Privacy Policy

1. Who We Are

B2M Asia Inc. ("B2M Asia", "we", "our", or "us") is a financial technology company incorporated under the laws of Ontario, Canada, with its principal place of business in Toronto, Ontario. We operate the platform available at b2masia.com and provide cross-border B2B payment services, foreign exchange (FX) conversion, AI-driven FX hedging, multi-currency account management, and related financial technology services to businesses operating internationally, with a focus on trade corridors between Canada and the Asia-Pacific region.

B2M Asia acts as the data controller in respect of personal information collected through our website and platform. Where we engage third-party processors to handle data on our behalf, we ensure appropriate data processing agreements are in place.

2. Scope of This Policy

This Privacy Policy applies to all personal information collected by B2M Asia through:

• Our website at b2masia.com and any subdomains
• Our web-based and mobile payment platform and dashboard
• Our application programming interfaces (APIs)
• Email, telephone, and other direct communications with our team
• Account registration, onboarding, and know-your-business (KYB) processes

This policy is governed primarily by the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada and, where applicable to residents of the European Economic Area, the General Data Protection Regulation (GDPR). Where provincial privacy legislation applies — including the Quebec Act Respecting the Protection of Personal Information in the Private Sector — we comply with those requirements as well.

3. Information We Collect

We collect personal and business information in several categories depending on your relationship with us:

A. Account and Identity Information

• Full legal name and contact details (email address, telephone number, mailing address)
• Username, password (stored in hashed form), and account preferences
• Date of birth and government-issued identification documents where required for identity verification
• Photograph or selfie for biometric identity verification, where applicable

B. Business and Corporate Information

• Legal business name, registered address, and business registration or incorporation number
• Industry sector, nature of business, and description of trade activities
• Names, roles, and identifying documents of directors, beneficial owners, and authorized signatories
• Corporate documents including articles of incorporation, shareholder agreements, and proof of address
• Tax identification numbers and HST/GST registration numbers

C. Financial and Transaction Information

• Bank account details, including account numbers, institution numbers, and transit numbers
• Transaction records including payment amounts, currencies, dates, beneficiary details, and reference numbers
• FX conversion history, hedging positions, and account balances
• Source of funds declarations and supporting documentation where required by applicable law
• Billing information and fee payment records

D. Technical and Usage Information

• IP address, device type, operating system, browser type and version
• Pages visited, features used, time spent on platform, and click-path data
• Login timestamps, session identifiers, and authentication logs
• API request logs including endpoints accessed and parameters submitted
• Error logs and crash reports to support platform stability and debugging

E. Communications and Correspondence

• Emails, chat messages, and support tickets exchanged with our team
• Responses to surveys, feedback forms, and research requests
• Records of telephone conversations where permitted by applicable law and prior notice is given

4. How We Collect Information

We collect information through the following means:

• Directly from you: When you register for an account, complete our KYB verification process, submit contact forms, initiate transactions, or communicate with our team.
• Automatically: When you use our website or platform, we automatically collect technical and usage information through cookies, server logs, and similar technologies.
• From third parties: We may receive information from identity verification providers, credit reference agencies, financial crime screening services, banking partners, and publicly available corporate registries to fulfil our compliance obligations.
• From your authorized representatives: Directors, administrators, or other authorized users of your business account may submit information about your organization and its personnel.

5. Purposes for Collecting and Using Information

B2M Asia collects and uses personal information only for the specific purposes described below, in accordance with the principle of purpose limitation under PIPEDA:

• Account creation and management: To register your business, maintain your account, authenticate your identity, and manage your access to our platform.
• Provision of payment and FX services: To process cross-border transactions, execute currency conversions, manage FX hedging positions, and maintain multi-currency account balances on your behalf.
• Know Your Business (KYB) and identity verification: To verify the identity of your business, its directors, and beneficial owners as required by Canadian financial regulations, including the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA).
• Anti-Money Laundering (AML) and financial crime compliance: To screen transactions and parties against applicable sanctions lists, monitor for suspicious activity, and fulfill mandatory reporting obligations to FINTRAC and other regulatory bodies.
• Risk management and fraud prevention: To detect, investigate, and prevent fraudulent activity, unauthorized access, and misuse of our platform.
• Customer support: To respond to your inquiries, resolve disputes, and provide technical assistance related to your account and transactions.
• Service improvement: To analyze usage patterns, identify product issues, conduct internal research, and improve the functionality, security, and performance of our platform.
• Communications and marketing: To send you transactional notifications, platform updates, and — where you have provided consent — marketing communications about our services, promotions, and industry news. You may withdraw consent for marketing communications at any time.
• Legal and regulatory compliance: To comply with applicable laws, regulations, court orders, and requests from competent regulatory and law enforcement authorities.

