Afterpay Merchant Privacy Policy
We appreciate that you trust us with your personal information. Here we provide an overview of what personal information we collect from you and why, how we handle it, and your rights and choices.
This Privacy Policy describes how Afterpay and affiliates (“Afterpay,” “we,” “us”, and "our") collect, use, disclose, transfer, store, retain or otherwise process your personal information ("your", “you”, and "Merchant") when you visit our website, apply for and use our Merchant product and related services, or otherwise interact and engage with us in relation to our Merchant products, features, and services, including as outlined in our Terms of Service ("agreement") (collectively, "Services"). The Afterpay entity you are interacting with will be based on your country of residence. A list of Afterpay entities can be found in 11. How to Contact Us below.
Partners, merchants, online market places, and suppliers that Afterpay interacts with are independent of Afterpay and responsible for their own privacy policies and practices. This includes, content on their websites or app, and products or services provided. Please refer to their Privacy Policy or reach out directly to these third parties for further information.
Our Privacy Policy explains:
1. PERSONAL INFORMATION WE COLLECT ABOUT YOU AND WHY
Personal information reasonably identifies you and is about you, directly or indirectly, as described in applicable privacy laws in places we operate in.
We collect and process personal information about you in three ways:
(i) when you provide it to us directly;
(ii) when we gather personal information while you are using any of our Services, including through cookies and similar technologies (see 4. How We Use Cookies and Similar Technologies below); and
(iii) when we collect personal information from other third party sources.
We explain in the table below what types of personal information we collect and process, how and why we do so, and the lawful bases that apply in particular as prescribed under the General Data Protection Regulation and UK General Data Protection Regulation. We will collect and process your personal information with your knowledge and consent, including as set out in this Policy, except where otherwise required or permitted by law. We may collect or process personal information in other ways than as described below. We will let you know at that time, unless otherwise inappropriate or unlawful to do so.
If you fail or refuse to provide us with personal information we request from you directly, or we do not obtain your consent where we rely upon it, including to gather personal information while you are using our Services or from third party sources, we may not be able to proceed with entering into or fulfilling some of our Services. Consequently, we will not be able to provide or continue to provide those Services to you. This includes, but without limitation, setting up your Afterpay account, or responding to a support request or complaint.
| Purpose of processing | Categories of personal information we collect and how | Why we collect and process personal information, and lawful bases where applicable |
|---|---|---|
|
To reach out and understand whether you may be interested in applying to be a Merchant with us, including when you have completed our online business sign up and inquiry pages, or when we have received your personal information from other sources. |
From you -
From other sources -
|
|
| To create (and assess whether to create) an Afterpay account, including to carry out our identity and account verification process and to enable you to authenticate into your account once created. |
From you -
From other sources -
|
|
| To provide our Afterpay account Services, including setting up your business’s Service account to interact with you and deliver our Services, such as sending you communications as necessary about our Services, invoices, and agreement updates |
From you -
|
|
|
To send you direct marketing and other promotional communications, before or after you apply to become a Merchant, including to offer new partnerships and promotion opportunities.
Where permitted, we may opt you in to marketing communications, but you can opt out at any time by clicking the unsubscribe link at the bottom of these messages. Refer also to 6. Your Rights and Choices below. |
From you -
|
|
| To provide you support, including to resolve disputes, collect fees, and troubleshoot problems |
From you -
From other sources -
|
|
| To detect, investigate and prevent suspected or actual fraud, money laundering, or other crimes or illegal activities on an ongoing basis , including credit card rules, and to protect Afterpay’s legal rights and claims |
From your use of our Services -
From other sources -
|
|
|
To learn more about your level of satisfaction, your expectations of us and our Partners, and how we can meet them, so that we can customise, measure, and improve our Services including its content, layout and operations. We may send you survey requests to do so. We may use this information to produce statistics and reports about our Services and operations. We will typically use this information to create aggregated or anonymised information and only use personal information where necessary. |
From you -
From your use of our Services -
|
|
|
To make our app or site work as you’d expect it to, such as to prevent and respond to suspected or actual malicious software or activity, for secure identity verification and login, fraud prevention, and remembering your cookies choices. This includes personal information collected and processed by the use of cookies and similar technologies. Refer to 4. How We Use Cookies and Similar Technologies below |
From your use of our Services -
|
|
| To provide by the use of cookies and similar technologies on our website and app better functionality, to assess our performance, for advertising by us and our digital partners, and to provide a personalized experience. Refer also to 4. How We Use Cookies and Similar Technologies below |
From your use of our Services -
|
|
| For other purposes you have specifically consented to |
From you, from the use of our Services, or other sources. For instance, if we collect and process personal information categorized as “sensitive” or “special” under applicable laws, such as your health information, to deliver our Services, we will only collect this information where it is reasonably necessary and we have your consent, or where required by and consistent with applicable laws.
