Effective date: April 1, 2026
Novobill Ltd ("Company", "we", "us", or "our") is committed to protecting the privacy and personal information of individuals who access or interact with our website and related services (the "Service"). This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information in connection with the Service.
This Privacy Policy applies to:
This Privacy Policy does not apply to third-party websites, platforms, or services that may be linked to or integrated with the Service. The Company is not responsible for the privacy practices of third parties.
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described in this Privacy Policy, you should discontinue use of the Service.
In processing personal information, the Company complies with the requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Canadian federal and provincial privacy legislation, which serves as the Company's primary standard. Additionally, the Company adheres to all applicable privacy and data protection laws in the jurisdictions in which it operates or processes personal information, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the US California Consumer Privacy Act (CCPA), and other applicable state, national, or regional privacy laws. The Company also complies with the instructions of applicable supervisory and regulatory authorities, including FINTRAC in its capacity as a registered Money Services Business.
Where the Company processes personal information relating to individuals in other jurisdictions, applicable local privacy laws may apply. The Company endeavours to meet applicable legal standards in all jurisdictions in which it operates. In the event of a conflict between applicable laws, the stricter standard will generally prevail.
The Company collects personal information only where necessary for legitimate business, operational, or regulatory purposes. The categories of personal information we may collect include:
The Company may collect sensitive personal information where required for regulatory compliance, identity verification, fraud prevention, or risk management purposes, including information contained in government-issued identification documents or compliance screening results. Such information is collected only where necessary, processed in accordance with applicable privacy laws, and protected using appropriate safeguards.
The Company collects and uses personal information for the following purposes:
The Company will not use personal information for purposes other than those identified above without obtaining consent, except as required or permitted by applicable law.
The Company processes personal information on the following legal bases:
Where processing is based on consent, individuals may withdraw their consent at any time, subject to legal and contractual restrictions and reasonable notice. Withdrawal of consent may affect the Company's ability to provide services.
The Company does not sell personal information to third parties. The Company may disclose personal information in the following circumstances:
The Company may share personal information with third-party service providers who assist in the delivery of payment processing services, including technology providers, banking partners, payment networks, identity verification providers, and data analytics providers. Such service providers are required to handle personal information in accordance with the Company's instructions and applicable privacy legislation.
The Company is legally required to disclose certain personal information and transaction data to FINTRAC pursuant to its mandatory reporting obligations under the PCMLTFA. The Company may also disclose personal information to other regulatory authorities, law enforcement agencies, or courts where required by applicable law, court order, or legal process. Such disclosures are mandatory and cannot be waived by agreement or instruction.
The Company may share information with sanctions screening providers or regulatory bodies as part of its obligations to screen against applicable sanctions lists and report designated persons or entities.
In connection with a merger, acquisition, sale of assets, reorganization, or other business transfer, personal information held by the Company may be transferred to the successor entity, subject to applicable legal requirements and the terms of this Privacy Policy.
The Company may disclose personal information to other third parties where the individual has provided express consent.
The Company retains personal information only for as long as necessary to fulfill the purposes for which it was collected, including to comply with legal, regulatory, accounting, compliance, and reporting obligations.
In particular, the Company may retain personal information relating to customer identification, compliance and KYC documentation, transaction records, communications, and investigation materials for the duration of the business relationship and for a reasonable period thereafter, or for any longer period required under applicable law, including obligations under the PCMLTFA and FINTRAC requirements.
Where personal information is no longer required for these purposes, the Company will securely delete, anonymize, or de-identify such information in accordance with its internal policies and applicable law. Certain information may be retained where required for legal, regulatory, fraud prevention, dispute resolution, or legitimate business purposes.
The Service uses cookies, web beacons, pixels, and similar tracking technologies to enhance functionality, analyze usage, and support the delivery and security of the Service.
Where required by applicable law, the Company will obtain consent before placing non-essential cookies or similar tracking technologies on your device. You may manage, withdraw, or modify your consent through the cookie preference settings available on the Service or by adjusting your browser settings.
Disabling certain cookies may affect the availability or functionality of parts of the Service.
In the course of its operations, the Company may store, process, or transfer personal information using servers, infrastructure, and third-party service providers located outside Canada, including in the United States and other jurisdictions. The Company does not represent that personal information is stored exclusively within Canada.
Such transfers may occur in connection with the provision of payment processing services, merchant onboarding, identity verification, data analytics, cloud infrastructure, or other operational purposes. Personal information may be accessible to third-party service providers, banking partners, payment networks, or technology providers located in jurisdictions outside Canada.
Where personal information is transferred outside of Canada or the European Economic Area, the Company implements appropriate safeguards designed to ensure that personal information receives a comparable level of protection. These safeguards may include:
The Company takes reasonable steps to ensure that third-party recipients process personal information only for authorized purposes and in accordance with applicable privacy and data protection laws.