6. Legal Basis for Processing

Under Canadian privacy law (PIPEDA), we rely on the following grounds to collect, use, and disclose personal information:

• Consent: You provide express or implied consent when you create an account, submit information, use our services, or agree to our Terms of Service. You may withdraw consent at any time, subject to legal and contractual obligations, by contacting us at privacy@b2masia.com.
• Contractual necessity: Processing is necessary to perform our obligations under our Terms of Service and to provide the payment and FX services you have requested.
• Legal obligation: Processing is necessary to comply with our obligations under PCMLTFA, FINTRAC reporting requirements, and other applicable financial regulations in Canada and the jurisdictions in which we operate.
• Legitimate interests: Where permitted by law, we process certain information on the basis of our legitimate interests in operating a secure financial platform, preventing fraud, and improving our services, provided such interests are not overridden by your privacy rights.

For users in the European Economic Area, the legal bases under the GDPR correspond to: Article 6(1)(a) (consent), Article 6(1)(b) (contract performance), Article 6(1)(c) (legal obligation), and Article 6(1)(f) (legitimate interests).

7. Sharing and Disclosure of Information

B2M Asia does not sell, rent, or trade your personal information to third parties for their own marketing purposes. We share information only in the following circumstances:

• Banking and payment partners: We share transaction information with correspondent banks, payment processors, and financial institutions necessary to execute and settle your cross-border payments and currency conversions.
• Identity verification providers: We engage regulated third-party identity verification and KYB service providers to verify the identity of your business and its representatives. These providers operate under strict confidentiality and data processing agreements.
• Compliance and sanctions screening: We share information with financial crime compliance services to screen parties and transactions against international sanctions lists maintained by OFAC, the United Nations, and Canadian authorities.
• Regulatory and law enforcement authorities: We are required by law to disclose certain information to regulators including FINTRAC, the Financial Transactions and Reports Analysis Centre of Canada, and other competent authorities. We may also disclose information in response to lawful requests, subpoenas, or court orders.
• Technology and infrastructure providers: We use cloud hosting, data storage, analytics, and security services provided by third parties who process data on our behalf under written data processing agreements that restrict how they may use your information.
• Professional advisors: We may share information with our legal counsel, accountants, auditors, and insurers where necessary for the proper conduct of our business, subject to professional confidentiality obligations.
• Business transfers: In the event of a merger, acquisition, sale of assets, reorganization, or financing, your information may be transferred to the relevant parties as part of that transaction. We will notify you of any material change in the controller of your information.
• With your consent: We may share your information with other third parties where you have provided express consent to do so.

8. International Data Transfers

B2M Asia is headquartered in Canada and primarily processes data within Canada. However, given the nature of cross-border financial services, information may be transferred to and processed in countries outside Canada, including countries in the Asia-Pacific region such as China, Taiwan, Japan, South Korea, and Hong Kong, as well as the United States and the United Kingdom.

When we transfer personal information internationally, we take steps to ensure an adequate level of protection is maintained, including:

• Transferring to countries recognized as having adequate data protection standards
• Implementing contractual safeguards with data recipients, including standard contractual clauses where required by applicable law
• Relying on derogations permitted under applicable privacy law, including where the transfer is necessary to perform the cross-border payment contract you have requested

Please be aware that laws governing the protection of personal information in some jurisdictions may differ from those in Canada. By using our services, you acknowledge that your information may be transferred and processed internationally as described in this policy.

9. Data Retention

We retain personal information for as long as necessary to fulfil the purposes for which it was collected, to maintain accurate business and financial records, and to comply with our legal and regulatory obligations. Specific retention periods are as follows:

• Active account data: Retained for the duration of your account relationship with B2M Asia.
• Transaction records and KYB documentation: Retained for a minimum of seven (7) years following the date of the relevant transaction or the closure of your account, as required by PCMLTFA and FINTRAC guidelines.
• Identity verification documents: Retained for a minimum of five (5) years from the date of verification or the end of the business relationship, in accordance with applicable anti-money laundering regulations.
• Marketing and communications data: Retained until you withdraw your consent or request deletion, subject to any overriding legal retention requirements.
• Technical logs: System logs and security records are typically retained for up to twelve (12) months for operational and security purposes.

