Englishعربي
Log InOpen Account
Legal

Privacy Policy

Last updated: February 2026

Introduction

Uptex is committed to protecting your personal information and ensuring privacy and confidentiality in line with all applicable laws. This Privacy Policy explains how Uptex collects, uses, discloses, and safeguards personal data when you use our services. It is designed to meet the requirements of both Oman's Personal Data Protection Law (Royal Decree No. 6/2022) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), reflecting Uptex’s operations in Oman, Canada, and other jurisdictions. Our goal is to handle your data lawfully, fairly, and transparently, following industry standards for financial institutions.

Scope and Applicability

This Policy applies to all personal data processed by Uptex and its affiliated group companies in connection with Uptex Bank, Uptex Broker, and related services. It covers clients in Oman, Canada, and worldwide. Uptex (referred to as “we” or “us”) includes the entities operating under the Uptex brand, notably Oliver Business Development SPC in Oman and Xellar Payment Solutions Inc. in Canada. These entities work together within the Uptex group structure to deliver seamless financial services. Regardless of which entity handles your information, we protect your data consistent with this Policy and applicable Omani and Canadian law.

Data Collection and Use (Lawful Basis)

What We Collect:

We collect only the personal information necessary for our services and legal obligations. This typically includes:

  • Identification Data: Full name, date of birth, nationality, government-issued identification details (e.g. passport or ID card numbers), and proof-of-address documents.
  • Contact Information: Phone number, email address, and mailing address.
  • Financial Information: Bank account details, payment card information, account balances, transaction history, trading activity (for Uptex Broker), and sources of funds as needed for compliance checks.
  • Digital Usage Data: Login credentials, security questions, device identifiers, IP addresses, and usage logs of our website or apps.
  • Verification Data: Copies of ID documents, photographs or selfies for identity verification, and biometric identifiers used for verification (as explained below).

How We Use Your Data:

We use personal data for specific, disclosed purposes and only when we have a lawful basis to do so. The purposes include:

  • Providing Services: To open and operate your multi-currency bank accounts, process payments and transfers, execute trades or investments you request, and generally deliver the Uptex Banking and Broker services you sign up for.
  • Fulfilling Contracts: Your data is used to perform our agreements with you – for example, using your account details to carry out a funds transfer or executing a trade you’ve authorized. This is a primary legal basis for processing, as it’s necessary to provide the services you request.
  • Legal Compliance: We process personal information to meet our legal and regulatory obligations. This includes verifying identity and financial history for Know-Your-Customer (KYC), anti-money laundering (AML), fraud prevention, and sanctions screening requirements under Omani and Canadian laws. We may also use data to fulfill any reporting duties to regulators or law enforcement, where required by law.
  • Consent-Based Activities: In jurisdictions like Oman where explicit consent is generally required for personal data processing, we obtain your written consent for collecting and using your information, unless an exception applies. For example, when you register, we may ask you to sign or agree to a consent form or tick a box acknowledging this Policy. In Canada, we seek your consent (explicit or implied as appropriate) for the collection, use, or disclosure of your personal information, except where otherwise permitted by law. You have the right to withdraw consent at any time (see Individual Rights below). We will not use your data for new purposes without informing you and getting any required consent.
  • Legitimate Business Use: We may process certain data for our legitimate business interests – such as improving our services, performing analytics, preventing security threats, or personalizing your user experience – but only in ways that do not override your privacy rights. In all cases, we adhere to the principles of purpose limitation and data minimization, meaning we limit data collection and use to what is relevant and necessary for the identified purposes.

We will always be transparent about why we are collecting your information. If we need to process your data for any purpose not outlined in this Policy, we will inform you and, if required, seek your consent. We do not sell or rent personal information to third parties for their own marketing. Any sharing of data is done strictly as described below, for legitimate purposes and with safeguards in place.

International Data Transfers and Third-Party Sharing

Uptex operates a borderless financial platform, which means your personal data may be transferred or accessed internationally in order to serve you. We take special care to comply with cross-border data transfer rules under Omani and Canadian law. Any time your data leaves your home jurisdiction, we ensure appropriate protections are in place. Key circumstances where we transfer data across borders include working with trusted partner services and intra-group sharing:

Within the Uptex Group:

We share personal data between our Oman operations and our Canadian operations (and any other group affiliates) as needed to provide a unified service. For example, an Omani client’s transaction might be processed through our Canadian MSB arm, or a Canadian client’s request might be supported by our team in Oman. Such transfers are done securely and only among entities bound by equivalent privacy and security standards. If you are in Oman, know that your data will not be transferred outside Oman unless we have obtained your express consent and determined the recipient country or entity has an adequate level of data protection in line with Article 23 of the Omani PDPL. If you are in Canada, your information may be transmitted to our servers or affiliates abroad, but always under our control and with measures to ensure it remains protected to Canadian standards.

