Debit Success Privacy Statement
What is “personal information”?
Personal information is information or an opinion, whether or not true, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. It may include contact details, date of birth, bank account or credit card details, or other personal details unlikely to be known to other people.
What information do we collect and hold?
We will only collect personal information from you if it is reasonably necessary in order for us to provide services to you. We will only collect personal information for the purposes for which we advised you we were collecting it or a related purpose which would reasonably be expected, or another purpose that we obtain your permission for.
Personal information we may collect and hold includes without limitation:
- Details and content you provide us
When you register to use our services we may collect personal information necessary to offer and fulfil the services you request. This includes your name, postal address, telephone number, email address and any other details. If you are a merchant or individual signing up to accept payments for an account, we may collect the necessary verification information and your bank account and financial details to be able to accept payments.
When you use our services, for example to make direct debit payments to merchants or to receive payments from payers, we collect information about the transaction as well as information associated with the transaction including your name, address, telephone number, email address, credit card, bank account information, merchant information, including information about the funding and amounts used to complete the transaction.
When you make a payment using our services we also collect the information you provide us about the other participants associated in the transaction. This includes for example the personal information of transacting parties and payment amounts. If you are unable to make a payment on time we may contact you and assist you in making payments. If we request you to participate in any further optional services we may collect this additional information from you. We may also collect information that is necessary for a service to be provided, or when you fill in a form on our website or participate in an online survey we conduct. We may also collect information about you when you ask to be included in an email mailing list.
We may also act on behalf of our clients in our customer support services and debt collection services. Where we do this you will continue to provide your personal information directly to us. We may collect your name and any other necessary information in providing these services to our clients.
We may collect personal information directly from you as a customer of our client.
- Information we collect from others
We may collect information from third parties, such as from merchants and data providers including transaction details, outstanding payments and customer records.
Our clients may use our services in their workplace or business. This means we may collect personal information that the client may send to us either manually or automatically through our services.
- Information we collect from use of our online services
We may collect a variety of information from your interaction with the website and our online services including your IP Address; the date, time and duration of your visit; the number of pages you have downloaded; and the type of browser you use.
How do we collect personal information?
We will generally collect your personal information from you directly. For example, we may collect personal information directly as follows:
- when you fill in a form when applying for or using our services;
- when you access or use our services; and
- when you interact with us.
We may also be required to collect personal information (including credit information) about you from a third party. These parties may include merchants, credit providers or our clients, your representatives, brokers or other publicly available sources. We also collect your information from our analytics providers. We may also collect your information from our clients.
Why do we collect personal information?
Collection of personal information is essential for the provision of our products and services to our clients and provision of products and services provided on behalf of our client(s) to you. Without personal information, we would not be able to provide these products and services.
Personal information is only used for the purposes for which it was collected. This may include to:
- administer our relationship with you (including collecting your payments, following up on any missed payments, refunding payments, dealing with any ad hoc enquiries you may have, and otherwise dealing with other matters relevant to the provision of our products and services to you);
- perform our internal administration and operations (including, without limitation, distributing payments to our clients, accounting, reporting, risk management, record-keeping, archiving, systems development and testing and staff training);
- provide customer service (including via the use of a third party);
- collect outstanding debts (including via the use of a third party); and
- comply with our legal obligations.
Personal information may also be used for:
- monitoring, evaluating, developing and identifying products and services;
- informing you of our products and services (unless you have expressly asked us not to);
- gathering and aggregating information for statistical and research purposes;
- maintaining your account and your details;
- communicating with you;
- providing you with access to restricted areas of the website;
- taking measures to detect fraud and credit loss.
We will not use or disclose your personal information for a secondary purpose unless you consent to us doing so, or under the circumstances involved we believe you would reasonably expect us to use or disclose the information for that secondary purpose and that secondary purpose is related to the primary purpose.
In the event that we hold sensitive information about you, we will only disclose or use that information with your consent or if the use or disclosure is directly related to the primary purpose for which it was collected or to services that you have requested that we provide you or services being provided to our client.
