TipDrop Privacy Policy v1.1

Privacy Policy

Version 1.1 — Effective May 23, 2026

This Privacy Policy explains how Gnarnia Holdings Inc. ("TipDrop," "we," "us," or "our") collects, uses, discloses, and protects personal information about individuals who use the TipDrop platform ("Platform"), including hospitality workers who register as Workers and guests or customers who send tips ("Tippers"). By using the Platform, you agree to the practices described in this Policy.

This Policy is incorporated into and forms part of our Worker Terms of Service. Defined terms used here have the same meaning as in those Terms.

1. Who We Are

Gnarnia Holdings Inc. is the data controller responsible for your personal information collected through the Platform. We are incorporated in Canada and operate the Platform from British Columbia, Canada.

For privacy-related inquiries, contact our Privacy Officer at: privacy@tipdrop.com

2. Information We Collect

2.1 Information You Provide — Workers

  • Full name and display name
  • Profile photo (optional)
  • Job role and workplace (optional)
  • Country of residence
  • Email address and authentication credentials (managed by Clerk)
  • Banking and identity information provided during Stripe Connect onboarding (managed directly by Stripe — TipDrop does not receive or store raw banking credentials)

2.2 Information We Collect Automatically — Workers and Tippers

When you interact with the Platform, we automatically collect:

  • IP address
  • Browser type, version, and user agent string
  • Device type, screen resolution, and color depth
  • Operating system
  • Language and timezone settings
  • Network connection type (e.g., 4G, Wi-Fi)
  • Device memory (where available)
  • Referrer URL
  • Date and time of transactions

This data is collected at the time of each tip transaction and associated with that transaction record for fraud prevention and chargeback defence purposes.

2.3 Payment and Transaction Data

In connection with tip transactions, we collect and store:

  • Tip amount, platform fee, and total charged
  • Payment currency
  • Transaction status and timestamp
  • Stripe Payment Intent ID
  • Cardholder name (as provided to Stripe)
  • Card brand and last four digits of the payment card

We do not collect, store, or have access to full card numbers, CVV codes, or card expiry dates. All payment instrument data is handled exclusively by Stripe in accordance with PCI DSS standards.

2.4 Information from Third Parties

We receive information about you from our third-party service providers, including:

  • Clerk — user identity, email address, authentication session data
  • Stripe — account verification status, payout eligibility, transaction outcomes, and billing details associated with completed payments

3. How We Use Your Information

We use personal information for the following purposes:

  • Platform operations — creating and managing your account, processing tip transactions, generating QR codes, and enabling payouts
  • Payment processing — facilitating the transfer of tips between Tippers and Workers via Stripe
  • Fraud prevention and chargeback defence — using transaction telemetry, IP data, and card details to identify fraudulent activity and respond to payment disputes
  • Security — detecting, investigating, and preventing unauthorized access, abuse, and illegal activity
  • Legal compliance — meeting our obligations under applicable law, including responding to lawful requests from regulators and law enforcement
  • Platform improvement — analyzing usage patterns to improve features and performance (using aggregated or de-identified data where possible)
  • Communications — sending transactional emails, account notices, and (where you have opted in) product updates

3A. Automated Processing and Fraud Screening

We and our payment processor (Stripe) use automated processing — including machine learning models and rule-based systems — to screen transactions and accounts for fraud, money laundering, and other prohibited activity. This automated processing may result in:

  • a tip payment being declined or flagged for review;
  • a Worker account being suspended or placed under enhanced monitoring;
  • payout delays while a transaction is under review; or
  • account termination where automated signals indicate a high risk of fraud or policy violation.

Where a decision resulting from automated processing has a significant effect on you, you may contact us at privacy@tipdrop.com to request human review. Note that Stripe's automated decisions regarding identity verification and payout eligibility are governed by Stripe's policies and are outside our direct control.

4. Legal Basis for Processing

Depending on your location, our processing of your personal data is based on one or more of the following legal grounds:

  • Performance of a contract — processing necessary to provide the Platform services and fulfill our obligations under the Worker Terms of Service
  • Legitimate interests — fraud prevention, chargeback defence, platform security, and improving our services, where these interests are not overridden by your privacy rights
  • Legal obligation — processing required to comply with applicable laws and regulations
  • Consent — where we rely on your consent, such as for optional profile information or marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing

For users in Canada, our processing is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. For users in the European Economic Area or United Kingdom, processing is also subject to the General Data Protection Regulation (GDPR) or UK GDPR.

5. Third-Party Service Providers

We share personal information with the following categories of third-party service providers who process data on our behalf:

Stripe, Inc.

