Privacy Policy.

February 9, 2023 | Previously updated: October 7, 2022


OTT Pay Inc. (OTT) is subject to, and adheres to, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) which governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activities.


OTT enforces PIPEDA’s 10 fair information principles in the manner listed below. These principles form the ground rules for the collection, use and disclosure of PI as well as for providing access to PI and giving individuals control over how their PI is handled.


OTT is responsible for PI in its possession. The Chief Compliance Officer is OTT’s designated Privacy Officer and is mandated to ensure the OTT Privacy Policy is maintained and carried out. OTT has policies and procedures in place to ensure that PI is handled in accordance with PIPEDA’s fair information principles. The policies and procedures involve physical security measures, technological safeguards and policy safeguards.

OTT has achieved PCI DSS certification for OTT’s application and security systems. This certification demonstrates OTT’s commitment to ensuring the protection of sensitive customer information and maintaining the highest level of security standards in the payment card industry.

OTT values and respects the privacy of employee data. OTT’s Human Resources Department (HR) ensures that all employees’ PI is handled with care, confidentiality, and in accordance with applicable laws. OTT’s HR has implemented strict policies and procedures to protect employees’ PI, and this includes, but is not limited to, data collected during the recruitment process, employment records, and benefits information.

Identifying Purposes:

The purposes for which OTT collects PI is identified on the Merchant Service Application & Agreement (Agreement), the document that initiates the business relationship between the Applicant or Client and OTT. By completing and signing the Agreement, the Applicant’s or Client’s Signatory affirms that the Signatory has read and understood the purposes for collection of PI by OTT:

  • to understand Applicant’s requirements and assess eligibility for OTT’s services;
  • to identify the Merchant as a Client and create a Client Record in OTT’s systems;
  • to maintain an ongoing business relationship with the Client;
  • to administer the Client’s account and to provide settlement services requested by Client and to execute Client’s transactions through OTT’s service providers;
  • to address disputes or resolve claims related to use of OTT’s services;
  • to verify credit information and identity of Merchant’s name and all associated names and to verify Client’s and associated officers’ identities and to verify accuracy of information related to Client;
  • to establish client’s creditworthiness;
  • to perform screening of Merchant’s name and associated officers’ names against applicable sanctions and industry watch lists;
  • to issue Transaction Notifications, Receipts and all transaction-related information;
  • to contact Client by telephone, mail and/or electronic means in order to provide customer service;
  • to comply with all applicable laws and payment regulations and rules;
  • for reporting purposes under applicable laws;
  • to meet legal, regulatory, audit, processing, and security requirements;
  • to detect, investigate, prevent, reduce, or otherwise address fraud, criminal activity, security or technical issues;
  • to mitigate fraud risk and risk exposure to both Client and OTT;
  • to share Client and Transaction information during audits and examinations as required by law;
  • for marketing purposes to determine Merchant eligibility for, and to offer additional products, services or business opportunities that may be of interest to Merchant;
  • to perform statistical analysis, research, and development activities or to evaluate OTT Merchant portfolio;
  • in connection with an actual or potential sale, reorganization, consolidation, merger or amalgamation of OTT’s business;
  • to enhance or improve OTT’s or OTT Affiliates’ products or services


OTT obtains the consent of the Client Signatory of the Agreement for the collection, use and disclosure of the PI for the purposes stipulated on the Agreement. Where PI is collected about persons who are not signatories on the Agreement, OTT obtains attestation by the signatory that the appropriate consent has been obtained from those individuals. Client or associated officers may wish to withdraw consent, however, without the required PI, OTT would not be able to maintain Client’s account or provide Client with the services requested.

Consent and children: obtain consent from a parent or guardian for any individual unable to provide meaningful consent themselves (the Office of the Privacy Commissioner of Canada takes the position that, in all but exceptional circumstances, this includes anyone under the age of 13), and ensure that the consent process for youth able to provide consent themselves reasonably considers their level of maturity.

When communicating with Client for the Identifying Purposes listed in the principle above, client consent is obtained for the Client to receive account information, transactions or service-related communications from OTT in any form, including mail, email, phone call, or internet.

Unless Client has opted out for marketing communications, OTT may consult Client’s PI from time to time in order to determine Client’s suitability for, and occasionally offer Client, additional products and services.

