What personal information does TODA Pay collect?

TODA Pay collects registration and use information (name, address, email, IBAN, identification), transaction and usage information, participant information for fund transfers, and information from third-party sources. Additional information may be collected for enhanced services.

Why does TODA Pay process personal data?

TODA Pay processes personal data to operate services, manage business needs, manage risk and prevent fraud, deliver marketing materials, provide personalized services, comply with legal obligations, facilitate connections between users, and respond to user requests.

How does TODA Pay share personal data?

TODA Pay may share personal data with corporate family members, third-party service providers, partnered financial institutions, transaction participants, and other third parties for business purposes or as required by law. Personal data is not shared with third parties for marketing purposes without consent.

What privacy choices are available to users?

Users have the right to request access, transfer, correction, or erasure of personal data. They can manage communication preferences, opt out of marketing communications, manage cookie preferences, control location data, and manage account connections with third-party platforms.

How does TODA Pay protect user data?

TODA Pay maintains technical, physical, and administrative security measures including firewalls, data encryption, physical access controls to data centers, information access authorization controls, and encrypted visitor connections to protect personal data.

Privacy Policy

Last updated: May 2026

1. Overview

This Privacy Policy describes how CARDSTREAM PAYMENT SYSTEMS LTD (MSB registration number: C100000953), incorporated in Canada under company registration number 1001161051, with registered office at 1907 Baseline Road, Unit 104, Ottawa, Ontario, K2C0C7, Canada (hereinafter "Cardstream", "we", "us", or "our"), collects, uses, stores, and protects personal data in connection with the operation of our services and website at cardstreampayments.com.

Cardstream acts as the data controller in respect of personal data processed under this Policy. We are committed to protecting your privacy and handling personal data responsibly, in compliance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (GDPR) and the UK General Data Protection Regulation (UK GDPR), where applicable.

By engaging with our services or website, you acknowledge that your personal data will be processed in accordance with this Policy. If you do not agree with the terms of this Policy, please do not use our services or website.

This Policy is not a framework contract for the purposes of the EU Payment Services Directive (PSD2) or any national implementation thereof.

2. Who This Policy Applies To

This Policy applies to personal data we process in relation to:

Clients and prospective clients, including legal entities and their authorised representatives, directors, shareholders, and ultimate beneficial owners
Individuals interacting with our website or submitting enquiries
Any other individuals whose personal data we receive in the course of providing our services

Where Cardstream processes personal data of individuals on behalf of its clients in the context of payment services, Cardstream may act as a data processor. In such cases, processing is governed by the applicable service agreement and the instructions of the relevant data controller.

3. Personal Data We Collect

We collect personal data that is necessary for the purposes described in this Policy. This may include:

Identity information: full name, date of birth, nationality, and identification document details
Contact information: email address, postal address, and telephone number
Business information: company name, registration details, business description, and role within an organisation
Financial information: details necessary to assess risk, process transactions, and comply with our legal obligations
Verification information: data collected during identity and due diligence checks, including information obtained from third-party sources
Technical data: IP address, browser type, device information, and usage data collected when you visit our website
Communications: records of correspondence between you and Cardstream

We may also receive personal data about you from third-party sources, including public registries, sanctions screening providers, credit reference agencies, and other lawful sources, where permitted by applicable law.

Providing personal data to us is voluntary, but a refusal to provide information we are legally or operationally required to obtain may prevent us from entering into or continuing a business relationship with you.

4. How We Use Personal Data

We process personal data for the following purposes:

To provide and administer our services in accordance with our terms and applicable agreements
To verify your identity and conduct client due diligence and ongoing monitoring in accordance with our AML/CTF obligations
To assess and manage risk, including fraud prevention and the detection of suspicious activity
To comply with our legal and regulatory obligations, including reporting requirements under applicable law
To communicate with you about your account, our services, and matters relevant to our relationship
To improve and maintain the functionality and security of our website and systems
To respond to your enquiries and provide customer support
To pursue our legitimate business interests, where such interests are not overridden by your rights and freedoms

We will not use your personal data for purposes incompatible with those for which it was originally collected, unless we have a lawful basis to do so or have obtained your consent.

