Quickei - Privacy Policy

Last updated: February 2026

This Privacy Policy (hereinafter the "Policy") describes in detail how Quickei (hereinafter "Quickei", "we", "our" or "us") collects, processes, stores, shares and protects the personal data of users of its digital financial services platform (hereinafter the "Platform"). This Policy applies to all services accessible through our website, mobile applications and application programming interfaces (APIs).

By creating an account, accessing the Platform or using any of our services, you acknowledge that you have read this Policy and agree to the processing of your personal data as described herein. If you do not agree to these terms, you must discontinue use of our services.

1. Definitions

"User": any natural person holding a personal account on the Platform to carry out financial transactions on an individual basis.
"Agent": any natural or legal person holding an Agent account on the Platform, acting as an intermediary to provide deposit, withdrawal and transfer services on behalf of Users.
"Merchant": any natural or legal person holding a Merchant account on the Platform, using our services to receive payments in the course of their commercial activity, including through dedicated APIs, payment links and QR codes.
"Personal Data": any information relating to an identified or identifiable natural person.
"Processing": any operation performed on personal data (collection, recording, storage, alteration, consultation, disclosure, erasure, etc.).
"KYC" (Know Your Customer): identity verification process required by financial regulations.
"AML" (Anti-Money Laundering): the set of measures aimed at combating money laundering.

2. Data Controller

The data controller responsible for your personal data is:

Quickei
9165 rue Lennon Suite 714, Brossard, QC, J4Z0N9, Canada
Fintrac Registration : M22203044
Email: privacy@quickei.com

3. Personal Data Collected

We collect different categories of personal data depending on your profile (User, Agent or Merchant), the services used and applicable regulatory obligations.

3.1 Identification and Account Creation Data

Data	User	Agent	Merchant
Full name (first and last)	✓	✓	✓
Username (unique identifier)	✓	✓	✓
Email address	✓	✓	✓
Phone number (country code + number)	✓	✓	✓
Password (encrypted)	✓	✓	✓
Transaction PIN code	✓	✓	✓
Profile photo	✓	✓	✓
Full mailing address	✓	✓	✓
Business name / trade name		✓	✓

3.2 Identity Verification Data (KYC)

In compliance with applicable financial regulations, we collect the following data as part of the identity verification process:

Identity documents: copy of passport, national identity card, driver's license or any other official identification document
Proof of address: utility bill, bank statement or official document confirming your address
Biometric data: facial photograph (verification selfie), facial images collected as part of KYC verification with certain virtual card providers
Date of birth: collected in particular for virtual card issuance
Additional information: any document or information required by the KYC fields configured for your account type

KYC documents and data undergo a verification process. Their status may be: unverified, pending, approved or rejected. In the event of rejection, the reason will be communicated to you.

3.3 Financial and Transactional Data

Wallet data: balance, currency, transaction history
Complete transaction history: money transfers (sent and received), currency exchanges, international transfers (remittances), payments, fund deposits, withdrawals, bill payments, mobile top-ups, gift card purchases, P2P transactions, marketplace operations
Payment card data: processed through our secure payment providers (we do not store full card numbers on our servers)
Bank details: IBAN, account number, bank name (for wire transfers and remittances)
Virtual card data: card number, expiration date, CVV, spending limits, transaction history
Payment links and QR codes: data associated with payments received
Fees and commissions applied to each transaction

3.4 Technical and Connection Data

With each login and transaction, we automatically collect:

IP address
Geolocation data: city, country, GPS coordinates (latitude/longitude), timezone — inferred from your IP address
Device data: device type, device identifier, operating system, browser, device language
Device tokens: push notification tokens, platform (iOS, Android, Web)
Login logs: date, time, IP address, browser and operating system for each account login
Transaction logs: device data recorded for each financial operation performed

3.5 Merchant-Specific Data

In addition to the above data, Merchants provide:

Custom payment gateway configuration
Developer API keys (for integrating our payment services)
Merchant QR codes for receiving payments
Commission and fee settings

