Privacy Policy
This Policy will help you better understand how we collect, use, and share your personal information.
Table of Contents
- Who We Are
- Personal Data We Collect
- How We Use Your Personal Data
- How We Share Your Personal Data
- International Data Transfers
- Automated Decision-Making & Profiling
- Cookies & Tracking Technologies
- Data Retention
- Data Security
- Your Privacy Rights
- Children's Privacy
- Data Breach Notification
- Third-Party Links & Services
- Changes to This Policy
- Contact & Data Protection Officer
- Jurisdiction-Specific Appendices
1. Who We Are
1.1 About ScopeX
ScopeX is a cross-border payment platform that enables individuals in the European Economic Area ("EEA"), United Kingdom ("UK"), United States ("US"), and Canada to send money to India. We use licensed payment infrastructure and modern settlement technology to deliver fast, low-cost international remittances.
This Privacy Policy (the "Policy") applies to all personal data collected through our website at scopex.money, our iOS and Android mobile applications, our customer support channels, and any other services we provide (collectively, the "Platform").
1.2 Our Corporate Structure
ScopeX Technologies Limited (Canada) is the sole global data controller for all personal data collected through the Platform, regardless of the user's location.
| Entity | Jurisdiction | Registration | Role |
|---|---|---|---|
| ScopeX Technologies Limited | Ontario, Canada | Corp. No. OCN 1001126446 | Primary Data Controller — Global |
| ScopeX, Inc. | Delaware, USA | File #10308679 | Holding company — no data processing |
1.3 Our Regulatory Model
ScopeX acts as a technology intermediary connecting users to licensed financial partners. Currency conversion, fund transmission, and payment execution are carried out exclusively by our licensed partners operating under their own regulatory authorisations. ScopeX does not hold, transmit, or have access to user funds at any point in the payment process.
Regulated activities — including identity verification (KYC), AML screening, and payment execution — are performed by our licensed partners, who act as independent data controllers for the personal data they process under their own regulatory licences. Each partner's privacy policy governs that partner's processing.
1.4 Payment Corridors Covered by This Policy
| Sending Country / Region | Receiving Country | Data Controller | Regulatory Framework |
|---|---|---|---|
| European Economic Area (Germany, France, Netherlands, Austria, Belgium, and additional EEA states) | India | ScopeX Technologies Limited (Canada) | GDPR, PSD2, AML5/6, MiCA (Regulation (EU) 2023/1114), TFR (Regulation (EU) 2023/1113) |
| United Kingdom | India | ScopeX Technologies Limited (Canada) | UK GDPR, DPA 2018, DUAA 2025, PSRs 2017 |
| United States | India | ScopeX Technologies Limited (Canada) | CCPA/CPRA, GLBA, FinCEN BSA/AML, GENIUS Act 2025, State Privacy Laws |
| Canada | India | ScopeX Technologies Limited (Canada) | PIPEDA, Quebec Law 25, FINTRAC PCMLTFA |
2. Personal Data We Collect
2.1 Information You Provide Directly
a) Account Registration & Identity Data
- Full legal name (first, middle, surname) as it appears on government-issued identification
- Date of birth
- Nationality and country of residence
- Email address (primary contact and account recovery)
- Mobile phone number (two-factor authentication and transaction notifications)
- Residential address (street, city, state/province, postal code, country)
- Occupation and employer (where required for source-of-funds assessment)
- Purpose of remittance (e.g., family support, education, medical expenses)
b) Identity Verification Documents
To comply with AML regulations and our licensed partners' KYC obligations, we collect:
- Government-issued photographic identification: Passport, national identity card, or driving licence
- Proof of address: Utility bill, bank statement, or government correspondence dated within three months
- Selfie photograph or video: Used for liveness detection and facial-match verification
- Source-of-funds documentation: Payslips, employment contracts, tax returns, or bank statements where required for enhanced due diligence
c) Biometric Data
When you complete identity verification, our third-party identity verification partner (such as Onfido, Veriff, or Sumsub) may extract biometric identifiers — specifically, a mathematical representation (faceprint) of your facial features — from the selfie or video you provide.
⚠️ Biometric Data Notice
Biometric data is classified as special category data under GDPR and as sensitive personal information under applicable US state biometric privacy laws including Illinois BIPA (740 ILCS 14), Texas CUBI (Tex. Bus. & Com. Code § 503.001), Washington RCW § 19.375, and Colorado's biometric provisions (Colo. Rev. Stat. § 6-1-1314). We process biometric data only with your explicit consent or where otherwise required by law. Your biometric data is processed exclusively by our identity verification partner and is not stored by ScopeX. The verification partner retains biometric data for no longer than 30 days following the verification check (or one year under Texas CUBI, whichever is the more restrictive). You may withdraw consent at any time, though this may prevent identity verification from being completed.
