PRIVACY POLICY (“Policy”)
INTERNODE PAY LIMITED
DATE LAST MODIFIED: 30TH MAY 2025

This Privacy Policy (the “Policy”) represents the policy of Internode Pay Limited, a (together with all subsidiaries thereof, the “Company” or “we” or “us”or “our”) regarding the collection, use, and management of personal data belonging to: all visitors (“Site Visitors”) to our website located at misan.investbamboo.com (the “Website”) and any products, features, services, or any portion thereof (collectively, the “Service”); anyone who downloads or uses the Service (“Application Users”) the Company’s mobile application (the “Application” or “App”); anyone who enrolls for the Services of the Company (“Clients”); Site Visitors, Application Users, and Clients are referred to collectively as (“Users” or “You” or “your” or “you”).  

This Privacy Policy and our Terms of Service (the “Terms of Service”), which is incorporated herein by reference, are an agreement (collectively, this “Agreement”) between you and us. By using our Service, you acknowledge and agree to this policy, and consent to our use of cookies in accordance with the terms of this Agreement.

Please read this Policy carefully to understand our policies and practices for collecting, processing, and storing your personal data. If you do not agree with our policies and practices, your choice is not to use the Service. By accessing or using the Service, you indicate that you understand, accept, and consent to the practices described in this Policy. Unless an alternative lawful basis for processing personal data is available to Us, We require your permission to collect, use, and disclose personal data, with some exceptions. The exceptions are determined by applicable law and can include times where legal, medical, or security reasons make it impossible or impractical to seek consent.

What Data do we collect?

Generally, we collect personal information you provide to us. For example:

Personal identification information, such as name, date of birth, place of birth, nationality, gender, email, address, demographic information, and phone number.

Supplemental identification information, such as government-issued identity documents, live photo images captured, passport, driver’s license, taxpayer identification number or national insurance number, source of income and employment information including its status and history.

Financial information, including but not limited to income/wealth verification documents or bank account statements.

Information on your behavior on our website, including pages viewed, links clicked keystrokes, and actions taken including copy/paste functions or failure to verify the account or lack of transactions (dormant position) and similar activities carried out by you within the App. 

Transaction information, including information related to the use of the Services, types of Services requested, dates and times of such requests, payment methods, and other similar information.

User Generated Content, content that you submit to the Service or via links to social media networks, forums, blogs, message boards, chat rooms or similar functionality, including audio recordings, software code, videos, photos, images, text, information (including, without limitation, personal information), comments, and any other content (collectively, “User Content”).

Location data information about your computer and about your visits to and use of the Service including your Internet Protocol (IP) address, geographical location, browser type and version, devise characteristics, operating system, language preferences, referral source, and information on action taken on the Site, such as; length of visit, page views and website navigation paths.

Device and Usage Data, Information from and about the devices you use to access the Services, including attributes such as the operating system, hardware version, device settings, file and software names, types, battery and signal strength, device identifiers, device locations, specific geographic locations (such as GPS, Bluetooth, WiFi signals), connection information such as the name of your mobile operator or ISP, browser type, language, time zone, mobile phone number and IP address.

Communications data, information contained in or relating to any communication with us or our third-party service providers for customer support or other communications, including, without limitation, records and copies of correspondence and responses to surveys for research purposes;

Metadata, the Service may access metadata and other information associated with other files stored on your device. This may include, for example, photographs, audio and video clips, personal contacts and address book information;

Additional information required by the Company (in its sole discretion) to verify your identity, which may include capturing the image of your face in real time for facial matching and/or recognition.

Any personal information you may provide us through social media channels or promotions held by us or our partners;

Statistical Data, in connection with your visit or use of the Service, we may automatically collect information about our users, such as the numbers and frequency of users and their characteristics and information about similar groups of users, certain age groups or users that live in a particular geographical area. This data is only used in the aggregate as a statistical measure and not in a manner that would identify you personally. Aggregate information generally is collected through the use of cookies and beacons; and 

Any other personal information that you choose to send to us.

