Policies

The agreements, policies, and disclosures that govern your use of Next Solutions Corp services.

Privacy Policy

Last updated: 13 May 2026.

This Privacy Policy explains how Next Solutions Corp., an Ontario corporation with registered office at 300 Supertest Road, Unit 1, North York, Ontario, M3J 2M2, Canada ("Next Solutions Corp", "we", "us", "our"), collects, uses, discloses and protects personal information when you visit nextsolutionscorp.com (the "Website") or use the exchange services made available through it (the "Platform").

This Privacy Policy is governed by the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA") and by applicable provincial privacy laws, including Quebec's Act respecting the protection of personal information in the private sector ("Quebec Law 25") where it applies to you. Where we provide services to a customer located in the European Economic Area on a reverse-solicitation basis, we also act consistently with the EU General Data Protection Regulation (Regulation (EU) 2016/679); this is described in section 8.

If anything in this Privacy Policy is unclear, write to our Privacy Officer at privacy@nextsolutionscorp.com.

1. Who is responsible

Next Solutions Corp is the controller of personal information collected through the Platform. Our designated Privacy Officer is responsible for compliance with this Privacy Policy and with applicable privacy law. The Privacy Officer can be reached at privacy@nextsolutionscorp.com, or by writing to the registered office at the address above.

2. What personal information we collect

We collect only what we need to operate the Platform, satisfy our legal obligations and protect against fraud and financial crime. The categories below describe the maximum scope of what may be collected; not every category applies to every customer.

Identification and verification data. Full legal name, date of birth, nationality, residential address, government-issued identification document (passport, driving licence, national identity card), document number and expiry date, a live facial image or short video used for biometric comparison against the document photo, and the result of the comparison. We use biometric data only for identity verification at onboarding and for re-verification where required by our compliance procedures; we do not use it for any other purpose.

Contact data. Email address, mobile telephone number.

Account data. Username, hashed password, two-factor authentication settings, account creation date, language and notification preferences, and history of communications with our support team.

Transaction data. Order details (currency pair, amount, time, status), payment method used, blockchain destination and origin addresses, transaction hashes, network and service fees, and originator or beneficiary information collected to comply with the Travel Rule (see the AML and KYC Policy).

Payment data. Where you pay by card, the card brand, the last four digits of the card number, expiry date and cardholder name. Full card numbers are processed by our PCI-DSS-compliant payment processors and are not retained on our systems. Where you pay by bank transfer, the bank name and account identifier.

Source-of-funds and source-of-wealth data. Where required by our AML procedures or by the risk profile of your activity, documents and information evidencing where your funds came from (for example, payslips, tax returns, sale-of-asset documents, inheritance or gift documents).

Tax-residency data. In line with the Canadian implementation of the OECD Crypto-Asset Reporting Framework ("CARF"), we may collect your country (or countries) of tax residence and tax-identification numbers.

Device and technical data. IP address (and geolocation derived from it), device type, operating system, browser type and version, language settings, screen resolution, time zone, and information about how you interact with the Website (pages visited, time on page, referring URL). Some of this is collected through cookies and similar technologies — see our Cookie Policy.

Risk-screening data. Outputs of sanctions, politically-exposed-person ("PEP"), adverse-media and blockchain-analytics screening that we perform as part of our compliance programme, including risk scores assigned to wallet addresses you interact with.

Communications. Records of correspondence with our support and complaints teams, including timestamps and the content of messages.

3. Where we obtain personal information

We obtain personal information:
- directly from you when you register, complete verification, initiate an Order, contact our support team, or respond to our questions;
- from third-party verification providers we engage to confirm identity documents, perform biometric checks, screen against sanctions, PEP and adverse-media databases, and provide blockchain analytics on wallet addresses;
- from public blockchains when you transact through us — public ledgers reveal transaction history and balances associated with addresses, and we analyse this information for compliance purposes;
- from your payment provider or bank when you fund or receive a payment, including limited information about the source account and any responses to authorisation requests; and
- from cookies and similar technologies on the Website (see the Cookie Policy).

