XFACTOR VERIFIED
The CommandCenterThe Morpheus System, the PlatformYour Departments, Your Exec TeamCertification ProgramsPricing for ClientsPricing for SuppliersAbout XiHow to Comply ManualsProductsContactLoginRequest Founder Access →
HomeThe CommandCenterThe Morpheus System, the PlatformYour Departments, Your Exec TeamCertification ProgramsPricing for ClientsPricing for SuppliersAbout XiHow to Comply ManualsProductsContactLoginRequest Founder Access →

Privacy Policy

XFACTOR COMMAND (operating as XFACTOR VERIFIED) Registered in British Columbia, Canada

Policy Version: 1.1 Effective Date: April 16, 2026 Last Updated: June 28, 2026


Table of Contents

  1. About This Policy
  2. Who We Are
  3. Scope of This Policy
  4. Personal Information We Collect
  5. How We Collect Personal Information
  6. Purposes for Collection, Use, and Disclosure
  7. Lawful Basis for Processing (GDPR)
  8. PIPEDA — Ten Fair Information Principles
  9. Use of Artificial Intelligence
  10. Disclosure of Personal Information
  11. Sub-Processors and Third-Party Service Providers
  12. Cross-Border Data Transfers
  13. Data Retention
  14. Data Security
  15. Data Subject Rights
  16. Cookie Policy
  17. Children's Privacy
  18. Data Breach Notification
  19. Changes to This Policy
  20. Contact Information and Privacy Inquiries

1. About This Policy

This Privacy Policy describes how XFACTOR COMMAND, operating as XFACTOR VERIFIED ("XFACTOR VERIFIED," "we," "our," or "us"), collects, uses, discloses, and protects personal information in connection with the operation of our supply chain security and digital trust platform and associated services. XFACTOR COMMAND is a business registered in British Columbia, Canada; "XFACTOR VERIFIED" is the operating and brand name under which it provides these services.

We are committed to protecting your privacy and handling your personal information in an open and transparent manner, consistent with our obligations under Canada's Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 ("PIPEDA"), Canada's Digital Charter Implementation Act, 2022 (Bill C-27, where applicable upon proclamation), and, to the extent applicable, the European Union's General Data Protection Regulation (EU) 2016/679 ("GDPR").

This Policy applies to all individuals whose personal information we process, including clients, suppliers, prospective clients and suppliers, website visitors, and any other individuals whose data comes into our possession in the course of providing our services.

Please read this Policy carefully. By accessing our website at xfactorverified.com, submitting information through our platform, or entering into a contract with us, you acknowledge that you have read and understood this Policy.


2. Who We Are

Legal Name: XFACTOR COMMAND Province of Registration: British Columbia, Canada (Sole Proprietorship FM1105802) Operating Name: XFACTOR COMMAND Website: https://xfactorverified.com Chief Executive Officer: Mandy-Lynn Aitken Privacy Officer: Mandy-Lynn Aitken Privacy Contact Email: mandy@globalmlx.com Mailing Address: PO Box 221, Sooke, BC V9Z 1A0, Canada

For the purposes of GDPR, where applicable, XFACTOR COMMAND acts as a data controller with respect to personal data of its clients and their authorized users, and as a data processor with respect to personal data of suppliers submitted to the platform by our clients.


3. Scope of This Policy

This Policy applies to:

3.1 Our Platform and Products — XFACTOR VERIFIED (supply chain security assessment), XFACTOR TRUSTED (digital trust and compliance services), XFACTOR COMMANDCENTER (centralized operations and reporting), and XFACTOR VALIDATED (supplier validation services) (collectively, the "Platform" or "Services").

3.2 Our Website — The public-facing website accessible at xfactorverified.com and any associated subdomains.

3.3 Communications — Email, telephone, and any other communications between you and XFACTOR COMMAND.

3.4 Contractual Relationships — Information exchanged in the context of service agreements with clients or procurement relationships with suppliers.

This Policy does not apply to the practices of third parties that we do not own or control, or to individuals that we do not manage or employ.


