Privacy Policy
Last updated: 04 March 2026
Introduction
This Privacy Policy explains how Eive Consulting Limited, trading as Orchid ("Orchid", "we", "us", "our"), collects, uses, stores, transfers and shares personal data when you access or use the Orchid website, web application, mobile application or related services (together, the "Platform"). Eive Consulting Limited is registered in Jersey, Channel Islands under registration number 164299, with registered address at Glendale, Green Road, St. Clement, JE2 6QA, Jersey.
Certain regulated payment and financial services made available through or in connection with the Platform are provided under the licence and regulatory framework of Kanzum Pay Limited ("Kanzum"), a company registered in Canada under company number BC1400258, with registered address at 305 Suite, South Tower, 5811 Cooney Road, Richmond, BC V6X 3M1, Canada. Kanzum and duly authorised partner financial institutions or service providers involved in regulated services may process personal data under their own privacy notices and legal obligations.
This Privacy Policy applies unless a separate privacy notice is expressly presented for a specific product, feature, partner service or jurisdiction. Where a separate notice applies, that notice will govern to the extent of any inconsistency for the processing it specifically covers.
Certain regulated payment and financial services made available through or in connection with the Platform are provided under the licence and regulatory framework of Kanzum Pay Limited ("Kanzum"), a company registered in Canada under company number BC1400258, with registered address at 305 Suite, South Tower, 5811 Cooney Road, Richmond, BC V6X 3M1, Canada. Kanzum and duly authorised partner financial institutions or service providers involved in regulated services may process personal data under their own privacy notices and legal obligations.
This Privacy Policy applies unless a separate privacy notice is expressly presented for a specific product, feature, partner service or jurisdiction. Where a separate notice applies, that notice will govern to the extent of any inconsistency for the processing it specifically covers.
1. Who is responsible for your personal data
1.1 Orchid is the primary controller for personal data processed to operate, administer, support and improve the Platform, including website and app operation, account administration, product communications, general customer support, platform security, analytics, service improvement and internal business administration.
1.2 Kanzum is generally an independent controller for personal data processed in connection with regulated payment and financial services carried out under its licence and regulatory framework, including customer due diligence, identity verification, sanctions and AML screening, fraud prevention, transaction monitoring, safeguarding, settlement, reporting and compliance with legal and regulatory obligations.
1.3 Duly authorised partner financial institutions, payment service providers, card issuers, banking partners, verification providers and other service partners may also process personal data as independent controllers where they provide regulated or specialist services in their own name or under their own legal obligations.
1.4 Where Orchid processes personal data on behalf of Kanzum or a regulated partner for a defined regulated-services purpose, Orchid will do so in accordance with applicable contractual restrictions and security obligations. Where Orchid, Kanzum and/or a regulated partner each determine their own purposes and means of processing, each acts independently for its own processing activities.
1.5 This Privacy Policy should be read together with the applicable Terms and Conditions, Partner Terms and any product-specific disclosures made available through the Platform.
1.2 Kanzum is generally an independent controller for personal data processed in connection with regulated payment and financial services carried out under its licence and regulatory framework, including customer due diligence, identity verification, sanctions and AML screening, fraud prevention, transaction monitoring, safeguarding, settlement, reporting and compliance with legal and regulatory obligations.
1.3 Duly authorised partner financial institutions, payment service providers, card issuers, banking partners, verification providers and other service partners may also process personal data as independent controllers where they provide regulated or specialist services in their own name or under their own legal obligations.
1.4 Where Orchid processes personal data on behalf of Kanzum or a regulated partner for a defined regulated-services purpose, Orchid will do so in accordance with applicable contractual restrictions and security obligations. Where Orchid, Kanzum and/or a regulated partner each determine their own purposes and means of processing, each acts independently for its own processing activities.
1.5 This Privacy Policy should be read together with the applicable Terms and Conditions, Partner Terms and any product-specific disclosures made available through the Platform.
2. Scope
2.1 This Privacy Policy applies to personal data processed in connection with your access to and use of the Platform, including pre-onboarding enquiries, account creation, onboarding, use of services, customer support, communications, compliance checks, payment-related interactions and complaint handling.
2.2 This Privacy Policy does not apply to third-party websites, apps or services that are not operated by Orchid, even if they are linked from the Platform. Those third parties are responsible for their own privacy practices.
2.3 You are responsible for ensuring that the information you provide to us is accurate, complete and up to date, and for promptly notifying us of any relevant changes.
