Privacy Policy
Effective Date: June 2, 2026
Last Updated: June 2, 2026
This Privacy Policy ("Policy") outlines the practices, procedures, and policies of PrivatePay ("Company", "we", "our", or "us"), operating via the website privatepay.io and associated subdomains, applications, APIs, and payment infrastructure (collectively, the "Services"), regarding the collection, use, processing, storage, disclosure, and protection of Personal Information (as defined below) provided by users, merchants, customers, and visitors ("you", "your", or "User").
We are fully committed to protecting your privacy and ensuring the confidentiality of your data. This Policy is designed to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), the Canadian Anti-Spam Legislation (CASL), and, where applicable, provincial privacy legislation (such as Alberta's PIPA, British Columbia's PIPA, and Quebec's Act Respecting the Protection of Personal Information in the Private Sector), as well as international standard data protection practices suitable for financial services and payment processing entities.
By accessing our website, registering for an account, utilizing our payment infrastructure, or integrating our Services, you explicitly acknowledge and agree to the terms of this Privacy Policy. If you do not agree with any terms herein, you must immediately cease all use of our website, infrastructure, and Services.
1. Definitions and Interpretation
For the purposes of this Policy, the following definitions shall apply:
- "Personal Information" means any information about an identifiable individual, including but not limited to name, address, email address, financial account details, government-issued identification numbers, and digital footprint, but does not include aggregated or anonymized business contact information used solely to communicate with an individual in their professional capacity.
- "Merchant" refers to any business entity, organization, or sole proprietor that integrates PrivatePay infrastructure to accept payments or manage financial transactions.
- "End User" or "Customer" refers to an individual who initiates a payment transaction, sends funds, or interacts with a Merchant platform utilizing PrivatePay processing services.
- "Applicable Laws" refers to all federal, provincial, state, and international statutes, regulations, or rules concerning data privacy, financial compliance, and anti-money laundering (AML) applicable to PrivatePay.
2. The Core Privacy Principles We Follow
PrivatePay strictly adheres to the ten fair information principles established under Schedule 1 of PIPEDA:
- Accountability: We are responsible for all Personal Information under our control and have designated a Privacy Officer to oversee compliance.
- Identifying Purposes: The purposes for collecting Personal Information will be identified before or at the time of collection.
- Consent: Your knowledge and consent are required for the collection, use, or disclosure of Personal Information, except where legally exempted.
- Limiting Collection: Collection is strictly limited to the specific data necessary for the purposes identified by the Company.
- Limiting Use, Disclosure, and Retention: Data will not be used or disclosed for purposes other than those for which it was collected, except with your consent or as required by law. Data is retained only as long as necessary.
- Accuracy: Personal Information will be kept as accurate, complete, and up-to-date as necessary for its intended purposes.
- Safeguards: Personal Information will be protected by security safeguards appropriate to the sensitivity of the information.
- Openness: We make specific information about our policies and practices relating to the management of Personal Information readily available.
- Individual Access: Upon request, you will be informed of the existence, use, and disclosure of your Personal Information and given access to it.
- Challenging Compliance: You can address a challenge concerning compliance with the above principles to our Privacy Officer.
3. Information We Collect
To provide high-security payment processing services and comply with stringent Canadian financial regulations (including FINTRAC mandates), we collect several categories of information, depending on whether you are a Merchant, an End User, or a Website Visitor.
3.1. Information Provided Voluntarily by You
- Registration and Account Set-up: Full legal name, date of birth, business name, corporate registration documents, tax identification numbers, physical address, mailing address, telephone number, and email address.
- Financial and Underwriting Data: Bank account numbers, routing numbers, credit card data, merchant account histories, processing volume estimates, corporate financial statements, and related underwriting information.
- Verification and Compliance Data (KYC): Government-issued identification (e.g., driver's license, passport, or permanent resident card), beneficial ownership structures, and photographic verification documentation required under Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) protocols.
- Customer Support and Communications: Records of correspondence, support tickets, chat logs, email threads, and phone call recordings conducted with our operations or technical support teams.
3.2. Information Collected Automatically Through Technology
- Transaction Details: Amount of transaction, currency type, payment method utilized, date and timestamp of transaction, terminal details, product description, and status of payment execution.
- Technical and Device Information: Internet Protocol (IP) addresses, device hardware models, operating system versions, unique device identifiers, browser types, language preferences, and mobile network configurations.
