1. INTRODUCTION
Global PayEx, Inc. and Global PayEx Technologies Private Limited (together, “Global PayEx,” “we,” “us,” or “our”) respect the privacy of users (“User,” “your,” or “you”) of our services. This Privacy Policy (the “Privacy Policy”) explains how we collect, use, disclose, and safeguard your information when you access or use the Global PayEx platform (the “Platform”) through our website at https://www.globalpayex.com/ (the “Website”) or our mobile application FreePay (the “App”).
Our services are intended for enterprise and business users in a commercial context. The Website, App, and Platform are not consumer products.
In most cases, Global PayEx acts as a processor on behalf of enterprise customers and banking partners (the controllers), processing personal information only on their documented instructions. Where we determine the purposes and means of processing — for example, in operating our Website, managing our own corporate communications, or maintaining the security of our infrastructure — Global PayEx acts as a controller.
Capitalised terms not defined here have the meaning given in our Terms of Use or Terms of Service, as applicable.
PLEASE READ THIS PRIVACY POLICY CAREFULLY. BY ACCESSING OR USING THE WEBSITE, APP, OR PLATFORM, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY. THIS PRIVACY POLICY IS A TRANSPARENCY NOTICE PROVIDED IN ACCORDANCE WITH APPLICABLE DATA-PROTECTION LAW AND IS NOT INTENDED TO CONSTITUTE A CONTRACTUAL CONSENT MECHANISM. WHERE YOUR CONSENT IS REQUIRED FOR A SPECIFIC PROCESSING ACTIVITY, WE WILL OBTAIN IT SEPARATELY AND IN ACCORDANCE WITH APPLICABLE LAW.
Questions about this Privacy Policy may be sent to [email protected].
We do not sell your personal information, and we do not “share” personal information for cross-context behavioural advertising as those terms are defined under the California Consumer Privacy Act, as amended.
We share personal information with sub-processors and partners only as described in Sections 11 and 22 below, and only under written agreements that require equivalent protection.
2. INFORMATION WE COLLECT
When you register or use the Website, App, or Platform, we collect the following categories of information:
a. Identity and Contact Information
Name, business email address, phone number, business address, job title, employer, and (for Hong Kong applicants) résumé and cover letter.
b. Account and Authentication Information
Username, password (stored hashed), authentication tokens, and two-factor authentication identifiers.
c. Financial and Transaction Information
Bank account details, payment instrument identifiers, invoice and remittance data, and transaction metadata necessary to provide AR/AP automation, reconciliation, and embedded financing services. We share payment instrument data with regulated payment processors as required to complete a transaction.
d. Device, Network, and Usage Information
IP address, device identifiers, browser type and version, operating system, geolocation derived from IP, log files, page views, click paths, and timestamps.
e. Cookies and Similar Technologies
Cookies, web beacons, pixels, and local storage. See Section 7 (“Cookies and Similar Technologies”).
f. Communications
Records of correspondence with us, including emails, in-product messages, support tickets, and call recordings (where lawful and disclosed at the time of the call).
g. Sensitive Personal Information
We do not seek to collect special-category data under GDPR Article 9, “sensitive personal information” under the CCPA/CPRA, or “sensitive personal data or information” under the Indian DPDP Act 2023 and the IT Rules 2011. If such data is provided to us inadvertently in free-text fields or uploaded documents, we apply heightened access controls and minimise retention.
h. Mandatory vs. Optional Information
We distinguish between mandatory information (required to provide the service or to authenticate you) and optional information (provided voluntarily to enhance your experience):
| Region | Mandatory (App) | Optional / Voluntary |
|---|---|---|
| Hong Kong | Name, email address, phone number | Resume, cover letter (Website careers form only) |
| EU / UK / EEA | Name, business email, authentication credentials | Job title, profile photo, marketing preferences |
| India | Name, business email, phone number | Profile photo, marketing preferences |
| United States | Name, business email, authentication credentials | Job title, profile photo, marketing preferences |
| Canada | Name, business email, authentication credentials | Job title, profile photo, marketing preferences |
Refusal to provide optional information will not affect the quality of the core service. Refusal to provide mandatory information will prevent authentication.