How Are We Allowed to Process your Data?

We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law. This includes instances such as when we have your consent, need to comply with laws, provide you with services to enter into or fulfill our contractual obligations, protect your rights, or fulfill our legitimate business interests.

Processing of Personal Information shall be lawful if at least one of the following applies: 

i. Consent: You have consented to the processing of your personal data for one or more specific purposes; 

ii. Contractual Necessity: Your information is needed to fulfil a contract that you are a part of or at your request prior to entering into a contract with you;

iii. Legitimate Interests: It is necessary to protect your Legitimate Interests. We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests and those interests do not outweigh your interests and fundamental rights and freedoms. For example, we may process your personal information for some of the purposes described in order to:

  1. Send information about special offers and discounts on our products and services;

  2. Develop and display personalized and relevant advertising content;

  3. Analyze how our services are used so we can improve them;

  4. Support our marketing activities;

  5. Diagnose problems and/or prevent fraudulent activities; and

  6. Understand how our products and services are being used so we can improve service experience;

iv. Legal Obligations: where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved; an

v. Vital Interests. We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person.     

How we Disclose your Data? 

Some of the Company’s products, Services, and features require that we share data with other parties. As such, we may share the data, which may include personal data, we collect, or you provide as follows: 

Service Providers - we engage service providers to perform functions and provide services to us. We may share your private personal information with such service providers subject to obligations consistent with this Privacy Policy and any other appropriate confidentiality and security measures, and on the condition that the third parties use your private personal data only on our behalf and pursuant to our instructions.

Authorized Personnel. Our employees, agents, consultants, contractors, or other authorized personnel, including those of our contractors, service providers, subsidiaries and affiliates, may have access to your information as necessary in the normal course of our business.

Business Transfers. In some cases, we may choose to buy or sell assets, or have engaged in discussions with a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation or similar proceeding, in which personal information held by us about our Service users is among the assets transferred. In these types of transactions, user information is typically one of the business assets that is transferred. Moreover, if the Service, the Company, or substantially all of its assets, were acquired, liquidated, or dissolved, personal information would be one of the assets that is transferred.

Government, Law Enforcement or Third Parties. We may disclose any information, including, without limitation, Personal Information that we deem necessary, in our sole discretion and without your prior permission, to comply with any applicable law, regulation, legal process or governmental request. We also may exchange information, including, without limitation, Personal Information, with other companies and organizations to protect the rights, property, or safety of the Company and its affiliates, personnel, users, third parties, or others. We reserve the right to disclose Your Personal Information if we believe, in good faith, that You are in violation of the Terms of Service, even without a subpoena, warrant or other court order.

Social Media Networks. We may include applications or widgets from social media networks that allow interaction or content sharing by the users of these networks. These widgets, such as a Facebook “Share” or “Like” button, are visible to you on the web page you visit. Integration between the Service and social media networks such as Facebook, Twitter and others may allow social media networks in which you participate to collect information about you, even when you do not explicitly activate the network’s application or widget. Please visit the applicable social media network’s privacy policy to better understand their data collection practices and choices they make available to you. The privacy policy of the social media network controls the collection, use and disclosure of all personal information transmitted to that network.

What are your Data Protection rights?

 It is important that the personal data that we hold about you is accurate and current. You should keep the Company informed if your personal data changes. By law, you may have certain rights regarding the personal data that the Company holds about you and may be entitled to the following:

The right to access - You may have the right to request from us copies of your personal data. We may charge you a small fee for this service.

The right to rectification - You may have the right to request that we correct any information you believe is inaccurate. You also have the right to request us to complete information you believe is incomplete.

The right to erasure - You may have the right to request that we erase your personal data, under certain conditions.

The right to restrict processing - You may have the right to request that we restrict the processing of your personal data, under certain conditions.

The right to object to processing - You may have the right to object to us processing of your personal data, under certain conditions.

The right to data portability - You may have the right to request that we transfer the data collected to another organization, or directly to you, under certain conditions.

