Paysection Privacy Policy


Version: 1.2 | Effective Date: 2025-08-01


1. Introduction
This Privacy Policy (“Policy”) explains how Paysection Inc. (“Paysection,” “we,” “us,” or “our”) collects, uses, discloses, and protects your personal information when you access or use our services—including our payment processing platform—and how we comply with applicable data protection laws (such as the UK GDPR/EU GDPR, PIPEDA, CCPA, LGPD, etc.). This Policy is incorporated by reference into our Terms and Conditions. By using our services, you agree to the practices described herein.


2. Definitions and Scope
Personal Data: Any information relating to an identified or identifiable natural person.
Processing: Any operation or set of operations performed on Personal Data, whether automated or not (e.g., collection, recording, storage, use, disclosure, erasure).
Services: All products and services offered by Paysection, including our websites, business services, and end‑user services.
User Categories: You may be identified as a Customer (direct individual user), Representative (acting on behalf of a business), or Visitor (accessing our sites without registration).
Roles: We act as a Data Processor for client end‑customer data handled on our clients’ instructions, and as a Data Controller for our own business contacts and for client staff who use our platform.


3. Information We Collect
We collect various categories of information to deliver our services and comply with legal obligations:

Personal Information
Directly Provided Data: Your name, email address, phone number, address, financial details (such as bank account information and payment data), identification numbers, and company information.
Sensitive Data: We do not intentionally collect special‑category data. If a client instructs us to handle such data, we will do so only with a valid legal basis and appropriate safeguards.

Transactional Data
Details about transactions conducted via our platform, including amounts, dates, payment methods, and related metadata.

Technical Data
Information automatically collected through cookies and other tracking technologies, including your IP address, browser type, device identifiers, operating system, usage data, and location data.
Cookies & Tracking: We use cookies to improve your experience, authenticate you, perform analytics, and enhance service performance. You can manage these settings through your browser.

Additional Data
Any other information necessary to provide, secure, or improve our services.


4. How We Use Your Information
Service Provision: To deliver, maintain, and improve our services.
Transaction Management: To process payments, manage settlements, and perform billing functions.
Identity Verification & Compliance: To verify identities and comply with regulatory requirements (including AML/CTF and KYC obligations).
Communication: To send account updates and notifications (and marketing with consent where required).
Analytics & Service Improvement: To monitor usage, analyze trends, and enhance our services.
Legal and Contractual Obligations: To enforce our Terms, protect our rights, and respond to legal obligations or requests from regulatory authorities.


5. Data Sharing & Third‑Party Processors
Service Providers: Third‑party vendors (e.g., infrastructure, payment partners) under strict contractual safeguards.
Regulatory Authorities: When required by law or to comply with legal obligations.
Business Transfers: In the event of mergers, acquisitions, or asset sales—provided the recipient agrees to protect your data.
Subprocessors: We may engage subprocessors for specific functions while ensuring they adhere to data protection standards.

We do not sell your Personal Data to third parties.


6. Cross‑Border Data Transfers
Your Personal Data may be transferred to and processed in countries outside your jurisdiction. Where personal data is accessed outside the UK/EEA, we use appropriate safeguards such as the UK Addendum/IDTA and/or EU Standard Contractual Clauses, adequacy decisions (where available), or certified frameworks where applicable, and we apply contractual and technical measures to protect the data.


7. Data Security
We implement appropriate technical and organisational measures to protect Personal Data against unauthorised access, alteration, disclosure, or destruction, including encryption in transit and at rest, role‑based access with multi‑factor authentication for administrative access, and logging/monitoring of access. While we strive for strong security, no transmission method over the internet or electronic storage system is completely secure.


8. Data Retention
We retain Personal Data only for as long as necessary to fulfil the purposes for which it was collected and to meet legal requirements. Certain AML/CTF records are retained for a minimum of five (5) years. When data is no longer needed, it is returned or securely deleted unless the law requires longer retention.


9. Legal Bases for Processing (For UK/EU)
Consent: Where you have provided explicit consent.
Contractual Necessity: To perform a contract with you or the Client.
Legal Obligation: To comply with legal requirements.
Legitimate Interests: Where processing is necessary for our legitimate interests, provided these do not override your fundamental rights.


10. Breach Notification
In the event of a personal data breach that poses a risk to rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and affected individuals where required by law.


11. Confidentiality and Non‑Disclosure
Confidential Information: Any non‑public information provided by you or collected through our services—including Personal Data and proprietary business information—is considered confidential.
Obligations: Both Paysection and you agree to keep such information confidential and use it solely for fulfilling our contractual obligations. Disclosure is permitted only when required by law or with appropriate safeguards.
Exceptions: Confidentiality obligations do not apply to information that (i) becomes public through no fault of the receiving party, (ii) is obtained from a third party without breach of confidentiality, or (iii) is independently developed without reference to the confidential information.


12. Cookies and Tracking Technologies
We use cookies and similar technologies to:
Improve user experience and authenticate users.
Perform analytics and enhance service performance.

You can adjust your cookie preferences through your browser settings; however, disabling cookies may impact functionality.


