PRIVACY POLICY

Last updated: March 2026

Legal Entity: SAMNA FINANCE LTD

Registered Office: 7-2070 Harvey Ave. Unit #173, Kelowna, BC V1Y 8P8, Canada

Registration Number: BC1348845

Website: https://samna-finance.com/

Privacy Contact: compliance@samna-finance.com

1. Definitions

In this Policy, the following terms have the meanings set out below. Capitalized terms not defined in this Policy have the meanings given to them in the Terms of Service.

“Merchant Account" means an account maintained by Samna Finance for a Merchant, created upon successful registration and verification, through which payment processing and settlement services are provided.

"Applicable Law" means all applicable federal, provincial, and territorial laws, regulations, rules, and orders of Canada, including but not limited to the PCMLTFA, the RPAA, RPAR, PIPEDA, the Criminal Code (Canada), the Special Economic Measures Act, and Canada’s Anti-Spam Legislation (CASL).

"Data Protection Laws" means PIPEDA, the EU General Data Protection Regulation (Regulation (EU) 2016/679), and any other applicable federal, provincial, state, or international legislation governing the protection of personal data, in each case as amended from time to time.

"Merchant" means any legal entity that has entered into an agreement with Samna Finance for the purpose of accepting payments, processing transactions, or receiving settlement services.

"You" means any natural person whose personal information is collected, used, or disclosed by Samna Finance in connection with the Services, including but not limited to: (a) End-users and Cardholders who make payments through a Merchant’s E-shop; (b) directors, officers, authorized signatories, and beneficial owners of a Merchant; and (c) visitors to the Website.

"End-user" means a natural person who makes a payment to a Merchant through the Services; Samna Finance has no direct contractual relationship with End-users.

"Merchant Website" means the online electronic environment (website) of a Merchant through which goods or services are offered to End-users and Card payments are accepted.

"Card" means a valid credit, debit, pre-paid, charge, or payment card branded as Visa, Mastercard, American Express, or any other card scheme accepted by Samna Finance.

"Cardholder" means a natural person to whom a Card is issued or who is otherwise authorized to use a Card.

"FINTRAC" means the Financial Transactions and Reports Analysis Centre of Canada, established under the PCMLTFA.

"MSB" means Money Services Business, as defined in the PCMLTFA.

"PCMLTFA" means the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, S.C. 2000, c. 17, as amended from time to time, and all regulations made thereunder.

"PIPEDA" means the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, as amended from time to time.

"Policy" means this Privacy Policy, as amended from time to time.

"PSP" means Payment Service Provider, as defined in the RPAA.

"RPAA" means the Retail Payment Activities Act, S.C. 2021, c. 23, s. 177, as amended from time to time.

"RPAR" means the Retail Payment Activities Regulations, SOR/2023-229, as amended from time to time.

"Samna Finance" means SAMNA FINANCE LTD, a limited liability company incorporated under the laws of Canada (Registration Number: BC1348845).

"Services" means the payment processing, acquiring, settlement, and related financial services provided by Samna Finance, as described in the Terms of Service.

"Terms of Service" or "Terms" means the Terms of Service governing the use of the Services, available on the Website.

"Travel Rule" means the requirements under the PCMLTFA and its associated Regulations requiring the transmission of originator and beneficiary information in connection with transfers of electronic funds and virtual currency of CAD 1,000 or more. Transfers of electronic funds and virtual currency of CAD 10,000 or more are subject to mandatory reporting to FINTRAC. Personal information of the originator and beneficiary (including but not limited to name, account, bank account or wallet address, and address,) is collected, transmitted, and disclosed to counterparties and to FINTRAC as required by the PCMLTFA; this disclosure is mandatory and is exempt from consent requirements under PIPEDA (s. 7(3)(d)).

"Website" means the website located at https://samna-finance.com/, including all pages, features, and content made available through it.

2. Introduction

This Privacy Policy (“Policy”) describes how SAMNA FINANCE LTD (“Samna Finance”, “we”, “us”, “our”) collects, uses, discloses, retains, and protects personal information in connection with the services we provide through our website at https://samna-finance.com/ (the “Website”) and our payment processing, acquiring, and settlement services (the “Services”).

