Privacy Policy

Last Updated: March 26, 2026

1. Who We Are and What This Policy Covers

Finix Payments, Inc. and Finix Canada, Inc. (together, “Finix,” “we,” “us,” or “our”) provide payment processing services and related tools to businesses. This Privacy Policy explains how we collect, use, share, and protect personal information when you interact with our platform, website, or services.

Our Role in Privacy. In most cases, Finix acts as a service provider or data processor. This means we handle personal information on behalf of our business clients (software platforms, merchants, and payment facilitators) according to their instructions. In this role, Finix processes personal information relating to consumers (i.e., individuals who purchase goods or services from our merchant customers) solely to provide payment processing and related services to our business clients.  When you make a purchase from a merchant that uses Finix, or when a platform brings you to our services, those businesses are responsible for their own privacy practices and your rights regarding that data. You should review their privacy policies for information about how they handle your personal information.

However, Finix acts as a business under California privacy law for certain limited activities that do not involve personal information of consumers making purchases from our merchants. Instead, when acting as a business, Finix processes personal information in a business-to-business (B2B) context and in the employment context, including information about representatives of our prospective and existing business clients, vendors, and partners; visitors to our website; and our job applicants, employees, and contractors. In these situations, Finix is responsible for providing applicable privacy disclosures and honoring individual rights as required under California law.  See Appendix A for more information.

Geographic Scope. Finix Payments, Inc. operates in the United States. Finix Canada, Inc. operates in Canada. All data is processed and stored in data centers located in the United States.

If you are located in Canada, your personal information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.

If you do not agree with this Privacy Policy, please do not use our services or provide us with your personal information.

2. Information We Collect

The personal information we collect depends on how you interact with Finix. We collect information that you provide directly to us, information we receive from our business clients, information from third-party sources, and information collected automatically through your use of our services and website.

Information You Provide Directly. When you apply to become a Finix client, use our services, contact us, or visit our website, you may provide us with personal and business information including your name, email address, phone number, business address, Social Security number or tax identification number, date of birth, government-issued identification documents, bank account information, payment card information, and beneficial ownership details for your business.

Payment and Transaction Information. When processing payments through our platform, we collect and store payment card numbers (PANs), expiration dates, cardholder names, billing and shipping addresses, payment method details, transaction amounts and dates, merchant identifiers, authorization codes, and device information associated with the transaction including IP addresses and device identifiers. We retain card authorization data (CVV codes, PIN data, and magnetic stripe data) only for the duration necessary to complete transaction authorization, after which it is immediately deleted. 

Payment card data is stored in encrypted form and segregated in our PCI DSS-compliant environment. We retain payment card information until the card expires, becomes invalid, or upon customer request for removal, subject to a minimum 24-month retention period required by payment network rules.

Identity Verification and Biometric Information. To verify the identity of business owners, principals, and beneficial owners, and to prevent fraud and comply with anti-money laundering requirements, we collect government-issued identification documents such as driver’s licenses and passports. We use a third-party service provider, Persona Identities, Inc., to assist with identity verification.

As part of this verification process, we may collect biometric information consisting of scans of facial geometry. This is done by comparing a photograph of your face (a “selfie”) with the photograph on your government-issued identification document. The biometric comparison creates a mathematical representation of facial features to verify that the person presenting the identification is the same person depicted in the identification document. We use this biometric information solely for identity verification, fraud prevention, and compliance with legal obligations. Source photographs (selfie and ID image) derived from biometric information are retained for 3 years from your last interaction with Finix, unless we are required by law to retain it for a longer period. 

See Appendix C for more information about our collection and use of biometric information.

Information from Business Clients. When you transact with a merchant or platform that uses Finix services, we receive transaction information from that business including your name, contact information, payment method details, transaction amount and date, shipping or billing address, and in some cases information about the goods or services purchased. The business client remains responsible for obtaining any necessary consents and providing required privacy notices for this data collection.

Information from Third Parties. We receive information about business owners and principals from identity verification services (including Persona Identities, Inc. and GIACT Systems, LLC), card networks, credit bureaus and reporting agencies for underwriting and risk assessment purposes, sanctions screening databases to comply with anti-money laundering requirements, publicly available sources including business registries and corporate filings, and our business partners including software platforms that refer clients to us.