3.6 Referral Data

Referral identifier
Referrer-referee relationships
Referral commissions and earnings history

4. Purposes and Legal Bases for Processing

Purpose	Details	Legal Basis
Account creation and management	Registration, authentication, profile management, email and SMS verification	Performance of contract
Execution of financial services	Sending/receiving money, currency exchange, remittances, bill payments, mobile top-ups, virtual cards, gift cards, marketplace, P2P trading, payment links	Performance of contract
Regulatory compliance (KYC/AML/CFT)	Identity verification, transaction monitoring, detection of suspicious operations, regulatory reporting, compliance with international sanctions	Legal obligation
Fraud prevention	Detection of fraudulent activities, transaction pattern analysis, geographic consistency checks (IP vs. declared location), device tracking	Legitimate interest / Legal obligation
Platform security	Two-factor authentication, session management, access logging, intrusion detection	Legitimate interest
Transactional notifications	Transaction confirmations via email, SMS, instant messaging and push notifications; security alerts (unusual login, password change)	Performance of contract
Virtual card issuance	Creation, funding, management and closure of virtual cards through our issuing partners; transmission of KYC data required by those partners	Performance of contract
Real-time exchange rates	Querying third-party services for up-to-date exchange rates	Legitimate interest
Referral program management	Tracking referral relationships and calculating commissions	Performance of contract
Service improvement	Anonymized usage analysis, performance optimization, feature development	Legitimate interest
Marketing communications	Promotions, newsletters, personalized offers (only with your prior consent)	Consent
Dispute management	Complaint handling, dispute resolution, debt recovery	Legitimate interest / Legal obligation

5. Data Sharing with Third Parties

We never sell, rent or trade your personal data. Your data may be shared with the following categories of recipients, strictly within the scope of the purposes described above and subject to contractual confidentiality obligations.

5.1 Payment Service Providers

To process your financial transactions, your data is transmitted to secure third-party payment gateways, selected based on your chosen payment method and geographic region. These providers are PCI-DSS certified and subject to the financial regulations of their respective jurisdictions.

Data transmitted: transaction amount, currency, transaction identifier, and depending on the provider: bank details, card data (via secure tokenization), or crypto wallet address.

5.2 Virtual Card Issuers

For the issuance and management of your virtual cards, your data is transmitted to licensed card-issuing partners. Depending on the issuer, this may include:

Personal data and identity verification data
Biometric data: identity images and facial photographs for provider-specific KYC verification required by certain issuers
Civil status information (first name, last name, date of birth) and card tier

5.3 Telecommunications and Billing Services

The execution of mobile top-ups and bill payments requires the transmission of certain data to our specialized providers: phone number, operator, amount, account information for bills.

5.4 Communication Services

For sending transactional and security notifications, your data is transmitted to specialized providers based on the communication channel:

SMS: phone number and message content, transmitted to third-party SMS delivery platforms
Instant messaging: phone number, message templates and language preference, transmitted to third-party messaging platforms
Email: email address and message content, transmitted to third-party email delivery services

5.5 Push Notification Services

To deliver notifications to your devices, we use third-party push notification services. Data transmitted includes: device token, device identifier, platform and notification content.

5.6 Geolocation Services

We use IP address resolution services to determine the approximate location associated with your logins and transactions (IP address transmitted; city, country, coordinates received in return).

5.7 Currency Exchange Services

To obtain real-time exchange rates, we query third-party financial data providers. Only currency pairs are transmitted; no personal data is shared.

5.8 Social Authentication (optional)

If you choose to log in via a social network or third-party identity provider, the following data may be received: email address, name and profile photo. This feature is optional and subject to your explicit consent.

