XGC CORP

Global Privacy Policy

Effective Date: August 28, 2025
Legal Entity: XGC CORP. (an Ontario corporation)
Registered Address: 372 Bay Street, Suite 1800, Toronto, ON M5H 2W9, Canada
Privacy Contact: Chief Counsel, Barnet Goldberg

1) Scope & Who We Are

This Privacy Policy explains how XGC CORP. ("XGC", "we", "our") collects, uses, discloses, and protects personal information when you visit our websites, use our software and services, attend our events, or otherwise interact with us. It applies worldwide to all individuals whose data we process, with region‑specific rights explained in Section 12.

XGC adheres to Canada’s PIPEDA fair information principles and comparable global frameworks including the EU/UK GDPR, California CCPA/CPRA, Brazil LGPD, South Africa POPIA, and Singapore PDPA. Where local law affords you stronger rights, we honor those rights.

2) Key Definitions

  • Personal Information / Personal Data: Any information relating to an identified or identifiable individual (e.g., name, email, ID numbers, online identifiers, or data combined to identify you).
  • Processing: Any operation performed on personal data (collection, use, disclosure, storage, etc.).
  • Controller/Responsible Party: XGC CORP., which determines purposes and means of processing.
  • Processor/Operator: A vendor that processes personal data for us, under contract.

3) What We Collect

We collect the following categories of personal information (depending on your relationship with us and applicable law):

  • Identifiers & Contact Data: name, title, organization, email, phone, postal address, government‑issued IDs where legally required for KYC/AML.
  • Account & Commercial Data: usernames, role, usage metrics, subscription and billing details, purchase history.
  • Technical & Usage Data: device and browser info, IP address, log files, analytics, cookies/SDKs, session recordings where disclosed.
  • Geolocation Data: approximate location derived from IP or precise location only if you opt‑in (e.g., mobile app features).
  • Payment & Financial Data: limited payment card tokens/reference numbers via PCI‑compliant processors; we do not store raw PAN data.
  • User Content & Communications: messages, files, support tickets, survey and event responses.
  • Sensitive/Special Categories: processed only where permitted and necessary (e.g., identity verification for regulatory purposes). We do not use sensitive data for cross‑context behavioral advertising.

Sources include information you provide directly, automated collection via our services, and third parties (e.g., partners, public databases, fraud‑prevention services) as permitted by law.

4) Why We Process Your Data (Purposes) & Legal Bases

We process personal data to:

  1. Provide and secure services (create/manage accounts, authenticate users, deliver features, maintain availability, prevent fraud/abuse).
  2. Customer support & communications (respond to inquiries, service messages, incident notices).
  3. Business operations (billing, accounting, audits, analytics, product improvement, R&D).
  4. Compliance (KYC/AML where applicable, recordkeeping, legal reporting, responding to lawful requests).
  5. Marketing (with choices and opt‑out): product updates, event invites, and thought leadership; we respect regional rules on consent and opt‑out/opt‑in.

Legal bases (EU/UK GDPR): performance of a contract; compliance with legal obligations; our legitimate interests (e.g., service safety, improvement, B2B relationship management) balanced against your rights; and consent for specific activities (e.g., certain cookies/precise geolocation/optional marketing).

Canada (PIPEDA): we follow the principles of accountability, identifying purposes, consent, limiting collection/use/retention, accuracy, safeguards, openness, individual access, and challenging compliance. Consent may be implied for obvious purposes or required expressly depending on context; you can withdraw consent subject to legal/contractual limits.

5) Cookies & Similar Technologies

We use first‑party and third‑party cookies, pixels, and SDKs for:

  • Strictly necessary operations and security;
  • Functional preferences;
  • Analytics and performance;
  • Limited marketing/retargeting in compliance with regional law.

You can manage cookies via our cookie banner (where offered) and your browser settings. Some features may not function without certain cookies. See our Cookie Notice for details on vendors and retention.

6) Disclosures & International Transfers

We disclose personal data to:

  • Service providers/processors (cloud hosting, security monitoring, analytics, support, payments) under contracts that limit use and require appropriate safeguards;
  • Business partners (only with legal basis and your choices);
  • Corporate transactions (mergers, acquisitions, financing, or asset transfers, with continued protections);
  • Legal/Compliance (lawful requests from authorities, to protect rights, safety, and the integrity of our services).

Because we operate globally, data may be processed in countries with different laws. Where required, we use appropriate transfer safeguards (e.g., Standard Contractual Clauses, UK IDTA/Addendum, and comparable mechanisms) and implement technical/organizational measures to protect data.

7) Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described above, comply with legal, regulatory, taxation, accounting, or reporting requirements, resolve disputes, and enforce agreements. Where feasible, we anonymize or aggregate data.

