Privacy Notice

Version 1.0 — Effective 23 June 2026

I. Introduction

Compose Finance Ltd., a company incorporated pursuant to the laws of British Columbia, Canada with incorporation number BC1578019 and registered office at 2nd Floor, Suite 201, 343 Railway St, Vancouver, BC V6A 1A4 ("Compose Finance", “we”, or “us”), recognises the importance of protecting the privacy and personal data of the people whose data we process. This Privacy Notice (“Notice”) describes how we collect, use, process, share and protect personal data, and the rights you have in relation to that data.

This Notice applies to the processing activities in which Compose Finance acts as data controller. It covers your interactions with us through our website, applications, emails and social media pages, and your access to or use of our products and services.

II. Categories of Personal Data We Collect

We collect and process personal data about you when you interact with us or access or use our products and services. This includes:

  1. Identity Information: Your name and surname, username and password (or other login credentials), date of birth, gender, citizenship/nationality, facial biometric data (based on your ID and provided selfie/video), any details from an identity document you provide to us.
  2. Contact Information: residential address (and address history), email address, phone number.
  3. Financial Information: bank account details, wallet address details, transaction history and transaction details.
  4. Device & Web Information: IP address and other online identifiers, browser type, operating system, device information, full URLs and clickstream to/through/from our site, length of visits, page-interaction information (scrolling, clicks, mouse-overs) and methods used to browse away.
  5. Usage Information: Information about how you use our website, applications or services, and how you interact with us.
  6. KYC and Compliance Information: Documents and information for identity verification (e.g. passport or ID copies) as required by AML/CTF laws, information from investigations we conduct such as due diligence checks, sanctions, PEP and risk-screening results, information collected and used for other regulatory and compliance checks.
  7. Support and Complaints Information: Details of your queries or complaints and their progress and outcome.
  8. Marketing Information: Your marketing preferences, including any consents you have given us.

III. Sources of Personal Data

We collect personal data directly from you when you register, transact, verify your identity, contact us, or otherwise use our services.

We also receive personal data from third parties and public sources, including:

  • Third-party partners — where you access our services via a financial-institution or a partner, that partner provides us with data about you such as your name, contact details and the transactions you are seeking to perform.
  • Identity-verification and fraud-prevention providers.
  • Public sources and databases — including news reports that may link a person to fraud, money laundering or crime, sanctions lists (e.g. United Nations Sanctions Lists), and sources used to identify politically exposed persons.
  • Regulators and law-enforcement agencies.
  • Public blockchain data.

IV. Purposes of Processing

We process your personal data to:

  • register and create your account on our platform;
  • provide our products and services, including enabling you to exchange or transact in virtual currencies and related services;
  • verify your identity and carry out KYC, AML, sanctions and counter-terrorism checks;
  • verify that your accounts, device, phone number and email belong to you and are not being used for fraud, terrorism, money laundering or crime;
  • monitor accounts to prevent, investigate and report fraud, security incidents or crime;
  • manage our relationship with you and provide customer support;
  • communicate with you about updates or changes to our services;
  • comply with legal and regulatory obligations and respond to requests from authorities, courts and tribunals;
  • protect and enforce our rights, property, security and safety and those of our customers and others;
  • establish, exercise or defend legal claims and carry out contracts;
  • carry out audit and investigative activities;
  • operate, maintain and improve our website and services and inform our marketing strategy;
  • carry out statistical analysis;
  • as set out in our Cookie Policy.

V. Data Sharing and Disclosure

We may share personal data with the following categories of recipients:

  • Regulatory authorities — to meet our regulatory obligations.
  • Service providers and processors — for KYC/AML checks, identity verification, fraud prevention, website hosting and maintenance, customer service and communications.
  • Banking and payment partners and third-party partners — to execute transactions and fulfil our contractual obligations, and, where you access our services via a third party, to enable provision of those services.
  • Law-enforcement and fraud-prevention agencies — to prevent, investigate and report fraud, security incidents or crime.
  • Legal or governmental authorities — pursuant to a subpoena, court order, governmental inquiry or other legal process, or as otherwise required by law, or to protect rights, safety or security.
  • A prospective buyer or successor — in the event of a sale, merger or reorganisation of our business, in which case data may be disclosed to advisers and the prospective purchaser and passed to the new owners.

VI. Legal Basis for Processing

We collect, use and disclose your personal data with your knowledge and consent, except where we are permitted or required by law to do so without consent.

We obtain your express, opt-in consent before collecting, using or disclosing sensitive personal data — including your biometric and financial information — and before sending you marketing communications.

For non-sensitive data, we may rely on implied consent where the purpose is obvious and you voluntarily provide the data.