SAMNA FINANCE LTD is registered with the Financial Transactions and Reports Analysis Centre of Canada (“FINTRAC”) as a Money Services Business (“MSB”) (registration number: M23973728) and has applied for license with the Bank of Canada as a PSP (“PSP”) with the Bank of Canada under the Retail Payment Activities Act, in accordance with applicable Canadian financial regulations.

3. Accountability

Samna Finance has designated a person accountable for privacy compliance in accordance with Principle 1 of the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Privacy inquiries may be directed to compliance@samna-finance.com.

We are responsible for personal information in our possession or custody, including information that has been transferred to third-party service providers for processing on our behalf. We require all such service providers to protect personal information in a manner consistent with this Policy through contractual means.

4. What Personal Information We Collect

The categories of personal information we collect depend on your relationship with us and the Services you use.

4.1 Information provided by Merchants during onboarding

• full legal name, date of birth, nationality, and residential address;

• government-issued identification documents (passport, national ID, driver’s licence) of individuals holding position of board members, shareholders, beneficiary;

• proof of address (utility bill, bank statement);

• for legal entities: articles of incorporation, certificate of registration, corporate structure, shareholder register, beneficial ownership declarations, director and officer information;

• business activity description, anticipated transaction volumes, and source of funds;

• bank account details, cryptocurrency wallet addresses designated for settlement;

• contact information (email address, telephone number);

• tax identification number (where required by Applicable Law).

4.2. Information that may be collected and shared on the Users in accordance with AML rules and laws including but not limited;

- personal data such as government-issued identification documents (passport, national ID, driver’s licence); proof of address (utility bill, bank statement);

- source of funds, source of wealth;

- information on payment instruments, payment transactions, and purpose of payment etc.

4.3. Information collected during the use of Services including but not limited to:

• transaction data: amounts, dates, times, originator and beneficiary information, wallet addresses, blockchain transaction hashes, transaction status, and associated metadata;

• Travel Rule information: originator name, account number or wallet address, address or date of birth, and beneficiary name and account number or wallet address, for transfers of electronic funds and virtual currency of CAD 1,000 or more;

• communication records: emails, support requests, and any correspondence with Samna Finance;

• Account activity: login history, password changes, Account settings modifications.

4.4 Information collected automatically through the Website

• IP address, browser type and version, operating system, device identifiers;

• pages visited, time spent on pages, referring URLs, click patterns;

• cookies and similar tracking technologies (see Section 12 below).

4.5 Information from third-party sources, including but not limited to:

• identity verification results from KYC/KYB service providers;

• sanctions screening results (OFAC, EU, UN, Canadian sanctions lists);

• blockchain analytics data from transaction monitoring service providers;

• publicly available information (corporate registries, adverse media, PEP databases).

5. Purposes of Collection, Use, and Disclosure

We collect and use personal information for the following purposes:

5.1 Providing and operating the Services

Processing transactions, executing settlements, managing your Account, providing customer support, and communicating with you about the Services.

5.2 Legal and regulatory compliance (PCMLTFA / FINTRAC)

As a registered MSB, we are required by the PCMLTFA and its associated Regulations to: (a) verify the identity of our clients before providing services; (b) conduct ongoing monitoring of business relationships; (c) keep prescribed records of client identification, transactions, and suspicious transaction reports; (d) report suspicious transactions, terrorist property, large cash transactions, and large virtual currency transactions to FINTRAC; and (e) comply with the Travel Rule by collecting and transmitting originator and beneficiary information for electronic funds and virtual currency transfers of CAD 1,000 or more. These obligations are mandatory and override any withdrawal of consent (see Section 5 below).

5.3 Legal and regulatory compliance (RPAA / Bank of Canada)

As a registered PSP, we are required to maintain a risk management and incident response framework, which involve the processing of personal information related to transactions, incidents, and fund movements. We may also be required to provide information to the Bank of Canada in connection with examinations, reporting, and supervisory activities.

5.4 Sanctions screening

We screen Users and transactions against applicable sanctions lists maintained under the Special Economic Measures Act, the Criminal Code (Canada), and the United Nations Act, as well as international sanctions lists. This may involve sharing personal information with sanctions screening service providers.

5.5 Fraud prevention and risk management

Detecting, preventing, and investigating fraud, unauthorized transactions, security incidents, and other potentially prohibited or illegal activities.