8) Security

We use administrative, technical, and physical safeguards proportionate to the sensitivity of the data, including access controls, encryption in transit and at rest (where applicable), secure software development practices, logging/monitoring, vulnerability management, and vendor due diligence. No system is 100% secure; please use strong, unique passwords and enable multi‑factor authentication where available.

9) Children’s Privacy

Our services are not directed to children. We do not knowingly collect personal information from children under the age of 13 (or a higher age threshold where required, e.g., 16 in parts of the EU for certain online services). If you believe a child provided personal information, contact us so we can take appropriate steps.

10) Automated Decision‑Making

We do not engage in solely automated decisions with legal or similarly significant effects without appropriate human review. Where we use profiling or risk scoring (e.g., security/fraud detection), we do so in accordance with applicable law and provide meaningful information upon request.

11) Your Choices

  • Marketing: unsubscribe using the link in emails or contact us.
  • Cookies: manage via browser settings and any site‑specific preferences center.
  • Consent: where processing is based on consent, you may withdraw it at any time (this does not affect prior lawful processing).

12) Regional Rights & Notices

Canada (PIPEDA)

You have the right to access and request correction of your personal information and to challenge our compliance. We follow the ten fair information principles and will explain purposes, obtain appropriate consent, and limit collection, use, and retention.

EU/EEA & UK (GDPR/UK GDPR)

You have the right to: access; rectification; erasure; restriction; portability; and to object to processing (including direct marketing). You may also have rights against decisions based solely on automated processing. Our legal bases are outlined in Section 4.

California, USA (CCPA/CPRA)

California residents have the right to: know/access; delete; correct; non‑discrimination; and to opt‑out of the “sale” or “sharing” of personal information. You may also limit the use and disclosure of sensitive personal information and opt out of cross‑context behavioral advertising. If we “sell” or “share” data (as defined by California law), we will provide a “Do Not Sell or Share My Personal Information” mechanism and honor Global Privacy Control (GPC) signals where required.

Brazil (LGPD)

Brazilian residents have rights to: confirmation of processing; access; correction; anonymization/blocking/deletion of unnecessary or excessive data; portability; deletion of data processed with consent; information about data sharing; withdrawal of consent; and complaint.

South Africa (POPIA)

You have rights to be notified of collection or data breaches, to access your information, to request correction or deletion, to object to processing (including direct marketing), to not be subject to certain automated decisions, and to lodge a complaint with the Information Regulator.

Singapore (PDPA)

You have rights to be informed of purposes, to access and correct personal data, and to withdraw consent. You may also register numbers on the Do Not Call (DNC) Registry to opt out of unsolicited marketing calls, messages, and faxes.

Note: If your jurisdiction is not listed, we will still handle requests consistent with local laws and our commitment to global privacy standards.

13) How to Exercise Your Rights

Submit a request using our contact methods below. To protect privacy, we may verify your identity (and, where allowed, authorized agents) before fulfilling a request. We will respond within the timeframes required by applicable law. Some rights may be subject to limitations or exemptions (e.g., legal holds, security, the rights of others).

14) Third‑Party Links & Services

Our sites and services may link to third‑party websites, plug‑ins, or services. We are not responsible for their privacy practices. We encourage you to read their privacy notices.

15) Changes to This Policy

We may update this Policy from time to time. When we do, we will revise the “Effective Date” and, where required, provide a prominent notice or obtain your consent.

16) Contact Us (Privacy)

XGC CORP. — Privacy Office
Attn: Chief Counsel, Barnet Goldberg
372 Bay Street, Suite 1800
Toronto, ON M5H 2W9, Canada
Email: privacy@xgccorp.com (or use our website’s contact form)

If we cannot resolve your concern, you may have the right to contact a supervisory authority/regulator in your region (e.g., Office of the Privacy Commissioner of Canada, your EU/UK data protection authority, the California Privacy Protection Agency, Brazil’s ANPD, South Africa’s Information Regulator, or Singapore’s PDPC).

17) Supplemental Disclosures (If Required by Local Law)

  • Do Not Sell/Share: XGC does not sell personal information for money. Where “sale” or “sharing” is defined more broadly (e.g., for targeted advertising), we will provide required notices and opt‑out tools.
  • Sensitive Data: Where law recognizes “sensitive” categories, we process them only for limited, disclosed purposes and offer additional controls as required.
  • Financial Incentives: If we offer any loyalty or incentive program involving personal information, we will provide a separate notice describing terms and opt‑in/opt‑out rights.

This Policy is intended to be clear and comprehensive but not a contract that creates legal rights beyond those provided by applicable law.