Privacy Policy
1. Scope and purpose
1.1. This Policy explains how personal information is processed in connection with the website and interfaces of buycoin.online (the “Platform”).
1.2. It applies to visitors, registered users and verified clients of the Platform.
1.3. The operator of the Platform is EVERNORTH FINTECH INC. (hereinafter — “Evernorth”, “we”), which provides services for the exchange of fiat currency for virtual assets and of virtual assets for fiat currency, as well as the exchange of one virtual asset for another, acting as the counterparty to each operation. Evernorth does not hold client funds between operations. To provide its services, Evernorth engages third-party providers (verification, payment services, banks, blockchain analytics, etc.). Personal information is processed in accordance with this Policy and the Personal Information Protection and Electronic Documents Act (PIPEDA).
2. Responsible organisation and contact details
2.1. The organisation responsible for personal information is EVERNORTH FINTECH INC. (a Money Services Business registered with FINTRAC, MSB No. N300000091), 5343 Dundas Street West, Office #60, Etobicoke, Ontario, M9B 6H8, Canada. E-mail (privacy matters): info@buycoin.online.
2.2. Evernorth has designated a Privacy Officer responsible for compliance with PIPEDA, who can be contacted at the e-mail address above.
3. Roles in processing
3.1. Evernorth is the organisation responsible for personal information processed in connection with the operation of the Platform: account management, Platform navigation, order routing and execution, security, logging, communications and regulatory compliance.
3.2. Exchange/liquidity and payment-service providers, banks, verification providers, blockchain-analytics providers, IT contractors and other parties are engaged under contracts. Their role (independent responsible organisation or processor acting on behalf of Evernorth) is determined by law and by contract. Evernorth remains accountable for personal information transferred to providers for processing on its behalf.
4. Categories of personal information
Depending on your use of the Platform and the services chosen, we may process:
- Identification and contact data: first and last name, date of birth, nationality, residential/registration address, e-mail, phone.
- KYC/AML data: copies of identity documents (passport, identity card, driver’s license, residence permit), proof of address, selfie/video-selfie and liveness-check results, source-of-funds/wealth information, sanctions/PEP/adverse-media screening results, transaction-monitoring and risk-assessment outputs, data required for the Travel Rule.
- Operational data: order types and parameters, amounts, currencies/assets, payment-instrument details, wallet addresses (including network and memo/tag), statuses and timestamps, activity logs.
- Technical data: IP address, device/browser identifiers, interface language, cookies and similar identifiers, event logs.
- Communications: support correspondence, complaints/requests and their outcomes.
- Marketing preferences: opt-ins/opt-outs (where applicable).
5. Sources of data
We obtain data:
- directly from you;
- from providers involved in fulfilling your order;
- from KYC/AML and blockchain-analytics providers;
- from public registers and sanctions lists.
6. Purposes and basis for processing
6.1. Identified purposes. We process personal information for the following purposes: account creation and management; KYC for transactional access; processing and execution of orders; customer support; billing and notifications.
6.2. Consent. We process personal information with your consent, which may be express or implied from your use of the service for an identified purpose. You may withdraw consent subject to legal and contractual restrictions; withdrawal of consent may limit or prevent the provision of services.
6.3. Processing without consent, permitted or required by law. In the cases provided for by PIPEDA, we process personal information without consent, in particular to: comply with AML/CTF requirements, sanctions regimes, the Travel Rule and other legal and regulatory obligations; detect, prevent and investigate fraud or abuse; comply with court orders, warrants, subpoenas or lawful requests of competent authorities; and for other purposes for which PIPEDA permits processing without consent.
6.4. Marketing. Marketing communications are sent only with your consent, which may be withdrawn at any time.
7. Necessity of providing data
Data required for KYC/AML and for the execution of orders is a contractual and/or legal requirement. If you do not provide it, we cannot deliver services (your account or transactions may be limited or unavailable).
8. Categories of recipients
Disclosures are limited to what is necessary:
- exchange/liquidity and payment-service providers; payment providers and banks;
- KYC/AML, sanctions-screening, Travel Rule and blockchain-analytics providers;
- IT vendors (hosting, cloud, service desk, e-mail, security monitoring);
- auditors, legal advisers, insurers (where relevant).
Each recipient’s role (responsible organisation or processor) is determined by law and by contract.
9. International data transfers
9.1. Evernorth and the providers it engages may process and store personal information outside Canada (including in the EU, the United Kingdom, the United States and other jurisdictions).
9.2. While stored or processed in another country, personal information may be subject to the laws of that country, including possible lawful access by courts, law-enforcement and government authorities.
9.3. Evernorth applies contractual and organisational measures to ensure a comparable level of protection for transferred information. Information about key recipients and jurisdictions is available on request.
10. Retention periods
Retention depends on the category of data and legal requirements:
- KYC/AML and transaction data: at least 5 years after the end of the relationship/transaction (in accordance with the PCMLTFA), and longer where required (in view of limitation periods, tax requirements, or while inquiries or disputes remain open).
- Contractual/financial records: as required by accounting and tax law.
- Technical logs: for a reasonable period for security and audit purposes.
- Marketing: until consent is withdrawn or an objection is raised.
When the retention period expires, data is deleted or anonymised unless a lawful basis requires longer storage.
11. Automated decisions and profiling
To comply with AML/sanctions obligations and to prevent fraud, automated checks and risk-scoring may be used, which can affect access to services (e.g. manual review, suspension or refusal). You have the right to request human intervention in the decision, to express your view and to contest the decision — see the contacts in Section 18.
12. Cookies and similar technologies
We use strictly necessary cookies for the Platform to function and, with your consent, analytical/marketing cookies. Details and preference controls are set out in the Cookie Policy.
13. Data security
We implement organisational and technical measures commensurate with risk: need-to-know access controls; encryption in transit and at rest; access logging; anomaly/fraud monitoring; vulnerability management and testing; and contractual safeguards with providers. No system can be absolutely secure, but we maintain protection appropriate to the risks.
14. Age restrictions
The Platform’s services are intended solely for individuals aged 18 or over. If you are under 18, please do not use the Platform or submit personal information.
15. Your rights
15.1. Under PIPEDA you have the right to: access the personal information that Evernorth holds about you; request correction of inaccurate or incomplete information; withdraw consent (subject to legal and contractual restrictions); and challenge our compliance with personal-information protection requirements.
15.2. Requests are handled without undue delay, typically within 30 days (extendable, with notice, for complex or numerous requests in accordance with PIPEDA).
15.3. In certain cases, some information may be withheld where permitted or required by law (in particular where disclosure would reveal information about another individual, relates to legal privilege, or is connected to a suspicious transaction report that cannot be disclosed).
16. Complaints to a supervisory authority
You may lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC). We would appreciate the opportunity to address your concern first — please contact us.
17. Updates to this Policy
We may update this Policy periodically. The current version is published on the Platform. For material changes, we may post a notice and/or communicate through available channels where appropriate.
18. Contacts
For any questions about this Policy or the processing of your personal information, and to exercise your rights, please contact Evernorth’s Privacy Officer at: info@buycoin.online.