PRIVACY POLICY

1. INTRODUCTION

UNIGOX NETWORK CORP. (“UNIGOX”, “we”, “us”, or “our”) is a Canadian Money Services Business registered with the Financial Transactions and Reports Analysis Centre of Canada (“FINTRAC”) under registration number C100001069, incorporated in British Columbia, Canada (Registration No. BC1532559). UNIGOX operates a cross-border automated crypto-fiat payment platform providing infrastructure services to individuals and businesses.

This Privacy Policy (“Policy”) describes how UNIGOX collects, uses, discloses, retains, and protects personal information in connection with your use of our platform, website, applications, and APIs (collectively, the “Services”). It applies to individual users, business clients, vendors, API partners, and any other person whose personal information we process.

By accessing or using our Services, or by submitting personal information to us, you acknowledge that you have read and understood this Policy. If you do not agree, you should not use our Services.

Our primary privacy obligations arise under the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada. Where our Services are used by individuals in the European Economic Area (EEA), the General Data Protection Regulation (GDPR) may also apply. Please see Section 14 for GDPR-specific information.

2. CORPORATE DETAILS AND DATA CONTROLLERS

The entities responsible for processing your personal information are:

2.1 UNIGOX Canada (Primary Data Controller)

Legal name: UNIGOX NETWORK CORP.

Jurisdiction: British Columbia, Canada

Registration number: BC1532559

FINTRAC MSB number: C100001069

Registered address: C/O Snap Incorporations, 302-540 Lawrence Avenue, Kelowna, British Columbia V1Y 6L7, Canada

Privacy contact: support@unigox.com

2.2 UNIGOX Panama (Crypto-Side Services)

Certain crypto-side services are provided by UNIGOX NETWORK CORP., a company registered in Panama (Registration No. 155761779, RUC 155761779-2-2025), with registered address at Province of Panama, District of Panama, Betania, Via Ricardo J. Alfaro, PH The Century Tower, Office 317. Where UNIGOX Panama processes personal data in connection with crypto-side transactions, UNIGOX Canada remains the primary contact for all privacy inquiries.

3. INFORMATION WE COLLECT

We collect different categories of personal information depending on whether you use our Services as an individual user or as a business client.

3.1 Individual User Information (KYC)

To verify your identity and comply with our Know Your Customer (“KYC”) obligations, we collect:

•Full legal name, date of birth, and nationality

•Government-issued identification documents (passport, national ID, driver’s licence)

•Residential address and proof of address documents

•Selfie or photograph for facial verification purposes

•Tax identification number or equivalent, where applicable

•Source of funds and source of wealth declarations

•Contact details: email address and phone number

3.2 Business Client Information (KYB)

For corporate and API clients undergoing Know Your Business (“KYB”) due diligence, we collect:

•Company legal name, jurisdiction, and registration number

•Certificate of Incorporation and corporate organizational documents

•Shareholding structure and ultimate beneficial ownership (UBO) information

•Personal identification documents for directors, officers, and UBOs

•Business description, expected transaction purpose and volumes

•AML/CFT compliance program details and questionnaires

•Regulatory licensing and status information

•Contact details of authorized representatives

3.3 Transaction and Financial Data

In connection with transactions conducted through our Services, we collect:

•Cryptocurrency wallet addresses (sending and receiving)

•Transaction amounts, dates, currencies, and blockchain network details

•Bank account details and IBAN information for fiat transactions

•Payment confirmation records and transaction identifiers

•Exchange rates applied and fees charged

3.4 Technical and Usage Data

When you interact with our platform, we automatically collect:

•IP address and approximate geolocation data

•Device type, operating system, browser type and version

•Platform access times, session duration, and navigation patterns

•API request logs, identifiers, and error records

•Cookie and tracking data (see Section 11)

3.5 Communications Data

We retain records of your communications with us, including support tickets, email correspondence, and any information you provide when contacting our team.

4. HOW WE USE YOUR INFORMATION

We use the personal information we collect for the following purposes:

4.1 Service Delivery

To create and manage your account, process transactions, operate escrow mechanisms, execute fiat on/off-ramp services, and provide customer support.

4.2 Identity Verification and Due Diligence

To conduct KYC/KYB verification via our authorized identity and compliance providers, assess risk, and make onboarding decisions in accordance with our AML/CFT compliance program.

4.3 Compliance with Legal Obligations

To comply with our obligations under FINTRAC, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), the Retail Payment Activities Act (RPAA, administered by the Bank of Canada), and other applicable laws and regulations. This includes mandatory transaction reporting to FINTRAC. UNIGOX Canada monitors its RPAA obligations and will complete any required registration under that Act before offering payment services subject to it. See Section 13.