When personal information is no longer required, we securely delete, anonymize, or destroy it in accordance with our internal data disposal procedures.

10. How We Protect Your Information

B2M Asia implements a comprehensive set of technical, organizational, and physical safeguards designed to protect your personal and financial information against unauthorized access, disclosure, alteration, and destruction:

• Encryption: All data transmitted between your browser or application and our servers is protected using Transport Layer Security (TLS 1.2 or higher). Sensitive data at rest is encrypted using AES-256 encryption.
• Access controls: Access to personal information within B2M Asia is restricted to authorized employees and contractors who require it to perform their duties. We apply the principle of least privilege and conduct regular access reviews.
• Multi-factor authentication: All administrative access to our systems and all user logins to the platform require multi-factor authentication (MFA).
• Security monitoring: We continuously monitor our systems for anomalies, intrusion attempts, and suspicious activity using automated detection and alerting tools.
• Vulnerability management: We conduct regular security assessments, penetration testing, and code reviews. Software dependencies are monitored for known vulnerabilities and patched promptly.
• Incident response: We maintain a documented data breach response plan. In the event of a security incident that poses a real risk of significant harm, we will notify affected individuals and, where required, the relevant supervisory authority within the timeframe required by applicable law.
• Staff training: All B2M Asia employees and contractors who handle personal information receive mandatory privacy and data security training.

While we take all reasonable precautions, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security, and we encourage you to take appropriate steps to protect your account credentials.

11. Cookies and Tracking Technologies

B2M Asia uses cookies and similar tracking technologies on our website and platform. Cookies are small text files placed on your device that help us recognize you, remember your preferences, and improve your experience.

We use the following categories of cookies:

• Strictly necessary cookies: Essential for the operation of our website and platform, including session management, authentication, and security. These cannot be disabled without affecting core functionality.
• Performance and analytics cookies: Help us understand how visitors use our website and platform by collecting aggregated, anonymized usage statistics. We use this data to improve our services and user experience.
• Functional cookies: Remember your preferences (such as language and display settings) to provide a more personalized experience.

You can control and manage cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our website. For more information on managing cookies, refer to your browser's help documentation.

12. Your Privacy Rights

Subject to applicable law and certain exceptions, you have the following rights with respect to your personal information held by B2M Asia:

• Right of access: You have the right to request a copy of the personal information we hold about you and to receive information about how it is used and shared.
• Right to correction: You have the right to request that we correct inaccurate or incomplete personal information about you.
• Right to withdraw consent: Where our processing is based on consent, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
• Right to erasure (right to be forgotten): In certain circumstances, you may request that we delete your personal information. This right is subject to our legal obligations to retain certain records, including our obligations under financial regulations.
• Right to data portability: Where technically feasible and required by applicable law, you may request that we provide your personal information in a structured, machine-readable format.
• Right to object: You may object to the processing of your personal information for direct marketing purposes at any time. You may also object to other forms of processing where our legal basis is legitimate interests.
• Right to lodge a complaint: If you believe your privacy rights have been violated, you have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca, or the relevant supervisory authority in your jurisdiction.

To exercise any of these rights, please submit a written request to privacy@b2masia.com. We will respond within thirty (30) days of receiving your request. We may need to verify your identity before processing your request.

13. Children's Privacy

B2M Asia's services are intended exclusively for businesses and business professionals. We do not knowingly collect personal information from individuals under the age of 18. If you believe we have inadvertently collected information from a minor, please contact us immediately at privacy@b2masia.com and we will promptly delete such information.

14. Third-Party Links and Services

Our website and platform may contain links to third-party websites or services that are not operated by B2M Asia. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party websites you visit. B2M Asia is not responsible for the privacy practices of third parties.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will notify you by:

• Posting a prominent notice on our website and platform at least 30 days before the changes take effect
• Sending an email notification to the address associated with your account

Your continued use of our services after the effective date of any updated Privacy Policy constitutes your acceptance of the changes. If you do not agree to the updated policy, you must discontinue use of our services and may request account closure by contacting us.

16. How to Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal information, please contact our Privacy Officer:

We are committed to working with you to achieve a fair resolution to any privacy concern. If you are not satisfied with our response, you may escalate your complaint to the Office of the Privacy Commissioner of Canada at priv.gc.ca or call 1-800-282-1376.