Service Provider Partnerships:

Uptex relies on several specialized third-party partners to fulfill our services. These partners may be located in various countries. We share only the necessary information with them under strict data protection agreements. Our key partners include:

  • SumSub (Identity Verification): We send identification documents and biometric data to SumSub, our KYC/KYB/AML technology partner, to verify your identity, perform biometric facial matching, and screen for fraud or financial crime. SumSub may process this data outside of your country (for example, on secure servers in the EU or UK). We ensure such transfers are lawful – for Omani residents, we obtain your explicit consent for this verification step and ensure no transfer occurs that would violate Omani security or public interests. SumSub is contractually bound to use your data only for verification and to protect it in compliance with rigorous security standards.
  • Currencycloud (Payments and FX): To facilitate international money transfers and currency exchange, we share necessary data (like your name, account number, and transfer details) with Currencycloud, our global payments and foreign exchange partner. Currencycloud may process payments through banking networks worldwide. We ensure that any personal data shared (for example, beneficiary details or transfer references) is handled securely and only to carry out your requested transactions.
  • Xoala (Multi-Currency Accounts): Xoala is an international e-money and account management platform that we partner with to offer multi-currency accounts and handle certain cross-border transactions. If you utilize features that involve Xoala’s infrastructure, your relevant account data or transaction information may be processed by Xoala’s systems (which could be located in the EU or other regions). We require that Xoala protects your information to standards equivalent to our own. If you are an Omani user, we will seek your consent before enabling any data transfer to Xoala’s systems abroad, unless an exception under PDPL applies.
  • GCEX (Brokerage Liquidity Provider): For Uptex Broker services, we work with prime brokerage and liquidity partners like GCEX to execute trades in digital assets, forex, CFDs, or other instruments. This means that when you place trades or hold brokerage accounts with us, some of your personal data (such as your name, date of birth, account ID, and trading activity necessary for compliance checks) may be shared with GCEX’s platforms or related clearing/custodial partners. GCEX operates in other jurisdictions (e.g., the UK or EU), so we ensure any transfer of personal data for trade execution or settlement meets the cross-border transfer requirements of applicable law. These partners will use the information solely for trade execution, liquidity provision, and regulatory compliance (for instance, trade reporting and anti-fraud measures), and they must safeguard your data under strict confidentiality and security obligations.

We carefully select and routinely vet all third-party service providers. Each partner is bound by contracts that include privacy and confidentiality commitments. We require them to only use personal data for the specific purposes we stipulate, and to apply robust security measures. Wherever possible, we also implement data transfer mechanisms appropriate for the jurisdiction – for example, standard data protection clauses or equivalent safeguards – especially when transferring data from Oman or Canada to service providers in countries that may not have the same privacy laws. Our goal is to ensure that no matter where your data is processed, it remains protected to the high standards of Oman's PDPL and Canada’s PIPEDA.

Important: By using Uptex services, you acknowledge that your personal information may be transferred to or stored in countries outside of your own. While these regions may have different privacy laws, we will always handle your data as described in this Policy. If you have any questions about cross-border data handling, you can contact us using the details at the end of this Policy. We will also seek your explicit consent for international transfers whenever required (for instance, for Omani customers, we obtain consent before allowing your data to leave Oman, unless another legal basis applies). Your trust is paramount to us, and we do not transfer data to any third party unless it is necessary for providing our services or fulfilling our legal obligations, and even then, under monitored conditions.

Third-Party Data Sharing

Uptex shares personal data with the following third-party partners to deliver our services. Each partner is bound by strict data protection agreements and may only use your data for the specific purposes outlined below.

  • Tuum (Core Banking Platform) - Account and transaction data for banking services.
  • Currencycloud (FX & Cross-Border Payments) - Payment and transaction data for international transfers.
  • Lorum (Correspondent Institution) - Transaction data for correspondent banking services.
  • Thunes (Global Payout Network) - Payment data for cross-border payouts.
  • Narvi (EU Payment Services / BaaS) - Account and payment data for EU/UK banking operations.
  • Xoala (European EMI Partner) - Payment data for European electronic money services.
  • Sumsub (KYC/KYB & Compliance) - Identity documents, biometric data, and screening data for compliance.
  • GCEX (VARA & MiCA Licensed Partner) - Trading and account data for regulated crypto/trading services.

We do not share client data with any partners beyond those listed above for the stated purposes. All data sharing is conducted in compliance with applicable data protection laws and is subject to our strict security and confidentiality standards.

