MostPay Privacy Policy
1. Who we are and what this Policy does
This Privacy Policy explains how MostPay (“MostPay”, “we”, “us”, “our”) collects, uses, discloses, protects, and retains personal information in connection with:
  • our website [https://mostpay.eu] (the “Website”);
  • our provision of payment processing and related services to merchants (the “Services”); and
  • your communications and interactions with us.
This Policy is drafted for a Canadian entity and is intended to comply with:
  • PIPEDA – the Personal Information Protection and Electronic Documents Act (Canada);
  • applicable substantially similar provincial private-sector privacy laws where relevant (e.g. Alberta PIPA, BC PIPA, Quebec private sector law);
  • where we process personal data of individuals in the EEA/UK in the context of offering services or monitoring behavior, the EU/UK GDPR.
If this Policy conflicts with mandatory provisions of applicable law in a given jurisdiction, those provisions prevail for individuals in that jurisdiction.

2. Roles: when MostPay is controller or processor
MostPay’s role depends on context:
  1. Merchant & Website interactions – Controller
     We act as a controller/organization when we determine why and how we collect and use your personal information, including:
     • Website visitors
     • Prospective and existing merchants and their representatives
     • Individuals who contact us or receive our marketing
  2. Payment processing for merchants – Processor / Service Provider
     When we process payments and related data on behalf of merchants, we act as a processor / service provider in accordance with our contracts with those merchants and applicable law.
     In that case, the merchant’s privacy policy explains how your personal information (e.g. as a cardholder or customer) is used. We process it strictly according to the merchant’s instructions and applicable payment scheme / legal requirements.

3. What personal information we collect
The types of information we collect depend on your relationship with us.
3.1 Website visitors
When you visit or use our Website, we may collect:
  • Technical and usage data: IP address, device and browser type, operating system, language preferences, referring URLs, pages viewed, links clicked, time and duration of visits.
  • Online identifiers: cookie IDs, pixels/tags, analytics identifiers (e.g. Google Analytics ID).
  • Communication data: information you submit via contact forms, chat, or email (name, business name, email address, phone number, message content).
We use cookies and similar technologies for functionality, security, analytics, and (where permitted) marketing. Where required by law, we will obtain your consent before setting non-essential cookies. You can manage cookies via your browser or our cookie banner.
3.2 Merchants and merchant representatives
If you apply to become a merchant or act on behalf of a merchant, we may collect:
  • Identification details: full name, position, contact details.
  • Verification/KYC data (for individuals / UBOs / directors where applicable): date of birth, nationality, address, identification documents, beneficial ownership information.
  • Business information: company name, registration details, tax/VAT numbers, corporate structure, merchant website, product/service details, MCC, risk profile.
  • Financial information: bank account details, payout details, creditworthiness information where permitted.
  • Account & usage data: login credentials (hashed), logs of access to our systems, settings, internal risk and compliance notes related to onboarding and monitoring.
We may obtain this information directly from you, from the merchant you represent, and from third-party sources such as:
  • credit and fraud prevention agencies,
  • sanctions and watchlist providers,
  • corporate registries and public records,
  • payment schemes and partner institutions,
all in line with applicable laws (including AML/CTF regulations).
3.3 End customers / payers
If you are a customer of a merchant and a transaction is processed via MostPay, information processed may include:
  • Transaction data: transaction amount, currency, date and time, merchant, payment method, partial card details (e.g. BIN and last 4 digits), authorization codes, device and technical information.
  • Anti-fraud and risk data: risk scores, flags, and checks generated by our systems or third-party tools (no profiling beyond what is necessary and proportionate for fraud prevention and compliance).
In this context:
  • We typically act as processor / service provider for the merchant.
  • We may act as controller/organization for limited purposes (e.g. compliance with AML, sanctions, scheme rules, fraud monitoring, security).
3.4 Marketing contacts and communications
If you subscribe to our updates, download materials, attend events, or otherwise engage with our marketing, we may collect:
  • Name, role, company, email address, phone number.
  • Marketing preferences and interaction history (opens, clicks, responses).
You can opt out of marketing at any time (see Section 10).

4. Why we use personal information (purposes & legal bases)
We only collect, use, and disclose personal information for purposes a reasonable person would consider appropriate in the circumstances, in line with PIPEDA’s fair information principles.
4.1 Service provision & contracts
  • Assess and onboard merchants (including KYC and due diligence).
  • Provide, operate, support, and improve our payment and related services.
  • Authenticate users, provide merchant dashboards, and manage accounts.
  • Handle inquiries, support requests, disputes, and chargebacks.
Legal bases (where applicable):
  • Performance of a contract or pre-contractual steps.
  • Our legitimate interests in operating a secure and effective payment platform.
  • Compliance with legal/regulatory obligations.
4.2 Compliance, risk management & fraud prevention
  • Perform AML/CTF checks, sanctions screening, and ongoing monitoring.
  • Detect, investigate, and prevent fraud, abuse, security incidents, and violations of our terms or scheme rules.
  • Respond to lawful requests from regulators and law enforcement.
Legal bases:
  • Compliance with legal obligations (AML/CTF, financial, record-keeping).
  • Legitimate interests in safeguarding our services, merchants, and end users.
  • Where required, your consent.
4.3 Website operation & analytics
  • Ensure the Website functions securely and properly.
  • Understand how our Website and Services are used.
  • Develop, test, and improve features and user experience.
Legal bases:
  • Legitimate interests in running and improving our business.
  • Where required (e.g. certain analytics/marketing cookies), consent.
4.4 Marketing & business development
  • Send information about MostPay products, features, events, and offers.
  • Communicate about partners, integrations, or promotions relevant to you.
  • Measure and improve the effectiveness of our campaigns.
We will:
  • rely on implied or express consent where required by law; or
  • rely on our legitimate interests where local law allows, always offering an easy opt-out.
4.5 Corporate transactions & legal rights
  • Manage business continuity, restructuring, mergers, acquisitions, or asset sales.
  • Establish, exercise, or defend legal claims.