Limiting Collection:

The bulk of PI is collected by requesting it directly from the Client or the individual from whom it is collected. Providing OTT with PI is always the Client’s or individual’s choice. The request and the purpose are clear; therefore, the means of collection is fair and lawful.

Type of PI requested from the client or individuals are full name, date of birth, citizenship, address, phone number, email address, occupation, and the type, unique identifier number and expiry date of a government-issued identification document.

Other PI may be collected indirectly in OTT’s efforts to fulfill lawful business requirements. For example, if we submit a client name to a government record third-party service provider, and the third-party service provider provides a report that contains the name of a director that was not disclosed by the client as required upon request, we may thereby come into possession of the name of a director by indirect means.

Limiting Use, Disclosure and Retention:

PI will not be used, disclosed or retained for purposes other than those stated at the time of collection, except with the permission or consent of the Client, or as required by law. All the information provided to OTT by Clients is used only for the purposes disclosed in “Identifying Purposes”. PI shall only be retained as long as necessary for the fulfillment of those purposes and to meet retention required by law.


PI is obtained by OTT directly from the Client, with the consent of the individuals about whom the information pertains or through a Signatory who has obtained consent of other individuals. The expectation is that this information is accurate and up to date. Any PI drawn from a third-party source that differs from that provided by the Client will be verified with the Client and amended where necessary.

Safeguarding Information:

PI is protected in a number of ways as outlined below.

  • PI in hard copy is kept in filing cabinets that are locked after business The physical premises are also locked after hours and on weekends and is monitored by security staff.
  • PI in electronic form is protected in different ways, dependent on the location of the electronic information:
    • PI on shared drives is accessible only to those personnel who require it in the performance of their employment
    • PI on the client database is limited in accessibility with system user access
    • Access to PI is restricted to authorized employees who have a legitimate business purpose for accessing
  • As a condition of employment, all OTT employees are required to comply with the rules relating to PI as set out in OTT’s Policies and Procedures. To reinforce their understanding and commitment to upholding client and individual privacy and confidentiality, employees periodically receive training on OTT’s Privacy Policy.
  • File encryption is put in place to avoid unauthorized access, modification, or
  • Third-party service providers or business partners are required to take measures to secure
  • Disposing of or destroying PI as appropriate to prevent unauthorized access to


OTT shall make specific information, about its policies and practices relating to the management of PI, readily available to Clients.

This Privacy Policy is available on OTT’s website. Its existence and location are indicated on the OTT Pay Merchant Service Account Application & Agreement which all clients must read and sign to acknowledge the contents. The existence and contact information for the Privacy Officer is disclosed in this Policy, as well as the indication that complaints and inquiries can be made to this Officer. The types of PI collected are indicated in this Policy, as well as its use of, and to the type of organizations this information may be made available.

Updates to this Privacy Policy:

OTT Privacy Policy may be updated from time to time to reflect changes in OTT’s policies, applicable rules, regulations, or related compliance requirements. It is important for Clients to review this Privacy Policy by visiting OTT’s website or regularly as such changes may be made without prior notice.

Individual Access:

When a request in accordance with this Policy is made, an individual shall be informed of the existence, use and disclosure of his or her PI and shall be given access to that information. If an individual wishes to request access to their PI that OTT holds, a request can be sent by phone, fax, mail or email using the contact information listed at the end of this document. An individual shall be able to challenge the accuracy and completeness of the information and have it amended.

An exception to the free access to information regarding the disclosure of the individual’s information is if the information has been disclosed to law enforcement agencies where OTT may be prohibited by law from informing an individual that their PI or related information has been disclosed in this manner. If PI that has been gathered and disclosed further due to litigation or possible litigation and is subject to either solicitor-client privilege or litigation privilege, it will not be automatically disclosed to the individual pursuant to their request under this Policy.

Challenging Compliance:

An individual shall be able challenge OTT’s compliance with the principles of the PIPEDA. If an individual wishes to challenge OTT’s compliance with the Act, they may direct their challenge to OTT’s Privacy Officer at the Contact Information section at the end of this document. The request will be considered and any decisions made as a result of that consideration will be communicated to the individual.

Alternate Formats Available Upon Request:

If you have difficulty accessing this Privacy Policy because of a disability, please contact us and we will work with you to make the information available in the appropriate format.

Contact Information:

Telephone: (+1) 416-499-2258

Mail: 1123 Leslie Street, Toronto, Ontario M3C 2K5


Fax: (+1) 416-391-2992