Individual Rights and Choices

Uptex upholds the rights of individuals over their personal data, as provided under Omani and Canadian law. You have meaningful control over your personal information. Subject to certain legal exemptions or requirements, you can exercise the following rights:

  • Access Your Information: You have the right to request a copy of the personal information we hold about you and to obtain information about how we process it. We will provide this in a clear format, explaining the types of data, the purposes of processing, and the third parties with whom it’s shared, as required by law. (In Oman, “owners of personal data” can request access, and in Canada you have a similar right to access under PIPEDA.)
  • Rectification (Correction): If any of your personal data is inaccurate or incomplete, you have the right to have it corrected or updated. For example, if you change your phone number or identify an error in your information, let us know and we will rectify it promptly. We strive to keep all information accurate and up-to-date, and we may also reach out periodically to you to confirm key details.
  • Erasure (Deletion): You may request that we delete your personal information in certain circumstances. For instance, if the data is no longer needed for the purposes for which it was collected, or if you withdraw consent and we have no other legal ground to keep it, you can ask us to remove it. We will securely delete or anonymize the information upon a valid request, provided we do not have an overriding obligation to retain it (such as a legal requirement or if the data is needed to resolve disputes, enforce agreements, or for other legitimate reasons allowed by law). We will inform you if any information cannot be erased due to legal retention requirements.
  • Withdrawal of Consent: Where we rely on your consent to process personal data, you have the right to withdraw that consent at any time. For example, if you initially consented to receive marketing emails or to have your data shared with a particular partner, you can later change your mind. Once you withdraw consent, we will stop the processing that was based on consent. Please note that withdrawal of consent cannot retroactively undo processing already done, but we will honor your choice going forward. If withdrawing consent for a certain use of data means we can no longer provide you with a particular service (for example, if you withdraw consent for identity verification data usage, we may not be able to maintain your account), we will inform you of the consequences.
  • Data Portability: Omani law grants you the right to request a copy of your personal data in a machine-readable format for transfer to another service provider (data portability). Where applicable, we will provide your data in a structured, commonly used electronic format so that you can reuse it elsewhere. (While Canadian law doesn’t explicitly mandate portability, we will assist with such requests as part of our commitment to user rights, as long as it does not adversely affect the rights of others and is feasible to perform.)
  • Restriction and Objection: You have the right to object to or request restriction of certain processing activities. For example, you may object to processing based on our legitimate interests (if you contest that those interests are valid or that they infringe your rights), or you might request that we temporarily restrict processing if you’re verifying the accuracy of your data or the grounds for processing. We will evaluate such requests in line with applicable laws. In some cases, we may continue processing if we have compelling legitimate grounds or a legal obligation, but we will inform you of our decision and reasoning.
  • Marketing Communications: We will only send you promotional or marketing communications (such as newsletters or product updates) if you have explicitly opted-in to receive them, in accordance with Oman’s PDPL and Canadian anti-spam laws. If you have given consent and no longer wish to receive these messages, you can withdraw your consent at any time. Every marketing email from us will include an “unsubscribe” link, or you can contact us directly to opt out. Once you opt out, we will stop using your contact details for direct marketing.
  • Complaints and Remedies: If you believe your privacy rights have been violated or you have a concern about how we handle your data, you have the right to complain to us and/or to the relevant data protection authority. We encourage you to contact us first so we can address your concerns directly. Our Data Protection Officer or Privacy Officer will investigate and respond to any complaints. If you are not satisfied with our response, Omani residents can raise the issue with the Ministry of Transport, Communications and Information Technology (MTCIT) in Oman, and Canadian residents can contact the Office of the Privacy Commissioner of Canada. We will cooperate fully with any official investigations and follow the guidance of privacy authorities.

How to Exercise Your Rights:

You can exercise these rights at any time by contacting us (see Contact Information at the end of this Policy). We may need to verify your identity before fulfilling certain requests to ensure we don’t disclose data to the wrong person. For example, we might ask for account identifiers or a copy of a government ID for verification. This is to protect your security.

We will respond to your request as quickly as possible and within the timeframes required by law. In Oman, the PDPL requires us to respond to personal data requests within 45 days, and we aim to meet or beat that timeline. In Canada, we will respond within a reasonable time, generally within 30 days as encouraged by PIPEDA. If we need more time or if we must refuse your request due to a legal exception, we will inform you of the reason and of your options. Rest assured, there is no charge for making a reasonable request, though excessive or repetitive requests may incur a fee as permitted by law (we would inform you in advance in such cases).

Your privacy and control over your data are very important to us. We have dedicated processes to ensure your rights can be fully exercised. Our team is trained to assist you with any questions or needs regarding your personal data.

Data Retention and Secure Storage

Retention Policy:

We keep your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable laws and regulations. The exact duration will vary depending on the type of information and the reasons we collected it. For example:

  • For most account-related information, we retain your data while your Uptex account is active and for a period after you close your account. This post-closure retention is typically mandated by law – for instance, anti-money laundering regulations in Oman and Canada require financial institutions to retain customer identification records and transaction histories for a minimum period (commonly five years or more from the end of the customer relationship). We adhere to these legal requirements strictly.
  • If you applied for an account or service but did not complete the onboarding, we may retain the data you provided for a shorter period, in case you return to finish registration or to comply with recordkeeping rules on attempted sign-ups (for fraud prevention).
  • Personal data collected for a one-off purpose (say, a specific promotion or survey) will be kept only as long as needed for that purpose.

