You agree to the disclosure of your personal information to entities located outside Australia. You acknowledge that by providing this consent, Australian Privacy Principle (“APP”) 8.1 will not apply to the disclosure (which means that we will not be obliged under the Privacy Act 1988 (Cth) (“Privacy Act”) to take reasonable steps to ensure that an overseas recipient does not breach the APPs and we may not be liable under the Privacy Act if the recipient does not act consistently with the APPs).
You agree that we can disclose your name, residential address and date of birth to a credit reporting body so that the credit reporting body can provide an assessment to us of whether the information provided by you matches (in whole or in part) the information in the credit reporting body’s possession or control (which may include personal information held by the credit reporting body about you or other individuals). This will be done for the purpose of verifying your identity as required under Australia’s anti-money laundering and counter-terrorism laws where applicable. If you would prefer us to use another form of verification, such as your passport or driver’s licence, you must notify us and provide us with any information that we request.
You agree that we can disclose your personal information to organisations approved by the Australian Government to use the Document Verification Service (“DVS”) for the purpose of verifying your identity.
You agree that we can send you marketing materials (see ‘Marketing’ below for further details on how you can choose what marketing materials (if any) we send you).
What personal information do we collect about you?
Personal information means information or an opinion about an individual who is identified or who can be reasonably identified (for example, your name and date of birth).
We may collect, hold, use and disclose different kinds of personal information about you which we have grouped together as follows:
Identity Data includes first name, last name, maiden name, username of similar identifier, marital status, title, date of birth and gender;
Contact Data: includes billing address, delivery address, email address and telephone numbers;
Financial Data: includes bank account and payment card details;
Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
Usage Data includes information about how you use our website, the RailsPay platform and services.
Marketing and Communications Data includes your preferences in receiving marketing from us and third parties acting on our behalf and your communication preferences.
We do not collect or hold any ‘sensitive information’ about you. Sensitive information is a type of personal information that is sensitive in nature (for example, your racial or ethnic origin, your political opinions, religious or philosophical beliefs, membership of a professional or trade association or union, genetic and biometric data, and health information).
How is your personal information collected?
We use different methods to collect personal information from and about you including through:
Direct interactions - you may give us your Identity, Contact and Financial Data by filling in forms on our website or otherwise or by corresponding with us by phone, e-mail or other methods. This includes personal information you provide when you:
- apply to use the RailsPay platform or any of our other services;
- create an account with us using our website or otherwise;
- register to use our website;
- place an order or transact on our website;
- report a problem with our website; and
- give us feedback or contact us.
Third parties or publicly available sources. We will receive personal information about you from various third parties such as Technical Data from analytics providers such as Google and Identity and Contact Data from publicly available sources such as the Australian Securities and Investments Commission.
If you fail to provide personal information
Where we need to collect personal information by law, under the terms of a contract we have with you, or to provide our services to you and you fail to provide that personal information when requested, we may not be able to provide our services or otherwise engage with you.
Personal information about other persons
If you provide us with personal information about any other person, you agree to tell them:
that you are providing this information to us;
the reason you are providing their information; and
Purposes for collecting, holding, using and disclosing your personal information
In the table below, we have set out the purpose for which we collect, hold, use and disclose your personal information.
To whom we disclose your personal information
We may disclose your personal information to the parties set out below for the purposes set out in the previous section:
our related bodies corporate;
Service providers acting as processors who provide IT and system administration services;
professional advisers acting as processor or joint controllers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services;
regulators and other authorities acting as processors or joint controllers who require reporting of processing activities in certain circumstances;
other third parties where you ask us to, including with partners who have integrated with RailsPay through our API or in connection with banking and financial services; and
if we are under a duty to disclose or share your personal information in order to (i) comply with any legal obligation, or (ii) enforce or apply any agreement with you or our suppliers, to protect the rights, property or safety of RailsPay, our customers or others. This includes:
- exchanging personal information with other companies and organisations for the purposes of fraud protection and credit risk reduction; and
- disclosing personal information to the tax authorities, the police and other law enforcement or governmental bodies.
We disclose your personal information to organisations located outside Australia. Generally, when we disclose personal information to overseas recipients those recipients are located in the United Kingdom, the European Economic Area (EEA), Singapore and Malaysia.
In relation to a very small number of our suppliers, your personal information may be transferred to, and stored at, a destination outside Australia as well as processed by staff operating outside Australia who work for them. In these instances the countries your personal information may be disclosed to include: [insert].
Unfortunately, the transmission of your personal information via the Internet can never be 100% secure. Although we will do our best to protect your personal information, we cannot guarantee the security of personal information about you transmitted to us and so any transmission is at your own risk. Once we have received your personal information, we will use strict procedures and security features to try to prevent unauthorised access.
Protecting your personal information
We process your personal information and store it on servers managed by our hosting providers.
Those servers are located across a number of secure data centres in the EEA. Our server environment is highly secure and there is very limited personnel access. Any personal information will be encrypted “at rest” (in other words, on being stored).
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Duration for holding your personal information
We will only hold your personal information for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.
To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
Your legal rights
Under certain circumstances, you have rights under the Privacy Act in relation to your personal information. You have the right to:
Request access to the personal information we hold about you;
Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate personal information we hold about you corrected, though we may need to verify the accuracy of the new information you provide to us. If we do not agree that the personal information we have about you is incorrect, we’ll explain why in writing.
If you wish to exercise any of the rights set out above, please contact our Data Protection Officer via the email address stated below. We will give you access to your personal information in the manner requested by you, if it is reasonable and practicable for us to do so. You will not have to pay a fee to request access to your personal information. However, we may charge a reasonable fee for providing access if your request is clearly unfounded, repetitive, excessive or costly for us to respond to. Alternatively, we could refuse to comply with your request in these circumstances. We may need to request specific personal information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further personal information in relation to your request to speed up our response. We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
We strive to provide you with choices regarding certain personal information uses, particularly around marketing and advertising. You have the right at any time to stop us from contacting you for marketing purposes. If you wish to exercise these rights you can do so by selecting your contact preferences at the point where you provide us with your information on our website or by contacting us. You can also unsubscribe from any email marketing using the links provided in the emails we send to you.
Email address: email@example.com
If you have a compliant about our handling of your personal information or a breach of the Privacy Act you can make a compliant to us at any time.
To make a complaint, please contact us at firstname.lastname@example.org. We’ll deal with your complaint promptly and fairly and will respond to your complaint within a reasonable time (usually 30 days).
If you are not satisfied with how we have dealt with your complaint, you can raise the complaint with:
Australian Financial Complaints Authority (AFCA)
Phone: 1800 931 678
Mail: GPO Box 3, Melbourne VIC 3001
If you are not a small business or consumer AFCA may not consider your complaint and you should complain directly to the OAIC
Office of the Australian Information Commissioner (OAIC)
Phone: 1300 363 992
Mail: GPO Box 5218, Sydney NSW 2001
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.