • (b) include
    • (i) the amount of the payment,
    • (ii) the payment reference number,
    • (iii) the name of the payee,
    • (iv) the payee’s financial institution number, branch number and account number, and
    • (v) the payment date; and
  • (c) when issued by on-line transfer, be authorized by a digital signature.

4 The Receiver General shall take all necessary measures to ensure

  • (a) the security of the system used for the transmission of electronic instructions for payment to financial institutions;
  • (b) the confidentiality, authenticity and integrity of the data while it is under the control of the Receiver General or being transmitted to a financial institution; and
  • (c) the security, integrity and safekeeping of the media used to issue an electronic instruction for payment while the media are under the control of the Receiver General or in transit to a financial institution for processing.

Authentication

  • 5 (1) All media used to issue an electronic instruction for payment must
    • (a) contain internal labels that identify the media by setting out
      • (i) the originating data centre,
      • (ii) the processing data centre,
      • (iii) the file creation date and file number,
      • (iv) the date and time of release of the media, and
      • (v) the system, file identification number, volume serial number and sequence of the originator’s file.
    • (b) when delivered to a financial institution for processing, be accompanied by a transmittal document, signed by the Deputy Receiver General or by a person authorized by the Deputy Receiver General in writing, that contains the information described in subparagraphs (a)(i) to (v).
  • (2) The Deputy Receiver General shall provide to a financial institution the names and specimen signatures of all persons authorized to sign a transmittal document addressed to that financial institution.
  • (3) Every electronic instruction for payment issued by on-line transfer shall be acknowledged by the financial institution that receives it and every electronic authorization shall be verified by the financial institution to ensure the integrity of the instruction.

Acceptance

(6) A financial institution that accepts an electronic instruction for payment shall make the funds available for withdrawal or other use by the payee

  • (a) not later than the opening of business on the payment date, if the electronic instruction for payment is received by the financial institution before the payment date; or
  • (b) on receipt of the electronic instruction for payment, if it is received on or after the payment date.

Replacement Payments

(7) Where it has been confirmed with the applicable financial institution that a payment to be made by means of an electronic instruction for payment has not been credited by the payment date to the account designated by the payee, in accordance with the procedures set out in the agreement with the financial institution for such designation, a replacement payment may be issued to the payee in the same amount as the original payment if

  • (a) the electronic instruction for payment is revoked; and
  • (b) the amount already paid to the financial institution, if any, is recovered through chargeback or by other means.

 

Electronic money issuers in Canada are subject to federal regulation under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). They must register with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) as Money Services Businesses (MSBs).

 

Established Internal Protocols

Customer Due Diligence (CDD): The Company shall conduct thorough KYC (Know Your Client) checks during customer onboarding, verifying identification and assessing risk profiles based on factors such as business type, transaction history, and geographical location.

Risk-Based Approach: A risk-based approach shall be employed to monitor and assess customers and their transactions continuously, adjusting the level of scrutiny based on their risk classification (low, medium, or high), in compliance with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (S.C. 2000, c. 17).

 

Detection of Suspicious Transactions:

Red Flags: Specific red flags are defined for detecting suspicious activities, such as unusual transaction sizes, patterns inconsistent with a customer’s profile, or transactions involving high-risk jurisdictions or entities.

Suspicious Activity Reports (SARs):

 

  1. Reporting of Suspicious Transactions:
    • Internal Reporting: If a suspicious transaction is identified, it is reported internally within the compliance department. The compliance team reviews the case and determines whether it meets the criteria for reporting to external authorities.
    • External Reporting: Reports of suspicious transactions are filed with the relevant authorities, namely the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) as per local regulations. These reports include detailed information about the transaction, the reasons for suspicion, and any actions taken by the Company.
    • Record Keeping: All reports of suspicious activity, along with the supporting documentation and actions taken, are retained for the duration permissible under the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), specifically Section 1, Article 8, which states:

Retention of information

(8) Despite clause 4.5 of Schedule 1, an organization that has personal information that is the subject of a request shall retain the information for as long as is necessary to allow the individual to exhaust any recourse under this Part that they may have.

 

This suggests that, once there is no longer any relevant use for the information, its retention period elapses or ceases to exist.

 

  1. Ongoing Monitoring and Review:
    • Periodic Reviews: Regular audits and assessments shall be carried out to ascertain policy effectiveness.
    • Continuous Improvement: OdumPay shall update its policies regularly to account for regulatory changes, emerging risks, and feedback from monitoring activities.

 

These policies ensure that OdumPay can effectively detect and prevent suspicious transactions, comply with regulatory reporting requirements, and mitigate risks related to money laundering and terrorist financing.

