NexPay Privacy Disclosure Statement & Consent
This privacy statement is made on behalf of NexPay Pty Ltd ACN 153 910 984 (“NexPay”). All references to “NexPay”,
“we”, “us” or “our” in this policy are references to NexPay Pty Ltd.
NexPay is committed to protecting your privacy and to compliance with the Australian Privacy Principles contained in
the Privacy Act 1988 (Cth) and any amendments thereto. If you have any questions relating to this privacy statement or
your privacy rights please contact us.
This Privacy Statement sets out the policy of NexPay for management of personal information. We are committed to
ensuring the privacy of your information and recognise that you, as a customer, are concerned about your privacy and
about the confidentiality and security of information that NexPay may hold about you.
By using our web site and/or our services, you consent to our collection, use and collation of your information as it
appears within this policy. If at any time our information practices change in the future, we will amend the policy on
our website. Should you have any immediate concerns about how your information is used, you should check our website
periodically to ensure you are up to date with our current policy.
This Policy is designed to inform customers of –
- The NexPay Privacy Policy;
- What information we collect and the purposes for which we collect it;
- Use and disclosure of information collected;
- Security of your personal information;
- Gaining access to information we hold about you;
- What to do if you believe the information we hold about you is inaccurate;
- Complaints in relation to privacy; and
- How to contact us.
Personal Information
Personal information is information or an opinion about an individual whose identity is apparent, or can reasonably
be ascertained, from the information or opinion. NexPay will also collect any personal information necessary for the
purposes of complying with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
Information generally collected by NexPay includes (but is not limited to) the following (depending on the nature of
the service provided):
- Your name, address and other contact details;
- Relevant financial information;
- Transaction purpose;
- Identification and verification information;
- Tax file numbers;
- Bank account information.
Open and transparent management of personal information
NexPay seeks to ensure that personal information we hold about an individual is managed in an open and transparent
manner. We have implemented procedures to ensure compliance with the Australian Privacy Principles and any applicable
codes, and to deal with any complaints relating to our compliance therewith.
NexPay has a clear and up-to-date privacy policy outlining our management of personal information, including details
regarding the kind of personal information we collect and hold; how and why we collect and hold this information, and
how an individual may access and seek correction of the information we hold about them. We further provide details
regarding our complaints handling process and our policy on disclosure of information to overseas recipients.
Collection of personal information
This policy details how NexPay adheres to the Australian Privacy Principles regarding the collection of solicited
personal information. NexPay only collects personal information directly from individuals, which is reasonably
necessary for the provision of our services, and only by lawful and fair means. We will always ensure you are apprised
of our purpose in collecting information, and your right to gain access to such information. If you do not provide the
information requested, we may be unable to provide you with our services.
Please note that generally we will only use the personal information we collect for the main purposes disclosed at
the time of collection such as to provide you with financial services. We may also use your contact information to
provide you with information regarding our other products from time to time, where we believe these may be of interest
or benefit to you.
Where possible we will collect the information directly from you but certain information may be collected about you
from other sources, for example, a referring third party. You herewith consent to such indirect collection of
information in these circumstances, unless you advise us otherwise.
Unsolicited personal information
Where we receive personal information about an individual which is unsolicited by us and not required for the
provision of our services, we will destroy the information (provided it is lawful and reasonable for us to do so).
Notification of the collection of personal information
When we obtain personal information about you, we ensure that you have our contact details and that you are aware of
the collection of information and our purposes for doing so. As per above, we are unable to provide certain services
if the requested information is not provided. We do not disclose your information to third parties, unless they are
related entities or services providers, in which case they are required to conform to our procedures.
Use and disclosure of personal information
NexPay collects and holds personal information about an individual for the purpose of providing remittance services.
We collect this information with your consent as per our service documentation, for the primary purpose disclosed to
you at the time of collection.
However, in some cases NexPay will use or disclose personal information for secondary purposes (any purpose other
than a primary purpose). Personal information obtained to provide remittance services may be applied to secondary
purposes if the secondary purpose is related to the primary purpose of collection and the person concerned would
reasonably expect the personal information to be used or disclosed for such secondary purpose. NexPay may also provide
your personal information to third parties in order to provide you with our remittance services.
