AU Privacy Policy

Overview – who we are and what this policy is for

 

At Openpay, we value your privacy and want to be accountable, fair and transparent with you in the way that we collect, hold, use, store and disclose your personal information.

 

This Privacy Policy (“policy”) applies to Openpay Pty Ltd ACN 159 699 126 (“Openpay”, “our”, “us”, “we”) and sets out the ways in which we collect, hold, use, store and disclose personal information about you.

 

All references in this policy to “our website”, refer to the website owned by Openpay at https://www.opy.com/.

 

By engaging with us in the ways set out in this policy, you confirm that you have read and understood this policy, as it applies to you.

1. How we obtain your personal information.

You may provide us with your personal information (including credit information and credit eligibility information) through our website, mobile application, merchant portal, consumer portal, phone, email or by any other means through which you engage with us in order to receive information or services from us.

We may also receive information about you from third parties such as marketing agencies, credit reference agencies, market research companies, our suppliers, group companies, public websites and public agencies (which we refer to as “third party sources” or “suppliers” throughout this policy). 

2. Collection of your personal information and how we use it.

2.1 Visitors to our website

We, or third parties on our behalf, may collect and use any of the following information about you when you visit our website: 

(a) information provided when you correspond with us; 

(b) any updates to information provided to us; 

(c) if you are a Merchant or a representative of a Merchant, we may also collect the following information (either in respect of you or any individual on whose behalf you are authorised to provide such information): name including title, postal address, email address and telephone number; 

(d) personal information we collect about you or that we obtain from our third party sources; and

(e) the following information created and recorded automatically when you visit our website: 

(i) Technical information. This includes: your device ID, the Internet Protocol (IP) address used to connect your computer to the internet address; the website address and country from which you access information; the files requested; browser type and version; browser plug-in types and versions; operating system; and platform. We use this personal information to administer our website, to measure the efficiency of our systems and to undertake an analysis on the locations from which people access our webpages; and 

(ii) Information about your visit and your behaviour on our website (for example, the pages that you click on). This may include the website you visit before and after visiting our website (including date and time), time and length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, traffic data, location data, weblogs and other communication data and information provided when requesting further service or downloads. 

2.1.1 How we use your personal information 

We will collect, use and store the personal information listed above for the following reasons: 

(a) to allow you to access our website; 

(b) to receive enquiries from you through the website about our business and services; 

(c) for improvement and maintenance of our website and to provide technical support for our website; 

(d) to ensure the security of our website; 

(e) to recognise you when you return to our website, to store information about your preferences, and to allow us to customise the website according to your individual interests; and 

(f) to evaluate your visit to the website and prepare reports or compile statistics to understand the type of people who use our website, how they use our website and to make our website more intuitive. Such details will be anonymised as far as reasonably possible and you will not be identifiable from the information collected. 

2.1.2 A word about cookies  

(a) Our website and mobile application use cookies (and similar tracking technologies), which are small files placed on your internet browser / device when you visit our website and / or download our mobile application. We use cookies in order to offer you a more tailored experience in the future, by understanding and remembering your particular browsing preferences. 

(b) You may block the cookies we use on our website at any time. To do so, you can activate the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies), you may not be able to access all or parts of our website or to use all the functionality provided through our website. 

(c) We handle personal information collected by cookies (and similar tracking technologies) in the same way that we handle all other personal information as described in this policy.

2.2 Our customers (both consumers and Merchants, and including users of our App) 

(a) Unless you are authorised by another individual to provide their personal information to us, you are only allowed to provide your own personal information when using our services.

(b) We, or third parties on our behalf, may collect, hold and use any of the following information (including credit information and credit eligibility information) about you (or, in the case of Merchants, if you are authorised to provide information about another individual, that other individual): 

(i) your name;

(ii) your postal address;

(iii) your email address;

(iv) your telephone number;

(v) your date of birth;

(vi) your gender;

(vii) your credit card details;

(viii) your plan and repayment transaction records;

(ix) information provided when you correspond with us;

(x) any updates to information provided to us;

(xi) if you are an App user your location data if you opt-in to our service to make you aware of any Openpay locations near you;

(xii) information about the services we provide to you:

(xiii) information you provide to help us provide you with improved service for example if we ask you to fill in a survey or questionnaire; and

(xiv) your credit file from third parties based on data given to us by you.