 

8.2.2.1. Other legal requirements

 

The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:

 

  • Comply with a legal obligation
  • Protect and defend the rights or property of the Company
  • Prevent or investigate possible wrongdoing in connection with the Service
  • Protect the personal safety of Users of the Service or the public
  • Protect against legal liability

 

8.3. Security of Your Personal Data

 

The security of Your Personal Data is important to Us, but We do not seek to offer the false impression that data transmission over the Internet, or any method of electronic storage, is infallible. While We strive to use commercially acceptable means to protect Your Personal Data, We cannot guarantee its absolute security.

However, in compliance with Section 1.1, Clause 10.1, paragraphs (3), (4) and (5), We shall comply accordingly in respect of any breach, as set forth:

“Notification to individual

(3) Unless otherwise prohibited by law, an organization shall notify an individual of any breach of security safeguards involving the individual’s personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.

Contents of notification

(4) The notification shall contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm. It shall also contain any other prescribed information.

Form and manner

(5) The notification shall be conspicuous and shall be given directly to the individual in the prescribed form and manner, except in prescribed circumstances, in which case it shall be given indirectly in the prescribed form and manner”.

 

It is also in this regard, as set forth in Clause 10.3 of PIPEDA, Paragraph (1):

“10.3 (1) An organization shall, in accordance with any prescribed requirements, keep and maintain a record of every breach of security safeguards involving personal information under its control”,

that We would strive to make appropriate determinations of the personal information at risk of breach, as set out in Section 1.1, Article 10.1, paragraphs (7) and (8), and to provide adequately improved internal security structures to safeguard it.

Section 1.1, Article 10.1, paragraphs (7) & (8), reads:

“(7) For the purpose of this section, significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

Real risk of significant harm — factors

(8) The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include

(a) the sensitivity of the personal information involved in the breach;

(b) the probability that the personal information has been, is being or will be misused; and

(c) any other prescribed factor”.

 

8.3.1. Detailed Information on the Processing of Your Personal Data

 

The Service Providers We use may have access to Your Personal Data. These third-party vendors collect, store, use, process and transfer information about Your activity on Our Service in accordance with their Privacy Policies.

8.3.1.1. Analytics

Our web analytics service, Google Analytics, collects information such as your location (based on your IP address) and your behavior (based on cookies) when you access our website (such as the pages you visit and what you click on). We will only process information from cookies if you have consented to us setting cookies on your computer in accordance with our cookies policy: www.OdumPay.com/cookies-policy

 

Logic involved:

By automatically analyzing and categorizing information such as the location (based on IP address) as well as the behavior and devices of visitors to our website (using cookies), we are able to gain a better understanding of what our website visitors want (in terms of the content of our website and our products), how to improve our website and how to advertise and market our services to them.

 

Significance and envisaged consequences:

 

Cookies will be used to track and store information about your behavior and device on our website (unless you have opted out from receiving such cookies by using our cookie management tool) and your location will be analyzed based on your IP address.

Legal basis for processing: our legitimate interests as safeguarded by Section 7.2, subsections (1) and (2) of PIPEDA, as well as the applicable legal sufficiency as spelt out in Article 6(1)(f) of the EU General Data Protection Regulation.

 

Legitimate interest:

 

Improving our website for our website users and getting to know our website users’ preferences so our website can better meet their needs and desires.

We may use third-party Service providers to monitor and analyze the use of our Service, which again is not in contravention of the

 

8.3.1.1.1. Email Marketing
 

We use web beacons in our marketing emails to analyze who opens our emails and what actions they take (for example, what they click on). We will only process information from web beacons if you have consented to their use in accordance with our cookies policy www.OdumPay.com/cookies-policy

Logic involved: By analyzing how our email recipients respond to our emails, we are able to improve the content and effectiveness of our emails and gauge who is most interested.

Significance and envisaged consequences: your behavior when you open our emails will be tracked using small gif files (web beacons), including open rates, and click through rates.

How to object: You can object to our use of web beacons by emailing info@OdumPay.com

 

Legal basis for processing: legitimate interests, as set out in Section 7.2, paragraphs (1) and (2) of PIPEDA, as well as Article 6(1)(f) of the General Data Protection Regulation.

Legitimate interest: analyzing the level of engagement and effectiveness of our marketing emails and content.

We may use Your Personal Data to contact You with newsletters, marketing or promotional materials and other information that may be of interest to You. You may opt-out of receiving any, or all, of these communications from Us by following the unsubscribe link or instructions provided in any email We send or by contacting Us.

 

We are mindful, however, of the legal language of Section 1, Article 7.1, paragraph (2):

Collection of electronic addresses

 

(2) Paragraphs 7(1)(a) and (b.1) to (d) and (2)(a) to (c.1) and the exception set out in clause 4.3 of Schedule 1 do not apply in respect of:

 

(a) the collection of an individual’s electronic address, if the address is collected by the use of a computer program that is designed or marketed primarily for use in generating or searching for, and collecting, electronic addresses; or

 

(b) the use of an individual’s electronic address, if the address is collected by the use of a computer program described in paragraph (a).

