When your business applies to be a Merchant with us, we appreciate that you (the Merchant’s beneficial owners, directors, and other employees, contractors or trustees) trust us with your personal data that we collect and handle.
Here we provide an overview of what personal data we collect from you and why, our handling practices, and your rights and choices.
This Policy applies to Afterpay Australia Pty Ltd ACN 169 342 947, Afterpay NZ Limited (Company number: 6340314), Afterpay US , Inc., Afterpay US Services, LLC, Afterpay Canada Limited, Clearpay Finance Limited (company number 05198026), and their affiliates and related companies (together, ‘we’, ‘us’ or ‘our’). Clearpay Finance Limited acts as a Data Controller in accordance with the General Data Protection Regulation (GDPR) and U.K. GDPR / 2018 Data Protection Act 2018. The entity you are interacting with in your jurisdiction of residence as indicated above is collecting the personal data and will process it, but may share it with other entities as set forth in this Policy.
What is personal data?
Personal data or is any information that reasonably identifies you and is about you as described in our applicable privacy laws. Some examples of personal data are your name, home address, and date of birth.
Personal data we collect and why
During your Merchant application process and throughout our business relationship, we may ask for your personal data directly from you or your business representatives on your behalf where it is lawful to do so.
We may collect your personal data for the following purposes outlined in below, for compatible purposes, and where otherwise lawful to do so. We will collect, use or disclose your personal data only with your knowledge and consent, including as set out in this Policy, except where otherwise required or permitted by law.
If you are unable to provide the requested personal data for our purposes, or refuse to do so, we may not be able to approve your application, enter into or continue an agreement to access or provide our Services.
Personal and contact details. For example, your name, date of birth, email address, business and residential address, location. information from third party and publicly available sources.
To enter into and for the performance of your Merchant contract, and as required by law
We need to get in touch with you, and discuss your application with us.
Once your business is approved, we will also set up your business’s Service account, and use it to authorise discussions about your business’ account with our customer support team, and to interact with you to deliver our Services.
Refer also to purposes described in “Identifiers” below.
With your consent or, where applicable, our legitimate interests for marketing and research purposes
To conduct Merchant surveys
To send you marketing communications and to offer new partnerships and promotion opportunities. Where permitted, we may opt you in to marketing communications, but you can opt out at any time by clicking the unsubscribe link at the bottom of these messages.
Our legitimate interests
Before you apply to become a Merchant, we may collect this type of information from your business, publicly available (eg. your website or LinkedIn), and other third party sources where permitted to reach out and understand whether you may be interested in applying to be a Merchant. This includes, where another Merchant has referred you under our Merchant Referral Program.
We may search online for any publicly available information about you, such as adverse media, through our onboarding process, and ongoing review of your suitability to provide our Services.
Identifiers, including government-issued documents. For example, a driver’s license, passport, social security number, health or social insurance number, birth certificate, trust deed, or other agreed identity documentation
To enter into and for the performance of a Merchant contract, and where required by law
With your personal details, we may ask for this information where permitted to verify your identity and assess your eligibility to approve you as a Merchant and ongoing review of your suitability to provide our services.
We do so as required and in accordance with applicable Anti-Money Laundering Counter Terrorism Financing Laws, Sanctions-related Laws, and internal risk policies. These include:
Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (New Zealand)
Anti-Money Laundering and Countering Terrorism Financing Act 2006 (Australia)
The provision of your identifiers is voluntary, but if you do not provide it to us when requested, we may not be able to verify your identity, and we may not be able to enter into a contract with your business.
Use of our information, communication, and transaction processing systems
For example, login information and sessions, information about your interactions with our Services, your bank account details
To enter into and for the performance of your Merchant contract, and our legitimate interests
To provide, maintain, and improve our services, including your service account and perform transactions
When you interact with us through contacting our customer support team, suppliers or service providers to manage your account or respond to a query (whether by web form, mail, email or through telephone enquiries), and to deliver our partnership and promotion opportunities, such as the Merchant Retailer Program.
How your personal data is used and shared
We may use and share your personal data with the following categories of recipients where lawful to do so, including for purposes outlined in “Personal data we collect and why”. We do not sell your personal data.
