1. What personal data we collect.
2. How we may use your personal data and the lawful basis for doing so.
3. Who we may disclose your personal data to.
4. How we protect your personal data.
5. Your privacy rights.
6. How long we keep your personal data.
8. Contacting us or the data protection authority.
PayDirect Billing Solutions Inc (“PayDirect”) is fully committed to protecting
your individual rights and keeping your personal data safe. This Policy
explains how we collect personal information about you when you use our
services, how we use that information and the conditions in which we may
disclose it to others, and how we keep it secure.
This Policy describes our obligations and your rights under applicable
Canadian privacy legislation as well as the General Data Protection
Regulation (the “GDPR”). For purposes of the GDPR, PayDirect is the data
controller that is processing your personal information. By using our services
and consenting to PayDirect processing your data, you are agreeing to this
Policy. If you have any questions, please email the following address:
1. What personal data we collect
Personal data is in most cases collected directly from you or generated as
part of the use of our services. Sometimes additional information is required
to keep information up to date or to verify information we collect.
The personal data we collect can be grouped into the following
Identification information including your full name, date of birth and
government issued identification such as passport, driver’s license,
national insurance or social security numbers.
Contact information including your home address, e-mail address and
Financial information including your bank’s name, account number and
Payment transaction information including the name of the online
merchant you are using our services to pay and transaction history.
Information about you from third parties including credit bureaus and
identity verification services.
Information about your use of our systems.
Information related to legal requirements: customer due diligence and
anti-money laundering requirements.
Personal data we may collect from you:
We collect information you provide directly to us when you visit our website
or use any PayDirect service. For example, when you select one of our
payment services from a merchant’s payment page, we may collect personal
data, such as your name, address, government identification numbers, date
of birth, e-mail address, phone number and bank details to be able to provide
you with the payment service. We also collect information which you provide
us with, such as messages you have sent us, e.g. feedback or a request in
our digital channels. Calls and chat conversations with you may also be
recorded and logged for verification of transaction information,
documentation, and for quality and improvement purposes.
Personal data that we may collect from third parties:
Publicly available and other external sources; register held by
governmental agencies (such as company registration offices,
enforcement authorities, etc.), sanction lists (held by international
organizations such as the EU and UN as well as national organizations
such as Office of Foreign Assets Control (OFAC)), registers held by
credit-rating agencies and other commercial information providers
providing information on e.g. beneficial owners and politically exposed
In connection with payments, we collect information from remitters,
banks, payment service providers and others.
From other entities which we collaborate with.
2. How we may use your personal data and the lawful basis for doing so
We use your personal data to comply with legal and contractual obligations
as well as to provide you with services.
Performance of a contract
As a processor of payment transactions, we have entered into agreements
with online merchants to process online payment transactions on behalf of
their customers. The main purpose for using your personal data is to process
payments between you and these online merchants.
Examples of the performance of a contract:
Verify your identity and provide our services and process your
Provide customer service, including troubleshooting service issues you
Reconcile payments, settle transaction disputes or address errors.
In addition to the performance of contract, we process your personal data to
fulfil our obligations under law, other regulations or as required by regulatory
Examples of processing due to legal obligations:
Preventing, detecting, and investigating money laundering, terrorist
financing, fraud or other potentially prohibited or illegal activities.
Reporting to police authorities, enforcement authorities or supervisory
Payment service requirements and obligations.
Personal data is processed in the context of marketing, product and customer
analyses. This processing forms the basis for marketing, process, business
and system development, including testing.
We have a legitimate interest to prevent or remediate violations of policies or
applicable agreements, to manage and protect our information technology
infrastructure and to use profiling for example when conducting customer
analysis for monitoring transactions in order to detect fraud.
There are situations when we will ask for your consent to process your
personal data. Examples of such situations are processing of payment
transaction data for marketing purposes, or for some processing of special
categories of data. The consent will contain information on that specific
processing activity. If you have given consent to the processing of your
personal data, you can always withdraw the consent.
3. Who we may disclose your personal data to
We may share your personal data with others such as authorities, affiliated
companies, suppliers, payment service providers and business partners.
Before sharing we will always ensure that we respect relevant financial
industry secrecy obligations.