(xv) credit card balances and limits;

(xvi) default information and when the default has been paid;

(xvii) any new arrangements with us because of a default;

(xviii) information about your application for credit with us including the type and amount;

(xix) publicly available information;

(xx) any serious credit infringements;

(xxi) credit reporting information we obtain from credit reporting bodies including your credit score;

(xxii) any CP derived information about you which we derive from credit reports we obtain about you;

(xxiii) payment history with third parties; and

(xxiv) information that we require to identify customers, including as required under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (“AML/CTF Act”), which may include details or copies of passports or driver’s licences or utility bills or other documentary evidence of applicants’ identities. 

(c) We will only collect sensitive information (e.g. information about your health) where absolutely necessary, and only with your consent or when permissible under applicable laws.

(d) Your telephone calls to our Customer Service Team may be monitored and recorded for quality and training purposes. 

2.2.1 How we use your personal information 

(a) We will collect, use and store the personal information (including credit information and credit eligibility information) listed above for the following reasons: 

(i) to assess your credit risk in order to determine your individual credit limit and assess whether it is appropriate to agree to advance you the funds which you requested. This will involve automated profiling and decision-making and our algorithms will assess things such as your credit score (which will include information that you have provided to us, information that we may already hold and information provided by third parties such as Credit Reporting Bodies). Our automated systems will assess this information to predict behaviour and make decisions on your individual credit limit. If you have any accounts with us, then we may continue to use automated decision making when deciding whether to change your individual credit limit. If you disagree with the result or would like further information about this process then please feel free to contact us using the details set out in Section 14; 

(ii) to ensure that you are age appropriate to receive our financial services;

(iii) to deal with any enquiries or issues you have about our services that you request from us, our App or our online consumer portal which helps you manage our services; 

(iv) to send you certain communications (including by email or post) about our services such as administrative messages (for example, setting out changes to our terms and conditions and keeping you informed about our fees and charges); 

(v) if you have consented to us doing so, to contact you (including by telephone, SMS or post) with information about our services or the products and services of our suppliers which either you request, or which we feel will be of interest to you 

(vi) to provide you with our services including taking the repayments on your purchases in accordance with the plan intervals that you have nominated; 

(vii) where we collect your location data, we use this to make you aware of any nearby Openpay locations; 

(viii) to carry out statistical analysis and market research on people who may be interested in our services; 

(ix) if you have consented and it is in our legitimate interests for business development and marketing purposes, to contact you (including by telephone or post) with information about our services or the products or services of our suppliers which either you request, or which we feel will be of interest to you; 

(x) if you are an individual, a sole trader or a non-limited liability partnership and if you have consented, to contact you by email with information about our services or the products and services of our suppliers which either you request, or which we feel will be of interest to you; 

(xi) to assist you to avoid defaulting on your loan; 

(xii) to recover overdue amounts you owe us where you have failed to meet your payment obligations to us;

(xiii) to verify your identity for the purposes of the AML/CTF Act; and

(xiv) if you are a Merchant, all applicable purposes outlined above, as well as for the following purposes:

(a) to assess whether to enter into a merchant agreement with you;

(b) to enter into and perform our obligations under your merchant agreement with us, and as required by law;

(c) with your consent, for marketing and research purposes (eg, to conduct merchant surveys); and

(d) our legitimate interests. 

(b) Source of personal information. We may receive some of your personal information from third parties, such as from Credit Reporting Bodies. For more information on Credit Reporting Bodies see section 6. 

(c) Information we need to provide services to you. We need certain types of personal information so that we can provide services to you and perform contractual and other legal obligations that we have to you. If you do not provide us with such personal information, or if you ask us to delete it, you may no longer be able to access our services. 

2.3 All individuals

Whatever our relationship with you is, we may also collect, use and store your personal information (including credit information and credit eligibility information) for the following additional reasons: 

(a) to deal with any enquiries or issues you have about how we collect, store and use your personal information, or any requests made by you for a copy of the information we hold about you. If we do not have a contract with you, we may process your personal information for these purposes where it is in our legitimate interests for customer service purposes; 

(b) for internal corporate reporting, business administration, ensuring adequate insurance coverage for our business, ensuring the security of company facilities, research and development, and to identify and implement business efficiencies. We may process your personal information for these purposes where it is in our legitimate interests to do so; 

(c) to comply with any procedures, laws and regulations which apply to us – this may include where we reasonably consider it is in our legitimate interests or the legitimate interests of others to comply, as well as where we are legally required to do so; and 

(d) to establish, exercise or defend our legal rights – this may include where we reasonably consider it is in our legitimate interests or the legitimate interests of others, as well as where we are legally required to do so.