 

Which affords us the legal backing in the collection of data for commercial marketing purposes.

Despite this legal support, We advert our minds to the Canadian Anti-Spam Legislation, which strongly prohibits:

  • The sending of commercial electronic messages without express or implied consent (e.g., spam);
  • The installation of computer programs on another person’s computer system without express consent (e.g., malware, spyware);
  • False or misleading electronic representations used to promote a product, service or business interest; and
  • The unauthorized collection of electronic addresses and the collection of personal information by accessing a computer system in contravention of an Act of Parliament (e.g., address harvesting), which is expressly forbidden by the legal language of Section 1, Article 7.1, paragraph or subsection 3 of PIPEDA, and it reads:

Accessing a computer system to collect personal information

(3) Paragraphs 7(1)(a) to (d) and (2)(a) to (c.1) and the exception set out in clause 4.3 of Schedule 1 do not apply in respect of

(a) the collection of personal information, through any means of telecommunication, if the collection is made by accessing a computer system or causing a computer system to be accessed in contravention of an Act of Parliament; or

(b) the use of personal information that is collected in a manner described in paragraph (a).

It is under such conditions that Division 1, Section 7, paragraphs (1) and (2), which allow for data collection and use without consent, cease to hold legal effect or become null and void.

The Competition Act (R.S.C., 1985, c. C-34), acts in the following capacities:

 

  • Effectively addresses false or misleading representations and deceptive marketing practices in the electronic marketplace, including false or misleading sender or subject matter information, electronic messages, and locator information such as URLs and metadata.

 

Metadata simply refers to the background information that provides further details about one or more aspects of the data, including the means of creation of the data, the purpose of the data, the time and date of creation, and the creator or author of the data.

  • It embodies technology-neutral language that makes it applicable to all emerging technologies.

 

Technology-neutral implies that all means of telecommunications are captured under the Competition Act, including Short Message Services (SMS or text messaging), social media, websites, uniform resource locators (URL) and other locators, applications, blogs, and Voice over Internet Protocol (VoIP).


8.3.2. Payments

 

We may provide paid products and/or services within the Service. In that case, we may use third-party services for payment processing (e.g. payment processors).

 

We will not store or collect Your payment card details. That information is provided directly to Our third-party payment processors whose use of Your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.

 

The PCI-DSS framework ensures that the following standard procedures are adhered to, in order to safeguard the data integrity of all users who engage in financial transactions:

 

  • maintaining secure systems,
  • using antivirus software,
  • encrypting transmitted cardholder data,
  • regularly testing security systems,
  • documenting policies,
  • tracking network access,
  • configuring secure passwords, and
  • performing regular security assessments.

These are the applicable third-party payment platforms:

 

Flutterwave, PayPal, expressPay, myghpay

 

 

Currencies Accepted for transactional purposes:

 

  • United States Dollar (USD)
  • Euro (EUR)
  • British Pound (GBP)
  • Canadian Dollar (CAD)
  • Australian Dollar (AUD)
  • Japanese Yen (JPY)
  • Swiss Franc (CHF)
  • Chinese Yuan (CNY)
  • South African Rand (ZAR)
  • Nigerian Naira (NGN)

The Company retains the sole right to revise charges on transactions at any time prior to transactional activities. The charges quoted may be revised by the Company subsequent to conducting transactions, in the event of any occurrence affecting monetary policies, caused by government action, variation in customs duties, higher foreign exchange costs and/or any other matter beyond the control of the Company. In that event, You will have the right to cancel Your Transaction.

 

 

8.4. GDPR Privacy Policy

 

8.4.1. Legal Basis for Processing Personal Data under GDPR

 

We may process Personal Data under the following conditions:

 

  • Consent: You have given Your consent for processing Personal Data for one or more specific purposes.
  • Performance of a contract: Provision of Personal Data is necessary for the performance of an agreement with You and/or for any pre-contractual obligations thereof.
  • Legal obligations: Processing Personal Data is necessary for compliance with a legal obligation to which the Company is subject.
  • Vital interests: Processing Personal Data is necessary in order to protect Your vital interests or those of another natural person.
  • Public interests: Processing Personal Data is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Company.
  • Legitimate interests: Processing Personal Data is necessary for the purposes of the legitimate interests pursued by the Company.

 

In any case, the Company will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.

 

8.4.2. Your Rights under the GDPR

 

The Company undertakes to respect the confidentiality of Your Personal Data and to guarantee You can exercise Your rights.

