KORT Payments

(Privacy Policy revised to reflect CCPA/CPRA updates; last review/update June 9, 2025)

The KORT Privacy Policy (the “Privacy Policy”) is in compliance with federal legislation. The legislation establishes rules that govern the collection, use and disclosure of personal information by KORT.

“Personal Information” refers to information about an identifiable individual and does not include information about corporations or partnerships.  Examples of personal information within KORT include:

  • Information about merchants (including the information obtained through the Merchant Application process, credit bureaus, information collected during Fraud investigations, and information gathered as a result of customer service issues).

This policy outlines how KORT complies with the federal legislation and is organized around privacy pillars as follows:

Accountability

Summary:  KORT is responsible for maintaining and protecting the personal information under its control.

Procedures:  

  • KORT has a designated Chief Privacy Officer.  The Privacy Officer is accountable for the oversight of KORT’s ongoing compliance with the Privacy Policy.  
  • All Privacy-related enquiries are to be forwarded to the Privacy Officer in accordance with the procedures outlined below in Principles 9 and 10.  The Privacy Officer will respond to enquiries in accordance with the legislation and generally within 30 days of the enquiry.

Identifying Purposes

Summary:  KORT must identify the purposes for which personal information is collected before or at the time the information is collected. 

Procedures:  

KORT uses personal information to respond to a merchant’s application and provide our services.  Personal Information about a KORT merchant may be used as follows:

  • to determine a merchant’s financial situation by collecting credit and related financial information from our affiliates, strategic partners, credit agencies, other financial institutions and from references provided by the merchant;
  • to facilitate the provision of our services by sharing a merchant’s information with our third party service providers, credit and debit card issuers, credit and debit card associations, credit agencies and similar parties connected to credit or debit card services;
  • to investigate potentially fraudulent or questionable activities regarding the merchant’s account(s) or the merchant’s use of our services;
  • for reporting purposes under credit or debit card association rules or regulations and to credit and debit card issuers, financial institutions or other credit or debit card related entities.

Consent 

Summary:  Knowledge and consent are required for the collection, use or disclosure of personal information except where required or permitted by law.  

Procedures:  

  • Net new merchants will consent to KORT’s collection, use and disclosure of personal information by way of the KORT Agreement.

Limiting Collection

Summary:  The personal information collected must be limited to those details necessary for the purposes identified by KORT.

Procedures:

  • The amount and type of personal information collected must be limited to what is necessary for the identified purposes.
  • Each KORT representative that collects personal information must be able to explain why the information is needed.

Limiting Use, Disclosure and Retention

Summary:  Personal information may only be used or disclosed for the purpose for which it was collected unless a merchant has otherwise consented, or when it is required or permitted by law.  Personal information may only be retained for the period of time required to fulfill the purpose for which it was collected or as required by law.

Procedures:

  • Merchants may request a copy of their Privacy Policy as follows:
    By post or email to KORT’s support team, 179 John St. Toronto, Ontario, M5T 1X3, or to partners@kortpayments.com
  • KORT merchants have the right to complain about KORT’s compliance with the federal legislation to the federal Privacy Commissioner.

California Consumer Privacy Rights (CCPA/CPRA)

In addition to complying with Canadian federal legislation, KORT recognizes and complies with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) for California residents. These laws provide specific rights, including:

  • The right to know what personal information is collected and how it is used
  • The right to access and receive a copy of that information
  • The right to correct or delete personal information, subject to certain exceptions
  • The right to opt out of the sale or sharing of personal information
  • The right to limit the use and disclosure of sensitive personal information
  • The right to non-discrimination for exercising privacy rights

Categories of Personal Information Collected & Shared

We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). In particular, we have collected the following categories of personal information from consumers within the last twelve (12) months:

| Category | Examples | Source | Purpose of Collection | Shared With | Retention Period |
|---|---|---|---|---|---|
| Identifiers | Name, email, phone number, IP address, account ID | Directly from user | Account creation, customer support, communication | Service providers (e.g. CRM, email), analytics tools | As long as necessary for active accounts + 7 years |
| Commercial Information | Products/services purchased, transaction history | Directly from user; payment processor | Order fulfillment, transaction tracking, fraud prevention | Payment processors, accounting systems | 7 years (for financial records) |
| Internet or Other Network Activity | Browsing history, device ID, referral source, session data | Automatically via website cookies and tools | Improve website performance, security, user experience, marketing | Analytics providers (e.g. Google), ad networks | Up to 26 months, depending on tool |
| Geolocation Data | General region (e.g. city/state) from IP address | Automatically via user device | Fraud prevention, service availability | Security services, analytics | 1–2 years |
| Professional or Employment-Related Info | Job title, employer (for business account users) | Directly from user | Business relationship management | Internal use only | Duration of active relationship |
| Sensitive Personal Information | Login credentials, payment card data, IP address tied to user identity | Directly from user; indirectly via secure services | Secure account access, payment processing | Encrypted services, payment gateways | Varies: credentials deleted upon closure; payment tokens retained per legal obligations |

California residents may exercise these rights via the following dedicated links:

 

Requests may also be submitted via email to partners@kortpayments.com or by mail to our address above. Identity verification may be required to process requests.

Applies to All Users

While the above rights are required under California law, KORT seeks to extend transparency and data control to all of our users. If you are located outside of California and would like to request access to, correction of, or deletion of your personal information, please contact us at partners@kortpayments.com.

This policy is reviewed and updated regularly. The current version reflects revisions to include applicable California privacy laws as of June 9, 2025.