Contact us
Personal
Business
Sign InSign Up

Privacy Policy

Privacy Statement

General

Guava Pay Canada Inc. and its affiliates (hereinafter 'we', 'us', or 'our') are committed to ensuring that your personal data is used correctly and in accordance with the highest standards of Data Protection Law.

This Privacy Policy applies specifically to Guava Pay Canada Inc., a company registered as a Money Services Business (MSB) under the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how we collect, use and disclose personal information in the course of our commercial activities in Canada. In addition, as a regulated MSB, we collect personal information in accordance with our obligations under Canada’s Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). 

Guavapay Group means Guavapay Limited, Finbloom Inc., Guava Pay Canada Inc., Guavapay Currency (United Kingdom, Canada, Poland respectively) and their branches, subsidiaries, affiliates and sister companies.   

When this Policy mentions “Guavapay,” “we,” “us,” or “our,” it refers to the Guavapay company that you have contacted (or been contacted by) or contracted with.  

This Privacy Policy (“Policy”) explains in detail the types of personal data we may collect about you and what we do with your personal data. It also sets out what we do to keep your personal data secure, as well as your rights in relation to the personal data we hold about you. If you are a Guavapay Currency client, please visit our Privacy Policy here. If you are a Guavapay Limited client, please click here. 

For the purposes of Data Protection Law, Guavapay will be deemed a Controller or Joint Controller of your personal data unless you are a Guavapay client’s recipient/beneficiary in which case, Guavapay is a Processor of your personal data.  

Please see the “Definitions and Glossary” section to understand the meaning of some of the terms used in this Policy. 

Please read this Policy carefully as it will help you understand what we do with the information we collect.

 

What personal data do we collect?

Information you provide us when you use our Services or contact our team:

  • Information such as your name, residential address, date of birth, telephone number, mobile number, email address, occupation, bank account details, information contained in your identification documentation (e.g. passport, social insurance number or other tax identification number), utility bill, and/or driver’s licence, visa and copies of any other documents you provide to prove your age or identity so we can satisfy our ‘Know Your Customer’ checks. This includes requirements under Canadian AML/CTF legislation.

  • If you have a MyGuava account online, login credentials such as your username, password, passcode and security question answers.

  • To comply with anti-money laundering (AML) and counter-terrorist financing  (CTF) legislation, assess creditworthiness, and process payments and transactions we may collect financial information such as credit or debit card numbers, credit information or reports and tax information.

  • When you book transactions with us, we need to collect information about the other parties involved in the transaction, including beneficiary name, account number, address (“Beneficiary Details”), the source of the funds, the reason for the transaction and the devices and payment methods used to complete transactions. – Note: by providing this information to Guavapay, you agree to have obtained the payee’s consent to their personal data being processed by Guavapay in its capacity as a Processor. This is necessary for us to make a payment to them, and you confirm that you know they agree or that you are otherwise allowed to give us this information and will inform them of the contents of this Policy.

  • If you are using our services on behalf of a business entity, we need to collect information about the business including the organisational structure of the company and individuals involved in the business including their name, address, job title of signatory, email, phone, Identity documents of signatory, proof of bank account details and similar details of other authorised personnel. We may also collect entity formation documents or other corporate records such as company registration details, etc. 

 

Guavapay is required under AML/ CTF laws to collect Personal Data of individuals who ultimately own or control corporate clients, directly or indirectly (“Beneficial Owners”). This is to ensure that they have authority to act on behalf of the business entity and provide that information. Such information may include the Beneficial Owner’s name, date of birth, title, mailing address, phone number, email address, nationality, occupation and social insurance number or other tax identification number. You confirm that you know the Beneficial Owners agree or that you are otherwise allowed to give us this information and will inform the Beneficial Owners of the contents of this Privacy Policy.  

  • To the extent permitted by applicable law, we may obtain, in the course of providing you with the services you request, background check reports from public records of criminal convictions and arrest records. Some jurisdictions require us to obtain your consent. Where you refuse to provide consent, we may be unable to provide services to you. 

  • We may collect any other Personal Data you provide to us when you update your account information, respond to surveys, post to third party community forums hosted by Guavapay and thirdparties, participate in contests or promotions, or use any other feature of our products or services.

 

Information we collect about you when you use our Services or contact our team:

  • Details of the transactions you carry out when using our Services, including geographic location from which the transaction originates. 

  • Your image(s) in photo (for example, where required as part of our Know-Your-Customer (“KYC”) checks, to verify your identity where you upload a photo to your Guavapay account and any photographs from IDs such as a driver’s licence or passport). Such processing may be required under Canadian AML/CTF regulations. 