d) Financial & Payment Data
- Bank account details: bank name, account holder name, IBAN or account number, BIC/SWIFT code, sort code
- Debit or credit card details: processed securely by our PCI-DSS compliant payment processor — we do not store full card numbers
- Payment instrument identifier: a reference identifier associated with your chosen payment method for the purposes of processing your transfer
- Transaction details: amount sent, amount received, exchange rate, fees, date and time, transaction reference number
e) Recipient (Beneficiary) Data
- Recipient's full name
- Recipient's bank account number and IFSC code, or UPI ID
- Recipient's phone number (for UPI transfers and delivery notifications)
- Relationship to recipient (required under Indian FEMA regulations)
f) Regulatory Transfer Compliance Data
Where required by applicable law — including Regulation (EU) 2023/1113 (Transfer of Funds Regulation) and equivalent FATF obligations — we and our licensed payment partners are required to collect and transmit the following for certain payment transactions:
- Originator information: Full name, account or payment instrument identifier, and an additional identifier (national identifier, date and place of birth, or address)
- Beneficiary information: Full name and account or payment instrument identifier
This data is transmitted to our licensed payment partners and, where required by law, to Financial Intelligence Units and competent authorities. The legal basis is compliance with a legal obligation (GDPR Art. 6(1)(c)).
g) Communications Data
- Messages and enquiries via in-app chat, email (support@scopex.money), or social media
- Customer support call recordings and transcripts (you will be informed at the start of any recorded call)
- Feedback and survey responses
- Referral programme data (names and contact details of persons you refer, with their knowledge)
2.2 Information We Collect Automatically
a) Device & Technical Data
- IP address (including derived approximate geolocation — city/region level)
- Device identifiers: unique device ID, advertising ID (IDFA/GAID)
- Browser type, version, and language settings
- Operating system type and version
- Screen resolution, device manufacturer and model
- Time zone, local time, and mobile network operator
- App version and installation metadata
b) Usage & Behavioural Data
- Pages and screens viewed, features used, in-app navigation patterns
- Session duration, frequency, and timestamps
- Referral source (search engine, social media, referral link, advertisement)
- In-app actions: button clicks, form completions, transaction initiations, abandoned flows
- Push notification interactions
- App crash reports and performance diagnostics
c) Location Data
- Approximate location (city/region level) derived from your IP address — used for fraud prevention, localisation, and relevant corridor display
- Precise GPS location: We do not collect precise GPS location unless you explicitly grant permission for a specific feature described at the time of request
2.3 Information We Receive from Third Parties
- Identity Verification Partners: Document validation results, liveness check outcomes, facial-match confidence scores, and flags for manual review
- Fraud Prevention & Financial Crime Databases: Screening results from OFAC, EU Consolidated Sanctions, UN Security Council sanctions lists; PEP registries; adverse media databases; fraud-risk scoring platforms
- Licensed Payment Partners: Transaction status updates (completed, pending, failed, returned), compliance check results, settlement confirmations
- Publicly Available Sources: Company registries, court records, media articles for enhanced due diligence
- Social Sign-In Providers: If you register via Google Sign-In or Apple ID, we receive your name, email address, and profile picture. We do not receive your password or social media account content.
3. How We Use Your Personal Data
We process your personal data only when we have a valid legal basis. Under the GDPR, UK GDPR, PIPEDA, and applicable US privacy laws, the legal bases we rely on are: performance of a contract, compliance with a legal obligation, your consent, and our legitimate interests (balanced against your rights).
| Purpose | Data Categories Used | Legal Basis |
|---|---|---|
| Create and manage your account | Identity, contact, device data | Contract — necessary to provide our services |
| Process your transactions | Identity, financial, recipient, transaction data | Contract — necessary to execute the payment service |
| Regulatory transfer compliance (TFR/FATF) | Originator and beneficiary identity and payment identifier data | Legal obligation (Regulation (EU) 2023/1113; FATF obligations) |
| Verify your identity (KYC) | Identity documents, biometric data | Legal obligation (AML regulations); Consent (for biometric data) |
| Prevent fraud and financial crime | Identity, financial, device, usage, third-party screening data | Legal obligation (AML/CTF); Legitimate interests |
| Comply with regulatory obligations | All categories as required | Legal obligation |
| Digital payment regulatory compliance | Transaction data, payment instrument identifiers | Legal obligation (GENIUS Act 2025; applicable stablecoin and digital payment regulations) |
| Communicate with you | Identity, contact, transaction data | Contract; Legitimate interests |
| Improve our Platform | Usage, device, behavioural data (aggregated where possible) | Legitimate interests |
| Marketing and promotions | Identity, contact, usage data | Consent (EEA, Canada); Legitimate interests (US/UK, subject to opt-out) |
| Customer support quality | Communications data, identity data | Legitimate interests |
| Legal claims and disputes | All data categories relevant to the claim | Legitimate interests; Legal obligation |
| Corporate transactions | Aggregated/anonymised business data; identity/financial data under strict confidentiality | Legitimate interests |
3.1 Legitimate Interests Balancing
Where we rely on legitimate interests, we have conducted a balancing assessment ensuring our interests do not override your fundamental rights. Documented assessments are available for review upon request to dpo@scopex.money.
3.2 Withdrawing Consent
Where processing is based on consent, you may withdraw at any time without affecting the lawfulness of prior processing. Withdraw marketing consent via the "Unsubscribe" link in any marketing email, through your account settings under "Notification Preferences," or by emailing dpo@scopex.money.
4. How We Share Your Personal Data
We do not sell, rent, or trade your personal data to third parties for their marketing purposes.
