Eftsure Privacy Policy and Confidentiality Statement

This Privacy Policy and Confidentiality Statement (Statement) is made by Eftsure Pty Limited ABN 21 168 403 736 (eftsure). eftsure is an Australian owned and operated business that provides electronic payment verification services to businesses.
eftsure provides two services:

• The eftsure payment verification service, which combines functionality of (1) payment protection (alerting payers about potential fraud in real-time on a payer’s online payments screen, or on a payer’s payments file in eftsure’s web portal), and (2) vendor management (providing payer’s finance teams with accurate vendor payment information and capability to onboard and manage new and changed vendors from one single place),
• the EftsureID service, which enables a payee to provide that payee’s prospective payers with a simple way to verify that that payee’s bank details are correct before the payer makes payments to the payee.

This Statement relates to each ensure service, and both eftsure services, in this Statement being the Service, except where (and then to the extent that) a paragraph in this Statement is expressly stated to refer to either the eftsure payment verification service or the EftsureID service, in which case the relevant paragraph relates only to that service.

This Statement is in three parts.

Part A addresses our handling of personal information and business confidential information in the course of our business of provision of the eftsure payment verification, including use of our internet site to log-in to the eftsure payment verification service.

Part B addresses our handling of personal information and business confidential information in the course of our business of provision of the EftsureID service, including use of our internet site to log-in to set-up and use the EftsureID service and download and use of the EftsureID app to use the EftsureID service.

Part C is general terms that apply to everything that eftsure does, including how we handle information in the course of operation of our internet site and associated digital marketing, including uses of online tracking code associated with our internet site including uses of online tracking code associated with our internet site.

We will comply with this Statement.
In relation to ‘personal information’ ‘about individuals’, we will also comply with Privacy Laws. Privacy Laws are, in relation to personal information about individuals in Australia, the Privacy Act 1988 (C’th), including the Australian Privacy Principles (APPs), and other Australian federal, state and territory privacy and data protection laws, and in relation to personal information about individuals in New Zealand, the Privacy Act 2020 (NZ), and mandatory codes and other mandatory requirements applicable in Australia and New Zealand respectively.

Some eftsure customers are agencies or other organisations that are regulated by privacy and data protection statutes of Australian States and Territories. We will ensure that eftsure’s handling of ‘personal information’ about individuals, as entrusted to us by entities that are regulated by those statutes, also complies with those Privacy Laws.

We will not reduce our commitments in this Statement as to our processes, practices and standards to protect privacy, confidentiality and information security.
We may modify or amend other provisions of this Statement from time to time. We will display a notice at www.eftsure.com.au stating when any such revisions have been made.

Each eftsure Service is as described at www.eftsure.com.au. That description may be changed or updated from time to time by eftsure.
This Statement should be read together with the terms of provision of each eftsure Service (eftsure Terms), which may either be as available at www.eftsure.com.au, or as we and you agree in a written contract, as applicable.
If you are a customer or prospective customer for an eftsure Service you should also read the eftsure Terms. The eftsure Terms set out other important terms on which we provide each eftsure Service to our customers.

1 About this Statement in relation to the eftsure Services

This Statement:

• sets out how we collect, use and disclose personal information entrusted to us by our customers or otherwise collected and used by us;
• sets out how we collect, use and disclose other personal information that we collect or that is entrusted to us;
• states our confidentiality commitments to each customer that entrusts us with recipient names and account numbers for verification. These commitments are:

(1) eftsure will maintain business confidentiality and will only disclose information that an eftsure customer deals with particular persons and entities to the limited extent that disclosure is necessary in the course of verification of a payee’s details on behalf of that eftsure customer, or otherwise at the request, or with express consent, of that customer.

(2) eftsure will only use and disclose payee names and account details, and information about payers, for the purpose, and then only in the ways, described in this Statement.
Most of the information that eftsure customers provide to eftsure and that eftsure collects in order to verify payee details is not personal information about individuals. Information about businesses is generally not regulated by Privacy Laws. However, some business information about individuals may also be personal information about individuals.

Eftsure’s data handling processes and systems for collection and handling of payee information are designed for privacy, confidentiality and information security by default and by design, and to minimise handling of information about payees. Eftsure handles confidential information about payee businesses by applying the same privacy, confidentiality and information security standards as we apply to our handling of personal information about individuals.

We retain and use details about completed verifications, including failed verifications, only for the purposes and in the ways described in this Statement.

