The Company is fully committed to protecting your individual rights and keeping your personal data safe. This Privacy Policy explains how we collect personal data about you when you use our Services, how we use that information, the conditions in which we may disclose it to others, and how we keep it secure. The data controller will be the Company that is processing your Personal Data.

This Privacy Policy describes our obligations and your rights under the DPA, GDPR and PIPEDA. By using our services and consenting to the Company processing your data, you are agreeing to this Privacy Policy.

  1. What personal data we collect

    Personal Data is in most cases collected directly from you or generated as part of the use of our Services. Sometimes additional information is required to keep information up to date or to verify information we collect.

    The Personal Data we collect can be grouped into the following categories:

    • Identification information including your full name and date of birth.
    • Contact information including your home address, e-mail address and phone numbers.
    • Financial information including your bank’s name, account number and account type.
    • Payment transaction information including the name of the online merchant you are using our services to pay, your login details, transaction history, transaction limits and account balance.
    • Information about you from third parties including credit bureaus and identity verification services.
    • Information about your use of our systems.
    • Information related to legal requirements, customer due diligence and/or anti-money laundering requirements.

    Personal data we may collect from you:
    We collect information you provide directly to us when you visit our websites or use any of the Company’s services. For example, when you select our Services from a merchant’s payment page, we may collect your Personal Data to be able to provide you with the Services.

    Personal data that we may collect from third parties:
    We may collect Personal Data from other sources, including but not limited to the following:

    • Publicly available information from external sources;
    • Registers held by governmental agencies (such as company registration offices, enforcement authorities, etc.);
    • Sanction lists (held by international organizations such as the EU and UN as well as national organizations such as OFAC;
    • Registers held by credit-rating agencies and other commercial information providers providing information e.g., beneficial owners and politically exposed persons;
    • In connection with payments, we collect information from remitters, banks, payment service providers and others;
    • From any of the Company’s related-companies, affiliates and/or subsidiaries; and/or
    • Other third parties with which we contract with to provide the services.
  2. How we may use your Personal Data and the lawful basis for doing so

    We use your Personal Data to comply with legal and contractual obligations as well as to provide you with Services.

    Performance of a contract
    As a processor of payment transactions, we have entered into agreements with online merchants to process online payment transactions on behalf of their customers. The main purpose for using your Personal Data is to process payments between you and these online merchants.

    Examples of the performance of a contract:

    • Verify your identity and provide our Services and process your transactions.
    • Provide customer service, including troubleshooting service issues you are having.
    • Reconcile payments, settle transaction disputes or address errors.

    Legal obligation
    In addition to the performance of the contract, we process your Personal Data to fulfil our obligations under law, other regulations or as required by regulatory authorities.

    Examples of processing due to legal obligations:

    • Preventing, detecting, and investigating money laundering, terrorist financing, fraud or other potentially prohibited or illegal activities.
    • Reporting to police authorities, enforcement authorities, supervisory authorities.
    • Payment service requirements and obligations.

    Legitimate interest
    Personal Data is processed in the context of marketing, product and customer analysis. This processing forms the basis for marketing, process, business and system development, including testing.

    We have a legitimate interest to prevent or remediate violations of policies or applicable agreements, to manage and protect our information technology infrastructure and to use profiling for example when conducting customer analysis for monitoring transactions in order to detect fraud.

    Consent
    There are situations when we will ask for your consent to process your Personal Data. Examples of such situations are processing of payment transaction data for marketing purposes, or for some processing of special categories of data. The consent will contain information on that specific processing activity. If you have given consent to a processing of your Personal Data, you can always withdraw your consent.

  3. Who we may disclose your personal data to

    We may share your Personal Data with others such as authorities, any of the Company’s related-companies, affiliates and/or subsidiaries, suppliers, payment service providers and business partners. Before sharing we will always ensure that we respect relevant financial industry secrecy obligations.

    Third parties and companies
    We may pass your information to our third-party service providers, agents, subcontractors and any of the Company’s related-companies, affiliates and/or subsidiaries for the purpose of completing tasks and providing Services to you on our behalf. However, when we use third party service providers, we disclose only the personal data that is necessary to deliver the service that you need, and we have contracts in place that require each third-party provider to keep your information secure and not to use it for their own direct marketing purposes or any other purpose. We will not release your information to third parties beyond those that we have such a contractual relationship with – unless you have specifically requested us to do so, or we are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crime. In such circumstances, we will take steps with the aim of ensuring that your privacy rights continue to be protected.