 

You have the right under this Privacy Policy, and by law if You are within the EU, to:

 

  • Request access to Your Personal Data. The right to access, update or delete the information We have on You. Whenever made possible, you can access, update or request deletion of Your Personal Data directly within Your account settings section. If you are unable to perform these actions yourself, please contact Us to assist You. This also enables You to receive a copy of the Personal Data We hold about You.
  • Request correction of the Personal Data that We hold about You. You have the right to have any incomplete or inaccurate information We hold about You corrected.
  • Object to processing of Your Personal Data. This right exists where We are relying on a legitimate interest as the legal basis for Our processing and there is something about Your particular situation, which makes You want to object to our processing of Your Personal Data on this ground. You also have the right to object where We are processing Your Personal Data for direct marketing purposes.
  • Request erasure of Your Personal Data. You have the right to ask Us to delete or remove Personal Data when there is no good reason for Us to continue processing it.
  • Request the transfer of Your Personal Data. We will provide to You, or to a third-party You have chosen, Your Personal Data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information which You initially provided consent for Us to use or where We used the information to perform a contract with You.
  • Withdraw Your consent. You have the right to withdraw Your consent on using your Personal Data. If You withdraw Your consent, We may not be able to provide You with access to certain specific functionalities of the Service.
8.4.2.1. Exercising of Your GDPR Data Protection Rights
 

You may exercise Your rights of access, rectification, cancellation and opposition by contacting Us. Please note that we may ask You to verify Your identity before responding to such requests. If You make a request, We will try our best to respond to You as soon as possible.

 

You have the right to complain to a Data Protection Authority about Our collection and use of Your Personal Data. For more information, if You are in the European Economic Area (EEA), please contact Your local data protection authority in the EEA.


8.5. Categories of Personal Information Collected

 

We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or Device. The following is a list of categories of personal information which we may collect or may have been collected, within the last twelve (12) months.

 

Please note that the categories and examples provided in the list below are those legally valid, under the PIPEDA, Electronic Payments Regulations (SOR/98-129) and GDPR. This does not mean that all examples of that category of personal information were in fact collected by Us, but reflects our good faith belief to the best of our knowledge that some of that information from the applicable category may be and may have been collected. For example, certain categories of personal information would only be collected if You provided such personal information directly to Us.

 

  • Category A: Identifiers.

 

Examples: A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, driver’s license number, passport number, or other similar identifiers.

 

Collected: Yes.

 

  • Category B: Personal information categories listed in the Electronic Payments Regulations (SOR/98-129), GDPR and CCPA as applicable.

 

Examples: A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.

 

Collected: Yes.

 

  • Category C: Protected classification characteristics under Canadian State law.

 

Examples: Minors, race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).

 

Collected: No.  

 

  • Category D: Transactional History.

 

Examples: Categories of transactions made, in terms of payment locations and quantum transacted.

 

Collected: Yes.

 

  • Category E: Biometric information.

 

Examples: Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.

 

Collected: No.

 

  • Category F: Internet or other similar network activity.

 

Examples: Interaction with our Service or advertisement.

 

Collected: Yes.

 

  • Category G: Geolocation data.

 

Examples: Approximate physical location.

 

Collected: No.

 

  • Category H: Sensory data.

 

Examples: Audio, electronic, visual, thermal, olfactory, or similar information.

 

Collected: No.

 

  • Category I: Professional or employment-related information.

 

Examples: Current or past job history or performance evaluations.

 

Collected: No.

 

  • Category J: Non-public education information.

 

Examples: Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.

 

Collected: No.

 

  • Category K: Inferences drawn from other personal information.

 

Examples: Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

 

Collected: No.

 

Under PIPEDA (the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5)), personal information does not include information that is not in line with the core principles of Our entity, and information prohibited under Section 38.13 or 38.41 of the Canada Evidence Act.

Under applicable non-Canadian legislation such as the EU General Data Protection Regulation, under which PIPEDA is legally adequate, the following cannot be classified as personal information:

 

  • Publicly available information from government records
  • Deidentified or aggregated consumer information
  • Personal Information covered by certain sector-specific privacy laws
8.5.1. Sources of Personal Information

 

We obtain the categories of personal information listed above from the following categories of sources:

 

  • Directly from You. For example, from the forms You complete on our Service, preferences You express or provide through our Service, or from Your purchases on our Service.
  • Indirectly from You. For example, from observing Your activity on our Service.
  • Automatically from You. For example, through cookies We or our Service Providers set on Your Device as You navigate through our Service.
  • From Service Providers. For example, third-party vendors to monitor and analyze the use of our Service, third-party vendors for payment processing, or other third-party vendors that We use to provide the Service to You.

8.6. Use of Personal Information for Business Purposes or Commercial Purposes

 

We may use or disclose personal information We collect for “business purposes” or “commercial purposes”, in compliance with PIPEDA, Section 1, Clause 3 which states:

 

 

“(3) An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances”.

 

 

PIPEDA further requires in Clause 6.1 under Section 1 of Schedule 1 that:

 

“6.1 For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting”.

 

 

This suggests that a client’s access and use of Our Services shall be deemed by Us as meeting the threshold of legally valid consent, if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

The following are legal purposes for which Your data is used, which may include the following examples:

 

  • To operate our Service and provide You with our Service.
  • To provide You with support and to respond to Your inquiries, including to investigate and address Your concerns and monitor and improve our Service.
  • To fulfill or meet the reason You provided the information. For example, if You share Your contact information to ask a question about our Service, We will use that personal information to respond to Your inquiry. If You provide Your personal information to purchase a product or service, We will use that information to process Your payment and facilitate delivery.