4.1 Licensed Payment Partners
To process your cross-border transfers, we share your identity, financial, and transaction data with licensed financial partners who perform currency conversion, settlement, and payment disbursement on your behalf. These partners hold their own regulatory licences and process your data as independent controllers under their own privacy policies. Links to our partners' privacy policies are available within your account settings under "Payment Partners" and are displayed at the point of transaction.
4.2 Identity Verification Providers
Your identity documents, selfie or video, and biometric data are shared with our KYC partner solely for document validation, liveness detection, and facial-match verification. The partner retains biometric data for no longer than 30 days post-verification (or the applicable statutory period under state biometric law).
4.3 Fraud Prevention & Financial Crime Agencies
We share identity and transaction data with sanctions screening providers, PEP databases, and fraud prevention agencies. Adverse findings may be recorded by these agencies. We are legally required to share certain information and cannot always inform you when we do so (e.g., SAR filing obligations).
4.4 Regulatory Transfer Data Counterparties
For applicable payment transactions, originator and beneficiary information required under Regulation (EU) 2023/1113 (Transfer of Funds Regulation), the FATF Travel Rule, and the GENIUS Act is transmitted to our licensed payment partners and, where required by law, to Financial Intelligence Units and competent authorities. This sharing is mandatory.
4.5 Service Providers (Data Processors)
Third-party processors acting under our instructions, bound by written data processing agreements:
- Cloud hosting & infrastructure: Secure cloud providers with data centres in the EU and North America
- Analytics providers: Google Analytics, Mixpanel (usage and performance analytics)
- Customer support platforms: Intercom (support enquiry management)
- Email and notification services: Transactional and (where opted in) marketing communications
- Payment processors: PCI-DSS compliant processors for card payment data
4.6 Regulators, Law Enforcement & Government Authorities
We may disclose personal data where legally compelled, including in response to:
- Court orders, subpoenas, or legal process
- Financial regulators (FINTRAC, FinCEN, FCA, RBI, state regulators)
- Obligations under AML/CTF laws, including SAR filings
- Law enforcement agencies investigating criminal activity
4.7 Professional Advisers
Legal counsel, auditors, accountants, and insurers, subject to professional privilege and confidentiality obligations.
4.8 Business Transfers
In the event of a merger, acquisition, or restructuring, personal data may transfer to a successor entity. We will provide 30 days' notice before data becomes subject to a different privacy policy.
4.9 With Your Consent
We may share data with other parties where you have given explicit, informed consent. You may withdraw such consent at any time.
5. International Data Transfers
As a cross-border payment service, your personal data is transferred to and processed in countries outside your jurisdiction. We apply appropriate safeguards to ensure your data is protected consistent with this Policy and applicable law.
5.1 Transfer Safeguards
| Transfer Route | Safeguard Mechanism | Basis |
|---|---|---|
| EEA / UK → Canada | European Commission adequacy decision for Canada (commercial organisations under PIPEDA) | Adequacy (GDPR Art. 45) |
| EEA → US | EU–US Data Privacy Framework (DPF) where the US recipient is DPF-certified; otherwise EU Standard Contractual Clauses (SCCs) with supplementary measures | DPF (Art. 45) or SCCs (Art. 46(2)(c)) |
| UK → US | UK Extension to the EU–US DPF where applicable; otherwise UK IDTA or UK Addendum to EU SCCs | UK IDTA / DPF Extension |
| EEA / UK → India | EU SCCs (2021 version) / UK IDTA, supplemented by Transfer Impact Assessment and technical measures | SCCs (Art. 46(2)(c)) / IDTA |
| Canada → US | Contractual data protection clauses consistent with PIPEDA s. 6.1 | PIPEDA s. 6.1 |
| Canada → India | Contractual clauses under PIPEDA s. 6.1, supplemented by technical measures | PIPEDA s. 6.1 |
| US → India | Contractual safeguards; Indian payment data processed exclusively by RBI-compliant licensed partners | Contractual |
5.2 DPF Risk Disclosure
⚠️ DPF Legal Uncertainty Notice
The EU–US Data Privacy Framework (DPF) was upheld by the General Court of the EU in Case T-553/23 (September 2025); however, an appeal is pending before the Court of Justice of the EU. As a precautionary measure, we maintain Standard Contractual Clauses (SCCs) as a parallel safeguard for all EU-to-US transfers. If the DPF is suspended or invalidated, we will rely on SCCs without interruption to data flows or service availability.
5.3 Supplementary Technical Measures
- Encryption in transit: TLS 1.2 or higher on all data transfers
- Encryption at rest: AES-256 encryption for all stored personal data
- Pseudonymisation: Applied where technically feasible during transfer and storage
- Access controls: Strict role-based access; only authorised personnel access personal data
- Minimisation: Only the minimum data necessary for each transfer purpose is shared
5.4 Transfer Impact Assessments
We have conducted and documented TIAs for each transfer route above, evaluating the destination country's legal regime, government-access risks, and the effectiveness of supplementary measures. TIA summaries are available upon request to dpo@scopex.money.
6. Automated Decision-Making & Profiling
We and our licensed partners use automated systems to make decisions that may significantly affect you.