Part A – the eftsure payment verification service

2 Why do payers use the eftsure payment verification service?

The eftsure payment verification service supports Australia’s leading businesses by significantly increasing the likelihood that that payments by them go to the right bank account of intended recipients.

Australian inter-bank payment systems do not enable automated checking of a payee’s name against the payee name associated with a bank account. These systems treat a payee’s name as an information field for recording on account statements, but not a required field for verification or verification of a payee’s name against the name recorded in the recipient bank’s system as the holder of the bank account specified in the payment record. Accordingly, funds may be (either inadvertently, or through fraud) deposited into an account that is unrelated to the nominated recipient.

The eftsure payment verification service enables an eftsure customer that is a prospective payer to confirm that a payee’s bank account details as proposed to be used by the payer appear to be correct.

eftsure does this either through direct verification or check against previous verifications conducted by eftsure. This substantially reduces possibility of error or fraud.

The eftsure payment verification service provides assurance to:

our customers, being payers proposing to make direct payments to bank accounts of Australian recipients, that the payment should be received and credited by the recipient bank to the correct recipient, and that this recipient holds a bank account with the details as verified by us, and

• prospective payment recipients, that the business making a payment to that recipient has the correct recipient name and that this recipient name is associated with the correct account details.
  The eftsure payment verification service therefore:
• reduces risk of adverse consequences that otherwise are likely to arise from operator error or inconsistencies in transcription of payee details from invoices or other source material into payee details as held in accounts payable systems,
• reduces opportunities for fraud that otherwise may arise through bank account details being deliberately associated with payee names that are not the holders of those bank accounts,
• improves relationships between our customers and their suppliers and other prospective payees, by ensuring that verification happens once and then through a courteous, confidential and trustworthy procedure that includes a proper audit trail,
• improves banking relationships, by reducing possibilities of misdirected or incorrectly credited payments,
• reduces credit risk. Most banks do not accept contractual responsibility to reimburse their customers for unrecoverable payments that had been credited to a destination account number as notified by their customer where the destination account number is not the intended payee, regardless of whether the intended payee details as entered in the information field of the payment request matched the name of the holder of the destination account number.

3 How is information relating to payees handled by eftsure?

The eftsure payment verification service verifies names, email and other contact and account details and account numbers of prospective payees, as provided by customers for checking.

Verifications are undertaken by one of a number of ways, including enquiry made by eftsure of prospective recipients, cross-verification using records of previous verifications that eftsure has conducted in relation to the proposed recipient, and cross-verification by matching multiple requests made by multiple customers.

Upon request by an eftsure customer (as made through the eftsure payment verification service in relation to a proposed payee), the eftsure Service checks the verification status of that proposed payee. If the prospective payee is not then already verified, eftsure attempts to conduct a verification by enquiry of the prospective payee. Following verification, the eftsure payment verification service as provided to that eftsure customer flags the verification result for that particular payee.

Some of eftsure customers make payments to the same payees: for example, the Australian Taxation Office, Australian Post, airlines, electricity and telecommunications service providers, office supply companies and courier companies and so on. eftsure seeks to avoid multiple contacts of the same prospective payee to confirm the same details. Upon receiving a request from a customer for verification of a prospective payee and bank account, eftsure may conduct cross-verification, using records of payee details as formerly verified by us or by matching multiple requests made by multiple customers. If there is a cross-verification match in relation to a prospective payee, we may elect not make a further verification enquiry of the prospective payee. If there is no cross-verification match, eftsure will undertake the verification process described above.

Eftsure’s verification process depends upon confirmation by a prospective payee of their bank account details, or cross-verification by us in the way described above. If a prospective payee does not elect to confirm their bank account, or cross-verification as above described is not possible, eftsure cannot complete our verification process.

We retain a record of payee details that are verified, and a record of details that we appear incorrect or unverifiable, for disclosure of verification of those details (but not which eftsure customer requested the verification) to an eftsure customer, including any eftsure customer making an enquiry as to the same payee.

The eftsure payment verification service also maintains records as to amounts paid to payees in order to identify and then flag possible duplicate payments or unusual payment amounts and for associated service assurance, billing and administration by eftsure.
Eftsure retains, uses and discloses records of the identity of businesses with verified account details and of failed verifications, only:

• for the purposes described above,
• for otherwise related secondary purposes such as data analytics and other statistical analysis as to verifications, maintaining an audit trail as to verifications undertaken and the outcome of those verification enquiries, maintaining business records as required by laws, assisting our customers or banks or law enforcement agencies with investigation of any suspected fraud or other serious wrongdoing, as required by law or otherwise as required or authorised by law, including Privacy Laws.