For statistical purposes, we may collect information on website activity through the use of ‘cookies’. A cookie contains information that makes it easier for our server to interact with your computer. Cookies do not identify individual users, although they do identify a user’s browser type and your Internet Service Provider (ISP).
You can configure your browser to accept all cookies, reject all cookies or notify you when a cookie is sent. Please refer to your browser instructions or help screens to learn more about these functions.
Our websites may contain links to other third party websites. While these links are provided for your convenience, you should be aware that the information handling practices of the linked websites might not be the same as ours.
Anonymity and Pseudonymity
We will generally need to know who you are in order to provide you with our products and services.
Where it is reasonable and practicable we may allow you to transact with us anonymously or by using a pseudonym, such as where you make a general enquiry.
However, this is not possible if we are required or authorised by law or other instrument to deal with customers who have been appropriately identified, or where it is impracticable for us to deal with individuals who have not identified themselves or who would prefer to use a pseudonym.
Disclosure of personal information
- service providers, whom we use to provide you with services that we offer including those that verify your identity, assist in processing transactions, information technology service providers, mailing houses and market research organisations, and organisations that provide us with professional advice such as lawyers, accountants and business advisers, and business partners;
- third parties where we reasonably believe there has been an infringement of your rights or those of a third party and disclosure of your information may remedy or assist in the remedy of the infringement;
- other parties to transactions when you use our services, such as other users, merchants and their service providers. We may share information with the other participants in your transactions to facilitate the transaction and to help resolve disputes and detect and prevent fraud. If you make payments through our services to a merchant, we will provide details of transactions, payment details and call note history as well as reporting to the merchant;
- the client in respect of whose product or service the information was collected and other organisations that are contracted to our client to provide services in relation to the information collected; and
- third parties where we believe in good faith we are required to do so by law, or an exception applies under the Privacy Act or with your consent.
Notwithstanding the above, we may disclose aggregate information and other information that does not personally identify you to such third parties as we may see fit.
Integrity and retention of personal information
Where that information is no longer required, it will be destroyed, deleted or disposed of in a secure manner.
Please contact us if at any time you believe that your personal information held by us is inaccurate, incomplete or not up-to-date.
How we hold your personal information
We will take all reasonable steps to ensure that the information we collect is stored in a secure environment and protected from misuse, interference, loss, unauthorised access, modification or disclosure. We hold information both electronically and in some instances in hard copy form with various service providers that assist us with information storage.
We have a range of policies and practices in place aimed at providing a secure environment. These measures are reviewed regularly to ensure their on-going viability. Security measures that we have implemented include, but are not limited to:
- educating our staff as to their obligations with regard to your personal information;
- requiring our staff to use personalised passwords when accessing our systems;
- providing secure storage for all physical records;
- ensuring that the facilities and records containing personal information are protected on-site by enhanced security measures including restricted access rooms, alarms and cameras;
- employing firewalls, intrusion detection systems and virus scanning tools to protect against unauthorised access to our systems; and
- practicing a clean desk policy.
Where information is no longer needed for any purpose, we ensure that it is effectively and securely destroyed or de-identified.
We are one of the few billing companies that holds the highest level of Payment Card Industry Data Security Standards (PCI DSS) compliance certification. This means that we are Level 1 PCI DSS compliant and independently certified. PCI DSS is a comprehensive data security standard intended to help organisations proactively protect customer account data.
From time to time we may also use your personal information to let you know about other products and services from us that you might be interested in, but we will not if you tell us not to. If you do not want to receive direct marketing messages or want to change your contact preferences please contact our Privacy Officer. Please note we may also send you text messages or emails that are in connection with our services, for example we send out text messages when your payment is reversed or declined. You are not able to unsubscribe from these messages.
We will only use any personal information we hold on you for the purpose of direct marketing if:
- we collected the information involved; and
- we believe you would reasonably expect us to use or disclose the information for direct marketing; and
- we provide an option for you to request that we do not use the information for direct marketing – and you have not utilised this offer.
Accessing your personal information
You have the right to request access to, and to obtain a copy of, your personal information held by us, and we are required to respond to your request within a reasonable period of time. Your request must be accompanied by the information we require in order to verify your identity.