6.1 Types of Automated Decisions
| Automated Process | Purpose | Potential Impact on You |
|---|---|---|
| Identity verification | Automated document validation and facial-match comparison during KYC | Account approval may be declined if documents cannot be validated or liveness check fails |
| Sanctions & PEP screening | Real-time screening against global sanctions lists and PEP registries | Transactions may be blocked or delayed pending manual review |
| Transaction monitoring | Pattern analysis to detect suspicious transactions by amount, frequency, destination, and behavioural signals | Transactions may be flagged, delayed, or blocked; account may be suspended pending investigation |
| Fraud detection | Analysis of device fingerprinting, IP geolocation, login patterns, and behavioural signals | Suspicious logins may be blocked; additional verification may be required |
| Customer risk scoring | Assignment of a risk level based on profile characteristics, transaction history, and geographic factors | Higher risk scores may trigger enhanced due diligence requirements |
6.2 Your Rights Regarding Automated Decisions
Under GDPR Article 22, UK GDPR, and applicable law, you have the right to:
- Be informed that an automated decision has been made
- Receive a meaningful explanation of the logic and significance of the decision
- Request human review of any automated decision that has significantly affected you
- Express your point of view and contest the decision
To exercise these rights, contact dpo@scopex.money or use in-app support chat. We will acknowledge within 72 hours and arrange human review.
6.3 EU AI Act (Regulation 2024/1689)
ScopeX's automated decision-making systems for identity verification, fraud detection, and transaction monitoring may constitute AI systems within the meaning of the EU AI Act. We comply with AI literacy requirements applicable since 2 February 2025 (Article 4). We are implementing high-risk AI system obligations applicable from 2 August 2026, including risk management, data governance, transparency, and human oversight requirements. From 2 August 2026, you will have the right to an explanation of any individual decision made by a high-risk AI system (Article 86), supplementing existing GDPR rights under Articles 13–15 and 22.
7. Cookies & Tracking Technologies
Our Platform uses cookies and similar technologies for functionality, analytics, and (where consented) marketing.
7.1 Categories of Cookies
| Category | Purpose | Examples | Consent Required? |
|---|---|---|---|
| Strictly Necessary | Core functionality: authentication, session management, security, load balancing | Session cookies, auth tokens | No |
| Performance & Analytics | Traffic measurement, usage pattern analysis, error identification | Google Analytics, Mixpanel, Sentry | Yes |
| Functional | Preference retention: language, currency display, corridor history | Language preference, feature flags | Yes |
| Marketing & Advertising | Advertising effectiveness measurement and retargeting | Google Ads, Meta Pixel, Appsflyer, Adjust | Yes |
7.2 Consent & Preferences
A cookie consent banner is displayed on first visit. Change preferences at any time via "Cookie Settings" in the website footer. Full details, including specific cookie lifetimes, are in our Cookie Policy.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law.
| Data Category | Retention Period | Legal / Regulatory Basis |
|---|---|---|
| Account & identity data | Duration of account + 5 years after closure | FINTRAC PCMLTFA; AML Directive 5/6; UK MLR 2017 |
| Transaction records | 5–7 years from transaction date | AML record-keeping; tax reporting (CRA, IRS, HMRC) |
| KYC verification documents (partner-held) | 5–10 years per partner regulatory obligation | Partner regulatory licences |
| KYC verification results (ScopeX-held) | Duration of account + 5 years | AML record-keeping; dispute resolution |
| Biometric data (IDV partner-held) | 30 days post-verification check (Texas CUBI: 1 year from purpose expiry; Illinois BIPA: earlier of 3 years or purpose fulfilment) | BIPA; Texas CUBI; Colorado biometric rules; consent |
| Regulatory transfer compliance data | 5 years from transaction date | Regulation (EU) 2023/1113 Art. 16; FATF obligations |
| Customer support communications | 3 years from last interaction | Service quality; dispute resolution |
| Marketing preferences | Until consent withdrawn or account closure | Consent-based |
| Technical & usage logs | 12 months from collection | Security monitoring; fraud investigation |
| Cookie data | Per cookie — see Cookie Policy | Consent-based (non-essential) |
Upon expiry, data is securely deleted or irreversibly anonymised. Anonymised data may be retained indefinitely for statistical purposes.
9. Data Security
9.1 Technical Measures
- Encryption in transit: TLS 1.2+ enforced across all endpoints; HTTPS and HSTS
- Encryption at rest: AES-256 for all databases and file storage
- Key management: Secure key management infrastructure with regular rotation
- Network security: WAF, IDS/IPS, DDoS mitigation, continuous monitoring
- Application security: Regular penetration testing, vulnerability scanning, secure SDLC
- Database security: Databases isolated in private networks; authenticated and authorised connections only
9.2 Organisational Measures
- Access controls: RBAC with quarterly access review
- MFA: Required on all internal systems handling personal data
- Employee training: Mandatory data protection training on onboarding and annually
- Confidentiality: All employees, contractors, and service providers under confidentiality obligations
- Vendor security assessments: Due diligence on all third-party providers before granting data access
- Incident response: Documented security incident response plan with defined escalation procedures
- Business continuity: Regular backups and disaster-recovery testing
9.3 Your Responsibility
Protect your account with a strong unique password, enable two-factor authentication (available in account settings), keep your device software updated, and never share your login credentials. ScopeX will never ask for your password or full banking credentials via email, phone, or chat.
