PAYNUTS PRIVACY COLLECTION STATEMENT
PayNuts Pty Ltd (‘PayNuts’, ‘we’, ‘our’ or ‘us’) complies with the Privacy Act 1988 (Cth). We collect your personal information via our website, digital channels and in the course of other interactions with you in order to respond to your enquiries, provide you with products and services, and conduct our business functions and activities.
Date: 6 February 2023
PayNuts Pty Ltd (‘PayNuts’, ‘we’, ‘our’ or ‘us’) is a payment service that facilitates electronic payments and related services for businesses throughout Australia and New Zealand.
Your privacy is important to us and we respect the privacy of the personal information that we collect and handle. We comply with the Australian Privacy Act 1988 (Cth) (including the Australian Privacy Principles) and all other applicable privacy legislation in Australia.
“Personal information” has the meaning given under these applicable privacy laws. However, this term broadly refers to data or information that identifies you as an individual, or from which your identity could reasonably be determined.
2. What types of personal information we collect and hold
The types of personal information we collect from or about you depend on how and why you are interacting with us. We are also required to collect certain information (including personal information) by applicable laws, including the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) and the AML/CTF Rules under the AML/CTF Act.
Personal information that we may collect from or about you includes:
a. Prospective, current and former customers (“merchants”)
When you enquire, apply or agree to purchase and receive our products or services, we may collect personal information from you, including details required to verify your identity, assess your application for our products and services, perform credit risk and fraud detection and prevention checks, provide you with a pricing quote, provide, market and sell our products and services to you, and respond to general inquiries about our products and services, including your:
- full name
- contact details (including email address and/or phone numbers)
- current and previous addresses
- date of birth
- document identification numbers (such as passports, driver's licence, Medicare numbers, or other national cards)
- other identity verification information including from third parties, such as the Australian Government's Document Verification Service (DVS), other countries' identity verification sources, identity information from credit files, and other data reference points
- employment and/or business details (including business name, ACN or ABN, industry and estimated monthly revenue)
- financial account details (including bank account names and numbers and account statements)
- payment transaction data related to your business or company, including monthly transaction volumes and values
- records and your communications and interactions with us
- details and history of your preferences, interests and behaviour relating to your transactions, products and services.
b. End customers of merchants
If you are an end customer of one of our merchants, we may collect your personal information in connection with our facilitation of payment transactions that you perform with that merchant using our products and services, including your:
- tokenised and encrypted debit and credit card information associated with payment transactions (note that PayNuts does not collect, handle or store any non-tokenised and/or unencrypted cardholder data of any kind)
- other payment and transaction data and history (including information about the type of payment method used, the value, time, date and location of the transaction)
- name and contact details (e.g. your email and/or phone number), where required to investigate and respond to an enquiry or transaction dispute that you have submitted to the relevant merchant
- behavioural and statistical information about your engagement with the products and services that we provide to our merchants, including information about the volume, frequency and value of your transactions.
c. Information collected through your use of our website and digital channels
When you visit our website or use any of our other digital channels (such as our social media profiles, emails, or any apps that we may make available from time to time), we may collect digital information about you, including:
- location information (where enabled on your device)
- device type
- operating systems
- device or online identifiers
- data about how you interact with our websites or digital channels, such as scrolling activity, click rates, page visits or mouse movements
- historical device usage including website login details, behavioural data collected by cookies, IP address and activity logs
- behavioural and statistical information about your engagement with our digital channels.
3. When we collect personal information
We may collect your personal information:
- if you are a merchant:
  - when you apply to purchase and use our products and services
  - when you use our products and services, including in relation to your transactions processed via our services
  - when you communicate or interact with us in connection with your account or the products and services that you purchase from us, including when you contact us for support, training or raise a dispute with us
  - when you manage your relationship with us, including where you provide us with feedback or participate in a survey or questionnaire.
