CPOS Privacy Policy
Last updated: 07 January 2026
1) Who we are and how to contact us
This Privacy Policy explains how CPOS Inc. (“CPOS,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information when you visit https://cpos.com, https://hub.cpos.com (together, the “Websites”), use our applications, or interact with our related services and features (collectively, the “Services”).
Controller / Responsible Entity: CPOS Inc., 251 Laurier Avenue West, Ottawa, Ontario, K1P 5J6, Canada.
Privacy contact: privacy@cpos.com (preferred) or the postal address above.
If you are a resident of the UK/EU or other jurisdictions with data protection authorities, you may also have the right to lodge a complaint with your supervisory authority.
2) Scope & roles we play
This Policy applies to personal information we process as a controller (e.g., Website visitors, account holders, marketing contacts). Where we host or process information for a business customer under their instructions (e.g., merchant use of our Services), we act as a processor/service provider and process that information solely on their instructions and pursuant to our agreement and data processing terms. (This mirrors market‑standard DPA role splits.)
3) Key terms
“Personal information” (or “personal data”) means information that identifies or can be reasonably linked to an individual.
“Processor/Service Provider” and “Controller” are used as defined in applicable law.
“Usage Data” includes device, technical, and interaction data generated by your use of the Services.
4) What we collect
Information you provide may include, but is not limited to
- Identity & contact: name, email, phone, address, company.
- Account & support: credentials, preferences, support tickets, survey responses, interview or research participation details (if you opt in).
- Marketing choices: newsletter subscriptions, consent records, and related preferences.
Information collected automatically (Usage Data)
IP address, device identifiers, browser type, pages viewed, timestamps, crash logs, and similar diagnostic/telemetry; when using mobile, device OS and identifiers.
Information from third parties
We may receive contact and firmographic details from partners/CRMs, and insights from analytics/advertising platforms to understand website performance and campaign effectiveness. Examples include online identifiers (cookies, pixels, ad IDs), behavior logs, and partner‑supplied contact data.
Sensitive data
We generally do not seek sensitive categories (e.g., health, precise biometrics). If a feature requires identity verification or fraud screening, we will provide appropriate notice and safeguards and will not use such data for unrelated purposes.
5) Cookies & similar technologies
We use cookies, pixels, SDKs, and similar technologies to operate the Services, remember preferences, analyze usage, and (where permitted) tailor content/ads. You can disable or limit these technologies through your browser or device settings. If you do, some functions may not work properly or certain features might no longer be available.
6) How we use personal information (purposes & legal bases)
Purposes (apply globally):
- Provide, secure, and maintain the Services; personalize your experience; diagnose and fix issues.
- Account administration and customer support.
- Communicate about updates, transactional notices, and—if you opt in or it’s permitted—marketing.
- Analytics to understand behavior and improve product, features, performance, UX and marketing.
- Safety, fraud detection, and legal compliance.
- Business continuity (e.g., M&A, reorganizations) as allowed by law.
Legal bases (UK/EU; illustrative table): consent; performance of a contract; legal obligation; vital interests; and legitimate interests (e.g., improving services, securing systems, and limited direct marketing, subject to opt‑out). We provide human review and the right to contest decisions where automated processing significantly affects you.
7) Analytics, advertising & CRM
- Analytics (e.g., Amplitude): We (or our providers) capture event/usage data and device/network signals to understand feature adoption and improve performance. Depending on your jurisdiction, we use non‑essential analytics only with consent (see cookie banner).
- Advertising/retargeting (e.g., Google/Meta/TikTok): We may use hashed identifiers and event data for measurement and targeted advertising. You can opt out via our banner, relevant platform controls. In U.S. jurisdictions with “sharing” rules, this may be deemed sharing for cross‑context behavioral advertising—see “Your U.S. rights.”
- Email & CRM (e.g., HubSpot): We process contact details and preferences, maintain consent/unsubscribe records, and comply with CASL (Canada), CAN‑SPAM (U.S.), and PECR (UK). Every marketing message contains an unsubscribe link; transactional messages are still required to deliver the Services.