4. Personal Information We Collect

"Personal information" means any information about an identifiable individual. We collect the following categories of personal information:

4.1 Client-Side Personal Information

Collected from organizations that subscribe to our Services and their authorized personnel:

Category Examples
Identity data Full name, job title, department
Contact data Business email address, telephone number, business address
Account credentials Username, hashed password, multi-factor authentication tokens
Organizational data Company name, company registration number, industry classification, number of employees, annual revenue (where provided)
Usage data Login timestamps, pages accessed, features used, session duration, IP address
Compliance and assessment data Compliance scores, assessment responses, uploaded documentation, findings, corrective action plans
Billing and payment data Billing contact name, billing address, payment method identifiers (tokenized; we do not store full card numbers)
Communication records Emails, in-platform messages, support tickets, and notes from client calls

4.2 Supplier-Side Personal Information

Collected directly from suppliers completing assessments, or submitted on their behalf by our clients:

Category Examples
Identity data Full name, job title, department, employee ID (if provided)
Contact data Business email address, telephone number, business address
Organizational data Company name, company registration number, country of incorporation, operating jurisdictions
Assessment and verification data Responses to supply chain security questionnaires, uploaded certifications and compliance documents, audit records, risk scores, ESG maturity ratings, transportation mode declarations, Incoterms positions, cargo routing information
Government-issued identifiers Business registration numbers, C-TPAT or PIP membership numbers, customs broker license numbers (where required for verification)
Communication records Emails and in-platform messages exchanged during the assessment process

4.3 Website Visitor Data

Collected automatically when you visit xfactorverified.com:

Category Examples
Technical data IP address, browser type and version, operating system, device type, screen resolution
Behavioural data Pages visited, referring URL, time spent on pages, click paths
Cookie and tracking data See Section 16 (Cookie Policy)

4.4 Sensitive Personal Information

We do not intentionally collect sensitive personal information such as health data, racial or ethnic origin, religious beliefs, sexual orientation, or biometric data. If you believe any such information has been inadvertently submitted through our Platform, please contact our Privacy Officer immediately using the details in Section 20.


5. How We Collect Personal Information

We collect personal information through the following means:

5.1 Directly from you, when you: - Register for an account on our Platform - Complete a supplier assessment questionnaire - Upload documents or supporting evidence through the Platform - Contact us by email or telephone - Subscribe to communications or marketing materials - Complete a form on our website - Enter into a service agreement with us

5.2 From our clients, who may submit personal information about their suppliers or their own employees as part of using our Services. Clients are responsible for ensuring they have obtained all necessary consents and authorizations before submitting third-party personal information to our Platform.

5.3 Automatically, through our website and Platform using cookies, web beacons, server logs, and similar technologies. See Section 16 for details.

5.4 From public sources, including corporate registries, government sanctions and watchlists, publicly available customs and trade databases, and business directories, for the purposes of verifying supplier information as part of our assessment methodology.

5.5 From third-party integrations, including Google Workspace services (Gmail, Google Drive, Google Calendar) where you have connected such services to your XFACTOR COMMAND account.


6. Purposes for Collection, Use, and Disclosure

We collect, use, and disclose personal information only for the purposes described in this Policy, or for purposes that a reasonable person would consider appropriate in the circumstances, and only to the extent necessary to fulfill those purposes.

6.1 Service Delivery

  • To create, administer, and maintain your account
  • To provide and operate the XFACTOR VERIFIED, XFACTOR TRUSTED, XFACTOR COMMANDCENTER, and XFACTOR VALIDATED services
  • To conduct supply chain security assessments and generate risk scores, findings, and reports
  • To verify supplier claims against submitted documentary evidence
  • To generate the Master 5-Step Assessment Report and Individual Supplier Reports
  • To map and visualize cargo flow and supply chain routes using Mapbox
  • To send notifications, alerts, and status updates related to assessments in progress

6.2 Contract Management and Billing

  • To enter into and administer service agreements with clients
  • To process payments and manage billing
  • To enforce our terms of service