We do not buy or rent personal information from data brokers. We do not collect personal information about you from social-media networks.

4. Why we use personal information

We use personal information for the following purposes only:

To provide the Platform. Open and operate your Account; verify your identity as required by the PCMLTFA; process Orders; confirm payments; settle transactions; respond to support and complaints requests; communicate operational information about your Account and Orders.

To comply with law. Meet our obligations under the PCMLTFA and FINTRAC guidance (record-keeping, transaction monitoring, Travel Rule, suspicious transaction reporting, large virtual currency transaction reporting), Canadian sanctions law, tax law (including CARF), consumer-protection law, and law-enforcement requests; cooperate with regulators and courts.

To prevent financial crime and protect the Platform. Screen against sanctions, PEP and adverse-media lists; analyse blockchain addresses for links to illicit activity; detect and prevent fraud, account takeover, money-mule activity and use of the Platform in breach of these Terms; investigate complaints and chargebacks.

To run and improve our business. Maintain the security and integrity of the Platform; debug and improve our systems; analyse usage in aggregate to understand performance; manage our books and records.

To send service communications. Send transactional emails related to your Account, security alerts, changes to these Terms or other policies, and other communications necessary to provide the Platform.

To send marketing communications (only with your consent). Send information about new features, new asset listings or other matters we think may interest you, if you have opted in. You can withdraw consent at any time by clicking "unsubscribe" in any marketing email or by writing to privacy@nextsolutionscorp.com. Withdrawal of marketing consent does not affect service communications, which are necessary to operate your Account.

We will not use personal information for any other purpose without your consent or as otherwise permitted by law.

5. Legal bases (where they apply)

We rely on the following legal bases for processing personal information (terminology drawn from PIPEDA and, where it applies, the GDPR):
- Performance of a contract: to provide the Platform and process Orders;
- Legal obligation: to comply with the PCMLTFA, FINTRAC guidance, sanctions law, tax law (including CARF) and other legal requirements;
- Legitimate interest: to prevent fraud, secure the Platform, defend legal claims, and run our business. These interests are balanced against your interests and fundamental rights;
- Consent: for marketing communications, optional cookies, and any other processing for which we explicitly ask for your consent.

6. Disclosure of personal information

We disclose personal information only as follows.

To service providers, under written agreements that require them to protect the information and to use it only for the purposes for which we engage them. Categories include:
- identity-verification and biometric-check providers;
- sanctions, PEP and adverse-media screening providers;
- blockchain-analytics providers;
- payment processors and acquiring banks;
- cloud-hosting and infrastructure providers;
- email and customer-support platforms; and
- professional advisers (auditors, accountants, lawyers).

To regulators and authorities, where required by law, including mandatory filings to FINTRAC (Suspicious Transaction Reports, Large Virtual Currency Transaction Reports, and other reports prescribed by the PCMLTFA), CARF reporting to the Canada Revenue Agency, and responses to court orders, production orders, regulatory demands or requests from law-enforcement agencies. We may also share information with foreign authorities where required under mutual-assistance arrangements or applicable treaties (for example, under the OECD common reporting and CARF exchange frameworks).

To counterparties under the Travel Rule. Where we send a virtual currency transfer of CAD 1,000 or more on your behalf, the PCMLTFA requires us to transmit your name, address and reference number to the receiving entity. Where we receive a transfer for you, we must take reasonable measures to ensure the corresponding information about the originator was transmitted.

In a corporate transaction. If we are involved in a merger, acquisition, financing or sale of assets, personal information may be disclosed to the counterparty as part of the transaction, subject to confidentiality protections and applicable law.

With your consent, to anyone you have authorised in writing.

We do not sell personal information.

7. International transfers and where information is processed

Our infrastructure and some of our service providers are located outside Canada, including in the United States and the European Economic Area. When personal information is transferred outside the province in which you reside, it is subject to the laws of the jurisdiction in which it is processed, including any lawful access by foreign authorities.

