Eftsure Privacy Policy and Confidentiality Statement

1. This Privacy Policy

(a) This is the Privacy Policy of Eftsure, a business that provides electronic payment verification services. This Privacy Policy sets out how we collect and manage your personal information and business confidential information when providing services to you, or when you otherwise engage with us. In this Privacy Policy, unless the contrary intention appears, references to “we”, “us”, “our” or “Eftsure” means each of the following entities: Eftsure Pty Limited (ABN 21 168 403 736) (Eftsure AU), Eftsure NZ Pty Limited (company number 8495986), Eftsure, USA Inc. (EIN 99-0939957) (Eftsure US), Vector HoldCo Pty Limited (ABN 72 693 566), Vector BidCo Pty Limited (ABN 19 655 693 717) and Eftsure e-invoicing Pty Limited (ABN 77 669 461 974).

(b) Eftsure provides two main services, described below:

(i) the Eftsure payment verification service which includes the following functionality: (A) payment protection (i.e. alerting payers about potential fraud or error through the payer’s online banking, the Eftsure web portal or an API); and (B) vendor management (i.e. providing payer’s finance teams with up-to-date vendor payment information and capability to onboard and manage new and changed vendors from one single place); and

(ii) the EftsureID service which enables a payee to provide that payee’s prospective payers with a simple way to verify that that payee’s bank details are correct before the payer makes payments to the payee.

Please see your agreement with us for further information about which Eftsure entity provides the Eftsure services to you.

(c) We may update our services from time to time. Further information about our services is available on our website or in your agreement with us.

(d) We may update this Privacy Policy from time to time. The most current version will be located on our website. You may also request a copy using our contact details in section 11 below.

(e) For customers of Eftsure, this Privacy Policy should be read together with the terms that apply to the Eftsure services we provide to you. These will either be the terms available on our website (at https://eftsure.com/terms-of-service), or the terms in your written agreement with us.

2. Personal information and business confidential information

(a) Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information or opinion is true and whether or not the information or opinion is recorded in a material form. Therefore, not all information that we collect about you will be considered personal information.

(b) While information that we collect, use and store in the Eftsure secure database may not be personal information in every case, it may be business confidential information. Our data management processes and systems are designed for privacy, confidentiality and information security, by default and by design. We manage business confidential information that is stored in the Eftsure secure database by applying the same privacy, confidentiality and information security standards as we apply to our management of your personal information.

(c) Where we collect, use, hold or disclose personal information, we will do so in accordance with this Privacy Policy and will comply with all applicable privacy laws which may include (as the case may be): the Australian Privacy Act 1988 (Cth), the Privacy Act 2020 (NZ) and any mandatory privacy-related codes applicable to us in Australia or New Zealand.

3. Types of personal information that we collect and hold

The types of personal information that we collect and hold about you will depend on which services you or your customers use, and how you otherwise interact with us.

(a) Use of our services generally. In providing the Eftsure payment verification and EftsureID services, we may collect the following information about our customers and their respective suppliers:

(i) names of individuals;

(ii) job title;

(iii) business names;

(iv) Australian Business Number (ABN), Australian Company Number (ACN) and any other equivalent information in jurisdictions other than Australia;

(v) contact numbers;

(vi) business addresses;

(vii) email addresses;

(viii) payment amounts; and

(ix) full legal account name, bank account number, BSB and any other equivalent information in jurisdictions other than Australia.

(b) Use of the EftsureID service. In addition to the types of information listed in paragraph 3(a) above, in providing the EftsureID service, we may collect the following additional information about our customers and their respective suppliers:

(i) copies of customer invoices uploaded to the EftsureID service;

(ii) EftsureIDs; and

(iii) device App IDs.

(c) Use of our websites. We use tracking code (‘cookies’, pixels or other technology), collect device identifiers and log information to track access to, and use of, our website. We may also collect names, email addresses, phone numbers and other personal information when you complete any forms on our website, or request to join our mailing list. Please see section 4 for further information about cookies.

(d) Use of social media operated by us. We may collect the following information: your name, job title, email address and business name.

