Section A: Introduction
The information in this document details how we, Flash Partners Pty Ltd ACN 607 885 941 an Australian incorporated company trading as Flash Payments Partners (“Flash Partners”), comply with the requirements of the Privacy Act 1988 (Cth), the Australian Privacy Principles and the European Union General Data Protection Regulation (“GDPR”) in protecting the personal information we hold about you.
Personal information is any information or opinion about you that is capable, or reasonably capable, of identifying you, whether the information or opinion is true or not and is recorded in material form or not.
Sensitive information includes such things as your racial or ethnic origin, political opinions or membership of political associations, religious or philosophical beliefs, membership of a professional or trade association or trade union, sexual orientation or criminal record, that is also personal information. Your health, genetic and biometric information and biometric templates are also sensitive information.
We will act to protect your personal and sensitive information in accordance with the Australian Privacy Principles,the Privacy Act 1988 and the GDPR (where applicable).
By voluntarily supplying us with your personal information, you are agreeing to be bound by this Policy.
Any amendments to this Policy will be notified to you by posting an updated version on our website.
Please note that our website contains links to other websites.When a user has clicked on a link to another site, they leave our site and are no longer protected by this Policy.
Section B: Collection Of Personal Information
1. Why we collect, hold and disclose your information
We collect, hold and disclose your personal information to allow us to perform the following functions or activities:
providing customers with the products and services they request, for example approving and activating your participation as a user of our services or to facilitate a transaction;
complying with our legal obligations;
monitoring and evaluating products and services;
to identify and control or minimise risks to our products and services;
to enable us to monitor suspicious or fraudulent activity in relation to our products and services;
to enforce compliance with our terms and conditions;
to provide information to representatives and advisors, including lawyers and accountants, to help us comply with legal, accounting, or security requirements;
where we believe it is necessary to protect our legal rights, interests and the interests of others, including in connection with legal claims, compliance, regulatory and audit functions, prevention of fraud, ensuring data security;
sending you marketing and promotional messages and other information that may be of interest to you in relation to products and services offered by us and external product and service providers for whom we act as agent (If you have provided us with your email or mobile phone details, we may provide information to you electronically with respect to those products and services);
gathering and aggregating information for statistical, prudential, actuarial and research purpose;
assisting customers with queries;
with your consent;
taking measures to detect and prevent frauds; and
for any purpose related to the above.
If you are an individual in the European Union (EU), we collect and process information about you only where we have a legal basis for doing so under the GDPR.The legal basis for processing your personal information will depend on the products or services you use and your relationship with us(for example, whether you are our customer or you are a beneficial owner or controlling person of a customer). We will only collect and use your personal information where one of the following legal bases apply:
it is required to provide you with the relevant products or services in accordance with our agreement with you;
it is necessary for the purposes of our legitimate interests (which is not overridden by your data protection interests), including in connection with legal claims, compliance, regulatory and audit functions, prevention of fraud and ensuring data and system security;
you have given us consent to do so for a specific purpose; or
it is necessary for us to comply with our legal obligations.
2. Information we may collect
The personal and sensitive information we collect generally consists of name, address, date of birth, gender, social media accounts, occupation, account details, contact details (including telephone, and e-mail), location information, IP address information and financial information.
We are required by law to identify you if you are opening a new account or adding a new signatory to an existing account. Anti-money laundering laws require us to sight and record details of certain documents (i.e. photographic and non-photographic documents) in order to meet the standards set under those laws.
We may take steps to verify the information we collect; for example, a birth certificate provided as identification may be verified with records held by the Registry of Births, Deaths and Marriages to protect against impersonation.
Generally, the personal information that we may request from you is required to enable us to enter into a contractual agreement with you, is a requirement under the terms of the contractual agreement with you or is required by us to comply with its obligations under applicable laws, such as the Anti-Money Laundering and Terrorism-Financing Act 2006 (Cth). You are not obliged to provide the personal information we request, however if you do not provide the personal or credit information requested by us, we may not be able to provide you (or the customer with which you are associated) with the requested products or services.
3. How we collect the information
We generally will only collect personal information about you directly from you (rather than someone else) unless it is unreasonable or impracticable to do so or you have instructed us to liaise with someone else.
We may collect personal information when you:
use our website or your account with us;
communicate with us through phone calls, correspondence, email or when you share information with us from other social applications, services or websites; or
fill out a form with us(including electronically).
4. Information collected from someone else
If it is impracticable or unreasonable for us to collect the personal information directly from you, we may collect such information from publicly available sources, agents, or from your family members or friends. If you are not aware that we have collected the personal information, we will notify you of collection and the circumstances of collection, if we consider it is reasonable to do so.
We may collect information about you, including where you are not a customer of Flash Payments, but are associated to a customer, from that customer, through fraud/transaction monitoring systems implemented by us or from publicly available sources such as registers maintained by the Australian Securities and Investments Commission and ABN Lookup or made available by third parties.