4.4 Anti-Money Laundering, Sanctions Screening, and Fraud Prevention

To monitor transactions for suspicious activity, screen users and transactions against applicable sanctions lists (the Canadian Consolidated Autonomous Sanctions List, UN Security Council, U.S. OFAC/SDN, UK OFSI/HMT, EU Consolidated List), detect fraud, and investigate unusual activity.

4.5 Platform Security and Integrity

To protect the security and integrity of our platform, detect and prevent unauthorized access, and respond to security incidents.

4.6 Service Improvement

To analyze platform usage, diagnose technical issues, conduct research and development, and improve the functionality and user experience of our Services.

4.7 Communications

To send service-related notices, transaction confirmations, and compliance updates. Where you have provided consent, we may also send marketing or promotional communications. You may opt out of marketing communications at any time by contacting us at support@unigox.com.

5. LEGAL BASIS FOR PROCESSING

We process personal information on the following legal bases:

5.1 Contractual Necessity

Processing required to enter into or perform a contract with you, including account creation, transaction execution, and service delivery.

5.2 Legal Obligation

Processing required to comply with our mandatory obligations under PIPEDA, PCMLTFA, FINTRAC regulations, FATF recommendations, applicable sanctions regimes, and other applicable law.

5.3 Legitimate Interests

Processing necessary for our legitimate interests in fraud prevention, platform security, risk management, and improvement of our Services, provided those interests are not overridden by your fundamental privacy rights.

5.4 Consent

Where processing is based on consent (for example, optional marketing communications), you have the right to withdraw consent at any time without affecting the lawfulness of prior processing.

6. INFORMATION SHARING AND DISCLOSURE

We do not sell, rent, or trade your personal information to third parties for marketing purposes. We may share your information in the following circumstances:

6.1 Regulatory and Law Enforcement Authorities

We are required by law to disclose certain information to FINTRAC and, where required by applicable legal process, to other regulatory bodies, law enforcement agencies, and courts. Such disclosures are mandatory under the PCMLTFA. In certain circumstances we are legally prohibited from informing you that a report has been made. See Section 13.

6.2 Service Providers and Data Processors

We share personal information with trusted third-party service providers who assist in delivering our Services, under appropriate data processing agreements. The list of active providers may change over time. Provider categories include:

•Identity and compliance providers: KYC/KYB verification, sanctions screening, and AML compliance services

•Payment and fiat providers: licensed payment institutions, EMIs, PSPs, banks, and local payment rails supporting fiat on/off-ramp and payment infrastructure

•Infrastructure providers: cloud hosting, analytics, and security services

All third-party providers are contractually bound to process your information only as instructed by UNIGOX and to maintain security standards appropriate to the nature of the data processed.

6.3 Affiliated Entities

We may share information between UNIGOX Canada and UNIGOX Panama to the extent necessary to deliver integrated Services, subject to appropriate safeguards.

6.4 Travel Rule

For UNIGOX’s crypto swap and bridge operations, transactions are executed via self-executing smart contracts. UNIGOX does not initiate or send virtual asset transfers on behalf of users in these flows, and accordingly the FATF Travel Rule does not apply to UNIGOX in this capacity. For fiat-side electronic funds transfers, such transfers are initiated and processed by licensed third-party payment institutions who carry their own Travel Rule obligations. Where UNIGOX collects originator or beneficiary information in connection with such transfers, it does so to support the compliance obligations of those regulated counterparties.

6.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal information may be transferred as part of the transaction. We will provide advance notice before your information becomes subject to a different privacy policy.

6.6 Legal Proceedings

We may disclose personal information where required by court order, subpoena, production order, or other legal process, or where we reasonably believe disclosure is necessary to protect our rights, your safety, or the safety of others.

7. INTERNATIONAL DATA TRANSFERS

Our primary data processing takes place in Canada (British Columbia). Some of our service providers in categories such as identity verification and fiat payment infrastructure may process your personal information in other jurisdictions.

All cross-border transfers of personal information are conducted in accordance with PIPEDA’s cross-border transfer requirements. We require contractual safeguards from service providers in other countries to ensure your information receives protection consistent with Canadian privacy standards.

For users in the European Economic Area, transfers are subject to appropriate safeguards, which may include Standard Contractual Clauses or other recognized GDPR transfer mechanisms. See Section 14 for further detail.