6.3 Communications and Support

  • To respond to inquiries, requests, and support tickets
  • To communicate important platform updates, security notices, and policy changes
  • To send marketing and promotional communications where you have provided consent, or where we have a legitimate interest in doing so (see Section 8.2)

6.4 Security and Fraud Prevention

  • To authenticate users and prevent unauthorized access
  • To detect, investigate, and respond to security incidents
  • To protect the integrity of assessment data and prevent fraudulent submissions

6.5 Product Improvement and Analytics

  • To analyze usage patterns to improve Platform functionality and user experience
  • To develop new features and services
  • To conduct internal research and analytics (using aggregated and, where possible, de-identified data)

6.6 Legal and Regulatory Compliance

  • To comply with applicable laws, regulations, and government requests
  • To establish, exercise, or defend legal claims
  • To fulfill our obligations under applicable privacy laws

7. Lawful Basis for Processing (GDPR)

This section applies to personal data of individuals who are residents of the European Economic Area (EEA) or the United Kingdom. For all other individuals, Section 8 (PIPEDA) governs our handling of personal information.

For EEA/UK individuals, we rely on the following lawful bases under Article 6 GDPR:

Processing Activity Lawful Basis
Providing the Services pursuant to a contract Article 6(1)(b) — Performance of a contract, or steps prior to entering a contract
Billing and payment processing Article 6(1)(b) — Performance of a contract
Compliance with legal obligations (e.g., record-keeping, sanctions screening) Article 6(1)(c) — Legal obligation
Security, fraud prevention, and platform integrity Article 6(1)(f) — Legitimate interests (our legitimate interest in protecting the security of our Platform and our clients' data)
Product analytics and improvement (aggregated/de-identified) Article 6(1)(f) — Legitimate interests (our legitimate interest in improving our services)
Marketing communications to existing clients Article 6(1)(f) — Legitimate interests, subject to your right to object
Marketing communications to prospective clients Article 6(1)(a) — Consent
Processing assessment responses and supporting documents Article 6(1)(b) — Performance of a contract (with the client); or Article 6(1)(f) — Legitimate interests, where processing is carried out for the client's benefit in a B2B context

Where we rely on legitimate interests, we have conducted a balancing test and determined that our legitimate interests are not overridden by your interests, rights, or freedoms. You may request a copy of our legitimate interests assessment by contacting our Privacy Officer.

Where we rely on consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal.


8. PIPEDA — Ten Fair Information Principles

XFACTOR COMMAND is committed to compliance with the ten fair information principles established in Schedule 1 of PIPEDA:

Principle 1 — Accountability

XFACTOR COMMAND is responsible for all personal information under its control, including information transferred to third-party processors. Our Privacy Officer, Mandy-Lynn Aitken, is accountable for compliance with this Policy and applicable privacy law. Contact details are in Section 20.

Principle 2 — Identifying Purposes

The purposes for which personal information is collected are identified before or at the time of collection. See Section 6 for a full description of our purposes. Where we intend to use personal information for a new purpose not identified at the time of collection, we will obtain fresh consent or ensure an applicable exception applies.

Principle 3 — Consent

8.3.1 We obtain meaningful consent for the collection, use, and disclosure of personal information, except where an exception under PIPEDA applies.

8.3.2 Express consent is obtained where required — for example, for marketing communications to prospective clients, or for any use of personal information that is not directly related to service delivery.

8.3.3 Implied consent may be relied upon for the collection and use of personal information that is necessary for service delivery, where the individual has voluntarily provided the information in a commercial context and would reasonably understand it would be used for that purpose.

8.3.4 Consent may be withdrawn at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawal of consent may limit our ability to provide Services. To withdraw consent, contact our Privacy Officer using the details in Section 20.

8.3.5 Clients bear responsibility for obtaining any necessary consents from their suppliers and employees before submitting personal information to the Platform on their behalf. By using the Platform, clients warrant that they have obtained all required authorizations.

Principle 4 — Limiting Collection

We collect only the personal information necessary to fulfill the identified purposes. We do not collect personal information indiscriminately.