Users who voluntarily provide their personal data in order for the Company to provide Services do so pursuant to the Company’s Terms of Service. The retention, return, transfer, and destruction of personal data provided for such purposes is subject to this Policy and Terms of Service. If you make a request, the Company will respond to you within the period prescribed by applicable privacy law. If you would like to exercise any of these rights, please contact us at the information provided below.

You may exercise any of your rights by contacting our Data Protection Officer at victoria@investbamboo.com or getmisan@investbamboo.com. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may refuse to comply with your request if it is clearly unfounded, repetitive, or excessive. 

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one calendar month. Occasionally it may take us longer than one calendar month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

How Are We Allowed to Process your Data?
We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e.,
legal basis) to do so under applicable law. This includes instances such as when we have your consent, need to
comply with laws, provide you with services to enter into or fulfill our contractual obligations, protect your
rights, or fulfill our legitimate business interests.
Processing of Personal Information shall be lawful if at least one of the following applies:
i. Consent: You have consented to the processing of your personal data for one or more specific
purposes;
ii. Contractual Necessity: Your information is needed to fulfil a contract that you are a part of or at
your request prior to entering into a contract with you;

3
iii. Legitimate Interests: It is necessary to protect your Legitimate Interests. We may process your
information when we believe it is reasonably necessary to achieve our legitimate business interests and
those interests do not outweigh your interests and fundamental rights and freedoms. For example, we
may process your personal information for some of the purposes described in order to:
a. Send information about special offers and discounts on our products and services;
b. Develop and display personalized and relevant advertising content;
c. Analyze how our services are used so we can improve them;
d. Support our marketing activities;
e. Diagnose problems and/or prevent fraudulent activities; and
f. Understand how our products and services are being used so we can improve service
experience;
iv. Legal Obligations: where we believe it is necessary for compliance with our legal obligations, such
as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or
disclose your information as evidence in litigation in which we are involved; and
v. Vital Interests. We may process your information where we believe it is necessary to protect your
vital interests or the vital interests of a third party, such as situations involving potential threats to the
safety of any person.

How do we Secure your Data? 

We take the security of your personal data seriously and implement various safeguards to protect it from loss, misuse, or alteration.

Administrative, Technical, Organizational, and Physical Safeguards: we use a mix of safeguards tailored to the sensitivity of the data we collect. For example, we implement enhanced security measures for sensitive data such as health information, racial or ethnic origin, political views, or biometric data. Our technical safeguards include but are not limited to:

Encryption of sensitive data during transmission and storage; 

Role-based access controls to ensure only authorized personnel can access personal data; 

Data Masking: Concealing sensitive data to prevent exposure in non-production environments.

Account Security Enhancement We encourage you to use multi-factor authentication (MFA), where available, to add an extra layer of protection to their accounts.

Compliance with Legal and Regulatory Requirements we adhere to applicable laws such as PIPEDA to prevent unauthorized access, alteration, or destruction of your personal information. This includes providing employee training on proper data handling and privacy practices and requiring third-party providers to maintain the confidentiality and security of your data.

While we take reasonable measures to protect your personal information, you are responsible for maintaining the confidentiality of your account information and any activity that occurs under your account. It is important to:

Choose Strong Passwords: Use strong and unique passwords for your account, and change them regularly.

 Protect Your Credentials: Keep your login details confidential and do not share them with anyone.

 Monitor Your Account: Regularly review your account activity for any unauthorized actions.

 Log Out: Log out of your account when using shared or public devices to prevent unauthorized access.

If you believe your account has been compromised or notice any suspicious activity, please contact us immediately at getmisan@investbamboo.com to secure your account.

We understand that mistakes can happen, but Bamboo shall not be held liable for any damages, losses, or claims arising from the reckless, negligent, or intentional misuse of the Services. This includes, but is not limited to, unauthorized disclosure of personal information, failure to follow security protocols, or engaging in any activities that violate the terms and conditions set forth in this Privacy Policy or any applicable laws. You assume full responsibility for any harm or consequences resulting from such actions.