5. Cookies and similar technologies
We use cookies, pixels, tags, scripts, and similar technologies to:
  • enable core site functionality and security;
  • compile statistics to understand and improve performance;
  • (where permitted) personalize content and marketing.
Details (categories, duration, and third parties) should be set out in a separate Cookie Policy or annex. Non-essential cookies are used only in accordance with applicable consent requirements.

6. How and with whom we share personal information
We do not sell your personal information.
We may disclose personal information to:
  1. MostPay group entities
     Affiliated or subsidiary companies involved in providing our Services, subject to this Policy and applicable law.
  2. Service providers & partners
     Providers of:
     • cloud hosting and infrastructure;
     • payment processing, banking, and card scheme services;
     • KYC/AML/fraud screening and monitoring tools;
     • analytics, communications, and customer support platforms;
     • legal, audit, and professional advisors.
     These parties may only use personal information under our instructions and must protect it adequately.
  3. Merchants
     Where we act as a processor, transaction details and relevant risk/fraud information are shared with the relevant merchant to complete the transaction or investigate issues.
  4. Authorities & law enforcement
     Where required or permitted by law, for example:
     • AML/CTF reporting;
     • compliance with court orders, subpoenas, regulatory requests;
     • to detect or prevent fraud, crime, or security incidents.

7. International transfers
MostPay may transfer personal information to locations outside the province or country where it was collected (including outside Canada, the EU/EEA, and the UK). In such cases, we ensure that:
  • the recipient is in a jurisdiction recognized as providing an adequate level of protection; or
  • we implement appropriate safeguards (such as standard contractual clauses or equivalent mechanisms), together with technical and organizational measures.
For EU/UK data subjects, transfers are made in line with GDPR requirements on cross-border transfers.

8. How long we keep personal information
We retain personal information only for as long as necessary to fulfill the purposes for which it was collected and to meet legal, regulatory, accounting, or reporting obligations.
In particular (subject to applicable laws):
  • Merchant onboarding and relationship data: kept for the duration of the relationship and for up to 3 years after its end, where required for AML/CTF, financial, and record-keeping obligations or to handle potential claims.
  • Transaction data: retained for periods required by financial, tax, AML/CTF, and payment scheme rules (commonly up to 3 years from the relevant transaction), or longer where necessary to resolve disputes or legal claims.
  • Website & analytics data: retained for shorter periods reasonably necessary for the purposes described, typically in line with cookie lifetimes and internal retention rules.
  • Marketing data: retained until you opt out or until we no longer need the information for marketing, then we either anonymize or securely delete it.
When information is no longer required, we will anonymize or securely destroy it.

9. How we protect personal information
We implement appropriate technical and organizational measures designed to protect personal information against loss, misuse, unauthorized access, disclosure, alteration, or destruction. These may include:
  • access controls and role-based permissions;
  • encryption and secure data transmission;
  • network and application security measures;
  • logging, monitoring, and incident response procedures;
  • employee confidentiality commitments and training;
  • vendor due diligence and contractual safeguards.

10. Your rights
Your privacy rights depend on your location and applicable law. We respect and enable the following, at minimum:
10.1 Under Canadian privacy laws
Subject to limited exceptions, you may:
  • Access your personal information held by us.
  • Request correction of inaccurate or incomplete information.
  • Withdraw consent for further collection, use, or disclosure where we rely on consent (subject to legal or contractual restrictions and reasonable notice).
  • Challenge our compliance with applicable privacy laws.
10.2 Under the GDPR (where applicable)
If the GDPR applies to our processing of your personal data, you may have the right to:
  • access your personal data;
  • request rectification or erasure;
  • request restriction of processing;
  • object to processing based on legitimate interests or direct marketing;
  • data portability (receive your data in a structured, commonly used, machine-readable format);
  • not be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, and to obtain human review.
We do not use solely automated decisions that produce such effects without appropriate safeguards.
10.3 Exercising your rights
To exercise any of these rights, please contact us at:
📧 sales@mostpay.eu

11. Automated decision-making & profiling
We may use automated tools (e.g. risk scoring, fraud detection, transaction monitoring) to:
  • detect suspicious or fraudulent activity;
  • comply with AML/CTF obligations;
  • protect our Services and merchants.
These tools may influence decisions such as declining or flagging a transaction or requiring additional verification. You can contact us if you wish to obtain more information about such processing or request human review where required by law.

12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements.
When we make material changes, we will:
  • update the “Last updated” date at the top; and
  • take reasonable steps to inform you, where required (e.g. via our Website or email).
Your continued use of our Website or Services after an update constitutes acknowledgment of the revised Policy, to the extent permitted by law.

13. Contact us
If you have any questions, requests, or complaints regarding this Privacy Policy or our data protection practices, please contact:
MostPay LTD
422 Richards Street, Suite 170, Vancouver, British Columbia, V6B 2Z4, Canada
📧 sales@mostpay.eu
