Harbour and Hills Canada Privacy Policy Statement

Harbour and Hills Financial Services Limited (“We”, “Us” or “Our”) is headquartered in British Columbia, Canada, and is committed to protecting the personal information of our clients and website visitors.

As a registered Money Services Business (MSB), we are heavily regulated by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). Our privacy practices are designed to comply with British Columbia’s Personal Information Protection Act (PIPA), the federal Personal Information Protection and Electronic Documents Act (PIPEDA) where applicable, and the strict anti-money laundering (AML) and anti-terrorist financing (ATF) requirements under the federal Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA).

This statement outlines how we collect, use, disclose, and protect your personal information.

1. Interpretation and Definitions

Interpretation The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

Definitions For the purposes of this Privacy Policy:

• Account means a unique account created for You to access our Service or parts of our Service.
• Affiliate means an entity that controls, is controlled by or is under common control with a party, where “control” means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.
• Company (referred to as either “the Company”, “We”, “Us” or “Our” in this Agreement) refers to H&H Canada, [170-422 Richards ST, Vancouver BC V6, Canada].
• Cookies are small files that are placed on Your computer, mobile device or any other device by a website, containing the details of Your browsing history on that website among its many uses.
• Device means any device that can access the Service such as a computer, a cell phone or a digital tablet.
• Service refers to the H&H Canada website, H&H Canada account portal and related services.
• Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used.
• Third-party Social Media Service refers to any website or any social network website through which a User can log in or create an account to use the Service.
• Website refers to the H&H Canada website, accessible from https://www.harbourandhills.com/ca/
• You mean the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.

2. Accountability

We are responsible for the personal information under our control. We have designated a Privacy Officer who is accountable for our compliance with this statement, privacy policy and applicable privacy laws. Contact information for our Privacy Officer is located at the end of this webpage.

3. Information We Collect

To provide you with our financial services and to meet our strict legal obligations, we collect the following types of personal information:

Personal Information is any information that relates to an identified or identifiable individual. Personal data may include, but is not limited to:

• Full name
• Address
• Email address
• Phone number
• Date of birth
• Occupational data (Occupation, employer details etc)
• Identification documents (e.g., passport, ID card, driver’s license)
• Proof of address (e.g., bank statement, utility bill)
• Financial information (e.g., bank account details, credit card information)

Information about user transactions with us, including transaction history, such as frequency of use and transaction amounts, is also collected.

Business information: For operating your corporate accounts, business data may include, but is not limited to:

• Business name
• Registration number
• Registration Address
• Country of incorporation
• Financial details (e.g., business bank account details)
• Company Profile (e.g., nature of business, targeted country, etc)

Transactional Information: In order to provide You a Service and fulfill your requests we may collect information about the transactions you conduct through our services, including, but not limited to:

• Payment details
• Transaction history
• Other (e.g., transaction related documents, information, etc)

Information collected automatically: When you use the Services we may automatically collect: IP address, device and browser identifiers, MAC address, mobile carrier, approximate location derived from IP address, user settings, the pages you visit and links you click, and the frequency and duration of your activity. We collect this information using cookies, pixel tags, web beacons, local storage and similar technologies (“Technologies”).

4. Purpose of Collection

We will not use your personal information for any purpose other than those outlined below without obtaining your further consent. We collect your data to:

• Process your financial transactions and provide the services you request.
• Verify your identity, conduct customer due diligence and prevent fraud, deception and other unlawful activities.
• Comply with our legal and regulatory obligations, including those relating to anti-money laundering, counter-terrorist financing, sanctions, tax reporting and record-keeping.
• Secure the Website, our systems and your account, and to detect and respond to security incidents.
• Communicate with you regarding your account, transactions, and security updates.

5. Legal Basis and Consent

In accordance with Canadian privacy legislation, including the Personal Information Protection Act (British Columbia), your knowledge and consent are generally required for the collection, use, and disclosure of your personal information. Consent may be expressed or implied, determined by the sensitivity of the information and reasonable expectations.

In certain circumstances permitted or mandated by applicable law—particularly our regulatory obligations as a Money Services Business under anti-money laundering and anti-terrorist financing legislation—we may collect, use, or disclose personal information without your consent. This includes actions necessary to comply with FINTRAC regulations, investigate or prevent fraud, or respond to lawful demands from authorities.

You reserve the right to withdraw your consent at any time, subject to overarching legal or contractual restrictions. Should you choose to withdraw consent, we will inform you of the consequences, which will include our inability to continue providing you with our services. Please be advised that withdrawal of consent does not affect the lawfulness of prior processing, nor does it override our statutory obligations to retain specific financial and identity records as mandated by Canadian law.

6. Retention of Your Personal Information and Recordkeeping

FINTRAC regulations impose strict record-keeping requirements that supersede standard privacy requests. We are legally mandated to retain your (but not limited to) client identification records, account files, and transaction histories for a minimum of five (5) years after your account is closed or your last transaction is completed.

For greater clarity, we do not retain personal information longer than necessary. However, certain records, including identity-verification, AML/KYC, sanctions-screening and transaction records, may be subject to mandatory statutory retention periods even after an account is closed or the business relationship has ended. During such retention periods, we may be unable to delete or anonymize those records, even if a deletion request is made. This is because doing so violates our 5-year retention obligation under the PCMLTFA.