🚨 Security Incident?
If you believe your ScopeX account has been compromised or you have received a suspicious communication purporting to be from ScopeX, contact us immediately at security@scopex.money or via the in-app emergency support channel.
10. Your Privacy Rights
You have the following rights regarding your personal data. We honour these rights globally.
| Right | Description |
|---|---|
| Right of Access | Request a copy of the personal data we hold about you and how we process it |
| Right to Rectification | Request correction of inaccurate or incomplete data. Update some details directly in your account settings |
| Right to Erasure | Request deletion of your data where no compelling basis exists for continued processing. Subject to mandatory regulatory retention (Section 8) |
| Right to Restrict Processing | Request suspension of processing in certain circumstances, e.g., while accuracy is being verified |
| Right to Data Portability | Receive your data in a structured, machine-readable format (CSV or JSON), or request transfer to another provider |
| Right to Object | Object to processing based on legitimate interests or for direct marketing. Marketing objections are actioned immediately |
| Right to Human Review | Request human review of any automated decision that significantly affects you (see Section 6) |
| Right to Withdraw Consent | Withdraw consent at any time without affecting the lawfulness of prior processing |
10.1 How to Exercise Your Rights
Contact our Data Protection Officer at dpo@scopex.money or use in-app privacy settings. We verify your identity before processing requests. We acknowledge within 72 hours and respond substantively within one calendar month. Extensions (up to two further months) are permitted for complex or high-volume requests; we will notify you within the initial month. There is no fee for exercising your rights, unless requests are manifestly unfounded or excessive.
⚠️ Regulatory Retention Limitation
Due to mandatory record-keeping obligations under AML laws (FINTRAC PCMLTFA, EU AML Directive, UK MLR 2017, FinCEN BSA), we may not be able to fully delete personal data associated with completed financial transactions. We will explain any specific limitations and delete all data not subject to a regulatory retention obligation.
10.2 Right to Complain
| Jurisdiction | Authority | Contact |
|---|---|---|
| Canada | Office of the Privacy Commissioner of Canada (OPC) | priv.gc.ca · 1-800-282-1376 |
| United Kingdom | Information Commissioner's Office (ICO) | ico.org.uk · +44 303 123 1113 |
| EEA | Your national Data Protection Authority | EDPB member list |
| United States | Federal Trade Commission (FTC) | ftc.gov; or your state Attorney General |
| India | Data Protection Board of India (DPBI) | Operational from 13 May 2027 (Phase 3); interim: grievance@scopex.money |
We encourage you to contact us first at dpo@scopex.money so we may resolve your concern directly.
11. Children's Privacy
Our Platform and services are not directed at individuals under the age of 18. We do not knowingly collect or process personal data from persons under 18. If you are a parent or guardian and believe your child has provided data to ScopeX, contact dpo@scopex.money immediately. We will investigate and delete such data without delay.
12. Data Breach Notification
12.1 Notification to Supervisory Authorities
We will notify the relevant data protection authority within 72 hours of becoming aware of a breach likely to result in a risk to rights and freedoms, as required under GDPR Article 33, UK GDPR, and PIPEDA. For breaches involving US residents, we comply with applicable state breach notification laws (typically 30–60 days, varying by state).
12.2 Notification to Affected Individuals
Where a breach is likely to result in a high risk to your rights and freedoms (e.g., financial fraud, identity theft), we will notify you without undue delay. Notification will include:
- Nature of the breach and categories and approximate number of records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate adverse effects
- Contact details of our Data Protection Officer
12.3 Internal Documentation
All breaches (including sub-threshold incidents) are documented in our breach register, including facts, effects, and remedial actions, available for supervisory authority inspection.
13. Third-Party Links & Services
Our Platform may contain links to third-party websites or services. This Policy does not apply to third-party services. We are not responsible for their privacy practices. The inclusion of a link does not imply endorsement.
14. Changes to This Policy
14.1 Notification of Material Changes
For material changes — such as new data categories, processing purposes, or third-party disclosures — we will notify you at least 30 days in advance via:
- A prominent notice on our website and/or within the app
- An email to your registered email address
- An in-app push notification
Where required by law, we will obtain renewed consent before implementing material changes.
14.2 Version History
| Version | Date | Summary of Changes |
|---|---|---|
| v3.0 | March 2026 | Initial full policy with all jurisdictional appendices |
| v3.1 | March 2026 | Single Canadian controller; BVI/India entity disclosures; MiCA, GENIUS Act, DUAA 2025, DPDPA Rules added |
| v3.2 | March 2026 | Simplified payment technology language; payment settlement described at a service level; BVI and India entity references removed; digital equivalent coin terminology adopted; improvement suggestions added |
Previous versions are archived and available upon request to dpo@scopex.money.