2.4 Our recruitment process 

We may also collect, use and store your personal information, details of your employment history, and other information provided as part of our recruitment process when you apply for a position with us.

The Openpay Careers website is powered by a service provided by Breezy HR, Inc., whose privacy policy and contact details are set out at https://breezy.hr/privacy.

2.5 Further processing 

Before using your personal information for any purposes which fall outside those set out in this section, we will undertake an analysis to establish if our new use of your personal information is compatible with the purposes set out in this section. 

3. Legal basis for use of your personal information 

(a) We consider that the legal bases for using your personal information as set out in this policy are as follows: 

(i) our use of your personal information is necessary to perform our obligations under any contract with you (for example, to perform our services in accordance with our terms and conditions or in accordance with the terms of a merchant agreement); or 

(ii) our use of your personal information is necessary for complying with our legal obligations (for example, identifying you in accordance with the AML/CTF Act); or 

(iii) where neither (a) nor (b) apply, use of your personal information is necessary for our legitimate interests or the legitimate interests of others (for example, to ensure the security of our website). Our legitimate interests are to: 

(a) run, grow and develop our business in accordance with our internal risk appetite;

(b) operate our website and app;

(c) carry out marketing, market research and business development; and

(d) for internal group administrative purposes.

(b) If we rely on our (or another person’s) legitimate interests for using your personal information, we will undertake a balancing test to ensure that our (or the other person’s) legitimate interests are not outweighed by your interests or fundamental rights and freedoms which require protection of your personal information. 

(c) We may process your personal information in some cases for marketing purposes on the basis of your consent (which you may withdraw at any time after giving it, as described in section 9 below). 

(d) If we rely on your consent for us to use your personal information in a particular way, but you later change your mind, you may withdraw your consent within the consumer portal and we will stop doing so. However, if you withdraw your consent, this may impact the ability for us to be able to provide you with our services. 

4. How and why we share your personal information with others 

(a) We may share your personal information with our group companies where it is in our legitimate interests to do so for internal administrative purposes (for example, for corporate strategy, compliance, auditing and monitoring, research and development and quality assurance). 

(b) We will share your personal information with the following third parties or categories of third parties: 

(i) Credit Providers and Credit Reporting Agencies who provide us with your credit file and/or other information about your creditworthiness. For more information see Section 6; 

(ii) fraud prevention services, including fraud databases such as the Australian Financial Crimes Exchange; 

(iii) identity matching services; 

(iv) ACI Red and other, similar companies who provide us with credit card fraud detection services; 

(v) SMS gateways who use your mobile number to send text messages for mobile verification loops; 

(vi) our other service providers and sub-contractors, including payment processors, utility providers, suppliers of technical and support services, insurers, logistic providers, and cloud service providers; 

(vii) companies that assist in our marketing, advertising and promotional activities, such as the marketing automation platform Braze (who may themselves share your personal information with other third party platforms, such as Facebook, for the purpose of allowing us to provide targeted marketing services to you); 

(viii) analytics and search engine providers that assist us in the improvement and optimisation of our website and mobile application, such as Google Analytics and FullStory; 

(ix) debt collection agencies who provide us with debt collection and recovery services; and 

(x) the merchant(s), for the purposes of processing refunds, account reconciliation and settlement. 

(c) We will always ensure that any third parties with whom we share your personal information are subject to privacy and security obligations consistent with this policy and applicable laws. 

(d) We will also disclose your personal information to third parties: 

(i) where it is in our legitimate interests to do so including, in particular, to run, grow and develop our business: 

(a) if we sell or buy any business or assets, we may disclose your personal information to the prospective seller or buyer of such business or assets; 

(b) if substantially all of our or any of our affiliates’ assets are acquired by a third party, in which case personal information held by us will be one of the transferred assets; 

(ii) if we are under a duty to disclose or share your personal information in order to comply with any legal obligation, any lawful request from government or law enforcement officials and as may be required to meet national security or law enforcement requirements or prevent illegal activity; 

(iii) in order to enforce or apply our terms of use, our terms and conditions for customers or any other agreement or to respond to any claims, to protect our rights or the rights of a third party, to protect the safety of any person or to prevent any illegal activity; or 

(iv) to protect the rights, property, or safety of Openpay, our staff, our customers or other persons. This may include exchanging personal information with other organisations for the purposes of fraud protection and credit risk reduction. 