Stripe processes payment transactions, performs identity verification for Stripe Connect accounts, manages payouts, and conducts fraud screening and risk monitoring. Stripe acts as an independent data controller with respect to financial and identity data collected during their onboarding and payment processing. This includes your name, date of birth, government ID, banking details, and — in the case of Guests — card details and transaction metadata used by Stripe for fraud modelling, dispute management, and compliance with card network rules. Stripe may share information with card networks, acquirers, identity verification providers, and fraud-prevention industry consortia as required for their services. Where applicable under their policies, Stripe may also report account closures and fraud findings to industry termination-listing services. Stripe is PCI DSS Level 1 certified. Their privacy practices are governed by the Stripe Privacy Policy.

Clerk, Inc.

Clerk provides authentication and user account management services. Clerk processes your email address, password credentials (in hashed form), and session tokens on our behalf. Their privacy practices are governed by the Clerk Privacy Policy.

We do not sell your personal information to third parties. We do not share your personal information with third parties for their own marketing purposes.

We may disclose personal information to law enforcement, regulators, or other third parties where required by law, court order, or where we believe disclosure is necessary to protect the rights, property, or safety of TipDrop, our users, or the public.

6. Data Retention

We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including:

  • Worker account data — retained for the life of your account and for seven (7) years following account closure, to satisfy financial recordkeeping and legal obligations
  • Transaction records and telemetry — retained for seven (7) years to support chargeback defence, fraud investigation, and legal compliance
  • Authentication data — managed by Clerk according to their retention policies
  • Waitlist data — retained until you are onboarded or request deletion, whichever is earlier

When data is no longer required, we securely delete or anonymize it.

7. International Data Transfers

TipDrop operates from Canada. Your personal information may be transferred to, stored, and processed in Canada, the United States, or other countries where our service providers — including Stripe and Clerk — operate their infrastructure. These countries may have data protection laws that differ from those in your home jurisdiction, and your data may be accessible to foreign governments, courts, law enforcement, and regulatory authorities under the laws of those countries.

In particular, Stripe processes payment and identity data in the United States. As a condition of using Stripe as our payment processor, we are contractually required to disclose that your financial and identity information provided during Stripe Connect onboarding will be processed in the United States and subject to U.S. law, including U.S. government access requests. By registering as a Worker and connecting a Stripe account, you consent to this cross-border transfer.

Where required by applicable law, we implement appropriate safeguards for international transfers, including data processing agreements and, where applicable, standard contractual clauses approved by relevant supervisory authorities. By using the Platform, you acknowledge that your information may be transferred internationally as described in this Policy.

8. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access — the right to request a copy of the personal information we hold about you
  • Correction — the right to request correction of inaccurate or incomplete information
  • Deletion — the right to request deletion of your personal information, subject to legal retention obligations
  • Portability — the right to receive your personal information in a structured, machine-readable format
  • Objection — the right to object to processing based on legitimate interests
  • Restriction — the right to request that we restrict processing of your information in certain circumstances
  • Withdrawal of consent — where processing is based on consent, the right to withdraw at any time

To exercise any of these rights, contact us at privacy@tipdrop.com. We will respond within 30 days. We may need to verify your identity before processing your request. Note that some rights are subject to limitations under applicable law — for example, we may be required to retain transaction records regardless of a deletion request.

9. Cookies and Tracking

The Platform uses session cookies and similar technologies necessary for authentication and security. These are strictly necessary for the Platform to function and cannot be disabled without preventing you from using the service.

We do not currently use advertising cookies, third-party tracking pixels, or behavioral analytics tools. If this changes, we will update this Policy and provide appropriate notice and controls.

10. Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, disclosure, alteration, or destruction. These measures include encrypted data transmission (TLS), access controls, and secure credential management through our service providers.

No system is completely secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected individuals and relevant authorities as required by applicable law.

11. Children

The Platform is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at privacy@tipdrop.com and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Platform at least fourteen (14) days before the changes take effect. The updated Policy will be identified by a new version number and effective date at the top of this page. Your continued use of the Platform after the effective date constitutes acceptance of the revised Policy.

13. Contact and Complaints

For questions, concerns, or to exercise your privacy rights, contact our Privacy Officer:

Gnarnia Holdings Inc. — Privacy Officer

Email: privacy@tipdrop.com

British Columbia, Canada

If you are located in the EEA or UK and believe we have not addressed your concern adequately, you have the right to lodge a complaint with your local data protection supervisory authority. In Canada, complaints may be directed to the Office of the Privacy Commissioner of Canada.