i. Know-Your-Customer (KYC) and Anti-Money-Laundering (AML) Information
Where Global PayEx is offered through a banking or financial-institution partner (such as BMO, JPMorgan, BNP Paribas, or SMBC), KYC, AML, sanctions-screening, and customer-due-diligence checks are performed by that banking partner under its own regulatory authorisations. Global PayEx does not store full KYC documentation (for example, government identity documents, beneficial-ownership certificates, or proof-of-address evidence) on our systems. We may receive limited status indicators from the banking partner (for example, a verified/unverified flag or a sanctions-clear indicator) to enable the service. Where a customer engages Global PayEx directly without a banking-partner channel, we do not collect KYC documentation; we rely on our customer’s own onboarding records.
3. HOW WE COLLECT INFORMATION
We collect personal information:
(a) directly from you when you register, complete forms, upload documents, or contact us;
(b) from your employer or our enterprise customer when they enrol you on the Platform under a master services agreement;
(c) from our banking and channel partners (e.g., BMO, JPMorgan, BNP Paribas, SMBC) when they introduce you to our white-label products;
(d) automatically through cookies, log files, and similar technologies as you navigate the Website or App; and
(e) from third-party service providers, such as identity-verification, fraud-prevention, and credit-bureau partners.
4. LEGAL BASES FOR PROCESSING (GDPR / UK GDPR)
Where GDPR or UK GDPR applies, we rely on the following legal bases:
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing the Platform, processing transactions, performing reconciliation, providing embedded financing | Performance of a contract (Art. 6(1)(b)) or, where you are an authorised user of an enterprise customer, our legitimate interest in delivering the contracted service to that customer (Art. 6(1)(f)) |
| KYC, AML, sanctions screening, tax reporting, regulatory cooperation | Compliance with a legal obligation (Art. 6(1)(c)) |
| Account security, fraud prevention, abuse detection, audit logging | Legitimate interests (Art. 6(1)(f)) — necessary to protect the Platform and our users |
| Service analytics, product improvement, training of internal models on de-identified data | Legitimate interests (Art. 6(1)(f)) — balanced against your rights, with opt-out where required |
| Direct marketing of additional products and any optional cookies | Consent (Art. 6(1)(a)), withdrawable at any time |
5. HOW WE USE YOUR INFORMATION
We use personal information to:
provide, operate, maintain, and improve the Website, App, and Platform;
authenticate users and secure accounts (including two-factor authentication);
process transactions, generate invoices, perform reconciliation, and enable embedded financing;
communicate with you about your account, transactions, service updates, and security alerts;
respond to enquiries and provide customer support;
comply with legal, regulatory, and audit obligations;
detect, investigate, and prevent fraud, abuse, and security incidents;
conduct analytics and research using de-identified or aggregated data; and
with your consent, send marketing communications. We do not display third-party advertising on the Website, App, or Platform.
6. AUTOMATED PROCESSING AND ARTIFICIAL INTELLIGENCE
Certain Global PayEx products — including AlgoriQ (cash application and reconciliation), FinEX (embedded financing), and ApEX (accounts-payable automation) — use machine-learning and rules-based models to suggest matches, classify transactions, score risk, and automate workflows.
These models support, rather than replace, human decision-making:
Outputs are recommendations and confidence scores reviewed by our customer’s authorised users before any externally-binding action (e.g., release of payment, extension of credit) is taken.
We do not use these models to make decisions producing legal or similarly significant effects on you within the meaning of GDPR Article 22 without human review.
Where you believe an automated output is incorrect, you may contact your administrator or [email protected] to request human review.
Training data for our models is drawn from de-identified or aggregated transactional data. We do not use one customer’s data to train models that benefit other unrelated customers, except where expressly authorised in writing by the relevant enterprise customer.