|
|
| As required or permitted by applicable laws and regulations , including to satisfy our bookkeeping, taxation, auditing, and accounting requirements, and to carry out business, operational, and legal functions. |
Unspecified information from you, from the use of our Services, or other sources. |
|
2. WHEN AND WITH WHOM WE SHARE YOUR PERSONAL INFORMATION
We may share personal information described in 1. Personal information we collect and why section with the following categories of service providers and other third parties.
| Categories of third parties | When and why we may share your personal information |
|---|---|
|
Affiliates within our group of companies Such as, Cash App, Square, or other wholly-owned subsidiaries of Block Inc. |
We may share your personal information for the following purposes for our legitimate interests or as otherwise required or consistent with applicable law.
|
| Service Providers and sub-contractors |
We share your personal information with the following Service Providers based on our legitimate interests to provide, maintain and improve our Services.
|
| Your customers |
We share your personal information with customers that you engage and transact with using our Services for the following purposes to fulfill our agreement with you
|
| Online trackers |
We may share your personal information for the following purposes with your consent, for our legitimate interests, or as otherwise consistent with applicable law
|
| Companies that we plan to merge with or be acquired by or who may invest in us |
We share your personal information for the following purposes for our legitimate interests.
|
| Law enforcement agencies, government agencies, officials, or other authorities or third parties pursuant to a subpoena, court order, or other legal process, requirement, or legitimate interest |
We share personal information for the following purposes for our legitimate interests, to protect our business and enforce our agreement with you, or where required or authorized by law.
|
| With your consent |
|
| Other third parties where required by law, or our legitimate interests as permitted by law |
|
3. HOW WE SECURE YOUR PERSONAL INFORMATION
We take appropriate measures, including administrative, technical, and physical safeguards, to protect your personal information from loss, theft, and misuse, and unauthorized access, disclosure, alteration, and destruction. The internet is not a 100% secure environment, so we cannot guarantee absolute security of the transmission or storage of your information. We are an ISO 27001 compliant company, and require our third parties to meet appropriate privacy and security standards when handling data on our behalf. Your personal information will be accessible by our employees, contractors and service providers who require access for the purposes described in this Privacy Policy.
For more information about our security practices, please visit https://www.afterpay.com/en-AU/security or refer to 10. How to Contact Us below.
4. HOW WE USE COOKIES AND SIMILAR TECHNOLOGIES
Cookies are small data files stored on your browser or device. They may be sent by the operator of the site or app you are visiting, in this case Afterpay (“first-party cookies”), or by third parties, such as our service providers and digital partners (“third-party cookies”). Other similar technologies may be used, such as tracking pixels or browser local storage (together “cookies”). For example, we partner with third-party analytics providers, like Google, to help us understand how you use our services so that we can improve your experience with us. The analytics providers that administer these services use cookies to help us analyze how you use our online services. We may disclose your site-use information (including IP address) to these analytics providers, and other service providers who use the information to help us figure out how you and others use our online services. To learn more about Google Analytics and how to opt out, please visit https://marketingplatform.google.com/about/ or https://support.google.com/analytics/answer/181881?hl=e.
When you visit our website or app, we use cookies as necessary to make our Services work, to improve our performance and functionality, or to personalize your online experience.
You may see certain interest-based advertising on other websites or online services based on information relating to your access to and use of our Services and other websites. This is because we work with interest based advertisers to promote our Services consistent with applicable law. Third party services use personal information we provide to deliver Afterpay advertisements on third party websites that may be tailored to your individual interests. These interest based advertisers may also use personal information about you that they have independently collected and in accordance with their privacy policy and practices, including through the use of cookies.
Your browser or device may offer settings to control cookies. Selecting “Limit Ad Tracking” (for iOS devices), or “Opt out of Interest-Based Ads” (for Android devices), will allow you to limit our use of information collected from or about your mobile device (such as precise location data) for the purposes of serving interest-based advertising to you. You may also opt-out of receiving ads from us or our partners by using our partners’ settings or by heading to Your Online Choices (EU/UK) or Your Ad Choices (other countries) for more information. As a heads up, blocking or opting-out of some types of cookies may impact your experience and the Services we are able to offer.
Certain web browsers allow you to instruct your browser to respond to Do Not Track ("DNT") signals to websites you visit, informing those sites that you do not want your online activities to be tracked. At this time, our websites are not designed to respond to DNT signals or similar mechanisms from browsers.
If you are based in the EU or UK, head to "Cookies" on our website for further information and to manage cookies on our website or app.
