Security & Privacy Policy
How we collect, use, protect, and respect your personal and business information.
1. Overview
Castle Currency Exchange Inc. (“CastleFX,” “we,” “us,” or “our”) is committed to protecting the privacy and security of the personal and business information you share with us. This Security & Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at castlefx.com or use our currency exchange, advisory, and subscription services.
As a registered money services business operating in Canada, we are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, provincial privacy legislation. We are also bound by record-keeping and reporting obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA).
By using the CastleFX website or services, you consent to the practices described in this policy. If you do not agree with these practices, please do not use our website or services.
2. Information We Collect
We collect information in several ways depending on how you interact with us.
Information you provide directly:
- Contact details: name, business name, email address, phone number, and mailing address
- Account registration information, including login credentials
- Identity verification documents required under KYC/AML obligations (government-issued ID, business registration documents)
- Banking and payment details required to process currency transactions
- Communications you send us via our contact form, email, or phone
- Registration details for workshops, webinars, or consulting sessions
- Subscription preferences and service configuration settings
Information collected automatically:
- IP address, browser type, and operating system
- Pages visited, time spent on pages, and referring URLs
- Device identifiers and approximate geographic location (country/region level)
- Cookies and similar tracking technologies (see Section 9)
3. How We Use Your Information
We use the information we collect for the following purposes:
- To provide currency exchange, payment processing, and advisory services you have requested
- To verify your identity and satisfy our regulatory obligations under the PCMLTFA, including KYC and AML requirements
- To manage your account, process transactions, and communicate account-related updates
- To deliver currency strategy subscription content, rate alerts, and educational materials
- To respond to your inquiries, support requests, or feedback
- To process payments for subscriptions and consulting services via our payment processor (Stripe)
- To schedule and deliver booked consulting appointments and workshops
- To improve our website, services, and communications based on usage analytics
- To send you relevant service announcements and, with your consent, marketing communications
- To comply with applicable legal, regulatory, and reporting obligations
- To detect, investigate, and prevent fraudulent transactions or other prohibited activities
We do not sell your personal information to third parties for their own marketing purposes.
4. Legal Basis for Processing
Under PIPEDA and applicable privacy law, we process your personal information based on the following grounds:
- Contractual necessity: Processing required to deliver the services you have requested or to fulfill our agreement with you
- Legal obligation: Processing required to comply with Canadian regulatory obligations, including PCMLTFA record-keeping, identity verification, and reporting requirements
- Legitimate interests: Processing necessary for fraud prevention, security, improving our services, and communicating relevant service information
- Consent: Processing based on your explicit consent, including optional marketing communications. You may withdraw consent at any time.
5. Sharing Your Information
We do not sell, rent, or trade your personal information. We may share your information with the following categories of parties only as necessary to deliver our services or meet our obligations:
- Settlement and banking partners: We work with regulated financial institutions and a Fortune 500 settlement partner to process currency transactions. These partners receive only the information necessary to complete your transactions.
- Payment processor: Stripe, Inc. processes subscription and consulting payments on our behalf. Stripe maintains its own privacy and security practices; we do not store full payment card details on our servers.
- Scheduling services: Calendly may receive your name and email address when you book a consultation or free currency review.
- Form and communication services: Web3Forms processes form submissions from our website and may temporarily store submission data to deliver it to us.
- Regulatory authorities: We are required to report certain transactions and provide records to FINTRAC and other regulatory bodies as mandated by Canadian law.
- Professional advisors: Lawyers, accountants, and auditors who are bound by confidentiality obligations.
- Business transfers: In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction.
All third-party service providers are contractually required to handle your information securely and in a manner consistent with this policy.
6. Security Measures
Protecting your information is a fundamental part of how we operate. We implement industry-standard safeguards appropriate to the sensitivity of the information we hold, including:
- Encryption in transit: All data transmitted between your browser and our website is encrypted using TLS (Transport Layer Security / HTTPS)
- Access controls: Access to personal and transaction data is restricted to authorized personnel on a need-to-know basis, with role-based access controls and authentication requirements
- Secure payment processing: Payment card data is handled exclusively by Stripe, a PCI DSS-compliant processor; we do not store, process, or transmit cardholder data on our own systems
- Form protection: Our web forms use hCaptcha to prevent automated abuse and spam submissions
- Monitoring: We maintain logs and monitoring to detect unauthorized access or suspicious activity
- Staff training: Employees who handle personal information receive privacy and security training
While we take reasonable measures to protect your information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, and you use our website and services at your own risk with respect to internet-based threats.