International Transfer of Data 

We may process, store, and transfer your personal data in and to a foreign country, with different privacy laws that may or may not be as comprehensive as the data privacy laws applicable to you. In these circumstances, the governments, courts, law enforcement, or regulatory agencies of that country may be able to obtain access to your personal data through the laws of the foreign country.

Data Retention and Deletion

We are committed to the Limiting Retention Principle of the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and will retain personal information only for as long as necessary to fulfill the identified purposes for which it was collected, or as required by applicable law or regulation. 

We retain your profile, transaction, and other personal information for as long as you maintain your account and except as otherwise permitted or required by applicable law or regulation, only for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

We may also retain certain information if necessary, for purposes of safety, security, and fraud prevention. For example, if we deactivate your account because of unsafe behavior or security incidents, we may retain certain information about that account to prevent you from opening a new account in the future.

You may request deletion of their account at any time. Following such requests,we delete the data that it is not required to retain for purposes of regulatory, tax, insurance, litigation, or other legal requirements. For example,we retain location, device, and usage data for these purposes for a minimum of 7 years; while we retain such data, it may also use it for purposes of safety, security, fraud prevention and detection, and research and development. In certain circumstances, we may be unable to delete your account, such as if there’s an outstanding credit on the account or an unresolved claim or dispute. Upon resolution of the issue preventing deletion, we will delete the account as described above.

Account Deletion Requests and Exceptions

You may request account deletion at any time. Upon a verified request, we will delete personal data unless retention is required for legal, financial, or business reasons (e.g., preventing fraud). If we cannot delete the data immediately, we will inform you and provide the reason. Deletion will proceed once the issue is resolved.

Secure Data Deletion Methods: We use reasonable and secure methods to delete personal data after the retention period ends or upon a valid request, including:

  • Anonymization: Making data untraceable to any individual.

  • Pseudonymization: Altering data to prevent identification, with safeguards in place.

  • Secure Erasure: Permanently removing data from our systems.

  • Encryption: Retaining encrypted data for legal or security reasons, accessible under specific conditions.

The deletion method will depend on the data type, storage, and technical capabilities.

Data Anonymization for Business Purposes: We may anonymize data for legitimate business purposes, including research and analytics, without further notice or consent.

Regular Review: We will periodically review our data retention and deletion policies to ensure compliance with PIPEDA and applicable laws.

Cookies

We may collect, store and use information obtained by automated means through the Service such as, cookies, web beacons, web server logs, JavaScript and similar technologies, including technologies designed to obtain information regarding your use of the Service:

(a)“Cookies” are alphanumeric identifiers that we transfer to your computer’s hard drive through your Web browser to enable our systems to recognize your browser and tell us how and when pages in the Service are visited and by how many people. We may use both session Cookies (which expire once you close your web browser) and persistent Cookies (which stay on your computer until you delete them) to provide you with a more personal and interactive experience on our Website. 

The “Help” portion of the toolbar on the majority of browsers will direct you on how to prevent your browser from accepting new cookies, how to command the browser to tell you when you receive a new cookie, or how to fully disable cookies. We recommend that you leave the cookies activated because cookies allow you to use many features of the Service. For more information please refer to Section 5.2 of the Privacy Policy.

(b) “Web Beacons,” also known as Internet tags, pixel tags, single-pixel GIFS or clear GIFs, link web pages to web servers and their cookies. Web Beacons can be embedded in web pages, videos, or emails, to collect certain types of information from your browser, check whether you have viewed a particular web page or email message, and determine, among other things, the time and date on which you viewed the content, the IP address of your computer, and the Uniform Resource Locator (URL ) of the web page from which the content was viewed. We may use this information to reduce or eliminate messages sent to you. 

(c) “Web Server Logs,” including browser types, Internet service providers (ISPs), referring/exit pages, platform types, date/time stamps, number of clicks, and IP addresses. An IP address is a number that is automatically assigned to your computer whenever you access the Internet, which web servers use to identify where to send the information your computer requests. We may use IP addresses for a number of purposes, such as system administration, to report aggregate information to our business partners, or to audit the use of our Services.

