Cashi — Privacy Policy

1. Effective Date; Scope; Relationship to Terms

Effective Date: 13 Mar 2026

This Privacy Policy (hereinafter referred to as the “Policy”) sets out how GBP Payments Corp., a corporation duly incorporated under the laws of Canada, together with its affiliates operating under the brand name “Cashi” (hereinafter collectively referred to as “Cashi,” “we,” “us,” or “our”), collects, uses, processes, discloses, retains, and safeguards personal data and other information obtained in connection with the provision of our Services.

This Policy applies to all individuals who access or use any Cashi Services, including but not limited to the Cashi platform, the Custodial Wallet, the Card, and any related products or features (hereinafter collectively referred to as the “Services”). This Policy should be read in conjunction with our Terms and Conditions, which govern your access to and use of the Services. Capitalised terms not separately defined in this Policy shall have the meanings ascribed to them in the Terms and Conditions.

By accessing or using any of our Services, you acknowledge that you have read, understood, and consent to the practices described in this Policy, and represent and warrant that you have the valid consent and authority from any Relevant Persons (defined below) for us to collect, use, disclose, and process Personal Data as described herein. If you do not agree with any provision of this Policy, you must discontinue use of the Services immediately.

In the course of delivering our Services, Cashi engages certain third-party service providers who may collect, process, or otherwise handle your personal data on our behalf or in connection with their own services. These third-party providers may include, without limitation, card issuing partners, payment networks, payment processors, identity verification providers, and blockchain analytics providers. Each of these third parties maintains its own independent privacy policy governing the collection, use, and processing of your data. Cashi is not responsible for the privacy practices of such third parties, and you are encouraged to review their respective privacy policies separately. Where required by applicable law, details of specific third-party providers may be made available upon request.

You agree that Cashi may update this Policy at any time by posting the amended version on our website or mobile application, or by notifying you via email. Your continued use of the Services following any such amendment shall constitute your acceptance of the updated Policy.

2. Information We Collect

We may from time to time collect, process, and store personally identifiable information that can be used to contact or identify you and your beneficial owners, directors, officers, authorised signatories, employees, representatives, and other natural persons related to you (the “Relevant Persons”) via your use of the Services or where you have given your consent (collectively, the “Personal Data”). Such Personal Data may include the following categories:

2.1 Personal Identifying Information

When you register for an Account and undergo identity verification, we may collect the following:

• Full legal name (including any former names, and names in English and other languages if applicable)

• Date of birth

• Place of birth

• Gender

• Nationality

• Residential address

• Country or state of residence

• Government-issued identification documents (e.g., passport, national ID card, driving licence)

• Identification document type and number

• Photographs or selfies for biometric verification

• Email address

• Phone number

• Blockchain wallet addresses

• Any additional personal data or documentation as may be required at the discretion of our compliance team

2.2 Personal Financial Information

To comply with our regulatory obligations and to assess risk, we may collect information relating to your financial profile, including: total net wealth (approximately in USD or equivalent), purpose of account opening, initial and ongoing sources of wealth or income, nature and details of your business, occupation, or employment, source of funds or digital assets, credit history and score (where applicable), transaction history and spending patterns, bank account information, and anticipated level of activity on the platform.

2.3 Transaction and Wallet Data

We collect information about your transactions and Custodial Wallet activity, including: deposit and withdrawal addresses, transaction amounts and timestamps, blockchain transaction hashes, Card transaction details (merchant name, amount, date, location), account balances, and swap transaction records.

2.4 Device and Usage Information

We may automatically collect technical information about your device and how you interact with our Services, including: IP address, device type, operating system, browser type, unique device identifiers, location data, usage patterns, and access logs.

2.5 Sensitive Personal Information

In certain cases, we may collect “Sensitive Personal Information” as defined under applicable laws (e.g., the GDPR, PDPA, or equivalent legislation). This may include biometric data (such as facial recognition data used for identity verification), data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or criminal records. We collect and use Sensitive Personal Information only to the limited extent necessary for specific, lawful purposes, and where we have obtained your explicit consent or are otherwise permitted by applicable law.

2.6 Communications

If you contact our support team or communicate with us through any channel, we may collect the content of those communications, including any attachments, metadata, and records of correspondence.

3. How We Use Your Information

We may also use your Personal Data to carry out any other purpose(s) described to you at the time the data was collected, provided such purpose is consistent with this Policy and applicable law., we have identified the legal basis upon which we rely for each category of processing.