We may exchange or supply your personal information with/to our professional advisers or agents, external service
providers, your nominated professional advisers or representatives, government departments/agencies/bodies, other
financial institutions, our insurers, or debt collectors. Examples include disclosure of your information to an
external party providing electronic identification services, or to intermediary banks in order to process transactions
on your behalf.
We may also disclose your personal information without consent where it is required or authorised by law.
Direct Marketing
NexPay will only use personal information obtained for the provision of remittance services, for the secondary
purpose of direct marketing where:
- NexPay collected the personal information from the individual; and
- The individual would reasonably expect NexPay to use or disclose the information for the purpose of direct
  marketing; and
- NexPay provides a simple means through which an individual can request to not receive marketing communications;
  and
- The individual has NOT requested such communications cease.
Please note that NexPay allows an individual to opt out of the receipt of direct marketing in each direct marketing
communication. You can change your mind about receiving information at any time by emailing us at
support@nexpay.com.au. On occasion, the law requires us to
advise you of certain changes to products/services or regulations. You will continue to receive this information from
us even if you choose not to receive direct marketing information from us. We will not disclose your information to
any outside parties for the purpose of allowing them to directly market to you.
Cross border disclosure/Sensitive information/Use of government identifiers/Anonymity & Pseudonymity
NexPay does not, for the purposes of the Privacy Act, collect sensitive information. Wherever lawful and practicable,
individuals may deal anonymously with NexPay but given the nature of our services, it is unlikely that this will be a
viable option. NexPay does not use official identifiers (e.g. tax file numbers) to identify individuals. An
individual’s name or Australian Business Number is not an identifier for the purposes of the Privacy Act and hence may
be used to identify individuals.
NexPay will only share/transfer personal information with overseas entities or persons to facilitate your
transactions or comply with our legal obligations. Such entities or persons may include overseas intermediary banks,
as well as our overseas branches and service providers (who will be required to comply with our privacy policy).
Access to personal information
Where a person requests access to their personal information, our policy is, subject to certain conditions (as
outlined below) to permit access. We will not charge an individual for reasonable access and correction requests. If a
person wishes to access their personal information or correct it, they should contact the Privacy Officer, and we will
seek to provide such information within a reasonable period of time, and in the manner so requested (where reasonable
to do so).
NexPay may not always be able to give you access to all the personal information we hold about you. If this is the
case, we will provide a written explanation of the reasons for our refusal, together with details of our complaints
process if you wish to challenge the decision.
We may not be able to give you access to information in the following circumstances:
- Where we reasonably believe this may pose a serious threat to the life, health or safety of any individual or to
  public health/safety;
- Which would unreasonably impact the privacy of another individual;
- Where such request is reasonably considered to be frivolous or vexatious;
- Which relates to existing or anticipated legal proceedings which would otherwise not be accessible in the
  discovery process relating to such proceedings;
- Which would reveal our intentions and thereby prejudice our negotiations with you;
- Which would be unlawful;
- Which is prohibited by law or a court/tribunal order;
- Which relates to suspected unlawful activity or serious misconduct, where access would likely prejudice the taking
  of appropriate action in relation thereto;
- Where enforcement activities conducted by or on behalf of an enforcement body may be prejudiced; or
- Where access would reveal details regarding a commercially sensitive decision-making process.
Correction of personal information
NexPay takes all reasonable steps to ensure the personal information held about individuals is accurate, up-to-date
and complete. We verify personal information at the point of collection.
Where NexPay believes information we hold about an individual is inaccurate, out-of-date, incomplete, irrelevant or
misleading, OR an individual requests us to correct information held about them, NexPay will take all reasonable steps
to correct such information in a reasonable time frame. No fees are payable for such requests. If you request us to
similarly advise a relevant third party of such correction, we will facilitate that notification unless impracticable
or unlawful for us to do so.
If NexPay intends to refuse to comply with your correction request, we will notify you in writing of our reasons for
such refusal, and the complaints process available to you if you wish to challenge that decision. You may also request
that we associate the personal information we hold with a statement regarding your view of its inaccuracy.
If you believe any of your personal information is incorrect, has changed, or is out-of-date please notify NexPay as
soon as possible via email – support@nexpay.com.au or via phone 1300 786 320.