2.2 This Privacy Policy does not apply to third-party websites, apps or services that are not operated by Orchid, even if they are linked from the Platform. Those third parties are responsible for their own privacy practices.
2.3 You are responsible for ensuring that the information you provide to us is accurate, complete and up to date, and for promptly notifying us of any relevant changes.
3. Personal data we collect
Depending on the nature of your relationship with us and the services you use, we may collect and process the following categories of personal data:
3.1 Identity, profile and contact data, such as your full name, date of birth, nationality, residential address, business address, phone number, email address, username, account credentials and profile information.
3.2 Business and corporate data, such as business name, incorporation details, company number, registered office, operational address, ownership and control information, beneficial ownership information, director and authorised signatory information, and documents relating to corporate structure and authority.
3.3 Financial and transaction data, such as bank account details, payment instrument details, transaction amounts, transaction dates, transaction references, counterparty details, settlement information, wallet details where relevant, and records of payments, refunds, reversals, chargebacks or disputes.
3.4 Compliance and verification data, such as identification documents, proof of address, selfies or liveness checks where used, tax-related information where required, source-of-funds or source-of-wealth information, sanctions and PEP screening results, AML risk indicators, fraud checks and other information required for onboarding or ongoing compliance reviews.
3.5 Communications and support data, such as emails, chat messages, customer support requests, complaints, survey responses, call recordings or transcripts where lawful, and other records of communications with us or with service providers acting on our behalf.
3.6 Technical, device and usage data, such as IP address, device identifiers, browser type, operating system, language settings, access dates and times, app events, log data, error reports, clickstream data and other interaction data relating to use of the Platform.
3.7 Cookie and similar-technology data, such as identifiers, preferences, analytics data and security-related data collected through cookies, SDKs, pixels, local storage and similar technologies, subject to your settings and applicable law.
3.8 Information from third parties, such as data received from identity verification providers, fraud and sanctions screening providers, payment partners, banks, card schemes, public registers, analytics providers and professional advisers, where lawful and necessary for the purposes described in this Privacy Policy.
3.1 Identity, profile and contact data, such as your full name, date of birth, nationality, residential address, business address, phone number, email address, username, account credentials and profile information.
3.2 Business and corporate data, such as business name, incorporation details, company number, registered office, operational address, ownership and control information, beneficial ownership information, director and authorised signatory information, and documents relating to corporate structure and authority.
3.3 Financial and transaction data, such as bank account details, payment instrument details, transaction amounts, transaction dates, transaction references, counterparty details, settlement information, wallet details where relevant, and records of payments, refunds, reversals, chargebacks or disputes.
3.4 Compliance and verification data, such as identification documents, proof of address, selfies or liveness checks where used, tax-related information where required, source-of-funds or source-of-wealth information, sanctions and PEP screening results, AML risk indicators, fraud checks and other information required for onboarding or ongoing compliance reviews.
3.5 Communications and support data, such as emails, chat messages, customer support requests, complaints, survey responses, call recordings or transcripts where lawful, and other records of communications with us or with service providers acting on our behalf.
3.6 Technical, device and usage data, such as IP address, device identifiers, browser type, operating system, language settings, access dates and times, app events, log data, error reports, clickstream data and other interaction data relating to use of the Platform.
3.7 Cookie and similar-technology data, such as identifiers, preferences, analytics data and security-related data collected through cookies, SDKs, pixels, local storage and similar technologies, subject to your settings and applicable law.
3.8 Information from third parties, such as data received from identity verification providers, fraud and sanctions screening providers, payment partners, banks, card schemes, public registers, analytics providers and professional advisers, where lawful and necessary for the purposes described in this Privacy Policy.
4. How we use personal data and our legal bases
We use personal data only where we have a lawful basis to do so under applicable law. Depending on the relevant jurisdiction and processing activity, the legal basis may include performance of a contract, steps taken before entering into a contract, compliance with legal or regulatory obligations, our legitimate interests where those interests are not overridden by your rights, and your consent where consent is required.
4.1 To provide, operate and administer the Platform, including account creation, authentication, service access, account management and customer support.
4.2 To assess applications, onboard users and businesses, verify identity and authority, perform know-your-customer and know-your-business checks, and conduct risk-based due diligence.
4.3 To provide or support payment and regulated financial services, including transaction processing, settlement, safeguarding, operational support, reconciliation and dispute handling, where applicable.
4.4 To detect, prevent and investigate fraud, abuse, misuse, suspicious activity, sanctions exposure, money laundering, terrorist financing, security incidents and other unlawful or prohibited conduct.
