Privacy Policy

How we collect, use, and protect your personal data

Version 2.0  |  Last updated: April 2026  |  GaulBridge Ltd.  |  Data Controller

Summary: GaulBridge Ltd. is the data controller for personal data we process. We handle your data responsibly, keep it secure, and only use it for the purposes set out in this policy. You have clear rights over your data and can exercise them at any time.

1. Introduction

GaulBridge Ltd. ("GaulBridge", "we", "us", "our") is incorporated in Canada (Company No. BC1533341) with its operational address at Office 301, 410 W Georgia Street, 5th Floor, Vancouver, British Columbia, V6B 1Z3, Canada.

This Privacy Policy explains how we collect, use, store, share, and protect personal data when you access our website or use our services. It applies to clients, prospective clients, website visitors, and any individual whose personal data we process in connection with our business.

For the purposes of applicable data protection laws — including PIPEDA (Canada), the GDPR (EU), and the UK GDPR — GaulBridge acts as the data controller in respect of personal data processed under this policy.

This policy should be read alongside our Terms and Conditions, Cookie Policy, and other relevant documents.

2. What data we collect

2.1 Data you give us

When you open an account or use our services, we collect:

  • Identity data: full name, date of birth, nationality, government-issued ID (passport, driving licence)
  • Contact data: email address, phone number, postal address
  • Business data: company name, registration number, beneficial ownership information, director details
  • Financial data: bank account details, transaction history, source of funds information
  • Verification data: KYC documents, proof of address, selfies or biometric data where required for identity verification

2.2 Data we collect automatically

When you visit our website or use our platform, we may collect:

  • Usage data: pages visited, features used, time spent, clicks and navigation
  • Device data: IP address, browser type, operating system, device identifiers
  • Location data: approximate location derived from IP address
  • Cookie data: see our Cookie Policy for details

2.3 Data from third parties

We may receive personal data about you from:

  • Identity verification providers (e.g. document verification services)
  • Sanctions and PEP screening providers
  • Credit reference or fraud prevention agencies
  • Your employer or business (for business account applications)
  • Publicly available sources such as company registries

3. How we use your data

We use your personal data to:

  • Open and manage your GaulBridge account
  • Process payment instructions and execute transactions
  • Verify your identity and carry out KYC and AML/CTF due diligence
  • Screen transactions and counterparties against sanctions lists
  • Comply with our legal and regulatory obligations, including reporting to FINTRAC
  • Detect, prevent, and investigate fraud, financial crime, and security incidents
  • Communicate with you about your account, transactions, and our services
  • Send marketing communications where you have consented or where permitted by law
  • Improve our products, services, and platform through analysis and research
  • Manage and resolve complaints and disputes
  • Meet our contractual obligations to you

We only process your personal data where we have a valid legal basis. The bases we rely on are:

Legal basis  |  Examples of processing
Performance of a contract  |  Opening your account, processing payments, providing services under the Terms and Conditions
Legal obligation  |  AML/KYC checks, sanctions screening, FINTRAC reporting, record-keeping requirements
Legitimate interests  |  Fraud prevention, security, improving our services, business operations — where your rights do not override our interests
Consent  |  Marketing communications, optional cookies — you can withdraw consent at any time

5. Who we share your data with

We do not sell your personal data. We share it only where necessary:

  • Regulated financial partners: banks and custodians who hold client funds on our behalf
  • Payment network partners: correspondent banks, SWIFT, card schemes, and other payment processors required to execute your transactions
  • Identity verification providers: third-party KYC and document verification services
  • Sanctions and fraud screening providers: to meet our AML/CTF obligations
  • Digital asset partners: regulated third-party partners who deliver digital asset services where applicable
  • Regulatory authorities: FINTRAC, law enforcement, tax authorities, and other regulators where required by law
  • Professional advisers: lawyers, auditors, and accountants bound by confidentiality obligations
  • Technology service providers: cloud hosting, analytics, customer support tools — under data processing agreements

All third parties who process personal data on our behalf are required to do so only on our instructions and in compliance with applicable data protection law.

6. How long we keep your data

We retain personal data only for as long as necessary for the purposes for which it was collected, and in accordance with our legal obligations. Our standard retention periods are:

Data type  |  Retention period  |  Basis
KYC and identity verification records  |  5 years from end of business relationship  |  PCMLTFA requirement
Transaction records  |  5 years from date of transaction  |  PCMLTFA requirement
Account data  |  5 years from account closure  |  Legal obligation and legitimate interests
Compliance and AML records  |  7 years (or longer if required by law)  |  Regulatory requirement
Marketing consent records  |  Until consent is withdrawn  |  Consent
Website usage data  |  Up to 2 years  |  Legitimate interests

After the applicable retention period, data is securely deleted or anonymised.

7. Your rights

Depending on where you are located, you may have the following rights under applicable data protection law:

Right  |  What it means
Access  |  Request a copy of the personal data we hold about you
Rectification  |  Ask us to correct inaccurate or incomplete data
Erasure  |  Ask us to delete your data where there is no lawful reason to keep it
Restriction  |  Ask us to pause processing your data in certain circumstances
Portability  |  Receive your data in a machine-readable format and transfer it to another provider
Objection  |  Object to processing based on legitimate interests or for direct marketing
Withdraw consent  |  Withdraw consent at any time where processing is based on consent
Complaint  |  Lodge a complaint with a supervisory authority (see Section 13)

To exercise any of these rights, contact us at privacy@gaulbridge.com. We will respond within 30 days. We may ask you to verify your identity before processing your request. Some rights are subject to legal limitations — for example, we cannot delete data we are required to retain by law.

8. Direct marketing

Where permitted by law, we may send you service-related updates and, where you have consented, marketing communications about our products and services.

You can opt out of marketing at any time by:

  • Clicking the unsubscribe link in any marketing email
  • Updating your communication preferences in your account portal
  • Contacting us at support@gaulbridge.com

Opting out of marketing does not affect service-related or legally required communications.

9. International data transfers

GaulBridge operates internationally. Your personal data may be transferred to and processed in countries outside Canada, the EU, or the UK — including countries that may not provide the same level of data protection as your home jurisdiction.

Where we transfer data internationally, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission or UK ICO
  • Adequacy decisions where applicable
  • Contractual commitments from receiving parties to protect your data to the required standard

10. Security

We take the security of your personal data seriously. We implement appropriate technical and organisational measures to protect against unauthorised access, loss, destruction, or disclosure, including encryption, access controls, and regular security assessments.

No system is completely secure. If you believe your account or personal data has been compromised, contact us immediately at support@gaulbridge.com.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify you directly.

11. Minors

Our website and services are not intended for individuals under the age of 18. We do not knowingly collect or process personal data relating to minors. If we become aware that we have collected personal data from a minor, we will delete it promptly. If you believe we have inadvertently collected such data, please contact us at support@gaulbridge.com.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in law, regulatory guidance, or our services. When we make material changes, we will notify you by email or through a prominent notice on our website. The updated policy will take effect from the date indicated at the top of the page.

Your continued use of our website or services after any update constitutes acceptance of the revised policy.

13. Contact and complaints

For questions about this policy, to exercise your rights, or to raise a data protection concern:

Data protection contact: Email: privacy@gaulbridge.com
Post: GaulBridge Ltd., Office 301, 410 W Georgia St, 5th Floor, Vancouver, BC, V6B 1Z3, Canada

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:

  • Canada: Office of the Privacy Commissioner of Canada (OPC) — www.priv.gc.ca
  • UK: Information Commissioner's Office (ICO) — www.ico.org.uk
  • EU: Your local Data Protection Authority in your EU member state