5.6 Improving the Services

Analyzing usage patterns, diagnosing technical issues, and improving the functionality, security, and performance of the Website and the Services.

5.7 Communications

Sending transactional messages (transaction confirmations, settlement notifications, security alerts), regulatory and compliance notices (changes to Terms or policies, verification requests), and service announcements. See our Terms of Service, Section 11, regarding your consent to electronic communications.

6. Consent

We obtain your consent for the collection, use, and disclosure of personal information in the following ways:

• Express consent is obtained at Account registration and onboarding for the collection of identification documents, KYC/KYB information, and financial information.

• Implied consent applies to the processing of personal information that is necessary to provide the Services you have requested (e.g., processing transactions, executing settlements).

When consent is not required. Under PIPEDA, consent is not required and cannot be withdrawn for the collection, use, or disclosure of personal information where: (a) it is required by law, including for PCMLTFA reporting to FINTRAC (suspicious transaction reports, terrorist property reports, large virtual currency transaction reports), sanctions screening, and responding to court orders or regulatory investigations; (b) it would compromise the availability or accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of a law; or (c) it is required for the detection and prevention of fraud.

Important: Samna Finance is prohibited by the PCMLTFA (section 8) from disclosing to any person, including the User, the existence or contents of a suspicious transaction report or a related report made to FINTRAC. This means that we cannot inform you if a report has been filed about your account or transactions.

You may withdraw consent to the collection, use, or disclosure of your personal information at any time, subject to legal and contractual restrictions, by contacting compliance@samna-finance.com. However, withdrawal of consent may result in the suspension or termination of your Account and access to the Services, as certain information is required to provide the Services and comply with Applicable Law.

7. Disclosure of Personal Information

We may disclose your personal information to the following categories of recipients:

Recipient Purpose

FINTRAC Suspicious transaction reports, terrorist property reports, large virtual currency transaction reports, and other reports required by the PCMLTFA. These disclosures are made without notice to the User.

Bank of Canada Information required for RPAA supervisory activities, examinations, and annual reporting.

Law enforcement and regulatory authorities. When required by law, court order, or regulatory investigation.

Sanctions authorities. When a User or transaction is identified as involving a sanctioned person, entity, or jurisdiction.

Payment processors, acquirers, and liquidity providers. Transaction data necessary to process payments, execute settlements, and facilitate currency exchange where applicable.

Identity verification (KYC/KYB) service providers. Identification documents and personal data necessary to verify identity.

Blockchain analytics providers. Wallet addresses and transaction data for transaction monitoring and risk assessment.

Cloud and infrastructure providers. Personal information stored on secure cloud infrastructure for the provision of the Services.

Professional advisors. Legal counsel, auditors, and accountants, where necessary for legal, audit, or accounting purposes.

Corporate transactions. In connection with a merger, acquisition, reorganization, or sale of all or substantially all of our assets, personal information may be transferred to the acquiring entity, subject to the same privacy protections.

We do not sell personal information to third parties. We do not disclose personal information for marketing purposes of third parties.

8. Cross-Border Transfers

Samna Finance operates across LATAM, the EU, and Asia, and uses service providers located in various jurisdictions. Your personal information may be transferred to, stored in, and processed in jurisdictions outside of Canada, including jurisdictions that may not provide the same level of protection for personal information as Canada.

Where personal information is transferred outside of Canada, we ensure that appropriate contractual safeguards are in place with each service provider to protect the information in a manner consistent with this Policy and PIPEDA. Samna Finance remains accountable for the protection of personal information regardless of where it is processed.

You acknowledge that personal information transferred to foreign jurisdictions may be accessible to law enforcement and government authorities in those jurisdictions under their local laws.

9. Retention of Personal Information

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by Applicable Law.

• PCMLTFA records: client identification records, transaction records, large virtual currency transaction reports, and suspicious transaction reports must be retained for a minimum of five (5) years after the day on which the last business transaction was conducted, or after the day on which the Account was closed.

• RPAA/RPAR records: records related to payment activities and fund safeguarding must be retained for a minimum of five (5) years.

• Breach records: records of all breaches of security safeguards must be retained for a minimum of twenty-four (24) months from the date of the breach, as required by PIPEDA.

