- What personal data we collect
- How we may use your Personal Data and the lawful basis for doing so
- Who we may disclose your personal data to
- How we protect your Personal Data
- Your privacy rights
- How long we process your personal data
- Contacting us or the data protection authority
- Contact Us
What personal data we collect
Personal Data is in most cases collected directly from you or generated as part of the use of our Services. Sometimes additional information is required to keep information up to date or to verify information we collect.
The Personal Data we collect can be grouped into the following categories:
- Identification information including your full name and date of birth.
- Contact information including your home address, e-mail address and phone numbers.
- Financial information including your bank’s name, account number and account type.
- Payment transaction information including the name of the online merchant you are using our services to pay, your login details, transaction history, transaction limits and account balance.
- Information about you from third parties including credit bureaus and identity verification services.
- Information about your use of our systems.
- Information related to legal requirements, customer due diligence and/or anti-money laundering requirements.
Personal data we may collect from you:
We collect information you provide directly to us when you visit our websites or use any of the Company’s services. For example, when you select our Services from a merchant’s payment page, we may collect your Personal Data to be able to provide you with the Services.
Personal data that we may collect from third parties:
We may collect Personal Data from other sources, including but not limited to the following:
- Publicly available information from external sources;
- Registers held by governmental agencies (such as company registration offices, enforcement authorities, etc.);
- Sanction lists (held by international organizations such as the EU and UN as well as national organizations such as OFAC;
- Registers held by credit-rating agencies and other commercial information providers providing information e.g., beneficial owners and politically exposed persons;
- In connection with payments, we collect information from remitters, banks, payment service providers and others;
- From any of the Company’s related-companies, affiliates and/or subsidiaries; and/or
- Other third parties with which we contract with to provide the services.
How we may use your Personal Data and the lawful basis for doing so
We use your Personal Data to comply with legal and contractual obligations as well as to provide you with Services.
Performance of a contract
As a processor of payment transactions, we have entered into agreements with online merchants to process online payment transactions on behalf of their customers. The main purpose for using your Personal Data is to process payments between you and these online merchants.
Examples of the performance of a contract:
- Verify your identity and provide our Services and process your transactions.
- Provide customer service, including troubleshooting service issues you are having.
- Reconcile payments, settle transaction disputes or address errors.
In addition to the performance of the contract, we process your Personal Data to fulfil our obligations under law, other regulations or as required by regulatory authorities.
Examples of processing due to legal obligations:
- Preventing, detecting, and investigating money laundering, terrorist financing, fraud or other potentially prohibited or illegal activities.
- Reporting to police authorities, enforcement authorities, supervisory authorities.
- Payment service requirements and obligations.
Personal Data is processed in the context of marketing, product and customer analysis. This processing forms the basis for marketing, process, business and system development, including testing.
We have a legitimate interest to prevent or remediate violations of policies or applicable agreements, to manage and protect our information technology infrastructure and to use profiling for example when conducting customer analysis for monitoring transactions in order to detect fraud.
There are situations when we will ask for your consent to process your Personal Data. Examples of such situations are processing of payment transaction data for marketing purposes, or for some processing of special categories of data. The consent will contain information on that specific processing activity. If you have given consent to a processing of your Personal Data, you can always withdraw your consent.
Who we may disclose your personal data to
We may share your Personal Data with others such as authorities, any of the Company’s related-companies, affiliates and/or subsidiaries, suppliers, payment service providers and business partners. Before sharing we will always ensure that we respect relevant financial industry secrecy obligations.
Third parties and companies
We may pass your information to our third-party service providers, agents, subcontractors and any of the Company’s related-companies, affiliates and/or subsidiaries for the purpose of completing tasks and providing Services to you on our behalf. However, when we use third party service providers, we disclose only the personal data that is necessary to deliver the service that you need, and we have contracts in place that require each third-party provider to keep your information secure and not to use it for their own direct marketing purposes or any other purpose. We will not release your information to third parties beyond those that we have such a contractual relationship with – unless you have specifically requested us to do so, or we are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crime. In such circumstances, we will take steps with the aim of ensuring that your privacy rights continue to be protected.
Transferring your information outside of European Economic Area
How we protect your Personal Data
Keeping your Personal Data safe and secure is at the centre of how we do business. We use appropriate technical, organizational and administrative security measures to protect any information we hold from loss, misuse, and unauthorized access, disclosure, alteration and destruction.