In most cases, we will provide you with the access to your personal information that you have requested, though there are limited circumstances permitted by the Privacy Act 1988 (Cth) where we may refuse. If we do not give you the access you have requested, or only give you restricted access, we will let you know why.
We may also charge a fee for providing you with access to your personal information. This fee must not be excessive and must not relate to the making of the request.
Correction of personal information
If you require access in order to correct your personal information, you will need to establish why the correction is necessary. We will then take reasonable steps to correct your information within a reasonable period of time, so that it is accurate, up-to-date, complete, relevant and not misleading. We may also correct your personal information if we determine that it is inaccurate, out of date, incomplete, irrelevant or misleading.
In certain circumstances we may refuse to update or correct the information held. If we do, we will provide you with a reason why.
If we can’t collect your personal information
If you do not provide us with the personal information we have requested, we may not be able to provide you with our services.
Notifiable Data Breach
In the event that there is a data breach and we are required to comply with the notification of eligible data breaches provisions in Part IIIC of the Privacy Act 1988 (Cth) or any other subsequent sections or legislation which supersede this Part IIIC, we will take all reasonable steps to contain the suspected or known breach where possible and follow the process set out in this clause.
We will take immediate steps to limit any further access or distribution where possible. If we have reasonable grounds to suspect that the data breach is likely to result in serious harm to any individuals involved, then we will take all reasonable steps to ensure an assessment is completed within 30 days of the breach or sooner if possible. We will follow the guide published by the Office of the Australian Information Commissioner (if any) in making this assessment.
If we reasonably determine that the data breach is not likely to result in serious harm to any individuals involved or any remedial action we take is successful in making serious harm no longer likely, then no notification or statement will be made.
Where, following an assessment and undertaking remedial action (if any), we still have reasonable grounds to believe serious harm is likely, as soon as practicable, we will provide a statement to each of the individuals whose data was breached or who are at risk. The statement will contain details of the breach and recommendations of the steps each individual should take. We will also provide a copy of the statement to the Office of the Australian Information Commissioner.
We will then review the incident and take action to prevent future breaches.
Debit Success was established in New Zealand in 1994, and has offices in both Australia and New Zealand. The core functionality for the provision of our products and services is located in, and operates out of, our office in Auckland, New Zealand.
We are permitted by the Privacy Act 1988 (Privacy Act) to disclose personal information that we have collected in Australia to our operational team in Auckland, and this is necessary in order for us to provide our products and services to you.
While our New Zealand operations are not bound by Australian privacy law, they are bound by local privacy law which imposes similar obligations as the Privacy Act 1988 (Cth) and your personal information will in all circumstances be treated as confidential.
Disclosures required by law
We may be required to disclose your personal information by law (for example, by Court Order or Statutory Notice) and you authorise such disclosure. In all circumstances, we will comply with our legal obligations.
Our services are not directed to children under the age of 13. We do not knowingly collect information, including personal information, from children or other individuals who are not legally able to use our Services. If we obtain actual knowledge that we have collected personal information from a child under the age of 13, we will promptly delete it, unless we are legally obligated to retain such data. Contact us if you believe that we have mistakenly or unintentionally collected information from a child under the age of 13.
We are committed to abiding by the terms set out in this document. However, if something does go wrong and you have a privacy related complaint, please let us know as it gives us the opportunity to address the problem. Our representative will be in touch with you regarding your complaint within a reasonable time. If the issue is more complicated we may require additional documentation from you to help resolve the issue. In turn, we will keep you updated on the progress of your complaint.
If you are still unhappy, you can contact the Financial Ombudsman Service or the Office of the Australian Information Commissioner:
Financial Ombudsman Service
GPO Box 3
Melbourne VIC 3000
Phone: 1300 78 08 08
Office of the Australian Information Commissioner
Office Address: Level 3, 175 Pitt Street, Sydney NSW 2000
Postal Address: GPO Box 5218, Sydney NSW 2001
Phone: 1300 363 992