4 Operation of Privacy Laws

(a) The eftsure payment verification service is provided to assure payers that their payments will go to the correct recipient and prospective payees that payments due to them will be properly credited to their nominated account. eftsure considers that this is a use of information about payees that is reasonably within the contemplation of prospective payees.

(b) As service provider to our customers, we rely upon each eftsure customer that entrusts us with proposed payee names and account numbers and other data, including personal information, to provide any notices and obtain any consents as may be required or desirable to enable the eftsure customer to disclose that data, including personal information, to us, so that we may provide the eftsure payment verification service in accordance with this Statement and with Privacy Laws.

(c) APP 3.6 provides that an APP entity must collect personal information about an individual only from that particular relevant individual unless it is unreasonable or impracticable for the entity to collect personal information only from the individual. Whether it is ‘unreasonable or impracticable’ to collect personal information only from the individual concerned depends on the circumstances of the particular case, including whether the individual would reasonably expect personal information about them to be collected directly from them or from another source, the sensitivity of the personal information being collected, any privacy risk if the information is collected from another source, and the time and cost involved of collecting directly from the individual. It is not reasonable or practicable for eftsure to verify that each individual in relation to whom personal information (not being sensitive information) is provided to us by a customer is aware that personal information will be provided by that business to eftsure.

(d) If you wish to verify how, when and why any business with whom you interact or otherwise deal collects personal information about you or then uses or discloses that personal information to anyone else, you should first check the privacy statement of that business (usually available at their internet site and labelled privacy policy, privacy statement or something similar) and any privacy notice or other terms associated with a particular product or service that you may consider acquiring or acquire from that business.

Part B – the EftsureID service

5 How is information relating to payers handled by eftsure in provision of the EfsureID service?

The EftsureID service enables an eftsure customer payee to provide prospective payers with a simple way to verify that that payee’s bank details are correct before the payer makes payments to the payee.

The eftsure customer is allocated an EftsureID. The eftsure customer may then make available that EftsureID to prospective payers, for example, by reproducing the EftsureID on the eftsure customer’s invoice. The prospective payer may elect to scan that EftsureID, or manually enter the EftsureID details into the Eftsure web page at https://id.eftsure.com.au/. To scan the invoice reproducing the EftsureID, the payee must download the eftsureID App from the IOS or Android store.

In the course of provision of the EftsureID service, eftsure:

• collects and holds email addresses and device App IDs (unique device identifiers) of users of the EftsureID, including by creating a user record of these addresses and logs of scanned EftsureIDs,
• collects and holds the scanned invoice image, for support, troubleshooting and audit,
• collects and holds the EftsureID that is scanned, to maintain an audit trail to the email address and device App ID of the scanning party.

Part C – all eftsure’s services and activities

6. Protecting confidentiality and privacy from disclosure

Except as above described, eftsure will not otherwise disclose records of the identity of businesses with verified account details and of failed verifications, or details as to payers collected in the course of provision of the EftsureID service to any third party, unless the disclosure is to a third party and:

(a) that third party is a group company of ours, in which case we will require that group company to only use and disclose such records in accordance with this Statement, as if a reference in this Statement to us was a reference to that group company,

(b) that third party is a sub-contractor engaged to provide services to us. This may include disclosure to contractors outside of Australia and located in countries whose Privacy Laws do not provide a similar or equivalent level or scope of protection of personal information as Australian Privacy Laws. In this case we will obtain contractual commitments by these sub-contractors to only use and disclose such records for the purposes of providing services to us in accordance with this Statement.

We will not use any personal information about an individual for a secondary purpose unless:

(a) for the purposes described above,

(b) an individual would reasonably expect that we would use or disclose the personal information for that secondary purpose and that purpose is related to the primary purposes for which it was given to us,

(c) that individual has consented to the use of that personal information for the secondary purpose, or

(d) the secondary use or purpose is required or permitted under law, such as in connection with the sale of some or all of our business or assets, or the disclosure is authorised by the Privacy Laws including to lessen or prevent a serious threat to life or health, to protect the personal safety of the public, if authorised or required by law, if we have reason to suspect that unlawful activity has been, is being or may be engaged in, to enforce the law or where necessary to investigate a suspected unlawful activity, or if we have told an individual that personal information about that individual is usually used or disclosed to third parties in this way.