In the event of a security breach that poses a real risk of significant harm to individuals, we will notify affected individuals and report to the Office of the Privacy Commissioner of Canada as required under PIPEDA.
7. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes for which it was collected and to comply with our legal obligations:
- Account and transaction records: As a registered money services business, we are required by the PCMLTFA to retain certain transaction records and client identification information for a minimum of five years from the date of the last transaction
- Active account data: Retained for the duration of your relationship with CastleFX and for a reasonable period thereafter to handle any disputes or follow-up inquiries
- Contact and inquiry records: Retained for up to three years unless you request deletion and there is no legal basis requiring continued retention
- Website analytics data: Aggregated and anonymized data may be retained indefinitely; identifiable log data is typically retained for up to 12 months
When retention periods expire, information is securely deleted or anonymized.
8. Your Privacy Rights
Subject to applicable legal limitations, you have the following rights with respect to your personal information:
- Access: You may request a copy of the personal information we hold about you
- Correction: You may request that we correct inaccurate or incomplete information
- Withdrawal of consent: Where processing is based on your consent, you may withdraw it at any time; this will not affect the lawfulness of processing prior to withdrawal
- Unsubscribe: You may opt out of marketing communications at any time by clicking the unsubscribe link in any email or contacting us directly
- Complaint: You have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated
Please note that certain information cannot be deleted where retention is required by Canadian law, including records mandated under the PCMLTFA. We will inform you if a deletion request cannot be fulfilled and explain the reason.
To exercise any of these rights, please contact us using the details in Section 14.
9. Cookies and Tracking
Our website uses cookies and similar technologies to improve your browsing experience and help us understand how the site is used.
Types of cookies we use:
- Essential cookies: Required for basic website functionality, navigation, and security. These cannot be disabled.
- Analytics cookies: Help us understand how visitors interact with our website (e.g., pages visited, time on site). Data is aggregated and used only to improve the site.
- Third-party cookies: Services embedded on our site, including TradingView charts, the Calendly scheduling widget, and hCaptcha, may set their own cookies governed by their respective privacy policies.
You can control cookies through your browser settings. Disabling certain cookies may affect website functionality. We do not use cookies to deliver targeted advertising.
10. Third-Party Services
Our website integrates services provided by third parties. When you interact with these services, their own privacy policies apply:
- TradingView - live currency chart widgets embedded on our Live Charts page
- Calendly - appointment scheduling for free currency reviews and consulting sessions
- Stripe - payment processing for subscriptions and consulting services
- Web3Forms - web form submission handling
- hCaptcha - bot and spam protection on contact and registration forms
- Google Fonts - typography resources loaded from Google servers
We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before using those services.
11. Children’s Privacy
Our website and services are intended for business use and are not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected information from a minor, please contact us immediately and we will take appropriate steps to delete it.
12. Cross-Border Data Transfers
Some of our third-party service providers process data in the United States or other jurisdictions outside Canada. When your information is transferred outside Canada, it may be subject to the laws of those jurisdictions, which may differ from Canadian privacy law.
We take steps to ensure that third parties receiving your data outside Canada provide a comparable level of protection, including through contractual safeguards. By using our services, you consent to the transfer of your information to these jurisdictions as described in this policy.
13. Changes to This Policy
We may update this Security & Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will update the “Last updated” date at the top of this page.
We encourage you to review this policy periodically. Your continued use of the CastleFX website or services following any update constitutes your acceptance of the revised policy.
14. Contact Us
If you have questions, concerns, or requests related to this Security & Privacy Policy or how we handle your personal information, please contact our Privacy Officer:
- Castle Currency Exchange Inc.
- Email: info@castlefx.com
- Phone: 888-956-2423
If you are not satisfied with our response, you have the right to contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca or 1-800-282-1376.
For Terms of Use, please see our Terms of Use page.