Security of personal information
We take reasonable steps and precautions to keep personal information secure from loss, misuse, and interference, and
from unauthorised access, modification or disclosure.
Personal information imaged and stored on electronic databases requires password access and access is restricted to
authorised personnel.
Where information is no longer required to be held or retained by NexPay for any purpose or legal obligation, we will
take all reasonable steps to destroy or de-identify the information accordingly.
Cookies
A cookie is a small text file placed on your computer hard drive by a web page server. Cookies may be accessed later by
our web server. Cookies may store information about your use of our web site. Cookies also allow us to provide you
with more personalised service when using our web site.
Most web browsers are set to accept cookies but you may configure your browser not to accept cookies. If you set your
browser to reject cookies you may not be able to make full use of the NexPay web site.
To administer and improve our Web site, we may use a third party to track and analyse usage and statistical volume
information, including page requests, form requests, and click paths. The third party may use cookies to track
behavior and may set cookies on behalf of us. These cookies do not contain any personally identifiable information.
Privacy Complaints
If you have a complaint relating to our compliance with privacy laws or our treatment of your personal information,
please contact our Privacy Officer at the contact details above. We will investigate your complaint and endeavour to
resolve the issue to your satisfaction. If you are not satisfied with the outcome of your complaint, you have the
right to lodge a complaint with the Office of the Australian Information Commissioner by telephoning 1300 363 992 or
visiting their website at www.oaic.gov.au.
European Union Privacy
Your Rights
This statement is made on behalf of NexPay Pty Ltd ACN 153 910 984 (“NexPay”). All references to “NexPay”, “we”, “us”
or “our” in this policy are references to NexPay Pty Ltd and its subsidiaries.
In addition to the principles detailed in the NexPay Privacy Disclosure Statement & Consent (‘the policy’),
NexPay is committed to protecting your privacy under legislation and best practice requirements across all
jurisdictions in which it operates.
In offering its services to UK and EU based individuals, NexPay complies with, amongst other legislation, the General
Data Protection Regulation (‘GDPR’) (EU Regulation 2016/679).
This addendum sets out the specific requirements for the processing of personal information under the GDPR
requirements. Where no specific differences are detailed, ‘the policy’ provides the default approach and overriding
principles.
The addendum is designed to inform customers in relation to the following principal rights:
- Right of Access: the right to be informed of and request access to the personal data we process about
  you;
- Right to Rectification: the right to request that we amend or update your personal data where it is
  inaccurate or incomplete;
- Right to Erasure: the right to request that we delete your personal data;
- Right to Restrict: the right to request that we temporarily or permanently stop processing all or some of
  your personal data;
- Right to Object:
  - the right, at any time, to object to us processing your personal data on grounds relating to your particular
    situation;
  - the right to object to your personal data being processed for direct marketing purposes;
- Right to Data Portability: the right to request a copy of your personal data in electronic format and the
  right to transmit that personal data for use in another party’s service; and
- Right not to be subject to Automated Decision-making: the right to not be subject to a decision based solely on
  automated decision making, including profiling, where the decision would have a legal effect on you or produce a
  similarly significant effect.
The Addendum further informs EU based individuals of
- What information we collect and the purposes for which we collect it;
- Use and disclosure of information collected;
- Security of your personal information;
- Gaining access to information we hold about you;
- What to do if you believe the information we hold about you is inaccurate;
- Complaints in relation to privacy; and
- How to contact us.
Personal Information
As mentioned in ‘the policy’, information generally collected by NexPay includes (but is not limited to) the
following (depending on the nature of the service provided):
- Your name, address, email and other contact details;
- Relevant financial information;
- Transaction purpose;
- Identification and verification information;
- Tax file numbers
- Bank account information
This information is collected solely from you and will not be obtained from third-party sources.
Processing:
In adherence to GDPR legislation, the above personal data is processed by NexPay for the following purposes:
- In order to allow your transactions and instructions to be processed and notification provided to you relating to
  the status of such. Also to allow your education agent and/or education provider to receive approved feedback from
  NexPay in relation to your transaction. The legitimate ground for this processing is the performance of a contract
  to which you are a party.
- For the purposes of preventing fraud or criminal acts. The legitimate ground for this processing is the pursuing
  of the legitimate interest of NexPay to protect its businesses/interests against losses caused by fraud or criminal
  acts.
