Harbour and Hills Financial Services Inc

Privacy Statement for website

Last Updated: May 2026

Harbour and Hills Financial Services Limited (“We”, “Us” or “Our”) is headquartered in British Columbia, Canada, and is committed to protecting the personal information of our clients and website visitors.

We recognize that you trust us with your personal and financial information. This Privacy Policy explains how Harbour and Hills Financial Services Limited (“we,” “us,” and “our”) , may use and share information collected when consumers, customers, clients, and site visitors (“you” and “your”) visit or use our online services. This Privacy notice applies whether you visit or use our online services through your computer, smartphone, tablet, or other devices.

We will provide a link to this notice on our website homepage and will send a Customer Privacy Notice to active customers at least annually.

1. Information We Collect

As a regulated Money Services Business (MSB), we may collect personally identifiable financial information and other data about you, your device, and your company. This includes:

• Identifying Information: Name, alias, postal address, email address, telephone number, and assigned customer reference numbers.
• Government-Issued Identifiers: Social Security number, driver’s license, passport number, or employer identification number (EIN) required for federal identity verification.
• Cross-Border Transaction & FX Data: Information necessary to execute international remittances and foreign exchange, including beneficiary names, destination bank account details, routing codes (e.g., SWIFT/BIC), source of funds, and the designated purpose of the transaction.
• Account and Payment Information: Account names, passwords, security questions, payment history, and financial transactions.
• Company Information: Business contact information, billing addresses, formation documents, and purchasing histories.
• Biometric Data: Biometric information such as facial recognition data   for identity verification.
• Device and Network Activity: Internet Protocol (IP) addresses, device identifiers, browsing history, search history, and interactions with our websites or advertisements.
• Device and Network Activity: Internet Protocol (IP) addresses, device identifiers and interactions with our websites.

2. How We Collect Information

We collect information from various sources to better provide cross-border financial services to you:

• From You: Information you explicitly provide to us, such as when you create an account, complete identity verification forms, initiate a transaction, or contact our support team via email.
• From Transaction Parties: We may receive necessary data from correspondent banks, clearing networks, or beneficiaries involved in the routing and settlement of your international transfers.
• Through Tracking Technologies: Data we collect automatically to secure and maintain our platform while you browse. This includes technical details gathered via cookies, server logs, and device identifiers during your use of the Services.
• From Third Parties: Information we acquire from external partners to fulfill our regulatory requirements and operate our business. This includes data from identity verification services, public databases (such as PEP/sanctions lists), financial partners, and advertising networks.

3. How We Use Information

We utilize the information we collect to operate our business and improve your experience. We may use this information to:

• Offer and deliver financial services (execution of foreign exchange (FX) and the processing of cross-border money transmissions) to you.
• Operate, evaluate, and improve our existing and upcoming business services.
• Respond to requests, provide customer support, and manage your preferences.
• Detect and prevent fraud while enhancing the security of our online platforms.
• Comply with applicable legal requirements, industry standards, and contractual obligations, including the Bank Secrecy Act (BSA), Anti-Money Laundering (AML) mandates, Office of Foreign Assets Control (OFAC) sanctions screening, and our statutory obligations under the Gramm-Leach-Bliley Act (GLBA).

4. Disclosure of Information

In compliance with GLBA Title V, Subtitle A, we strictly limit the disclosure of nonpublic personal information. We do not share any non-public personal information with nonaffiliated third parties other than as permitted by standard regulatory exceptions. We may disclose information in different ways as permitted or required by law:

• With your explicit consent or to process transactions you have requested.
• With correspondent banks, financial market infrastructures (such as SWIFT), and foreign receiving institutions strictly as necessary to execute, route, and settle your cross-border and FX transactions.
• With our vendors, service providers, and affiliates strictly for everyday business purposes.
• With law enforcement, regulatory bodies, and governmental agencies to comply with relevant laws or official subpoenas.
• With our professional advisors, including lawyers, accountant, and auditors.