15. Contact & Data Protection Officer
| Role | Contact | Details |
|---|---|---|
| Data Protection Officer | dpo@scopex.money | ScopeX Technologies Limited, Ontario, Canada. Our DPO oversees compliance with this Policy across all ScopeX entities. |
| General Privacy Enquiries | privacy@scopex.money | For all data protection questions, rights requests, and privacy concerns |
| Legal Department | legal@scopex.money | Legal process, regulatory enquiries |
| Security Team | security@scopex.money | Security vulnerabilities, suspected account compromise |
| India Grievance Officer | grievance@scopex.money | Acknowledged within 24 hours; resolved within 15 business days |
We aim to acknowledge all enquiries within 72 hours and respond substantively within one calendar month.
Appendix A — European Economic Area (GDPR)
If you are located in the European Economic Area, this appendix applies in addition to the main Policy.
Data Controller
ScopeX Technologies Limited, Ontario, Canada (FINTRAC MSB: C100000621), is the data controller for EEA users pursuant to GDPR. For EEA data protection matters, contact privacy@scopex.money.
Note on EU Representative: As a controller established outside the EU processing EEA personal data, ScopeX Technologies Limited is in the process of formally appointing an EU representative under GDPR Article 27. Until this appointment is completed, EEA users may direct all data protection enquiries to privacy@scopex.money, which is monitored on an expedited basis.
Legal Bases for Processing
As detailed in Section 3, we process your data on the following GDPR legal bases: performance of a contract (Art. 6(1)(b)), compliance with a legal obligation (Art. 6(1)(c)), your consent (Art. 6(1)(a)), and our legitimate interests (Art. 6(1)(f)). For special category data (biometric data), we rely on your explicit consent (Art. 9(2)(a)) or processing necessary for substantial public interest in fraud prevention (Art. 9(2)(g)).
Digital Payments and Transfer of Funds Regulation (TFR)
ScopeX's cross-border payment services may involve digital equivalent coins — electronically represented payment instruments classified as electronic money tokens (EMTs) under EU Regulation 2023/1114 (MiCA, applicable since 30 December 2024). Our licensed payment partners hold or are seeking the applicable regulatory authorisations under MiCA.
Where applicable, the Transfer of Funds Regulation (Regulation (EU) 2023/1113, "TFR") requires that originator and beneficiary information accompany certain payment transactions regardless of the payment instrument used. This information is collected and transmitted as described in Section 2.1(f) and Section 4.4. The legal basis is compliance with a legal obligation (Art. 6(1)(c)).
EU AI Act
ScopeX is preparing for high-risk AI system obligations under Regulation (EU) 2024/1689 applicable from 2 August 2026, including risk management, transparency, and human oversight for AI systems used in KYC, fraud detection, and transaction monitoring. See Section 6.3 for full details.
International Transfers
Transfers of EEA personal data outside the EEA are governed by the safeguards in Section 5, including the adequacy decision for Canada, the EU–US Data Privacy Framework (with SCCs as a parallel safeguard given the pending CJEU challenge), and SCCs for transfers to India.
Right to Lodge a Complaint
You may lodge a complaint with your national Data Protection Authority. See the EDPB member list.
Appendix B — United Kingdom (UK GDPR / DUAA 2025)
If you are located in the United Kingdom, this appendix applies in addition to the main Policy.
Data Controller
ScopeX Technologies Limited, Ontario, Canada, is the data controller for UK users under the UK General Data Protection Regulation (retained EU law) and the Data Protection Act 2018, as amended by the Data (Use and Access) Act 2025 ("DUAA 2025").
Note on UK Representative: As a controller established outside the UK processing UK personal data, ScopeX Technologies Limited is in the process of appointing a UK representative under UK GDPR Article 27. Until appointment is confirmed, UK users may direct all data protection enquiries to privacy@scopex.money.
Data (Use and Access) Act 2025
The DUAA 2025 received Royal Assent on 19 June 2025. Key provisions in force from 5 February 2026 that affect this Policy:
- Automated Decision-Making. The DUAA 2025 amended the UK GDPR Article 22 framework. The general prohibition on solely automated decision-making now applies only where the decision is based on special category data. For ADM not involving special category data, ScopeX may rely on any lawful basis, provided: (i) you are informed that automated decision-making is being used; (ii) you may make representations; (iii) human intervention is available upon request. For ADM involving special category data, explicit consent or substantial public interest is required.
- "Recognised Legitimate Interests." New Section 6(1)(ea) UK GDPR creates a lawful basis for specified activities — including detection and prevention of crime and safeguarding — requiring no balancing test. ScopeX relies on this basis for fraud detection and AML activities to the extent applicable.
- Electronic Complaints Mechanism. From 19 June 2026, we will provide an accessible electronic mechanism for lodging data protection complaints. Until then, complaints may be submitted to dpo@scopex.money.
International Transfers
Following the DUAA 2025, the UK assesses adequacy on a "not materially lower" standard. Transfers from the UK to Canada continue to benefit from UK adequacy recognition. Transfers to the US and India use the UK IDTA or the UK Addendum to the EU SCCs, supplemented by Transfer Impact Assessments.
Right to Lodge a Complaint
Information Commissioner's Office (ICO): Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF — ico.org.uk — +44 303 123 1113.
Appendix C — United States
If you are a resident of the United States, this appendix applies in addition to the main Policy. ScopeX Technologies Limited (Canada) is the data controller for US users. Regulated payment activities are performed through our licensed payment partners who hold their own state money transmitter licences and FinCEN registrations.