- In order to comply with NexPay’s legal obligations under applicable legislation relating to the fight against money
  laundering and the financing of terrorism or to comply with a request from law enforcement authorities and other
  legal or administrative authorities. The legitimate ground for this processing is the compliance with a legal
  obligation to which NexPay is subject or the processing is necessary for the performance of a task carried out in
  the public interest.
The provision of personal data is either a contractual or a statutory requirement and is obligatory since without
this personal data NexPay cannot:
- enter into a contractual relationship with you or your agent,
- protect its own business/interests, or those of any other third party against losses caused by fraud,
- comply with legal obligations related to the fight against anti-money laundering and the financing of terrorism
  and comply with requests from law enforcement authorities and other competent legal authorities.
Communicating
NexPay will not communicate your personal data to third parties, except in the following limited circumstances:
- Communication by NexPay to any third party that is involved in the processing of the payment, its suppliers,
  subcontractors or other parties with whom NexPay has a contractual relationship and that provide services for /
  assistance to NexPay in the framework of:
  - the performance of the agreement between you and NexPay, and/or
  - fraud prevention or the prevention of criminal acts.
- To comply with its legal obligations, namely if NexPay is required by law to communicate certain information or
  documents to national regulators, law enforcement authorities or any judicial authority in the countries and
  territories in which it operates. Communication of personal data to those entities will be limited to the extent
  necessary or required under the applicable regulations.
NexPay will communicate your personal data to any organisation without your consent and where it is not used for the
purposes specified. NexPay will also not provide you with direct marketing without your explicit consent and will not
provide your personal data to any other direct marketing organisation.
Retention
NexPay will keep your personal data only as long as necessary to provide you with legitimate and essential business
purposes or for complying with our legal obligations and resolving disputes.
If you request, we will delete or de-identify your personal data, unless we are legally required to maintain it, in
which case we will let you know.
Transfer to other countries
NexPay may transfer your data outside of the EU and Switzerland to group companies, to provide you with effective
services and support our contractual obligations to you. NexPay’s platform uses best in class encryption algorithms
and protocols to secure your data, as well as strong multi-layered password protection.
To maintain continuity of service and effective contingency, NexPay data is hosted in multiple overseas locations
managed by Microsoft Azure. Microsoft Azure is also fully compliant with GDPR regulations. It is policy for NexPay to
ensure that all existing or prospective partners, that may host personal data, are similarly compliant.
NexPay is committed to protecting users’ personal data. We implement appropriate technical and organisational measures
to help protect the security of your personal data; however, please note that no system is ever completely secure. We
have implemented various policies including pseudonymisation, encryption, access, and retention policies to guard
against unauthorised access and unnecessary retention of personal data in our systems.
Your password protects your user profile and we encourage you to use a unique and strong password, limit access to
your computer and browser, and log out after having used the NexPay platform.
Children’s Data
NexPay does not knowingly collect from children under 16 years. If you are under 16 years of age please do not use
NexPay and do not provide any personal data to us.
If you are a parent or guardian of a child under 16 years of age and become aware that your child has provided
personal data to NexPay, please contact us through the support contact details in this addendum.
If we learn that we have collected the personal data of a child under the age of 16 years, we will take reasonable
steps to delete the personal data.
Access to your Personal Data
You are entitled to access your data. If you would like to do so please contact the NexPay Privacy Officer by email
at support@nexpay.com.au
Privacy Complaints
If you have a complaint relating to our compliance with privacy laws or our treatment of your personal information,
please contact our Privacy Officer at support@nexpay.com.au or on
either of the following numbers:
NexPay Pty Ltd: +612 90787967
We will investigate your complaint and endeavour to resolve the issue to your satisfaction. If you are not satisfied
with the outcome of your complaint, you have the right to lodge a complaint with a supervisory authority responsible
for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place
of the alleged infringement.
The supervisory authority of the NexPay parent company (NexPay Pty Ltd) is The Office of the Australian Information
Commissioner. Please visit their website at www.oaic.gov.au.
Changes to this Notice
This addendum will be reviewed annually or as required under changes to the GDPR regulation.
Effective Date: May 25th 2018