Merchant Privacy Policy

When your business applies to be a Merchant with us, we appreciate that you (the Merchant’s beneficial owners, directors, other employees or trustees) trust us with your personal data that we collect and handle.

 

Here we provide an overview of what personal data we collect from you and why, our handling practices, and your rights and choices.

 

This Policy applies to Afterpay Australia Pty Ltd ACN 169 342 947, Afterpay NZ Limited (Company number: 6340314), Afterpay US , Inc., Afterpay US Services, LLC, Afterpay Canada Limited, Clearpay Finance Limited (company number 05198026), and their affiliates and related companies (together, ‘we’, ‘us’ or ‘our’). Clearpay Finance Limited acts as a Data Controller in accordance with the General Data Protection Regulation (GDPR) and U.K. GDPR / 2018 Data Protection Act 2018. The entity you are interacting with in your jurisdiction of residence as indicated above is collecting the personal data and will process it, but may share it with other entities as set forth in this Policy.

 

What is personal data?


Personal data or is any information that reasonably identifies you and is about you as described in our applicable privacy laws. Some examples of personal data are your name, home address, and date of birth. 

 

Personal data we collect and why


During your Merchant application process and throughout our business relationship, we may ask for your personal data directly from you or your business representatives on your behalf where it is lawful to do so.

 

We may collect your personal data for the following purposes outlined in below, for compatible purposes, and where otherwise lawful to do so. We will collect, use or disclose your personal data only with your knowledge and consent, including as set out in this Policy, except where otherwise required or permitted by law.

 

If you are unable to provide the requested personal data for our purposes, or refuse to do so, we may not be able to approve your application, enter into or continue an agreement to access or provide our Services.

 Category Purpose/s 
 

Personal and contact details. For example, your name, date of birth, email address, business and residential address, location

  

To enter into and for the performance of your Merchant contract, and as required by law

  • We need to get in touch with you, and discuss your application with us.
  • Once your business is approved, we will also set up your business’s Service account, and use it to authorise discussions about your business’ account with our customer support team.
  • As required by law. Refer to “Identifiers” below.

 

With your consent for marketing and research purposes

  • To conduct Merchant surveys

 

Our legitimate interests

  • Before you apply to become a Merchant, we may collect this type of information from your business, publicly available (eg. your website or LinkedIn), and other third party sources where permitted to reach out and understand whether you may be interested in applying to be a Merchant. This includes, where another Merchant has referred you under our Merchant Referral Program.
  • We may search online for any publicly available information about you, such as adverse media, through our onboarding process.
  • To support the delivery and enhancement of our Services, such as reaching out to you to offer new partnerships and promotions opportunities. Where permitted, we may opt you in, but you can opt out at any time by clicking the unsubscribe link at the bottom of these messages.
 

Identifiers, including government-issued documents. For example, a driver’s license, passport, social security number, health or social insurance number, birth certificate, trust deed, or other agreed identity documentation

To enter into a Merchant contract, and where required by law

  • With your personal details, we may ask for this information where permitted to verify your identity and assess your eligibility to approve you as a Merchant.
  • We do so as required and in accordance with applicable Anti-Money Laundering Counter Terrorism Financing Laws, Sanctions-related Laws, and internal risk policies. These include:
    • Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (New Zealand)
    • Anti-Money Laundering and Countering Terrorism Financing Act 2006 (Australia)
  • The provision of your identifiers is voluntary, but if you do not provide it to us when requested, we may not be able to verify your identity, and we may not be able to enter into a contract with your business.
 
 

Use of our information, communication, and transaction processing systems

For example, login sessions, information about your interactions with our Services, your bank account details

For performance of your Merchant contract, and our legitimate interests

  • To provide, maintain, and improve our services, including your service account and perform transactions
  • When you access or use your Service account we may collect personal data via the use of cookies and other web tracking technology, such as pixels or beacons, in order to  take reasonable steps to ensure the security of our systems and to help us deliver, maintain, and improve our Services. A cookie is a small text file saved on your computer, mobile device or browser when you visit us. Your browser may give you the ability to control our use of cookies. If you block all cookies, you may disrupt certain Service features, and limit the functionality we can provide.
  • When you interact with us through contacting our customer support team, suppliers or service providers to manage your account or respond to a query (whether by web form, mail, email or through telephone enquiries), and to deliver our partnership and promotion opportunities, such as the Merchant Retailer Program.
 

How your personal data is used and shared


We may use and share your personal data with the following categories of recipients where lawful to do so, including for purposes outlined in “Personal data we collect and why”. We do not sell your personal data.