    Transferring your information outside of European Economic Area
    As part of our Services to you, the information which you provide to us may be transferred to countries outside the EEA. By way of example, this may happen if any of our servers are from time to time located in a country outside of the EU. These countries may not have equivalent data protection laws. By submitting your personal data, you’re agreeing to this transfer, storing and/or processing. If we transfer your information outside of the EEA in this way, we will take steps to ensure that appropriate security measures are taken and we remain compliant with the GDPR, with the aim of ensuring that your privacy rights continue to be protected as outlined in this Privacy Policy. If you use our Services while you are outside the EU, your information may be transferred outside the EEA in order to provide you with those Services.

  4. How we protect your Personal Data

    Keeping your Personal Data safe and secure is at the centre of how we do business. We use appropriate technical, organizational and administrative security measures to protect any information we hold from loss, misuse, and unauthorized access, disclosure, alteration and destruction.

  5. Your privacy rights

    You as a data subject have rights in respect of the Personal Data, we hold of yours. You have the following rights:

    • The right of access to your personal data. You have a right to access the Personal Data we are keeping about you. Your right to access may, however, be restricted by legislation, protection of other persons’ privacy and consideration for the Company’s business concept and business practices. If there are exceptional circumstances that mean we can refuse to provide the information, we will explain them. If requests are frivolous or vexatious, we reserve the right to refuse them. If answering requests is likely to require additional time or occasions unreasonable expense (which you may have to meet), we will inform you.
    • The right of rectification to request correction of incorrect or incomplete data. When you believe we hold inaccurate or incomplete personal data about you, you may exercise your right to correct or complete this data. This may be used with the right to restrict processing to make sure that incorrect/incomplete information is not processed until it is corrected.
    • The right to erasure (the ‘right to be forgotten’). Where no overriding legal basis or legitimate reason continues to exist for processing Personal Data, you may request that we delete the Personal Data. This includes Personal Data that may have been unlawfully processed. We will take all reasonable steps to ensure erasure.
    • The right to withdraw your consent. You have the right to withdraw any consent you have previously given us to handle your information. Examples include where:
      • you object to the processing and there is no justified reason for continuing the processing;
      • you object to processing for direct marketing; and/or
      • processing is unlawful;

    If you withdraw your consent, this will not affect the lawfulness of our use of your information prior to the withdrawal of your consent.

    • Right to restrict processing of your Personal Data. You may ask us to stop processing your Personal Data. We will still hold the data but will not process it any further. This right is an alternative to the right to erasure. If one of the following conditions applies you may exercise the right to restrict processing:
      • The accuracy of the Personal Data is contested;
      • Processing of the Personal Data is unlawful;
      • We no longer need the Personal Data for processing, but the Personal Data is required for part of a legal process; or
      • The right to object has been exercised and processing is restricted pending a decision on the status of the processing;
    • Right to object to processing of your Personal Data where we are relying on a legitimate interest to process your data. You can always object to the processing of Personal Data about you for direct marketing and profiling in connection to such marketing.
    • The right to data portability. You have a right to ask for information you have made available to us to be transferred to you or a third party in machine-readable formats. This right is only available if the original processing was on the basis of consent, the processing is by automated means and if the processing is based on the fulfilment of a contractual obligation.

    These rights are not absolute: they do not always apply, and exemptions may be engaged. We may, in response to a request, ask you to verify your identity and to provide information that helps us to understand your request better. If we do not comply with your request, we will explain why.

  6. How long we process your personal data

    We will hold your Personal Data on our systems for the longest of the following periods:

    • a minimum of six (6) years;
    • as long as is necessary for the relevant activity or as long as is set out in any relevant agreement;
    • the length of time it is reasonable to keep records to demonstrate compliance with professional or legal obligations;
    • any retention period that is required by law; or
    • the end of the period in which litigation or investigations might arise in respect of the services that we provide to you;
  7. How changes to this Privacy Policy will be made

    We are constantly working on improving and developing our services, products and websites, so we may change this Privacy Policy from time to time. We will not diminish your rights under this Privacy Policy or under the DPA, GDPR or PIPEDA. Please review this Privacy Policy from time to time to stay updated on any changes.