Financial Account Data via Plaid. We use Plaid Inc. to gather your data from financial institutions, which may include personal, account, and transaction information. By using the Services, you grant us and Plaid the right, power, and authority to act on your behalf to access and transmit your personal and financial information from your relevant financial institution. You also agree that Plaid may transfer, store, and process your personal and financial information in accordance with the Plaid Privacy Policy, available at https://plaid.com/legal/#end-user-privacy-policy.

Automatically Collected Information. When you visit our website or use our platform, we automatically collect technical information including IP addresses, browser type and version, device identifiers, operating system, pages visited and links clicked, time and date of visits, referring website addresses, and cookie identifiers. We use cookies, web beacons, and similar tracking technologies for website functionality, security, fraud prevention, and analytics purposes. For more information, see our Cookie Policy at https://finix.com/terms-and-policies/cookie-policy as well as Section 5 below.

Session Replay and Interaction Recording. When you use our platform or Services, we may use session replay and similar technologies to collect and record data about your use of, and interaction with, the Services, including recording certain interactions such as your mouse movements, keystrokes, and other activity. We use these technologies to better understand your interactions with the Services, in order to review and improve the customer experience, improve our marketing outreach, and for troubleshooting purposes.

3. How We Use Information

Finix uses personal information for the following purposes, depending on our role as either a service provider (processing data on behalf of business clients) or as a business (processing data for our own purposes).

To Provide Payment Services. We use personal information to process payment transactions, verify the authenticity and validity of payment methods, facilitate fund transfers and settlements, prevent and detect fraud and unauthorized transactions, comply with payment network rules and requirements, provide transaction history and reporting to our business clients, and resolve disputes including chargebacks and refunds.

For Identity Verification and Compliance. We use personal information to verify the identities of business owners, principals, and beneficial owners as required by anti-money laundering laws, conduct sanctions screening and watchlist checks as required by law, assess the risk associated with potential and current business relationships, comply with Know Your Customer (KYC) and Customer Identification Program (CIP) requirements under the Bank Secrecy Act, meet tax reporting obligations, respond to legal process including subpoenas and court orders, and investigate potential violations of our terms of service or applicable law.

For Fraud Prevention and Security. We use personal information collected across our services to detect patterns indicative of fraud, unauthorized access, or other harmful activity, monitor transactions for unusual or suspicious patterns, verify that transactions are authorized by legitimate account holders, protect our business clients and their customers from financial loss, maintain the security and integrity of our platform and systems, and develop and improve our fraud detection tools and models. This may include analyzing transaction data, device information, behavioral patterns, and information from third-party fraud prevention services. 

To Evaluate and Onboard Business Clients. When a business applies to use Finix services, we use personal information provided by business owners and principals to assess credit risk and business viability, verify business registration and corporate standing, conduct background checks where permitted by law, determine appropriate pricing and terms, open and manage business accounts, and maintain ongoing relationships including account updates and reviews.

For Customer Support and Communications. We use contact information to respond to inquiries and support requests, provide updates about our services, deliver transaction confirmations and receipts, send important notices about account status or changes to our terms and policies, communicate about security issues or potential fraud, and resolve disputes or complaints. We may record customer service calls for quality assurance, training, and dispute resolution purposes where permitted by law.

For Business Operations and Improvement. We use personal information in aggregated or de-identified form to analyze how our services are used, identify trends in payment processing and fraud patterns, develop new products and features, improve the performance and reliability of our platform, conduct internal research and analytics, maintain business records and accounting, and fulfill audit and reporting obligations. We may also use information to evaluate the effectiveness of our marketing and business development efforts.

For Marketing and Advertising. Where permitted by law, we use personal information to market our services to prospective business clients and send promotional communications about new features or services, display targeted advertisements on third-party websites and platforms, measure the effectiveness of our marketing campaigns, and personalize content on our website based on your interests. 

You can opt out of marketing emails by clicking the unsubscribe link in any marketing message or by contacting us at privacy@finix.com. Opting out of marketing communications will not affect service-related communications or communications required by law. For information about opting out, see Section 5 below.

For Legal and Safety Purposes. We may use and disclose personal information as required by applicable law, regulation, legal process, or governmental request, to enforce our agreements and terms of service, to protect the rights, property, or safety of Finix, our business clients, or others, to prevent or investigate possible wrongdoing in connection with our services, or to protect against legal liability.