We use commercially reasonable measures to protect transferred information, including written agreements, encryption in transit and at rest, and, where the recipient is in a jurisdiction that requires them, EU-approved standard contractual clauses or equivalent mechanisms.

8. Customers located in the EEA

If you are a customer located in the EEA and we have agreed to provide services to you on a reverse-solicitation basis (see section 4.2 of the Terms and the Reverse Solicitation Notice), we process your personal information consistently with the GDPR. In addition to the rights described in section 11, you have:
- the right to receive transparency information about how we process your data (this Privacy Policy is intended to provide it);
- the right to lodge a complaint with the data-protection authority in your country of residence; and
- the right to object to processing based on our legitimate interests.

We are based in Canada and do not have an EU or UK establishment. We have not appointed an Article 27 representative because we do not direct services to the EEA or the UK. If you are an EEA or UK resident and wish to exercise GDPR rights, write to privacy@nextsolutionscorp.com.

9. Retention

We retain personal information for the period required by applicable law. Under the PCMLTFA and its regulations, records relating to a customer and to transactions must be retained for at least five years from the later of (a) the date of the last business transaction and (b) the closure of the Account.

After the retention period expires we delete or anonymise personal information, unless we have a separate legal obligation to keep it (for example, in connection with active or anticipated litigation, an outstanding regulatory enquiry, or CARF reporting obligations for a relevant reporting period).

10. Security

We implement administrative, technical and physical safeguards designed to protect personal information against loss, theft, unauthorised access, disclosure or alteration. These include encryption in transit and at rest, access controls based on the principle of least privilege, multi-factor authentication for staff, logging and monitoring, regular security testing, and written confidentiality undertakings from staff and service providers. We support two-factor authentication for customers and encourage you to enable it in your Account settings.

No security measure is perfect. You play a role in protecting your information by choosing a strong, unique password, never sharing your credentials, enabling two-factor authentication, and keeping your devices and software up to date. See section 6 of the Terms and Conditions for the account-security obligations that apply to you.

11. Your rights

You have the following rights in respect of your personal information held by us. Some of these rights are statutory under PIPEDA or Quebec Law 25; some apply only if you are in the EEA or the UK.
- Access: request a copy of the personal information we hold about you.
- Correction: ask us to correct information that is inaccurate or incomplete.
- Deletion: ask us to delete information we no longer have a lawful basis to keep. We may not be able to comply where the PCMLTFA, CARF or another law requires us to retain the information.
- Portability (where Quebec Law 25 or the GDPR applies): receive certain information in a structured, commonly used and machine-readable format.
- Restriction and objection (EEA/UK only, under the GDPR): ask us to limit how we use your information, or object to processing based on legitimate interests.
- Withdraw consent: where we rely on consent (for example, marketing communications, optional cookies), withdraw it at any time. Withdrawal does not affect processing already carried out.
- Complain: lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca), the Commission d'accès à l'information du Québec if you are in Quebec (cai.gouv.qc.ca), or, if you are in the EEA or the UK, with the data-protection authority in your country.

To exercise any of these rights, write to privacy@nextsolutionscorp.com. We may need to verify your identity before we act on the request. We respond within 30 days, or sooner where required by law.

12. Automated decision-making

We use automated tools to support our compliance processes, including sanctions and PEP screening, transaction monitoring, and blockchain-analytics risk scoring. These tools can result in an Order being held for human review or refused. A decision to refuse an Order or to close an Account is not made solely by automated means; a member of our compliance team reviews the matter before a final decision. If you believe a decision has affected you unfairly, you can contact us under the Complaints Policy and ask for a human review.

13. Children

The Platform is not directed at, and is not intended to be used by, persons under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from minors. If we become aware that we have done so, we delete the information and close the related account.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of the page reflects the most recent revision. Material changes will be communicated by email or by a prominent notice on the Website before they take effect.

15. Contact

For any privacy enquiry, including to exercise any of the rights described in section 11, write to:

Privacy Officer
Next Solutions Corp.
300 Supertest Road, Unit 1
North York, Ontario M3J 2M2
Canada
privacy@nextsolutionscorp.com