7. Disclosure of Your Personal Information

We may disclose your personal information:

• With Service Providers: We may share Your personal information with Service Providers who perform services on our behalf, such as cloud hosting, payment processing, identity verification, fraud prevention, analytics, customer support, marketing, advertising, and communications, under written contracts that require them to protect the information and use it only for the purposes we specify.
• For business transfers: We may share or transfer Your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of Our business to another company.
• With Affiliates: We may share Your information with Our affiliates, in which case we will require those affiliates to honor this Privacy Policy. Affiliates include entities under common ownership or control with us.
• For Legal Reasons: To comply with legal obligations (to respond to subpoenas, court orders or regulatory requests), to cooperate with law enforcement agencies and government authorities, to protect and defend the rights or property of the Company, to prevent or investigate possible wrongdoing in connection with the Service, to protect the personal safety of Users of the Service or the public, to protect against legal liability.
• To Professionals: Professional advisors, including lawyers, accountants and auditors.
• With Your consent: We may disclose Your personal information for any other purpose with Your consent.

8. Cross-Border Processing and Data Storage

As an international Money Services Business, facilitating your transactions often requires us to transmit personal and financial information across borders (for example, to foreign correspondent banks, payment networks, or compliance partners). Additionally, we or our service providers may process and store your data on servers located outside of Canada.

Your consent to this Privacy statement followed by Your submission of such information represents Your agreement to that transfer.

When your personal information is transferred to another country, it becomes subject to the laws of that jurisdiction. This means foreign courts, governments, and law enforcement agencies may be able to lawfully access your data under their local laws. Despite this, we remain accountable for your personal information. We utilize robust contractual and organizational safeguards to ensure that any foreign service providers we use provide a level of data protection comparable to the strict standards required under Canadian law.

9. Security Safeguards

We take the protection of your financial and identity data seriously. We utilize robust administrative, physical, and technical safeguards to prevent unauthorized access, disclosure, copying, or modification. These measures include secure server hosting, encrypted data transmissions, and restricted internal access limited only to authorized compliance and operational staff.

10. Tracking Technologies and Cookies

We use Cookies and similar tracking technologies to track the activity on Our Service and store certain information:

• Strictly Necessary Cookies: Essential for the operation and security of our financial services. These cookies authenticate your identity, maintain secure login sessions during your transactions, and power our core anti-fraud features. Because they are critical to the safety and functionality of the platform, they cannot be disabled.
• Analytics and Performance Cookies: Deployed to aggregate statistical data regarding user interactions with the Website, enabling us to optimize performance and usability. These insights may be facilitated by third-party analytics providers, such as Google Analytics.
• Functionality Cookies: Utilized to retain your specific user preferences—such as regional settings or language selections—ensuring a consistent and tailored operational experience across the platform.

Cookies can be “Persistent” or “Session” Cookies. Persistent Cookies remain on Your personal computer or mobile device when You go offline, while Session Cookies are deleted as soon as You close Your web browser.

11. Channels of Your Personal Data Collecting

We may collect information from and about you through:

• Direct Interactions: Information you explicitly provide to us, such as when you create an account, complete identity verification forms, initiate a transaction, or contact our support team via email.
• Automated Technologies: Data we collect automatically to secure and maintain our platform while you browse. This includes technical details gathered via cookies, server logs, and device identifiers during your use of the Services.
• Third-Party Sources: Information we acquire from external partners to fulfill our regulatory requirements and operate our business. This includes data from identity verification services, public databases (such as PEP/sanctions lists), financial partners, and advertising networks.

12. Children’s Privacy

Our Service does not address anyone under the age of 18.  We do not open accounts for any individual who is not entitled to use the Services under applicable law and our onboarding rules.  Where relevant, we assess an individual’s capacity to provide meaningful consent in accordance with applicable law.  When we become aware that we have collected Personal Data from anyone under the age of 18 without verification of parental consent, we will take steps to remove that information from our servers. If we learn that we have collected personal information from a minor without the appropriate consent, we will promptly delete it. Parents or guardians who believe that their child has provided personal information to us may contact our Privacy Officer.

13. Data Breach Notification

In accordance with applicable laws, including PIPEDA, should a privacy breach occur that creates a real risk of significant harm to You, We will notify You.

Changes to this Privacy Policy

We may update this Privacy statement from time to time to reflect changes in our practices or legal requirements. The updated version will be posted on the Website with a revised “Last updated” date. Where the changes are material, we will provide additional notice as required by law.    Your continued use of our services after any changes to this Privacy Statement will constitute your acknowledgment of the changes and your consent to abide and be bound by the modified Privacy Policy.

You are advised to review this Privacy Statement periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

14. Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of the Province of British Columbia and the federal laws of Canada applicable therein. The courts of British Columbia have exclusive jurisdiction over any dispute arising out of or relating to this Privacy Policy, subject to any mandatory rights you may have under the privacy laws of your province of residence.

15. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, You can contact us by email at dawa.lama@harbourandhills.com

16. Privacy Officer

To ensure accountability, We have designated a Privacy Officer responsible for overseeing compliance with this Privacy Policy. You may direct all privacy-related inquiries or complaints to our Privacy Officer at dawa.lama@harbourandhills.com