7 Ways in which we collect personal information

Parts A and B above describes our handling of personal information in the course of provision of the eftsure payment verification service and the EftsureID service respectively, including use of our internet site to log-in to the eftsure payment verification service.

Other ways that we collect personal information about individuals are as follows.

• In the course of operation of our internet site, including in interactions with users of our internet site. See further paragraph 8 below.
• When an individual gives personal information to us, such as when that individual submits an order form or interacts with us. This might happen when a customer’s representative is setting up an account with us, using one of our products or services or filling out a form or contacting us with a problem or query.
• When a customer uses services, including our call centres and online services. For example, when an individual visits our website or uses our systems and applications, we may also collect information about that use of our website, systems and applications (including via cookies and other technologies).
• We collect personal information about from service providers like identity and fraud checking services and credit reporting bodies.
• We also collect personal information from other sources such as regulators, credit reports, marketing mailing lists, public information (including public posts to social networking sites), and commercially available personal, identity, geographic and demographic information sources. For example, we use third party services that assist us to analyse and augment personal information of individuals in businesses and other organisations that are prospective clients and clients (such as contacts and leads that we engage with via digital channels and speak to over the phone). This information, generally in the public domain, includes business or other organisation name, names of personnel, work email addresses, work addresses, which banks an organisation uses, and which ERP systems an organisation uses. We collect this information into our customer relationship management (CRM) systems.
• We may record online meetings with personnel of businesses and other organisations that are prospective clients. When we do so, we will give prior notice to those persons as required by law. We will use these recordings only in accordance with this Statement and to the extent permitted by law.
• We also collect personal information about our personnel (employees and contractors), and applicants for positions with us, to support management our human resource functions and statutory obligations. We may monitor communications of our personnel that are made using work resources, to ensure that we provide safe and secure services and that we handle personal information of others only in accordance with this Statement and to the extent permitted or required by law. We will inform our personnel of this workplace monitoring and conduct this monitoring only to the extent permitted by law.

Some of our service providers that analyse and augment personal information for us provide their services from outside Australia and may store personal information outside Australia. We will take reasonable steps to ensure that those service providers do not breach all applicable Australian Privacy Laws in relation to personal information that they handle on our behalf.

Use of our internet site

(a) We use tracking code (‘cookies’, pixels or other technology) and collect device identifiers to track access to, and use of, our internet site. The information collected using tracking code and device identifiers is handled by us to mitigate risks that this tracking code might be used to identify a person using a browser or device. We use tracking code to provide a better user experience for users when using our internet site and to improve our internet site. We do not use tracking code to identify a person using a browser or device.

(b) We may also receive tracking code data, device identifiers, log information and other information, from ad serving services or advertising networks and relating to use by other persons of third-party internet sites serviced by those ad serving services or advertising networks. We also use this received tracking code to provide a better user experience for users when using our internet site and to improve our internet site. We do not use tracking code to identify a person using a browser or device.

(c) Our internet site uses technologies of third-party partners, such as NextRoll, to help us recognize your browser device and understand how you use our internet site so that we can improve our services to reflect your interests and serve you advertisements about the products and/or services that are likely to be of more interest to you. Specifically, these partners collect information about your activity on our internet site to enable us to:

• measure and analyse traffic and browsing activity on our site(s),
• show advertisements for our products and/or services to you on third-party sites, and
• measure and analyse the performance of our advertising campaigns.

(d) We may share data, such as hashed email derived from emails or other online identifiers collected on our internet site with our advertising partners. This allows our partners to recognize and deliver you ads across devices and browsers. To read more about the technologies used by NextRoll and their cross device capabilities please refer to https://www.nextroll.com/privacy.

(e) Our partners such as NextRoll may use non-cookie technologies that may not be impacted by browser settings that block cookies. Your browser may not permit you to block such technologies. For this reason, you may if you wish use the following third party tools to decline the collection and use of information for the purpose of serving you interest based advertising:

• the NAI’s opt-out platform: https://optout.networkadvertising.org/
• the DAA’s opt-out platform: https://optout.aboutads.info/

(f) Links to other internet sites: Sometimes our internet site contains links to other internet sites. When you access an internet site other than our internet site, we are not responsible for the privacy practices of that site. We recommend that you review the privacy policies of each internet site you visit.

9 Ways in which we use personal information

We use personal information to provide products and services and conduct our business.