8. DATA RETENTION

We retain personal information for as long as necessary to fulfill the purposes for which it was collected and to comply with our legal obligations. Our standard retention periods are:

•KYC/KYB records and identity verification data: minimum five (5) years from account closure, as required by FINTRAC under the PCMLTFA

•Transaction records: minimum five (5) years from the date of the transaction, as required by FINTRAC

•Account information: duration of the business relationship plus five (5) years

•Communications and support records: two (2) years

•Technical logs and usage data: twelve (12) months

Retention may be extended where required for ongoing regulatory investigations or legal proceedings. When personal information is no longer required, we securely delete or anonymize it.

9. SECURITY MEASURES

We implement a range of technical and organizational measures to protect your personal information against unauthorized access, loss, alteration, or disclosure:

•Encryption: all sensitive data is encrypted during transmission (TLS/HTTPS) and at rest

•Access controls: role-based access controls limit personal data access to authorized personnel only

•Wallet key management: UNIGOX currently manages private keys for user wallets on a custodial basis. UNIGOX is actively migrating to a non-custodial architecture in which private keys will be held on the user-device side. The expected timeline for this migration will be announced separately.

•On-chain escrow: smart contract escrow mechanisms provide transparent, tamper-resistant transaction records on the blockchain

•Third-party security audits: regular independent audits of smart contracts and systems to identify and address potential vulnerabilities

•Employee training: all personnel with access to personal information receive privacy and security training

•Incident response: we maintain a formal incident response plan and will notify affected individuals and relevant regulators of material data breaches in accordance with applicable law

In the event of a data breach that creates a real risk of significant harm, we will notify affected individuals and the Office of the Privacy Commissioner of Canada as soon as feasible, and in any event within the timeframes required by applicable law. For EEA residents, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach, and affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

While we apply commercially reasonable security measures, no system is completely secure, and we cannot guarantee the absolute security of information transmitted over the internet.

10. YOUR PRIVACY RIGHTS

10.1 Rights Under PIPEDA

In accordance with PIPEDA, you have the right to:

•Access: request access to the personal information we hold about you, subject to limited exceptions

•Correction: request that inaccurate or incomplete personal information be corrected

•Withdrawal of consent: where processing is based on consent, withdraw that consent at any time, subject to legal and contractual limitations

•Challenge compliance: challenge our compliance with PIPEDA by contacting us or filing a complaint with the Office of the Privacy Commissioner of Canada

Please note that certain rights are limited by our mandatory regulatory obligations. We cannot delete records we are required to retain under FINTRAC regulations.

10.2 Exercising Your Rights

To exercise any of the above rights, please contact our Privacy Officer using the details in Section 16. We will respond to verified requests within 30 days. We may require proof of identity before processing your request.

11. COOKIES AND TRACKING TECHNOLOGIES

When you use our website or web-based platform, we use cookies and similar technologies to operate and improve our Services.

11.1 Types of Cookies We Use

•Essential cookies: required for the platform to function, including session management, authentication, and security features

•Analytics cookies: help us understand how users interact with our platform, including pages visited and features used, to improve performance

•Functional cookies: remember your preferences and settings to provide a more personalized experience

11.2 Managing Cookies

You can control or disable cookies through your browser settings. Disabling essential cookies may impair your ability to use certain platform features. Our API-only services do not use cookies.

12. CHILDREN’S PRIVACY

Our Services are intended exclusively for individuals who are at least 18 years of age. We do not knowingly collect personal information from individuals under 18. If we become aware of such collection, we will take immediate steps to delete that information. If you believe we have inadvertently collected information about a minor, please contact us at support@unigox.com.

13. FINTRAC AND MANDATORY REPORTING OBLIGATIONS

As a FINTRAC-registered Money Services Business, UNIGOX is subject to mandatory reporting obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). These obligations arise by operation of law and are not subject to your consent or our discretion.

13.1 Mandatory Reports to FINTRAC

We are required to submit the following reports to FINTRAC in specified circumstances:

•Suspicious Transaction Reports (STRs): where there are reasonable grounds to suspect that a transaction or attempted transaction is related to money laundering, terrorist financing, or sanctions violations

•Large Virtual Currency Transaction Reports (LVCTRs): for virtual currency transactions of CAD 10,000 or more received in a single transaction

•Electronic Funds Transfer Reports (EFTRs): for international electronic funds transfers of CAD 10,000 or more

•Terrorist Property Reports: where we know or believe we hold property owned or controlled by a listed terrorist entity

13.2 Tipping-Off Prohibition

Under the PCMLTFA, we are prohibited from informing any person that a Suspicious Transaction Report has been or will be submitted in relation to them. We therefore cannot confirm or deny the existence of any such report.

