Privacy Notice

for Aperia Compliance – an IXOPAY Company

Version: 10 Mar 2026

Aperia Compliance Privacy Notice

1. Introduction

1.1 Scope of Application

This Privacy Notice informs you about the processing of personal data (as defined under the EU General Data Protection Regulation (“GDPR”), including equivalent terms under applicable international data protection legislation) by Aperia Compliance, LLC (“Aperia Compliance”, “we”, “us” or “our”) in relation to the following categories of data subjects:

  • Visitors of our website www.aperiacompliance.com and visitors of Aperia Compliance’s social media presence (e.g., LinkedIn) (“Social Media Sites”), including those who provide contact information to receive communications from us (together “Website”);

  • Business Contacts, namely representatives of current or prospective customers, partners, and suppliers whose data we process for business relationship management (CRM) purposes;

  • Customers, organizations using Aperia Compliance’s offerings (“Services”) and individuals acting on their behalf; and

  • Authorized Users, namely individuals accessing the Services under a Customer’s authority.

Aperia Compliance operates in the United States and serves customers in the United States and internationally.

1.2 General Roles 

To ensure you understand how your data is handled, we distinguish between two primary roles depending on the context:

1.2.1 Aperia Compliance acts as a controller for personal data of Visitors and Business Contacts. This means we determine the purposes and means of processing that data.

1.2.2 When providing the Services, Aperia Compliance typically acts as a processor for personal data processed via the Services on behalf of a Customer (“Service Data”). In this capacity, we process Service Data on the Customer’s documented instructions under the applicable contract and data processing terms. Processors engaged by us as part of the Service delivery are communicated on our Subprocessors page.

We use Service Data as personal data only to provide, secure, support, and maintain the Services under the Customer’s documented instructions. We may perform benchmarking, analytics, or product development beyond direct service delivery, including by using irreversibly anonymized data as described in Section 3.

We process personal data depending on how you interact with us. Personal data is obtained (a) directly from you; (b) automatically via technical logs and tracking technologies through our Website and Social Media Sites; and/or (c) from third parties, such as referrals, public sources, or sales intelligence providers, as described below.

2.1 Visitors and Business Contacts

When you use our Website, subscribe to communications, request information or a demo, contact us, or manage your commercial relationship with us, we may process:

  • Identity & Contact Data: name, business email address, phone number, job title, company name, physical business address.

  • Communications Data: inquiry content, email correspondence, meeting notes, and similar interactions.

  • Commercial and Relationship Data: information about requested or purchased Services, contracting and billing contacts, and communication preferences.

  • Technical Usage Data: IP address, browser type and version, operating system, referral URLs, device information, server log file information, and interaction data (e.g., pages visited, time spent, clickstream data).

  • Marketing and Newsletter Data: subscription status and engagement data (e.g., opens/clicks), where enabled.

  • Sales Intelligence / Lead Enrichment: in a B2B context, we may supplement contact information with business-related data received from professional networks or sales intelligence providers to support relationship management and marketing.

Purposes. We use this data to operate and secure our Website; respond to inquiries; provide requested materials and demos; manage our sales pipeline; administer customer, partner, and supplier relationships; communicate about Services; send newsletters/marketing (where applicable); improve our Website and communications; and comply with legal obligations and protect our rights.

Legal bases (GDPR/UK GDPR where applicable). We process personal data based on:

  • The performance of a contract / pre-contractual steps, e.g., responding to requests, entering into and managing contracts;

  • Your Consent, e.g., certain marketing communications or tracking technologies where required; and/or

  • Our Legitimate interests, including B2B relationship management, direct marketing where permitted, Website operation and security, fraud prevention, internal administration, and legal claim management. You can object to processing based on legitimate interests as set out in Section 7.

2.2 Data Processed via Services (Service Data)

In the course of providing the Services, we process Service Data on behalf of and under the instructions of Customers. Depending on Customer configuration and usage, Service Data may include:

  • Account and user data: name, email address, role, and identifiers for Authorized Users and merchant users;

  • Compliance and assessment data: PCI self-assessment questionnaire (SAQ) information and related compliance artifacts;

  • Security and scanning data: scan scheduling information and scan outputs/results (as configured by the Customer);

  • Customer-provided documents: documents uploaded through secure upload functionality;

  • Technical logs and diagnostics: information necessary for security, troubleshooting, and support.

Aperia Compliance processes Service Data as a processor. Customers determine the purposes and legal bases for Service Data processing.

2.3 Cookies & Tracking Technologies

We use cookies and other information-gathering technologies for purposes such as providing information about how you interact with our Website, ensuring the security of our services, and assisting in our marketing efforts.

2.3.1 Managing your preferences.
You can view a list of cookies and trackers and change your cookie preferences at any time using the “Privacy Settings” link made available on our Website, powered by Clym. Depending on configuration and your choices, Clym also processes consent records and audit logs (for example consent status, timestamp, and consent identifier) and basic technical identifiers (for example IP address and user agent).

Cookie choices include the categories:

  • Essential (required for core functionality and security of the Website);

  • Analytics (to analyze usage and improve Website performance); and

  • Advertising (to measure campaign performance and support relevant advertising).

2.3.2 Browser settings and opt-outs.
In addition to our cookie settings tool, you can generally control cookies through your browser settings or other opt-out mechanisms. If you use an opt-out mechanism, your browser may store an “opt-out cookie” to remember your choice. You may need to repeat this process on each browser you use and if you delete cookie data from your device.

Some functions of our Website require Essential cookies to function properly. Information via Analytics and Advertising technologies is collected only where and for as long as we have a valid legal basis (including consent where required).

