Rastpay ltd, a private Corporation registered under BC Business Corporations Act, SBC 2002, Province of British Columbia, Canada, incorporation number BC1329022, MSB registration number M22435446, registered address 1055 West Georgia Street, Suite 2474, Vancouver, British Columbia, V6E 3P3, Canada, (“Rastpay”, “we”, “our” and “us”) publishes this notice to explain what personal data we collect, how we use it, and your rights in relation to your personal data. This notice only applies to personal data. It does not apply to company information. Sometimes, we may also provide you with additional privacy notices, explanations and information relating to specific processes requiring your personal data.

This policy is subject to change from time to time and we recommend that you review the Privacy Policy each time you visit the site to stay informed of our privacy practices. If we make changes, we will amend the date of approval of this policy. Any changes will become effective when we publish the revised policy. If we make any material changes, we will notify you by email, or through a notice on our website.

Where you no longer use our services or products, we will retain your personal information for the purposes disclosed in this policy in compliance with the applicable regulatory requirements.

1. What kinds of personal information we collect and why we collect it

“Personal information” is any information about you which, either on its own or in combination with other information, could be used to identify, contact or locate you, or could be linked to your personal identity.

We collect and use personal information to establish and manage our relationship with you and/or the merchant. Depending on the products and services you or the merchant use, the personal information we collect can include:

• Contact information such as your name, residential addresses, title, phone number, email address – we use this to verify your identity, conclude and perform agreements with you, to communicate with you and to comply with regulatory requirements under the applicable laws and rules of payment networks.
• Identity information such as your date of birth, gender, social insurance number, copies of government identification documents, copies of proof of address, and information about other financial accounts – we use this to establish and verify your identity and to comply with regulatory requirements under the applicable laws and rules of payment networks.
• Location Information, specifically your Internet Protocol (IP) address – we use this to mitigate fraud and comply with regulatory requirements under the applicable laws and rules of payment networks.
• Biometric information such as measurements or characteristics about your physical or behavioral traits, including but not limited to, your facial features, voice patterns, fingerprints and pattern movements – we use this to verify your identity or to protect your account via external service providers and to comply with regulatory requirements under the applicable laws and rules of payment networks. 
• Financial information – such as your banking information, accounts and tax status – we use this to assess your (and the merchant’s) eligibility to receive our services, mitigate our credit risks and to comply with regulatory requirements under the applicable laws and rules of payment networks.
• Information about how you use our products and services – such as information about your use of the Merchant Portal and our website – we use this to provide these products and services to you, to protect us and your (and merchant’s) account (by spotting unusual activity), and to notify you about changes that will impact products and services used by you or the merchant. We also use this to provide you (and the merchant) with personalized products and services, to better understand your (and merchant’s) needs and preferences (including through data analytics), to personalize your experience on our website, and to provide you with tailored communications and offers.

2. How we collect personal information

We collect information from a variety of resources – and may be limited in our ability to provide you and/or the merchant with certain products and/or services if you decline to provide us with information that is essential for provision of these products and/or services. 

Sources of personal information include:

• Directly from you: We receive some of the personal information we collect about you directly from you. For example, if you (directly or on behalf of your company) apply for one of our services or communicate with us, you are providing us with your personal information.
• From third parties: In some cases, we may collect information from third parties outside Rastpay, including:
• Current and prospective merchants that apply for the services provided by Rastpay (for example, if you are a representative, responsible employee, director, shareholder or ultimate beneficial owner of such merchant);
• financial institutions where you have accounts (for example, when we perform due diligence on our current or prospective merchant);
• credit bureaus, credit reporting agencies, and credit insurers;
• persons authorized to act on your behalf under a power of attorney or other legal authority;
• service providers, including technology service providers, introducers, referral agents, and other organizations with whom you or we conduct business;
• for products or services provided by third parties and integrated with the services and products provided by Rastpay, we receive information (such as your name, contact information, date of birth, tax identification or social insurance number etc.), information to verify your identity, other information you supply with your application, and information about your transactions and use of the products - from the third party we work with to enable these third-party products and services.
• government agencies, public registries, and information available from open sources (for example, an Internet search).