Principle 5 — Limiting Use, Disclosure, and Retention

Personal information is used and disclosed only for the purposes for which it was collected, unless the individual consents to another use or disclosure, or another use or disclosure is required or permitted by law. Personal information is retained only as long as necessary to fulfill the identified purposes. See Section 13 for our retention schedule.

Principle 6 — Accuracy

We take reasonable steps to ensure that personal information is accurate, complete, and up to date for the purposes for which it is used. Individuals may request correction of inaccurate information using the process in Section 15.

Principle 7 — Safeguards

We protect personal information with security safeguards appropriate to the sensitivity of the information. See Section 14 for details of our security practices.

Principle 8 — Openness

We make this Policy readily available. It is published at https://xfactorverified.com/privacy and is available in print upon request.

Principle 9 — Individual Access

Individuals have the right to request access to their personal information and to be informed of how it has been used and to whom it has been disclosed. We will respond to access requests within 30 days of receipt, subject to applicable exceptions. See Section 15 for the request process.

Principle 10 — Challenging Compliance

Individuals may direct questions, concerns, or complaints regarding our compliance with PIPEDA or this Policy to our Privacy Officer. We will investigate and respond to all complaints. If a complaint cannot be resolved to your satisfaction, you may escalate to the Office of the Privacy Commissioner of Canada (OPC) at https://www.priv.gc.ca or toll-free at 1-800-282-1376.


9. Use of Artificial Intelligence

9.1 How We Use AI

XFACTOR COMMAND uses artificial intelligence and machine learning technologies as part of our assessment and reporting Services, specifically:

  • Claude AI by Anthropic — We use Claude, a large language model developed by Anthropic PBC (San Francisco, California, USA), to assist in processing assessment responses, generating narrative findings and recommendations, analyzing documentary evidence for consistency with supplier claims, and producing sections of the Master Assessment Report and Individual Supplier Reports.

9.2 What Data Is Processed by AI

Assessment response data, uploaded supporting documents (metadata and extracted text), supplier profile information, and scoring inputs may be transmitted to Anthropic's API for processing. This data may include personal information about supplier personnel and client users.

9.3 How AI Outputs Are Used

AI-generated outputs are used as analytical inputs into our assessment methodology. All final assessment findings, risk scores, and designations are subject to review within the Platform's structured scoring framework. We do not make fully automated decisions with legal or similarly significant effects on individuals solely on the basis of AI output, without human oversight embedded in our process.

9.4 AI and GDPR Article 22

Where AI-assisted processing forms part of a decision that has legal or similarly significant effects on a supplier (for example, a formal risk designation that may affect their commercial relationship with a client), individuals have the right to: - Obtain an explanation of the logic involved - Request human review of the decision - Contest the outcome

To exercise these rights, contact our Privacy Officer.

9.5 Anthropic Data Processing

Anthropic processes data submitted via its API in accordance with its own Privacy Policy and Data Processing Addendum, available at https://www.anthropic.com/legal/privacy. XFACTOR COMMAND has entered into appropriate data processing terms with Anthropic. Data submitted to the Claude API may be processed on servers located in the United States. See Section 12 for cross-border transfer safeguards.

9.6 AI Transparency

We are committed to transparency about our use of AI. We will inform affected individuals, through our standard assessment process communications, that AI-assisted tools are used in generating assessment outputs.

9.7 AI Voice Assistant and Call Recording

When you call our published telephone number, your call is answered by "Victor," an automated AI voice assistant. You are informed of this, and that the call is recorded, at the start of every call. We record and transcribe these calls to (a) respond to your inquiry, (b) follow up with the information or materials you request, (c) maintain an accurate record of the conversation, and (d) improve the quality of our service. Call audio is processed by our telephony and voice provider (Retell AI), and the transcript is processed by a large-language-model provider to generate the assistant’s responses and to summarize the call for follow-up. Call recordings and transcripts are handled under the same safeguards as all other personal information and retained in accordance with Section 13. If you would prefer not to be recorded, you may ask the assistant to take a message by other means, or contact us by email instead.