7. COOKIES AND SIMILAR TECHNOLOGIES
“Cookies” in this Policy include cookies, pixels, web beacons, SDKs, and local storage. We use these technologies to:
operate the Website and App (strictly necessary cookies);
remember your preferences and authentication state (functional cookies); and
understand aggregated usage of the Platform (analytics cookies).
We do not display third-party advertising on the Website, App, or Platform, and we do not use cookies for cross-context behavioural advertising or retargeting.
Where required by law (including the EU ePrivacy Directive and UK PECR), we obtain consent before placing non-essential cookies through a cookie banner. You can withdraw consent at any time via the cookie preferences link in the Website footer. We honour Global Privacy Control (GPC) and Do Not Track signals where technically feasible.
We use Google Analytics for aggregated usage measurement only, configured to anonymise IP addresses and to disable advertising features. To learn more or opt out of Google Analytics, visit https://tools.google.com/dlpage/gaoptout.
8. INFORMATION SECURITY
We maintain a documented information-security programme aligned with industry standards. Global PayEx holds the following independent certifications and attestations:
SOC 2 Type II
SOC 1 Type I
ISO 27001
PCI-DSS
We also maintain compliance programmes for the EU and UK General Data Protection Regulations and the Indian Digital Personal Data Protection Act, 2023.
Operational controls include:
encryption of personal information in transit (TLS 1.2+) and at rest (AES-256 or equivalent);
network segmentation, firewalls, and intrusion-detection across cloud-native infrastructure;
role-based access control, least-privilege, and mandatory multi-factor authentication for personnel;
continuous monitoring, alerting, and 24×7 incident response;
regular vulnerability scanning, penetration testing, and software-composition analysis;
PCI-DSS-aligned controls for environments handling cardholder data, with payment processing delegated to PCI-DSS Level 1 service providers;
secure software-development lifecycle, code review, and a published vulnerability-disclosure channel;
annual independent audits and continuous compliance monitoring; and
personnel background checks, mandatory privacy and security training, and binding confidentiality obligations.
No method of internet transmission or electronic storage is fully secure. Where you have been issued a password, you are responsible for keeping it confidential. We are not responsible for circumvention of privacy or security measures by users.
9. PERSONAL DATA BREACH NOTIFICATION
In the event of a personal data breach affecting your information, we will:
notify the relevant supervisory authority without undue delay, and where required by law within 72 hours of becoming aware of the breach (consistent with GDPR Article 33 and the UK GDPR);
notify affected users without undue delay where the breach is likely to result in a high risk to your rights and freedoms (GDPR Article 34);
for users in Canada, notify you and the Office of the Privacy Commissioner where the breach creates a real risk of significant harm (PIPEDA);
for users in India, comply with the breach-notification requirements of the DPDP Act 2023 and CERT-In Directions, including notification to CERT-In within six hours of detection where applicable; and
provide the information required by applicable law, including the nature of the breach, categories and approximate number of individuals affected, likely consequences, and mitigation measures taken or proposed.
10. DATA RETENTION
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, regulatory, or reporting requirements:
| Category | Retention Period |
|---|---|
| Account and authentication data | Duration of the user account plus 12 months |
| Transaction and reconciliation records | Typically 7 years from transaction date, or longer where required by applicable law (financial-records retention obligations vary by jurisdiction, including under the Indian Companies Act and US tax-record requirements) |
| KYC / AML status indicators received from banking partners | 8 years after end of business relationship, or longer where required by law |
| Marketing preferences and consent records | Until withdrawn, or 3 years of inactivity, whichever is earlier |
| Website analytics and aggregated logs | Up to 26 months in identifiable form, then aggregated |
| Support tickets and correspondence | 3 years after closure of the ticket |
| Backup and disaster-recovery copies | 90 days rolling, then overwritten |
After the applicable period, we delete or anonymise the data so it can no longer be associated with you.