 

 

  • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations, as clearly stated under Clause 3 of Schedule 1 of PIPEDA, under the conditions as set forth:

 

(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is:

 

(a) made to, in the Province of Quebec, an advocate or notary or, in any other province, a barrister or solicitor who is representing the organization;

(b) for the purpose of collecting a debt owed by the individual to the organization;

(c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that:

 

(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law,

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province, or

(iv) the disclosure is requested for the purpose of communicating with the next of kin or authorized representative of an injured, ill or deceased individual;

 

We shall, under the sufficient legal threshold of “suspicious activity” and “national interest”, comply with Clause 3 (c.2) to (d.2) of PIPEDA:

(c.2) made to the government institution mentioned in section 7 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act as required by that section;

(d) made on the initiative of the organization to a government institution or a part of a government institution and the organization

(i) has reasonable grounds to believe that the information relates to a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, or

(ii) suspects that the information relates to national security, the defence of Canada or the conduct of international affairs;

(d.1) made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;

(d.2) made to another organization and is reasonable for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed and it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud;

 

  • As described to You when collecting Your personal information or as otherwise set forth in PIPEDA, or provincial laws such as PIPA Alberta, PIPA BC, Quebec Privacy Act.

 

  • For internal administrative and auditing purposes.
  • To detect security incidents and protect against malicious, deceptive, fraudulent or illegal activity, including, when necessary, to prosecute those responsible for such activities.

 

Please note that the circumstances provided above are illustrative and not intended to be exhaustive. For more details on how we use this information, please refer to the “Use of Your Personal Data” section.

 

If We decide to collect additional categories of personal information or use the personal information We collected for materially different, unrelated, or incompatible purposes We will update this Privacy Policy.

 

8.6.1. Disclosure of Personal Information for Business Purposes or Commercial Purposes

 

We may use or disclose and may have used or disclosed in the last twelve (12) months the following categories of personal information for business or commercial purposes:

 

  1. Category A: Identifiers
  2. Category B: Personal information, except those as prohibited and set out under Sections 13 or 38.41 of the Canada Evidence Act or as defined and the applicable regulations of GDPR, for users beyond the jurisdiction of Canada, in the categories of a child under parental control, religious or philosophical beliefs, race, trade union membership, political opinions, health or sexual life, religious beliefs and/or criminal behavior
  3. Category D: Commercial information
  4. Category F: Internet or other similar network activity

 

Please note that the categories listed above are those defined in the Data Protection Act 2012, and the General Data Protection Regulation. This does not mean that all examples of that category of personal information were in fact disclosed, but reflects our good faith belief to the best of our knowledge that some of that information from the applicable category may be and may have been disclosed. 

 

 

As set forth under Section 7.2 (1) of Schedule 1 PIPEDA:

 

7.2 (1) In addition to the circumstances set out in subsections 7(2) and (3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, organizations that are parties to a prospective business transaction may use and disclose personal information without the knowledge or consent of the individual if

 

(a) the organizations have entered into an agreement that requires the organization that receives the personal information

(i) to use and disclose that information solely for purposes related to the transaction,

(ii) to protect that information by security safeguards appropriate to the sensitivity of the information, and

(iii) if the transaction does not proceed, to return that information to the organization that disclosed it, or destroy it, within a reasonable time; and

(b) the personal information is necessary

(i) to determine whether to proceed with the transaction, and

(ii) if the determination is made to proceed with the transaction, to complete it

 

This provision, as set forth, offers Us legal immunity for as long as it is intended for the purposes set out.

As otherwise stated in PIPEDA, or in provincial laws (PIPA Alberta, PIPA BC and the Quebec Privacy Act), specifically Section 7.2, subsection 2, personal data may be processed, and such processing would be considered legally undertaken, under the conditions of protecting Our legitimate activities, as set forth:

(2) In addition to the circumstances set out in subsections 7(2) and (3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, if the business transaction is completed, organizations that are parties to the transaction may use and disclose personal information, which was disclosed under subsection (1), without the knowledge or consent of the individual if

 

(a) the organizations have entered into an agreement that requires each of them

(i) to use and disclose the personal information under its control solely for the purposes for which the personal information was collected, permitted to be used or disclosed before the transaction was completed,

(ii) to protect that information by security safeguards appropriate to the sensitivity of the information, and

(iii) to give effect to any withdrawal of consent made under clause 4.3.8 of Schedule 1;

(b) the personal information is necessary for carrying on the business or activity that was the object of the transaction; and

(c) one of the parties notifies the individual, within a reasonable time after the transaction is completed, that the transaction has been completed and that their personal information has been disclosed under subsection (1).