With Consent or at Your Direction. We may use personal information for other purposes with your consent, at your direction, or as otherwise disclosed at the time of information collection.

De-identified and Aggregated Information. We may use information that has been de-identified or aggregated to the extent permitted by applicable law.

4. How We Share Information

Finix shares personal information with the categories of recipients described below. In many cases, we share information in our role as a service provider on behalf of and at the direction of our business clients. In other cases, we share information for our own business purposes as described in this policy.

With Business Clients. When we process payments on behalf of merchants, platforms, and payment facilitators, we share transaction information and customer data with those business clients as necessary to provide our services. This includes payment confirmations, transaction details, fraud risk assessments, dispute information, and reporting data. Business clients are responsible for their own use and protection of this information. Please refer to their privacy policies.

With Payment Networks and Financial Institutions. We share personal information with payment card networks (Visa, Mastercard, American Express, Discover, and others), issuing banks and card issuers, acquiring banks and payment processors, and ACH networks and banking partners as necessary to authorize and process transactions, investigate fraud and disputes, comply with network rules and requirements, and facilitate fund transfers and settlements.

With Platforms and Integrated Partners. Some of our business clients are software platforms that bring multiple merchants to Finix services. We share merchant and transaction information with these platforms to enable them to provide services to their merchant clients, manage fraud and compliance across their merchant portfolios (including access to masked transaction data for compliance purposes), and fulfill their own reporting and reconciliation obligations.

Platforms and merchants that handle payment card data directly are required to maintain their own PCI DSS compliance. We do not share full unencrypted payment card data with partners unless they demonstrate appropriate security controls and compliance.

With Service Providers and Vendors. We share personal information with third-party service providers who perform services on our behalf, including cloud infrastructure and hosting providers for data storage and processing, identity verification and sanctions screening services, fraud prevention and risk assessment services, customer support and communication platforms, analytics and data processing services, security and threat monitoring services, compliance and audit support providers, legal and professional advisors, and payment processing and banking partners.

These service providers are contractually required to protect personal information, use it only for the purposes we specify, and maintain appropriate security measures. We require service providers to comply with applicable privacy laws and to process personal information only as instructed by Finix. Where permitted by law, our service providers may combine or match the data they collect on our behalf about you, including through cookies, with other data such as names and addresses from third-party databases, for the purpose of direct mail advertising.

With Marketing and Advertising Partners. Where permitted by law, we may share personal information with advertising networks and platforms, analytics providers, social media companies, and marketing service providers to advertise our services, measure the effectiveness of our advertising, and reach potential business clients.

This sharing may constitute a “sale” or “sharing” of personal information as defined under California privacy law. California residents have the right to opt out of this sharing. See Appendix A for more information about opt-out rights available under California law.

Telephone and Text Messaging Data. We do not share telephone numbers, text messaging originator opt-in data, or any information associated with your consent to receive text messages with third parties or affiliates for marketing purposes.

With Professional Advisors. We may share personal information with attorneys, accountants, auditors, and other professional advisors who provide services to Finix, subject to confidentiality obligations.

In Corporate Transactions. If Finix is involved in a merger, acquisition, financing, reorganization, bankruptcy, dissolution, or sale of assets, personal information may be shared with or transferred to the parties involved in the transaction. If such a transaction occurs, the acquiring entity will be required to honor the commitments in this Privacy Policy or provide notice of any changes.

For Legal and Safety Reasons. We may disclose personal information if required by law, court order, subpoena, or other legal process, if we believe disclosure is necessary to comply with legal obligations or respond to lawful requests from public authorities, to enforce our agreements or policies, to protect the rights, property, or safety of Finix, our clients, or the public, to prevent or investigate fraud, security issues, or illegal activity, or to protect against legal liability.

With Consent or at Your Direction. We may share personal information for other purposes with your consent or at your direction.

De-identified and Aggregated Information. We may share information that has been de-identified or aggregated such that it cannot reasonably be used to identify you. This includes industry trends, fraud statistics, payment analytics, and similar aggregate data. We may share this information to the extent permitted by applicable law.