3. How we use your personal information

Rastpay collects your personal information to manage our relationship with you (and our current or prospective merchant) and to enable consistent delivery of our products and services. Here are some examples of why we collect personal information and how we use it:

• evaluate the merchant's application for the services and products provided by Rastpay;
• to underwrite the merchant account and provide merchant account servicing;
• to process (and keep track of) the merchant’s transactions;
• to manage billing and record-keeping processes;
• to enable fraud protection and risk management processes;
• to enable access to products and services provided by third parties;
• to verify your identity, including to meet our ‘know your client’, anti-money laundering, sanctions and other compliance obligations;
• to communicate with you about your (or the merchant’s) products and services;
• to make changes you or the merchant request;
• to analyze information to determine what relevant products and services are offered to you or the merchant – without using automatic decision-making processes (unless we separately notified you otherwise).
• to provide you and the merchant with products and services, or information about products and services, that have been requested by you and/or that we believe may be of interest to you and provide value to you - subject to your right authorize commercial electronic messages or to unsubscribe from receiving marketing or commercial communications;
• to inform you about new business initiatives including contacting you or the merchant to obtain your views and to encourage you to express your views about them - subject to your right authorize commercial electronic messages or to unsubscribe from receiving marketing or commercial communications.
• to offer you the opportunity to participate in contests, giveaways or other promotions - subject to your right authorize commercial electronic messages or to unsubscribe from receiving marketing or commercial communications;
• to conduct research and generate statistics related to our business, products and services;
• for business purposes, such as data analysis, audits, developing new products, enhancing, improving or modifying our services, identifying usage trends, determining the effectiveness of our promotional campaigns, and operating and expanding our business activities;
• to help manage and assess our risks, operations, and relationship with you and the merchant;
• to obtain and maintain our insurance coverage;
• to fulfill any other purpose for which you provide us with your consent.

4. Who we share your personal information with and why

We may share your personal information in the following ways:

• With companies affiliated with Rastpay: To assist us with offering the best services to you or the merchant, we may share your personal information with our affiliates.  
• With our employees: While performing their duties, our authorized employees may have access to personal information and other confidential information.  Employees may only access personal information strictly necessary to perform their duties.  All employees that are likely to have access to personal information must commit to maintaining its confidentiality.  
• With third-party product and service providers: We may disclose personal information to certain third-party product and service providers, to assist in providing you with products and services, or to perform certain specialized services to assist us in our business. These providers can include: without limitation: (i) payment networks, and the members of such networks; (ii) clearing, settlement and payment processing contractors of Rastpay; (iii) service companies that perform business operations for Rastpay, including but not limited to account statement preparation, mailing services, fraud prevention, regulatory compliance assistance, identification and verification services and secured data management and storage; (v) our marketing partners who will advise you of new products and services from Rastpay to assist in the growth and development of your business; (vi) courts, independent auditors, law enforcement agencies and other governmental authorities, bodies or agencies in response to subpoenas, to prevent fraud, during the course of an audit or examination or as required by law; and (vii) collection agencies, credit reporting agencies, business credit bureaus or other parties associated in collecting any debt owed by the merchant to us.
• We only disclose to these providers the specific information they require to perform their services. Before we release any personal information to them, each of our providers must undertake to use the information solely to carry out the services they have been retained to provide and must agree to safeguard and respect the confidentiality of the information.
• When we use these providers, we may process, store, and transfer your personal information in and to a foreign country, with different privacy laws that may or may not be as comprehensive as Canadian law. In these circumstances, the governments, courts, law enforcement, or regulatory agencies of that country may be able to obtain access to your personal information through the laws of the foreign country.
• If the merchant or you are receiving products and services provided by third parties via integration with Rastpay: We receive information about you from that provider and use it in connection with those products or services. In addition, you should be aware that:
• This information is received by the third parties to allow them to carry out servicing of merchant’s (or your) account, such as identification and client verification, to communicate with you regarding merchant’s (or your) account, debit or credit merchant’s (or your) accounts appropriately, to present accurate account information to you or the merchant, and to conduct such other activities as may be described in merchant’s (or your) agreement with the respective third party.
• These parties are independent from us, and we do not control all manners in which they may process your personal information. In addition to servicing merchant’s (or your) account, they may also process your personal information under their own privacy policies, any consent you have provided to them, and for other products or services they provide to you or the merchant. We do not control and are not responsible for their actions.
• You have an independent relationship with the third parties providing services via integration with Rastpay, and you should read their privacy policy, as well as ours, to understand how they may process your personal information. If you have any questions or concerns regarding how the third party providers processes your personal information, you should contact them directly.