 

Section 7, subsections 7(2) and (3), under Schedule 1 of PIPEDA, sets out the circumstances in which data can be collected or used without consent, for which Section or Clause 7.2 applies, without any risk of liability.

 

In other circumstances special personal data may be processed when

 

  1. the consent of the data subject is impossible to obtain, whether from them or on their behalf
  2. circumstances make it unreasonable for the Data controller to be able to obtain the consent of the data subject.

 

 

When We disclose personal information for a business purpose or a commercial purpose, We enter into a contract that describes the purpose and requires the recipient both to keep that personal information confidential and not to use it for any purpose except performing the contract, as set forth in paragraph 3 of Section 7.2 of PIPEDA:

Agreements binding

(3) An organization shall comply with the terms of any agreement into which it enters under paragraph (1)(a) or (2)(a).

However, under paragraph 4, the legally binding effect of Subsections (1) and (2) of Clause 7.2 ceases to exist or apply, suggesting the need for User consent, if

“there exists a business transaction of which the primary purpose or result is the purchase, sale or other acquisition or disposition, or lease, of personal information”.

 

8.7. Sale of Personal Information

 

As defined in Paragraph 4 of Section 7.2:

 

 “(4) Subsections (1) and (2) do not apply to a business transaction of which the primary purpose or result is the purchase, sale or other acquisition or disposition, or lease, of personal information”.

 

Although not expressly defined in PIPEDA or other applicable jurisdictional laws, and unless potential legal contraventions could otherwise arise, “sell” and “sale” mean selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for valuable consideration. This means that We may have received some kind of benefit, legally termed “contractual satisfaction”, in return for sharing personal information, but not necessarily a monetary benefit.

 

Please note that the categories listed are in compliance with Federal Canadian Law, PIPEDA, and provincial laws, PIPA BC, PIPA Alberta, Quebec Privacy Act, and EU GDPR.

 

This does not mean that all examples of that category of personal information were in fact sold, but reflects our good faith belief to the best of our knowledge that some of that information from the applicable category may be and may have been shared for value in return and without breach to the laws as stipulated in the Personal Information Protection and Electronic Documents Act.


 

We may sell and may have sold in the last twelve (12) months the following categories of personal information:

 

And applicable EU General Data Protection Regulations.

 

  • Category D: Commercial information, in compliance with paragraphs (1) and (2) of Section 7.2 of PIPEDA, in the safeguarding of business activities without any significant disruption, which could threaten the economic capacity of Canada.
  • Category F: Internet or other similar network activity, as set out in Paragraph 2 of 1

“(2) Paragraphs 7(1)(a) and (b.1) to (d) and (2)(a) to (c.1) and the exception set out in clause 4.3 of Schedule 1 do not apply in respect of

 (a) the collection of an individual’s electronic address, if the address is collected by the use of a computer program that is designed or marketed primarily for use in generating or searching for, and collecting, electronic addresses; or

(b) the use of an individual’s electronic address, if the address is collected by the use of a computer program described in paragraph (a)”.

 

This suggests, however, that PIPEDA, the Competition Act, the Personal Information Protection and Electronic Documents Act, the Telecommunications Act (S.C. 2010, c. 23) and, most importantly, the Canadian Anti-Spam Legislation (CASL) prohibit:

“unsolicited “commercial electronic messages” (CEMs) sent without consent” 

CEMs may be sent only when consent has been obtained and the message contains the prescribed information, as legally permitted under PIPEDA, citing Paragraph 2 of Section 7.1, which withdraws the legal immunity of “data collection and usage without consent”, as prescribed in paragraphs 7(1)(a) and (b.1) to (d) and (2)(a) to (c.1) under prescribed or limited conditions.

Consent under CASL can be explicit or implicit. To obtain explicit consent under CASL, the recipient must opt in, and the request must contain information on the purpose for consent, identify the sender (name, address/phone number or email) and notify the member that consent can be withdrawn.

Although CASL permits using both implicit and explicit consent to send CEMs, in keeping with good organizational practice We shall strive to obtain explicit consent as much as possible.

Explicit consent is the gold standard of consent and a valuable ethic we strive to retain, in the long term.

However, We seek to make known that CASL (Canadian Anti-Spam Legislation) and Paragraph 2 of Section 7.1 of PIPEDA do not apply under the following conditions:

  • Internal communications: Messages sent between employees within the same company regarding work matters. 
  • Solicited messages: Emails sent in response to a customer inquiry or complaint. 
  • Charity fundraising: Messages sent by registered charities primarily for raising funds. 
  • Transactional emails: Messages necessary to manage an account or complete a transaction. 

