Privacy Policy

Davila Financial Ltd.

Last updated on: 29th March 2026

Introduction

This Privacy Policy (the "Policy") is used between Davila Financial Ltd. and any of our subsidiaries and affiliated companies ("we," "our," "us," or "Davila") and the user ("users", "you", "your") to describe our use of your personal information when you use our services and/or visit our website (the "Services") to the extent available in your jurisdiction.

We are firmly committed to safeguarding your personal information and ensuring the confidentiality, integrity, and security of all data collected from our website www.ortix.com. We process such data in accordance with applicable data protection laws and in line with the highest standards of privacy and security. This Policy is designed to provide you with a clear, comprehensive, and transparent understanding of our data practices. It outlines the types of personal data we collect, the lawful bases and purposes for which such data is processed, the methods by which it is collected and used, and the measures we implement to protect it. It further explains your rights in relation to your personal data and the manner in which you may exercise those rights. Therefore, we encourage you to read it carefully.

This Policy does not apply to the processing of personal information carried out by certain third parties, including, but not limited to, governmental authorities and other financial institutions. Such third parties act as independent data controllers and process your information in accordance with their own applicable privacy policies and legal obligations. Accordingly, we do not accept any responsibility or liability for the privacy practices of such third parties, and we strongly encourage you to review their respective privacy policies and to familiarize yourself with your rights and protections under those policies prior to engaging or interacting with them.

We may revise this Policy from time to time to reflect changes to our business, Services, or applicable laws. If the revised version requires notice in accordance with applicable law, we will provide you with 30 days' prior notice by posting notice of the change on our website, otherwise the revised Policy will be effective as of the published effective date.

We are committed to processing personal information in full compliance with all applicable data protection, anti-money laundering, and regulatory requirements. In particular, our data handling practices are designed to align with the requirements of the Personal Information Protection and Electronic Documents Act ("PIPEDA"), the General Data Protection Regulation ("GDPR"), and the rules, guidance, and reporting obligations issued by the Financial Transactions and Reports Analysis Centre of Canada ("FINTRAC") in relation to anti-money laundering and counter-terrorist financing ("AML/CTF"). Where applicable, we also comply with relevant provincial privacy legislation in Canada, including statutes deemed substantially similar to PIPEDA, as well as any other laws and regulations that may impose additional or more stringent requirements with respect to the collection, use, disclosure, retention, and safeguarding of Personal Information.

For the purposes of the GDPR, where it applies, we ensure that personal information is processed lawfully, fairly, and in a transparent manner, collected for specified and legitimate purposes, limited to what is necessary, kept accurate and up to date, retained only for as long as necessary, and protected through appropriate technical and organizational measures, in accordance with the core data protection principles set out therein.

Where required by law, we may collect, use, or disclose personal information without consent, including in circumstances involving fraud prevention, law enforcement requests, or compliance with court orders and regulatory directives.

Categories of Personal Information Collected

When you use our Services, we limit the collection of personal information to that which is necessary, which includes the following type of information:

Identification Data:This includes information necessary to verify your identity, such as your full name, date of birth, nationality, and government-issued identification details (e.g., passport, national ID, or other official documentation that we may require from you).

Contact Information:This includes your contact details, such as your residential or mailing address, telephone number, and email address.

Financial Information:This includes information relating to your financial accounts and transactions, including, but not limited to, your bank account details, payment instruments, credit or debit card details, and transaction history, as necessary to facilitate and administer the Services.

KYC / AML Information:In order to comply with applicable know-your-customer ("KYC") and anti-money laundering ("AML") requirements, we may collect additional information, including:

Technical & Usage Data:This includes information collected automatically through your interaction with the Services, such as your IP address, device type, operating system, browser type, and usage data, as well as cookies and similar tracking technologies used to enhance functionality, security, and user experience.

Communications:This includes records of communications between you and us, including emails, chat messages, customer support interactions, support tickets, and, where applicable, call recordings, which may be retained for quality assurance, training, dispute resolution, and compliance purposes.

Purposes of Processing

We collect and process personal information solely for specified, legitimate, and lawful purposes, including the following:

Provision of Services:To deliver, operate, and maintain our Services, including the facilitation of payments, transfers, foreign exchange (FX), and related financial activities.

Identity Verification (KYC):To verify your identity and conduct customer due diligence in accordance with applicable know-your-customer requirements.

AML/CTF Compliance:To comply with applicable anti-money laundering and counter-terrorist financing obligations, including monitoring, record-keeping, and reporting requirements imposed by FINTRAC.