5. Your Rights and Choices

This section describes general rights and choices Finix provides to you. Additional state-specific and country-specific rights are described in the appendices below.

Opting Out of Marketing Communications. You may opt out of promotional emails by clicking the “unsubscribe” link in any marketing message or by contacting us at privacy@finix.com. Please note that even if you opt out of marketing emails, we will still send you transactional and service-related communications such as payment confirmations, account notices, and legally required disclosures.

Digital Advertising & Analytics. We may partner with ad networks and other ad serving providers (“Advertising Providers”) that serve ads on behalf of us and others on non-affiliated platforms.  Some of those ads may be personalized, meaning that they are intended to be relevant to you based on information Advertising Providers collect about your use of our website and other websites or apps over time, including information about relationships among different browsers and devices.  This type of advertising is known as interest-based advertising.

You may visit the DAA Web choices tool at www.aboutads.info to learn more about interest-based advertising and how to opt out across companies participating in the DAA self-regulatory program. You can also exercise choices regarding interest-based advertising on your mobile device by downloading the appropriate version of the DAA’s AppChoices tool at https://youradchoices.com/appchoices.  If you delete your cookies or use a different browser or mobile device, you may need to renew any opt-out choices you have exercised. Please note that opting out does not mean you will stop seeing advertisements; it means the ads you see may be less relevant to your interests.

Analytics Services. We use Google Analytics and other third-party services to improve the performance of our website and for analytics and marketing purposes. For more information about how Google Analytics collects and uses data when you use our website, visit www.google.com/policies/privacy/partners. To opt out of Google Analytics, visit tools.google.com/dlpage/gaoptout.

6. Security and Data Protection

Finix maintains technical, physical, and administrative security measures designed to protect personal information from unauthorized access, destruction, loss, alteration, and misuse. These measures are designed to provide a level of security appropriate to the risk of processing your personal information.

7. Data Retention

We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, enforce our agreements, and for other legitimate business purposes. Retention periods vary depending on the type of information and the purpose for which it was collected.

8. Cross-Border Data Transfers

Finix Payments, Inc. is based in the United States, and Finix Canada, Inc. operates from Canada. However, all data processing and storage occurs in data centers located in the United States. This means that if you are located outside the United States, your personal information will be transferred to, processed in, and stored in the United States.

Legal Frameworks. Data protection laws in the United States may be different from the laws in your jurisdiction. In particular, United States government authorities may have access to personal information under United States law, including the CLOUD Act and national security laws. By using our services or providing information to us, you acknowledge that your personal information will be subject to United States law.

Contractual Protections. Where required by applicable law, we implement appropriate safeguards for international data transfers, including entering into standard contractual clauses or data processing agreements with service providers, implementing technical and organizational measures to protect transferred data, conducting risk assessments for transfers to jurisdictions without adequate data protection, and limiting access to personal information to authorized personnel with legitimate business needs.

The person responsible for the protection of personal information for Finix Canada, Inc. is the Head of Legal, who can be reached at privacy@finix.com or at the address listed in Section 12 below.

Your Consent. By using our services, applying to become a business client, or otherwise providing personal information to us, you consent to the transfer of your personal information to the United States and its processing and storage in accordance with this Privacy Policy and applicable law.

9. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, legal requirements, or for other operational reasons. When we make material changes, we will notify you by updating the “Last Updated” date at the top of this policy and, where required by law, by providing additional notice such as posting a prominent announcement on our website, sending an email to the address associated with your account, or providing notice through our platform.

We encourage you to review this Privacy Policy periodically to stay informed about how we collect, use, and protect your information. Your continued use of our services after we post changes constitutes your acceptance of the updated policy.

For business clients, material changes that affect the processing of payment or customer data may require acceptance of an updated agreement or policy before you can continue using our services.

Our website and platform may contain links to third-party websites, services, or applications that are not operated by Finix. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites or services you visit or use.

Social Media and Integrated Services. Our website may include social media features and integrations (such as LinkedIn, Twitter, or Facebook buttons) that may collect information about your use of our site and enable you to share information on social media platforms. These features are operated by the third-party social media companies and are governed by their privacy policies, not this Privacy Policy.