- if you are an end customer of a merchant:
  - when you interact with our products and services via one of our merchants, including where we facilitate the processing of a payment transaction that you perform with a merchant
  - where we communicate or interact with you in connection with any such transaction, including in connection with the investigation and resolution of a transaction dispute.
- when you visit our website or use any of our other digital channels, including when you contact us to submit an enquiry or dispute.
- when such collection is otherwise authorised or required by applicable law or court order.
We may monitor and record your communications with us (including email, online chat and telephone) for security, dispute resolution and training purposes, to improve our products and services or as required to comply with applicable law.
You may have the option to engage with us anonymously in certain circumstances, such as where you wish to submit a general question to our support team which does not require us to verify your identity for account security reasons. However, we are unable to provide you with our products and services unless you submit all required personal information as part of your application. You may also be unable to access and use some or all of our products and services unless you log in or otherwise verify your account prior to use.
4. How we collect personal information
Generally, we collect personal information directly from the relevant person wherever reasonable and practical (e.g. through an application form you submit to us or when you contact us).
However, at times, we may need to collect information about you from third parties and other sources, including:
- identity verification and fraud prevention service providers, who in turn may access third party databases, document issuers, official record holders, DVS and other sources in order to perform identity verification services
- credit checking service providers and credit reporting bodies
- publicly available sources
- other companies that you have dealt with (such as financial services institutions)
- corporate group members and business partners of PayNuts
- anyone authorised to act on your behalf (e.g. your spouse, power of attorney or professional advisor)
- service providers who help us to operate our business and provide our products and services, including any company that performs the role of an acquirer in relation to the processing of payment transactions that are facilitated by us
- information service providers (including to assist us in ensuring our information is accurate, up to date and complete, and for data integrity purposes).
5. Purposes for which we collect, use and hold personal information
We use the personal information we collect about you to:
- identify you, including where we are required to identify you when assessing your application for our products or services or as part of our ongoing relationship and provision of products and services to you
- perform credit checks, review and process applications and orders for our products and services, set up and administer your account, and manage our business relationship with you
- supply our products and services to you and/or your end customers, including facilitating the processing of payment transactions, setting up direct debit authorities, providing payment systems and management of payment devices
- charge and bill you for products and services that you use, collect payment from you and undertake debt recovery
- detect, manage and prevent fraud, theft and unauthorised uses of our products and services, ensure account security, and monitor compliance with applicable legal obligations, including by undertaking fraud monitoring, identification, analysis, risk assessment and management
- promote, market and sell our products and services, including undertaking direct marketing in relation to products and services that you may be interested in receiving from us, our corporate group members and our business partners (see Section 7 for more details)
- communicate and interact with you and/or your end customers, provide you with customer support, respond to enquiries and investigate and respond to disputes and complaints
- manage, test and improve existing products and services, conduct research and develop new products and services
- personalise your experiences on our website or other digital channels, understand your online preferences and behaviours, and perform data analytics and undertake quality assurance and improvement activities
- operate and administer our business, including as authorised or permitted by applicable laws, to protect our lawful interests and to facilitate purchases of our business or shares
- comply with various laws and regulations that apply to us (including the AML/CTF Act and AML/CTF Rules), and respond to regulators, government authorities, law enforcement agencies and court orders.
6. When and to whom we disclose personal information
We may disclose your personal information as reasonably needed to:
- contractors or suppliers engaged by us who supply or support us with:
  - identity verification and fraud checking, including where required when you apply for or use our products and services
  - credit related matters, including credit rating, risk and worthiness checks and assessments
  - service provisioning, including supply of software, hardware or systems used to deliver or enable our products and services
  - device or hardware supply, installation, maintenance, support, repair and warranties
  - service, incident or support enquiries
  - communications and mailing
  - direct marketing activities (see Section 7 for more details)
  - market research and sales
  - legal and regulatory compliance, accountancy, tax, audit or other professional advice related to our business operations
  - billing, debt recovery and credit management
  - investigating and responding to disputes and complaints
  - otherwise providing goods and services that we use to operate our business and provide products and services to you
- your authorised representative(s), power of attorney, or legal guardian
- our agents and members of our corporate group
- our acquirer, financial services partners, card schemes and other business partners that we use to provide products and services to you
- Australian Financial Complaints Authority, regulatory bodies (such as the ACCC, AUSTRAC and ASIC), police, law enforcement agencies, national security agencies and other authorities when and as required by law
- organisations that provide credit or finance to us, investors, shareholders, or actual or prospective purchasers of our business or shares.