 

8.7.1. Share of Personal Information
 

We may share Your personal information identified in the above categories with the following categories of third parties:

 

  • Service Providers
  • Payment processors
  • Our affiliates
  • Our business partners
  • and Third party vendors to whom You or Your agents authorize Us to disclose Your personal information in connection with products or services We provide to You

This is done solely and expressly in compliance with Sections 7(1)(a) to (d) and (2)(a) to (c.1), which set out the legal doctrine of “data collection and usage without consent”, which suffices solely in compliance with established business operational principles.

8.7.1.1. Sale of Personal Information of Minors Under 16 Years of Age

 

We do not knowingly collect personal information from minors under the age of 16 through our Service, although certain third party websites that we link to may do so. These third-party websites have their own terms of use and privacy policies and we encourage parents and legal guardians to monitor their children’s Internet usage and instruct their children to never provide information on other websites without their permission.

 

We do not sell the personal information of Consumers We actually know are less than 16 years of age, unless We receive affirmative authorization (the “right to opt-in”) from either the Consumer who is between 13 and 16 years of age, or the parent or guardian of a Consumer less than 13 years of age. This is in compliance with section (a) of Article 6(1) of the GDPR, for users not within Canadian jurisdiction, and for which Canadian Law, PIPEDA, is “legally sufficient”, and which states:

 

“In relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years”.

 

Consumers who opt-in to the sale of personal information may opt-out of future sales at any time. To exercise the right to opt-out, You (or Your authorized representative) may submit a request to Us by contacting Us.

 

If You have reason to believe that a child under the age of 13 (or 16) has provided Us with personal information, please contact Us with sufficient detail to enable Us to delete that information.

                                                                SECTION D

9.0. Your Rights under PIPEDA

 

The Data Protection Act, 2012, provides users with specific rights regarding their personal information. You have the following rights:

 

  • The right to notice. You have the right to be notified which categories of Personal Data are being collected and the purposes for which the Personal Data is being used.

 

This is set out explicitly under paragraph (3) of Article 7.2, which dictates that:

 

(3) Subsections (1) and (2) do not apply to a business transaction of which the primary purpose or result is the purchase, sale or other acquisition or disposition, or lease, of personal information

 

This provision sets aside Paragraphs 7.2 (1) and (2), which offer organizations the legal backing to collect and use information of Users without their consent.

 

  • The right to request. The Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), Article 9, paragraph (2.1), states:

 

Information related to paragraphs 7(3)(c), (c.1) or (d)

 

 (2.1) An organization shall comply with subsection (2.2) if an individual requests that the organization

(a) inform the individual about

 

(i) any disclosure of information to a government institution or a part of a government institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i) or paragraph 7(3)(c.2) or (d), or

(ii) the existence of any information that the organization has relating to a disclosure referred to in subparagraph (i), to a subpoena, warrant or order referred to in paragraph 7(3)(c) or to a request made by a government institution or a part of a government institution under subparagraph 7(3)(c.1)(i) or (ii); or

 

(b) give the individual access to the information referred to in subparagraph (a)(ii).

 

 

However, paragraph 2.2 of Article 9 states:

 

Notification and response

(2.2) An organization to which subsection (2.1) applies

(a) shall, in writing and without delay, notify the institution or part concerned of the request made by the individual; and

(b) shall not respond to the request before the earlier of

 

(i) the day on which it is notified under subsection (2.3), and

(ii) thirty days after the day on which the institution or part was notified.

 

Determination of Objection or Approval to information request

 

 

As defined in paragraph (2.3) of Article 9 of PIPEDA:

 

(2.3) Within thirty days after the day on which it is notified under subsection (2.2), the institution or part shall notify the organization whether or not the institution or part objects to the organization complying with the request. The institution or part may object only if the institution or part is of the opinion that compliance with the request could reasonably be expected to be injurious to

 

(a) national security, the defence of Canada or the conduct of international affairs;

(a.1) the detection, prevention or deterrence of money laundering or the financing of terrorist activities; or

 

(b) the enforcement of any law of Canada, a province or a foreign jurisdiction, an investigation relating to the enforcement of any such law or the gathering of intelligence for the purpose of enforcing any such law.

 

However, in line with the general legal doctrine, except wherein the conditions as set forth in paragraph (2.3) do not suffice, You have the right, under the Privacy Act (R.S.C., 1985, c. P-21) and PIPEDA (Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5)), to request that We disclose information to You about Our collection, use, sale, disclosure for business purposes and sharing of personal information. Once We receive and confirm Your request, We will disclose to You:

  • The categories of personal information We collected about You
  • The categories of sources for the personal information We collected about You
  • Our business or commercial purpose for collecting or selling that personal information
  • The categories of third parties with whom We share that personal information
  • The specific pieces of personal information We collected about You
  • If we sold Your personal information or disclosed Your personal information for a business purpose, We will disclose to You:

    

 