  8. Cookies

    What is a Cookie?
    A cookie is a small piece of data that a website asks your browser to store on your computer or mobile device. The cookie allows the website to “remember” your actions or preferences over time. It is sent to your browser and stored on your computer’s hard drive. When you visit our website, we may collect information from you automatically through cookies. Most Internet browsers support cookies; however, users can set their browsers to decline certain types of cookies or specific cookies. Further, users can delete cookies at any time.

    How do we use cookies?
    Our Company uses cookies to improve your experience by learning and understanding how you use our website.

    Why do we use cookies?
    We use cookies to learn how you interact with our content and to improve your experience when visiting our website(s). For example, some cookies remember your language or preferences so that you do not have to repeatedly make these choices when you visit one of our websites. Cookies allow us to serve you specific content.

    What types of cookies do we use?

    Session Cookies
    Session cookies are temporary cookies that are used to remember you during the course of your visit to the website, and they expire when you close the web browser.

    Persistent Cookies
    Persistent cookies are used to remember your preferences within the website and remain on your desktop or mobile device even after you close your browser or restart your computer. We use these cookies to analyze user behavior to establish visit patterns so that we can improve our website functionality for you and others who visit our website(s). These cookies also allow us to serve you with targeted advertising and measure the effectiveness of our site functionality and advertising. The cookie retention is time limited and set to 2 hours.

    How are cookies used for advertisement purposes?
    Cookies and ad technology such as web beacons, pixels, and anonymous ad network tags help us serve relevant ads to you more effectively. They also help us collect aggregated audit data, research, and performance reporting for advertisers. Pixels enable us to understand and improve the delivery of ads to you and know when certain ads have been shown to you. Since your web browser may request advertisements and web beacons directly from ad network servers, these networks can view, edit, or set their own cookies, just as if you had requested a web page from their site.

    Although we do not use cookies to create a profile of your browsing behavior on third-party sites, we do use aggregate data from third parties to show you relevant, interest-based advertising. We do not provide any personal information that we collect to advertisers. You can opt out of off-site and third-party informed advertising by adjusting your cookie settings. Opting out will not remove advertising from the pages you visit, but, instead, opting out will result in the ads you see not being matched to your interests. This implies that the ad(s) you see will not be matched to your interests by those specific cookies.

    How do I delete cookies?
    You can choose to reject or block all or specific types of cookies set by virtue of your visit to our website by clicking on the cookie preferences on our website(s). You can change your preferences, our website websites and/or the websites by changing your browser settings. Please note that most browsers automatically accept cookies. Therefore, if you do not wish cookies to be used, you may need to actively delete or block the cookies. If you reject the use of cookies, you will still be able to visit our websites but some of the functions may not work correctly. You may also visit www.allaboutcookies.org for details on how to delete or reject cookies and for further information on cookies generally. By using our website without deleting or rejecting some or all cookies, you agree that we can place those cookies that you have not deleted or rejected on your device.

    How to manage cookies
    You can set your browser not to accept cookies, and also to remove cookies for this website.

  9. Contacting the data protection authority

    You can lodge a complaint or contact the data protection authority in any of the countries, states or provinces where we provide services or products to you.

    United Kingdom – ico.org.uk/global/contact-us
    European Union – Complaints | European Data Protection Supervisor (europa.eu)
    Canada – File a formal privacy complaint – Office of the Privacy Commissioner of Canada

  10. Contact Us

    If you have any questions, please email support@paramountcommerce.com or write to Legal and Compliance Team, 720 King St W Suite 510, Toronto, Ontario M5V2T3.

  11. Definitions

    Company means Element Financial Technology Inc., doing-business-as Paramount Commerce.

    DPA means the Data Protection Act 2018 (c.12). The DPA is a United Kingdom Act of Parliament which updates data protection laws in the United Kingdom. It is a national law which complements the EU GDPR and replaces the Data Protection Act 1998.

    GDPR means the European Union Regulation No. 2016/679 of 27 April 2016, known as the General Data Protection regulation (the EU GDPR) and the EU GDPR as retained in the laws of the United Kingdom further to the European Union (Withdrawal) Act 2018 (the UK GDPR).

    EEA means the European Economic Area.

    EU means European Union.

    OFAC means the Office of Foreign Assets Control.

    Personal Data means any information associated with a naturally identified or identifiable person and any information that could directly or indirectly reveal a person’s identity.

    PIPEDA means the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5)

    Privacy Policy means this policy.

    Services means any products, services, content, features, technologies, or functions, and all related websites, applications and services offered by the Company.

Last Updated: Sept 20, 2022