8) When we act as a processor/service provider
For business customers, we process personal information under their instructions, implement appropriate technical and organizational measures, and require any sub‑processors to be bound by written terms, including onward‑transfer safeguards and assistance with data subject requests.
9) Sharing of information (categories)
We do not sell personal information. (No sales in the last 12 months under the CCPA definition.) We disclose categories of information to:
-
Infrastructure & hosting (e.g., cloud providers)
-
Analytics/measurement & A/B testing
-
Customer support tools & communications
-
Payments and billing
-
Security/fraud & quality
-
Marketing/advertising (as permitted; subject to opt‑out)
-
Professional advisers and legal/regulatory bodies
We maintain a current list of sub‑processor categories and will make it available upon request; we notify customers of material changes where contractually required.
10) International data transfers
We store and process data where our operations and service providers are located and may transfer data to other countries where our team members or vendors operate. For transfers to vendors that are self-certified to the EU-U.S./UK-U.S. Data Privacy Framework, we rely on their certification for those specific transfers; such vendors remain liable for onward transfers consistent with DPF Principles.
11) Retention
We keep personal information only as long as needed for the purposes above, to comply with law, resolve disputes, and enforce agreements, then delete or de‑identify it. Retention periods vary by category (e.g., analytics telemetry, account records, consent logs) and legal requirements.
12) Security
We implement administrative, technical, and physical safeguards appropriate to the nature of the data and risk.
13) Your privacy choices & rights (global)
- Marketing choices. You can unsubscribe at any time via links in our emails; we’ll continue necessary transactional messages. (Aligned with CASL/CAN‑SPAM/PECR.)
- Cookies/Ads. Manage preferences in your browser/OS settings.
- Access, correction, deletion, objection, restriction, portability. Contact us at privacy@cpos.com; we will verify your request and respond within applicable timelines. Where we process on a customer’s behalf, we’ll route requests to the relevant controller.
- Automated decisions & profiling. You may request human review, express your point of view, contest outcomes, and ask for an explanation where a decision has legal or similarly significant effects.
14) Regional notices
United States (including California):
- We disclose the categories of personal information described above for business purposes and do not sell personal information.
- You may have the right to know/access, correct, delete, opt‑out of sale/share, and limit use of sensitive personal information. CPOS does not disclose personal information to third parties for their own direct marketing purposes.
- Email marketing complies with CAN‑SPAM; every marketing email includes our physical mailing address and an unsubscribe link.
Canada (PIPEDA & Quebec Law 25):
- You have rights to access, correction, and (where applicable) deletion/portability. For uses beyond the original purpose, we obtain meaningful consent.
- Quebec residents have additional rights (e.g., certain de‑indexation/erasure rights) and organizations must assess cross‑border transfer risks; we apply contractual and technical safeguards when data leaves Quebec/Canada.
Australia:
- We handle personal information in line with the Privacy Act 1988 and the Australian Privacy Principles (APPs), and we will comply with mandatory OAIC Notifiable Data Breaches obligations where applicable.
15) User research, testimonials & case studies (optional)
If you volunteer for interviews, surveys, or recordings, we use the information to improve our Services and—only with your permission—to create anonymized reports or public testimonials/case studies. You can withdraw consent; public testimonials may still appear in archives or backups.
16) Children’s privacy
Our Services are not directed to children under 13 (or older, where local law sets a higher age). We do not knowingly collect personal information from children; if we learn that we have, we will delete it.
17) Third‑party links and services
Our Website may link to third‑party sites/services not controlled by CPOS. Review their privacy policies; we are not responsible for their practices.
18) Data breaches
We maintain internal incident response processes. Where required, we will notify regulators and affected individuals without undue delay and within applicable timeframes.
19) Changes to this Policy
We will post any updates on this page and revise the “Last updated” date. For material changes, we may provide additional notice (e.g., email or in‑product). Continued use of the Services after an update constitutes acceptance of the revised Policy.
20) How to exercise your rights or ask questions
Email privacy@cpos.com or write to: CPOS Inc. (Attn: Privacy), 251 Laurier Avenue West, Ottawa, ON K1P 5J6, Canada. If you contact us, we may ask for information to verify your identity. Where we process information for a business customer, we will forward your request to the controller, as appropriate.