(e) We may also disclose and use anonymised, aggregated reporting and statistics about users of our website or our services for the purpose of internal reporting or reporting to our group or other third parties, and for our marketing and promotion purposes. None of these anonymised, aggregated reports or statistics will enable our users to be personally identified. 

(f) Save as expressly detailed above, we will never share, sell or rent any of your personal information to any third party without notifying you and, where necessary, obtaining your consent. If you have given your consent for us to use your personal information in a particular way, but later change your mind, you should withdraw consent by contacting us and we will stop doing so. 

5. Credit Providers and Credit Reporting Bodies 


(a) In accordance with section 5(b) of this policy and as permitted by law, we may disclose and exchange credit information and credit eligibility information (including your credit worthiness or credit history) we hold about you with credit reporting bodies (CRBs) and with other credit providers; 

(b) We exchange this credit information and credit eligibility information to: 

(i) assess an application by you for credit and to notify CRBs and other credit providers of a serious credit infringement or default by you;

(ii) if you are a Merchant (or an authorised representative of a Merchant), assess an application by you to become an Openpay Merchant; and 

(iii) allow the relevant CRB to create and/or maintain accurate records in relation to you. 

(c) We may disclose your information to any person reasonably necessary for the purposes of that person taking an assignment of your loan. 

(d) The CRB we use is Equifax Pty Ltd, whose privacy policy and contact details are set out at

Website: https://www.equifax.com.au

Telephone: 13 83 32

(e) You have a right to request a CRB not to use your information for the purposes of pre-screening direct marketing and you can also request a CRB not to use your information if you believe on reasonable grounds that you have been or are likely to be the victim of fraud.

6. Your rights 


(a) You have certain rights in relation to your personal information. If you would like further information in relation to these or would like to exercise any of them, please contact us (see contact details in section 14.1 below) at any time. You have the following rights: 

(i) Right of access. Subject to any exceptions in the Privacy Act 1988 (Cth) (“Privacy Act”), you have a right of access to any personal information (including credit eligibility information) we hold about you.

(ii) Right to update your information. You have a right to request an update or correction to any of your personal information (including credit information and/or credit eligibility information) which we hold.

(iii) Right to opt-out of marketing communications: You have a right to ask us to stop using your personal information for direct marketing purposes. If you exercise this right, we will stop using your personal information for this purpose but may still contact you for transactional or account maintenance purposes.

(b) We will consider all such requests and provide our response within a reasonable period and in accordance with applicable laws. We may request you provide us with information necessary to verify your identity before responding to any request you make. 

(c) for example if giving access would be unlawful or giving access would have an unreasonable impact on the privacy of other individuals.

(d) If we deny you access to the personal information (including credit information and/or credit eligibility information) we hold about you, or refuse to correct your personal information (including credit information and/or credit eligibility information), we will provide you with an explanation when responding to your request.

7. Children


(a) You must be aged 18 or over to purchase services from us. Our website and services are not directed at children and we do not knowingly collect any personal information from children. 

(b) If you are a child and we learn that we have inadvertently obtained personal information from you from our websites, or from any other source, then we will delete or de-identify that information as soon as possible. 

(c) Please contact us if you are aware that we may have inadvertently collected personal information from a child. 

8. Opting-out of marketing communications


(a) We may collect and use your personal information for marketing communications that may be sent in various forms, including by email, SMS, telephone and post in accordance with the Privacy Act and Spam Act 2003 (Cth)

(b) We may send you certain marketing communications (including electronic communications) if we have obtained your consent to do so. 

(c) If you wish to stop receiving marketing communications, you can contact us by email (see section 14.1 below), unsubscribe using the link at the bottom of any marketing emails or via any other contact method specified on our website or in our mobile app. 

9. Where we may transfer your personal information 


(a) Your personal information (including credit information and credit eligibility information) may be used, stored and/or accessed or otherwise disclosed by staff operating outside of Australia working for us, other members of our group or suppliers. These parties may not have an Australian link and may include entities located in the United Kingdom, Philippines, Israel, Ukraine, USA and Ireland. Further details on to whom your personal information may be disclosed are set out in section 5. 