• As Required by Law: In certain instances, we may be required or permitted to disclose information about you in response to a legally valid demand, inquiry, proceeding, or other order, or for the purposes of investigating a breach of an agreement or contravention of law or to detect, suppress, or prevent fraud. We reserve the right to comply with any valid third-party demand issued under the applicable laws, or any court or regulatory order we receive, in respect of your accounts or any information we hold about you.  You agree that we will not be liable to you in any way for complying with any such third-party demands or court orders issued on or against your accounts or products. In these cases, we take steps to assess if the request is valid and we only disclose the specific information necessary to satisfy the inquiry or order.
• Transfers of Business: As we continue to grow, we may expand or sell our businesses or part of it. In such a case, the personal information we hold may be among the assets transferred. 
• Additional Disclosures: We may also disclose personal information:
• with your consent;
• to the merchant that identified you as its employee, representative, member/shareholder or ultimate beneficial owner;
• to help us collect a debt or enforce an obligation owed to us by you or the merchant;
• if required or permitted by law;
• to credit reporting agencies (and similar service providers) to maintain merchant’s (or your) credit history (note- if you (or the merchant) fail to meet your obligations to us, we may a file a negative report, and your credit score may suffer).
• to other financial institutions to provide you with the services.

5. How we store your personal information

The personal information you provide to us is primarily stored on servers in countries that offer safeguards comparable to those required under the Canadian privacy laws.

Information we collect in Quebec, will be communicated outside of Quebec. We assess privacy risks and take measures to ensure that your personal information is protected and kept confidential, if it is transferred outside of Quebec and Canada.

Personal information collected by us under this privacy policy may be stored, by us or our service providers, and may be subject to disclosure under the laws of the jurisdictions where such personal information data is stored.

In these circumstances, the governments, courts, law enforcement, or regulatory agencies of other countries may be able to obtain access to your personal information through the laws of the foreign country. Rastpay will disclose personal information as required by law.

6. How we protect your personal information

We protect your personal information with a variety of security measures, which may vary based on the information being processed. These include:

• physical security measures such as restricted access facilities and locked filing cabinets;
• shredding of documents containing personal information
• electronic security measures for computerized personal information such as password protection, database encryption, and personal identification numbers;
• organizational processes such as limiting access to your personal information to a selected group of individuals;
• requiring third parties given access to your personal information to protect, secure and appropriately dispose your personal information;

The safeguards employed by us to protect your personal information depend on the sensitivity, amount, distribution, format, and storage of the personal information.

Although technologies can make it easier for fraud to occur, we employ around-the-clock monitoring systems and controls to help detect and prevent fraudulent activity. We also build fraud prevention measures into our due diligence processes and regularly update our fraud detection/prevention methods.

While we take precautions to help protect your personal information from loss, theft, alteration, or misuse, no system or security measure is completely secure. Any transmission of your personal information is at your own risk and we expect that you will use appropriate measures to protect your own personal information.

In addition to the steps we take to safeguard your personal information, we believe there are measures you should take to protect yourself, such as:

• Not sharing any personal or financial information with others unless you clearly understand the purpose of them requesting the information and you have confirmed you are dealing with a legitimate contact.
• Not sharing any significant personal or financial information via email or voicemail.

7. Our communications with you

Using Email to communicate with us

If you choose to communicate with us electronically, we strongly recommend that you use our the contact form on our website for sending us comments, questions or instructions that are more secure than email.

Generally, email is not secure since it passes through many points on its route from you to us. If you are using email to communicate with us, we strongly recommend that you do not include personal financial information (such as account numbers or passwords) within the email as we cannot guarantee its confidentiality en route to us.

Canada’s Anti-Spam Legislation (“CASL”)

Rastpay complies with CASL and we are committed to making sure you only receive the email communications that you want from us. Rastpay will not send you unsolicited emails in connection with the marketing of Rastpay, its services or products. We may occasionally contact you to notify you about updates to the website or new products or services offered by us or to deliver targeted information that may be of interest to you, when we have your consent to do so. No matter how you join our list or provide us with your consent to receive communications, at the bottom of all our commercial emails, you will find a clear, easy way to amend consent or unsubscribe.

