A. Legal basis for processing

We process Personal Data only where a legal basis applies, including the following:

• Consent: where you have given us your explicit consent to process your Personal Data for one or more specific purposes. You may withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

• Contractual necessity: where processing is necessary for the performance of a contract to which you are a party, or to take steps at your request before entering into a contract.

• Legitimate interests: where processing is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your interests or fundamental rights and freedoms which require protection of Personal Data.

• Legal obligations: where processing is necessary to comply with a legal or regulatory obligation, including cooperation with law enforcement or regulators, or the exercise or defense of legal claims.

B. Collection of personal data

Depending on how you use the Products and Services, we may collect the following categories of Personal Data:

• Identification and contact information, such as name, address, email address, telephone number, account credentials, membership or loyalty numbers and similar identifiers, which we use to process your requests, manage your account and deliver the Products and Services.

• Data collected for the provision of Products and Services, including any content or information necessary for us to fulfil your instructions or to provide specific functions.

• Connection and device data, such as IP address, device identifiers, browser type, operating system, geo‑location data, web pages viewed, browsing time, click activity, redirects and the pages visited before landing on our website.

• Cookie and tracking data, collected by us and our service providers through cookies and similar technologies to better understand how you access and use the Products and Services (see Section D below).

• Transaction and purchase data, such as purchase history, delivery information, payment methods and limited payment instrument details (as necessary to complete a transaction).

• User‑generated data that you voluntarily provide, including reviews, feedback, survey responses, support requests, and any other interactions you have with us in relation to the Products and Services.

• Data used for detection, investigation or prevention of fraud, misuse of our Products and Services, or other violations of Applicable Laws or our terms and conditions.

We may also collect other Personal Data provided to us for specific purposes that we explain to you at the time of collection. Personal Data may additionally be provided to us by Clients or third parties who, to the best of our knowledge, have the right to share that data with us under Applicable Laws.

Some of the above Personal Data is processed by us on behalf of our Clients, for their own purposes, where we act as a data processor and the Client is the data controller.

C. Use of personal data

Depending on the Products and Services used, we may collect, use and otherwise process Personal Data for the following purposes:

• To provide, operate and maintain the Products and Services, including our software applications and chatbots.

• To evaluate, customize and improve the Products and Services and the user experience.

• To provide customer service and technical support to Clients.

• To analyze usage, performance and trends relating to the Products and Services.

• To personalize the Products and Services, including by presenting features, content or advertisements that are tailored to your interests and preferences.

• To detect, investigate and manage any abusive, unlawful or dishonest use of the Products and Services, or any violations of our terms and conditions or Applicable Laws.

• To prepare and deliver push notifications, marketing content, promotions, rewards or other offers that may match your interests and preferences, subject to your marketing preferences and Applicable Laws.

• To improve the safety, security and reliability of our Products and Services.

• To comply with our legal and regulatory obligations and to protect our legal rights.

• To conduct research and development in order to enhance or develop new services.

• For any other purposes described in this Policy or otherwise notified to you at the time of collection, where permitted by Applicable Laws.

With your express consent, we may also use your Personal Data for direct marketing and promotional purposes (see Section E).

D. Cookies and similar technologies

We use cookies, analytics tools and other automated tracking technologies provided by us or by third parties to understand how the Products and Services are used and to improve their performance and your experience.

Cookies are small files or similar technologies that are stored on your device when you access our Products and Services (“Cookies”). You can choose whether to allow Cookies by adjusting your browser or device settings, including to accept, reject, or receive alerts before Cookies are stored. If you disable Cookies, some parts of the Products and Services may not function properly.

Broadly, we use Cookies to:

• distinguish users of our Products and Services;

• collect information about Clients’ interests and behavior when viewing and using our Products and Services to improve them;

• optimize our own, and our partners’, marketing and advertising campaigns.

E. Direct marketing

With your explicit consent, we may use your name, email address and mobile phone number to send you marketing communications including news, offers, promotions and joint marketing offers that we consider may be of interest to you. You can withdraw your consent and opt out of direct marketing at any time, free of charge, by following the unsubscribe instructions in our communications or by contacting us using the details in Section P.