Third parties and affiliated companies
We may pass your information to our third party service providers, agents,
subcontractors and affiliated companies for the purpose of completing tasks
and providing services to you on our behalf. However, when we use third
party service providers, we disclose only the personal information that is
necessary to deliver the service that you need, and we have contracts in
place that require each third party provider to keep your information secure
and not to use it for their own direct marketing purposes or any other
purpose. We will not release your information to third parties beyond those
that we have such a contractual relationship with - unless you have
specifically requested us to do so, or we are required to do so by law, for
example, by a court order or for the purposes of prevention of fraud or other
crime. In such circumstances, we will take steps with the aim of ensuring that
your privacy rights continue to be protected.
For EU residents: Transferring your information outside of the European Economic Area
As part of our services to you, the information which you provide to us may
be transferred to countries outside the European Economic Area (“EEA”). By
way of example, this may happen if any of our servers are from time to time
located in a country outside of the EU. These countries may not have
equivalent data protection laws. By submitting your personal data, you are
agreeing to this transfer, storing and/or processing. If we transfer your
information outside of the EEA in this way, we will take steps to ensure that
appropriate security measures are taken and we remain compliant with the
GDPR, with the aim of ensuring that your privacy rights continue to be
protected as outlined in this Policy.
If you use our services while you are outside the EU, your information may be
transferred outside the EEA in order to provide you with those services.
4. How we protect your personal data
Keeping your personal data safe and secure is at the centre of how we do
business. We use appropriate technical, organizational and administrative
security measures to protect any information we hold from loss, misuse, and
unauthorized access, disclosure, alteration and destruction.
5. Your privacy rights
You as a data subject have rights in respect of personal data we hold on you.
You have the following rights:
The right of access to your personal data. You have a right to access the
personal data we are keeping about you. Your right to access may, however, be restricted by legislation, protection of other persons’ privacy and consideration for PayDirect’s business concept and business practices. If there are exceptional circumstances that mean we can refuse to provide the information, we will explain them. If requests are frivolous or vexatious, we reserve the right to refuse them. If answering requests is likely to require additional time or occasions unreasonable expense (which you may have to meet), we will inform you.
The right of rectification to request correction of incorrect or
incomplete data. When you believe we hold inaccurate or incomplete
personal information about you, you may exercise your right to correct
or complete this data. This may be used with the right to restrict
processing to make sure that incorrect/incomplete information is not
processed until it is corrected.
The right to erasure (the ‘right to be forgotten’). Where no
overriding legal basis or legitimate reason continues to exist for
processing personal data, you may request that we delete the personal
data. This includes personal data that may have been unlawfully
processed. We will take all reasonable steps to ensure erasure.
The right to withdraw your consent. You have the right to withdraw
any consent you have previously given us to handle your information.
Examples include where:
you object to the processing and there is no justified reason for
continuing the processing,
you object to processing for direct marketing, or
processing is unlawful or
If you withdraw your consent, this will not affect the lawfulness of our
use of your information prior to the withdrawal of your consent.
Right to restrict processing of your personal data. You may ask us to stop
processing your personal data. We will still hold the data, but
will not process it any further. This right is an alternative to the right to
erasure. If one of the following conditions applies you may exercise the
right to restrict processing:
The accuracy of the personal data is contested.
Processing of the personal data is unlawful.
We no longer need the personal data for processing but the
personal data is required for part of a legal process.
The right to object has been exercised and processing is
restricted pending a decision on the status of the processing.
Right to object to processing of your personal data where we are relying on
a legitimate interest to process your data. You can always object to the processing of personal data about you for direct marketing and profiling in connection with such marketing.
The right to data portability. You have a right to ask for information you have
made available to us to be transferred to you or a third party in machine-readable formats. This right is only available if the original processing was on the basis of consent, the processing is by automated means and if the processing is based on the fulfilment of a contractual obligation.
These rights are not absolute: they do not always apply and exemptions
may be engaged. We may, in response to a request, ask you to verify your
identity and to provide information that helps us to understand your
request better. If we do not comply with your request, we will explain why.
6. How long we keep your personal data
We will hold your personal information on our systems for the longest of the
a minimum of six years;
as long as is necessary for the relevant activity or as long as is set out
in any relevant agreement;
the length of time it is reasonable to keep records to demonstrate
compliance with professional or legal obligations;
any retention period that is required by law; or
the end of the period in which litigation or investigations might arise in
respect of the services that we provide to you.
We are constantly working on improving and developing our services,
applicable data protection laws in the jurisdictions we operate. Please review
8. Contacting us or the data protection authority
always contact PayDirect’s customer service at
You can also lodge a complaint or contact the data protection authority in any
of the countries, states or provinces where we provide services or products to
Last Updated: January 2020