5. Cross-Border Transfers

The online services linking to this Privacy Policy are controlled and operated by us. However, To fulfill your requests for cross-border transactions and FX services, we and our service providers may transfer, store, or process your personal information in destination countries or other jurisdictions where we maintain facilities. When your personal information is transferred to another country, it becomes subject to the laws of that jurisdiction. This means foreign courts, governments, and law enforcement agencies may be able to lawfully access your data under their local laws. Despite this, we remain accountable for your personal information. We utilize robust contractual and organizational safeguards to ensure that any foreign service providers we use provide a level of data protection comparable to the strict standards required under USA law.

6. Consumer Opt-Out Rights & State Privacy Rights

Because we do not share your non-public personal information with nonaffiliated third parties outside of permitted legal exceptions, there is no requirement to opt-out of such sharing. However, depending on your state of residence (such as California, Virginia, Colorado, Connecticut, Utah, or Montana), you may have specific statutory rights to access, correct, delete, or port your personal data, as well as the right to appeal any denial of these requests. You can exercise applicable rights by utilizing the “Do Not Sell or Share My Personal Information” link located in the footer of the HNH USA website.

7. Data Security and Confidentiality

We recognize our duty to provide adequate safeguards for the data we collect and use. We use reasonable organizational, physical, technical, and administrative measures to protect personal information. Because no data transmission system is 100% secure, we encourage you to immediately notify our Fraud Department if you believe your interaction is no longer safe. We will never initiate an email request asking for your sensitive information, such as your Social Security number, password, or PIN.

8. Retention of Your Personal Information and Recordkeeping

We retain your personal information only for as long as it is reasonably necessary to fulfill the purposes for which it was collected, to provide our financial services, and to comply with our legal and regulatory obligations. Data and output will be retained and disposed of according to the requirements of our internal Policy and prevailing laws. Specifically, our retention practices are governed by the following parameters:

• Federal Recordkeeping Mandates: As a regulated Money Services Business (MSB) registered with FinCEN, we are required by federal law—including the Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) regulations—to retain certain records. This includes your identifying information, cross-border transaction history, and foreign exchange (FX) records for a minimum of five (5) years.
• Exceptions to Deletion Requests: Because financial institutions must comply with these federal laws, our strict statutory recordkeeping requirements supersede state-level privacy rights. If you submit a request to delete your personal data under a state law (such as the Montana Consumer Data Privacy Act), we will honor the request for non-essential marketing or browsing data, but we are legally required to retain your core financial and transactional data until the federal retention period expires.
• Secure Disposal: Once all legal, regulatory, and business retention periods have been satisfied, your personal data will be securely destroyed, deleted, or permanently anonymized so it can no longer be associated with you.

9. Children’s Privacy

Our Service does not address anyone under the age of 18.  We do not open accounts for any individual who is not entitled to use our services under applicable law and our onboarding rules.  Where relevant, we assess an individual’s capacity to provide meaningful consent in accordance with applicable law.  When we become aware that we have collected Personal Data from anyone under the age of 18 without verification of parental consent, we will take steps to remove that information from our servers. If we learn that we have collected personal information from a minor without the appropriate consent, we will promptly delete it. Parents or guardians who believe that their child has provided personal information to us may contact our Privacy Officer.

10. Changes to the Privacy Policy

We may update this Privacy Policy from time to time to accommodate new technologies, regulatory requirements, or industry practices. Should our privacy practices change regarding the disclosure of nonpublic information, we shall provide a revised notice and provide an opportunity to “opt-out” prior to enacting those changes. Any changes become effective when the revised policy is posted. By continuing to use the online services after these changes, you agree to accept the revised terms.

11. Contact Us

If you have any questions, comments, or concerns about this Privacy Policy or HNH USA’s data practices, please contact our dedicated Privacy Office at privacy.us@harbourandhills.com.