Fraud Detection and Prevention:To detect, investigate, and prevent fraud, unauthorized transactions, and other illegal or prohibited activities.

Transaction Processing:To process, validate, and execute transactions, and to maintain accurate records of such transactions.

Customer Support:To provide customer service, respond to inquiries, resolve complaints, and otherwise communicate with you in relation to your use of the Services.

Legal and Regulatory Compliance:To comply with applicable laws, regulations, court orders, and regulatory requirements, and to respond to lawful requests from competent authorities.

Internal Analytics and Service Improvement:To analyze usage patterns, improve the functionality, security, and performance of our Services, and develop new products or features.

Marketing Communications (where applicable):To send you marketing, promotional, and informational communications, where you have provided your consent or where otherwise permitted by applicable law.

The collected personal information will not be used for purposes other than those identified hereabove in this policy, except as permitted or required by law.

Legal Basis for Processing

We process your personal information in accordance with applicable legal requirements, including PIPEDA and, where applicable, GDPR, and only where a valid legal basis exists. Such legal bases include the following:

Consent:We collect, use, and disclose personal information with your knowledge and consent, which may be express or implied depending on the sensitivity of the information and your reasonable expectations. Under GDPR, consent must be freely given, specific, informed, and unambiguous.

Legal and Regulatory Obligations:We may process personal information where necessary to comply with applicable laws and regulatory requirements, including anti-money laundering and counter-terrorist financing obligations, as well as reporting requirements to FINTRAC and other competent authorities.

Performance of a Contract:We may process personal information where such processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into such a contract.

Legitimate Interests:Where permitted by applicable law, we may process personal information for our legitimate business interests, provided that such interests are not overridden by your fundamental rights and freedoms. This includes processing that is proportionate, limited to what is necessary, and subject to appropriate safeguards.

Vital Interests and Public Interest:In limited circumstances, we may process personal information where necessary to protect your vital interests or those of another individual, or where processing is carried out in the public interest or in the exercise of official authority, in accordance with applicable law.

Consent

Obtaining Consent:Your consent to the collection, use, and disclosure of your personal information may be obtained through various means, including during onboarding processes, through application forms, contractual documentation, and via our website or digital platforms. Consent may be express or implied, depending on the nature and sensitivity of the personal information and the context in which it is collected.

Withdrawal of Consent:You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice. However, please note that in certain circumstances, we may be required to continue processing your personal information without your consent where such processing is necessary to comply with applicable legal and regulatory obligations, including anti-money laundering and counter-terrorist financing requirements.

Consequences of Refusing or Withdrawing Consent:Where you choose not to provide, or subsequently withdraw, your consent, we may be unable to provide you with certain or all of our Services. This may include the inability to establish or maintain a business relationship, process transactions, or comply with applicable legal and regulatory requirements.

Disclosure of Personal Information

We may disclose your personal information to third parties only where such disclosure is necessary for legitimate business purposes, the provision of our Services, or to comply with applicable legal and regulatory obligations. All disclosures are carried out in accordance with applicable laws, including PIPEDA and, where applicable GDPR, and are subject to appropriate safeguards. Such disclosures may include the following:

Regulatory Authorities and Government Bodies:We may disclose personal information to competent authorities, including FINTRAC, law enforcement agencies, courts, supervisory authorities, and other regulatory bodies, where such disclosure is required to comply with applicable laws, regulations, or lawful requests, including AML/CTF obligations.

Service Providers (Data Processors):We may engage trusted third-party service providers to support the operation of our Services, including payment processors, cloud service providers, and KYC/identity verification vendors. Such providers process personal information on our behalf and are bound by contractual obligations to ensure confidentiality, security, and compliance with applicable data protection laws. Where required under GDPR, data processing agreements are implemented to ensure appropriate safeguards.

Financial Institutions and Partners:We may share personal information with banks, correspondent financial institutions, and other financial partners as necessary to facilitate transactions, provide our Services, and comply with applicable financial and regulatory requirements.

Corporate Transactions:In the event of a merger, acquisition, restructuring, financing, or sale of all or part of our business or assets, personal information may be disclosed to relevant parties, subject to appropriate confidentiality obligations and safeguards, and only to the extent necessary for the purposes of such transaction.

Legal and Compliance Requirements:We may disclose personal information where required or permitted by law, including in response to subpoenas, court orders, regulatory inquiries, or other legal processes, or where such disclosure is necessary to establish, exercise, or defend legal rights, or to prevent fraud or other unlawful activities.