(e) When applying for a job with us. If you apply for a job with us, we collect personal information such as your name, contact number, address and email address. We may also collect sensitive information, such as health information or your criminal history, if this is relevant.

(f) When attending an Eftsure event or meeting. We may collect personal information such as your name, contact number, address and email address when attending, or planning on attending, an Eftsure event or meeting.

4. Cookies and other tracking technologies

(a) We use tracking code (being ‘cookies’, pixels or other technology) and collect device identifiers to track access to, and use of, our website. We use tracking code to provide a better user experience for our website users and to improve our internet site. We do not use tracking code to identify a specific person using a browser or device.

(b) We may also receive tracking code data, device identifiers, log information and other information, from advertising serving services or advertising networks which relates to your use of third-party websites. We use this tracking code to provide a better user experience for the users of our website and to improve our website.

(c) Our website uses technologies of third-party partners to help us recognise your browser device and understand how you use our website so that we can improve our services and to serve you advertisements about products and services that are likely to be of interest to you. These partners collect information about your activity on our websites to enable us to:

(i) measure and analyse traffic and browsing activity on our websites;

(ii) show advertisements for our products and services to you on third party websites; and

(iii) measure and analyse the performance of our advertising campaigns.

(d) We may share certain data with our advertising partners. Such data includes partially redacted/hashed emails or other online identifiers collected on our website. This allows our partners to recognise and deliver advertisements to you across your devices and browsers.

(e) If you do not wish to use cookies or other tracking technologies, you can amend the settings on your internet browser so it will not automatically download cookies, noting that:

(i) if you remove or block cookies on your computer, please be aware that your user experience and our website’s functionality may be affected; and

(ii) our partners may use non-cookie technologies that cannot be blocked by adjusting your browser settings. Where this is relevant, you may wish to use a third-party tool to prevent the collection and use of information for the purpose of serving you interest-based advertising. For further information, please see: Digital Advertising Alliance: YourAdChoices and Network Advertising Initiative: Consumer Opt-Out.

5. How we collect and hold your personal information

(a) We collect personal information in a number of ways:

(i) where reasonable and practicable, we will collect any personal information directly from you;

(ii) through use of the Eftsure payment verification service – if you are the payee of an Eftsure customer, we may collect personal information about you from the relevant Eftsure customer or our service providers (who assist us to provide verification services).

Please note that it would not be reasonable or practicable for Eftsure to collect all personal information about our customers’ payees directly from those payees in all cases, which is why we may collect some personal information about an Eftsure customer payee from the relevant Eftsure customer or our service providers.

It is the responsibility of each Eftsure customer to ensure that it has the appropriate consents in place to disclose any personal information about its payees to Eftsure. If you are a payee of an Eftsure customer and you would like to understand how that Eftsure customer manages your personal information, you should contact the relevant Eftsure customer directly;

(iii) through use of the EftsureID service – we may collect personal information from prospective payers in connection with the EftsureID service, such as when a prospective payer downloads and sets up the EftsureID app, scans an Eftsure customer’s invoice using this app or our webpage, or manually enters EftsureID details into the app or our webpage;

(iv) we may collect personal information from our personnel (employees and contractors), from individuals who apply for a position with us, and from prospective customers who engage with us;

(v) we may collect personal information from other third parties. This may include our advertising partners (please see section 4 for further information), our third-party delivery partners (such as integration and referral partners), and our service providers (such as identity and fraud checking services, and credit reporting agencies); and

(vi) we may also collect personal information from publicly available sources such as the Australian Business Register and any other equivalent sources in jurisdictions other than Australia, and social media.

(b) Any personal information and business confidential information stored in the Eftsure secure database that is collected by us is held securely using appropriate and up to date industry-recognised methods such as access control procedures, network firewalls, encryption, and physical security.

(c) Subject to any legal requirement, or ability to retain personal information pursuant to any contractual arrangement, we will destroy or de-identify your personal information when it is no longer needed for the purpose for which we collected it.

