Privacy Policy

Last updated: 28 April 2026

Excise Management Solutions Inc. ("EMS", "we", "our", or "us") respects your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard personal information when you visit our website, use our software, or otherwise interact with our services (collectively, the "Service").

This document is provided as a baseline privacy framework and does not constitute legal advice. EMS strongly recommends review by qualified counsel and a privacy professional before relying on it as a binding policy.

1. Scope

This Policy applies to information we collect from:

• Visitors to our marketing website;
• Account-holders who use the Service (and their authorised users, including consignee sub-accounts);
• Individuals whose information is included in Customer Data uploaded to the Service.

2. Information We Collect

2.1 Information You Provide

• Account information: name, email address, company name, phone number, job title, and similar contact information you submit when signing up, requesting a demo, or contacting support.
• Billing information: billing contact, billing address, and payment-method metadata. Card numbers themselves are processed by our payment processor; EMS does not store full card data.
• Communications: messages, feedback, and support requests you send to us.
• Customer Data: business records and operational data you or your users enter into the Service in the ordinary course of using it (shipments, products, consignees, production orders, audit logs, etc.).

2.2 Information Collected Automatically

• Usage and device information: IP address, browser type, operating system, referring URLs, pages viewed, and timestamps.
• Cookies and similar technologies: see Section 8 below.
• Audit logs: records of authentication events and significant in-product actions, retained for security and operational integrity.

3. How We Use Information

We use information for the following purposes:

• To provide, operate, maintain, and improve the Service;
• To authenticate users and protect against fraud and unauthorised access;
• To process payments and manage billing;
• To respond to support requests, demos, and other communications;
• To send service-related notices (such as security alerts, billing notifications, and material changes to terms);
• To send product updates and marketing communications, where permitted by law and subject to your opt-out rights;
• To monitor and analyse trends, usage, and activity in connection with the Service;
• To comply with legal obligations and enforce our agreements.

4. Legal Bases (where applicable)

Where the EU or UK GDPR applies, we rely on the following legal bases for processing personal data:

• Contract: to provide the Service to Customer or process Customer's instructions.
• Legitimate interests: to operate, secure, and improve the Service, in a manner balanced against your rights.
• Consent: for marketing communications and certain optional cookies, subject to your right to withdraw consent.
• Legal obligation: to comply with applicable laws and lawful requests from authorities.

5. Sharing of Information

We do not sell personal information. We share information only as follows:

• Service providers: with third-party vendors who help us operate the Service (e.g., cloud hosting, payment processing, email delivery, analytics), bound by contractual confidentiality and data-protection obligations.
• Within Customer's account: Customer Data is accessible to authorised users within the same Customer account. Multi-consignee deployments restrict each consignee's portal access to their own data.
• Legal compliance: when required by law, court order, or government regulation, or to protect rights, property, and safety.
• Business transfers: in connection with a merger, acquisition, financing, reorganisation, or sale of assets, subject to confidentiality protections.
• With your consent: in any other case, with your specific consent.

6. Data Hosting & International Transfers

Customer Data is hosted in Canadian data centres (currently Amazon Web Services' Canada (Central) region in Montréal). EMS may transfer limited operational and account information to other regions for support and analytics purposes, in which case we use appropriate safeguards (such as standard contractual clauses) where required by law.

Enterprise customers can request alternative hosting arrangements as part of an order form.

7. Data Security

We maintain administrative, technical, and physical safeguards designed to protect information from unauthorised access, disclosure, alteration and destruction. Measures include:

• Encryption of data in transit (TLS 1.3) and at rest (AES-256);
• Access controls based on the principle of least privilege;
• Regular automated backups and disaster-recovery procedures;
• Security monitoring, logging, and periodic vulnerability assessments;
• Mandatory security training for personnel with access to production systems.

No method of transmission or storage is 100% secure. While we strive to protect personal information, we cannot guarantee absolute security.

8. Cookies & Similar Technologies

We use cookies and similar tracking technologies to operate and improve the Service:

• Strictly necessary cookies are required for authentication, session management, and security. These cannot be disabled.
• Analytics cookies help us understand how the Service is used so we can improve it. We use first-party analytics where practical and load only after consent in jurisdictions that require it.
• Functional cookies remember preferences such as language and theme.

You can control cookies through your browser settings. Disabling strictly-necessary cookies will prevent the Service from functioning properly.

9. Data Retention

We retain personal information for as long as necessary to fulfil the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce agreements.

• Customer Data: retained for the duration of the subscription and for 30 days post-termination, after which it is deleted unless an extended retention is required by law or contract.
• Account data: retained for as long as the account is active and a reasonable period thereafter.
• Billing records: retained for as long as required by tax and accounting law (typically 6–7 years).
• Audit logs: retained for at least 12 months for security and operational integrity.

10. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

• Access — request a copy of your personal information;
• Correction — request that inaccurate information be corrected;
• Deletion — request deletion, subject to legal exceptions;
• Restriction or objection — request that we restrict or stop certain processing;
• Portability — request a portable copy of certain information;
• Withdraw consent — where processing is based on consent;
• Lodge a complaint — with your local data-protection authority (e.g., the Office of the Privacy Commissioner of Canada).

To exercise these rights, contact admin@excisems.com. We may need to verify your identity before fulfilling a request. If your information is held within a Customer's account (e.g., as Customer Data), please direct your request to that Customer; we will assist them in responding as required.

11. Marketing Communications

You may opt out of marketing emails at any time by clicking the unsubscribe link in any marketing message or by contacting us. Transactional and service messages (such as billing notices and security alerts) cannot be opted out of for as long as you have an active account.

12. Children's Privacy

The Service is not directed to individuals under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us personal information, please contact us and we will take steps to delete it.

13. Third-Party Links

The Service may contain links to third-party websites or services. This Policy does not apply to those third parties. We encourage you to review their privacy practices.

14. Changes to This Policy

We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent revision. For material changes, we will provide notice (e.g., by email or in-product notice) before the change takes effect.

15. Contact

Questions, comments, or requests about this Policy can be directed to:

Excise Management Solutions Inc.
Attn: Privacy Officer
Canada
admin@excisems.com