Privacy Policy

At XEPPT Inc. (XEPPT), we respect the privacy rights of individuals, and we are committed to keeping personal information accurate, confidential, and secure. We have adopted the following Privacy Policy to ensure that XEPPT continues to meet its commitment to privacy.


XEPPT provides a variety of products and services to the public, including but not limited to the processing of payments in connection with the use of debit cards and credit cards. XEPPT is both a vendor of processing equipment and a processor of payments for merchants who have purchased and are using our processing equipment.

In the course of providing these products and services to merchants (e.g. retailers), XEPPT may collect, with consent, certain personal information about its merchants. In addition, XEPPT may receive personal information from customers of merchants while providing XEPPT’s payment processing services. XEPPT is responsible for personal information that it collects, uses, or discloses as well as personal information that it receives from the customers of its merchants.

“Personal Information” means information about an identifiable individual. This may include, without limitation, the individual’s name, home address, age, income, health, or financial information. Personal Information does not include the name, title, business address or telephone number of an employee of an organization.

The XEPPT Privacy Policy is based on Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”).

This Privacy Policy describes the ten principles that XEPPT follows to ensure that we protect Personal Information that we receive, collect, use, or disclose in the course of carrying on our business. All XEPPT employees who have access to Personal Information must adhere to the XEPPT Privacy Policy and related procedures. To this end, XEPPT has appointed a Chief Privacy Officer (CPO) to ensure compliance by all XEPPT employees and to address privacy concerns.

By submitting your Personal Information to XEPPT, you signify your consent to the collection, use and disclosure of your Personal Information in accordance with this Policy. If you do not agree with the terms of this Privacy Policy, please do not provide any Personal Information to XEPPT.


The following ten principles govern our actions as they relate to the use of Personal Information:

  • Principle 1 – Accountability
  • Principle 2 – Identifying Purposes
  • Principle 3 – Consent
  • Principle 4 – Limiting Collection
  • Principle 5 – Limiting Use, Disclosure and Retention
  • Principle 6 – Accuracy
  • Principle 7 – Safeguarding Personal Information
  • Principle 8 – Openness
  • Principle 9 – Access
  • Principle 10 – Addressing Complaints

Principle 1 – Accountability

XEPPT has designated a CPO. The CPO is ultimately responsible for Personal Information under the control of XEPPT and is accountable for compliance with the terms and procedures of this Privacy Policy. Any individual that wishes to challenge XEPPT’s procedures or wishes to make a complaint about XEPPT’s Personal Information handling practices should contact the CPO. For contact information, please refer to “Principle 10 – Addressing Complaints” below.

Principle 2 – Identifying Purposes

XEPPT informs individuals of the purposes for which it is collecting Personal Information, before or at the time the information is collected from such individuals.

XEPPT informs merchants of the purposes for which it uses its Personal Information and the Personal Information of such merchant’s customers, before or at the time the information is received by XEPPT.

Principle 3 – Consent

XEPPT will obtain an individual’s consent before or when it collects, uses, or discloses Personal Information. In obtaining consent, XEPPT will use reasonable efforts to ensure that such individual is advised of the identified purposes for which Personal Information will be used or disclosed. In determining the appropriate form of consent, XEPPT will consider the sensitivity of the Personal Information and the reasonable expectations of a reasonable person. Consent will not be obtained through deception.

Consent can be express, implied, or given through an authorized representative. Consent may be withdrawn at any time, subject to legal or contractual restrictions and reasonable notice. XEPPT will inform an individual of the implications of such withdrawal. However, XEPPT may collect, use, or disclose Personal Information without an individual’s knowledge or consent in exceptional circumstances where such collection, use or disclosure is permitted or required by law.

When Personal Information is received by XEPPT for processing from a merchant, the responsibility for obtaining consent for the provision of Personal Information to XEPPT rests with the referring merchant. XEPPT expects that merchant’s customers will understand that such merchant may forward the Personal Information of its customers for processing and thus assumes the implied consent of the merchant’s customer when XEPPT receives the Personal Information.

Principle 4 – Limiting Collection

The information collected by XEPPT will be limited to those details necessary for the purposes it has identified to the individual or the merchants to perform the services requested. Information will be collected by fair and lawful means.