Keeping your information up to date

Keeping your personal information up to date and accurate helps us to serve you better. You can assist us by updating your personal information (e.g. change of address or telephone number) when it changes by contacting us. 

8. How you can access and request changes to your information

Access and rectification

You can request access to your personal information kept by Rastpay at any time.  You may request any of the following:

• What types of personal information we have on record or in our control, how it is used and to whom it may have been disclosed.
• Reasonable access to your personal information so you can review and verify its accuracy and completeness.
• Updates or corrections to your personal information. Rastpay reserves the right to decline to make a requested correction where the accuracy of the change is in question but will append a notation to the record of your requested alternative information.

Your request is subject to applicable exceptions under applicable laws, such as where the information requested includes the personal information of another person. For your protection, we may require you to confirm your identity before providing access to your personal information.

Your request must be made in writing and provide us with sufficient detail to enable us, with reasonable effort, to identify you and your personal information.  We will inform you within thirty days what personal information we have, how we collected it, how we used it, and to whom it has been disclosed.  If we need to extend the time, or we must refuse your request, we will tell you why, subject to any legal restrictions, and will notify you of the new deadline, the reason for the extension, and of your right to contact the federal or provincial privacy commissioner applicable in your jurisdiction.

You will not be charged a service fee for these requests, however, we may seek to recover costs incurred (for example, photocopying costs). You will be notified and asked to agree to such charges in advance of us incurring necessary costs.

For deceased individuals, their close family members and other interested parties may have the right to make a written request for access which we will also consider in line with applicable laws. 

Limiting or withdrawing consent

You may choose to restrict the collection or use of your personal information in the following ways:

• You may write to or email us at [email protected] to withdraw your consent to us using your personal information for purposes other than those that are required to provide our services (for example, direct marketing purposes).
• If you receive commercial email from us, you can also unsubscribe using the unsubscribe tool we provide in such messages.

Please note that if you seek to withdraw consent to our collecting and processing information that we must process to provide our services, we may not be able to provide those services to you or the respective merchant. For example, you cannot withdraw consent to ongoing collection, use and disclosure of personal information needed in connection with administering of the payment services provided by us. Similarly, you may not be able to withdraw consent for us to collect, use or disclose information we need for compliance purposes.

If you or the merchant cancel your services or products with us, we will consider this to be a withdrawal of your consent for us to collect, use and disclose your personal information and we will anonymize or delete it on completion of the relevant retention period.

General Data Protection Regulation (GDPR) and DPA2018 – Applicable to European Economic Area (EEA) and UK residents only

European Commission considers Canada as providing an adequate level of protection for personal data transferred from the European Economic Area. The United Kingdom considers personal data transferred from the UK subject to Canada's Personal Information Protection and Electronic Documents Act as covered by an adequate level of protection.

Under the GDPR, EEA residents, have certain data specific rights. As an EEA resident, you have: 

• the right to access your personal information that we hold;
• the right to request the rectification of your personal information that we hold;
• the right to request the erasure of your personal information that we hold;
• the right to request to restrict the processing of your personal information;
• the right to object to the processing of your personal information by us;
• the right to request to transfer your personal information that we hold (i.e., data portability);
• the right to file a complaint to a supervisory authority in your jurisdiction; and
• the right to withdraw consent.

Rastpay takes reasonable steps to allow you to correct, amend, delete or limit the use of your personal information. We have appointed a privacy officer to handle any data questions or concerns.

If you wish to be informed about what personal information we hold about you or if you want it to be removed from our systems, please contact us at [email protected].

9. How we collect, use and disclose non-personal information

Non-personal information is any information that does not reveal your identity or directly relate to you as a person. Non-personal information may also include personal information we have de-identified or aggregated, to the point where it no longer identifies a particular individual.

We may anonymize any personal information (i.e. render it so that it irreversibly no longer allows the person to be identified directly or indirectly) and may use or share that anonymized data with third parties for any purposes we deem appropriate. We may also make certain aggregated non-personal information available to strategic partners and third-party service providers that work with us, to provide or support products and services, to conduct data analysis, to develop and improve products and services, and to determine the effectiveness of promotional campaigns. We reserve the right to use and share any non-personal information with third parties for any lawful purpose.

If we ever combine non-personal information with any personal information, we will obtain your consent and treat it as personal information is treated under this Policy. 

10. Use of our Merchant Portal

This section of the privacy describes how your personal information is collected, used and disclosed when using or visiting our website, including without limitations the Merchant Portal. 

