Privacy Policy
Updated: June 2026
This Privacy Policy forms part of, and should be read together with, the Elephants Inc Terms & Conditions (the “Agreement”) and the Elephants Inc Risk Disclosure Statement. Capitalised terms used but not defined here have the meanings given in the Agreement.
1. Who We Are and Scope of This Policy
This Privacy Policy (the “Policy”) explains how Elephants Growth Tech Ltd, a company incorporated in Canada and registered with FINTRAC as a Money Services Business (MSB Registration No. C10001690) and with the Bank of Canada as a Payment Service Provider under the Retail Payment Activities Act (the “Controller”, “Elephants”, “we”, “us” or “our”), collects, uses, discloses, transfers, stores and otherwise processes your personal data when you interact with our websites, the Elephants Inc App, our APIs and the Services.
Elephants Growth Tech Ltd is the entity responsible for your personal data as the Contracting Entity for the Services. Certain processing is carried out with the support of Supporting Entities in the Elephants group (including Elephants AI Global Pte. Ltd. (Singapore) and Elephants (HK) Limited (Hong Kong), each of which holds, at group level, the master Partner relationships supporting the card programmes and certain compliance functions of the Services) and by licensed third-party Partners, each as described in the Agreement and in Annex 1 (Sub-processor Register) to this Policy.
2. Legal Framework and Your Jurisdiction
The Services are available to both business and individual (retail) users. The data-protection law that applies to you depends on your country of residence and the jurisdiction in which the relevant Elephants entity processes your data. This Policy is intended to operate consistently with, in particular:
Canada — the Personal Information Protection and Electronic Documents Act (PIPEDA), as the primary regime applicable to Elephants Growth Tech Ltd;
Singapore — the Personal Data Protection Act 2012 (PDPA);
Hong Kong — the Personal Data (Privacy) Ordinance (PDPO);
Australia — the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs); and
the European Economic Area and the United Kingdom — the General Data Protection Regulation (GDPR) and UK GDPR, where applicable to individual users in those territories.
Where the law of your jurisdiction grants you rights or protections that this Policy does not expressly describe, those rights and protections continue to apply. Where you use the Services as a consumer, nothing in this Policy or the Agreement excludes or limits any non-waivable right available to you under the law of your country of residence.
3. Personal Data We Collect
We collect personal data that is reasonably necessary for our functions and activities, to provide and secure the Services, and to meet our legal and regulatory obligations. The categories of personal data we process include:
Identity and contact data. Name, email address, postal address, telephone number, date of birth (for identity verification), nationality and residency, and government identification details (such as passport or national identity document).
Business data. Where you act for an entity: business name, registered address, business registration number and details of authorised persons. Business information used solely for business-to-business transactions is treated in accordance with applicable law.
Verification and compliance data. Information collected to perform Know Your Customer (KYC), Know Your Business (KYB), sanctions screening, anti-money-laundering and counter-terrorist-financing checks, including identity-document images and, where you expressly consent, biometric data used to verify your identity.
Account and transaction data. Account number and credentials, Wallet Balance, load, withdrawal, conversion and Card Transaction records, and information about your dealings with and through the Services (“Transaction Data”).
Recipient and third-party data. Information about a payment recipient or third party that we require to process a transaction or perform compliance checks (“Third-Party Data”). Where you provide such data, you confirm you are authorised to do so and that it is accurate.
Technical and usage data. IP address, device and browser identifiers, operating-system information, cookie data, and information about how you interact with our websites and App.
Communications data. The content and metadata of your communications with us through our contact forms, email, messaging channels and social-media or professional-networking platforms.
Sensitive data. We do not seek to collect special-category or sensitive data except where it is necessary for, and proportionate to, our identity-verification and compliance obligations, and then only with your express consent or as otherwise permitted by law. Biometric data is collected only with your explicit consent and only to verify your identity.
Personal data marked as mandatory at the point of collection must be provided for us to open an Account or provide the relevant Service. We collect screening and eligibility information through our KYC onboarding and verification process, and not by geolocation or IP-based screening.
4. How and Why We Use Your Personal Data
We use your personal data for the purposes below. Where the GDPR or UK GDPR applies to you, the lawful basis for each purpose is indicated; in other jurisdictions we rely on the corresponding basis permitted by local law (including consent, performance of a contract, compliance with legal obligation, and legitimate interests).