2.4 Social Media Sites

We operate Social Media Sites (e.g., LinkedIn) to communicate with Customers and prospects. Social media platform providers process personal data under their own privacy terms. We also process data you share with us via our social media presence (for example, messages or comments) to respond and manage relationships.

3. Aggregation and Anonymization

To improve security, stability, performance, and support of the Services, we process Service Data under Customer instructions (processor activity).

Separately, we may irreversibly anonymize Service Data so that it can no longer be linked to an identified or identifiable natural person and cannot reasonably be re-identified. After anonymization, the resulting data is no longer personal data and may be used by us and our affiliates for legitimate business purposes such as benchmarking, analytics, product development and machine learning.

We do not use Service Data as personal data to develop, train, or fine-tune generative AI models. Where we use machine learning on Service Data as personal data, it is solely to support service delivery (for example fraud scoring, anomaly detection, or routing optimization) and remains within Customer instructions.

4. Disclosure of Personal Data

We disclose personal data only where necessary for the purposes described in this Privacy Notice, including to:

  • Service providers supporting our Website, communications, CRM, hosting, security, support tooling, and cookie/tracking technologies. These recipients are contractually bound to process personal data only pursuant to our instructions and subject to appropriate confidentiality and security obligations.

  • Professional advisors (e.g., legal, accounting, auditors) where necessary.

  • Authorities and others where required by law or valid legal process, or where necessary to establish, exercise, or defend legal claims, or to protect our rights and the security of our systems.

  • Corporate transactions (M&A), limited to what is necessary and subject to appropriate safeguards.

  • Subprocessors (Service Data): For Service Data, Aperia Compliance engages subprocessors only as permitted under the applicable customer terms. We publish our current list of subprocessors (and updates) here: aperiacompliance.com/legal/subprocessors

5. International Data Transfers

Where personal data is transferred to recipients in countries outside the EEA and not subject to an adequacy decision, we implement appropriate safeguards (in particular EU Standard Contractual Clauses and the UK Addendum and supplementary measures, where required). For questions or further information, contact us as set out in Section 9.

6. Retention

We store personal data no longer than necessary for the purposes for which it is processed, including:

  • for as long as required to perform contractual obligations;

  • when processed based on legitimate interests, for as long as those interests are not overridden by data subject rights;

  • when processed based on consent, until consent is withdrawn; and/or

  • as necessary to comply with statutory retention periods.

Key retention periods may include:

  • Server log files: up to 15 days.

  • Newsletter/marketing data: until you unsubscribe or withdraw consent.

  • Account and commercial records: for the duration of the relationship and thereafter as required by statutory retention rules.

  • Service Data: as set out in the customer contract and Customer instructions.

7. Your Rights

7.1 Rights and Submission Process

Depending on applicable law (including the GDPR/UK GDPR), you may have the right to request access, correction, deletion, restriction of processing, a copy of certain data you provided (portability), and to object to processing based on legitimate interests (including direct marketing). Where we rely on consent, you can withdraw consent at any time.

To exercise your rights, contact us using Section 9. To help us process your request, include your name, business email address, company name, and a clear description of the request. We verify requests using reasonable measures. If you submit a request on behalf of another individual, we may request proof of authorization and/or verification by the data subject.

If you live in a jurisdiction that provides an appeal right for denied rights requests, you can appeal our decision by replying to the email that informs you of the denial or by sending an appeal request to [email protected] with the subject line “Appeal”. We respond to appeals within the timeframe required by applicable law.

If you are in the EEA, the UK, or Switzerland, you also have the right to lodge a complaint with a data protection supervisory authority.

7.2 Requests relating to Service Data

If your request relates to Service Data processed through the Services (where we act as a processor under a Customer’s instructions), the Customer controls the purposes and legal basis for that processing. We will, where appropriate, forward your request to the relevant Customer or ask you to contact the Customer directly.

8. Notice to California Residents

This section applies only to California residents for purposes of compliance with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (together, the “California Privacy Laws”).

Categories and purposes.
In the previous twelve (12) months, we have collected personal information described in this Privacy Notice (for example identifiers, internet or other electronic network activity information, professional or employment-related information, and in some cases commercial information) for the business purposes described in this Privacy Notice.

Sale, Sharing.
We do not sell personal information as defined under California Privacy Laws. Where we engage in “sharing” for cross-context behavioral advertising (as defined under California Privacy Laws), we provide mechanisms to exercise opt-out choices (for example through cookie settings and other methods made available on our Website).

California rights.
California residents may have the right to request access to, correction of, or deletion of personal information, and to opt out of the sale or sharing of personal information (as applicable), and the right not to be discriminated against for exercising their rights.

Verification.
We verify requests using reasonable measures. Personal information provided for verification is used only for verification and security purposes.

Requests may be submitted using the contact details in Section 9.

9. Contact Information

If you have questions regarding this Privacy Notice or wish to exercise your rights, contact us at:
Email: [email protected]
Postal address:
333 E Main St #396, Lehi, Utah 84043, USA c/o IXOPAY, Inc.

EU representative (GDPR Article 27).
For data subjects in the EU/EEA, Aperia Compliance has appointed IXOPAY GmbH as its representative under Article 27 GDPR. You may contact the representative regarding GDPR-related matters as follows:
IXOPAY GmbH, Vorgartenstraße 206c, A-1020 Vienna, Austria; Attn: Legal Department. Email: [email protected] (Subject: “Aperia Compliance Compliance – EU Representative”)

10. Data Security

We employ appropriate technical and organizational security measures designed to protect personal data from accidental or unlawful loss, destruction, alteration, unauthorized access, or disclosure.

11. Amendments of this Privacy Notice

We may amend this Privacy Notice as necessary to reflect changes to the legal landscape and the development of our Website and Services. Amendments will be published on our Website.