Category of Personal Data	Specific Purposes	Legal Basis
A. Personal Identifying Information	Identity verification and account setup; providing and personalising Services; communicating with you; compliance with KYC/AML regulations; fraud detection and security.	Contractual necessity, your consent where applicable, legal obligations, and legitimate interests such as ensuring security.
B. Personal Financial Information	Processing payments, deposits, withdrawals, and transactions; risk assessment and credit analysis; generating statements, invoices, and reports; monitoring fraud or suspicious activity; internal audits and compliance.	Contractual necessity, legal obligations such as AML requirements, and legitimate interests such as risk management.
C. Transaction and Wallet Data	Processing and recording transactions; monitoring for suspicious or anomalous activity; compliance with AML/CTF obligations; generating account statements and transaction records.	Contractual necessity, legal obligations, and legitimate interests.
D. Device and Usage Information	Detecting and preventing fraud; enhancing user experience; compliance reporting; security monitoring and incident response.	Legitimate interests such as ensuring security, and your consent for precise location data where applicable.
E. Sensitive Personal Information	Enhanced identity verification; fraud prevention where required by law or regulation.	Your explicit consent and legal obligations, such as those for high-risk KYC procedures.

In addition to the purposes outlined in the table above, we may also use collected Personal Data:

To provide and manage our Services: To make decisions relating to the provision or continued provision of the Services; to verify or maintain the quality or safety of the Services; to administer, operate, deliver, improve, and personalise the Services; and to provide customer service, process payments and transactions, and verify customer information.

For security and fraud prevention: To monitor and record usage of the Services and communications with you; to detect, prevent, and address technical issues and security incidents; and to resist malicious, deceptive, fraudulent, or illegal actions.

For risk management: To conduct risk assessment and data analysis, anti-money laundering and credit analyses, internal management, and internal and external audits.

For communication: To communicate with you and your representatives in relation to events, our Services, and other products or services offered by Cashi or its affiliates, unless you have opted not to receive such information; and to provide statements, invoices, receipts, and related information.

For marketing and analytics: To conduct market research, surveys, promotions, and contests, and to analyse your preferences, interests, and behaviour in relation to the Services.

For compliance: To fulfil any applicable legal, regulatory, and compliance requirements, including anti-money laundering, counter-terrorist financing, sanctions screening, and tax obligations.

For legal purposes: To enforce or defend the rights or property of Cashi, its affiliates, and other users; and to establish, exercise, or defend legal claims.

We do not use or disclose Personal Data for any purpose other than those expressly permitted under this Policy and applicable law.

4. How We Share Your Information

We may share your Personal Data with the following categories of recipients, for the purposes described in this Policy:

Identity Verification and Compliance Providers: We share your Personal Data with Know Your Customer (KYC), blockchain analytics, and other compliance service providers to verify your identity, screen transactions, and comply with anti-money laundering and sanctions regulations.

Payment Processors and Financial Institutions: We share your Personal Data with card networks, banks, financial institutions, payment processors, and merchants to facilitate deposits, withdrawals, card transactions, and other payment services.

IT and Infrastructure Providers: We share your Personal Data with service providers that provide website hosting, data analysis, information technology, cloud storage, telecommunications, and data processing services.

Marketing and Analytics Partners: We may share your Personal Data with social media platforms, online platforms, or third-party analytics providers for marketing, advertising, or promoting our Services, but only where you have provided your prior express consent for such sharing.

Professional Advisers: We share your Personal Data with our legal, accounting, tax, and other professional advisers as necessary to help administer, operate, deliver, and improve the Services, or to comply with applicable legal or regulatory obligations.

Cashi’s Affiliates: We share your Personal Data with any actual or proposed assignee, business transferee, or affiliate of Cashi that is under a duty of confidentiality to the disclosing entity.

Governmental and Regulatory Authorities: We may disclose your Personal Data to any governmental, regulatory, law enforcement, or judicial authority where required by applicable law, regulation, court order, or governmental request, or where we reasonably believe such disclosure is necessary to protect our rights, your safety, or the safety of others.

Others: We may share your Personal Data with persons or entities that you authorise or consent to receive your Personal Data, such as your authorised representatives, agents, advisors, or beneficiaries.

We do not allow our third-party service providers to use your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with our instructions.

5. International Data Transfers

Your information, including Personal Data, may be transferred to and maintained on computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction. Please note that we may transfer your Personal Data, including to jurisdictions outside your own, and process it there. Your consent to this Policy and your submission of such information represent your agreement and consent to that transfer. Information you provide to us may also be stored on our and/or third-party cloud servers.

We will take reasonable measures to ensure that your Personal Data is treated securely and in accordance with this Policy, and no transfer of your Personal Data will take place to an organisation or a country unless there are adequate controls in place, including the security of your Personal Data and other personal information.