(d) “Local Shared Objects,” sometimes known as Flash cookies, may be used to store your preferences or display content based upon what you have viewed on various websites to personalize your visit.

(e) “Ad IDs” and Other In-App Tracking Methods. There are a variety of tracking technologies that may be included in mobile applications, and these are not browser based like cookies and cannot be controlled by browser settings. Some use device identifiers, or other identifiers such as “Ad IDs” to associate app user activity to a particular app.

(f) “Google Analytics and DoubleClick.” We use Google Analytics (“Google Analytics”), a web analytics service provided by Google Inc. (“Google”). Google Analytics uses “cookies.” The information generated by the cookies about your use of the Service (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the Service, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however, please note that if you do this, you may not be able to use the full functionality of the Service. More information about how you can opt-out is set out below. By using the Service, you consent to the processing of data about you by Google in the manner and for the purposes set out above. We also use the services like Google DoubleClick in conjunction with Google AdSense on our service. To disable this cookie, visit Google’s webpage on the subject for further instructions:http://www.google.com/policies/privacy/ads/.

We may collect, store and use information obtained by automated means through the Service such as, cookies, web beacons, web server logs, JavaScript and similar technologies, including technologies designed to obtain information regarding your use of the Service. 

Opt-Out Rights

If you do not wish to receive offers or other notices from us in the future, you can "opt out" by contacting us as indicated at the end of this Privacy Policy or by following the "unsubscribe" instructions in any communication you receive from us. Please be aware that if you use our Platform, you are not able to opt out of receiving communications about your Account  or related transactions with us.

Children’s personal information

Our Service is not intended for persons under 18 years of age. No one under age 18 may provide any information to or on the Service. We do not knowingly collect personal information from persons under 18. As part of our registration process, we may require you to confirm your date of birth and to affirmatively indicate that they are 18 years of age or older by ticking a designated box. This serves as our initial age verification measure.  

If you are under 18, do not use or provide any information on this Service or through any of its features, register on the Service, make any purchases through the Service, use any of the interactive or public comment features of this Service, or provide any information about yourself to us, including your name, address, telephone number, email address, or any screen name or username you may use.  

If we learn we have collected or received personal information from a person under 18, we will reject the application or close the account and take steps to delete that information from our records.  

If you believe we might have any information from or about a child under 18, please contact us immediately at getmisan@investbamboo.com.

Privacy policies of other websites

The Site may contain links to other websites. This Policy applies only to the Site. If you navigate to any other website from a link on the Site, you should review the privacy policy of such website.

Changes to our privacy policy

We may change our Privacy Policy from time to time, however, if we make material changes to this Privacy Policy that affect how we process, use, or share your personal data, we will provide you with reasonable notice of such changes. This notice will be provided via email to the email address associated with your account, or through an in-app notification.  

We encourage you to frequently check this page for any changes to the Privacy Policy. Your continued use of the Service after any change in this Privacy Policy will constitute your acceptance of the changes. The date the privacy policy was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date active and deliverable email address for you and for periodically visiting this privacy policy to check for any changes.

How to contact us

If you have any questions about this Policy, the data we hold on you, or would like to exercise one of your data protection rights provided for under applicable privacy laws, please do not hesitate to contact our Data Privacy Officer at getmisan@investbamboo.com

If you wish to lodge a privacy complaint, please contact our Data Privacy Officer at the email address provided above with a detailed description of your concern. Our Data Privacy Officer will investigate your complaint and provide you with an initial response as quickly as reasonably possible.

If, after contacting us, you are not satisfied with our response or the resolution of your complaint, you have the right to escalate the matter to the Office of the Privacy Commissioner of Canada (OPC). The OPC is responsible for ensuring compliance with privacy laws in Canada and can provide guidance or investigate your concerns further. You can contact the OPC through their website at www.priv.gc.ca. or by writing to:

Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec K1A 1H3
Canada