5. Legal Basis for Processing

Where the GDPR or UK GDPR applies, we process personal data on the following legal bases:

Contractual necessity: processing required to enter into or perform a contract with you or your organisation
Legal obligation: processing necessary to comply with our obligations under applicable law, including AML/CTF, sanctions, and financial regulation
Legitimate interests: processing necessary for our legitimate business interests, such as fraud prevention, risk management, and improvement of our services, provided those interests are not overridden by your rights
Consent: where you have provided explicit consent to a specific processing activity, which you may withdraw at any time without affecting the lawfulness of prior processing

6. Sharing of Personal Data

We may share your personal data with third parties in the following circumstances:

With service providers and data processors acting on our behalf, who are contractually bound to process data only as instructed and to maintain appropriate security measures
With financial institutions, card schemes, acquiring partners, and other counterparties to the extent necessary to process transactions or fulfil our obligations
With regulatory authorities, law enforcement agencies, FINTRAC, and other competent authorities where required or permitted by law
With sanctions screening, identity verification, and compliance service providers in connection with our due diligence obligations
With professional advisers, including legal counsel and auditors, subject to obligations of confidentiality
In connection with a merger, acquisition, or restructuring of our business, subject to appropriate confidentiality obligations

We do not sell or rent personal data to third parties for their own marketing purposes.

7. International Transfers of Personal Data

Cardstream operates internationally and your personal data may be transferred to, stored in, or processed in countries outside the European Economic Area (EEA) or the United Kingdom. Where such transfers occur, we ensure that appropriate safeguards are in place to protect your personal data in accordance with applicable law.

Such safeguards may include standard contractual clauses approved by the European Commission or the UK Information Commissioner’s Office, adequacy decisions, or other lawful transfer mechanisms. You may request further information about the safeguards applicable to a specific transfer by contacting us at the details provided in this Policy.

8. Data Retention

We retain personal data for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law and regulation. In particular, we are required under the PCMLTFA and other applicable regulations to retain client and transaction records for a minimum of five years following the end of the business relationship.

Where personal data is no longer required, we take reasonable steps to securely delete or anonymise it. Retention periods may be extended where required by ongoing legal proceedings, regulatory investigations, or other lawful obligations.

9. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These measures are designed to ensure a level of security appropriate to the risk associated with the processing.

You are responsible for maintaining the confidentiality of any credentials used to access our services. We are not responsible for unauthorised access resulting from a failure on your part to maintain such confidentiality.

10. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our website. For detailed information about how we use cookies, the types of cookies we deploy, and how you can manage your preferences, please refer to our Cookies Policy available at cardstreampayments.com.

11. Your Rights

Subject to applicable law and certain conditions, you may have the following rights in relation to your personal data:

The right to access the personal data we hold about you
The right to request correction of inaccurate or incomplete personal data
The right to request erasure of your personal data, subject to our legal retention obligations
The right to restrict or object to certain processing activities
The right to data portability, where processing is based on consent or contractual necessity and is carried out by automated means
The right to withdraw consent at any time, where processing is based on consent
The right to lodge a complaint with the competent data protection authority in your jurisdiction

To exercise any of these rights, please contact us using the details below. We will respond to your request within the timeframes required by applicable law. We may need to verify your identity before processing your request.

Please note that certain rights may be limited where we are required to retain or process data in order to comply with a legal obligation or to establish, exercise, or defend legal claims.

12. Children

Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe that we have inadvertently collected personal data from a minor, please contact us and we will take steps to delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or regulatory requirements. The updated Policy will be posted on our website with the date of the most recent revision. Where changes are material, we will provide notice in accordance with applicable law. We encourage you to review this Policy periodically.

If you disagree with the terms of this Policy, please discontinue use of our services and website.

14. Contact

If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about how we handle your personal data, please contact:

CARDSTREAM PAYMENT SYSTEMS LTD

1907 Baseline Road, Unit 104, Ottawa, Ontario, K2C0C7, Canada

Legal and data protection enquiries: legal@cardstreampayments.com

General enquiries: info@cardstreampayments.com