  • Information about other people (such as a joint account holder, your spouse or family) when we ask you to give us this information to enable us to comply with our obligations under KYC/AML/CTF legislation and to assist with fraud monitoring. 

  • Personal Data derived from money transfers, payments, membership programmes including various referrals, previous use of our service history and/or marketing choices generated or collected in virtue of the relationship between Guavapay and you.

  • When you access our services or products via our online channels, we collect website behaviour and store user data for session statistics (pages visited, clicks, referral sources, etc.), approximate geolocation, browser, device information, server logs, which may include information such as IP address, access times and dates, pages viewed.

  • We may obtain information about the devices you use to access our website - through, for example, Google Analytics which may include details of the device used (mobile, desktop, tablet), the brand of the device (iPhone, Galaxy, etc.), the OS, and the browser used.

We will update the information we hold on you as and when you provide it to us during our communications with you. However, wherever possible, you should advise us if information we hold on you needs updating or is no longer accurate. 

 

When do we collect personal data about you? 

We will collect your Personal Data from you when it is reasonable or practicable to do so, or is authorised by applicable laws, including Canadian privacy and AML/CTF regulations. 

We collect Personal Data and other information from you when you: 

  • Visit any of our websites or download and install the Myguava app;

  • Complete an application or form, register for a Myguava user account;  

  • Submit to our verification procedures, apply for additional account features or services or conduct transactions; 

  • Raise an enquiry on the Guavapay website, respond to our emails, messages or surveys or communicate with us by email and online via Guavapay website or App;

  • Sign up to receive our general marketing from us; 

  • Report a problem, make a query or issue a complaint about our Services;  

  • Download our marketing materials online; 

  • Connect with us via your social media account. 

 

Information collected from Third Parties 

We collect Personal Data about you from third parties and other sources, including government agencies, identity verification and fraud detection service providers and databases, credit bureaus, credit reporting bodies, credit reference agencies, community forums used to post ratings or reviews, social media platforms, advertising, advertising technology and market research companies, third-party sales lead sourcing companies, demographic & profile data brokers including companies that publish marketing and advertising materials that you interact with, Guavapay business partners and associates through which you access our services.

Where applicable, such third-party sources are used in accordance with Canadian law.

The ”lawful basis” we rely on to process your personal data 

Data Protection Law sets out the key, lawful basis that organisations, businesses and governments can rely on to collect and process personal data. Guavapay predominantly relies on the following:  

1. Consent 

This means processing your personal data where you have explicitly given us permission to do so. 

2. Performance of a Contract 

This means processing your personal data in order to fulfil our contractual obligations with you.  

3. Legal Obligations 

This means processing your personal data where it is necessary for compliance with a legal or regulatory obligation to which we are subject. In Canada, this includes obligations under PIPEDA and PCMLTFA. 

4. Legitimate Interests 

This means processing your personal data where we or a third party have a legitimate interest to do so. We make sure we consider and balance any potential impact on your rights before we process your personal data for our legitimate interests. Where our interests are overridden by a negative impact on your privacy rights, we will not process your personal data. 

 

How do we use your personal data? 

We may process your personal data for the following purposes, depending on how you interact with us.

  1. To complete the delivery of our Services

 

Without your personal data, we would not be able to open your MyGuava account or complete the delivery of our Services. 

As part of our online account opening process, we will send you a one-off follow up registration email should you not complete the second page of the online account registration page. We will do this on the basis of our legitimate interests. 

Throughout the relationship, Guavapay may also be required to send you communications known as ‘service messages’ in order to inform you about changes to the services we provide you. These service messages will not include any promotional content and cannot be unsubscribed from.

2.       To respond to your queries and complaints

Without your personal data, we would not be able to effectively respond and handle queries or complaints. We may keep a record of our correspondence to demonstrate how we communicated with you throughout. We will do this on the basis of our legitimate interests and our legal obligations.

  1. To comply with our legal and regulatory obligations

To comply with laws, regulations, codes of conduct, binding determinations or to respond to government authorities, to address disputes or resolve claims related to the use of our services, to enforce our terms and conditions, to verify your identity or authenticate your right to access an account or other information, and to conduct manual or automated monitoring in order to meet our legal and regulatory requirements, we are required to carry out regulatory checks in order to prevent and detect fraud, money laundering, identity theft and other crimes. 

This includes compliance with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) in Canada.

  1. To analyse, test and improve our systems and databases

We may use your personal data to ensure that our systems are tested thoroughly. This ensures that the system can cope with comparable volumes of information, that a wide range of realistic scenarios are covered, and that the test will reflect all the possible combinations that occur in the real environment.