Once the retention period expires or the data is no longer needed, we will securely erase, delete, or anonymize the personal information so that it can no longer be associated with you. We define and periodically review our retention schedules to ensure we are not holding data longer than necessary. In doing so, we consider the sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, the purposes of processing, and any relevant legal requirements. When deleting data, we follow industry-standard practices to ensure it is safely and permanently removed from our systems.

Secure Storage and Protection:

Uptex maintains robust security measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. We treat data security with the same rigor as the safety of your financial assets. Our safeguards include:

  • Encryption: We use strong encryption protocols to protect personal and financial information. Data is encrypted both at rest (when stored in databases or backups) and in transit (when transmitted between your device and our servers, or between our systems and our partners). This means that even if data were intercepted or accessed without authorization, it would be unreadable and unusable to an attacker.
  • Access Controls: We restrict access to personal data strictly to authorized personnel who need it to perform their job duties. Uptex employees and contractors are granted access on a need-to-know basis, and only after they have undergone background checks and privacy training. High-sensitivity information (such as identity documents or biometric data) is accessible to an even more limited subset of staff, and often only through our secure partner platforms (like SumSub) rather than directly. Administrative access to systems is protected by multi-factor authentication, strict password policies, and monitoring of access logs.
  • Secure Infrastructure: We host our systems in secure, monitored data centers with strong physical security and cybersecurity controls. This includes firewalls, intrusion detection systems, anti-malware protection, and continuous network monitoring to detect and block threats. Some of our data storage may be on cloud servers provided by reputable cloud providers who comply with internationally recognized security standards (such as ISO 27001). We ensure any cloud or hosting providers we use have data centers with robust security and, where possible, data residency that aligns with our operational needs (for example, storing Middle East client data in regional data centers, and Canadian data in Canada or in trusted jurisdictions).
  • Testing and Audits: We regularly test our systems, processes, and security controls. This includes conducting vulnerability assessments, penetration testing by independent experts, and routine security audits. In Oman, we comply with Article 16 of the PDPL by engaging an external auditor (approved by the MTCIT) to evaluate our data protection mechanisms and certify that we meet Omani data protection standards. Similarly, in Canada, we align with best practices and any regulatory guidance for financial institutions to ensure ongoing compliance. Our internal risk and compliance team also performs checks and monitors adherence to privacy procedures.
  • Organizational Measures: All Uptex staff are trained in confidentiality and data protection obligations. We have internal policies in place (such as data handling guidelines, incident response plans, and an Information Security Policy) that all employees must follow. Employees who handle personal data undergo specialized privacy and security training. We also include confidentiality and data protection clauses in employment contracts to reinforce these obligations.

Despite our strong safeguards, no method of transmission over the Internet or electronic storage is 100% secure. However, we continuously update and refine our security practices to mitigate emerging threats. If we ever identify specific risks (such as a new software vulnerability or industry threat), we act swiftly to address them – whether by patching systems, adding new controls, or providing guidance to our customers on how to protect their accounts (for example, encouraging use of strong passwords and alerting you to known phishing scams).

Our commitment is to handle your data with the same care we handle your finances. We invest significantly in security to earn and maintain your trust.

Automated Decision-Making

As a modern financial platform, Uptex uses technology, including automated systems, to help us make efficient, fair, and secure decisions. However, we understand the importance of transparency and human oversight in these processes, especially where decisions may significantly impact you. Here is how we approach automated decision-making and what it means for you:

  • Use of Automated Systems: We employ automated decision-making in limited scenarios. For example, when you sign up, our systems (including third-party tools like SumSub) automatically check the authenticity of your ID documents and compare your selfie to your ID photo using biometric algorithms. Similarly, our transaction monitoring systems automatically flag unusual account activity that might indicate fraud or money laundering (using rules or machine learning models). These automated checks are essential for us to provide fast and compliant services – they allow us to on-board clients 24/7 and catch potential issues immediately.
  • Human Involvement: While automation assists in our decision processes, we do not rely solely on algorithms for decisions that produce legal or significant effects for you. In practice, this means that if an automated system flags something about your application or account, human analysts from our compliance or risk team will review the case and the underlying data before any final decision is made (such as rejecting an account opening, blocking a transaction, or closing an account). The automated tools provide recommendations or risk scores, but a qualified Uptex employee evaluates the context and makes the ultimate determination in significant matters. This hybrid approach ensures accuracy and fairness, reducing errors that pure automation might cause.
  • Your Rights Regarding Automation: You have the right to know if a significant decision about you was based on automated processing and to request further information about the logic involved. If you believe that you have been adversely affected by a fully automated decision, you can contact us to contest the decision and ask for human review. For instance, if your application for an Uptex account was denied and you suspect an automated system decision, let us know – we will have a person re-evaluate your application and provide you with an explanation. This is in line with the spirit of data protection laws that seek to protect individuals from unjustified automated decisions.
  • Transparency and Fairness: We design and test our algorithms to avoid bias and discrimination. The criteria used in automated checks (for example, in fraud detection) are based on legitimate factors like transaction patterns and document security features, not on sensitive characteristics such as race, ethnicity, or religion. We periodically audit our automated tools to ensure they remain fair and effective. If any automated process were to use sensitive personal data, we would do so only in compliance with the law and with your explicit consent (when required). Currently, our automated identity verification does involve biometric data (your facial image) to compare with your ID photo, which is considered sensitive - we handle this with utmost care and legal compliance as described in the next section.