13.3 Sanctions Screening

We screen all users and transactions against applicable sanctions lists maintained by the Government of Canada under the Special Economic Measures Act and the United Nations Act (including the Consolidated Canadian Autonomous Sanctions List and lists administered by the Office of the Superintendent of Financial Institutions (OSFI)), the UN Security Council, the U.S. Office of Foreign Assets Control (OFAC/SDN), the UK Office of Financial Sanctions Implementation (OFSI/HMT), and the EU Consolidated Sanctions List. We may be required to freeze, block, or report assets or accounts in connection with sanctions compliance obligations.

13.4 Travel Rule

UNIGOX’s crypto swap and bridge operations execute via self-executing smart contracts; UNIGOX does not initiate or send virtual asset transfers on behalf of users in these flows, and the FATF Travel Rule does not apply to UNIGOX in this capacity. For fiat-side electronic funds transfers processed through licensed third-party payment institutions, those institutions carry their own Travel Rule obligations. Where UNIGOX collects and forwards originator or beneficiary data, it does so to support the compliance of those regulated counterparty institutions.

14. GDPR SUPPLEMENT (EU/EEA RESIDENTS)

This section applies to individuals located in the European Economic Area (EEA) whose personal information is processed by UNIGOX. Where there is a conflict between this section and the remainder of this Policy, this section prevails for EEA residents.

14.1 Data Controller for EEA Purposes

UNIGOX NETWORK CORP. (Canada) acts as data controller in respect of fiat-side and account-related data processing for EEA residents.

14.2 Legal Bases Under GDPR Article 6

•Article 6(1)(b) — Contract: processing necessary to perform a contract or to take pre-contractual steps

•Article 6(1)(c) — Legal obligation: processing required to comply with applicable legal obligations under EU and Canadian law

•Article 6(1)(f) — Legitimate interests: processing necessary for our legitimate interests in fraud prevention, platform security, and service improvement

•Article 6(1)(a) — Consent: where processing is based on consent, which may be withdrawn at any time

14.3 Additional Rights for EEA Residents

•Right of erasure (Article 17): request deletion of your personal data, subject to legal retention obligations

•Right to restriction (Article 18): request limitation of processing in certain circumstances

•Right to data portability (Article 20): receive your data in a structured, machine-readable format

•Right to object (Article 21): object to processing based on legitimate interests

•Right to lodge a complaint: file a complaint with your local data protection supervisory authority

14.4 Data Protection Officer

UNIGOX has not formally appointed a Data Protection Officer (DPO) as of the effective date of this Policy. Privacy requests from EEA residents should be directed to the Privacy Officer at the contact details in Section 16.

14.5 Biometric Data Processing

Where identity verification requires facial recognition or selfie matching, this processing involves biometric data, which is a special category of personal data under GDPR Article 9. This processing is carried out by our authorized third-party KYC provider (currently AiPrise) and is necessary for reasons of substantial public interest under Article 9(2)(g), specifically for the prevention of money laundering and terrorist financing as required by applicable law. UNIGOX does not store raw biometric data; biometric verification is performed by the KYC provider in accordance with its own data processing and retention policies.

14.6 Automated Decision-Making

UNIGOX may use automated systems for transaction monitoring, sanctions screening, risk scoring, and fraud detection. These systems may contribute to decisions that affect your access to the Services, including the suspension or restriction of your account. Under GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. Where an automated decision materially affects you, you may request human review by contacting support@unigox.com.

14.7 Cookie Consent for EEA Users

For users located in the EEA, analytics and functional cookies (as described in Section 11) will only be placed with your prior consent, in accordance with the ePrivacy Directive. Essential cookies required for the platform to function do not require consent. You may withdraw your cookie consent at any time through the cookie settings on our website.

14.8 International Transfers

Transfers of EEA personal data to Canada benefit from the European Commission’s adequacy decision recognizing Canada’s PIPEDA framework. Where data is transferred to other third countries, we rely on appropriate safeguards, including Standard Contractual Clauses as approved by the European Commission.

15. CHANGES TO THIS PRIVACY POLICY

We may update this Policy from time to time to reflect changes in our practices, technology, or applicable legal requirements. When we make material changes, we will post the updated Policy at www.unigox.com/privacy-policy and, where feasible, notify registered users by email at least 30 days prior to the changes taking effect.

Your continued use of our Services after any changes to this Policy constitutes acceptance of those changes. We encourage you to review this Policy periodically. The “Last Updated” date at the top of this document reflects the most recent revision.

16. CONTACT

If you have any questions about this Policy or how we handle your personal information, please reach out to us at support@unigox.com or via the live chat on our platform.

You may also contact our Privacy Officer in writing at UNIGOX NETWORK CORP., C/O Snap Incorporations, 302-540 Lawrence Avenue, Kelowna, British Columbia V1Y 6L7, Canada. If you are not satisfied with how we have handled your personal information, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (www.priv.gc.ca).