Even if you opt out of marketing, we may still send you service‑related or transactional communications that are necessary for us to provide the Products and Services (for example, service notifications, security alerts or billing information).

F. Retention of personal data

We retain Personal Data only for as long as necessary for the purposes for which it was collected, and in accordance with Applicable Laws (“Retention Period”).

Without limiting the general rule above, we typically retain and store Personal Data:

• where collected on behalf of Clients, until the Client instructs us to delete or return such Personal Data, or for the period agreed with the Client;

• for as long as is reasonably necessary to provide the Products and Services to you;

• for the time needed to respond to and manage your requests or queries;

• for the period required to comply with legal and regulatory obligations or to protect our legal rights.

At the end of the applicable Retention Period, or upon a Client’s valid request and subject to Applicable Laws, we will delete Personal Data or irreversibly anonymize it so that it can no longer be used to identify an individual. Retention periods may change if you cancel or re‑enroll in the Products and Services, or if Applicable Laws require a longer or shorter retention period.

G. Sharing and transfer of personal data

We may share Personal Data with third parties on a need‑to‑know basis, where Clients have asked or consented to such sharing, or where permitted or required by Applicable Laws. Categories of recipients include:

• Service providers and sub‑processors that process Personal Data on our behalf for the purposes described in Section C or for the purposes of our Clients, such as:

  • cloud service providers, including Google Cloud Platform located in the United States, Canada and Hong Kong;

  • legal, accounting and other professional advisers located in Canada;

  • payment gateway or payment processing providers located in the United States;

  • customer relationship management and support service providers located in the United States and Canada.

• Governmental, regulatory or law enforcement authorities, where required by Applicable Laws.

• Assignees, successors or purchasers (and their advisers) in connection with any corporate transaction, restructuring or transfer of our business.

When transferring Personal Data, including cross‑border transfers, we protect the data as described in this Policy and comply with Applicable Laws that require appropriate safeguards for such transfers. We have data processing addenda in place with our trusted partners, which form part of our service agreements and set out obligations for data protection and security.

Our support, development and other team members may be located in different countries and may access Personal Data from outside your country in order to provide timely support and maintain the Products and Services. By using the Products and Services, you acknowledge that your Personal Data may be processed in countries that may not offer the same level of data protection as your home country; however, any such transfers will be made in compliance with Applicable Laws.

We have taken reasonable contractual and organizational measures to ensure that our subcontractors process Personal Data only on our documented instructions, for the purposes set out in this Policy, and that they are prohibited from using Personal Data for their own purposes without the data subject’s consent.

H. Security of personal data

We use appropriate technical and organizational measures to protect Personal Data against loss, destruction, alteration, and unauthorized, unlawful or abusive access or use. We impose similar obligations on our subcontractors who process Personal Data on our behalf.

Personal Data is encrypted in our databases at rest and in transit, and access to Personal Data is restricted to personnel who need it to perform their duties and who are subject to confidentiality obligations. In the event of a data breach or other security incident affecting Personal Data, we will activate our incident response plan to contain and mitigate the incident and will notify you and any relevant authorities as required, for example through push notifications, public announcements or direct communications.

To the extent permitted by Applicable Laws, we shall not be liable for any direct or indirect loss, damage or cost incurred by you as a result of a data breach or any unauthorized use, access, deletion or alteration of Personal Data that arises from circumstances beyond our reasonable control.

I. Your data protection rights

Subject to Applicable Laws and any exemptions, you may have the following rights:

• Right to be informed: to receive clear information about how we collect, use, disclose and protect your Personal Data, as set out in this Policy.

• Right of access: to request confirmation whether we process Personal Data about you and, if so, to obtain a copy of that Personal Data and information about how we use and share it.

• Right to rectification: to request correction of inaccurate Personal Data and completion of incomplete Personal Data that we hold about you.