10. Disclosure of Personal Information

We do not sell personal information. We do not disclose personal information to third parties except as described in this Policy or as required by law.

10.1 Disclosure to Clients

When a supplier completes an assessment on the Platform, assessment results, risk scores, and findings are disclosed to the subscribing client who initiated the assessment. Suppliers are informed of this at the time of assessment initiation.

10.2 Disclosure to Service Providers

We disclose personal information to third-party service providers that process data on our behalf, as described in Section 11. These providers are bound by contractual obligations to protect personal information and use it only for the purposes we specify.

10.3 Legal Requirements

We may disclose personal information where required to do so by law, including in response to: - A court order, subpoena, or other lawful demand - A request from a law enforcement agency with appropriate legal authority - Obligations under applicable Canadian federal or provincial law

We will, where legally permissible, notify affected individuals of such disclosures.

10.4 Business Transfers

In the event of a merger, acquisition, sale of assets, or reorganization involving XFACTOR COMMAND, personal information may be transferred as part of that transaction, subject to the acquiring party assuming equivalent privacy obligations. We will notify affected individuals in advance of any such transfer that materially changes how their personal information is handled.

10.5 With Consent

We may disclose personal information for other purposes with the express consent of the affected individual.


11. Sub-Processors and Third-Party Service Providers

XFACTOR COMMAND uses the following sub-processors and third-party service providers. This list is current as of the Last Updated date of this Policy and will be updated when material changes occur.

Provider Service Data Processed Location
Supabase Inc. Cloud database and backend infrastructure (hosted on AWS US East) All Platform data, including client and supplier personal information, assessment data, and account credentials United States (AWS US East)
Anthropic PBC AI language model processing (Claude API) Assessment response data, document text extracts, supplier and client profile data submitted for processing United States
Mapbox Inc. Cargo route mapping and geographic visualization Cargo routing data, origin/destination locations, port and logistics data United States
Google LLC Email (Gmail), cloud file storage (Google Drive), calendar (Google Calendar) Emails, attached documents, calendar entries, and any personal information contained therein United States (and potentially other regions per Google's infrastructure)
Helcim Inc. Payment processing Billing contact name, billing address, payment card identifiers (tokenized) Canada (Calgary, Alberta)
Vercel Inc. (if applicable) Web application hosting Technical log data, IP addresses United States
Retell AI, Inc. AI voice telephony for our inbound phone line - call connection, speech-to-text, and text-to-speech Call audio, call transcripts, caller telephone number United States
Groq, Inc. / OpenRouter, Inc. Large-language-model inference powering the AI voice assistant responses and call summaries Call transcript text United States

11.1 Changes to Sub-Processors

We will provide at least 30 days' advance notice of the addition of any new sub-processor that processes personal data, by updating this Policy and, where we have contact details, notifying affected clients directly. Clients who have entered into a data processing agreement with us may object to the addition of a new sub-processor within this notice period.


12. Cross-Border Data Transfers

12.1 Canada — General Position

PIPEDA permits the transfer of personal information to service providers in other countries for processing, provided that equivalent protection is applied. Our use of US-based sub-processors (see Section 11) constitutes a cross-border transfer.

Before transferring personal information to any sub-processor outside Canada, we ensure that: - The sub-processor is subject to a binding contractual obligation to protect the information to a standard substantially similar to PIPEDA - We have conducted reasonable due diligence on the sub-processor's security and privacy practices - Individuals are informed (through this Policy) that their information may be subject to the laws of the country in which the sub-processor operates, including lawful access by authorities in that country

Please be aware that personal information stored in the United States is subject to access by US government agencies under applicable US law, including the USA PATRIOT Act and FISA, in ways that may differ from Canadian law.

