Privacy Policy.

ElionMT is a commodity trading brand based in the province of Québec, Canada. This Policy governs our handling of personal information across the elionmt.com website and the counterparty workflows connected to it.

Questions, requests or concerns about this Policy can be sent to our designated privacy contact at info@elionmt.com. Any material change is reflected in a new review date at the top of this page.

This Policy applies to elionmt.com and every subdomain, as well as to personal information we receive through direct correspondence, onboarding workflows and counterparty due diligence. It covers website visitors, prospective and existing counterparties, suppliers, service providers and candidates for employment.

This Policy should be read together with our Terms of Service, which govern use of the site, and with contractual terms that may apply to specific engagements.

We collect only what we need to operate, to meet legal obligations and to serve our counterparties. Depending on the relationship, this can include:

• Identification data — name, title, employer, business email, telephone, language preference.
• Onboarding and KYC data — identification documents, beneficial ownership information, politically-exposed-person status, sanctions-screening outcomes, and, for corporate counterparties, banking references.
• Commercial data — contract negotiation correspondence, transaction documentation, instructions and related communications.
• Technical data — IP address, device identifiers, browser type, referrer, session duration and cookie identifiers collected when you visit our site.
• Recruitment data — résumés, cover letters and information shared during hiring processes.

We do not knowingly collect sensitive categories of personal information unless strictly necessary and supported by an explicit legal basis.

We obtain personal information from four principal sources:

• Directly from you, when you contact us or submit information through the website.
• From the organisation you represent, when you act on behalf of a counterparty.
• From public registers and regulated data providers, such as the Registraire des entreprises du Québec, company registries in other jurisdictions, and sanctions and politically-exposed-person databases.
• From cookies and similar technologies when you interact with the website.

We process personal information for the following purposes, relying on the legal bases recognised under Law 25, PIPEDA and, where applicable, the EU and UK General Data Protection Regulations:

• Performance of contract — to negotiate, execute and administer commodity transactions and related services.
• Legal obligation — to meet anti-money-laundering, sanctions-screening, tax and record-keeping requirements.
• Legitimate interests — to prevent fraud, secure our systems, manage counterparty risk and communicate with professional contacts about our activities.
• Consent — for optional communications such as marketing updates, which you can withdraw at any time.

We share personal information only where it is necessary and with recipients bound by appropriate confidentiality and data-protection commitments. Categories of recipients include:

• Business partners and counterparties, strictly to the extent needed to execute a transaction or service.
• Service providers acting on our instructions (hosting, email delivery, document exchange, KYC and screening tools, professional advisers).
• Banks, insurers, inspection agencies and logistics providers involved in a specific transaction.
• Regulators, tax authorities, courts and law-enforcement bodies when we are legally required to respond.
• Advisers and counterparties in the context of a contemplated corporate transaction, subject to confidentiality undertakings.

We do not sell personal information, and we do not use it for automated decision-making that produces legal effects without human review.

Our activities are international. Personal information may be transferred to, or accessed from, jurisdictions outside Québec and Canada — including the United States, the United Kingdom, the European Union and Singapore — where our partners, service providers or counterparties operate.

Before any significant transfer, we assess the level of protection afforded in the destination jurisdiction in accordance with section 17 of Law 25, and we rely on contractual safeguards (such as standard contractual clauses) where necessary. A summary of the safeguards applicable to a specific transfer is available on request.

We retain personal information only for as long as it is needed for the purposes set out in this Policy or required by law. Indicative periods include:

• Website contact requests — up to 24 months after the last interaction.
• KYC and onboarding records — a minimum of five years following the end of the business relationship, in line with Canadian anti-money-laundering obligations.
• Contract and transaction records — seven years following the end of the engagement, in line with fiscal and audit obligations.
• Recruitment files — up to twelve months after the hiring decision, unless retained with consent for future opportunities.

Once the applicable retention period expires, we destroy or anonymise the information.

Subject to the limits set by applicable law, you can exercise the following rights in respect of your personal information:

• Access — obtain confirmation of the information we hold about you and a copy of that information.
• Rectification — ask us to correct information that is inaccurate, incomplete or out of date.
• De-indexing and erasure — ask us to cease disclosure, de-index from search engines or delete information in the conditions set out by law.
• Portability — receive certain information in a structured, commonly used technological format (Law 25).
• Withdrawal of consent — withdraw consent previously given, without affecting processing carried out before withdrawal.
• Automated decisions — be informed if a decision about you is based exclusively on automated processing, and request human review.

To exercise these rights, write to info@elionmt.com. We respond within 30 days of a complete request and may ask for reasonable verification of your identity.

We use a limited set of cookies and similar technologies. They fall into three categories:

• Strictly necessary — required to operate the site, maintain preferences such as theme or language, and safeguard security.
• Preference — remember display choices you have made across sessions.
• Analytics — aggregated, privacy-respecting measurement of how the site is used, deployed only where the local regime permits.

You can manage cookies through your browser at any time. Disabling strictly necessary cookies may limit the operation of the site.

We apply technical and organisational measures proportionate to the sensitivity of the information we process. These include encryption in transit and at rest for critical data, restricted access on a need-to-know basis, multi-factor authentication for sensitive systems, written confidentiality obligations for personnel and contractors, and due diligence on service providers.

No transmission over the Internet or storage system is ever completely secure. We do not guarantee absolute security, but we respond promptly to any suspected incident affecting personal information.

The elionmt.com website and our services are intended for professional use and are not directed at persons under the age of eighteen. We do not knowingly collect personal information from minors. If you believe a minor has submitted information to us, contact info@elionmt.com and we will delete it.

We review this Policy at least once a year and whenever our practices or the applicable law change materially. The review date shown at the top of the page always reflects the latest version. Where a change is significant, we will take additional steps to notify counterparties concerned.