Your privacy rights
You as a data subject have rights in respect of the Personal Data, we hold of yours. You have the following rights:
- The right of access to your personal data. You have a right to access the Personal Data we are keeping about you. Your right to access may, however, be restricted by legislation, protection of other persons’ privacy and consideration for the Company’s business concept and business practices. If there are exceptional circumstances that mean we can refuse to provide the information, we will explain them. If requests are frivolous or vexatious, we reserve the right to refuse them. If answering requests is likely to require additional time or occasions unreasonable expense (which you may have to meet), we will inform you.
- The right of rectification to request correction of incorrect or incomplete data. When you believe we hold inaccurate or incomplete personal data about you, you may exercise your right to correct or complete this data. This may be used with the right to restrict processing to make sure that incorrect/incomplete information is not processed until it is corrected.
- The right to erasure (the ‘right to be forgotten’). Where no overriding legal basis or legitimate reason continues to exist for processing Personal Data, you may request that we delete the Personal Data. This includes Personal Data that may have been unlawfully processed. We will take all reasonable steps to ensure erasure.
- The right to withdraw your consent. You have the right to withdraw any consent you have previously given us to handle your information. Examples include where:
- you object to the processing and there is no justified reason for continuing the processing;
- you object to processing for direct marketing; and/or
- processing is unlawful;
If you withdraw your consent, this will not affect the lawfulness of our use of your information prior to the withdrawal of your consent.
- Right to restrict processing of your Personal Data. You may ask us to stop processing your Personal Data. We will still hold the data but will not process it any further. This right is an alternative to the right to erasure. If one of the following conditions applies you may exercise the right to restrict processing:
- The accuracy of the Personal Data is contested;
- Processing of the Personal Data is unlawful;
- We no longer need the Personal Data for processing, but the Personal Data is required for part of a legal process; or
- The right to object has been exercised and processing is restricted pending a decision on the status of the processing;
- Right to object to processing of your Personal Data where we are relying on a legitimate interest to process your data. You can always object to the processing of Personal Data about you for direct marketing and profiling in connection to such marketing.
- The right to data portability. You have a right to ask for information you have made available to us to be transferred to you or a third party in machine-readable formats. This right is only available if the original processing was on the basis of consent, the processing is by automated means and if the processing is based on the fulfilment of a contractual obligation.
These rights are not absolute: they do not always apply, and exemptions may be engaged. We may, in response to a request, ask you to verify your identity and to provide information that helps us to understand your request better. If we do not comply with your request, we will explain why.
How long we process your personal data
We will hold your Personal Data on our systems for the longest of the following periods:
- a minimum of six (6) years;
- as long as is necessary for the relevant activity or as long as is set out in any relevant agreement;
- the length of time it is reasonable to keep records to demonstrate compliance with professional or legal obligations;
- any retention period that is required by law; or
- the end of the period in which litigation or investigations might arise in respect of the services that we provide to you;
What types of cookies do we use?
There are a number of different types of cookies, however, our website uses:
- Advertising – Our Company uses these cookies to collect information about your visit to our website, the content you viewed, the links you followed and information about your browser, device, and your IP address. Our Company sometimes shares some limited aspects of this data with third parties for advertising purposes. We may also share online data collected through cookies with our advertising partners. This means that when you visit another website, you may be shown advertising based on your browsing patterns on our website.
How to manage cookies
You can set your browser not to accept cookies, and also to remove cookies for this website.
Contacting us or the data protection authority
You can also lodge a complaint or contact the data protection authority in any of the countries, states or provinces where we provide services or products to you.
United Kingdom – ico.org.uk/global/contact-us
European Union – Complaints | European Data Protection Supervisor (europa.eu)
Canada – File a formal privacy complaint – Office of the Privacy Commissioner of Canada
If you have any questions, please email email@example.com or write to Legal and Compliance Team, 720 King St W Suite 510, Toronto, Ontario M5V 2T3.
Company means Element Financial Technology Inc., doing-business-as Paramount Commerce.
DPA means the Data Protection Act 2018 (c.12). The DPA is a United Kingdom Act of Parliament which updates data protection laws in the United Kingdom. It is a national law which complements the EU GDPR and replaces the Data Protection Act 1998.
GDPR means the European Union Regulation No. 2016/679 of 27 April 2016, known as the General Data Protection regulation (the EU GDPR) and the EU GDPR as retained in the laws of the United Kingdom further to the European Union (Withdrawal) Act 2018 (the UK GDPR).
EEA means the European Economic Area.
EU means European Union.
OFAC means the Office of Foreign Assets Control.
Personal Data means any information associated with a naturally identified or identifiable person and any information that could directly or indirectly reveal a person’s identity.
PIPEDA means the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5)
Services means any products, services, content, features, technologies, or functions, and all related websites, applications and services offered by the Company.
Last Updated: April 13, 2022