Cross-Border Data Transfers

International Transfers:Your personal information may be transferred to, stored in, or otherwise processed in jurisdictions outside of Canada, including by our affiliates and authorized third-party service providers. Such transfers may be necessary for the provision of our Services, operational efficiency, or compliance with applicable legal and regulatory obligations.

Safeguards and Accountability:

Where such transfers occur, we implement appropriate safeguards to ensure that your personal information remains adequately protected in accordance with applicable laws, including PIPEDA and, where applicable, GDPR. Such safeguards may include, without limitation:

We take reasonable steps to ensure that such information is protected in a manner consistent with this Policy.

GDPR-Specific Requirements (where applicable):

Where the GDPR applies, transfers of personal information outside the European Economic Area ("EEA") will only take place where:

Acknowledgment and Consent:By using our Services or otherwise providing us with your personal information, you acknowledge that your personal information may be transferred internationally as described above and, where required by applicable law, you consent to such transfers, including to jurisdictions with differing data protection standards.

Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, including to meet legal, regulatory, accounting, and operational requirements. Retention practices are implemented in accordance with applicable laws, including PIPEDA and, where applicable, GDPR.

Regulatory Retention Requirements:We retain certain records in accordance with applicable anti-money laundering and counter-terrorist financing obligations, including those prescribed by FINTRAC, which generally require retention for a minimum period of five (5) years. Where such legal obligations apply, personal information will be retained for the duration mandated by law, notwithstanding any request for deletion.

Retention Criteria

The duration for which personal information is retained is determined based on a range of factors, including:

Lawful Basis and Retention:

Where GDPR applies, personal information will be retained only for as long as the relevant lawful basis for processing exists, including:

Upon expiry of the relevant lawful basis, and subject to any overriding legal retention requirements, the Personal Information will be securely deleted or anonymized.

Secure Deletion and Anonymization:Upon expiry of the applicable retention period, or where personal information is no longer required for the purposes for which it was collected, we take reasonable and appropriate steps to securely delete, destroy, or irreversibly anonymize such information in accordance with applicable laws, regulatory requirements, and industry standards.

Data Security

We implement appropriate administrative, technical, and physical safeguards designed to protect personal information against loss, theft, unauthorized access, disclosure, alteration, or destruction. Such safeguards are proportionate to the sensitivity of the information and are aligned with applicable legal and regulatory requirements.

Administrative Safeguards:We maintain internal policies, procedures, and governance frameworks to ensure the proper handling of personal information. This includes employee training on data protection and confidentiality obligations, role-based access controls, and ongoing monitoring to ensure compliance with internal and external requirements.

Technical Safeguards:We employ industry-standard technical measures to secure personal information, including encryption of data in transit and at rest, firewalls, intrusion detection and prevention systems, and secure authentication mechanisms. These measures are regularly reviewed and updated to address evolving security risks.

Physical Safeguards:We implement physical security measures to protect systems and facilities where personal information is stored or processed. Such measures include secure premises, restricted access controls, and monitoring of physical access to sensitive areas.

Incident Response:We maintain procedures for the identification, assessment, and response to data security incidents. This includes breach detection mechanisms, internal escalation protocols, and, where required, notification to affected individuals and relevant authorities in accordance with applicable laws and regulations.

Data Breach Notification

We maintain comprehensive procedures to detect, investigate, assess, and respond to any actual or suspected breaches of security safeguards involving personal information. Such procedures are implemented in accordance with applicable legal and regulatory requirements, including PIPEDA and GDPR, as applicable. In the event of a data breach, the following measures will be undertaken:

Assessment of Risk:We will promptly assess the nature and scope of the breach, including the sensitivity of the Personal Information involved, the cause and extent of the incident, and the likelihood that the information has been or will be misused.

Notification to Individuals:We will notify affected individuals without undue delay where:

Regulatory Notification:Where required by law:

Record-Keeping:We maintain a record of all data breaches, including those that do not meet the notification threshold, in compliance with applicable legal obligations.

Mitigation and Remediation:We will take all reasonable steps to contain, mitigate, and remediate the effects of the breach, including preventing further unauthorized access and implementing corrective measures to reduce the likelihood of recurrence.

Individual Rights

Rights in Relation to Personal Information:Subject to applicable law, including PIPEDA and, where applicable, GDPR, you have the following rights in relation to your Personal Information:

Right of Access:To request access to the personal information we hold about you and to obtain information regarding the manner in which it is collected, used, disclosed, and otherwise processed.

Right to Correction (Rectification):To request the correction of inaccurate, incomplete, or outdated personal information, and to have such information updated where appropriate.