In summary, automation helps Uptex deliver prompt and reliable services, but we always maintain human oversight. We disclose the use of these technologies to you, and we stand ready to intervene manually whenever needed to protect your rights and interests.

Digital Identity Verification Safeguards

One of the most sensitive aspects of our service is the digital identity verification process. Uptex takes strong measures to protect the data you provide for verification, especially biometrics and official documents, and to ensure compliance with privacy laws (which treat such data as highly sensitive). Here’s how we safeguard your information during identity verification:

  • Purpose of Collection: When you open an account or at certain security checkpoints, we will ask you to verify your identity. This typically involves providing a picture of your government-issued ID (such as a passport or national ID card) and a live selfie or short video. We collect this information only to confirm your identity, fulfill legal obligations (KYC/AML), and protect against impersonation or fraud. We do not use your identification photos or biometric data for any other purpose (such as marketing or unrelated analysis).
  • Use of SumSub: We have partnered with SumSub, a leading secure identity verification provider, to carry out these checks. SumSub acts as our data processor for this purpose, meaning they process your information strictly on our behalf and under our instructions. When you upload your ID and selfie through our app or website, that data is transmitted directly to SumSub’s secure verification system. SumSub uses automated and manual methods to verify the document’s authenticity (e.g., checking holograms, document database checks) and to perform a biometric comparison of the selfie to the ID photo to ensure they match. SumSub may also cross-check sanctions and watchlists as part of AML compliance.
  • Security Measures for Verification Data: The transfer of your documents and biometrics to SumSub is encrypted end-to-end. SumSub is compliant with stringent data security standards (such as ISO 27001) and privacy regulations. They store the data in encrypted form and maintain strict access controls - only authorized verification agents can access your information, and even then solely to perform the verification tasks. Uptex receives the results of the verification (e.g., pass/fail and any risk indicators) and a reference ID for the check. In some cases, to meet audit requirements, we may securely retrieve a copy of the verified document or data from SumSub, but this too is stored with high encryption on our side. We treat biometric information (your facial scan) as highly confidential; it is generally stored only within the SumSub system and not downloaded to Uptex systems unless necessary.
  • Legal Compliance for Sensitive Data: We recognize that biometric identifiers and official identity documents are sensitive personal data. Under Oman’s PDPL, processing of biometric data is prohibited unless certain conditions are met (such as obtaining the data subject’s explicit consent and regulatory permissions). Accordingly, we obtain your explicit consent before collecting your biometric data for verification. For Omani users, our onboarding process will ask you to affirmatively agree to the capture and use of your facial image and ID for verification purposes. Additionally, Uptex (through Oliver Business Development in Oman) adheres to any permit or approval requirements set by the MTCIT for handling biometric data. In Canada, while there isn’t a specific biometric law under PIPEDA, we treat your biometric and ID data with the highest security and confidentiality in line with OPC guidelines.
  • Limited Retention: We do not keep your identity verification data longer than necessary. SumSub and Uptex retain the verification records for the period required by compliance regulations (for example, Omani and Canadian AML laws might require us to keep a record that we verified your identity, including what document was used, for a number of years). However, this does not necessarily mean storing the biometric data that long. Typically, once your identity is verified, the biometric data (facial recognition data) is either deleted or stored in a form that cannot be used to recreate your image. We might keep a copy of the ID document image on file to meet know-your-customer documentation rules, but access to it is tightly restricted and it remains encrypted. Any biometric templates or analyses performed by SumSub are not used to profile you; they are solely to match your face to your ID at that moment. SumSub itself has strict retention limits and will purge personal data after a defined time unless needed for legal disputes or explicit regulatory reasons.
  • Ongoing Verification: In some cases, we may need to re-verify your identity or confirm specific transactions (for example, large withdrawals or changes in account details might trigger a verification step to protect you). The same safeguards and consents will apply to any such subsequent verification. We will clearly notify you when we need you to complete an identity or security step and will use the collected data only for that purpose.
  • No Unauthorized Use: Uptex does not use your verification photos or biometric information for any sort of automated decision beyond fraud prevention and identity confirmation. We do not use your biometric data for marketing, nor do we share it with any third parties except our verification provider (SumSub) and strictly for compliance purposes. Biometric data is never sold or shared for purposes like surveillance or non-essential identity checks.

Our digital identity verification process is designed to be secure and respectful of your privacy. We understand you are entrusting us with very sensitive personal documents and biometrics; therefore, we apply the highest level of care, security, and compliance in handling that data. If you have any questions about how your identity information is used or stored, please contact us – we will be happy to provide further details within the bounds of our security protocols.