12.2 EEA/UK — GDPR Transfer Mechanisms

For personal data transferred from the European Economic Area or the United Kingdom to the United States or other countries not recognized as providing adequate protection, XFACTOR COMMAND relies on the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs) — We incorporate the Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914) into our agreements with US-based sub-processors.
  • UK International Data Transfer Agreements (IDTAs) — For UK data subjects, we use the UK IDTA or the UK Addendum to the EU SCCs.

Copies of the applicable transfer mechanism documentation are available upon request from our Privacy Officer.

12.3 Canada — Adequacy

Canada is recognized by the European Commission as providing an adequate level of protection for personal data transferred from the EEA to Canada (Decision 2002/2/EC, applicable to PIPEDA-covered organizations). This facilitates the lawful transfer of EEA personal data to XFACTOR COMMAND in Canada.


13. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, or as required by applicable law.

Data Category Retention Period Basis
Active client account data (identity, contact, credentials) Duration of the client relationship plus 7 years after termination Legal obligation (tax/corporate records); contractual
Supplier assessment responses and uploaded documents Duration of the client relationship plus 7 years after completion of the assessment Legal obligation; legitimate interest in resolving disputes
Assessment reports and findings Duration of the client relationship plus 7 years Legal obligation; contractual
Billing and payment records 7 years from the date of transaction Legal obligation (Income Tax Act, GST/HST records)
Website visitor logs and analytics 13 months from collection Legitimate interest (analytics baseline)
Marketing contact data (with consent) Until consent is withdrawn, plus 30 days for processing deletion Consent
Data breach investigation records 5 years from resolution of the incident Legal obligation; regulatory compliance
Support and communications records 3 years from last interaction Legitimate interest (dispute resolution)

At the end of the applicable retention period, personal information is securely deleted or anonymized. Anonymized data (which can no longer identify an individual) may be retained indefinitely for statistical and research purposes.


14. Data Security

XFACTOR COMMAND implements technical and organizational measures appropriate to the sensitivity of personal information and the risks associated with its processing. Our measures include:

14.1 Technical Safeguards

  • Encryption in transit: All data transmitted between your browser/device and our Platform is encrypted using TLS 1.2 or higher (HTTPS enforced site-wide)
  • Encryption at rest: All personal data stored in Supabase is encrypted at rest using AES-256
  • Access controls: Role-based access control (RBAC) limits access to personal data to authorized personnel on a need-to-know basis
  • Authentication: Multi-factor authentication is available to all Platform users and is mandatory for administrative accounts
  • Database security: Supabase Row Level Security (RLS) policies enforce data isolation between client organizations
  • API security: All API endpoints require authentication; rate limiting and input validation are enforced

14.2 Organizational Safeguards

  • Internal data handling policies and procedures
  • Confidentiality obligations in contracts with employees and sub-processors
  • Regular review of security practices and sub-processor compliance
  • Incident response procedures (see Section 18)

14.3 Limits of Security

No system is completely secure. While we take reasonable precautions, we cannot guarantee that personal information will never be subject to unauthorized access, disclosure, or loss. We encourage you to use a strong, unique password for your account and to notify us immediately if you suspect unauthorized access.


15. Data Subject Rights

15.1 Rights Available to All Individuals (PIPEDA)

All individuals whose personal information XFACTOR COMMAND holds have the following rights:

Right of Access — You may request confirmation of whether we hold personal information about you, and a copy of that information, along with information about the purposes for which it is used and to whom it has been disclosed.

Right to Correction — You may request correction of inaccurate or incomplete personal information about you.

Right to Withdraw Consent — You may withdraw consent for processing that is based on consent, subject to legal and contractual restrictions.

Right to Complain — You may lodge a complaint with our Privacy Officer or with the Office of the Privacy Commissioner of Canada.

15.2 Additional Rights for EEA/UK Residents (GDPR)

If you are a resident of the EEA or the United Kingdom, you have the following additional rights under the GDPR:

Right to Erasure ("Right to Be Forgotten") — You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you have withdrawn consent (and no other lawful basis applies), where you have objected and we have no overriding legitimate interest, or where the data has been unlawfully processed.