11. DISCLOSURE OF PERSONAL INFORMATION
We disclose personal information only in the following circumstances:
a. To Our Affiliates and Subsidiaries
Within the Global PayEx group, under intra-group data-transfer agreements that ensure equivalent protection.
b. To Sub-processors and Service Providers
To vendors that host, support, secure, and operate the Platform on our behalf, including those listed in Section 22. All sub-processors are bound by written agreements requiring confidentiality, security, and use restrictions consistent with this Policy.
c. To Banking and Channel Partners
Where you access Global PayEx through a white-label or co-branded service offered by one of our banking partners (such as BMO, JPMorgan, BNP Paribas, or SMBC), we share your data with that partner under a written agreement to deliver the service. In these arrangements, the banking partner typically acts as an independent data controller for the personal information it processes in connection with its banking relationship with you, and Global PayEx acts as a processor or sub-processor of that banking partner. Each banking partner is independently responsible for its own privacy practices and you should consult its privacy notice for further information.
d. For Legal and Regulatory Reasons
To comply with valid legal process, court orders, or government requests; to enforce our agreements; to protect the rights, property, and safety of Global PayEx, our users, and the public; and to cooperate with fraud-prevention and credit-risk-reduction efforts.
e. Business Transfers
In connection with a merger, acquisition, financing, reorganisation, sale of assets, or insolvency event, with continuing protection of your information.
f. With Your Consent
For any other purpose disclosed at the time of collection, with your consent.
We do not sell, rent, or otherwise commercialise personal information to third parties for their independent marketing, and we do not “share” personal information for cross-context behavioural advertising.
12. INTERNATIONAL DATA TRANSFERS
Global PayEx operates in India, Ireland, the United States, Ghana, Uganda, and other jurisdictions. Personal information may be transferred to, stored in, and processed in any country in which we or our sub-processors operate. By using the Platform, you understand that your information may be transferred outside your country of residence.
Data residency may vary by deployment model and customer agreement. In particular, where a customer engages a regional-hosting or on-premises deployment of the Platform (for example, an EU-only or India-only deployment as part of an ERP-Connect or enterprise rollout), personal information processed under that deployment is held within the agreed region or environment.
Where we transfer personal information from the EEA, the United Kingdom, or Switzerland to a country that has not been recognised as providing an adequate level of protection, we rely on appropriate safeguards, including:
the European Commission’s Standard Contractual Clauses adopted under Implementing Decision (EU) 2021/914 (the modular SCCs);
the UK International Data Transfer Addendum to the EU SCCs, or the UK International Data Transfer Agreement, as applicable;
the Swiss Federal Data Protection and Information Commissioner’s recognition of the EU SCCs with Swiss-specific amendments;
supplementary measures (encryption, access controls, and transfer-impact assessments where required following the Schrems II judgment); and
the EU-US Data Privacy Framework where the recipient is certified, as a complementary mechanism.
A copy of the relevant transfer mechanism may be requested from [email protected] (commercially-sensitive terms may be redacted).
13. YOUR RIGHTS UNDER GDPR AND UK GDPR
If you are located in the EEA, the United Kingdom, or Switzerland, you have the following rights, subject to applicable exceptions:
Access — to request confirmation of, and a copy of, the personal information we hold about you;
Rectification — to request correction of inaccurate or incomplete information;
Erasure — to request deletion of personal information (the “right to be forgotten”), subject to statutory retention requirements;
Restriction — to request that we limit the processing of your information in defined circumstances;
Objection — to object to processing based on our legitimate interests, including profiling, and to object at any time to direct marketing;
Portability — to receive your information in a structured, commonly-used, machine-readable format and to have it transmitted to another controller where technically feasible;
Withdraw Consent — where processing is based on consent, to withdraw at any time without affecting prior lawful processing;
Not be Subject to Solely Automated Decisions — to request human review of decisions producing legal or similarly significant effects on you that are made solely by automated means; and
Lodge a Complaint — with the supervisory authority in your jurisdiction. EEA authorities are listed at https://www.edpb.europa.eu/about-edpb/about-edpb/members_en. The UK authority is the Information Commissioner’s Office at https://ico.org.uk.