Payment Technology Disclosure
ScopeX acts as a technology intermediary. Currency conversion and fund transmission are performed exclusively by our licensed payment partners. ScopeX does not hold or transmit user funds. ScopeX's own FinCEN Money Services Business registration status is under evaluation; all regulated money transmission activities are performed by licensed partners. This architecture is consistent with FinCEN guidance FIN-2019-G001.
GENIUS Act (Digital Payment Stablecoin Regulation)
The Guiding and Establishing National Innovation for U.S. Stablecoins Act of 2025 ("GENIUS Act," signed 18 July 2025) establishes a federal regulatory framework for payment stablecoins. Where our licensed payment partners use digital equivalent coins in processing your transfer, transaction data collected in connection with such payments may not be used for targeted advertising or shared with non-affiliated third parties without your consent, except as required by law. ScopeX is preparing to comply with applicable GENIUS Act requirements as implementing regulations are finalised (expected by July 2026).
California Consumer Privacy Act (CCPA / CPRA)
California residents have the following rights under the CCPA as amended by the CPRA:
- Right to Know: Request disclosure of categories and specific pieces of personal information collected in the preceding 12 months, sources, purposes, and third parties with whom it was shared
- Right to Delete: Request deletion subject to regulatory retention exceptions
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale or Sharing: ScopeX does not sell your personal information and does not share it for cross-context behavioural advertising. No opt-out mechanism for sale or sharing is required at this time
- Right to Limit Use of Sensitive Personal Information: Direct us to limit use of sensitive personal information to what is necessary for the collection purpose
- Right to Non-Discrimination: We will not discriminate against you for exercising CCPA/CPRA rights
Categories of Personal Information Collected (CCPA Disclosure)
| CCPA Category | Examples | Business Purpose |
|---|---|---|
| Identifiers | Name, email, phone, IP address | Account creation, identity verification, communications |
| Personal information (Cal. Civ. Code § 1798.80) | Bank account numbers, financial information | Transaction processing, regulatory compliance |
| Biometric information | Faceprint (via IDV partner) | Identity verification |
| Internet/network activity | Browsing history, device data, app interactions | Security, fraud prevention, analytics |
| Geolocation data | IP-derived approximate location | Fraud prevention, localisation |
| Professional/employment | Occupation (where collected for source of funds) | Enhanced due diligence |
| Sensitive personal information | Government ID numbers, financial account numbers, biometric data | Identity verification, transaction processing |
Biometric Data — State Laws
In addition to California CPRA, ScopeX's identity verification processes are subject to the following state biometric privacy laws:
- Illinois BIPA (740 ILCS 14): Destruction within 30 days or three years, whichever is first; written consent required
- Texas CUBI (Tex. Bus. & Com. Code § 503.001): Destruction within one year after purpose expires; consent and notice required
- Washington (RCW § 19.375): No enrolment in commercial database without notice and consent
- Colorado (Colo. Rev. Stat. § 6-1-1314, effective 1 July 2025): Written retention schedule; informed written consent; security incident protocol
Applicable US State Privacy Laws
Residents of the following states may exercise rights including access, deletion, correction, and opt-out of certain processing by contacting dpo@scopex.money:
California (CCPA/CPRA) · Virginia (VCDPA) · Colorado (CPA) · Connecticut (CTDPA) · Utah (UCPA) · Iowa (ICDPA, eff. 1 Jan 2025) · Delaware (DPDPA, eff. 1 Jan 2025) · Nebraska (NEDPA, eff. 1 Jan 2025) · New Hampshire (SB 255, eff. 1 Jan 2025) · New Jersey (SB 332, eff. 15 Jan 2025) · Tennessee (TIPA) · Texas (TDPSA) · Oregon (OCPA) · Montana (MCDPA) · Indiana (SB 5, eff. 1 Jan 2026) · Kentucky (HB 15, eff. 1 Jan 2026) · Rhode Island (HB 7787, eff. 1 Jan 2026) · Maryland (MODPA) · Minnesota (MCDPA) · Florida (FDBR — applies to entities with $1B+ annual global revenue)
We monitor legislative developments and will update this list as additional states enact comprehensive privacy legislation.
Financial Privacy (GLBA)
To the extent the Gramm-Leach-Bliley Act applies to our licensed payment partners' services, non-public personal financial information is not disclosed to non-affiliated third parties for marketing purposes. Information shared with licensed partners is solely for transaction processing and regulatory compliance.
Nevada
Nevada residents may submit an opt-out request directing us not to sell their personal information. ScopeX does not sell personal information.
Appendix D — Canada (PIPEDA / Quebec Law 25)
If you are located in Canada, this appendix applies in addition to the main Policy. ScopeX Technologies Limited (FINTRAC MSB Registration: C100000621), incorporated in Ontario, is the data controller and the organisation accountable for your personal information.
Applicable Law
The federal Personal Information Protection and Electronic Documents Act (PIPEDA) governs ScopeX Technologies Limited's collection, use, and disclosure of personal information in the course of commercial activity in Canada. Bill C-27 (which had proposed to replace PIPEDA with the Consumer Privacy Protection Act) did not complete the legislative process and was terminated when Parliament was prorogued in January 2025. As of the effective date of this Policy, PIPEDA remains the governing federal privacy law. ScopeX will update this Policy if and when successor legislation is enacted.