We rely on appropriate safeguards for data transfers, which may include:

Standard Contractual Clauses (SCCs): We use EU Standard Contractual Clauses approved by the European Commission for transfers from the EEA to third countries.

Data Protection Impact Assessments (DPIAs): We conduct DPIAs for high-risk processing activities, including transfers to countries without an adequacy decision, to ensure your data is protected.

Due Diligence: We conduct rigorous information security due diligence on all third-party vendors and sub-processors who will receive your data.

However, no data transfer mechanism can guarantee absolute security, and you acknowledge the inherent risks associated with cross-border data transfers.

6. Data Retention

6.1 General Retention Principles

Cashi retains your personal data for as long as reasonably necessary to fulfil the purposes described in this Policy, to comply with applicable legal and regulatory obligations, to resolve disputes, and to enforce our agreements. The specific retention periods applicable to each category of data are set out below.

6.2 Account and KYC Data

Personal data collected during account registration and identity verification, including but not limited to your name, date of birth, nationality, government-issued identification documents, proof of address, and any information obtained through customer due diligence or enhanced due diligence processes, shall be retained for the duration of your Account and for a minimum period of six (6) years following the date of account closure, or such longer period as may be required by applicable AML/CTF recordkeeping obligations in the relevant jurisdiction.

6.3 Transaction Data

Records of all transactions conducted through the Services, including but not limited to deposits, withdrawals, transfers, swaps, card transactions, and any associated metadata, shall be retained for a minimum period of seven (7) years from the date of the transaction, or such longer period as may be required by applicable law, regulation, or regulatory directive.

6.4 Device and Usage Data

Technical and behavioural data collected in connection with your use of the Services, including but not limited to device identifiers, IP addresses, browser type, operating system, access logs, and usage patterns, shall be retained for a period of up to two (2) years from the date of collection, or until no longer necessary for the purposes described herein, whichever is shorter, unless a longer retention period is required for the investigation or resolution of security incidents, fraud prevention, or compliance with applicable law.

6.5 Communications

Records of communications between you and Cashi, including but not limited to customer support enquiries, emails, in-app messages, and any other correspondence, shall be retained for a period of three (3) years following the date of the last communication. Communications relating to compliance matters, including but not limited to suspicious activity reports, regulatory enquiries, dispute resolution, and internal investigations, shall be retained in accordance with applicable AML/CTF recordkeeping requirements for a minimum period of six (6) years, or such longer period as may be required by applicable law.

6.6 Deletion and Anonymisation

Upon expiry of the applicable retention period, and subject to any overriding legal, regulatory, or contractual obligation requiring further retention, Cashi shall delete or irreversibly anonymise your personal data in accordance with our internal data management procedures. Where deletion or anonymisation is not immediately practicable due to technical constraints, Cashi shall ensure that such data is securely isolated and protected from any further processing until deletion or anonymisation can be completed.

6.7 Overriding Legal and Regulatory Obligations

Notwithstanding the foregoing, Cashi reserves the right to retain any data for such additional period as may be necessary to comply with applicable laws, regulations, court orders, or requests from governmental or regulatory authorities, or to establish, exercise, or defend legal claims.

7. Marketing Communications

We may communicate company news, promotions, and information relating to our products and Services provided by us. We may share Personal Data with our affiliates for the purpose of sending marketing communications. We will only send you marketing communications where we have received your prior express consent through the relevant channels within the Services.

If you change your mind and wish not to receive marketing communications, you may opt out at any time by following the unsubscribe instructions in those communications, or by contacting us at privacy@justcashi.com.

Please note that opting out of marketing communications does not affect service-related communications, such as transaction confirmations, security alerts, amendments to terms and conditions, platform updates, and compliance notifications. You understand that you will not be able to opt out of receiving such operational communications.

8. Security

Cashi implements reasonable technical and organisational measures designed to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include, where appropriate:

• Encryption of data in transit and at rest, including the use of SSL/TLS protocols;

• Mandatory two-factor authentication (2FA) for account access;

• Strict access controls on a need-to-know basis;

• Regular security assessments, penetration testing, and vulnerability reviews;

• Periodic review of our data collection, storage, and processing practices; and

• Restricted access to your Personal Data to authorised personnel only.

However, no method of transmission over the internet or electronic storage is completely secure. While we strive to protect your information using commercially acceptable means, we cannot guarantee its absolute security. You are responsible for maintaining the security of your Account credentials and devices, as described in our Terms and Conditions.

