Mercatus Technologies Inc. and its affiliates (“Mercatus”) are committed to the protection of the Personal Information of our suppliers, customers and other parties which whom we do business. In this Policy, “Personal Information” means information about an identifiable individual, but does not include the name, title, business address or business telephone number of an employee of an organization.


Accountability for our compliance with this Policy rests with our Privacy Officer, even though other individuals within Mercatus may also have responsibility for some day-to-day collection and processing of Personal Information. Other individuals within Mercatus may be delegated to act on behalf of the Privacy Officer

We are responsible for Personal Information in our possession or custody, including information that has been transferred to a third party for processing. We will use contractual or other means to provide a comparable level of protection when the information is being processed by a third party.

Identifying Purposes

Mercatus collects Personal Information for the purposes set out below, and any other identified purposes. These purposes will be limited to those related to our business and which a reasonable person would consider appropriate in the circumstances.

Mercatus, its assignees and their respective affiliates, agents and contractors collect, use, and disclose Personal Information for the following reasons: to enter into business relationships, communicate and do business with suppliers, customers and others; to manage, promote and protect our business activities and interests; for contract management and administration; to provide information to suppliers, customers and others on our business activities and projects; and otherwise as required or permitted by law.

Personal Information may also be disclosed in connection with a sale, transfer or reorganization of Mercatus’s business, in which case Mercatus will require that any Personal Information will continue to be treated in accordance with this privacy policy

We will make a reasonable effort to specify the identified purposes to the individual from whom the Personal Information is collected at or before the time of collection. This may be done either orally, electronically or in writing

If Personal Information we have collected is to be used or communicated for a purpose not previously identified, we will identify and document this purpose before such use or communication, and obtain consent, except as required or permitted by law.


Personal Information will only be collected, used, or disclosed with the knowledge and consent of the individual. However, in certain circumstances, as required or permitted by law, Mercatus may collect, use or disclose Personal Information without the knowledge or consent of the individual. These circumstances include: where collection or use is clearly in the interests of the individual and consent cannot be obtained in a timely way; to act in respect to an emergency that threatens the life, health or security of an individual; where Personal Information is publicly available as defined by regulation; where collection with knowledge or consent might compromise the availability or accuracy of the information and the collection relates to investigation of a breach of agreement or contravention of law; for debt collection; or to comply with a subpoena, warrant or court order.

Typically, we will seek consent for the use or disclosure of information at the time of collection. In certain circumstances, we may seek consent after the information has been collected but before use (for example, where we want to use information for a purpose not previously identified).

We will not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of Personal Information beyond that required to fulfil the explicitly specified and legitimate purposes.

The form of consent, including whether it is express or implied, or oral or written, may vary depending upon the circumstances and the type of information, including the sensitivity of the information and the reasonable expectations of the individual.

An individual can withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. We will inform the individual of any implications of such withdrawal.

An individual’s Personal information may be transferred outside of their jurisdiction for processing and storage. We or our service providers may store Personal Information on servers located in other jurisdictions. Privacy laws in such jurisdictions may differ from those in the individual’s jurisdiction, and in some jurisdictions Personal Information may be accessed by law enforcement authorities or the courts. Individuals may obtain information and address questions about the privacy policies and practices relating to handling of their Personal Information outside of their jurisdiction by contacting our Privacy Officer as outlined below.

Limiting Collection

The collection of Personal Information will be limited to that which is necessary for the purposes identified by Mercatus. Information will be collected by fair and lawful means.

Limiting Use, Disclosure, and Retention

Personal Information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required or permitted by law. Personal Information will be retained only as long as necessary to fulfil the purposes for which consent was obtained or as required or permitted by law. Thereafter, the Personal Information will be destroyed, erased, or made anonymous.

Personal Information which has been used to make a decision about an individual will be retained long enough to allow the individual access to the information after the decision has been made, and, in the event of an access request or a challenge, long enough to exhaust any recourse an individual may have under the law.