The Kind of Information We Collect

XEPPT receives from merchants, Personal Information including a merchant’s and/or its principal’s name, contact information, home address, date of birth, and bank account information, so that the information may be used to perform a credit check prior to accepting the merchant as a purchaser of XEPPT’s payment processing equipment.

XEPPT also receives from merchants, Personal Information regarding such merchants’ customers, pursuant to such customers’ use of XEPPT’s payment processing terminal. This Personal Information includes such customers’ name, home address, bank account information, debit or credit card information and related purchase details, all of which is encrypted.

XEPPT gathers and uses Personal Information to provide the products and services requested. XEPPT may also use Personal Information to update our services and to offer additional products or services that our customers may be interested in.

If you visit XEPPT websites, we do not collect personally identifiable information about you unless you provide it. All information that you do provide us with is securely maintained and kept strictly confidential. This Privacy Policy does not apply to aggregated data from which it is not possible to determine the identity of a specific individual. XEPPT reserves the right to use aggregated data in any manner that it determines is reasonable and/or appropriate. By accessing and browsing our website, you agree that we may collect, use, and disclose any Personal Information about you through our website as described in this Policy.

Anonymous Information and “Cookies”

XEPPT may collect anonymous information about you. This means that the information collected cannot be traced back to a specific person. For example, our web servers may record certain information automatically when you visit XEPPT websites. This information is collected using “cookies” and might include the pages you visited, your IP (Internet Protocol) address and other site usage statistics. This anonymous information is used for research and analytical purposes only (like evaluating how many visitors our websites receive or which pages they visit most often). It does not reveal any Personal Information about you, the user. This aggregate data may be disclosed to third parties, but never with personally identifying information.

“Cookies” are small text files that contain a unique identification number that allows our computers to identify your web browser (but not you) each time you visit one of our websites that uses cookies. The information helps XEPPT improve the functionality of the site and enhance the navigation and security of your session. Most major websites use this technology, and most browsers are set up to accept them.

Principle 5 – Limiting Use, Disclosure and Retention

Personal Information will only be used or disclosed for the purpose for which it was collected or received unless the individual has otherwise consented. Personal Information may only be retained for the time needed to fulfil the purpose for which it was collected or received.

In certain exceptional circumstances, XEPPT may have a legal duty or right to disclose Personal Information without an individual’s knowledge or consent.

How We Use Your Information

At XEPPT we may use Personal Information to carry out one or more of the following:

  • To communicate with customers to provide our products and services.
  • To assist in the development and marketing of our products and services.
  • To conduct credit investigations and collect financial information from credit reporting agencies.
  • To forward to financial institutions and debit and credit card associations (including Visa, Mastercard and Interac).
  • To establish and maintain relations with customers, suppliers, financial institutions, and affiliates, and to provide ongoing products and services, administer accounts, make, and receive payments, engage in leasing arrangements, and fulfill contractual obligations.
  • To develop, enhance, market, sell, provide, and inform our customers of products and services of third parties, including our affiliates with whom XEPPT has a commercial relationship.
  • To update and verify our databases and information provided by third parties.
  • To engage in business transactions, including without limitation, the reorganization, purchase, sale, lease, merger, amalgamation or any other type of acquisition, disposition, securitization, or financing involving XEPPT or its affiliates.

We will only use Personal Information for the purpose that we have previously disclosed. If we want to use the information for a different purpose, we will notify the individual or merchant and obtain their consent first.

When We are Permitted to Disclose Information

(i) When Authorized

Many of the services offered by XEPPT require us to use Personal Information to perform the services we have been engaged to provide. We will always obtain consent first, and we will never use the information for purposes other than those we have previously disclosed.

Consent may be withdrawn at any time, subject to any legal or contractual implications (which we will inform you about). In some cases, if you do not consent to our use or disclosure of certain Personal Information, we may be unable to continue to provide all or part of the services you have requested.

(ii) When Required by Law

In some cases, such as under a court order, we may be required to disclose certain information to persons specified in the court order. We will only provide the specific information requested and only upon being satisfied that the authorities have legitimate grounds to request the information.

(iii) When Permitted by Law

The legislation has provided certain situations where XEPPT is legally permitted to disclose Personal Information without your consent. Examples for the disclosure of Personal Information include situations involving the collection of debt in arrears, medical emergencies, or suspicion of illegal activities.