6. How we use your personal information

(a) How we use your personal information depends on which services you or your customers use, and how you otherwise interact with us. We have described the purposes for which we collect, hold, use and disclose your personal information, below:

(i) Provision of the Eftsure payment verification service. We collect and hold the data of Eftsure customers, as well as Eftsure customer payee data, in Eftsure’s secure database, which is encrypted. This information is used for verification purposes and ongoing vendor management for Eftsure customers. This may include: (A) verifying the data in an Eftsure customer’s vendor management file against data held in the Eftsure secure database to confirm whether the data aligns, and providing a report to the Eftsure customer; (B) verifying payee data by matching multiple requests made by multiple Eftsure customers; (C) contacting the payee to verify their details; (D) verifying payee data using third party service providers; (E) inviting a payee to register as a new supplier on the Eftsure portal; (F) before an Eftsure customer makes a payment, verifying the Eftsure customer’s data against the data in the Eftsure secure database and providing a notification or alert to the Eftsure customer regarding whether that data aligns, the likelihood of a duplicate payment, or a payment being made that is outside of set parameters; (G) maintaining and updating vendor details; and (H) providing help desk support or training.

We retain a record of payee details that are verified, and a record of details that appear incorrect or are unverifiable so that this may be disclosed to other Eftsure customers. However, we do not disclose which Eftsure customers are customers of a particular payee/vendor to any other Eftsure customer or third party.

(ii) Provision of the EftsureID service. We collect and hold the data of Eftsure customers, their invoices, as well as Eftsure customer payer data, in Eftsure’s secure database, which is encrypted. This data is: (A) collected and used to verify that the data on an invoice received by a payer of an Eftsure customer aligns with the same data held in the Eftsure secure database; and (B) retained for troubleshooting, audit and support purposes.

(iii) Our service providers and delivery partners. We may disclose personal information to our third party service providers and our delivery partners (including integration and referral partners) for the purpose of providing services to us.

(iv) Administration. We may use personal information for the purposes of managing customer enquiries, complaints, and to maintain and update our records.

(v) Marketing, customer relationship management (CRM), customer support, accounting and billing. We use information in our CRM systems to contact clients and prospective clients. Information in our CRM systems is also accessed and analysed in an application that pools data from our CRM systems and third-party sources (such as marketing mailing lists, commercially available personal, geographic and demographic information sources as well as publicly available information), and presents the merged information as graphs and charts for use within our operations. This information includes business names, names of individuals, business email addresses, business addresses, which financial institution an organisation uses, and which ERP systems an organisation uses. We also link our CRM systems to our accounting software, which enables us to manage customer billing, invoicing and receipts.

(vi) Operating our website. When an individual visits our website, uses our systems or applications, we may collect personal information about that individual including via cookies and other technologies. We collect this information for marketing purposes and to improve our websites. Please see section 4 for further information about how your data is used, where that data is collected through your use of our websites.

(vii) Security and fraud protection. We undertake a range of network, security and fraud protection activities including identifying and blocking possible malicious actors, code or content. We may also use personal information to determine whether an individual might be impacted and take action to block the malicious activity or notify the individual so that the individual can take protective action.

(viii) Communication. We communicate with individuals in businesses and other organisations that are clients or prospective clients. We may communicate with you for the purposes of providing or selling our services to you, setting up an account with us, filling out a form, or answering your queries. We may do this via phone, email, SMS, social media, web forms, search engines and web pages you visit. Where these communications are considered marketing, we will comply with relevant laws.

(ix) Business meetings. We may collect, use and store your personal information if you attend any online meetings with us, and we may like to record such meetings. If we do, we will give the attendees prior notice, and will comply with all applicable laws. We will use the recording of any online meetings for our own internal business purposes only.

(x) Job applicants. We will use any personal information that we collect from a job applicant solely for the purpose of assessing whether you meet the requirements of the relevant role, to fulfil any legal obligations and, if relevant, any pre-employment screening.

(xi) To fulfill our legal obligations. We may disclose your personal information to law enforcement authorities or government agencies where required to do so, or authorised, under applicable laws.