Our website or digital channels may include applications or links to websites made available by third parties, such as social media buttons. The third party operators of these applications or websites may themselves collect personal information from you. We are not responsible for these applications or websites or their collection and use of your information. Please visit the relevant third party websites to understand their privacy policies and practices.
7. Overseas use and disclosure of personal information
Our business operates in Australia and New Zealand and we may collect, use, disclose and store personal information generally in these locations.
8. Marketing Activities
We may use and disclose your personal information for the purposes of sending you marketing and promotional material about us or our products and services, as well as the products and services of our corporate group members, business partners and agents. We may send such marketing and promotional materials to you using:
- electronic messaging
- targeted website advertising
- social media and other digital channels
- other direct marketing channels
You may choose to opt out of electronic and telephone direct marketing communications from us at any time by emailing our Privacy Officer in accordance with Section 11. You can also use the unsubscribe facility provided in any electronic marketing communications from PayNuts.
If you elect to opt out, you will still receive service based communications relating to PayNuts products and services and your account, as well as other information that we are required to send you by law, such as changes to our terms and conditions and notifications relating to your transactions.
We may also use personal testimonials or endorsements from customers on our website or in other marketing materials. This may be anonymous, or we may request your consent to include your name and/or information about your business. If you wish to update or delete your published testimonial or endorsement, you can contact our Privacy Officer in accordance with Section 11.
9. Storage and security of personal information
We hold personal information electronically and in hard copy form, both at our own premises and with the assistance of our third party service providers. We aim to keep your personal information secure and we implement a range of measures to protect the security of that personal information. Examples of these measures include:
- our third party service providers that process, handle and store personal information on our behalf are required to comply with the Payment Card Industry Data Security Standard (“PCI DSS”), which is an industry standard related to the protection and security of credit and debit card data. PayNuts does not itself collect, handle or store any credit or debit card numbers or other cardholder data
- access to personal information that we store is controlled through physical, technical and procedural methods, including firewalls and encryption
- our personnel are bound by internal information security policies and are required to keep personal information secure at all times
- we take measures to destroy or de-identify personal information that is no longer needed for any lawful purpose.
10. Access and correct your personal information
You are generally entitled to access personal information we hold about you. In ordinary circumstances, we will give you access to the personal information we hold about you. Depending on the nature of the request, we may charge a reasonable administrative fee to cover our costs in complying with the request. If this fee applies, we will inform you in advance so you can decide if you would like to proceed with your access request or not.
However, there may be some legal or administrative reasons to deny access. If we refuse your request to access your personal information, we will provide you with reasons for the refusal where we are required by law to give those reasons.
If you are a merchant, you can access and correct some of your personal information and other merchant information through self-service by logging into our merchant portal and updating or editing that information at any time.
Alternatively, a request for access or correction can be made by contacting us in accordance with Section 11 and we will use all reasonable efforts to correct the information.
11. Questions and complaints
If you lodge a complaint with us, you can expect a full response within 30 days of our receipt of it. If you are not satisfied with our response, please let us know and we will investigate further and respond to you.
Privacy complaints should be directed to us in the first instance. If you are still not satisfied, you can contact the Office of the Australian Information Commissioner, whose contact details are also set out below.
All enquiries and complaints related to privacy should be directed to the PayNuts Privacy Officer:
Phone: 1800 338 767
Post: Ground Floor, 132-136 Albert Road, South Melbourne, VIC, 3205
Office of the Australian Information Commissioner
Post: GPO Box 5218, Sydney NSW 2001
Phone: 1300 363 992