You acknowledge that personal information transferred to or stored in foreign jurisdictions may be subject to the laws of those jurisdictions, including laws that may permit access, disclosure, or retention of personal information by foreign governments, regulatory authorities, or courts. The Company remains responsible for personal information transferred to third parties, subject to applicable legal limitations and contractual obligations.
The Company implements reasonable physical, technical, and organizational safeguards to protect personal information against unauthorized access, use, disclosure, modification, or destruction. These measures include access controls, encryption of data in transit, internal security policies, and staff training on privacy obligations.
However, no method of transmission over the Internet or electronic storage is completely secure. The Company cannot guarantee absolute security of personal information transmitted to or through the Service. Individuals should exercise caution when transmitting sensitive information electronically.
In the event of a privacy breach involving personal information under the Company's control that creates a real risk of significant harm, the Company will notify affected individuals and, where required, the relevant supervisory authority, in accordance with applicable breach notification requirements.
Subject to applicable law and regulatory restrictions, individuals whose personal information is held by the Company may have the following rights. The availability and scope of these rights depends on your jurisdiction of residence and the applicable privacy laws in that jurisdiction. Not all rights listed below will apply to every individual.
Right of Access. The right to request access to personal information held by the Company about you, and to receive information about how it is collected, used, and disclosed.
Right to Correction. The right to request correction of personal information that is inaccurate, incomplete, or outdated.
Right to Erasure / Deletion. The right to request deletion of personal information where it is no longer necessary for the purposes for which it was collected, where consent has been withdrawn, or where processing is otherwise unlawful.
Right to Restrict Processing. The right to request that the Company restrict the processing of your personal information in certain circumstances, including where the accuracy of the information is contested or where you object to its processing.
Right to Data Portability. The right to receive personal information you have provided to the Company in a structured, commonly used, and machine-readable format, and to request that it be transmitted to another organization where technically feasible.
Right to Object to Processing. The right to object to the processing of your personal information where processing is based on legitimate interests or is carried out for direct marketing purposes.
Right to Withdraw Consent. The right to withdraw consent to the collection or use of your personal information at any time, subject to legal and contractual limitations. Withdrawal of consent does not affect the lawfulness of any processing carried out prior to withdrawal.
Right to Opt Out of Sale or Sharing. The right to opt out of the sale or sharing of your personal information for commercial or advertising purposes. The Company does not sell personal information.
Right Against Automated Decision-Making. The right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on you. Where such processing occurs, you have the right to request human review, to express your point of view, and to contest the decision.
Right to Complain. The right to lodge a complaint with the relevant privacy or data protection supervisory authority in your jurisdiction if you believe your privacy rights have been violated.
Please note that certain rights may be limited or overridden by the Company's legal and regulatory obligations. Where the Company is required by applicable law to retain, process, or restrict access to personal information, it will not be able to fulfill a request that conflicts with those obligations. The Company will notify you where a request cannot be fulfilled and provide reasons to the extent permitted by law.
To exercise any of the above rights, please contact the Company using the contact details set out in Section 14 of this Privacy Policy. The Company will respond to all requests within the timeframe required by applicable law, and in any event within 30 calendar days of receipt of a written request. Where a longer period is required, the Company will notify you and provide reasons for the extension.
The Service is not directed at individuals under the age of 18. The Company does not knowingly collect personal information from minors. If the Company becomes aware that personal information has been collected from a minor without verifiable parental consent, it will take steps to delete such information. If you believe a minor has provided personal information to the Company, please contact us using the details in Section 14.
The Company reserves the right to update or modify this Privacy Policy at any time to reflect changes in applicable law, regulatory guidance, or the Company's practices. Where material changes are made, the Company will provide notice by posting an updated version of this Privacy Policy on the Service with a revised effective date, and where reasonably practicable, by providing direct notice to affected individuals at least 30 calendar days prior to the changes taking effect.
Your continued access to or use of the Service following the posting of an updated Privacy Policy constitutes your acceptance of the revised terms. The current version of this Privacy Policy will always be available on the Service.
If you have questions, concerns, or requests regarding this Privacy Policy or the Company's handling of personal information, please contact:
Novobill Ltd
807 – 130 Spadina Avenue, Toronto, Ontario, Canada, M5V 2L4
Email: legal@novobill.net
If you are not satisfied with the Company's response to a privacy inquiry or complaint, you may contact the Office of the Privacy Commissioner of Canada:
Office of the Privacy Commissioner of Canada
30 Victoria Street, Gatineau, Quebec, K1A 1H3
Toll-free: 1-800-282-1376
Website: www.priv.gc.ca