 

  • When verifying your identity and assessing your eligibility, we may share your personal data with credit reporting bodies, identity verification services, and/or other external agencies. We may collect responses as to whether you pose a fraud or money laundering risk, and whether you are listed on a government sanctions list. The searches we would make are "soft" searches and do not leave a footprint on your credit file. 
  • We may also share your personal data with other Afterpay entities, affiliates and related companies (company group), and with Suppliers and Service Providers for the provision, maintenance, and improvement of our Services. Personal data may be accessible by authorised employees and contractors as required for the purposes described in this Policy. 
  • Where required, we may share your personal data with government, law enforcement, and regulatory authorities, or as otherwise required or authorised by law.

 

Cross border transfers

 

We may collect or transfer personal data across borders in a secure and lawful manner, within and externally to our company group, including for purposes described in this Policy and as otherwise required or permitted by law. Your personal data may be transferred to countries that include the United Kingdom, United States, Australia, Canada, New Zealand, and the Philippines. We take necessary steps to require entities that deal with your personal data, by written agreement, to comply with a similar standard of compliance with applicable privacy requirements and to have appropriate safeguards. This includes, where required, cross-border transfer mechanisms under the GDPR for transfers of personal data outside the European Economic Area. For example, transferring to European Commission approved third countries holding an adequacy provision or providing appropriate and enforceable safeguards, including availability of an effective legal remedy to individual rights. 

 

How we keep your personal data safe

 

As part of our commitment to protecting the security of any data we process, we have put in place physical, technical, and administrative security measures. We are an ISO 27001 compliant company, and require our third parties to meet appropriate privacy and security standards when handling data on our behalf. 

 

How we retain your personal data

 

We will retain your personal data for as long as necessary to fulfill the purposes we collected it for. This includes where required under law, our legitimate interests, or for the establishment, exercise or defence of legal claims, and for reasons explained in “Personal data we collect and why” and “How your personal data is used and shared”. We will otherwise delete personal data where we no longer have a lawful basis. 

 

When you provide your personal data to us to enter into and for the performance of a contract we will retain it for 7 years after the application is made or the termination of our agreement (where applicable), and where otherwise we have a lawful basis to do so. This includes for as long as is necessary for our for legal and compliance reasons.

 

Your rights and choices

 

We respect your rights and choices you make. Your rights and choices are where applicable to you based on your location and which entity you are dealing with, and subject to limitations as required or permitted by law. They are set out below.

 

We may not always be able to fulfill your request if we have a legitimate basis to refuse it. We will tell you why. For example, if you seek to erase your personal data in a way that would mean we are not able to comply with our obligations under law.

 

 

Right to  Description
Withdraw your consent You have the right to withdraw your consent where we have relied on it. If you withdraw your consent, we may not be able to provide you with certain Services. It will not affect our lawful basis for processing by consent before your withdrawal.
Further information  You have the right to enquire further about the personal data we hold about you and how we process it, including across borders.
Access You have the right to request access to your personal data.  
Correction You have the right to ask us to correct your personal data, including where you believe it is not accurate, complete, up to date, or relevant. 
Make an enquiry or complaint You have a right to make an enquiry or complaint, including to lodge a complaint with your local privacy authority
Erasure You have the right to ask us to erase your personal data, and where personal data is made public, to inform other controllers of your personal data where you have a lawful erasure right. 
Restrict processing You have the right to ask us to restrict processing of your personal data.
Object to processing You have the right to object to us processing your personal data.
Portability You have the right to ask us to access or transfer on your behalf personal data we hold about you to a third party.

 

Contact Us

 

If you have a query or concern regarding the way we collect and handle your personal data, or would like to exercise your rights and choices, please contact our Customer Support Team at [email protected]. You may alternatively contact our Senior Manager, Privacy at [email protected].

 

If you are in the European Economic Area, and you have a query or concern regarding the way we collect and handle your personal data, or would like to exercise your rights and choices, please instead visit the Contact Us section of our website: http://help.clearpay.co.uk or contact our Senior Manager, Privacy at [email protected].

 

You can also alternatively reach out to our Data Protection Officer at [email protected] or the address below.

 

Data Protection Officer

Clearpay Finance Limited

125 Kingsway, London WC2B 6NH

 
We will respond to you in a timely manner. Afterpay will provide written acknowledgement of your correspondence within 7 days of receipt.

 

Where you have asked us to exercise a right or choice, we will review and advise you of the steps we have taken to respond within a reasonable and lawful time frame, and explain our process and reasons.

 

Changes to this Policy

 

The Policy will be reviewed regularly and updated as needed to reflect our current collection and handling practices. The updated version will be available by following the ‘Merchant Privacy Policy’ link on our Websites. The revised version will be effective from the time we post it. We may notify you if we make material changes to this Policy.

 

Policy last updated: 5 January 2021