(b) The third parties we use may be located in jurisdictions with privacy regimes which are not comparable to Australia. We will take reasonable steps to ensure that any overseas recipient does not use the personal information for their own purpose and complies with the Privacy Act and this policy.

(c) If we provide any personal information about you to members of our group or suppliers which are located outside of Australia, we will take appropriate measures to ensure that the recipient adequately protects your personal information. 

(d) We work with a number of merchants, each with their own privacy policy. We will not be responsible or held liable for how your information is collected, managed, stored, accessed or disclosed by our merchant partners. Prior to purchasing goods and services from a merchant you should read their privacy policy to ensure that you are familiar with their information handling practices. 

(e) By providing your personal information to us, you consent to us disclosing your personal information to any such overseas recipients for purposes necessary or useful in the course of operating our business.

10. Risks and how we keep your personal information secure 


(a) The main risk of our processing of your personal information is if it is lost, stolen or misused. This could lead to your personal information being in the hands of someone else who may use it fraudulently or make it public.

(b) For this reason, Openpay is committed to protecting your personal information from loss, unauthorised access and disclosure, theft, alteration and misuse. We take all reasonable precautions to safeguard the confidentiality and security of your personal information, including through use of appropriate contractual, legal, organisational, physical and technical measures such as maintaining a PCI DSS Level 1 compliant environment. 

(c) In the course of provision of your personal information to us, your personal information may be transferred over the internet. Although we make every effort to protect the personal information which you provide to us, the transmission of information over the internet is not completely secure. As such, you acknowledge and accept that we cannot guarantee the security of your personal information transmitted to our website and that any such transmission is at your own risk. Once we have received your personal information, we will use strict procedures and security features to prevent unauthorised access and disclosure to it. 

(d) Where we have given you (or where you have chosen) a password which enables you to access your online account, you are responsible for keeping this password confidential. We ask you not to share your password with anyone. 

(e) We hold your personal information (including credit information and credit eligibility information) in a combination of  electronic and hard copy files. Electronic information is stored within secure environments and systems that are protected in controlled facilities. 

(f) In the unlikely event of a data breach affecting your personal information, we will notify you, the Office of the Australian Information Commissioner (“OAIC”) and/or other relevant authorities, as required by applicable law.

11. Links to other websites 


Our website and mobile application may contain hyperlinks to websites that are not operated by us. These hyperlinks are provided for your reference and convenience only and do not imply any endorsement of the activities of such third-party websites or any association with their operators. This privacy policy only applies to the personal information that we collect or which we receive from third party sources, and we cannot be responsible for personal information about you that is collected and stored by third parties. Third party websites have their own terms and conditions and privacy policies, and you should read these carefully before you submit any personal information to these websites. If you have any privacy concerns, we encourage you to contact the providers of such third party websites directly. We do not endorse or otherwise accept any responsibility or liability for the content of such third party websites or third party terms and conditions or policies. 

12. Changes to our Privacy Policy 


We may update our Privacy Policy from time to time. Any changes we make to our Privacy Policy in the future will be posted on our website and, where appropriate, notified to you by post or email. Please check back frequently to ensure that you have the most up to date version of our Privacy Policy. 

13. Further questions and how to make a complaint 


13.1 Contacting us

(a) If you have any queries or complaints about our collection, holding, use, disclosure or storage of your personal information (including a complaint relating to any failure by us to comply with our obligations under the credit reporting provisions of the Privacy Act or under the Credit Reporting Privacy Code), or if you wish to exercise any of your rights in relation to your personal information, use the following contact details:

The Privacy Officer

Openpay Pty Ltd

Email: info@openpay.com.au 

Telephone: 1300 168 359

(b) We will need to verify your identity. We take all complaints seriously and will respond to you within a reasonable period of time to both acknowledge (usually within 7 days of receipt of a complaint) and respond to (where practicable, within 30 days of receiving a complaint) your query or complaint.

13.2 Office of the Australian Information Commissioner

If you are not satisfied with our handling of your complaint, you may contact OAIC using the following contact details: 

Post: Office of the Australian Information Commissioner  

GPO Box 5218

Sydney NSW 2001 

Telephone: 1300 363 992 

Email: enquiries@oaic.gov.au

Website: www.oaic.gov.au  

14. Meaning of words 


All terms defined in the Privacy Act have the same meaning when used in this policy. 

The practices described in this policy are current as of 11th August 2021.