5.9 Regulatory and Judicial Authorities

We may disclose your personal data to competent authorities in the following circumstances:

Reporting obligations related to anti-money laundering (AML) and counter-terrorism financing (CFT)
Judicial requisitions, warrants or court orders
Requests from financial regulators in the exercise of their supervisory duties
Compliance with international sanctions and asset-freezing lists

6. International Data Transfers

Due to the international nature of our services and the locations of our service providers, your personal data may be transferred to countries outside your jurisdiction of residence, including countries that may not provide an equivalent level of data protection.

Such transfers are governed by the following safeguards:

Standard Contractual Clauses (SCCs) approved by competent authorities
Adequacy decisions where the destination country has been recognized as providing an adequate level of protection
Certifications and codes of conduct of providers
Explicit consent for certain specific transfers, in particular the transmission of biometric data to virtual card issuers

You may obtain the list of countries to which your data may be transferred by contacting us at the address indicated in Section 14.

7. Data Retention Periods

Data Category	Retention Period	Justification
Account data (profile, identifiers)	Duration of contractual relationship + 5 years after account closure	Legal obligation (financial regulations)
KYC data and documents	5 years after the end of the business relationship	AML/CFT obligations (4th Anti-Money Laundering Directive and local regulations)
Biometric data (facial images)	Duration of associated virtual card validity + 1 year, or until consent is withdrawn	Performance of contract / Consent
Transaction history	10 years from the execution of the transaction	Accounting and tax obligations
Login logs and technical data	Rolling 12 months	Security and fraud prevention
Transaction geolocation data	5 years (linked to transactions)	AML obligation / Fraud prevention
Device tokens (push notifications)	Until device logout or account deletion	Performance of contract
Referral data	Duration of contractual relationship + 3 years	Performance of contract
Merchant API keys	Duration of contractual relationship, revoked upon closure	Performance of contract
Email and SMS logs	6 months	Quality of service and incident resolution

Upon expiration of retention periods, data is securely deleted or irreversibly anonymized for statistical purposes.

8. Data Security

We implement technical and organizational security measures in accordance with financial industry standards:

8.1 Technical Measures

Encryption in transit: all communications are protected by TLS 1.2+ protocol (HTTPS)
Encryption at rest: sensitive data (passwords, PIN codes) is encrypted using irreversible hashing algorithms (bcrypt)
Tokenization: payment card data is tokenized through our PCI-DSS certified providers; we never store full card numbers in plaintext
Strong authentication: two-factor authentication (2FA), email and SMS verification
Transaction PIN code: a separate code from the password required to authorize each financial operation
Anomaly detection: real-time monitoring of login attempts and suspicious transactions
Data compartmentalization: separation of production, testing and development environments
Secure webhooks: cryptographic validation of callbacks received from third-party providers

8.2 Organizational Measures

Principle of least privilege: access to personal data is strictly limited to staff members whose roles require it, controlled by a granular administrator permission system
Access logging: full traceability of data access by administrators
Confidentiality agreements: contractual confidentiality commitments for all employees and service providers
Incident management: security incident response procedure and data breach notification policy

9. Automated Decisions and Profiling

As part of our compliance and fraud prevention obligations, we may use automated processing, including:

Transaction limit checks: minimum and maximum amounts are automatically verified for each transaction type and currency, in accordance with configured regulatory parameters
Unusual behavior detection: analysis of login patterns (geolocation, device, frequency) and transactions to identify potential fraudulent activity
KYC status verification: automatic blocking of certain services if identity verification is incomplete or has been rejected
Automatic fee and commission calculation: application of charges and exchange rates according to parameters configured for each service type

You have the right to contest any solely automated decision that produces legal effects concerning you and to obtain human intervention. To exercise this right, contact us at the address indicated in Section 14.

10. Your Rights

In accordance with applicable data protection regulations, you have the following rights:

10.1 Right of Access

You have the right to obtain confirmation that your personal data is being processed and to receive a complete copy thereof, including: the categories of data processed, the purposes, the recipients, the retention periods and international transfers.

10.2 Right to Rectification

You may request the correction of any inaccurate or incomplete personal data. You may also update certain data directly from your account settings.