  • The right to say no to the sale of Personal Data (opt-out). You have the right to direct Us to not sell Your personal information. To submit an opt-out request please contact Us.
  • The right to delete Personal Data. You have the right to request the deletion of Your Personal Data, subject to certain exceptions. Once We receive and confirm Your request, We will delete (and direct Our Service Providers to delete) Your personal information from our records, unless an exception applies. We may deny Your deletion request if retaining the information is necessary for Us or Our Service Providers to:
    • Complete the transaction for which We collected the personal information, provide a good or service that You requested, take actions reasonably anticipated within the context of our ongoing business relationship with You, or otherwise perform our contract with You.
    • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
    • Debug products to identify and repair errors that impair existing intended functionality.
    • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
    • Comply with the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) and GDPR (General Data Protection Regulations), under the scope of Electronic Communications
    • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if You previously provided informed consent.
    • Enable solely internal uses that are reasonably aligned with consumer expectations based on Your relationship with Us.
    • Comply with a legal obligation.
    • Make other internal and lawful uses of that information that are compatible with the context in which You provided it.

 

These provisions are not in contravention of the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), as stated in Section 7, subsections (1), (2) and (3), as well as Article 7.2, paragraphs (1) and (2).

 

  • The right not to be discriminated against. You have the right not to be discriminated against for exercising any of Your consumer’s rights, including by:
    • Denying goods or services to You
    • Charging different prices or rates for goods or services, including the use of discounts or other benefits or imposing penalties
    • Providing a different level or quality of goods or services to You
    • Suggesting that You will receive a different price or rate for goods or services or a different level or quality of goods or services


9.1. Exercising Your Data Protection Rights

 

If you wish to exercise your rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) or the EU General Data Protection Regulation (GDPR) where applicable to individuals in Canada and the European Economic Area, you may contact us through the following channels:

Only you, or an authorized representative registered with the California Secretary of State, may submit a verifiable request concerning your personal information.

Your request must:

  • Include enough information for us to confirm your identity or verify that you are authorized to act on behalf of the individual whose data we collected.
  • Provide clear and detailed instructions to help us fully understand and respond to your request.

We cannot process your request if:

  • We are unable to verify your identity or authority to make the request.
  • We cannot confirm that the personal information pertains to you.

Our response:

  • We will provide the requested information free of charge within 45 days of receiving a verifiable request.
  • If necessary, we may extend this period by an additional 45 days with prior notice.
  • Responses will only cover information from the 12 months preceding the date of your request.
  • For data portability requests, we will provide your information in a usable format that allows smooth transfer between entities.

9.2. Opt-Out of Personal Information Sales

You have the right to request that we do not sell your personal information. Upon receiving and verifying your request, we will cease any such activity. To exercise this right, please contact us directly.

Our third-party partners, including analytics and advertising providers, may use technology that constitutes a “sale” of personal information under PIPEDA, which would require user consent, as prescribed under Section 7.2, paragraph 4 of the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), which reads:

“Exception

 (4) Subsections (1) and (2) do not apply to a business transaction of which the primary purpose or result is the purchase, sale or other acquisition or disposition, or lease, of personal information”. 

Subsections (1) and (2) of Article 7.2 allow for the collection and use of User data without consent, under strictly specified conditions, both without any cause of injury to the User and in the interest of business operational continuity.

 

Therefore, under the rights enshrined in PIPEDA, if you wish to opt out of the use of your data for personalized advertising or related sales as defined, please follow these steps:

  • Follow the provided opt-out links or adjust your preferences via your browser settings.

9.2.1. Website Ads

 

You may choose to disable personalized advertising provided by our third-party partners by following the instructions below:

  • Visit the NAI opt-out page: http://www.networkadvertising.org/choices/
  • Explore the EDAA opt-out options: http://www.youronlinechoices.com/
  • Use the DAA opt-out tool: http://optout.aboutads.info/?c=2&lang=EN

 

9.2.2. Mobile Devices

 

Your mobile device may give You the ability to opt out of the use of information about the apps You use in order to serve You ads that are targeted to Your interests:

 

  • “Opt out of Interest-Based Ads” or “Opt out of Ads Personalization” on Android devices
  • “Limit Ad Tracking” on iOS devices

 

You can also stop the collection of location information from Your mobile device by changing the preferences on Your mobile device.

 

9.3. Third-Party Websites Association Disclaimer

 

Although Our Service may contain links to other websites that are not operated by Us, We issue a disclaimer:

“That We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services, and you accept that accessing these links is at your own risk”.

If You click on a third party link, You will be directed to that third party’s site. We therefore strongly advise You to review the Privacy Policy of every site You visit.

 

9.4. Policy Modifications

 

We may update Our Privacy Policy from time to time. We will notify You of any changes by posting the new Privacy Policy on this page.

 

We will let You know via email and/or a prominent notice on Our Service, prior to the change becoming effective and update the “Last updated” date at the top of this Privacy Policy.

 

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

10.0. Contact Us

 

If you have any questions about this Privacy Policy, You can contact us:

  • By visiting this page on our website: ………………

 

  • By sending us an email: ………………………………

 