• Right to erasure and restriction: to request deletion of your Personal Data or restriction of its processing in certain circumstances, for example where there is no valid reason for us to continue processing it, subject to our rights and obligations under Applicable Laws (including retention obligations).

• Right to data portability: to receive a copy of certain Personal Data in a structured, commonly used and machine‑readable format and to request that we transmit that data to another controller, where technically feasible.

• Right to object: to object at any time, on grounds relating to your particular situation, to our processing of your Personal Data based on legitimate interests, and to object at any time to our use of your Personal Data for direct marketing.

• Right to be notified of breaches: to be notified, and for relevant regulators to be notified, in the event of certain personal data breaches, in accordance with Applicable Laws.

If you wish to exercise any of these rights, please contact us using the details set out in Section P. We may need to verify your identity before responding to your request and may charge a reasonable fee where permitted by Applicable Laws.

J. Children

Our Products and Services are not directed to individuals under 18 years of age (“Children”), and we do not knowingly collect, solicit, market to or process Personal Data of Children. If we become aware that Personal Data of a Child has been collected, we will take reasonable steps to delete it as soon as practicable, unless we are legally required to retain it.

K. Processing on behalf of clients

Some Clients regularly disclose to us Personal Data that they have collected from their own customers or users in connection with their use of our Products and Services. In these situations, the Client is the data controller and we act as a data processor, processing Personal Data solely on the Client’s documented instructions and for the purposes of providing the Products and Services.

Where we process Personal Data as a data processor for a Client, we will:

• process, use and disclose Personal Data only as necessary to perform our contractual obligations or as otherwise authorized by the Client;

• make no independent use of such Personal Data for our own purposes;

• act only in accordance with the Client’s instructions and requirements regarding such Personal Data;

• implement appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction or damage;

• ensure that all personnel who have access to Personal Data are subject to confidentiality obligations;

• notify the Client without undue delay after becoming aware of a personal data breach affecting Personal Data;

• on the Client’s written instructions, delete or return Personal Data and any copies, unless Applicable Laws require us to retain it;

• maintain records necessary to demonstrate compliance with these obligations.

L. Third‑party links

Our Products and Services may contain links to third‑party websites or services that are not governed by this Policy. We do not control, and are not responsible for, how such third parties collect, use or protect Personal Data, and we do not endorse or make any representations regarding their privacy practices.

You should review the privacy notices of any third‑party websites or services before providing Personal Data or using those services. We are not responsible for the use of Personal Data by such third parties and cannot guarantee that their privacy practices are equivalent to ours.

M. Changes to this policy

We may update or modify this Policy from time to time. When we make material changes, we will inform you through appropriate means, such as notices within the Products and Services, email notifications, or other communication channels, so that you are aware of the updated Policy. Unless otherwise stated, changes will take effect thirty (30) days after we notify you, and your continued use of the Products and Services after that time will constitute your acceptance of the updated Policy.

N. Severability

If any provision of this Policy is held to be invalid, illegal or unenforceable under Applicable Laws, that provision shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable, and the remaining provisions shall remain in full force and effect.

O. Governing law and dispute resolution

This Policy, and any non‑contractual obligations arising out of or in connection with it, shall be governed by and construed in accordance with the laws of Canada, without regard to conflict‑of‑laws principles.

Any dispute, controversy or claim arising out of or relating to this Policy, including its existence, validity, interpretation, performance, breach or termination, or any dispute regarding non‑contractual obligations arising out of or relating to it, shall be referred to and finally resolved by arbitration administered under the applicable Canadian arbitration rules in force when the Notice of Arbitration is submitted. The seat (legal place) of arbitration shall be Canada, the arbitration language shall be English, and the tribunal shall consist of one arbitrator.

P. Contacting us

If you have any questions or concerns about this Policy, or if you wish to exercise your data protection rights, please contact our Data Protection Officer:

• Name: Patrick Chan

• Address: 800‑136 Market Avenue, Winnipeg, Manitoba, Canada

• Email: cs@tmstream.com

• Telephone: +1 604 441 1198