9. Your Rights and Choices

9.1 Right of Access and Correction

Subject to applicable law, you may request access to the personal data we hold about you and request correction of any inaccurate or incomplete data. This includes the right to request disclosure of the categories of Personal Data collected, the categories of sources, the purposes for collection, the categories of third parties with whom we share data, and the specific pieces of Personal Data we hold about you.

9.2 Right to Deletion

Where applicable law provides a right to deletion, you may request that we delete your personal data. Please note that certain data may need to be retained for legal, regulatory, or compliance purposes (including AML/CTF recordkeeping). We will inform you if a deletion request cannot be fully accommodated and explain the reasons.

9.3 Right to Data Portability

Where applicable law provides a right to data portability, you may request a copy of your Personal Data in a structured, commonly used, and machine-readable format. To exercise this right, please contact us at privacy@justcashi.com.

9.4 Right to Restrict Processing

You have the right to request that we limit or restrict the processing of your Personal Data in certain circumstances, including where you contest the accuracy of the data, where the processing is unlawful, or where you have objected to processing pending verification of our legitimate grounds.

9.5 Right to Withdraw Consent

Where we rely on your consent as the legal basis for processing your Personal Data, you have the right to withdraw your consent at any time. Please note that where you or a Relevant Person withdraws consent or fails to supply information required for us to provide our Services, we may be unable to provide or continue to provide certain Services to you. Withdrawal of consent does not affect the lawfulness of processing carried out prior to such withdrawal.

9.6 Marketing Opt-Out

If we send you marketing communications, you may opt out at any time by following the unsubscribe instructions in those communications or by contacting us at privacy@justcashi.com. Opting out of marketing does not affect service-related communications (e.g., transaction confirmations, security alerts, and compliance notifications).

9.7 Exercising Your Rights

To exercise any of the rights set out above, please contact us at privacy@justcashi.com. In order to process your request, we may need to verify your identity to ensure that the requesting party is legally entitled to make such a request. We will use reasonable efforts to respond to your request within fifteen (15) working days of receipt. While we aim to process requests free of charge, we reserve the right to charge a reasonable fee where requests are manifestly unfounded, excessive, or repetitive.

10. Children’s Privacy

Cashi Services are not directed at, and are not intended for use by, individuals under the age of eighteen (18) years or the minimum age required by the laws of your jurisdiction to form a binding contract, whichever is higher. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete such data promptly. If you believe a child has provided us with personal data, please contact us at privacy@justcashi.com.

11. Cookies and Tracking Technologies

When you access or use the Cashi Services, we may place small data files on your computer or other device. These data files may include cookies, pixel tags, “Flash cookies,” or other local storage technologies provided by your browser or associated applications (collectively referred to as “Cookies”). We use Cookies to recognise you as a Cashi user, personalise the Services and content, measure the effectiveness of promotions, help ensure the security of your Account, and reduce risk and prevent fraud.

You may refuse or disable Cookies through your browser settings, unless such Cookies are strictly necessary to prevent fraud and/or ensure the security of the Services. However, please note that refusing or disabling Cookies may affect the functionality of the Cashi Services and your overall user experience.

12. Links to Other Sites

Our platform may contain links to other websites or services that are not operated by Cashi. If you click on a third-party link, you will be directed to that third party’s site. We strongly advise you to review the privacy policy of every site you visit. Cashi has no control over and assumes no responsibility for the content, privacy policies, or practices of any third-party sites or services.

13. Your Contact with Other Users

You understand and acknowledge that you are solely responsible for your interactions with other users of the Services. Cashi reserves the right, but has no obligation, to monitor disputes between you and other users.

14. Data Protection Officer and Complaints

14.1 Data Protection Officer

Cashi has appointed a Data Protection Officer (the “DPO”) who is responsible for overseeing questions, concerns, and complaints relating to this Policy and the handling of your Personal Data. If you wish to contact the DPO, please write to: privacy@justcashi.com.

14.2 Complaints

We are committed to resolving any complaints about our collection or use of your Personal Data in a timely manner. If you wish to make a complaint regarding data privacy, please contact the DPO at privacy@justcashi.com. We will acknowledge receipt of your complaint and endeavour to respond within fifteen (15) working days.

If you are not satisfied with our response, you may have the right to lodge a complaint with the relevant data protection supervisory authority in your jurisdiction.

15. Language

The official and controlling language of this Policy is English. In the event that this Policy is translated into any other language, the English language version shall prevail to the extent of any inconsistency.

16. Updates to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will use reasonable efforts to notify you (for example, by email, in-app notification, or by posting a notice on the Cashi platform) prior to the changes taking effect. The “Last Updated” date at the top of this Policy indicates when it was last revised. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated Policy.

17. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Email: privacy@justcashi.com

Last updated: 13 Mar 2026