Right to Withdraw Consent:To withdraw your consent to the processing of your personal information at any time, subject to legal and contractual limitations, including obligations arising under applicable anti-money laundering and regulatory requirements.

Right to Challenge Compliance:To challenge our compliance with applicable data protection laws and to raise concerns regarding our data handling practices.

Additional Rights under GDPR (where applicable):

Where the GDPR applies, you may also have the right to:

Please note that certain rights may be restricted where the processing of personal information is required to comply with legal obligations, including AML/CTF requirements, or for the establishment, exercise, or defense of legal claims.

Submission of Requests and Response Timelines:Requests to exercise your rights may be submitted in writing using the contact details set out in this Policy. We may require verification of your identity prior to processing such requests. We will respond to all valid requests within the timeframes prescribed by applicable law, including those set out under PIPEDA and, where applicable, the GDPR.

Accuracy of Information

We take reasonable steps to ensure that personal information is accurate, complete, and up to date for the purposes for which it is used. You are responsible for informing us of any changes to your personal information and for ensuring that the information you provide is accurate and current.

Cookies & Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience and improve our Services. These may include:

Strictly Necessary Cookies:Required for the operation and security of the Services;

Functional Cookies:To remember your preferences and settings;

Analytics Cookies:To collect information about usage and performance; and

Marketing Cookies:To deliver relevant content and communications, where applicable.

Cookies are used for purposes including functionality, analytics, security, and, where permitted, marketing. You may control or disable cookies through your browser settings or other available opt-out mechanisms; however, doing so may affect the functionality of the Services.

Third-Party Links

Our Services may contain links to third-party websites or services that are not owned or controlled by us. This Policy does not apply to such external platforms. We are not responsible for the privacy practices or content of third-party websites, and we encourage you to review their respective privacy policies prior to providing any personal information.

Children's Privacy

Our Services are not intended for, and are not directed at, individuals under the age of majority in their jurisdiction. We do not knowingly collect personal information from minors. If we become aware that personal information has been collected from a minor without appropriate authorization, we will take steps to delete such information as soon as reasonably practicable.

Accountability & Governance

We are committed to maintaining a robust and effective privacy governance framework in accordance with applicable data protection laws, including PIPEDA and GDPR, as applicable. This framework is designed to ensure accountability, transparency, and ongoing compliance with our legal and regulatory obligations.

Privacy Officer / Data Protection Lead:We have designated a Privacy Officer responsible for overseeing compliance with applicable data protection laws, managing privacy risks, and serving as the primary point of contact for privacy-related inquiries and complaints. Where required under GDPR, we will appoint a Data Protection Officer ("DPO") or ensure that equivalent responsibilities are formally assigned, including oversight of data protection strategy and regulatory engagement.

Internal Compliance Program:We maintain and implement internal policies, procedures, and controls governing the collection, use, disclosure, retention, and protection of personal information. These measures are designed to ensure compliance with applicable legal requirements, including AML/CTF obligations, and to embed privacy-by-design and privacy-by-default principles into our operations, as required under GDPR.

Training and Awareness:Employees, contractors, and relevant personnel are required to undergo regular training on data protection, confidentiality, and information security obligations. Such training is tailored to roles and responsibilities and is periodically updated to reflect legal and regulatory developments.

Monitoring, Audits, and Continuous Improvement:We conduct periodic reviews, risk assessments, and audits of our privacy and security practices to ensure their effectiveness and to identify areas for improvement. Where necessary, we implement corrective actions to address identified risks or deficiencies.

Accountability for Third Parties:Where personal information is processed by third-party service providers, we ensure that such parties are subject to appropriate contractual obligations and safeguards, and we remain accountable for the protection of such data, in accordance with PIPEDA and GDPR requirements.

Updates to the Policy

We reserve the right to modify or update this Policy at any time to reflect changes in our practices, technologies, or legal requirements.

Where appropriate, we will notify you of material changes through our website, by email, or through other reasonable means. The "Effective Date" indicated in this Policy will reflect the date of the latest revision. Continued use of the Services following such updates constitutes your acknowledgment of the revised Policy.

Contact Information

We remain committed to keeping you informed of all your rights and the ways your data is processed, therefore, if you have any questions, concerns, or requests regarding this Policy or the processing of your personal information, we encourage you to contact our designated Privacy Officer by using the following email address: privacy@ortix.com

You also have the right to submit a complaint to the Office of the Privacy Commissioner of Canada if you believe that your personal information has been handled in a manner that does not comply with applicable law.

We will investigate and respond to all complaints in accordance with our internal procedures and applicable legal requirements.