13. Data Subject Rights
Depending on your jurisdiction, you may have the right to access, correct, delete, restrict, or port your Personal Data, and to object to certain processing. To exercise these rights, please contact us at info@paysection.com. Where we act as a Processor on behalf of a client, we will notify and assist the client (Controller) and act on their instructions.


14. Children’s Privacy
Our services are not directed to individuals under 18. We do not knowingly collect Personal Data from minors. If we learn that we have collected such data inadvertently, we will delete it promptly.


15. Changes to This Policy
We may update this Policy from time to time. Material changes will be communicated via email or a notice on our website. Your continued use of our services constitutes acceptance of the updated Policy.


16. Contact Information
Email: info@paysection.com
Address: 49 High Street, 3rd Floor, L4N 5J4, Barrie, ON, Canada

© 2025 Paysection Inc. All Rights Reserved.



Addendum B – Data Processing Addendum
Effective Date: 2025/08/01
Version: v1.0


This Data Processing Addendum (“DPA”) forms part of the agreement between Paysection Inc. (“Processor”) and its clients (“Controller”) governing the use of Paysection’s services. It applies where the Controller’s use of the Services involves the Processing of Personal Data subject to UK GDPR/EU GDPR, PIPEDA, CCPA/CPRA, LGPD, or comparable laws.


1. Roles of the Parties
Controller determines the purposes and means of Processing.
Processor processes Personal Data only on documented instructions of the Controller.
Where the Controller is a regulated financial institution, electronic money institution, or payment service provider, it remains solely responsible for safeguarding, AML/CTF, consumer protection, and financial services obligations.


2. Security Measures
Paysection applies appropriate technical and organisational measures proportionate to the risks, including encryption in transit and at rest, role-based access controls with multi-factor authentication, monitoring, backups, and incident response processes (see Annex II – TOMs).


3. Sub-Processors
Paysection may use Sub-Processors as reasonably necessary to provide the Services. Paysection remains responsible for Sub-Processor compliance and imposes obligations no less protective than this DPA. Paysection provides prior notice of any material Sub-Processor changes (by email or secure portal). Upon written request, and subject to confidentiality, Paysection may disclose the identity of specific Sub-Processors where required for risk assessment or regulatory obligations. Sub-Processor information is treated as Confidential Information and not published publicly.

Objection Right. The Controller may object on reasonable, documented data-protection grounds within ten (10) days of notice. If no resolution is feasible, the Controller may suspend or terminate the affected Services (not the Agreement in full) without penalty.


4. Breach Notification
Paysection will notify the Controller without undue delay, and no later than 48 hours, after becoming aware of a Personal Data Breach affecting Personal Data processed for the Controller.


5. Assistance to Controller
At the Controller’s request (and cost, where applicable), Paysection will assist with:
Data subject rights requests
Data protection impact assessments
Regulator inquiries
Retention of AML/CTF records as required by law


6. International Transfers
For EU data: EU Standard Contractual Clauses (2021/914) apply (Module Two: Controller → Processor).
For UK data: UK Addendum or IDTA applies.
For Swiss data: EU SCCs with Swiss modifications apply.

Paysection also implements supplementary measures as appropriate. The Controller remains responsible for ensuring a lawful transfer basis for its data.


7. Return & Deletion
On termination of Services or upon written request, Paysection will return or delete Personal Data (including backups on the next cycle), unless retention is required by law (e.g., AML/CTF minimum 5 years).


8. Audit Rights
The Controller may audit Paysection once annually on at least 30 days’ notice (unless required by regulator or following a breach). Audits are limited to verifying compliance with this DPA and applicable law, not to financial or unrelated operational data.


9. Liability & Government Requests
Liability remains as set in the master agreement. Paysection will not voluntarily disclose Personal Data to authorities and will limit disclosure to the minimum required by law.


10. Governing Law
This DPA follows the governing law and dispute resolution provisions of the underlying agreement.


Annex I – Processing Details
Subject matter & purpose: payout orchestration and related support.
Data subjects: end-customers/beneficiaries; Merchant staff users.
Data categories: identity/contact details; payout execution fields; technical logs; compliance flags.
Special categories: not intentionally processed.
Retention: for the term of Services; AML/CTF data kept minimum 5 years.


Annex II – Technical & Organisational Measures (TOMs)
RBAC, MFA, least privilege, encryption (AES-256, TLS 1.2+), monitoring, anomaly detection.
Backups and disaster recovery with target RTO ≤ 24h where feasible.
Vendor management with DPA requirements and onward-transfer restrictions.
Security/privacy training for all staff.
Documented incident response runbook and testing.


Annex III – Sub-Processors
Paysection maintains an internal register of material Sub-Processing arrangements. Material changes are notified by email or secure portal. Upon request and subject to confidentiality, Paysection may provide specific Sub-Processor details to Controllers or regulators. Sub-Processor information is treated as Confidential Information of Paysection.

Note: This online DPA is a convenience copy. If you have a signed Agreement that attaches Addendum B, the signed Addendum B controls.


© 2026 Paysection Inc. All Rights Reserved.

CONTACT

General Inquiries
info@paysection.com

Platform & Infrastructure
onboarding@paysection.com

Compliance
support@paysection.com

Infrastructure for modern financial operations.