• All other personal information: retained for the duration of the business relationship and for a reasonable period thereafter, not exceeding the longest applicable statutory retention period.

After the applicable retention period, personal information is securely destroyed or irreversibly de-identified.

10. Security Safeguards

Samna Finance implements technical, administrative, and physical security measures to protect personal information against unauthorized access, loss, theft, modification, disclosure, or destruction. These measures include:

• encryption of personal information in transit (TLS/SSL) and at rest;

• access controls and role-based permissions limiting access to personal information to authorized personnel on a need-to-know basis;

• multi-factor authentication for access to systems containing personal information;

• regular security assessments, vulnerability scanning, and penetration testing;

• employee and contractor training on data protection and information security;

• incident response procedures for detecting, containing, and remediating security incidents;

• logging and monitoring of access to systems containing personal information.

While we take reasonable steps to protect your personal information, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your data.

11. Breach of Security Safeguards

In the event of a breach of security safeguards involving personal information under our control that creates a real risk of significant harm to an individual, Samna Finance shall:

• report the breach to the Office of the Privacy Commissioner of Canada as soon as feasible;

• notify affected individuals as soon as feasible, by email to the address on file or, if that is not possible, by other reasonable means;

• notify any other organization or government institution that may be able to reduce the risk of harm to affected individuals.

The notification to affected individuals will include: (a) a description of the breach; (b) the types of personal information involved; (c) a description of the steps we have taken or intend to take to reduce the risk of harm; (d) steps the individual can take to reduce the risk of harm; and (e) contact information for the person accountable for privacy compliance.

We maintain a record of every breach of security safeguards involving personal information under our control for a minimum of twenty-four (24) months, regardless of whether the breach triggers a notification obligation.

12. Cookies and Tracking Technologies

The Website uses cookies and similar technologies to enhance your experience, analyze usage, and support the security of the Website.

• Essential cookies: necessary for the operation of the Website (session management, authentication, security). These cannot be disabled.

• Analytics cookies: used to understand how visitors interact with the Website (pages visited, time on site, traffic sources). We may use third-party analytics services for this purpose.

• Functional cookies: used to remember your preferences and settings.

You can manage your cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Website. We do not use cookies for advertising or marketing profiling purposes.

13. Your Rights Under PIPEDA

Under PIPEDA, you have the following rights with respect to your personal information:

• Right of access: you may request access to the personal information we hold about you. We will respond to your request within thirty (30) days.

• Right to correction: you may request the correction of any personal information that is inaccurate or incomplete.

• Right to withdraw consent: you may withdraw consent to the collection, use, or disclosure of your personal information, subject to legal and contractual restrictions. In particular, you cannot withdraw consent for processing required by the PCMLTFA, RPAA, sanctions legislation, or other Applicable Law.

• Right to complain: if you are not satisfied with our handling of your personal information, you may file a complaint with the person designated as accountable for privacy compliance. If the complaint is not resolved to your satisfaction, you may file a complaint with the Office of the Privacy Commissioner of Canada.

To exercise any of these rights, please contact compliance@samna-finance.com. We may require you to verify your identity before processing your request.

Limitations: we may refuse access to personal information where permitted or required by law, including where disclosure would reveal personal information about a third party, where the information is subject to solicitor-client privilege, or where the information was collected in connection with an investigation into a breach of an agreement or a contravention of a law.

14. Children’s Privacy

The Services are not directed at individuals under the age of eighteen (18) or the age of majority in their jurisdiction of residence, whichever is greater. We do not knowingly collect personal information from minors. If we become aware that we have collected personal information from a minor, we will take steps to delete that information promptly.

15. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will post the updated Policy on the Website, update the “Last updated” date, and, where required by Applicable Law, notify you by email or through your Account. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated Policy.

16. Contact Us

If you have questions, concerns, or complaints about this Policy or our handling of your personal information, please contact:

Person Designated as Accountable for Privacy Compliance SAMNA FINANCE LTD 7-2070 Harvey Ave. Unit #173 Kelowna, BC V1Y 8P8, Canada Email: compliance@samna-finance.com

If you are not satisfied with our response, you may file a complaint with:

Office of the Privacy Commissioner of Canada 30 Victoria Street Gatineau, Quebec K1A 1H3 Toll-free: 1-800-282-1376 Website: www.priv.gc.ca