Business Client Services. When you interact with a merchant, platform, or payment facilitator that uses Finix services, that business’s own privacy policy governs their collection and use of your information. Finix processes information on behalf of these businesses as a service provider, but the business client is responsible for providing appropriate privacy notices and obtaining necessary consents.

Service Provider Privacy Policies. Certain service providers we use, such as Persona Identities, Inc., for identity verification and Plaid Inc., for bank account verification, have their own privacy policies that govern their collection and use of information. We encourage you to review these policies:

11. Information for Specific Audiences

Business Owners and Principals. If you are an owner, officer, director, principal, or beneficial owner of a business that applies to use or uses Finix services, we collect and process your personal information as described in this policy to verify your identity, assess risk, comply with legal obligations, prevent fraud, and manage the business relationship. Even if the business relationship ends, we may retain your information as described in Section 7.

Employees and Job Applicants. If you are a Finix employee or job applicant, our collection and use of your personal information is governed by this Privacy Policy as well as internal human resources policies. You may have additional rights under employment and labor laws. For questions about employee privacy, please contact us at privacy@finix.com.

End Customers. If you are making a purchase or payment to a merchant or platform that uses Finix services, we process your personal information as a service provider or processor on behalf of that business. The merchant or platform is responsible for providing you with privacy notices and honoring your privacy rights. If you have questions about how your information is used, you should contact the merchant or platform directly. However, you may also contact us at privacy@finix.com if you have questions about Finix’s role in processing your information.

Website Visitors. If you are visiting our website without creating an account or submitting a business application, we collect limited information through cookies and similar technologies as described in Section 2 and our Cookie Policy. You can control cookies through your browser settings and exercise other choices as described in Section 5.

Minors. Our services are not directed to individuals under the age of 18, and we do not knowingly collect personal information from minors. If we learn that we have collected personal information from a minor without parental consent, we will delete that information. If you believe we have collected information from a minor, please contact us at privacy@finix.com.

12. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

General Privacy Inquiries:
Email: privacy@finix.com
Mail: Finix Payments, Inc., Attention: Privacy Officer, 760 Market Street, Suite 200, San Francisco, CA 94102

For Canadian Residents (including Quebec):
Email: privacy@finix.com
Person Responsible for Protection of Personal Information: Head of Legal
Mail: Finix Canada, Inc., Attention: Privacy Officer

APPENDIX A: CALIFORNIA RESIDENTS - YOUR PRIVACY RIGHTS

This section applies to California residents and supplements the information in the main body of this Privacy Policy. It addresses our processing of personal information as a “business” for certain activities, including when we collect information from visitors to our website, when we evaluate and onboard business clients, and when we manage employee and applicant information. It describes rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other California privacy laws.

Categories of Personal Information We Collect

In the past 12 months, we have collected the following categories of personal information from California residents:

Identifiers: Name, email address, mailing address, phone number, Social Security number, driver’s license number, passport number, business tax identification number, IP address, device identifiers, account credentials.

Customer Records Information: Name, address, telephone number, bank account number, payment card number, employment information, education information.

Protected Classification Characteristics: Date of birth (used for identity verification and compliance purposes only).

Commercial Information: Transaction history, purchase records, payment method preferences, merchant account details.

Biometric Information: Facial geometry scans derived from identity verification photographs for the purpose of identity verification and fraud prevention.

Internet or Network Activity: Browsing history on our website, search history on our platform, interactions with our website and platform, cookie and tracking data.

Geolocation Data: General location based on IP address (city/region level, not precise GPS coordinates).

Sensory Information: Call recordings when you contact customer support (where permitted and with notice).

Professional Information: Business ownership details, officer and director information, beneficial ownership information, business registration details.

Inferences: Fraud risk scores, creditworthiness assessments, likelihood of business success.

Sources of Personal Information

We collect this information from the following sources:

  • Directly from you when you apply for services, use our platform or website, or contact us

  • From third-party providers (about prospective employees)

  • From identity verification, sanctions screening, and fraud prevention service providers

  • From credit bureaus and business information providers

  • From publicly available sources including business registries

  • Automatically through your use of our website and platform (cookies, log files)

  • From payment networks and financial institutions

Purposes for Collecting and Using Personal Information

We collect and use these categories of personal information for the business and commercial purposes described in Section 3 of this Privacy Policy, including to provide payment processing services, verify identities and comply with legal requirements, prevent and detect fraud, manage business relationships, provide customer support, improve our services, conduct marketing and analytics, manage our applicants and employees, and fulfill legal obligations.