5. HOW LONG WE KEEP YOUR PERSONAL INFORMATION
The retention periods for personal information we collect and process about you are determined on a case-by-case basis that depends on the following factors below.
● The nature of the personal information, and why it is collected and processed, as described in this Privacy Policy. This includes to provide our Services, to comply with legal obligations, to enforce and prevent violations of our agreement with you, and to protect us against fraudulent activity.
● To manage and enforce our agreement with you. Your use of our Services is subject to the agreement between us. So if, for example, you close your Afterpay account, we retain personal information about you for a period of time so as to collect any debt or fees owed, resolve disputes, troubleshoot problems, assist with any investigations or complaints, and to prevent fraud or risk.
● To establish, exercise, or defend our legal claims or rights. For example, we preserve your personal information related to a legal claim or complaint, such as where we are subject to a regulatory investigation, or we need to defend ourselves in legal proceedings involving your personal information, or respond to a government authority or body in relation to a legal or regulatory complaint made by you or someone else.
● As required or otherwise permitted by applicable law. For example, retention periods may be imposed under law or regulation for a prescribed period of time. For instance, to protect our or other’s legitimate interests, such as to prevent fraud.
6. YOUR RIGHTS AND CHOICES
You can see or change personal information you gave us, ask us to close your account, control your device location tracking settings, or tell us to stop direct marketing to you at any time. Head to our Help Centre at any time by clicking "Help" on our website or app for detailed instructions. We also respect other privacy rights and choices you make consistent with applicable law. These rights and choices available to you are based on your country of residence and which Afterpay entity you are dealing with, and are subject to limitations as required or permitted by applicable law.
We may ask you to verify your identity in accordance with our standard procedures, including any authorized agent who would like to act on your behalf, or clarify your request, before taking further action on your privacy right or choice request. We endeavor to respond and address all privacy rights and choices requests within the applicable statutory time frame. We will let you know if we need more time, and why. We may not always be able to fulfill your request if we have a legitimate basis to refuse it. We will tell you why. For example, if you seek to erase your personal data in a way that would mean we are not able to comply with our obligations under law.
If you would like to make a privacy right or choice request, please refer to 11. How To Contact Us below.
Rights and choices that may be available to you, based on your country of residence
| Right to | Description |
|---|---|
| Withdraw your consent |
You have the right to withdraw your consent where we have relied on it to process your personal information. If you withdraw your consent, we may not be able to provide you with certain Services. It will not affect our lawful basis for processing based on consent before your withdrawal. |
| Access |
You have the right to request a copy of your personal information held by us. |
| Further information |
You have the right to enquire further about the personal information we hold about you and our privacy practices, including how we transfer personal information internationally and onward disclosures of personal information |
| Correction |
You have the right to ask us to correct your personal information held by us, including where you believe it is not accurate, complete, up to date, or relevant. |
| Erasure |
You have the right to ask us to erase your personal information, and where personal information is made public, to inform other controllers of your personal information to erase your personal information where you have a lawful erasure right. |
| Restrict Processing |
You have the right to ask us to restrict processing of your personal information. |
| Object to processing |
You have the right to object to us processing your personal information where we process it based on our legitimate interests, including for direct marketing purposes and other profiling activities. You can also opt out of direct marketing at any time as described above. |
| Data Portability |
You have the right to ask us to access or transfer on your behalf personal information we hold about you to a third party in a structured, commonly used and machine-readable format. |
| Make an enquiry or complaint |
You have the right to make an enquiry or complaint, including to lodge a complaint with your local privacy authority. |
| Object to automated decision making |
You have the right to object to solely automated decisions that we may have made about you that produce a legal or similarly significant effect, and ask for more information about the decision and have a person review it, unless we are prohibited or exempt from doing so under law. More information We use systems to make decisions about you through automated means, including behavioral profiling, without our staff being involved. We complete the following decision making by automated means, with legal or similarly significant effects on you, to enter into and perform our Services you request from us, or to comply with laws that apply to us:
These decisions rely on personal information we collect or hold about you from your applications and your interactions and experiences with us, such as transactions attempted to be made or made to your company. We may also use information about you we collect from third party credit reference and fraud prevention agencies. Automated decisions can affect the products, services or features we may offer you. As a result of the above decisions, you may be declined access or have limited access to our Services. We perform regular checks of our automated decision models to ensure they are operating correctly. |
7. RIGHTS OF CALIFORNIA RESIDENTS
If you live in California, the following additional rights apply to you.