10.3 Right to Erasure ("Right to Be Forgotten")

You may request the deletion of your personal data. This right is subject to the following limitations:

Data subject to legal retention obligations (KYC, financial transactions) cannot be deleted before the expiry of regulatory time periods
Data necessary for the exercise or defense of legal claims will be retained until the final resolution of the dispute

10.4 Right to Restriction of Processing

You may request restriction of the processing of your data in the following cases: dispute regarding data accuracy, unlawful processing, data required for exercising legal claims, or objection to processing pending verification.

10.5 Right to Data Portability

You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format (JSON, CSV), and to transmit it to another data controller. This right covers in particular: your profile data, transaction history and wallet data.

10.6 Right to Object

You may object to the processing of your data based on legitimate interest, including profiling. In the event of an objection, we will cease processing unless we demonstrate compelling legitimate grounds.

10.7 Withdrawal of Consent

Where processing is based on your consent (marketing communications, non-essential cookies, biometric data transmission), you may withdraw such consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to such withdrawal.

10.8 Right to Lodge a Complaint

If you believe that the processing of your personal data constitutes a violation of applicable regulations, you have the right to lodge a complaint with the competent supervisory authority in your country of residence.

Exercising Your Rights

To exercise any of these rights, send your request to privacy@quickei.com, specifying your identity (first name, last name, email associated with the account) and the right you wish to exercise. We will respond within 30 calendar days, which may be extended by 60 days in the case of complex requests (you will be informed accordingly).

11. Cookies and Tracking Technologies

11.1 Types of Cookies Used

Category	Purpose	Duration	Legal Basis
Strictly necessary cookies	Platform operation: authentication, session management, security (CSRF token), language and currency preferences	Session or until logout	Legitimate interest
Performance cookies	Audience measurement, analysis of pages visited, identification of technical errors	13 months maximum	Consent
Preference cookies	Remembering your settings: selected language, preferred currency, display mode (light/dark)	12 months	Consent

11.2 Managing Cookies

You can manage your cookie preferences at any time:

Through your browser settings (blocking or deleting cookies)
Through the cookie consent banner displayed on your first visit

Refusing strictly necessary cookies may prevent certain Platform features from functioning properly.

12. Protection of Minors

Quickei's services are intended exclusively for persons of legal age (18 years old or the age of majority in your jurisdiction). We do not knowingly collect personal data from minors. If we discover that a minor has created an account, that account will be immediately suspended and the associated data deleted. If you become aware of the use of our services by a minor, please inform us at privacy@quickei.com.

13. Data Breach Notification

In the event of a personal data breach likely to pose a risk to your rights and freedoms, we commit to:

Notifying the competent supervisory authority within 72 hours of becoming aware of the breach
Informing you without undue delay if the breach is likely to result in a high risk to your rights and freedoms, specifying the nature of the breach, the data concerned, the likely consequences and the measures taken or proposed
Documenting every breach in an internal register, whether or not it is subject to notification

14. Contact and Data Protection Officer

For any questions regarding this Policy, the protection of your personal data or to exercise your rights:

Data Protection Officer (DPO)
Email: privacy@quickei.com
Mailing address: [Quickei registered office address]

We commit to acknowledging receipt of any request within 5 business days.

15. Changes to This Policy

We reserve the right to modify this Policy at any time to adapt it to regulatory, technological or service developments. In the event of a substantial change:

You will be notified by email and/or by notification on the Platform at least 30 days before the changes take effect
A summary of changes will be made available
Your continued use of the services after the effective date will constitute acceptance of the new terms
If the changes affect processing based on your consent, fresh consent will be requested

16. Governing Law and Jurisdiction

This Policy is governed by the laws applicable at Quickei's registered office. Any dispute relating to the interpretation or performance of this Policy shall be submitted to the exclusive jurisdiction of the courts of Quickei's registered office, without prejudice to your right to lodge a complaint with the competent data protection supervisory authority.

Effective date: February 2026

Privacy Policy