To exercise any of these rights, contact [email protected] or write to Global PayEx, 38 Tower Drive, Darien, Connecticut 06820, USA. We will respond within one month, extendable by two further months for complex requests, and will inform you of any extension. We may need to verify your identity before acting on your request.
14. YOUR RIGHTS UNDER CALIFORNIA LAW (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”), gives you the following rights:
Right to Know — request the categories and specific pieces of personal information we have collected about you, the sources, the business or commercial purpose, and the categories of third parties to whom it has been disclosed;
Right to Delete — request deletion of personal information we have collected from you, subject to legal exceptions;
Right to Correct — request correction of inaccurate personal information;
Right to Opt Out of Sale or Sharing — opt out of the sale or sharing of personal information for cross-context behavioural advertising. We do not sell personal information and we do not “share” personal information for cross-context behavioural advertising;
Right to Limit Use of Sensitive Personal Information — direct us to limit use and disclosure of sensitive personal information to that necessary to provide the requested service;
Right to Non-Discrimination — we will not discriminate against you for exercising any of these rights; and
Right to Authorised Agent — designate an authorised agent to make a request on your behalf, subject to verification.
To exercise these rights, email [email protected] or write to Global PayEx, 38 Tower Drive, Darien, Connecticut 06820. We will verify your identity and respond within 45 days (extendable by a further 45 days where reasonably necessary). We honour Global Privacy Control signals as opt-out-of-sale/sharing requests.
We have not sold or shared personal information of consumers under 16 years of age in the preceding 12 months.
15. FOR USERS IN CANADA
If you are a Canadian resident, the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws give you rights to access, correct, and (in defined circumstances) delete your personal information. To exercise these rights, contact [email protected].
We will respond within 30 calendar days. We notify affected individuals and the Office of the Privacy Commissioner of Canada of breaches involving a “real risk of significant harm” and maintain a record of all breaches available to the Commissioner on request.
16. FOR USERS IN INDIA
If you are located in India, this Section applies in addition to the rest of this Policy. We process your personal data in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, as applicable.
You have the right to:
obtain a summary of personal data being processed and the processing activities undertaken;
request correction, completion, updating, or erasure of your personal data;
nominate another individual to exercise these rights in the event of your death or incapacity;
a grievance-redressal mechanism — please contact our India Grievance Officer (Section 25); and
approach the Data Protection Board of India in the event of unresolved grievances.
We process personal data only for lawful purposes for which you have given consent or for legitimate uses recognised under the DPDP Act. Where consent is the basis, you may withdraw it at any time, with effect from the time of withdrawal.
17. FOR USERS IN HONG KONG
If you are located in Hong Kong, we comply with the Personal Data (Privacy) Ordinance (PDPO). In addition to the rights described elsewhere:
Access — you may request a copy of personal data we hold about you, unless an exemption applies;
Correction — you may request correction of inaccurate or incomplete data; we may refuse if we reasonably believe the data is accurate or the proposed correction is itself inaccurate; and
Direct Marketing — we will only use your personal data for direct marketing with your prior consent and you may opt out at any time.
We will respond to access and correction requests within 40 calendar days. Without your prior consent, we will not disclose your personal data to any third party other than as described in Section 11.
18. CHILDREN’S PRIVACY
The Website, App, and Platform are intended for business users and are not directed to children under the age of 13 (or under the age of 16 in the EEA, the United Kingdom, and certain other jurisdictions, as applicable). We do not knowingly collect personal information from children.
If we become aware that we have collected personal information from a child without verifiable parental consent, we will delete that information promptly. Parents and guardians who believe their child has provided personal information to us may contact [email protected].
19. EMAIL COMMUNICATIONS (CAN-SPAM ACT)
Marketing emails sent by Global PayEx to US recipients comply with the CAN-SPAM Act of 2003. We will not use false or misleading headers, will identify commercial messages, will include our physical address (Global PayEx, 38 Tower Drive, Darien, CT 06820), will honour unsubscribe requests promptly, and will provide an unsubscribe mechanism in every commercial email.