We may use and share de-identified information to the extent permitted by applicable law. When we use de-identified information, we maintain and use the information in de-identified form and do not attempt to re-identify it, except to check whether our de-identification processes satisfy the requirements of applicable law.

Categories of Third Parties to Whom We Disclose Personal Information

In the past 12 months, we have disclosed personal information to the following categories of third parties for business purposes:

  • Payment networks and financial institutions

  • Service providers including cloud hosting, identity verification, fraud prevention, customer support, and analytics providers

  • Professional advisors including attorneys and auditors

  • Government entities and law enforcement (as required by law)

Sale and Sharing of Personal Information

Our Practices. We do not sell personal information in exchange for monetary consideration. However, we may share certain information with advertising and analytics partners in ways that could constitute “sales” or “sharing,” as defined under California law.  We do not knowingly sell or share personal information of individuals under age 18.

In the past 12 months, we have disclosed the following categories of personal information for targeted advertising purposes to advertising networks and platforms, analytics providers, social media companies, and marketing service providers:

  • Identifiers (email addresses, cookie IDs, device IDs)

  • Internet or network activity (website visits, pages viewed)

  • Inferences (interests, preferences)

Sensitive Personal Information

California law provides state residents with the right to limit the use and disclosure of sensitive personal information (including Social Security numbers and biometric information) to only those purposes permitted by law, such as providing services you requested, preventing fraud and security incidents, and complying with legal obligations. We use and disclose sensitive personal information only for these permitted purposes and therefore are not required to offer a right to limit its use or disclosure. If you have any questions about our use and disclosure of sensitive personal information, please contact us at privacy@finix.com.

Your California Privacy Rights

Right to Know. You have the right to request that we disclose the following information covering the 12 months preceding your request:

  • The categories of personal information we collected about you

  • The categories of sources from which we collected the personal information

  • Our business or commercial purpose(s) for collecting, selling, or sharing personal information

  • The categories of third parties to whom we disclose personal information

  • The specific pieces of personal information we collected about you

Right to Delete. You have the right to request that we delete personal information we collected from you, subject to certain exceptions under law.

Right to Correct. You have the right to request that we correct inaccurate personal information we maintain about you.

Right to Opt Out of Sale or Sharing. You have the right to opt out of the sale or sharing of your personal information. 

Right to Non-Discrimination. We will not discriminate against you for exercising any of these rights, including by denying services, charging different prices, providing different service levels, or suggesting you will receive different prices or service levels.

How to Exercise Your Rights

To exercise your right to know, delete, or correct, contact us at:

To exercise your right to opt out of sale or sharing:

Verification. For all requests except requests to opt out, we will verify your identity before processing your request by asking you to provide information that matches information we have on file, such as your name, email address, business name, transaction details, or account information. For deletion requests or requests to access specific pieces of data, we may request additional information from you to perform verification.

Authorized Agents. You may designate an authorized agent to submit requests on your behalf. For verifiable consumer requests, such as requests to know, delete, or correct, we will require written proof of agent authorization, and we may also require you to verify your identity directly with us.

Response Time. We will respond to verified requests as required by law and within 45 days. If we need more time (up to an additional 45 days), we will notify you of the extension and the reason for it.

APPENDIX B: CANADIAN RESIDENTS - YOUR PRIVACY RIGHTS

This section applies to residents of Canada and supplements the information in the main body of this Privacy Policy. In Canada, Finix Canada, Inc. controls and is accountable for the personal information that we collect, use, and disclose. 

Our Role and Responsibilities

In most cases, Finix acts as a service provider or data processor, handling personal information on behalf of our business clients (merchants and platforms) according to their instructions. However, Finix acts as a data controller or business for certain activities, including when we collect information from business owners and principals during client onboarding and verification, collect information from website visitors, and manage employee and applicant information.

For data we control, we are responsible for protecting your privacy rights under Canadian law. For data we process on behalf of business clients, those businesses are responsible for honoring your rights, and you should direct privacy requests to them.