| Right to | Description |
|---|---|
| Know |
You may have the right to request, up to twice in a 12-month period, to see the following information about the personal information we have collected about you:
California law also gives you the right to ask if we share your personal information to third parties for their direct marketing purposes (we do not disclose your personal information for unaffiliated third parties’ direct marketing purposes). |
| Erasure |
You have the right to ask us to delete the personal information we have collected from you (subject to exceptions the law provides). Please note that you may no longer be able to use our Services if you delete your personal information. |
| Correction |
You have the right to correct the personal information we have collected about you (subject to exceptions the law provides). |
| Non-Discrimination |
You have the right to not be discriminated against if you exercise these privacy rights. We will not discriminate against you, deny, charge different prices for, or provide a different quality of goods or services if you choose to exercise these rights. |
| Opt-Out |
You have the right to opt-out of the sharing of your personal information for purposes of certain targeted advertising known as cross-context behavioral advertising. If we share your personal information to third parties for such purposes, we will provide you the right to opt out of such sharing (subject to exceptions the law provides).
Although some of the information we collect and process about you may be considered sensitive personal information, we only process such information for purposes authorized by law, such as to provide services you request from us or to verify your information.
|
8. INTERNATIONAL DATA TRANSFERS
Personal information we collect and handle about you may be transferred to or stored in a jurisdiction outside your country of residence and where the Afterpay entity you are dealing with operates. We may do so, for example without limitation, when sharing personal information with our affiliates and service providers to help us provide (or assess to provide) our Services or other third parties that we partner with. Your personal information may be transferred to or stored in Australia, New Zealand, the United States, Canada, United Kingdom, the European Union, China, and Singapore. We may transfer your personal information to other countries, but we will always take steps to ensure your personal information is afforded equivalent levels of protection and rights as are required under your country of residence and where the Afterpay entity you are dealing with operates. For more information please reach out using the details in 10 How to Contact Us below.
We take steps to ensure your personal information is afforded equivalent levels of protection and rights as are required under your country of residence and where the Afterpay entity you are dealing with operates.
Where we transfer your personal information outside the United Kingdom or European Union to countries that are not covered by an adequacy decision of the UK government or European Commission (as applicable), we use appropriate safeguards that include Standard Contractual Clauses approved by the UK's Information Commissioner's Office or European Commission as appropriate, or other applicable measures, including transfers to a third party that has implemented Binding Corporate Rules, or specific situations outlined under Article 49 of the UK GDPR / GDPR. You can access a copy of the Standard Contractual Clauses approved by the UK Information Commissioner's Office here, and the Standard Contractual Clauses approved by the European Commission here. Afterpay entities are bound by an Intercompany Personal Data Transfer Agreement that contains Standard Contractual Clauses.
For further information about our policies and practices with respect to international data transfers, please refer to 10. How To Contact Us below.
9. CHILDREN'S PERSONAL INFORMATION
Our Services are not directed at children under the age of 18. If we learn that any personal information we collect has been provided by a child under the age of 18, we will promptly close the relevant account and delete that personal information as consistent with applicable law.
10. CHANGES TO THIS PRIVACY POLICY
We reserve the right to change this Privacy Policy from time to time, as may be required. We will provide you with reasonable prior notice of any material changes in how we use your personal information, including by email if you have provided one. If you disagree with these changes, you may cancel your Afterpay account at any time. Any amendments will be published by posting a revised version of the Privacy Policy and updating the “Effective Date” and "Posted Date" above. The revised version will be effective on the “Effective Date” listed.
11. HOW TO CONTACT US
If you have any questions or concerns regarding this Privacy Policy, or would like to exercise your rights and choices, you can get in touch with us by contacting your country specific Afterpay entity below. If you are dissatisfied with our response, you have a right to make a complaint to your local privacy authority, with a link to their contact page below.
| Country | Contact Details | Local Authority |
|---|---|---|
| Australia |
GPO Box 2269, Melbourne, VIC 3001, Australia |
Office of the Australian Information Commissioner |
| Canada |
760 Market St., 2nd Floor, San Francisco, California, United States of America 94102 If you would like to speak to the Afterpay Privacy Lead, please address your communication accordingly. |
|
| European Union |
Paseo de la Castellana, 95, 28046 Madrid, Madrid, España If you would like to speak to the EU Data Protection Officer, please address your communication for the attention of the Data Protection Officer. Clearpay S.A.U Limited is the Data Controller for the purposes of the General Data Protection Regulation (GDPR). |
|
| New Zealand |
TMF Group, Level 11, 41 Shortland Street, Auckland 1010 |
|
| United Kingdom |
101 New Cavendish Street, London, W1W 6XH If you would like to speak to the UK Data Protection Officer, please address your communication for the attention of the Data Protection Officer. Clearpay Finance Limited is the Data Controller for the purposes of the General Data Protection Regulation (GDPR) and U.K. GDPR / Data Protection Act 2018. |
|
| United States |
760 Market St. Floor 2 Unit 2.03, San Francisco, CA 94102 |