4.5 To comply with legal, tax, accounting, audit, regulatory, court, law-enforcement and reporting obligations, including record-keeping, disclosure and cooperation duties.
4.6 To send service-related messages, operational notices, transaction notifications, security alerts, policy updates and other communications necessary for the Platform or services.
4.7 To improve, test, monitor and develop the Platform, including troubleshooting, diagnostics, analytics, quality assurance, product development and service optimisation.
4.8 To exercise and defend legal rights, manage complaints and disputes, enforce agreements, pursue recoveries and support internal governance and business administration.
4.9 Where permitted by law, to send marketing or promotional communications relating to our services. Where consent is required for marketing, we will ask for it and you may withdraw it at any time.
4.10 We may use automated tools to support identity verification, sanctions screening, fraud detection, transaction monitoring and service security. We do not intend to make legally significant decisions based solely on automated processing where prohibited by applicable law.
4.1 To provide, operate and administer the Platform, including account creation, authentication, service access, account management and customer support.
4.2 To assess applications, onboard users and businesses, verify identity and authority, perform know-your-customer and know-your-business checks, and conduct risk-based due diligence.
4.3 To provide or support payment and regulated financial services, including transaction processing, settlement, safeguarding, operational support, reconciliation and dispute handling, where applicable.
4.4 To detect, prevent and investigate fraud, abuse, misuse, suspicious activity, sanctions exposure, money laundering, terrorist financing, security incidents and other unlawful or prohibited conduct.
4.5 To comply with legal, tax, accounting, audit, regulatory, court, law-enforcement and reporting obligations, including record-keeping, disclosure and cooperation duties.
4.6 To send service-related messages, operational notices, transaction notifications, security alerts, policy updates and other communications necessary for the Platform or services.
4.7 To improve, test, monitor and develop the Platform, including troubleshooting, diagnostics, analytics, quality assurance, product development and service optimisation.
4.8 To exercise and defend legal rights, manage complaints and disputes, enforce agreements, pursue recoveries and support internal governance and business administration.
4.9 Where permitted by law, to send marketing or promotional communications relating to our services. Where consent is required for marketing, we will ask for it and you may withdraw it at any time.
4.10 We may use automated tools to support identity verification, sanctions screening, fraud detection, transaction monitoring and service security. We do not intend to make legally significant decisions based solely on automated processing where prohibited by applicable law.
5. Sharing of personal data
5.1 We do not sell personal data. We also do not disclose personal data for cross-context behavioural advertising or equivalent profiling-based advertising practices.
5.2 We may share personal data, where necessary and lawful, with the following categories of recipients:
(a) Kanzum, where regulated payment or financial services are provided under Kanzum's licence and regulatory framework;
(b) banks, payment institutions, e-money institutions, card issuers, card schemes, correspondent providers and other regulated financial institutions involved in a transaction or service;
(c) identity verification, compliance, screening, fraud prevention, cybersecurity, hosting, analytics, communications and customer-support service providers;
(d) professional advisers, including lawyers, auditors, accountants, insurers, consultants and external compliance specialists;
(e) competent authorities, regulators, courts, tax authorities, law enforcement bodies and other public authorities, where disclosure is required or reasonably necessary under applicable law or legal process;
(f) a purchaser, investor, lender, successor or transaction counterparty in connection with a merger, financing, acquisition, reorganisation, sale of assets or similar corporate event, subject to confidentiality and applicable legal safeguards.
5.3 Where recipients process personal data on our behalf, we require them to process it only for authorised purposes and to apply appropriate confidentiality and security measures. Where recipients act as independent controllers, their own privacy notices and legal obligations apply to their processing.
5.2 We may share personal data, where necessary and lawful, with the following categories of recipients:
(a) Kanzum, where regulated payment or financial services are provided under Kanzum's licence and regulatory framework;
(b) banks, payment institutions, e-money institutions, card issuers, card schemes, correspondent providers and other regulated financial institutions involved in a transaction or service;
(c) identity verification, compliance, screening, fraud prevention, cybersecurity, hosting, analytics, communications and customer-support service providers;
(d) professional advisers, including lawyers, auditors, accountants, insurers, consultants and external compliance specialists;
(e) competent authorities, regulators, courts, tax authorities, law enforcement bodies and other public authorities, where disclosure is required or reasonably necessary under applicable law or legal process;
(f) a purchaser, investor, lender, successor or transaction counterparty in connection with a merger, financing, acquisition, reorganisation, sale of assets or similar corporate event, subject to confidentiality and applicable legal safeguards.