We collect information about you directly from you unless we have your consent or are legally permitted to collect your personal information indirectly. We will only collect, use and disclose your personal information with your consent, unless otherwise permitted or required by law. Your consent may be express or implied, depending on the circumstances and the sensitivity of the information involved. You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.

Person Responsible for Protection of Personal Information. The person responsible for ensuring Finix’s compliance with Canadian privacy laws is:

Head of Legal

  • Email: privacy@finix.com

  • Mail: Finix Payments, Inc., 760 Market Street, Suite 200, San Francisco, CA 94102

Cross-Border Data Transfers

All personal information collected in Canada is transferred to and processed in data centers located in the United States. This means your personal information will be subject to United States federal and state laws, including laws that may allow United States government authorities to access your information in certain circumstances.

We have implemented appropriate safeguards for this transfer, including contractual protections with our service providers, encryption and security controls, and access restrictions to ensure personal information is protected in accordance with Canadian privacy principles.

We conduct a Privacy Impact Assessment for the transfer of personal information outside of Quebec, evaluating the risks associated with such transfers, and we implement measures to mitigate those risks.

Your Privacy Rights Under Canadian Law

Depending on the jurisdiction in which you reside, you may have the following rights:

Right of Access. You have the right to request access to personal information we hold about you, including information about how we use and disclose that information. We will provide this information in a form that is generally understandable.

Right to Correction. If personal information we hold about you is inaccurate or incomplete, you have the right to request that we correct it.

Right to Withdraw Consent. Where we process personal information based on your consent, you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of processing based on consent before its withdrawal, but may impact our ability to continue providing services to you.

Right to File a Complaint. If you believe we have not complied with Canadian privacy laws, you have the right to file a complaint with a privacy regulator.

Right to Portability. You may have the right to receive personal information we hold about you in a structured, commonly used, technological format and, where technically feasible, to have it transmitted to another organization.

Right to De-Indexing. You may request in certain circumstances that we cease disseminating personal information through technological means that allow it to be located using a search function (such as search engines), subject to certain exceptions.

Right to Deletion. You may have the right to request deletion of your personal information, subject to our legal obligations to retain certain information as described in Section 7 of this Privacy Policy.

How to Exercise Your Rights

To exercise your rights under Canadian privacy law:

  • Email: privacy@finix.com

  • Mail: Person Responsible for Privacy Protection, Finix Payments, Inc., 760 Market Street, Suite 200, San Francisco, CA 94102

We will respond to your request within 30 days (or such other period as specified by applicable law). If we need additional time, we will notify you of the extension and the reason for it.

Verification. We will verify your identity before processing your request by asking you to provide information that matches our records. For sensitive requests, we may require additional verification.

Fees. We do not charge a fee for responding to access requests, except in limited circumstances where permitted by law (such as when requests are manifestly unfounded, excessive, or repetitive).

APPENDIX C: BIOMETRIC INFORMATION PRIVACY NOTICE

This Biometric Information Privacy Notice supplements the information in the main body of this Privacy Policy and provides additional details about our collection and use of biometric information, as required by applicable laws including in Illinois, Texas, California, Washington, and Quebec.

What Biometric Information We Collect

Finix and our service providers process biometric information consisting of scans of facial geometry for the purpose of verifying the identity of business owners, principals, beneficial owners, and/or authorized representatives. This occurs when you apply to become a Finix business client or when we verify your identity for ongoing compliance purposes.

The biometric information is created by analyzing a photograph of your face (a “selfie” that you provide) and comparing it to the photograph on a government-issued identification document (such as a driver’s license or passport) that you also provide. The analysis creates a mathematical representation of facial features (facial geometry) to determine whether the person in the selfie is the same person depicted in the identification document.

We use a third-party service provider, Persona Identities, Inc., to perform this biometric verification. Persona’s technology extracts facial geometry data from the images, compares the two representations, and provides us with a verification result (match or no match). Neither Finix nor Persona stores the raw facial geometry data in biometric template form for more than 30 days; however, we retain the source photographs (selfie and ID image) from which the geometry was derived.

Why We Collect Biometric Information

We collect and use biometric information for the following purposes:

Identity Verification. To verify that the person applying for an account or authorized to act on behalf of a business is who they claim to be, fulfilling our obligations under anti-money laundering and Know Your Customer requirements.