Uptex Group Structure and Regional Data Handling

Uptex’s operations are carried out through distinct legal entities in different jurisdictions, but all operate under unified privacy and security standards. We want you to understand how our group structure affects your personal data, so that you know who is responsible for your information and how it flows within our organization:

  • Oliver Business Development SPC (Oman): This is the primary operating company behind the Uptex brand in Oman. Oliver Business Development (sometimes referred to as “Uptex Oman”) is responsible for Omani client relationships, regulatory compliance in Oman, and the overall management of the Uptex platform. When an individual in Oman uses Uptex services, Oliver Business Development SPC is typically the “data controller” under Omani law, meaning it determines the purposes and means of processing personal data. This company ensures that Omani customer data is handled in compliance with Royal Decree No. 6/2022 and other local regulations. It also coordinates with Omani authorities such as the Central Bank of Oman or the MTCIT as needed for data protection and financial oversight matters.
  • Xellar Payment Solutions Inc. (Canada): Xellar is a Canadian company within the Uptex group, serving as our arm for Canadian operations and cross-border payment processing. Xellar is registered as a Money Services Business (MSB) in Canada, authorized to conduct foreign exchange and funds transfer services. In practice, this means if you are a Canadian user, or if your transactions route through Canadian financial channels, Xellar may handle your personal data and transactions as the local operating entity. Xellar Payment Solutions acts as a data controller or data processor for Canadian customer data in accordance with PIPEDA and other Canadian laws. For example, if you initiate a cross-border transfer using Uptex, Xellar might be the entity executing that transfer through Canadian banking networks, and will handle your information (like sender/receiver name and account details) for that purpose under the safeguards of this Policy.
  • Intra-Group Data Sharing: Oliver Business Development and Xellar Payment Solutions (and any other Uptex affiliates that might be established in the future) share data with each other when necessary to provide services and maintain operations. This sharing is done on a minimal and need-to-know basis. For instance, core customer profile information and account details are in a central secure system accessible by authorized staff in both Oman and Canada, so that you receive consistent service. However, access controls ensure that each regional team accesses data only as needed for their duties. All internal data transfers are governed by our Inter-Affiliate Data Protection Agreement, which contractually binds each Uptex entity to uphold stringent privacy protections (mirroring the requirements of PDPL and PIPEDA). In other words, whether your data is handled by our Omani team or our Canadian team, the same rules and security measures apply.
  • Local Data Storage and Transfer: By default, we aim to store personal data in the region it originates (for example, Omani customer data is primarily stored on servers in Oman or secure cloud zones designated for the Middle East, and Canadian data on servers in Canada or nearby). However, as a global platform, some data may be accessed by either location for support or processing. We reiterate that for Omani data leaving Oman, we obtain explicit consent and ensure adequate protection as required by law. For Canadian data, transfers to our Oman headquarters or other locations are done in compliance with PIPEDA’s accountability principle – Xellar remains responsible for that data and ensures OBD or any recipient gives it an equivalent level of protection.
  • Group Accountability: Uptex has appointed a Data Protection Officer (DPO) (or equivalent Privacy Officer) to oversee compliance across the group. The DPO coordinates between Oliver Business Development, Xellar, and any other affiliates to ensure that any cross-border data issues are resolved and that both Omani and Canadian legal requirements are met. We consider Oliver Business Development SPC as ultimately accountable for the safekeeping of all Uptex customer data (being the parent operating company), and Xellar as accountable for compliance within Canada. Both entities, however, are jointly committed to the privacy safeguards in this Policy. If you are located in Oman, you can reach out to our Oman office for any privacy concerns; if you are in Canada, you can reach out to our Canadian office – in both cases, you will receive the same level of attention and protection.

By maintaining a clear group structure and internal agreements, Uptex ensures that your personal information is protected no matter which affiliate is handling it. We want you to have confidence that “Uptex” as a whole stands behind these commitments. We also make sure to meet any country-specific requirements – for example, registration with data protection authorities if needed, localization obligations, etc. – so that our operations in each jurisdiction are fully legal and respectful of your rights.

Data Breach Response and Notification

Despite strong security measures, incidents can still happen. Uptex has a detailed breach response plan to quickly address any security incidents involving personal data. In the unlikely event of a data breach, we are prepared to protect your interests and comply with all notification obligations. Our breach response protocol includes the following steps:

  • Immediate Containment and Assessment: The moment we suspect or become aware of a breach (such as unauthorized access, data leak, or ransomware attack), our incident response team is mobilized. This team includes IT security experts, legal/compliance officers, and management representatives. Their first task is to contain the breach – for example, isolating affected systems, revoking compromised credentials, or shutting down certain functions – to prevent further unauthorized activity. They simultaneously begin an investigation to determine the scope of the breach: what happened, what data is affected, which individuals are impacted, and how the breach occurred.
  • Internal Reporting and Recovery: All breaches or suspected breaches are escalated to Uptex senior management and our Data Protection Officer without delay. We document the incident and our response actions meticulously. Our IT team works to restore integrity to our systems – patching any vulnerabilities, rebuilding systems from clean backups if necessary, and monitoring for any continued threats. We also ensure evidence is preserved in case further analysis or law enforcement investigation is needed.
  • Notifying Authorities: We comply with legal requirements to report data breaches to regulators. Under Omani law (Article 19 of PDPL), if a breach has led to personal data being compromised (such as destroyed, altered, disclosed, or accessed unlawfully), we must inform the Ministry of Transport, Communications and Information Technology (MTCIT). In Canada, if a breach poses a “real risk of significant harm” to individuals, we must report it to the Office of the Privacy Commissioner (OPC). We prepare and send these notifications as soon as possible, typically within a few days of determining that a notifiable breach has occurred. Our notification includes all required details, such as the nature of the breach, the data involved, when and how it happened (if known), and what steps we are taking to address it. We also commit to follow up with authorities if further information becomes available as the investigation continues.
  • Notifying Affected Individuals: If your personal data is involved in a breach that triggers notification requirements, we will inform you promptly, in clear language. In Oman, PDPL gives individuals the right to be notified of breaches affecting their data. In Canada, PIPEDA mandates notification to individuals if the breach could result in significant harm (like identity theft, financial loss, or damage to reputation). Our notice to you will describe what happened in general terms, the type of information concerned, and our recommendations for your protection (for example, resetting passwords or being vigilant against scam contacts). We will also provide you with contact details for more information, and outline the steps we are taking to mitigate the harm and prevent a recurrence. We typically deliver such notices via email, app notification, or phone – whichever method is most likely to reach you quickly.
  • Support and Remediation: After a breach, we focus on helping affected clients. We might provide free credit monitoring services if financial data was exposed, or guidance on how to secure your other accounts if credentials were involved. Our customer support and security teams stand by to answer your questions and assist you in any necessary protective measures. Internally, we hold post-incident reviews to learn from the event. We will strengthen our controls and processes to avoid similar incidents in the future. This could involve updating software, enhancing employee training, or revising procedures as needed.
  • Record-Keeping: We maintain a register of all security incidents, regardless of severity. Even if a breach doesn’t require external notification (for example, a minor incident that was contained with no data leakage), we document what happened and how we resolved it. Canadian law specifically requires keeping records of all breaches for at least two years. We abide by this and Omani requirements by storing incident reports in a secure log. These records help us track patterns and demonstrate compliance to regulators.

Your trust is of utmost importance to Uptex. In the event of any incident compromising that trust, we will act with transparency and urgency. We hope to never have to send you a breach notification, but if we do, know that we are doing everything in our power to safeguard your information and prevent any harm. Our approach is always “privacy-first,” and this extends to how we handle and communicate about any security issues.

Special Provisions for Uptex Broker Services

Uptex offers not only digital banking services but also brokerage services (referred to as Uptex Broker) that allow clients to trade financial instruments such as forex, commodities, CFDs, and potentially cryptocurrencies or other digital assets. Because of the unique nature of brokerage operations, there are additional considerations and data handling practices of which you should be aware. This section outlines how we handle personal data in the context of Uptex Broker and how it may differ from (or add to) our banking services:

  • Additional Data Collection for Brokerage: When you sign up for or use Uptex Broker services, we may collect some extra information beyond what is needed for basic banking. This can include your investment profile (for example, your trading experience, knowledge of financial markets, risk tolerance, and investment objectives) as required by certain securities or derivatives regulations. We collect this information to ensure we comply with any “know-your-client” (KYC) or suitability obligations before enabling trading services. We might also ask for details about your source of funds or wealth in greater depth, since large or high-risk trading activities can mandate enhanced due diligence. All such information is treated as confidential and is used strictly for compliance and to serve you better (for instance, to provide appropriate risk disclosures or trading limits if applicable).
  • Brokerage Partner Involvement: Uptex Broker operates in conjunction with regulated brokerage partners to execute trades and provide market access. As mentioned, GCEX or Global DTT (or similar licensed partners) serve as our prime brokerage and liquidity providers. These partners are regulated financial institutions in their own right (for example, GCEX is a regulated entity that provides digital asset and FX liquidity). When you place a trade through Uptex, your order and necessary personal details are communicated to these partners for execution. This may involve sharing:
  • Your account identifier or an anonymized client ID (so the partner knows the trade is for an Uptex client without exposing your full profile unnecessarily).
  • Trade details like instrument, amount, and price.
  • In some cases, basic personal information for compliance, such as your country of residence or a confirmation that KYC has been completed, especially if the partner needs this for regulatory reporting.
  • If required by the partner’s regulator, we might share specific personal details for audit trail purposes (for example, some jurisdictions require brokers to report the names or IDs of clients for large trades or certain asset classes).

Rest assured, we share the minimum needed data and we have agreements in place to ensure our partners keep your information secure and confidential. They will not use your data for anything other than executing trades, clearing and settling transactions, and fulfilling regulatory duties (such as transaction reporting to financial authorities or calculating any tax implications where laws oblige them to do so).