Right to Restriction of Processing — You may request that we restrict processing of your personal data in certain circumstances (e.g., while you contest its accuracy, or while we are assessing an objection).

Right to Data Portability — Where processing is based on consent or contract and is carried out by automated means, you may request a copy of your personal data in a structured, commonly used, machine-readable format, and the right to transmit that data to another controller.

Right to Object — You may object at any time to processing of your personal data based on legitimate interests (including profiling), or to processing for direct marketing purposes. We will cease processing for direct marketing immediately upon your objection.

Rights Related to Automated Decision-Making — See Section 9.4.

15.3 Exercising Your Rights

To exercise any of the rights described in this section, please submit a written request to our Privacy Officer at:

Email: mandy@globalmlx.com Subject line: "Privacy Rights Request — [Your Name]"

We will acknowledge receipt within 5 business days and respond substantively within 30 days of receipt (extendable by a further 30 days in complex cases, with notice to you).

We may need to verify your identity before processing your request. We will not charge a fee for access requests unless the request is manifestly unfounded, excessive, or repetitive, in which case we will notify you before proceeding.

We may decline a request where an exception under PIPEDA or GDPR applies (for example, where disclosure would reveal information about a third party, or where the information is subject to legal professional privilege). We will notify you of any such refusal and the reason for it.

15.4 EEA/UK Supervisory Authority

If you are an EEA resident and are not satisfied with our response to a privacy complaint, you have the right to lodge a complaint with the supervisory authority in your Member State of residence or place of work. A list of EEA supervisory authorities is available at https://www.edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ICO) at https://ico.org.uk.


16. Cookie Policy

16.1 What Are Cookies

Cookies are small text files placed on your device when you visit our website. We also use similar technologies such as web beacons, pixels, and local storage objects.

16.2 Cookies We Use

Strictly Necessary Cookies — These cookies are essential for the website to function and cannot be switched off. They are typically set in response to actions you take (such as logging in or filling in forms). They do not require consent under applicable law.

Cookie Purpose Duration
session_token Authenticates your logged-in session Session (deleted on browser close)
csrf_token Prevents cross-site request forgery attacks Session
auth_refresh Maintains your authenticated session without re-login 7 days

Functional Cookies — These cookies enable enhanced functionality and personalization, such as remembering your language preferences and dashboard settings. They are set with your consent.

Cookie Purpose Duration
user_prefs Stores dashboard layout and display preferences 1 year
locale Remembers your selected language 1 year

Analytics Cookies — These cookies help us understand how visitors interact with our website by collecting and reporting information anonymously. They are set with your consent.

Cookie Purpose Duration
_analytics_id Tracks unique visitors and page views (anonymized) 13 months

Third-Party Cookies — Mapbox may set cookies in connection with the interactive map features embedded in our Platform. These cookies are subject to Mapbox's own privacy policy at https://www.mapbox.com/legal/privacy.

16.3 Managing Cookies

You can control cookies through:

  • Our Cookie Consent Banner — When you first visit xfactorverified.com, you will be presented with a cookie consent notice that allows you to accept, reject, or customize non-essential cookies.
  • Your Browser Settings — Most browsers allow you to refuse or delete cookies. Instructions vary by browser; consult your browser's help documentation.
  • Opt-Out Tools — You may opt out of analytics tracking at any time by contacting us or using the opt-out mechanism in our cookie banner.

Please note that disabling strictly necessary cookies will impair your ability to use the Platform.


17. Children's Privacy

Our Platform and Services are intended exclusively for business use by adults, and are not directed at children under the age of 18.

We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will promptly delete it.

If you are a parent or guardian and believe that a child under 18 has provided personal information to us, please contact our Privacy Officer at mandy@globalmlx.com, and we will take immediate steps to investigate and delete the information.


