Data & Compliance
Effective Date: April 1, 2026 · Last Updated: April 1, 2026
SYNC-Gift operates as a financial services platform and is subject to regulatory obligations across Canada, the United States, and other jurisdictions. This page outlines our compliance posture, security practices, and data governance standards.
1. Financial Regulatory Compliance
Canada
- FINTRAC (Financial Transactions and Reports Analysis Centre of Canada): SYNC-Gift complies with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its associated regulations. We report prescribed transactions and suspicious activity to FINTRAC as required.
- PIPEDA / Bill C-27: We comply with the Personal Information Protection and Electronic Documents Act and Canada's evolving privacy legislation framework.
- OSFI: We adhere to applicable Office of the Superintendent of Financial Institutions guidelines for financial technology companies.
United States
- FinCEN: For US users, we comply with the Bank Secrecy Act (BSA), FinCEN regulations, and Money Services Business (MSB) requirements.
- CCPA / CPRA: We comply with the California Consumer Privacy Act and the California Privacy Rights Act for California residents.
- State Money Transmitter Laws: We operate in compliance with applicable state-level money transmitter licensing requirements.
European Union / UK
- GDPR: We comply with the General Data Protection Regulation for users in the EU and EEA.
- UK GDPR / Data Protection Act 2018: We comply with UK data protection law for UK users.
- PSD2: For EU payment services, we align with Payment Services Directive 2 requirements.
2. Know Your Customer (KYC) & Anti-Money Laundering (AML)
- All users are subject to identity verification before accessing wallet and transfer features.
- Enhanced due diligence is applied for high-value transactions and politically exposed persons (PEPs).
- We screen all users against OFAC, UN Security Council, EU, and OSFI sanctions lists.
- Transaction monitoring systems flag unusual patterns for review by our compliance team.
- We maintain records of all identity verification and transaction data for the periods required by law.
3. Payment Card Industry (PCI DSS)
SYNC-Gift uses Stripe as our payment processor. Stripe is a PCI DSS Level 1 Service Provider — the highest level of payment card security certification. SYNC-Gift does not store, process, or transmit raw card numbers on our servers. All payment card data is encrypted and handled entirely within Stripe's certified environment.
4. Data Security Measures
- Encryption in transit: All data transmitted between your device and our servers uses TLS 1.2+ (HTTPS).
- Encryption at rest: Sensitive data is encrypted at rest using AES-256.
- Authentication: PIN-based authentication with bcrypt hashing at a cost factor of at least 10. Session tokens are generated with a cryptographically secure random source.
- Access controls: Role-based access control (RBAC) limits employee access to data on a need-to-know basis.
- Penetration testing: We conduct regular security assessments and penetration tests.
- Vulnerability management: Dependency auditing and security patch management are ongoing processes.
- Audit logging: All administrative actions and sensitive data access are logged and monitored.
5. Data Breach Response
In the event of a confirmed personal data breach:
- We will notify affected users without undue delay and within 72 hours of becoming aware of the breach (as required by GDPR Article 33).
- We will notify the appropriate supervisory authority (OPC in Canada, FTC/relevant state authority in the US, relevant EU/UK DPA) as required by applicable law.
- Notifications will describe the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed.
- To report a suspected security incident: legal@syncgift.com
6. Data Processors and Sub-processors
We work with the following categories of sub-processors, each bound by data processing agreements consistent with GDPR Article 28:
- Payment processing: Stripe, Inc. — PCI DSS Level 1, GDPR compliant
- Cloud infrastructure: Replit, Inc. / Amazon Web Services — ISO 27001, SOC 2 Type II
- SMS/Voice: Twilio, Inc. — GDPR DPA in place
- Email delivery: SendGrid / Twilio — GDPR DPA in place
- Identity verification: Third-party KYC provider — compliant with applicable identity regulations
7. Data Minimisation & Purpose Limitation
We collect only the personal data necessary for the specific purposes described in our Privacy Policy. Data collected for one purpose is not used for incompatible purposes without your consent or another lawful basis.
8. Rights and Requests
To exercise your data rights, submit a verifiable request to privacy@syncgift.com. We will verify your identity before processing the request. We respond within 30 days under GDPR and within 45 days under CCPA; if an extension is needed, we will notify you.
9. Cookie Consent and Opt-Outs
We obtain consent for non-essential cookies and tracking technologies before activation. You can manage your preferences at any time via our in-app consent manager or by contacting us. We honour Global Privacy Control (GPC) signals for California users.
10. Contact Our Compliance Team