  • Regulatory Oversight and Compliance: Brokerage services often fall under additional regulatory scrutiny. Depending on your jurisdiction and the Uptex Broker product you use, there may be a financial regulator overseeing trading activities (for example, a securities commission or a financial market authority). Uptex and its partners comply with all such regulations. This means your personal data related to trading might be used in regulatory reports or audits. For instance, in Oman, if Uptex Broker is operating under a specific license or arrangement, we would report client trading activity to the Capital Market Authority (CMA) or other competent authority as required. In Canada, trading activity might be subject to reporting to IIROC or provincial securities regulators if applicable. Any such reporting will be done by us or our partners in a manner consistent with data protection laws – typically regulators require identified data, so we ensure those transmissions are secure and lawful. By using Uptex Broker, you consent to this necessary sharing with regulators and understand it’s to ensure a fair and compliant market environment.
  • Data Retention for Trading: Records of trades, statements, and related communications are kept in accordance with financial regulations, which often require longer retention. For example, brokerage records might need to be kept for seven years or more under certain laws. We store these records securely just like banking records. If you close your Uptex Broker account, we will still retain the historical trade data for the legally mandated period, but it will be archived and protected, and only accessed if needed for regulatory, tax, or legal inquiries.
  • Customer Communications (Recordings): In some cases, when you communicate with our brokerage support or trading desk (if we have such services), those communications may be recorded or logged. It’s common in brokerage industry to record phone calls or chats related to trade orders for dispute resolution and compliance. If we record a call with you, we will inform you at the start of the call. Any recorded calls or chat logs are considered highly confidential and are used only for the purposes of confirming transactions, ensuring quality of service, and complying with regulations. They are protected under the same security measures as other personal data.
  • Risk Warnings and Suitability: Uptex Broker may use the personal and financial information you provide to assess whether certain complex financial products are appropriate for you (suitability analysis). This might be partially automated or done by our compliance staff. If based on your profile we determine a product is not suitable (e.g., if you indicate no trading experience and request access to high-risk leveraged products, we might restrict that access), we will inform you and this decision is made in your interest. The data you provide about your financial situation and experience is critical for this process and is treated with sensitivity. We do not disclose this profile information to any third party except as needed to comply with audits or if a regulator asks to review how we ensure client suitability.
  • Integrated Privacy Protection: All provisions of this Privacy Policy apply equally to Uptex Broker services. We want to emphasize that using the Broker services does not in any way reduce your privacy rights or our obligations. In fact, because brokerages handle sensitive financial info and potentially sensitive market positions, we apply an extra layer of caution. Uptex Broker client data is accessible only to dedicated Broker unit staff and not to general banking staff, to minimize internal exposure. We also segregate duties and data internally to ensure that only those helping with trading have access to trading data. Our brokerage partners (like GCEX/Global DTT) have been mentioned earlier as recipients of some data; beyond those, we do not share your trading information with others. Within Uptex, we might use aggregated trading data to analyze product performance, but any such analysis is on an anonymized basis that does not identify individual clients.

By providing these special provisions, we aim to be transparent about how your data is handled in the context of trading and investment services. If you’re only using Uptex’s banking features, much of the above may not apply to you. If you do use Uptex Broker, you can feel confident that your personal information is guarded with the same care as all other data, with extra steps taken to comply with the specific rules of the financial markets. As always, if you have questions about Uptex Broker privacy matters, please reach out to us.

Contact Information

We encourage you to contact us with any questions, concerns, or requests regarding your personal data or this Privacy Policy. Uptex has appointed a Data Protection Officer (DPO) who oversees our privacy compliance and can be reached for any privacy-related matters. You can contact our DPO or our support team as follows:

Email: [email protected]

Oman (Head Office): Oliver Business Development SPC – Alfardan Heights, Al Maardh Street, Way No. 61, Muscat, Sultanate of Oman. Phone: +968-9199-1047. Attn: Data Protection Officer.

Canada Office: Xellar Payment Solutions Inc. – 1270 Central Parkway West, Unit 102, Mississauga, ON L5C 4P4, Canada. Attn: Privacy Officer.

If you are making a request to exercise your rights, please include your name and contact information and describe the nature of your request (e.g., you want to access your data, correct it, etc.). We may ask you for additional information to verify your identity before proceeding. We will respond within the timeframes discussed above (generally within 30-45 days).

You can also contact us if you need help understanding this Policy or if you require it in an alternative format for accessibility.

Uptex is dedicated to protecting your privacy. This Policy will be reviewed regularly and updated as needed to remain compliant with evolving laws and our services. If we make material changes, we will notify you through our app, website, or by email, and if required, obtain your consent for new uses of data. Please check back from time to time for any updates. Your continued use of Uptex services after updates signifies your acceptance of any revised Privacy Policy, to the extent permitted by law.

Thank you for trusting Uptex with your financial needs and personal data. We take that trust seriously and will always work to keep your information secure and your privacy rights respected.