When verifying your identity and assessing your eligibility, we may share your personal data with credit reporting bodies, identity verification services, and/or other external agencies. We may collect responses as to whether you pose a fraud or money laundering risk, and whether you are listed on a government sanctions list. The searches we would make are "soft" searches and do not leave a footprint on your credit file.
We may also share your personal data with other Afterpay entities, affiliates and related companies (company group), and with Suppliers and Service Providers for the provision, maintenance, and improvement of our Services. Personal data may be accessible by authorised employees and contractors as required for the purposes described in this Policy.
We may also share your personal data with companies that we plan to merge with or be acquired by or who may invest in us.
Where required, we may share your personal data with government, law enforcement, and regulatory authorities, or as otherwise required or authorised by law.
Cross border transfers
We may collect or transfer personal data across borders in a secure and lawful manner, within and externally to our company group, including for purposes described in this Policy and as otherwise required or permitted by law. Your personal data may be transferred to countries that include the United Kingdom, United States, Australia, Canada, New Zealand, and the Philippines. We take necessary steps to require entities that deal with your personal data, by written agreement, to comply with a similar standard of compliance with applicable privacy requirements and to have appropriate safeguards. This includes, where required, cross-border transfer mechanisms under the GDPR for transfers of personal data outside the European Economic Area. For example, transferring to European Commission approved third countries holding an adequacy provision or providing appropriate and enforceable safeguards, including availability of an effective legal remedy to individual rights.
To facilitate our global operations we may share personal information with Afterpay and our affiliates and related companies, including those based in Australia, United States, United Kingdom, Canada, China, and New Zealand, and where we operate in Europe. We are bound by an Intercompany Personal Data Transfer Agreement that contains Standard Contractual Clauses.
How we keep your personal data safe
As part of our commitment to protecting the security of any data we process, we have put in place physical, technical, and administrative security measures. We are an ISO 27001 compliant company, and require our third parties to meet appropriate privacy and security standards when handling data on our behalf.
How we retain your personal data
We will retain your personal data for as long as necessary to fulfill the purposes we collected it for. This includes where required under law, our legitimate interests, or for the establishment, exercise or defence of legal claims, and for reasons explained in “Personal data we collect and why” and “How your personal data is used and shared”. We will otherwise delete personal data where we no longer have a lawful basis.
When you provide your personal data to us to enter into and for the performance of a contract we will retain it for 7 years after the application is made or the termination of our agreement (where applicable), and where otherwise we have a lawful basis to do so. This includes for as long as is necessary for our for legal and compliance reasons.
Your rights and choices
We respect your rights and choices you make. Your rights and choices are where applicable to you based on your location and which entity you are dealing with, and subject to limitations as required or permitted by law. They are set out below.
We may not always be able to fulfill your request if we have a legitimate basis to refuse it. We will tell you why. For example, if you seek to erase your personal data in a way that would mean we are not able to comply with our obligations under law.
Withdraw your consent
You have the right to withdraw your consent where we have relied on it. If you withdraw your consent, we may not be able to provide you with certain Services. It will not affect our lawful basis for processing by consent before your withdrawal.
You have the right to enquire further about the personal data we hold about you and how we process it, including across borders.
You have the right to request access to your personal data.
You have the right to ask us to correct your personal data, including where you believe it is not accurate, complete, up to date, or relevant.
Make an enquiry or complaint
You have a right to make an enquiry or complaint, including to lodge a complaint with your local privacy authority
You have the right to ask us to erase your personal data, and where personal data is made public, to inform other controllers of your personal data where you have a lawful erasure right.
You have the right to ask us to restrict processing of your personal data.
Object to processing
You have the right to object to us processing your personal data.
You have the right to ask us to access or transfer on your behalf personal data we hold about you to a third party.
If you have a query or concern regarding the way we collect and handle your personal data, or would like to exercise your rights and choices, please get in touch at [email protected] or directly to a privacy specialist at:
UK: [email protected] or mail 22 Long Acre, London, UK, WC2E 9LY
All other regions: [email protected]
If you are located in the UK or Europe and would like to speak to your local Data Protection Officer, please ask or address your email to the “Data Protection Officer”.
Where you have asked us to exercise a right or choice, we will review and advise you of the steps we have taken to respond within a reasonable and lawful time frame, and explain our process and reasons.
Changes to this Policy
LAST UPDATED: 1 April 2022