To provide the Services (performance of a contract). Opening and administering your Account, processing loads, withdrawals, conversions and Card Transactions, and providing customer support.
To meet legal and regulatory obligations (legal obligation). KYC/KYB, sanctions screening, AML/CTF monitoring, Travel Rule compliance, record-keeping, tax reporting and responding to lawful requests from regulators and authorities.
To secure the Services and prevent harm (legitimate interests / legal obligation). Detecting, preventing and investigating fraud, illicit activity and breaches of the Agreement, and protecting the security and integrity of our systems.
To improve and develop the Services (legitimate interests). Analysing usage, measuring performance and improving the design and content of the Services, using aggregated or de-identified data where practicable.
To communicate with you (performance of a contract / consent). Sending transactional and administrative messages (which we may send without separate marketing consent), and, where you have consented, marketing communications you may withdraw at any time.
Where we rely on consent, you may withdraw it at any time; withdrawal does not affect the lawfulness of processing before withdrawal, and may mean we can no longer provide some or all of the Services.
5. How We Share Your Personal Data
We do not sell your personal data. We share it only as described in this Policy, including with:
Supporting Entities and licensed Partners (Sub-processors) who perform parts of the Services on our behalf, including identity verification, transaction monitoring, card issuance, wallet and fiat account infrastructure, payment processing, hosting and customer support - as listed in Annex 1;
regulators, law-enforcement and government authorities, where required or permitted by law;
professional advisers, and prospective or actual purchasers, in connection with a corporate transaction, subject to appropriate confidentiality protections; and
a Referrer, limited to the information necessary to verify referral rewards (such as completion of a qualifying transaction), and not your transaction history, balances or itemised spending.
Each Sub-processor is bound by contract to process personal data only on our instructions and to maintain appropriate security. Where we share data with third-party messaging platforms to support customer communications, those platforms process your data under their own terms, which we do not control.
6. International Transfers of Personal Data
Because Elephants operates across Canada, Singapore, Hong Kong, Australia and other jurisdictions, and uses Sub-processors located in various countries, your personal data may be transferred to, stored in and processed in countries other than your own, including Canada, Singapore, Hong Kong, the United Kingdom, the European Union, the United States and Australia.
Where we transfer personal data to a country that does not provide a level of protection comparable to that of your jurisdiction, we put in place appropriate safeguards, such as Standard Contractual Clauses or equivalent data-transfer agreements, and take reasonable steps to ensure recipients protect your data to a comparable standard. You may contact our Privacy Officer for information about the safeguards that apply to a particular transfer.
7. Your Rights
Subject to the law applicable to you, you have rights in relation to your personal data, which may include the right to: access the personal data we hold about you; request correction of inaccurate data; request erasure (the “right to be forgotten”); object to or restrict certain processing; withdraw consent; request data portability; and opt out of direct marketing. The precise scope of these rights depends on your jurisdiction.
To exercise a right, contact our Privacy Officer (Section 13). We will verify your identity before responding. We aim to respond within the time required by the law applicable to you, and in any event without undue delay (for example, within 30 days under PIPEDA, one month under the GDPR, and within the period prescribed by the PDPA, PDPO and APPs).
We may decline or limit a request where the law permits or requires us to do so — for example, where retention is required for AML/CTF or other legal obligations, where a regulator directs us not to comply, where complying would affect the safety of any person or prejudice an investigation, or where we cannot verify your identity. We will explain our reasons to the extent the law requires. If you are not satisfied, you may lodge a complaint with the data-protection regulator in your jurisdiction.
8. Security of Personal Data
We maintain technical and organisational measures designed to protect personal data against unauthorised access, disclosure, alteration and loss. No system is completely secure, and we cannot guarantee absolute security, particularly for data in transit over third-party networks. Where a personal-data breach is likely to result in a risk to your rights, we will notify you and the relevant regulator as required by applicable law. You are responsible for keeping your access credentials secure.
9. Retention
We retain personal data for as long as your Account is active and as necessary to provide the Services, and thereafter for the period required to meet legal, regulatory, accounting and audit obligations. Transaction, identity verification, and compliance records are retained for a minimum of five years following the end of our relationship, or longer where required by applicable law. When personal data is no longer required, we erase, de-identify or destroy it by reasonable means.