The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) require us to collect certain identification information about you. We will collect personal information from third parties in respect of AML/CTF checks which are required to be carried out, under AML/CTF Legislation.
5. Incomplete or inaccurate information
We may not be able to provide you with the products or services you are seeking if you provide incomplete or inaccurate information.
6. Sensitive information
In addition to the above conditions of collecting personal information, we will only collect sensitive information about you if we obtain your prior consent to the collection of the information or if the collection is required or authorised by law.
7. Dealing with unsolicited personal information
If we receive personal information that is not solicited by us, we will only retain it, if we determine that it is reasonably necessary for one or more of our functions or activities. If these conditions are not met, we will destroy or de-identify the information.
If such unsolicited information is sensitive information we will obtain your consent to retain it regardless of what the circumstances are.
Section C: Integrity Of Your Personal Information
1. Quality of personal information
We will use our best endeavours to ensure that the personal information we collect and use or disclose is accurate, up to date, complete and relevant.
Please contact us if any of the details you have provided to us change or if you believe that the information we have about you is not accurate or up to date.
2. Security of personal information
We are committed to ensure that we protect any personal information we hold from misuse, interference, loss, unauthorised access, modification and disclosure.
For this purpose we have a range of practices and policies in place to provide a robust security environment. We ensure the on-going adequacy of these measures by regularly reviewing them.
Our security measures include, but are not limited to:
educating our staff as to their obligations with regard to your personal information;
requiring our staff to use passwords when accessing our systems;
encrypting data sent from your computer to our systems during Internet transactions and customer access codes transmitted across networks;
employing firewalls, intrusion detection systems and virus scanning tools to protect against unauthorised persons and viruses from entering our systems;
using dedicated secure networks or encryption if we transmit electronic data for purposes of outsourcing;
providing secure storage for physical records.
Section D: Use Or Disclosure Of Personal Information
1. Use or Disclosure
If we hold personal information about you that was collected for a particular purpose (“the primary purpose”), we will not use or disclose the information for another purpose (“the secondary purpose”) unless:
we have obtained your consent to use or disclose the information for the secondary purpose; or
you would reasonably expect us to use or disclose the information for the secondary purpose and the secondary purpose is:
if the information is sensitive – directly related to the primary purpose; or
if the information is not sensitive – related to the primary purpose;
the use or disclosure ofthe information is otherwise permitted under the Privacy Act or GDPR.
We may share non-personally identifiable information about you, including URL and URL-specific statistics and other similar information collected by us with advertisers, business partners, sponsors and other third parties.
If you are an individual in the EU and you have consented to our use of your personal information for a specific purpose, you have the right to withdraw your consent at any time, but this will not affect any processing that has already taken place.
2. Who we may communicate with
Depending on the product or service you have, the entities we may exchange your information with include but are not limited to:
third party suppliers and service providers in connection with providing our products and services to you, such as cloud service providers;
any person acting on your behalf, including your solicitor, settlement agent, accountant, executor, administrator, trustee, guardian or attorney;
our representatives and advisors, including lawyers and accountants;
if required or authorised to do so, regulatory bodies and government agencies; and
other organisations who in conjunction with us provide products and services (so that they may provide their products and services to you).
In all circumstances where personal information may become known to our contractors, agents and outsourced service providers, there are confidentiality arrangements in place. We take our obligations to protect customer information very seriously we make every effort to deal only with parties who share and demonstrate the same attitude.
We may disclose personal information outside of Australia to cloud storage providers and payment service providers located in India, South Korea, Singapore, Japan, United Kingdom, Europe and the United States of America.
Some of these third parties may not have equivalent privacy and data protection laws to the country in which you reside and may not, in the case of individuals located in the EU, be subject to an adequacy decision of the European Commission that the third country ensures an adequate level of protection. We will use our best endeavours to ensure that personal information will receive protection similar to that which it would have if the information were in Australia by implementing standard data protection obligations in its contractual agreements with these overseas service providers. For more information, please contact the Privacy Officer.
4. Disclosure required by law
We may be required to disclose customer information by law e.g. under Court Orders or Statutory Notices pursuant to taxation or social security laws or under laws relating to sanctions, anti-money laundering or counter terrorism financing.
Section E: Direct Marketing
1. Direct marketing
We may use or disclose the personal information we hold about you for the purpose of direct marketing in relation to our products and services that may interest you.
Section F: Adoption, Use Or Disclosure Of Government Identifiers
1. Adoption of government related identifiers
We will not adopt a government related identifier of an individual as our own identifier unless required or authorised to do so by or under an Australian law, regulation or court/tribunal order.
Section G: Access To, And Correction Of, Personal Information
You can request us to provide you with access to the personal information we hold about you. You can also request confirmation from us as to whether we are processing your personal information.