Users in Quebec are additionally subject to the Act Respecting the Protection of Personal Information in the Private Sector (Law 25), fully in force since September 2024, including the Privacy Impact Assessment (PIA) requirement for new technology projects and the obligation to publish a privacy policy.
PIPEDA Fair Information Principles
We comply with the ten fair information principles in Schedule 1 of PIPEDA:
- Accountability: ScopeX Technologies Limited is accountable for all personal information in its possession. Our DPO is the individual responsible for compliance.
- Identifying Purposes: Purposes are identified at or before the time of collection, as detailed in Section 3.
- Consent: We obtain knowledge and consent for collection, use, and disclosure, except where permitted by law. Consent may be withdrawn at any time with reasonable notice.
- Limiting Collection: We collect only what is necessary for the identified purposes.
- Limiting Use, Disclosure, and Retention: Personal information is used and disclosed only for identified purposes and retained only as long as necessary (Section 8).
- Accuracy: We take reasonable steps to ensure personal information is accurate, complete, and up-to-date.
- Safeguards: We protect personal information with security safeguards appropriate to sensitivity (Section 9).
- Openness: This Policy is our public statement of personal information practices.
- Individual Access: Upon request, we will inform you of the existence, use, and disclosure of your personal information and provide access to it.
- Challenging Compliance: Complaints about PIPEDA compliance may be directed to our DPO and, if unresolved, to the OPC.
Cross-Border Transfers
Under PIPEDA Section 6.1, where personal information is transferred to service providers outside Canada (including the US and India), we ensure through contractual and other means that a comparable level of protection applies. We inform you that your information may be processed outside Canada and may be subject to the laws of those jurisdictions.
Breach Notification (PIPEDA)
In the event of a breach of security safeguards creating a real risk of significant harm, we will notify you and report to the OPC as required under PIPEDA's breach notification provisions (Division 1.1), as soon as feasible.
Right to Complain
Office of the Privacy Commissioner of Canada (OPC): 30 Victoria Street, Gatineau, Quebec, K1A 1H3 — priv.gc.ca — 1-800-282-1376.
Commission d'accès à l'information (CAI — Quebec): www.cai.gouv.qc.ca — for Quebec Law 25 complaints.
Appendix E — India (DPDPA 2023 / DPDP Rules 2025)
If you are a resident of India or a beneficiary receiving funds through ScopeX, this appendix applies in addition to the main Policy.
Digital Personal Data Protection Act 2023 and DPDP Rules 2025
India's Digital Personal Data Protection Act, 2023 (DPDPA 2023) received presidential assent on 11 August 2023. The Digital Personal Data Protection Rules, 2025 were officially notified on 13 November 2025 and are being implemented in three phases:
| Phase | Timeline | Key Obligations |
|---|---|---|
| Phase 1 | From 13 November 2025 | Administrative setup; Data Protection Board constituted; notice and consent framework operative |
| Phase 2 | From 13 November 2026 | Consent managers; expanded DPBI powers; cross-border transfer restrictions in force |
| Phase 3 | From 13 May 2027 | Full enforcement; data principal complaint rights; penalties up to ₹250 crore per violation |
ScopeX is implementing compliance measures aligned with this phased timeline. The Data Protection Board of India (DPBI) has been formally constituted as of 13 November 2025; full enforcement powers activate on 13 May 2027.
Your Rights Under DPDPA
- Obtain information about what personal data is processed and for what purpose
- Request correction and completion of inaccurate or incomplete data
- Request erasure of your personal data, subject to regulatory retention obligations
- Nominate another individual to exercise your rights in case of death or incapacity
- Lodge a grievance with ScopeX (as Data Fiduciary) and, if unsatisfied, with the Data Protection Board of India once fully operational
Aadhaar Data
ScopeX does not collect Aadhaar numbers or Aadhaar-linked biometric data directly. Where our licensed Indian payment gateway partners require Aadhaar-based verification, this occurs under the partner's control, subject to their privacy policy and the Aadhaar Act 2016. You may provide alternative government-issued identification where available.
RBI Data Localisation
In compliance with the Reserve Bank of India's circular on Storage of Payment System Data (RBI/2017-18/153, April 2018) and the Payment Aggregator – Cross Border (PA-CB) framework (October 2023):
- All payment system data relating to Indian transactions is stored on servers located within India by our licensed Indian payment gateway partners
- ScopeX may retain transaction metadata (reference numbers, amounts, status) outside India solely for customer service, dispute resolution, and regulatory compliance in the sending jurisdiction
Foreign Exchange Management Act (FEMA)
All cross-border remittances to India are subject to FEMA 1999 and applicable RBI regulations, including Liberalised Remittance Scheme (LRS) limits and purpose codes. Purpose-of-remittance data is required for FEMA compliance and is shared with our Indian partners for regulatory adherence.
Grievance Officer
For complaints relating to data processing in India, contact our Grievance Officer at grievance@scopex.money. We acknowledge grievances within 24 hours and resolve them within 15 business days.
© 2026 ScopeX Technologies Limited. All rights reserved.
Questions about your data? Contact us at dpo@scopex.money