We will provide current and prospective merchants to communicate with us and manage various aspects of the Services via interactive user interface on our website merchant.rastpay.com (the “Merchant Portal”). If you are an authorized representative of our current or prospective merchant and received verification codes and any other credentials provided by us to access Merchant Portal (“Security Credentials”), then the terms below additionally apply to you.

1. Controlled Access to your Information

The Security Credentials are individual to each authorized user of the Merchant Portal. You should be the only person accessing your personal information through the Merchant Portal. Only you should know your Security Credentials - do not provide them to anyone else. Our representatives will not ask you to reveal it. If someone does ask you to provide your Security Credentials to them, we ask that you refuse to do so and contact us immediately.

1. Services available via the Merchant Portal

Our Merchant Portal has many transactional functions, such as transfers between accounts. These transactions are all logged so that merchants’ accounts are debited or credited appropriately, and a history of each transaction is available. We store and use your use of the Merchant Portal in the same fashion as if you performed these activities at a branch or any other service channel.

1. Online Security

We provide online application forms at the Merchant Portal. These forms capture personally identifiable information that we use to provide merchants with the products and services that they have requested. This information is processed in a similar way to that of application forms received through our other channels and is used and shared for the purposes described in this privacy policy.

We use security processes wherever we process data internally or transfer or exchange data with third parties.

You acknowledge that despite implementation of adequate security measures to protect the Merchant Portal, our systems could be compromised by parties seeking unauthorized access to our data or users’ data, by a technological malfunction, or in error by an employee, vendor, or contractor. Also, the transmission of information via the Internet or mobile data networks could be intercepted by third parties. As a result, our efforts to protect our data and users’ data from unauthorized access may be unsuccessful and we cannot assure you that the security measures we have adopted will provide absolute certainty. Any transmission by you is at your own risk. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you might have with us has been compromised), please immediately notify us of the problem by contacting us via the Merchant Portal, contact form on our website or at [email protected].  If we learn of a security systems breach, we will inform you and the appropriate authorities of the occurrence of the breach as required by applicable law.

1. Usage Statistics

To continually improve our website and the Merchant Portal, we often collect information about how users are using them. These usage statistics are only viewed in the aggregate – and are never tied to an individual.

We use this information for purposes such as improving the pages where users are having difficulties, having the appropriate infrastructure in place to service future needs, managing, assessing risk, and protecting against theft, fraud, and error.

The information collected may include your general region location as determined by your IP address, your browser type, and your operating system, as well as data that is passively generated as you browse, such as the number and types of pages visited, and the length of time spent per page and on the Merchant Portal and our website overall.

We may also collect certain personal information about the device you use and your location, if you have enabled location-based and other services on your device.

1. Our use of Cookies

We also use a key web technology called cookies. A cookie is a small information token that sits on your computer or mobile device. As you use any financial services offered through our website or the Merchant Portal, cookies are passed back and forth between our server and your browser. While cookies can be used for a variety of reasons, we only use cookies where they are of benefit to our customers.

Our use of the cookies is described in a separate Cookie Policy on our website.

1. Data stored on your devices

You should only allow storage of Security Credentials and the Merchant Portal data on devices to which you control access - you should not use it on public or shared devices.

1. Logout Button

To help prevent unauthorized people from accessing your personal information, always exit your online account using the logout button.

1. Automatic Session Time-outs

If you leave your device without logging out, the Merchant Portal may end your session automatically if our system detects that you haven’t provided any instructions or used the browser buttons to navigate for several minutes. To restart the session, you will need to provide your Security Credentials again.

1. Links to Other Sites

Our website and the Merchant Portal may also contain links to other websites or internet resources. However, Rastpay has no responsibility or liability for or control over these other websites or internet resources or their collection, use and disclosure of your personal information. Always review the privacy statements of the sites that you are viewing.

11. How to contact us

If you have any questions, concerns or complaints about our privacy policies or are uncomfortable with any information or requests you receive from Rastpay via phone, fax or email, we encourage you to contact us immediately at [email protected]. 

If you are not satisfied with how we have attempted to resolve your questions, concerns or complaints, please consult the federal or provincial privacy commissioner whose information can be found online at the below sites.

Canada www.priv.gc.ca
British Columbia www.oipc.bc.ca

Revised 02.12.2024.