5.3 Where recipients process personal data on our behalf, we require them to process it only for authorised purposes and to apply appropriate confidentiality and security measures. Where recipients act as independent controllers, their own privacy notices and legal obligations apply to their processing.
6. International transfers
6.1 Your personal data may be transferred to, stored in or accessed from jurisdictions outside Jersey, the United Kingdom, the European Economic Area and/or Canada, including jurisdictions in which Orchid, Kanzum, our group companies, service providers or partners operate.
6.2 Where required by applicable law, we implement appropriate safeguards for international transfers. Depending on the transfer, these safeguards may include contractual protections, transfer assessments, intra-group arrangements, adequacy-based mechanisms or other legally recognised transfer tools.
6.3 You may contact us for further information about the safeguards applicable to a particular transfer, subject to confidentiality, privilege and legal restrictions.
6.2 Where required by applicable law, we implement appropriate safeguards for international transfers. Depending on the transfer, these safeguards may include contractual protections, transfer assessments, intra-group arrangements, adequacy-based mechanisms or other legally recognised transfer tools.
6.3 You may contact us for further information about the safeguards applicable to a particular transfer, subject to confidentiality, privilege and legal restrictions.
7. Data retention
7.1 We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide services, maintain records, resolve disputes, enforce agreements and comply with legal, regulatory, tax, accounting, audit and reporting obligations.
7.2 Retention periods vary depending on the type of data, the service involved, the sensitivity of the data, applicable limitation periods and whether the data relates to regulated financial services.
7.3 In particular, personal data used for identity verification, customer due diligence, transaction monitoring, sanctions screening, fraud prevention, accounting and regulatory reporting may need to be retained for at least five years, and sometimes longer, where required by applicable law, regulatory expectation, litigation hold, complaint handling or an ongoing investigation.
7.4 Where retention is no longer necessary, we will delete, anonymise or securely archive personal data in accordance with our retention procedures and applicable law.
7.5 You may request deletion of your account or certain personal data, but we may refuse or defer deletion where we must retain information to comply with law, prevent fraud, protect legal rights or complete an ongoing transaction or investigation.
7.2 Retention periods vary depending on the type of data, the service involved, the sensitivity of the data, applicable limitation periods and whether the data relates to regulated financial services.
7.3 In particular, personal data used for identity verification, customer due diligence, transaction monitoring, sanctions screening, fraud prevention, accounting and regulatory reporting may need to be retained for at least five years, and sometimes longer, where required by applicable law, regulatory expectation, litigation hold, complaint handling or an ongoing investigation.
7.4 Where retention is no longer necessary, we will delete, anonymise or securely archive personal data in accordance with our retention procedures and applicable law.
7.5 You may request deletion of your account or certain personal data, but we may refuse or defer deletion where we must retain information to comply with law, prevent fraud, protect legal rights or complete an ongoing transaction or investigation.
8. Security and incident management
8.1 We use appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access.
8.2 These measures may include access controls, role-based permissions, encryption where appropriate, secure development practices, vendor due diligence, logging, monitoring, incident response procedures, staff confidentiality obligations and internal governance controls.
8.3 No method of transmission over the internet or method of electronic storage is completely secure. While we take reasonable steps to protect personal data, we cannot guarantee absolute security.
8.4 Where required by applicable law, we will notify affected individuals and/or competent authorities of certain personal-data breaches or security incidents.
8.2 These measures may include access controls, role-based permissions, encryption where appropriate, secure development practices, vendor due diligence, logging, monitoring, incident response procedures, staff confidentiality obligations and internal governance controls.
8.3 No method of transmission over the internet or method of electronic storage is completely secure. While we take reasonable steps to protect personal data, we cannot guarantee absolute security.
8.4 Where required by applicable law, we will notify affected individuals and/or competent authorities of certain personal-data breaches or security incidents.
9. Your rights
9.1 Depending on your location and applicable law, you may have the right to request access to personal data, correction of inaccurate or incomplete data, deletion, restriction of processing, objection to certain processing, data portability and withdrawal of consent where processing is based on consent.
9.2 You may also have the right to complain to a competent data protection authority or regulator.
9.3 Some rights are not absolute and may be limited by applicable law, including where restrictions are necessary to comply with legal obligations, preserve privilege, protect the rights of others, prevent fraud or maintain records required for regulated services.
