Data Privacy and Consent Policy
Purpose
E-xact Transactions (Canada) Ltd. (“the Company”, “E-xact”, “we”, “our”) is committed to protecting the privacy and confidentiality of all customer and merchant information handled through our platforms.
E-xact operates as a payment gateway, a technology platform that securely transmits electronic payment authorization messages between a merchant’s point of sale or online checkout and the merchant’s payment processor or acquiring bank. We facilitate the communication of transaction data so that payments can be authorized, declined, or referred in real time. E-xact does not move, hold, settle, or have custody of funds at any point in the transaction lifecycle.
This policy outlines how we collect, use, store, disclose, and protect personal and financial data, ensuring compliance with:
Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private-sector privacy law, including the 10 Fair Information Principles.
General Data Protection Regulation (GDPR), EU Regulation 2016/679, where applicable to EU-based data subjects.
Canada’s Anti-Spam Legislation (CASL), governing commercial electronic messages.
Retail Payment Activities Act (RPAA), Bank of Canada oversight of payment service providers. E-xact has filed its application for registration under the RPAA and is currently pending approval.
Payment Card Industry Data Security Standard (PCI-DSS), as a validated payment gateway handling cardholder data.
This policy applies to all products and services, including:
Hosted Checkout (HCO): our PCI-DSS validated hosted payment page.
Real-time Payments Manager (RPM): merchant portal for reporting and refunds.
Application Programming Interfaces (APIs): for merchant system integrations.
Corporate Website: e-xact.com and all associated subdomains.
Scope
This policy applies to:
Data Subjects: Customers making payments, merchants using our services, visitors to our website, and end-users of merchant systems integrated with E-xact.
Personal Data: Financial information, payment credentials, personally identifiable information (PII), and business information transmitted through our systems.
Employees, Contractors, and Vendors: All individuals involved in the handling, transmission, or storage of data within the scope of E-xact’s operations.
PIPEDA 10 Fair Information Principles
E-xact Transactions is committed to compliance with the 10 Fair Information Principles set out in Schedule 1 of PIPEDA. The table below summarizes how each principle is addressed within this policy and our operations.
| Principle | How We Comply |
|---|---|
| 1. Accountability | E-xact Transactions has designated the Group Head of IT Security as the individual accountable for compliance with PIPEDA. All inquiries may be directed to support@e-xact.com. |
| 2. Identifying Purposes | The purposes for which personal information is collected are identified at or before the time of collection. These purposes are described in the Data Use policy. |
| 3. Consent | The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Consent mechanisms are described in the Data Collection and Consent policy. |
| 4. Limiting Collection | The collection of personal information is limited to that which is necessary for the purposes identified. Only data required for payment authorization message routing and compliance is collected. |
| 5. Limiting Use, Disclosure, and Retention | Personal information is not used or disclosed for purposes other than those for which it was collected, except with consent or as required by law. Retention periods are defined in the Data Minimization & Retention policy. |
| 6. Accuracy | Personal information is kept as accurate, complete, and up to date as necessary for the purposes for which it is used. |
| 7. Safeguards | Personal information is protected by security safeguards appropriate to the sensitivity of the information, as described in the Security of Data policy. |
| 8. Openness | Information about policies and practices relating to the management of personal information is made readily available through this policy, published on the company website. |
| 9. Individual Access | Upon request, individuals are informed of the existence, use, and disclosure of their personal information and are given access to that information. See Data Subject Rights. |
| 10. Challenging Compliance | Individuals may challenge the company’s compliance with these principles by contacting the Group Head of IT Security at support@e-xact.com or by filing a complaint with the Office of the Privacy Commissioner of Canada. |
Cookies
Cookies are files with a small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your computer’s hard drive.
Like many sites, we use “cookies” to collect information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of the Site.