  1. For training and quality purposes

 

We are continually reviewing the quality of the services we provide in order to improve your experience with Guavapay. We will do this on the basis of our legitimate interests.

 

Who do we share your personal data with?

With the exceptions described in this section, we do not make your personal data available to third parties unless you have expressly consented to it, if we are legally obligated to, or if this is necessary to enforce our rights concerning a contractual relationship. We will never sell your Personal Data to marketers or other third parties. 

We may share your personal data with the following entities for the purposes described in this Policy:

  1. Guavapay subsidiaries, overseas branches, affiliates and sister companies

A complete and up-to-date list can be found in the “Definition and Glossary” section of this Policy.

  1. Third party service providers

We engage a variety of service providers to enable us to provide our services to you. This includes:

• Payment processing service providers, intermediary banks and financial institutions to process your transactions. 

• Auditors and professional advisers such as lawyers and consultants.

• Banks and financial services.

• Companies who host, support and maintain our website, databases, archives and other business systems. 

• Companies that provide our email archiving and backup system.

• Companies who assist with providing our two-factor authentication security process.

 

  1. Public Authorities & Regulatory Bodies

This will only be in response to lawful requests made by public authorities and regulatory bodies. Where we believe it is necessary or appropriate, we may share your Personal Data with law enforcement officials, government authorities, regulatory bodies or other third parties, including for the purposes of: (i) enforcing our terms and conditions or other applicable agreements or policies; (ii) protecting our rights, property, privacy, or security, or that of others; or (iii) complying with applicable law, legal process, or government orders including any request made in order to meet national security, public interest or law enforcement requirements, including those under Canadian federal or provincial law, such as FINTRAC reporting obligations or PIPEDA.

 

Do we use cookies and other tracking technologies?

We use cookies and similar tracking technologies to enhance your experience on our website. Cookies are small text files stored on your device through your browser. When you visit our website, we may collect information automatically through cookies to provide a more user-friendly experience.

You can control cookie settings via your browser: 

  • Prevent Cookies: Adjust your browser settings to block cookies. 

  • Delete Cookies: Remove existing cookies through your browser settings or other software.

Most browsers allow these actions, but disabling cookies may affect the functionality of our website.

By continuing to use our website without changing your settings, you consent to our use of cookies as outlined in this policy. If you disagree, please adjust your browser settings accordingly or refrain from using our website.

 

How do we protect your personal data? 

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

Protections include, but are not limited to, two-factor authentication, robust access control (with strict procedures around privileged access), network segmentation, layered security appliances (firewalls).

We provide our employees with training and detailed information about our data handling practices through internal company policies such as our Data Protection Policy. All employees have to certify that they have read and understood the contents of our Data Protection Policy which is reviewed and updated on an annual basis. As well as our Data Protection Policy, which governs how we process data throughout the Guavapay Group, we have a separate suite of internal policies which govern areas such as information security and information classification.

 

How long we will keep your personal data? 

In accordance with our legal and regulatory obligations (for example, Canadian AML/CTF legislation including PCMLTFA), we will retain your personal data for a minimum period of six years from the closure of your account.

In some circumstances, such as an enquiry from a law enforcement agency, we may retain your personal data for a longer period of time.  We may also retain information if doing so protects our interests, for example, if legal proceedings are anticipated or on-going.   

When data falls outside Guavapay’s retention periods, we will take steps to delete it from our system. Where you have asked us not to contact you, we will retain that information on a ‘do not contact’ list to reduce the risk of us contacting you in the future.

 

Inactivate Accounts 

If you have not used your account for more than two years, it will be flagged as inactive and we may contact you to ask whether you want to close the account.

 

Closed Accounts

If you inform us that you longer wish to have a MyGuava account, we will close and deactivate your account.

At the end of the retention period, your personal data will either be anonymised (so that it can only be used in a non-identifiable way for statistical analysis and business planning), made inaccessible or unintelligible (for system integrity purposes) or deleted completely. However, we may retain your information beyond this retention period if we have a legitimate business interest to do so (or we can rely on another lawful basis).

Your data may be retained on offline backup systems for a longer period, however these backups are not part of our day to day processing.

 

Your data protection rights

 

You have a number of rights under Data Protection Law which, in certain circumstances, you may be able to exercise in relation to the personal data we process about you. This includes:

Right to Access: You have a right to receive a copy of the personal data we hold about you. This is commonly known as a data subject access request. Please note that you must verify your identity and request before further action is taken. As a part of this process, government identification may be required.

 Right to Data Portability: You have a right to receive certain information you have provided to us in a ‘machine-readable’ format and/or request that we transmit it to a third party.