Fraud Prevention. To prevent identity theft, account takeover, and other fraudulent activity by ensuring that identity documents have not been stolen or used by unauthorized individuals.

Compliance with Law. To comply with federal anti-money laundering requirements under the Bank Secrecy Act and related regulations, which require us to verify the identities of business owners and principals.

We do not use biometric information for any purpose other than those stated above. We do not sell, lease, or trade biometric information. We do not disclose biometric information to third parties except to our service provider (Persona) for the purposes described above and as required by law.

Illinois, Texas, Washington, and California Residents. Before collecting your biometric information, we will obtain your informed written consent. This consent will be provided separately from any general terms and conditions and will specifically inform you that biometric information is being collected, the purpose for collection, and the retention period.

You may refuse to provide biometric information. If you refuse, we will attempt to verify your identity through alternative means, such as manual review of identity documents, video verification calls, or other methods. However, if we are unable to verify your identity to the standard required by law and our risk policies, we may not be able to provide services to you.

Quebec Residents. We collect biometric information from Quebec residents only for the serious and legitimate purposes described above (identity verification, fraud prevention, legal compliance) in accordance with applicable laws. We obtain your explicit consent before collecting biometric information. You may withdraw consent at any time, but this may affect our ability to provide services.

How We Protect Biometric Information

Biometric information is subject to enhanced security measures:

  • Encryption during transmission and storage

  • Access restricted to authorized personnel with legitimate business needs

  • Storage in secure, PCI-compliant data centers

  • Contractual protections with our service provider (Persona) requiring confidentiality and security

  • Regular security assessments and monitoring

  • Incident response procedures for unauthorized access or disclosure

Retention and Destruction of Biometric Information

We retain source photographs (selfie and ID image) derived from biometric information for 3 years from your last interaction with Finix. After this period, we permanently destroy the biometric information by securely deleting it from our systems and backups.

“Last interaction” means the most recent of: the date you last accessed your account, the date of your last transaction, the date you last contacted us, or the date we last contacted you for account verification purposes.

In some cases, we may be required by law to retain biometric information for longer periods, such as when the information is subject to a legal hold or is necessary for ongoing fraud investigations or legal proceedings. In such cases, we will delete the information as soon as the legal requirement expires.

Illinois Residents - Specific Notice. Under Illinois’ Biometric Information Privacy Act (740 ILCS 14/1 et seq.), we are required to publicly disclose our biometric information retention and destruction practices. This notice, along with the retention practices described in Section 7 of the main Privacy Policy, constitutes our written policy on biometric information retention and destruction as required by Illinois law.

Your Rights Regarding Biometric Information

Access and Correction. You may request access to the biometric information we hold about you and request correction if it is inaccurate.

Deletion. You may request deletion of your biometric information at any time. We will delete it within 30 days of your request, unless we are required by law to retain it (for example, if it is subject to a legal hold or necessary for an ongoing investigation). Please note that requesting deletion of your biometric information may prevent us from verifying your identity in the future and may affect your ability to use our services.

Opt-Out of Future Collection. You may opt out of future biometric collection by notifying us that you do not wish to provide biometric information. We will attempt to use alternative verification methods, but this may limit our ability to provide services if we cannot verify your identity to required standards.

To exercise these rights, contact us at privacy@finix.com or at the address in Section 12 of this Privacy Policy.

Questions or Concerns

If you have questions about our biometric information practices or concerns about how your biometric information is handled, contact us at:

  • Email: privacy@finix.com

  • Mail: Finix Payments, Inc., Attention: Privacy Officer, 760 Market Street, Suite 200, San Francisco, CA 94102

Illinois Residents. If you have concerns that we have not resolved, you may file a complaint with the Illinois Attorney General’s Office:

Illinois Attorney General’s Office, 100 West Randolph Street, Chicago, IL 60601

  • Phone: (312) 814-3000

  • Website: www.illinoisattorneygeneral.gov

Washington Residents. You may contact the Washington State Attorney General’s Office:

Washington State Attorney General’s Office, 1125 Washington Street SE, PO Box 40100, Olympia, WA 98504-0100

  • Phone: (360) 753-6200

  • Website: www.atg.wa.gov

End of Privacy Policy

This Privacy Policy was last updated on March 26, 2025 and is effective as of that date.

For questions, contact: privacy@finix.com