(b) Where we hold personal information that was collected for a particular purpose (the primary purpose), we will not use or disclose that personal information for another purpose (the secondary purpose) unless: (A) the relevant individual has consented to the use or disclosure; (B) the relevant individual would reasonably expect us to use or disclose the personal information for the secondary purpose and the secondary purpose relates to the primary purpose; or (C) the use or disclosure is otherwise required or permitted by relevant laws.

Eftsure may use and disclose personal information for the following secondary purposes: (A) data analytics and other statistical analysis related to verifications and trends in fraud; (B) maintaining an audit trail of verifications undertaken and the outcome of those verification enquiries; (C) maintaining business records as required by applicable law; (D) assisting our customers, financial institutions or law enforcement agencies with the investigation of any suspected fraud or other serious wrongdoing; and (E) as otherwise authorised or required by law (including privacy laws).

7. Access to, and correction of, personal information

(a) We will take reasonable steps to ensure that the personal information we collect, use and disclose is accurate, up to date, complete and relevant. If you believe that any information held by us is incorrect, you may ask us to correct it.

(b) You may request access to personal information about you that is held by us using the contact details in section 11. Before we provide you with access to any personal information, we will require some proof of identity to ensure that you have the right to access such information. Subject to any permitted exception under relevant privacy laws, we will provide you with a copy of the relevant personal information.

(c) For most access requests, your personal information will be provided free of charge, however, we may charge a reasonable fee if responding to your request requires a substantial effort on our part. We will not charge you for simply making the request and will not charge you for making any corrections to your personal information.

8. Third party sites

(a) We use a third-party service provider located in the United States of America to assist us with some digital verification activities. Where we do, our website contains a link to our third-party service provider’s website, and is clearly labelled as such. Any use of this third-party service provider is subject to their terms of service, although the third-party service provider will comply with this Privacy Policy. If you (being the payee of an Eftsure customer) do not consent to the third-party terms of service, you may choose another verification method.

(b) In addition to the third-party website outlined in paragraph 8(a), our websites may contain links to other websites that are operated by third parties. If you access a third party website through one of our websites, other than as outlined in paragraph 8(a), you may be bound by their terms of service and any personal information collected by that third party will be managed in accordance with their own privacy practices. We recommend that you read any terms of service and privacy policy to understand how your personal information will be managed by that third party. We are not responsible for the privacy practices of such third parties.

9. Cross-border disclosures

(a) We may collect, hold, process and transfer personal information outside the country in which you are located. Please note that information held in the Eftsure secure database is held within: (i) Australia, if the relevant customer agreement is with Eftsure AU; and (ii) the United States of America (USA), if the relevant customer agreement is with Eftsure US. For all other types of information, we may transfer such information within the Eftsure group of companies, which may result in a cross-border disclosure.

(b) Some of our service providers are in countries other than the country in which you are located. Where the disclosure of personal information to a service provider results in a cross-border disclosure, those service providers are likely to be located in Philippines, New Zealand, the USA or Australia.

(c) This paragraph 9(c) only applies if there is a cross-border disclosure of personal information by Eftsure AU. Where we disclose or store personal information outside of Australia, we will take reasonable steps to ensure that the recipient maintains adequate data security and privacy practices in relation to the management of that personal information, in accordance with applicable privacy laws (including the Australian Privacy Principles (APPs) where applicable). Such reasonable measures may include entering into enforceable contractual arrangements with overseas recipients, to ensure that any personal information disclosed overseas remains adequately protected.

10. How to make a complaint

If you wish to make a complaint about how we manage your personal information, please send a written complaint using the contact details below. We will respond to complaints within a reasonable period (usually 30 days). If you are not satisfied with our response, you may make a complaint to the Office of the Australian Information Commissioner (OAIC). Please see the OAIC website for further information.

11. How to contact us

If you would like to access or update your personal information, have any questions about this Privacy Policy, or would like to make a compliant about how we manage your personal information, please contact us using the details below:

A: The Privacy Officer, Level 9/177 Pacific Highway, North Sydney NSW 2060

E: privacy@eftsure.com.au