Mercatus will use reasonable efforts to keep Personal Information as accurate, complete, and up-to-date as necessary for the purposes for which it is to be used, and to minimize the possibility that inappropriate information may be used to make a decision about an individual. Mercatus expects the assistance of the individuals concerned in keeping Personal Information accurate, complete and up-to-date.


Mercatus will protect Personal Information with safeguards appropriate to the sensitivity of the information, in order to protect Personal Information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification, regardless of the format in which the information is held.

The methods of protection may include physical measures (such as locked filing cabinets or restricted access to offices), organizational measures (such as security clearances), and technological measures (such as the use of passwords or encryption).

We will make our employees aware of the importance of maintaining the confidentiality of Personal Information, and will use care in the disposal or destruction of Personal Information to prevent unauthorized parties from gaining access to the information.


Mercatus will make readily available to individuals, upon request, specific information about its policies and practices relating to the management of Personal Information.

This information will include: contact information for our Privacy Officer, who is accountable for our policies and practices and to whom complaints or inquiries can be forwarded; the means of gaining access to Personal Information held by us; a description of the type of Personal Information held by us, including a general account of its use; information that explains our Policy and policies; and what Personal Information is made available to related organizations.

Individual Access

Within the limits set by applicable legislation, an individual whose Personal Information is held by Mercatus has the right to have access to this Personal Information. Upon written request, Mercatus will inform an individual of the existence, use, and disclosure of his or her Personal Information, and give the individual access to that Personal Information. An individual may challenge the accuracy and completeness of the Personal Information and have it amended as appropriate.

However, in certain situations, we may refuse a request or not be able to provide access to all the Personal Information we hold about an individual. Exceptions to the access requirement will be limited and specific, as required or permitted by law. Where permitted, the reasons for denying access will be provided to the individual. This will be done upon the individual’s request, unless Mercatus is required by law to provide such written reasons. Exceptions to the grant of an access request include: information that contains references to other individuals or contains confidential commercial information, where such information cannot be severed from the record; information protected by solicitor-client privilege; information properly collected without the knowledge or consent of the individual for purposes related to investigating a breach of an agreement or a contravention of law; and information generated in the course of a formal dispute resolution process.

In addition, we will provide an account of the use that has been made or is being made of the Personal Information and an account of the third parties to which it has been disclosed.

An individual may be required to provide sufficient information to permit us to provide an account of the existence, use, and disclosure of Personal Information. The information provided will only be used for this purpose.

In providing an account of third parties to which we may have disclosed Personal Information about an individual, we will attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which we have actually disclosed Personal Information, we will provide a list of organizations to which we may have disclosed the information.

We will respond to an individual’s written request within a reasonable time (generally within 30 days). We will assist any individual who informs us that they need assistance in preparing a request. While our response will typically be provided at no cost to the individual, depending on the nature of the request and the amount of information involved, we reserve the right to impose a cost. In these circumstances, we will inform the individual of the approximate cost to provide the response and proceed upon payment by the individual of the cost. Requested information will be provided or made available in a form that is generally understandable.

If an individual successfully demonstrates the inaccuracy or incompleteness of Personal Information, we will amend the information as required. Where appropriate, the amended information will be transmitted to third parties having access to the information in question. If a challenge is not resolved to the satisfaction of the individual, we will record the substance of the unresolved challenge. When appropriate, the existence of the unresolved challenge will be transmitted to third parties having access to the information in question.

Access and Correction; Questions

Individuals may access their Personal Information, or request that their Personal Information be removed from our database, by contacting our Privacy Officer as outlined below. Mercatus will provide access to this information, correct any factual inaccuracies identified, and remove information as requested. We may be unable to remove information to the extent that it is permitted or required to be retained by applicable law or document retention and data backup policies, or if removal is not practicable due to technological reasons. Removal of an individual’s Personal Information may prevent us from providing further services and information to the individual.