• Administration – We may use personal information to help us manage the products and services we provide, to deal with customer enquiries and complaints, and to maintain and update our records. For example, we need to be able to verify an individual’s identity to detect, prevent and address fraud.
• Marketing, customer relationship management (including customer support), and accounting and billing: We use information in our CRM systems to contact prospective clients and clients. Information in our CRM systems are also accessed and analysed in an application that we use called Grow, that pools data from our CRM systems and third party sources and presents the merged information as graphs and charts for use within our operations. We also link our CRM systems to our accounting software system called SaaSOptics, which enables us to manage customer billing, invoicing and receipts.
• Services security and fraud protection – We undertake a range of network, security and fraud protection activities including identifying and blocking possible malicious actors, code or content. We may also use personal information to determine whether an individual might be impacted, and take action to block the malicious activity or notify the individual so that the individual can take protective action.
• Communication – We need to be able to communicate with individuals in businesses and other organisations that are prospective clients and clients you. We may do this via phone, email, SMS, social media, search engines and web pages you visit. Where these communications are in the nature of direct marketing, we will ensure that we comply with relevant laws, including prohibitions on unsolicited electronic communications (spam) and requirements to provide unsubscribe functionality and other readily accessible opt-out choices.

Please be aware that if you unsubscribe from a mailing list, we will continue to send you important messages that are not marketing communications, such as safety or administrative messages.

10 Access to and correction of personal information

(a) Where we collect personal information from an individual directly, we take steps to ensure that the personal information we collect, use and disclose is accurate, up to date and complete. These steps include maintaining and updating any personal information when we are advised by an individual that their information has changed.

(b) Where we collect personal information about an individual from a third party, we rely on that third party to ensure that information it collects is accurate, up to date and complete, subject however to the verification procedures which are at the core of the eftsure service as above described.

(c) An individual may request access to personal information about that individual that is held by us. Subject to any permitted exception under the Privacy Laws, we shall give that individual access to that personal information.

(d) If an individual notifies us that personal information about that individual as held by us is not accurate, we will take reasonable steps to correct that information. To the extent that we have received any personal information indirectly (for example, from a business for which we act as sub-contractor), we may notify that business that it has received a request from an individual to access or correct the personal information it has provided to us.

(e) If you require access to your personal information, please contact www.eftsure.com.au/contact-us.html. Before we provide you with access to your personal information we will require some proof of identity.

(f) For most requests, your information will be provided free of charge, however, we may charge a reasonable fee if your request requires a substantial effort on our part.

(g) If we refuse to provide you with access to the information, we will provide you with reasons for the refusal and inform you of any exceptions relied upon under the APPs (unless it would be unreasonable to do so).

(h) We take reasonable steps to ensure that your personal information is accurate, complete, and up-to-date whenever we collect or use it. If the personal information we hold about you is inaccurate, incomplete, irrelevant or out-of-date, please contact us and we will take reasonable steps to either correct this information, or if necessary, discuss alternative action with you.

11 Retention of personal information

We retain personal information after we have used the personal information for the purposes for which we collected or received it.
If we retain such personal information, it will only be used for the following purposes:

(a) as required by or under Australian law, or a court / tribunal order;

(b) as required for professional indemnity insurance; and

(c) in accordance with our back-up archive policy.
When no longer required, eftsure uses its best endeavours to ensure that all such information will be destroyed in a secure manner and in a reasonable time frame.

12 How we hold and secure your information

The security of your personal and confidential business information is important to us.

We take appropriate industry recognised steps to prevent personal and confidential business information we hold from misuse, interference or loss, and from unauthorised access, modification or disclosure. This protection includes the use of technologies and processes such as access control procedures, network firewalls, encryption and physical security.

13 How to contact us

(a) If an individual:

(i) would like to access or inquire about any personal information we hold about that individual;
(ii) has a query in relation to this Statement; or
(iii) would like to make a complaint about out handling of an individual’s personal information,

please contact us using the details below.
A: Level 6/122 Walker Street
North Sydney NSW 2060
E: privacy@eftsure.com.au
T: 1300 985 976

(b) If you wish to make a complaint about an alleged breach of the Privacy Laws, we ask that you send us your complaint in writing to the email address listed above. We endeavour to respond to complaints within a reasonable period (usually 30 days). If you are not satisfied with our response, you may make a complaint to the Office of the Australian Information Commissioner by phoning 1300 363 992 or by email at enquiries@oaic.gov.au.

This Statement was last updated on 4 December 2022.