9.4 If your request relates primarily to personal data processed by Kanzum or a partner institution acting as an independent controller, we may direct you to the relevant entity or forward your request where appropriate.
9.5 We may ask you to verify your identity before taking action on a request. We will respond within the period required by applicable law, taking into account the complexity and scope of the request.
9.2 You may also have the right to complain to a competent data protection authority or regulator.
9.3 Some rights are not absolute and may be limited by applicable law, including where restrictions are necessary to comply with legal obligations, preserve privilege, protect the rights of others, prevent fraud or maintain records required for regulated services.
9.4 If your request relates primarily to personal data processed by Kanzum or a partner institution acting as an independent controller, we may direct you to the relevant entity or forward your request where appropriate.
9.5 We may ask you to verify your identity before taking action on a request. We will respond within the period required by applicable law, taking into account the complexity and scope of the request.
10. Cookies and similar technologies
10.1 We use cookies and similar technologies for strictly necessary functionality, security, fraud prevention, performance measurement, analytics and, where applicable, marketing or personalisation.
10.2 Where required by applicable law, we will ask for your consent before using non-essential cookies or similar technologies. You can manage your cookie preferences through our cookie controls where available and through your browser or device settings.
10.3 If you disable certain cookies or similar technologies, some features of the Platform may not function properly.
10.2 Where required by applicable law, we will ask for your consent before using non-essential cookies or similar technologies. You can manage your cookie preferences through our cookie controls where available and through your browser or device settings.
10.3 If you disable certain cookies or similar technologies, some features of the Platform may not function properly.
11. Third-party services and separate notices
11.1 Certain services made available through the Platform may be provided by third parties, including regulated financial institutions, payment service providers, identity-verification providers or other partners. Those providers may process personal data under their own privacy notices and legal obligations.
11.2 Where a third-party provider acts as an independent controller, we are not responsible for that provider's processing activities except to the extent required by applicable law.
11.3 The Platform may contain links to third-party websites or interfaces. We are not responsible for the privacy, security or content practices of those third parties.
11.2 Where a third-party provider acts as an independent controller, we are not responsible for that provider's processing activities except to the extent required by applicable law.
11.3 The Platform may contain links to third-party websites or interfaces. We are not responsible for the privacy, security or content practices of those third parties.
12. Changes to this Privacy Policy
12.1 We may update this Privacy Policy from time to time to reflect changes to the Platform, our processing practices, applicable law or regulatory requirements.
12.2 The latest version will be made available on the Platform and the "Last updated" date at the top of this Privacy Policy will indicate the date of the most recent revision.
12.3 Where required by applicable law, we will provide additional notice of material changes and, where necessary, obtain consent.
12.2 The latest version will be made available on the Platform and the "Last updated" date at the top of this Privacy Policy will indicate the date of the most recent revision.
12.3 Where required by applicable law, we will provide additional notice of material changes and, where necessary, obtain consent.
13. Contact us and complaints
13.1 If you have questions, concerns or requests relating to this Privacy Policy or personal data processed by Orchid in connection with the Platform, you may contact us at support@orchid.ch or write to Eive Consulting Limited, Glendale, Green Road, St. Clement, JE2 6QA, Jersey, Channel Islands.
13.2 If your request relates to regulated payment or financial services provided under the licence and regulatory framework of Kanzum, you may also contact Kanzum at info@kanzum.com or write to Kanzum Pay Limited, 305 Suite, South Tower, 5811 Cooney Road, Richmond, BC V6X 3M1, Canada.
13.3 If you believe your personal data has been processed unlawfully, you may also raise a complaint with a competent data protection authority. For processing carried out by Orchid as a Jersey entity, this may include the Jersey Office of the Information Commissioner. If the concern relates to processing carried out by Kanzum or another independent controller, the competent authority may differ depending on the relevant entity, service and jurisdiction.
13.2 If your request relates to regulated payment or financial services provided under the licence and regulatory framework of Kanzum, you may also contact Kanzum at info@kanzum.com or write to Kanzum Pay Limited, 305 Suite, South Tower, 5811 Cooney Road, Richmond, BC V6X 3M1, Canada.
13.3 If you believe your personal data has been processed unlawfully, you may also raise a complaint with a competent data protection authority. For processing carried out by Orchid as a Jersey entity, this may include the Jersey Office of the Information Commissioner. If the concern relates to processing carried out by Kanzum or another independent controller, the competent authority may differ depending on the relevant entity, service and jurisdiction.