18. Data Breach Notification

18.1 Internal Response

XFACTOR COMMAND maintains a written incident response procedure for responding to data breaches. In the event of a confirmed or suspected breach of personal information, we will:

  1. Contain the breach and prevent further unauthorized access
  2. Assess the scope, nature, and sensitivity of the affected information
  3. Identify affected individuals
  4. Notify the relevant regulatory authority and affected individuals as required

18.2 Regulatory Notification — PIPEDA

Under PIPEDA's mandatory breach reporting requirements (in force since November 1, 2018), XFACTOR COMMAND will report to the Office of the Privacy Commissioner of Canada (OPC) any breach of security safeguards involving personal information that creates a real risk of significant harm to affected individuals, as soon as feasible and no later than 72 hours after we form a reasonable belief that a reportable breach has occurred.

We will simultaneously notify affected individuals where the breach creates a real risk of significant harm to them, in plain language, describing: - The circumstances of the breach - The personal information affected - Steps we have taken to reduce risk - Steps affected individuals can take to protect themselves - Contact information for our Privacy Officer

We will maintain records of all breaches, whether or not reportable, for a minimum of 24 months as required under PIPEDA.

18.3 Regulatory Notification — GDPR

For personal data of EEA/UK residents, XFACTOR COMMAND will notify the competent supervisory authority of a personal data breach within 72 hours of becoming aware of it, where feasible, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to the rights and freedoms of EEA/UK individuals, we will also notify affected individuals without undue delay, as required by Article 34 GDPR.


19. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will indicate the revised "Last Updated" date at the top of this Policy.

For material changes — including changes that would affect how we use personal information already collected, introduce new categories of sub-processors, or significantly affect your rights — we will provide 30 days' advance notice by:

  • Posting a prominent notice on our website
  • Sending a notification to the email address associated with your account (if you have one)

Your continued use of our Platform after the effective date of a revised Policy constitutes your acknowledgment of and agreement to the updated terms, to the extent permitted by applicable law. If you do not agree to the revised Policy, you should discontinue use of the Platform and contact our Privacy Officer to request deletion of your personal information.


20. Contact Information and Privacy Inquiries

For all privacy-related inquiries, requests, or complaints, please contact:

Privacy Officer XFACTOR COMMAND British Columbia, Canada

Email: mandy@globalmlx.com Subject line for privacy matters: "Privacy Inquiry — [Your Name]" Website: https://xfactorverified.com

We are committed to responding to all privacy inquiries within 5 business days of receipt.

If you are not satisfied with our response to your privacy concern, you may contact:

For Canadian residents: Office of the Privacy Commissioner of Canada 30 Victoria Street, Gatineau, QC K1A 1H3 Toll-free: 1-800-282-1376 Website: https://www.priv.gc.ca

For EEA residents: The supervisory authority in your Member State of residence or place of work. Full list: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en

For UK residents: Information Commissioner's Office (ICO) Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF Helpline: 0303 123 1113 Website: https://ico.org.uk


This Privacy Policy was prepared for XFACTOR COMMAND and is governed by the laws of the Province of British Columbia and the federal laws of Canada applicable therein. Nothing in this Policy constitutes legal advice, and XFACTOR COMMAND recommends that all data processing agreements and cross-border transfer mechanisms be reviewed by qualified legal counsel prior to reliance.


XFACTOR COMMAND British Columbia, Canada https://xfactorverified.com

Policy Version: 1.0 | Effective Date: April 16, 2026 | Last Updated: April 16, 2026

XFACTOR
XFACTOR VERIFIED

Supply chain security.
Built by a 30-year expert.

customercare@xfactorverified.com+1 (866) 883-8169

Programs

  • C-TPAT
  • PIP
  • ESG
  • Bill S-211
  • AEO
  • GFSI / Food Safety

Platform

  • How It Works
  • Departments
  • VANTAGE
  • Pricing
  • Products
  • How to Comply Manuals
  • Book a Demo

Resources

  • Learn
  • Risk Leader Challenge
  • The Book
  • FAQ
  • Security & Trust

Company

  • About
  • Founder Access
  • Client Login
  • Privacy
  • Terms

© 2026 XFACTOR COMMAND. Built by Mandy Lynn Aitken.

PrivacyTermsSecurity
PO Box 221, Sooke, BC V9Z 1A0, Canada