Right to Erasure: You have a right to request that we erase your personal data. However, we may not always be able to comply with your request forerasure for specific legal and regulatory reasons which will be notified to you, if applicable, at the time of your request. 

Right to Object: In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.

Right to Lodge a Complaint: You have the right to lodge a complaint with your national data protection authority. Further details can be found in the “Contact Us” section of this Policy. If you are located in Canada, this is the Office of the Privacy Commissioner of Canada. 

Right to Rectification: Where your personal data is inaccurate, out-of-date or incomplete, you have the right to request an amendment to it. 

Right to Withdraw Consent:  Where you have given us your consent to process your personal data, you have the right to change your mind at any time and withdraw that consent.

 

If you wish to exercise any of these rights, please get in touch by using the details in the “Contact Us” section below. Please note we will ask you to verify your identity before proceeding with any request you make. Once we have verified your identity, we will endeavour to respond to your request within a month from receiving a valid request.

 

Managing your marketing preferences

 

There are a number of ways you can update or stop direct marketing communications from us:

Click the ‘unsubscribe’ link in any email communication that we send you. We will then stop any further emails from that particular business entity of Guavapay. Please note that unsubscribe links are not included in service emails because you cannot unsubscribe from service emails.

If you have downloaded MyGuava’s App (UK only) and wish to disable push notifications, you can do this by following the below steps: 

For iOS Devices:

  • Open your Settings app and tap “Notifications”

  • Swipe up until you see the MyGuava App

  • Select the MyGuava App and tap the check box next to “Allow Notifications” to disable

For Android Devices:

  • Open your Settings app and tap “More”

  • Tap Application Manager and select “Downloaded”

  • Select the MyGuava App and tap the check box next to “Show Notifications” to disable

  • If you have opted in to receive MyGuava’s web notifications and wish to disable push notifications, you can do this by following the below steps:

For Chrome browsers:

  • Open your Settings app and click 'Advanced'.

  • Under 'Privacy and security', click Site settings.

  • 'Click Notifications'.

  • Choose to block or allow notifications:

(i)  Block all: Turn off 'Ask before sending'.

(ii)  Block a site: Next to 'Block', click 'Add'. Enter the site and click 'Add'.

(iii)  Allow a site: Next to 'Allow', click 'Add'. Enter the site and click 'Add'.

For Firefox browsers:

  • Click the menu button and select 'options'.

  • Click 'Privacy & Security' from the left pane.

  • Scroll to the Permissions section.

  • Click the 'Settings' button next to notifications.

  • Select the website.

  • Click the 'Remove Website' button.

Please note that you may continue to receive communications for a short period after changing your preferences while our systems are fully updated.

Contacting the Regulator:

If you feel that your personal data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with your national Data Protection Authority.

 

In the UK, this is the Information Commissioner’s Office. You can contact them by visiting https://ico.org.uk/global/privacy-notice/how-you-can-contact-us/ 

 

For a complete list of all European Data Protection Authorities, click here: https://ec.europa.eu/ 

 

For Canadian customers, you have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada, or in some Canadian provinces, your local Privacy Commissioner. https://www.priv.gc.ca/en/contact-the-opc/

 

Changes

 

Last Modified: 22nd April 2025

 

 

We reserve the right to amend this Policy from time to time without notice in order to be consistent with applicable data protection law requirements. Where we do make significant changes to this Policy, we will take appropriate steps to bring those changes to your attention.

 

Glossary and Definitions

 

Controller or Joint Controller

This means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Protection Law

This includes the EU General Data Protection Regulation 2016/679 (GDPR), European Member States' national implementing legislation, the e-Privacy Directive 2002/58/EC (as amended), and Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and any applicable provincial privacy legislation.

European Economic Area

This means the countries of the European Union and members countries of the European Economic Association. A complete list of applicable countries can be found at: https://www.gov.uk/eu-eea 

Guavapay Group

This includes: Guavapay Limited (UK); Guavapay Currency (Poland); Guava Pay Canada Inc. (Canada), Finbloom Inc. (Canada), Guavatech Ltd (UK).

Personal Data

This means information that can be used to directly or indirectly identify a living person. Also referred to as ‘personal information’, ‘personally identifiable information’ and ‘non-public personal information’.

Processor

This means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

Process, Processing, Processed

This means any operation or set of operations which are performed on data. This includes collecting, viewing, recording, organising, structuring, storing, using and destroying.

 

Contact Us

 

If you have any questions, comments, or concerns relating to this Privacy Policy or our data protection practices, please contact us at our email address info@guavapay.ca.