- Geolocation Data: Approximate or precise geographical location determined via IP address, GPS, Wi-Fi access points, or cellular triangulation, primarily utilized for fraud prevention and localization constraints.
- Cookies and Tracking Technologies: Web beacons, pixels, and HTTP cookies deployed to preserve user sessions, store dashboard settings, evaluate marketing efficacy, and secure authentication workflows.
3.3. Information Obtained from Third-Party Sources
- Credit Bureaus and Risk Agencies: Credit histories, risk scores, bankruptcy checks, and creditworthiness indicators pulled from authorized bureaus (e.g., Equifax, TransUnion) during Merchant onboarding.
- Sanctions and Watchlists: Public records, politically exposed persons (PEP) lists, global sanctions lists, and law enforcement databases utilized to meet legal anti-fraud and anti-terrorism filtering rules.
- Identity Verification Partners: Third-party verification databases used to validate the accuracy of credentials, addresses, and corporate standings provided to us.
4. How We Use Your Information
PrivatePay processes Personal Information based on legitimate business purposes, legal compliance obligations, contractual performance requirements, and user consent. Specifically, information is processed to:
- Execute Payment Services: Process, authorize, clear, settle, and reconcile electronic financial transactions initiated through our gateway infrastructure.
- Manage Accounts and Portals: Maintain Merchant dashboards, administer profiles, authenticate system administrators, and provide analytical data interfaces.
- Mitigate Risk and Prevent Fraud: Perform real-time fraud monitoring, evaluate chargeback risks, detect system anomalies, prevent unauthorized network access, and block illicit actors.
- Fulfill Legal Regulatory Frameworks: Comply with requirements imposed by FINTRAC (Financial Transactions and Reports Analysis Centre of Canada), the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), tax reporting to the Canada Revenue Agency (CRA), and standard corporate governance guidelines.
- System Optimization and Operations: Diagnose technical bugs, enhance website UI/UX layout, scale load-balancing capabilities, and evaluate feature performance across different user archetypes.
- Communications and Updates: Deliver critical system status updates, immediate transaction receipts, modifications to Terms of Service, security alerts, and legislative notifications.
- Marketing and Promotions (With Opt-Out): Send newsletters, professional insights, product announcements, and cross-service invitations, strictly governed by CASL compliance (with clear unsubscribe mechanisms included in every commercial electronic message).
5. Disclosure and Sharing of Personal Information
PrivatePay does not sell, lease, rent, or trade your Personal Information to third parties for commercial profit or marketing gain. We only disclose or share information under the following limited circumstances:
- Financial Partners and Networks: Banking institutions, acquiring banks, credit card associations (Visa, Mastercard, American Express, Discover), Interac Association, and clearinghouses involved in the settlement pipeline of your transactions.
- Service Providers and Data Processors: Trusted technical third parties operating under strict contractual limitations, including cloud hosting providers (e.g., secure server clusters), database management platforms, fraud assessment tools, customer service software, and system telemetry suppliers.
- Corporate Restructuring: In the event of an asset sale, merger, consolidation, acquisition, corporate reorganization, or dissolution, Personal Information may be securely transferred as part of standard due diligence and business asset integration.
- Legal Mandates and Law Enforcement: If required to do so by an authorized subpoena, search warrant, court order, or official request by FINTRAC, provincial securities commissions, or law enforcement bodies when we believe in good faith that disclosure is necessary to comply with prevailing law or defend against legal claims.
- Protection of Rights: To protect the vital interests, physical safety, legal property rights, or financial security of PrivatePay, our employees, our Merchants, or the general public.
6. International Data Transfers and Storage
PrivatePay primarily utilizes secure data centers located within Canada. However, our technical infrastructure, service partners, and payment processing nodes may utilize server infrastructure located in the United States or other foreign jurisdictions.
Consequently, your Personal Information may be securely transferred, stored, or processed outside of Canada. When data resides outside Canadian borders, it becomes subject to the legal systems, local courts, and national security provisions of that foreign jurisdiction, meaning local law enforcement or regulatory authorities may be authorized to access it under applicable local statutes.
Regardless of jurisdiction, PrivatePay enforces strict contractual data protections, encryption requirements, and confidentiality standards with all global infrastructure providers to ensure your data maintains equivalent protection to that mandated by PIPEDA.