Requests for access to limited amounts of personal information, such as checking to see what address or telephone number we have recorded, can generally be handled over the telephone.
If you would like to request access to more substantial amounts of personal information such as details of what is recorded in your account file, we will require you to complete and sign a “Request for Access to Personal Information” form. You can obtain a “Request for Access to Personal Information” form by contacting us using the contact details set out in Section I of this Policy.
Following receipt of your request, we will provide you with an estimate of the access charge and confirm that you want to proceed.
We will not charge you for making the request for access.
We will respond to your request as soon as possible and in the manner requested by you. We will endeavour to comply with your request within 14 days of its receipt but, if that deadline cannot be met owing to exceptional circumstances, your request will be dealt with within 30 days. It will help us provide access if you can tell us what you are looking for.
Your identity will be confirmed before access is provided.
In particular circumstances we are permitted by law to deny your request for access, or limit the access we provide. We will let you know why your request is denied or limited if this is the case. For example, we may give an explanation of a commercially sensitive decision rather than direct access to evaluative information connected with it.
3. Refusal to give access and other means of access
If we refuse to give access to the personal information or to give access in the manner requested by you, we will give you a written notice setting out the reasons for the refusal, the mechanisms available to complain and any other relevant matter.
Additionally, we will endeavour to give access in a way that meets both yours and our needs.
4. Data retention
The period of time for which your information will be retained by us will depend on the types of information we hold about you. Generally, your information will be retained for the period during which you have an ongoing relationship with us and for a period of 7 years after this relationship ceases, or such other period of time as required under specific legislation relating to the type of information held (for example under the Anti-Money Laundering and Terrorism-Financing Act 2006 (Cth)).
5. Additional rights for individuals located in the EU
If you are an individual in the EU, you have the following additional rights:
Erasure of your personal information: You may request erasure of your personal information in certain circumstances. For example, if you believe your personal information is no longer necessary for the purpose which we collected it or if you have withdrawn your consent for us to process your personal information.
Restriction or objection to processing personal information: You may request us to restrict or stop the processing of your personal data in certain circumstances. For example, if you believe the personal information we hold is not accurate, if you believe that the data has been unlawfully processed or if we are using your personal information for direct marketing activities.
Data portability: You may request us to provide you with a copy of your personal information in a format that you can easily move or provide to another service provider.Your right to data portability applies to some, but not all, of your personal information.
Requests should be made by in writing and addressed to the Privacy Officer at email@example.com. We may refuse your request, for example if we still have a legitimate business interest in keeping and continuing to process that personal information, if processing of your personal information is necessary to comply with a legal obligation, or if the request is manifestly unfounded or excessive (as applicable). If we deny your request, it will provide its reasons in writing.
Section H: Correction Of Personal Information
We will correct all personal information that we believe to be inaccurate, out of date, incomplete, irrelevant or misleading given the purpose for which that information is held or if you request us to correct the information. You can request us to correct your personal information by contacting us using the contact details set out in Section I of this Policy.
If we correct your personal information that we previously disclosed to another APP entity you can request us to notify the other APP entity of the correction. Following such a request, we will give that notification unless it is impracticable or unlawful to do so.
2. Refusal to correct information
If we refuse to correct the personal information as requested by you, we will give you a written notice setting out the reasons for the refusal, the mechanisms available to complain and any other relevant matter.
3. Request to associate a statement
If we refuse to correct the personal information as requested by you, you can request us to associate with the information a statement that the information is inaccurate, out of date, incomplete, irrelevant or misleading. We will then associate the statement in such a way that will make the statement apparent to users of the information.
Section I: Contact Us And Complaints
If you have any questions or would like further information about our privacy and information handling practices, please contact our Privacy Officer using the following details:
Email us on: firstname.lastname@example.org
Call us on: 1300 352 749
If you are an individual located in the EU, you may email our EU representative using the following details: email@example.com
2. Making a privacy complaint
We offer a free internal complaint resolution scheme to all of our customers. Should you have a privacy complaint, please contact us to discuss your concerns.
To assist us in helping you, we ask you to follow a simple three-step process:
Gather all supporting documents relating to the complaint.
Contact us and we will review your situation and if possible resolve your complaint immediately.
If the matter is not resolved to your satisfaction, please contact our Complaints Officer on firstname.lastname@example.org or 1300 352 749. We will acknowledge your complaint and respond to you regarding your complaint within a reasonable period of time. If you think that we have failed to resolve the complaint satisfactorily, we will provide you with information about the further steps you can take.
If you are not satisfied with how we have dealt with your complaint you can contact the Office of the Australian Information Commissioner using any of the following details:
GPO Box 5218
Sydney NSW 2001
Phone: 1300 363 992
If you are an individual in the EU, you may lodge a complaint with your local data protection supervisory authority within the European Union if your complaint has not been adequately dealt with by us.
Last revised: June 2023