You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice, using the contact details in Section XVI. Withdrawing consent for processing necessary to provide our services or that we are legally required to perform (such as KYC/AML record-keeping) may mean we can no longer provide some or all of our services.

VII. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes set out in this Notice or as required by law. We consider our legal and regulatory obligations and our legitimate interests (such as fraud prevention, responding to regulatory inquiries, handling complaints, and managing legal claims) when deciding retention periods.

Specific periods include:

  • Transaction data: 5 years from the date of the transaction.
  • KYC/AML documentation: 5 years after termination of the business relationship.
  • Account data: for as long as the account is open and for a further 5 years after closure (and longer where we have a lawful basis, including at the request of a supervisory authority).
  • Data processed on the basis of consent: until you withdraw consent, plus a short period to implement your request; we keep a record of opt-out requests so we can honour them.

VIII. Data Security Measures

We implement technical and organisational measures to protect personal data against unauthorised access, loss or misuse, including: encryption of sensitive data; secure storage systems; access controls and authentication mechanisms; regular security assessments and audits; and staff training on data protection.

If a breach of security safeguards involving your personal data creates a real risk of significant harm to you, we will notify you and report the breach to the relevant authorities as soon as feasible. We maintain a record of all such breaches.

IX. Third party tools

We use a third-party identity-verification provider, Sumsub, to verify your identity and confirm that it matches your provided identity document, in order to comply with AML/CTF and fraud-prevention obligations. Further information is available in that provider's own privacy policy. The solution may compare a live photo or video of your face with your provided ID. The result of the comparison (match or non-match) is stored only as long as necessary to carry out the verification and for the period required by AML/CTF legislation.

Our website may contain links to other third-party websites or apps. Any interaction you have with third-party companies, and any use of their features, is governed by those companies' own privacy policies. We encourage you to read carefully the privacy policies of any account you create or use.

X. Your Rights

Subject to applicable law, you have the right to:

  • Access — obtain confirmation of, and a copy of, your personal data;
  • Rectification — have inaccurate or incomplete data corrected;
  • Erasure — request deletion of your data in certain circumstances ("right to be forgotten"), subject to our legal obligations;
  • Restriction — request that we limit processing in certain circumstances;
  • Portability — receive your data in a structured, commonly used, machine-readable format, or have it transmitted to another controller where technically feasible;
  • Objection — object to processing based on our legitimate interests, and to direct marketing;
  • Withdraw consent — at any time, where processing is based on consent, without affecting the lawfulness of prior processing.

These rights may be limited — for example, where fulfilling your request would reveal another person's data, where we are required or have compelling legitimate grounds to retain information, or to protect the prevention, investigation or prosecution of criminal offences.

To exercise your rights, contact us using the details in Section XVI. We will respond within 30 days, unless otherwise required by law.

XI. Cookies

Our website uses cookies to enhance user experience and analyse traffic.

  1. The cookies we use fall under the category of site-navigation and authentication cookies and expire after 60 minutes (unless sessions are extended due to recent activity).
  2. Browser fingerprinting is used within cookies to prevent cookie theft and re-use on other devices.
  3. Where we use analytics or marketing cookies that are not strictly necessary, we do so on the basis of your consent. You can manage your preferences through our cookie banner and your browser settings.

XII. Direct Marketing

If you are our Client, we may use your contact details to market our own similar products and services, giving you a clear, free and easy way to opt out, provided you have not already objected.

In all other cases, we send direct marketing only with your prior consent.

Service-related communications — such as order and transaction confirmations, account messages, and communications relating to contracts between us — are not direct marketing.

You have a right to opt out of direct marketing at any time, by using the unsubscribe link in any electronic marketing message or by contacting us using the details in Section XVI.

XIII. Storage and cross-border processing

We and our service providers may store and process your personal data outside your province and outside Canada, where it may be accessible to governments, courts or law enforcement under local laws. We remain accountable for data transferred to our service providers and use contractual and other measures designed to ensure comparable protection.

XIV. Complaints

If you have a concern about how we handle your personal data, please contact our Privacy Officer using the details in Section XVI first so we can try to resolve it. You may also complain to the relevant regulator: the Office of the Privacy Commissioner of Canada; in British Columbia, the Office of the Information and Privacy Commissioner for BC.

You may also lodge a complaint with a supervisory authority in your country of residence, place of work, or where the alleged infringement occurred.

You may also seek judicial remedy against a legally binding decision of the supervisory authority concerning you.

XV. Updates to This Privacy Notice

We may update this Notice from time to time to reflect changes in legal requirements or our practices. The latest version will always be available on our website, and we will notify you of any material changes.

XVI. Contact Us

For any questions about this Notice or to withdraw consent, or to request access or correction, contact our Privacy Officer at [email protected].

Move faster with Compose.

Get startedContact Us
    Privacy Policy | Compose Finance