With Whom We May Share Information

(i) XEPPT Employees

In the course of daily operations, access to Personal Information is limited to those employees with a legitimate reason for accessing it. As a condition of their employment, XEPPT employees are required to follow all applicable laws and regulations, including this Privacy Policy. Unauthorized use or disclosure of confidential Personal Information by any XEPPT employee is prohibited and may result in disciplinary measures.

(ii) XEPPT Affiliates

In order to better meet our customers’ needs, we may share some Personal Information with XEPPT affiliates. Should you not want to receive promotional materials from or have your Personal Information shared with XEPPT affiliates please contact the CPO as stated at the end of this Policy.

(iii) XEPPT Third Party Contractors

We may engage and coordinate third party contractors to provide you with certain services offered through XEPPT. Such contractors are only given the information that is needed to provide the specific service for which we contract them to provide. Contractors are obliged to protect the confidentiality of your Personal Information and are prohibited from doing anything with this information that we have not authorized them to do. They are required to treat your Personal Information in a manner consistent with the XEPPT Privacy Policy.

(iv) Sale of Business

We may transfer your Personal Information to a third party in connection with a reorganization, sale, merger or other disposition (whether of assets, stock or otherwise) of our business. Personal Information may be disclosed to a potential successor of our business, for the purpose of allowing the potential successor to assess and evaluate our operations.

Principle 6 – Accuracy

XEPPT will keep Personal Information as accurate, complete, and current as necessary to fulfil the identified purposes for which it was collected or received. You may have this information amended where it is found to be inaccurate or incomplete.

Principle 7 – Safeguarding Information

Personal Information is safeguarded using measures appropriate to the sensitivity of the information.

How We Safeguard Information

XEPPT will use reasonable efforts and security measures to protect Personal Information against loss or theft, as well as unauthorized access, use and disclosure. XEPPT has extensive controls in place to maintain the security of its information and information systems. Files containing Personal Information are stored according to the sensitivity of the information contained therein and are backed up at offsite locations. Appropriate technological controls (such as passwords, encryption, firewalls) are placed on our computer systems and data processing procedures. Physical controls (such as locked filing cabinets, restricting access to offices, alarm systems) are in place as are organizational controls (such as staff training and access on a “need to know basis”).

XEPPT may store and process your Personal Information at XEPPT’s offices in Canada, or elsewhere. To the extent XEPPT employs third-party service providers to store, handle or, process Personal Information on our behalf, we will use contractual and other means to provide a comparable level of protection. Service providers, however, may be located in various countries, so please be aware that authorized officials of governments in those countries may be lawfully able to access your Personal Information without your knowledge or consent pursuant to the laws of such countries.

Website Security

The XEPPT website may contain links to other websites, including those of its business partners. XEPPT is in no way responsible and cannot guarantee the content or privacy of other sites linked to our website.

Principle 8 – Openness

XEPPT will make available to its customers (including customers of merchants) information about the policies and procedures XEPPT uses to manage Personal Information.

Principle 9 – Access

Upon written request to XEPPT’s CPO, you will be informed of the existence, use and disclosure of your Personal Information and will be given access to it. You also have the right to verify or amend the information if it is shown to be inaccurate. XEPPT will respond to all such requests as efficiently as possible and no later than 30 days for a request for Personal Information. If XEPPT is prohibited from providing such access they will explain the reasons for the lack of access, except where prohibited by law.

Principle 10 – Addressing Complaints and Suggestions

You may challenge XEPPT’s compliance with this Privacy Policy. XEPPT has policies and procedures to receive, investigate and respond to complaints and questions regarding this Privacy Policy and our receipt, collection, use and disclosure of Personal Information. Complaints will be investigated and where a complaint is found to be justified, XEPPT will take appropriate measures, including amending our policies and practices, when necessary. You may contact XEPPT’s CPO to make a complaint, express any concerns or to request access to your Personal Information.

Questions, Concerns or Complaints

If you have any questions, concerns, or complaints about your Personal Information, or about the XEPPT Privacy Policy, please contact our CPO using the contact information provided below:

3-155 Edward Street
Aurora, ON L4G 1W3

Changes to this Privacy Policy

We may change this Privacy Policy from time to time. Any changes will be posted on our website at and will be made available upon request through our CPO.