7. Data Security Safeguards
We maintain highly comprehensive technical, administrative, and physical safeguards constructed to shield Personal Information against unauthorized destruction, accidental loss, alteration, unauthorized dissemination, or illicit access.
- PCI-DSS Compliance: Our core payment gateway infrastructure adheres to the Payment Card Industry Data Security Standard (PCI-DSS) requirements. Sensitive cardholder data is securely tokenized, truncated, or heavily encrypted.
- Encryption Protocols: Data transmitted between your device and our servers is secured using robust transport layer security protocols (SSL/TLS). Data at rest inside our production clusters is encrypted using the AES-256 standard.
- Access Controls: Access to systems storing Personal Information is restricted via strict Role-Based Access Controls (RBAC) and protected by mandatory Multi-Factor Authentication (MFA). Only personnel with verified business needs are granted administrative capabilities.
- Continuous Audits: We execute internal threat monitoring, routine vulnerability scanning, independent penetration testing, and code audits to systematically mitigate cybersecurity structural gaps.
Disclaimer: While we implement the highest industry-standard protections, no method of transmission over the Internet or digital repository can guarantee absolute 100% security. You remain responsible for keeping your login credentials, API secret keys, and passwords fully confidential.
8. Data Retention Policies
PrivatePay retains Personal Information only for the timeframe necessary to accomplish the primary goals for which it was originally collected, or to comply with applicable statutory, fiscal, and regulatory retention requirements.
Because we operate inside the financial services and payment infrastructure sphere, we are required under Canadian federal tax laws and Anti-Money Laundering frameworks (FINTRAC) to retain complete transaction logs, financial records, identity verification data, and account settlement histories for a minimum period of seven (7) years following the formal closure of an account or termination of a business relationship.
Once the legal retention period expires and the information is no longer needed for regulatory compliance or operational defense, the data is permanently purged from our servers, destroyed using secure sanitization tools, or completely rendered anonymous so it can no longer be associated with an individual.
9. Your Rights and Access to Data
Under PIPEDA and regional Canadian data frameworks, you possess specific entitlements concerning the management of your Personal Information. You may exercise these rights at any time:
- Right of Access: You have the right to request a formal confirmation of whether we hold your Personal Information and to receive a legible copy of that specific information, alongside explanations of how it has been used or disclosed.
- Right of Correction/Rectification: You have the right to challenge the accuracy, completeness, or timeliness of the Personal Information under our control and request immediate amendments or updates where it is proven deficient.
- Right to Withdraw Consent: You may choose to withdraw your consent for the collection or processing of your data at any time (subject to applicable legal or contractual limitations and reasonable prior notice). Note that withdrawing consent may incapacitate our ability to provide you with the payment gateway services.
To submit an access or correction request, please transmit your written application directly to our Privacy Officer at the contact details provided in Section 11 below. We will demand identity verification before processing requests and aim to deliver a formal response within thirty (30) business days, as required under PIPEDA.
10. Cookies, Tracking, and Do-Not-Track Signals
Our website privatepay.io utilizes session and persistent cookies to evaluate user traffic patterns, retain chosen interface languages, prevent automated bot attacks, and measure campaign conversions. You have the choice to reject cookies by configuring your internet browser preferences. However, opting out of essential cookies may degrade your user experience or break necessary security components inside the Merchant Dashboard.
Our infrastructure currently does not alter its operational frameworks or automated data collection systems in response to "Do Not Track" browser signals, due to the lack of an industry-wide consensus standard for processing such requests.
11. Contact Us and Privacy Governance
PrivatePay has appointed a dedicated Privacy Officer tasked with monitoring systemic compliance, answering user inquiries, addressing disputes, and managing regulatory communications.
If you have any questions regarding our operational procedures, require data access, want to report a privacy concern, or wish to dispute a data management decision, please contact our Privacy Officer at:
PrivatePay Compliance Department
Attn: Privacy Officer
Email Address: [email protected]
Official Website: privatepay.io
If you remain unsatisfied with our internal response or resolution of your privacy dispute, you maintain the legal right to escalate the matter by filing a formal complaint with the Office of the Privacy Commissioner of Canada (OPC) via their official channels (www.priv.gc.ca) or contacting your relevant provincial Privacy Commissioner.