logo

Quantoflow

Terms of Service

Quantoflow Data Privacy and Usage Document

Date: January 2, 2026

Data Security & Privacy

Data Storage & Security

All data is stored on a Cloud database located in Canada to ensure data sovereignty and compliance with Canadian regulations. The platform implements robust security measures including authentication protocols and client secrets to keep the database secure from unauthorized access.

Role-Based Access Control

The system employs different role-based access levels, ensuring that administrators have different rights and permissions compared to standard users within an organization. This ensures proper oversight and data governance.

Personal Identifiable Information (PII) Handling

Due to the regulatory nature of FINTRAC reporting, PII data may be present in the system, including sensitive identification information such as passport numbers or driver's license details. This information is collected and stored solely for the purpose of filing the required regulatory reports and is handled in accordance with applicable privacy and data protection requirements.

Data Breach Protocol

In the event of a data breach, you will be notified of their discovery. Our team will work closely with your organization to rectify the issue and implement necessary remediation measures to protect your data and maintain compliance.

Below is more details on data collection and how it is done. If additional security requirements are required, it is a conversation with Quantoflow's representatives.

Data Inventory & Third-Party Sharing

Based on the FINTRAC reporting requirements, here is how data is used in our system.

Transaction Data

Field NameSourcePurposeRetention Period
Transaction IDCustomer CSV/ImportUnique identifier for regulatory reporting5 years (FINTRAC requirement)
Transaction AmountCustomer CSV/ImportRequired for threshold reporting (LCTR, LVCTR, EFT)5 years
Transaction Date/TimeCustomer CSV/ImportRegulatory compliance and audit trail5 years
Transaction TypeCustomer CSV/ImportClassify report type (EFT, LCTR, LVCTR, STR)5 years
Currency Type and Exchange RateCustomer CSV/ImportRequired for FINTRAC schema5 years
Source of FundsCustomer CSV/ImportSTR and due diligence requirements5 years

Personal Identifiable Information (PII)

Field NameSourcePurposeRetention Period
Full NameCustomer CSV/ImportIdentity verification for FINTRAC reporting5 years
Government ID data (E.g. driver license, passport)Customer CSV/ImportRequired reporting field for ID verification.5 years
Address (Street, City, Province, Postal Code)Customer CSV/ImportRequired reporting field5 years
Phone NumberCustomer CSV/ImportContact information for reporting5 years
Email AddressCustomer CSV/ImportContact information for reporting5 years
OccupationCustomer CSV/ImportRisk assessment and STR filing5 years
Employer NameCustomer CSV/ImportDue diligence requirement5 years

Note: The data is collected as text data. No images of the IDs are collected for the purpose of the report when filed on Quantoflow's system.

Account/Organization Data

Field NameSourcePurposeRetention Period
Account NumberCustomer CSV/ImportLink transactions to accounts5 years
Account TypeCustomer CSV/ImportClassify account for reporting5 years
Organization NameCustomer CSV/ImportBusiness entity identification5 years
Organization Registration NumberCustomer CSV/ImportBusiness entity verification5 years
Business AddressCustomer CSV/ImportEntity verification5 years
Beneficial Owner InformationCustomer CSV/ImportRequired for entity reporting5 years

Note: This is required for FINTRAC Report Filed

User Authentication & Platform Data

Field NameSourcePurposeRetention PeriodThird Parties
Username/EmailUser RegistrationAccount access and authenticationDuration of account + 1 yearAWS
Password (hashed)User RegistrationAuthentication securityDuration of accountAWS
Client Secrets/API KeysSystem GeneratedDatabase security and API accessActive until rotatedAWS
User Role (Admin/User)Platform AssignmentRole-based access controlDuration of account + 1 yearAWS
Organization IDPlatform AssignmentMulti-tenant data segregationDuration of account + 1 yearAWS
Login TimestampsSystem LogsAudit trail and security monitoring2 yearsAWS, potentially CloudWatch
IP AddressSystem LogsSecurity monitoring and fraud detection1 yearAWS, potentially CloudWatch
Session TokensSystem GeneratedActive session managementDuration of session (24-48 hours)AWS

System Metadata & Operational Data

Field NameSourcePurposeRetention PeriodThird Parties
File Upload MetadataUser UploadTrack data imports and validation5 yearsAWS S3 (if file storage used)
Report Submission TimestampSystem GeneratedAudit trail for regulatory compliance5 yearsAWS, FINTRAC
Report Status (Submitted/Corrected/Rejected)System GeneratedTrack submission lifecycle7 yearsAWS, FINTRAC
Data Mapping Configuration (Brevo, Odu columns)User ConfigurationField mapping for FINTRAC schemaDuration of account + 1 yearAWS
Database Backup CopiesAutomated BackupDisaster recovery30-90 days (rolling)AWS S3, AWS Backup

Potential Blind Spots to Document

Field NameSourcePurposeRetention PeriodThird Parties
Analytics Events (if implemented)User InteractionsProduct improvement and usage tracking1-2 yearsPotential: Google Analytics, Mixpanel, Amplitude
Customer Support TicketsSupport ToolCustomer service and issue resolution3 yearsPotential: Intercom, Zendesk, Freshdesk
Error Monitoring LogsApplication ErrorsDebugging and performance monitoring90 daysPotential: Sentry, Datadog, New Relic
Email NotificationsSystem GeneratedUser alerts and confirmations1 yearPotential: AWS SES
Slack Alerts (if implemented)System MonitoringInternal team notifications90 daysSlack
GitHub Actions Logs (if CI/CD)Code DeploymentDevelopment and deployment tracking90 daysGitHub
Application Performance MonitoringSystem MonitoringPerformance optimization90 daysPotential: Datadog, New Relic

Third-Party Data Processors - Complete List

Primary Infrastructure

Top Tier Cloud Platform Canada Region

  • Purpose: Primary hosting, database storage (RDS/SQL), authentication services, API Services for providing report generation to FINTRAC format and submission process to FINTRAC API
  • Data Shared: All data listed above
  • Location: Canada
  • Duration: Active account + retention period

Regulatory Reporting

FINTRAC (Financial Transactions and Reports Analysis Centre of Canada)

  • Purpose: Regulatory compliance submissions
  • Data Shared: All transaction and PII data required for EFT, LCTR, LVCTR, STR reports
  • Location: Canada
  • Duration: As per FINTRAC retention requirements (5+ years)

Potential Additional Third Parties (to verify and document)

Customer Support Tool (e.g., Slack)

  • Purpose: Customer support ticket management
  • Data Shared: Customer files, support communications, potentially PII

Email Service Provider (e.g., Amazon Web Service SES)

  • Purpose: Emails and notifications
  • Data Shared: User email addresses, notification content, data in aggregate

Error Monitoring

  • Purpose: Application error tracking
  • Data Shared: Error logs, potentially including request data

Code Repository (e.g., GitHub)

  • Purpose: Source code management and CI/CD
  • Data Shared: Deployment logs, potentially configuration data

Data Retention Policy Summary

Regulatory Data (Transaction & PII)

  • Retention: 5 years from transaction date (FINTRAC requirement)
  • After 5 years: Secure deletion from production databases
  • Backup retention: Aligned with 5-year requirement

User Account Data

  • Retention: Duration of active account + 1 year
  • Upon account closure: 1-year retention for audit purposes, then secure deletion

System Logs & Monitoring

  • Error logs: 2 years
  • Performance monitoring: 90 days
  • Security logs: 1-2 years

Database Backups

  • Retention: 30-90 day rolling window
  • Ensure: Backups don't create indefinite retention beyond policy

Support Communications

  • Retention: 3 years from last interaction