10. Cookies and Tracking
We use cookies and similar technologies to keep you signed in, remember your preferences, measure performance and improve our websites and Services. You can manage cookies through your browser settings, though disabling them may affect some features. Third-party cookies are governed by the relevant third party’s own policy, and some third parties may not respond to “Do Not Track” signals.
11. Children
The Services are not directed to individuals under the age of 18 (or the higher age required in your jurisdiction to use the Services). We do not knowingly collect personal data from individuals below that age without verifiable parental or guardian consent where required by law. If you believe we hold such data without appropriate consent, please contact our Privacy Officer.
12. Use of Social and Messaging Channels
Where you communicate with us through messaging or social-media platforms (such as WhatsApp, Facebook Messenger or Instagram, operated by Meta Platforms, Inc. and Telegram), those platforms process your data under their own terms and privacy policies, which we do not control. Once your messages reach our systems, they are stored as part of our customer records. You should not send highly sensitive information (such as passwords, full card numbers or secret keys) through these channels; we will never request such details through them.
13. Contact, Complaints and Changes to This Policy
Our designated Privacy Officer can be contacted at legal@elephants.inc for any privacy inquiry, to exercise your rights, or to make a complaint. If you remain dissatisfied, you may contact the data-protection regulator in your jurisdiction.
We may update this Policy from time to time. We will indicate changes by revising the “Last Updated” date, and where changes are material we will provide additional notice (for example, by email or in-Service notification) as required by law.
Privacy Officer: Siriyupa Carl, Chief Legal & Compliance / Risk Officer. Elephants Growth Tech Ltd, 422 Richards St, Suite 170, Vancouver BC V6B 2Z4, Canada.. Email: legal@elephants.inc.
Where applicable, you may be asked to review and acknowledge a separate Biometric Data Consent and FATCA Declaration, each of which forms part of your onboarding documentation and should be read alongside this Policy.
Annex 1 — Sub-processor Register
This register lists the Sub-processors and Partners engaged to process personal data in connection with the Services. It is updated from time to time in accordance with Section 5 of this Policy.
Category | Partner / Entity | Purpose of processing | Data location | Privacy Notice |
|---|---|---|---|---|
Identity (KYC/KYB) | Sumsub | Identity verification and biometric matching | EU | |
Risk & Compliance | Elliptic | Blockchain transaction monitoring and AML screening | US | |
Card issuance | Sunrate Pte. Ltd. | Singapore BIN sponsorship and card issuance | Singapore | https://www.sunrate.com/wp-content/uploads/2023/05/SUNRATE-Privacy-Policy_EN_V3.0.pdf |
Card processing | Thredd (UK) Limited | Card processing services | UK | |
Card issuance (HK) | Reap Technologies Limited | Hong Kong BIN Sponsorship and card issuance | Hong Kong | |
Wallet Infrastructure | BitGo | Wallet infrastructure provider in respect of Virtual Assets | HK/US | |
Financial services | Tazapay Canada Corp | Cross-border payments, collection / payout, virtual account, remittance | Singapore / Canada | |
Financial services | Cross-border payments, collection / payout, virtual account, remittance | UAE/ Multiple jurisdictions | ||
Financial services | Ripple | Blockchain-based cross-border payments | Singapore / US | |
Financial services | Onerway | Cross-border payments, collection / payout, virtual account, remittance | UK/EU | |
Rewards | Passport | Rewards points management and redemption | Australia / US | |
https://passport-au.us.ascenda.com/en-AU/help-center/privacy-policy | ||||
Infrastructure | AWS (Amazon) | Cloud hosting, server infrastructure and storage | Singapore | |
Productivity | Google Workspace | Internal communications and document management | Global | |
Operations | Slack | Internal alerts for compliance and KYC monitoring | US | |
CRM & marketing | HubSpot | Customer relationship and communications management | US / EU | |
Messaging & support | Meta Platforms, Inc. | Customer communication and support via WhatsApp, Facebook, Instagram | US / Global | |
https://www.whatsapp.com/legal/business-data-processing-terms/ | ||||
Messaging & support | Telegram FZ-LLC | Customer communication and support | UAE/ Multiple jurisdictions | |
Communications | Mailchimp (Intuit) | Newsletters, marketing emails and product updates | US |
Where personal data is transferred to a country that does not provide an adequate level of protection, appropriate safeguards (such as Standard Contractual Clauses or data-transfer agreements) are put in place with the relevant Sub-processor.
