Privacy Policy

Definitions and Terminology

The following definitions apply throughout this Privacy Policy. Personal Information means any information about an identifiable individual, including but not limited to name, address, email address, telephone number, government-issued identification, banking or payment details, merchant onboarding documentation, and transactional information. This term corresponds to Personal Data under the EU General Data Protection Regulation and has the same meaning as in section 2(1) of the Personal Information Protection and Electronic Documents Act. Company, Organization, We, Us, or Our refers to Ex Payments Ltd, a company incorporated in British Columbia under number BC1517261, responsible for determining the purposes and means of processing Personal Information in accordance with applicable privacy and AML legislation. Website refers to the Company’s online platform and related digital interfaces, including www.ex-payments.com and any associated merchant portals, dashboards, APIs, or mobile extensions. Controller means the entity that determines the purposes and means of processing personal data under Article 4(7) of the GDPR, applicable where the Company processes data of individuals located in the European Economic Area. Processor means any third party that processes Personal Information on behalf of the Company pursuant to a written agreement. PIPEDA refers to the Personal Information Protection and Electronic Documents Act of Canada. AML refers to Anti-Money Laundering laws and regulations, including the Proceeds of Crime Money Laundering and Terrorist Financing Act and applicable FINTRAC guidance. KYC refers to Know Your Customer procedures designed to verify identity and assess customer risk. Identification Data includes name, date of birth, residential or business address, government-issued identification number, business registration documents, beneficial ownership details, and tax identification numbers where required. Transaction Data refers to information generated in connection with payment processing, including transaction identifiers, merchant IDs, amounts, currencies, payment methods, counterparties, timestamps, and settlement details. Account Information includes login credentials, email addresses, phone numbers, billing information, and merchant onboarding documentation. Device and Usage Data refers to IP address, browser type, operating system, device identifiers, and interaction logs collected automatically when using the Website. Consent means voluntary, informed, and meaningful permission for the collection, use, or disclosure of Personal Information. Individual or Data Subject means a natural person whose Personal Information is processed by the Company. Safeguards mean administrative, technical, and physical security measures implemented to protect Personal Information.

Introduction

Ex Payments Ltd recognizes the importance of protecting Personal Information and is committed to maintaining its confidentiality, integrity, and security. This Privacy Policy describes how we collect, use, disclose, retain, and safeguard Personal Information in connection with our merchant account services, payment gateway solutions, card acquiring services, API integrations, analytics tools, and related financial technology services. Ex Payments Ltd is incorporated in British Columbia, Canada under company number BC1517261 and operates from 2709b 43rd Avenue, Vernon, British Columbia, V1T 3L2, Canada. Ex Payments Ltd is registered as a Money Services Business (MSB) with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) and operates in compliance with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), PIPEDA, and other applicable Canadian regulatory requirements. Where services are offered to individuals in the European Economic Area, this Policy also reflects relevant GDPR requirements. By accessing our Website or engaging our services, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of Personal Information as described herein, unless otherwise permitted or required by law.

Categories of Personal Information We Collect

Identification and Onboarding Information

We collect Identification Data necessary to onboard merchants, verify identity, assess risk, and comply with AML and KYC obligations. This may include:

• Full legal name and business name
• Residential and business addresses
• Government-issued identification
• Corporate registration documents
• Beneficial ownership information
• Source of funds declarations
• Tax identification numbers Identification and onboarding documentation may be stored within secure internal systems and may also be processed or hosted by authorized third-party compliance service providers engaged by Ex Payments Ltd for identity verification and regulatory compliance purposes.

Transaction Information

We collect and process Transaction Data generated through payment processing services, including:

• Transaction amounts and currencies
• Card and payment method identifiers
• Merchant identifiers
• Authorization and settlement records
• Chargeback and dispute data
• Fraud screening results

Account and Communication Information

When you create or maintain an account with us, we collect Account Information such as:

• Email address
• Phone number
• Login credentials
• Linked financial accounts
• Support correspondence
• Compliance documentation

Device and Usage Data

When you access our Website or merchant portal, we automatically collect Device and Usage Data for security, fraud prevention, and system optimization purposes.

Purposes of Processing

We process Personal Information for the following purposes:

• Establishing and managing merchant relationships
• Verifying identity and conducting KYC checks
• Assessing risk and underwriting merchant accounts
• Processing and settling payment transactions
• Preventing fraud and chargebacks
• Monitoring compliance with card scheme and regulatory requirements
• Maintaining accounting and audit records
• Complying with AML, sanctions, and legal reporting obligations
• Improving platform functionality and security
• Establishing and enforcing contractual rights
• Managing disputes and chargebacks

Disclosure of Personal Information

We do not sell Personal Information. We may disclose Personal Information to:

• Acquiring banks
• Payment processors
• Card scheme operators such as Visa and Mastercard
• Fraud prevention and risk monitoring providers
• Identity verification, AML, and compliance service providers, including third-party onboarding and verification platforms engaged to perform KYC, sanctions screening, and risk assessments on our behalf
• Cloud hosting and infrastructure providers
• Legal, accounting, and compliance advisors
• Regulatory authorities, including FINTRAC, where required under Canadian AML legislation All third-party recipients are bound by contractual confidentiality obligations and required to implement appropriate Safeguards.

Cross-Border Transfers

Due to the international nature of payment processing and the use of specialized compliance service providers, Personal Information, including identification documentation and onboarding materials, may be processed or stored outside Canada. Where Personal Information is transferred to service providers located in other jurisdictions, it may be subject to the laws of those jurisdictions. Ex Payments Ltd implements contractual safeguards and due diligence measures to ensure that third-party processors provide a level of data protection consistent with Canadian privacy requirements.

Data Retention

We retain Personal Information only as long as necessary for the purposes described in this Policy or as required by law. In accordance with Canadian AML recordkeeping requirements, identification and transaction records may be retained for a minimum of five years following the end of the business relationship or the completion of a transaction. After the retention period expires, data is securely deleted or anonymized.

Individual Rights

Under PIPEDA, you have the right to:

• Request access to your Personal Information
• Request correction of inaccurate information
• Withdraw Consent where applicable
• Challenge our compliance with privacy obligations Requests must be submitted in writing and will be addressed within thirty days, subject to legal limitations. Individuals located in the European Economic Area may also have rights under the GDPR, including rights of erasure, restriction, objection, and data portability where applicable.

Cookies and Tracking Technologies

Our Website uses cookies and similar technologies to ensure secure access, improve functionality, and analyze usage. You may manage cookie preferences through your browser settings. Disabling certain cookies may impact Website functionality.

Security Measures

We implement appropriate administrative, technical, and physical Safeguards to protect Personal Information against unauthorized access, misuse, alteration, or loss. These measures include access controls, encryption where appropriate, secure hosting environments, internal policies, and staff training. KYC documentation and sensitive identification records are subject to enhanced access controls and are accessible only to authorized personnel with compliance or operational responsibilities.

Changes to This Policy

We may update this Privacy Policy from time to time. The updated version will be published on our Website with a revised last updated date. Where changes materially affect your rights or the purposes of processing, we will provide appropriate notice.

Contact Information

If you have questions about this Privacy Policy or your Personal Information, please contact: Ex Payments Ltd 2709b 43rd Avenue Vernon, British Columbia, V1T 3L2 Canada Phone: +1 778 744 4578 Email: info@ex-payments.com