To opt out of marketing emails, use the unsubscribe link in any message or email [email protected].
20. DATA PROTECTION OFFICER
We have appointed a Data Protection Officer who serves as a liaison with supervisory authorities and as the point of contact for data-protection matters.
Name: Michael Essandoh
Email: [email protected]
General privacy contact: [email protected]
21. GOVERNANCE: RoPA, DPIA, AND DATA MINIMISATION
Record of Processing Activities (RoPA) — we maintain a RoPA documenting categories of data subjects, categories of personal data, processing purposes, recipients, retention, transfers, and security measures, in accordance with GDPR Article 30.
Data Protection Impact Assessments (DPIA) — we conduct DPIAs for new high-risk processing activities, systems, or features, and review them at least annually.
Data Minimisation — we collect only the minimum personal data necessary for the purposes set out in this Policy.
Pseudonymisation and Anonymisation — where compatible with the processing purpose, we apply pseudonymisation, anonymisation, and aggregation techniques to reduce identifiability. Statistical, analytical, and audit processing uses anonymised or pseudonymised data wherever feasible.
No Re-identification — we do not maintain additional identifying information solely to re-identify pseudonymised data.
22. SUB-PROCESSORS AND THIRD-PARTY SERVICE PROVIDERS
We engage the following categories of sub-processors. The current named list of sub-processors is available on request to [email protected], is provided to enterprise customers under contract, and is updated as new providers are engaged.
| Category | Examples | Location |
|---|---|---|
| Cloud infrastructure and hosting | Amazon Web Services, Microsoft Azure, Google Cloud, DigitalOcean | United States, EU, India |
| Database and data platform | MongoDB Atlas, Elastic Cloud | United States, EU |
| Email and communications | SendGrid, Textlocal | United States, United Kingdom |
| Payments and financial messaging | Stripe, PayPal, banking partners (BMO, JPMorgan, BNP Paribas, SMBC) | Various |
| Identity verification, fraud, and credit reference | Engaged on a per-customer basis through our banking partners | Various |
| Analytics and product telemetry | Google Analytics (advertising features disabled) | United States, EU |
| Customer support and ticketing | Internal Global PayEx support platform | India, Ireland |
23. COPYRIGHT INFRINGEMENT (DMCA)
Notices of claimed copyright infringement under the Digital Millennium Copyright Act may be sent to our designated agent. The notice must include the elements required by 17 U.S.C. §512(c)(3), including:
your physical or electronic signature;
identification of the copyrighted work claimed to have been infringed;
identification of the allegedly infringing material and information sufficient to locate it;
your contact information;
a good-faith statement that the use is not authorised; and
a statement, under penalty of perjury, that the information is accurate and that you are the copyright owner or authorised to act on the owner’s behalf.
Designated Agent: [email protected] (with escalation to Abhilash Edakadampil, [email protected]), Global PayEx, Attn: DMCA Notice, 38 Tower Drive, Darien, Connecticut 06820. Misrepresentations may result in liability under 17 U.S.C. §512(f).
24. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time. The “Last Updated” date at the top reflects the date of the most recent revision. For material changes, we will provide reasonable advance notice — for example by email, in-product notification, or a prominent notice on the Website — and, where required by applicable law, will obtain renewed consent. Your continued use of the Website, App, or Platform after the effective date of an updated Privacy Policy constitutes acceptance of the updated terms.
25. CONTACT US
Questions, comments, or requests regarding this Privacy Policy or our privacy practices may be directed to:
Privacy Officer — [email protected]
Data Protection Officer — Michael Essandoh, [email protected]
India Grievance Officer (DPDP Act) — [email protected]
Postal — Global PayEx, 38 Tower Drive, Darien, Connecticut 06820, USA
BY USING THE WEBSITE, APP, OR PLATFORM YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY.