AfterPay Privacy Notice

Last version 16.04.2021

Version 1.3

1. About this Privacy Notice

The protection of your privacy is of the utmost importance to us. This Notice explains what personal information we collect and process from you when you use our services and products (the "Services") and become a customer with us. For example, you use our Services whenever you pay using one of our AfterPay payment methods or contact us in connection with payment processing. It also informs you about your data protection rights and explains how you can exercise them.

Specific privacy notices apply to the use of our website, the AfterPay web portal ("MyAfterPay") and our mobile application (the "AfterPay App"), which will be displayed to you when you use the website, the web portal or the AfterPay App.

2. Person responsible for data protection

Our services, e.g. the use of one of our AfterPay payment methods, are offered to you by Arvato Payment Solutions GmbH, Gütersloher Str. 123, 33415 Verl (hereinafter: "APS", "we", "us"). As the data controller within the meaning of EU Regulation 2016/679 (the "GDPR"), we are responsible for the storage and processing of your personal information that we collect from you as part of our services and for compliance with the law.

3. What personal information about you do we process?

3.1 Information you share with us

You provide us with personal information when you use one of our services, e.g. when paying for an order on a merchant's website using one of AfterPay's payment methods, or when you contact us. Depending on which of our services you use, the following information may be affected:

Contact details and personal information such as name, email address, postal address, date of birth, phone number

Payment information such as invoice information, bank account number

3.2 Data collected by us when you use our services

When you use our services (such as when you place an order on a merchant's website and choose to use one of our AfterPay payment methods) or contact us as part of the payment process, we collect the following information about you (either directly from you or via third parties such as credit reference agencies and merchants):

If you have consented to measures to protect against fraud and for misuse detection (see clause [4.1.2]), then we collect the following additional data (the "Access Data") when you visit the merchant's website:

The information you share with us, as well as the information we collect about goods/services, the Historical Information, your financial information and the information about the interactions between you and the merchants are needed to provide you with our services. The other information we collect, such as the information about the interactions between you and us, is required for the purposes listed below.

4. For what purposes is your data used? How long do we store your data?

We use your data for the purposes mentioned below. Furthermore, you can see from the overview for how long your data is stored in each case.

Area: Identification, risk and fraud management

  Purpose: To assess whether we can offer you our AfterPay payment methods
  Legal basis: Consent (Article 6 Paragraph 1 (a) GDPR). Safeguarding legitimate interests (Article 6 Paragraph 1 (f) GDPR). As we purchase the merchant's receivable, we have a legitimate interest in protecting ourselves against losses due to lack of solvency or due to fraud.
  Automated decision: Yes
  Storage period: 3 years

  Purpose: To be able to identify you uniquely
  Legal basis: Compliance with a legal obligation (Article 6 Paragraph 1 (c) GDPR)
  Automated decision: No
  Storage period: 3 years

  Purpose: To be able to carry out appropriate risk management or fraud prevention
  Legal basis: Safeguarding legitimate interests (Article 6 Paragraph 1 (f) GDPR). Our legitimate interest is to protect ourselves against solvency and fraud losses, as we buy the receivables from the merchant. Consent, if required under the applicable law (Article 6 Paragraph 1 (a) GDPR).
  Automated decision: Yes
  Storage period: 3 years

  Purpose: To be able to obtain information from credit agencies for the purpose of assessing creditworthiness
  Legal basis: Safeguarding legitimate interests (Article 6 Paragraph 1 (f) GDPR). We have a legitimate interest in also taking external data into account when deciding whether to grant our AfterPay payment methods if internal data alone is not sufficient to assess the credit risk.
  Automated decision: Yes
  Storage period: 3 years

  Purpose: To be able to prevent misuse of our AfterPay payment methods (e.g. by improving credit risk and fraud models)
  Legal basis: Compliance with a legal obligation (Article 6 Paragraph 1 (c) GDPR). Safeguarding legitimate interests (Article 6 Paragraph 1 (f) GDPR). Our legitimate interest is to protect ourselves against solvency and fraud losses, as we buy the receivables from the merchant.
  Automated decision: No
  Storage period: 3 years

Area: Payment administration & customer management

  Purpose: To be able to manage your payments and communicate with you
  Legal basis: Compliance with a contractual obligation (Article 6 Paragraph 1 (b) GDPR)
  Automated decision: No
  Storage period: 10 years

  Purpose: To be able to manage and improve the services
  Legal basis: Safeguarding legitimate interests (Article 6 Paragraph 1 (f) GDPR). Our legitimate interest is to further improve our services and operations, to optimise communication with the customer and thus to reduce unnecessary costs.
  Automated decision: No
  Storage period: 10 years

Area: Compliance with legal requirements

  Purpose: To be able to meet legal requirements, such as anti-money laundering and bookkeeping laws and regulatory capital adequacy requirements
  Legal basis: Compliance with a legal obligation (Article 6 Paragraph 1 (c) GDPR)
  Automated decision: No
  Storage period: 10 years

Area: Advertising and individual offers

  Purpose: To provide you with advertising and offers relating to our services by post, email, MMS, SMS or via the AfterPay App
  Legal basis: Safeguarding legitimate interests (Article 6 Paragraph 1 (f) GDPR) and, in the case of email, SMS and MMS, additionally Section 7 Paragraph 3 UWG. Our legitimate interest lies in providing you with offers and advertising.
  Automated decision: No
  Storage period: As long as an active business relationship exists and no justified objection has been raised

Area: Processing your data using a Connector ID (C-ID)

  Purpose: To use data that other Bertelsmann Group companies have collected from you for our risk and fraud management or for advertising purposes
  Legal basis: Safeguarding legitimate interests (Article 6 Paragraph 1 (f) GDPR). Our legitimate interest lies in also taking external data into account when deciding whether to grant our AfterPay payment methods if internal data alone is not sufficient to assess the credit risk. We also have a legitimate interest in providing you with offers and advertising.
  Automated decision: No
  Storage period: As long as an active business relationship exists and no justified objection has been raised

For more information on the purposes of data processing listed above, please see the sections below.

4.1 Identification, risk and fraud management

As part of the ordering process on a merchant’s website, we use your contact details, information about goods/services, financial information and, if available, historical information and, if you have granted your consent, your access data in the interests of effective prevention of abuse, credit checking and payment method control (decision as to whether an AfterPay payment method will be offered to the respective user) as follows:

4.1.1 Within the framework of the balancing of interests (Article 6 Paragraph 1 (f) GDPR)

Once you have selected one of our payment methods as part of the ordering process on the merchant’s website, the merchant sends us your contact details (name, address, date of birth (if necessary), email address) and information about goods/services so that we can decide whether we can offer you this payment method (passive payment method control).

For this purpose, we send your name, address and, if necessary, your date of birth via informa solutions GmbH, Rheinstr. 99, 76532 Baden-Baden, Germany to Infoscore Consumer Data GmbH, Rheinstr. 99, 76532 Baden-Baden, Germany (hereinafter referred to as "ICD") for the credit check to be carried out. Taking into account, among other things, address data and past payment experiences, ICD produces a forecast of payment probability (score) on the basis of mathematical-statistical processes (in particular logistic regression and comparisons with groups of persons with similar payment behaviour in the past) and provides this score to us. Based on the information about goods/services, the score provided by ICD, your contact details (name, address and, if applicable, date of birth) and the information we hold about your previous payment behaviour, we make a balanced decision as to whether we can offer you the selected payment option. The legal bases for these checks and the associated data transfers are Article 6 Paragraph 1 (b) and Article 6 Paragraph 1 (f) GDPR. Before offering one of our payment methods, all of which involve a credit risk, our legitimate interest is to assess as accurately as possible whether you will meet the payment commitments you enter into with us. The merchant's legitimate interest is to be able to offer you higher-risk payment methods as well, such as payment on account (open invoice) or direct debit. In addition, we use Fraud.net Inc., 330 7th Avenue, New York City, NY 10001, USA, as a further processor for fraud prevention and detection. The data is stored in the EU; however, Fraud.net accesses this data from the USA. We have concluded the standard contractual clauses published by the EU Commission with Fraud.net to ensure a level of data protection adequate to that in the EU.

Furthermore, in order to avoid incorrect deliveries and payment defaults, the address data you have specified is verified by means of an address check based on Article 6 Paragraph 1 (f) GDPR and is sent to ICD for this purpose. The data required for the credit check, the address check and payment method control is sent via a secure interface. Any sensitive personal circumstances that you bring to our attention will of course be taken into account as stipulated by law.

In accordance with Article 21 Paragraph 1 GDPR, you are entitled to object to the processing of your data with future effect for reasons arising from your specific situation; this also applies for any profiling carried out for the purposes specified above. Please bear in mind, however, that, in this case, we will no longer be able to offer you any of our high-risk payment methods as part of your ordering process on the merchant’s website.

You can find more detailed information about ICD as defined by Article 14 of the GDPR, i.e. information about the business purpose, about the purpose of data storage, on the data recipients, on the right to find out what details are held about you, a right to erasure or rectification, etc. in the annex to this document or by clicking on the following link: https://finance.arvato.com/icdinfoblatt.

4.1.2 Based on your consent (Article 6 Paragraph 1 (a) GDPR)

Consent to abuse prevention and detection measures

If you have indicated your consent to fraud prevention and detection of misuse as part of the ordering process on the merchant’s website, you are consenting that,

  1. your data for the execution of the contract (e.g. purchased item, name, postal address, email address, delivery address, payment method and bank details) and
  2. the device data used when visiting the website (e.g. screen resolution, operating system version, browser language, anonymized, i.e. shortened, IP address) and an anonymized device ID derived from this information (optionally stored in a cookie, if you permit this), on the basis of which further visits can be recognized with a certain probability,

are transmitted from the online shop to us for the purposes of fraud prevention and misuse detection. We use this data to check automatically for any evidence of online fraud or other misuse of the online shop (for example, ordering goods/services in the online shop by taking over your user account, the automated creation of fake user accounts by bots, or the use of stolen identities or payment data). Insofar as there is concrete evidence of online fraud or other misuse of the online shop, we and the online shop reserve the right to interrupt the relevant order process or to refrain from offering any of the AfterPay payment methods. The fraud prevention measures also help protect your user account against fraud and misuse of your information. You hereby confirm that you are authorised to grant this consent in respect of all devices used by you during your visit to this online shop, that you will inform any third parties to whom you make your devices available of said consent, and that you will ensure that they are also in agreement with the measures described above; otherwise they may not visit this online shop with your device.

The provision of personal data is required in order to conclude any contract. Should this not be provided, the online shop reserves the right to stop the purchase process.

You can revoke the above-mentioned consents at any time, with effect for the future, by sending an informal message to datenschutz@afterpay.de.

4.2 Customer communication

Your contact details may be used for customer communication (not advertising). For this purpose, you may, for example, be contacted in connection with customer service or our services, e.g. by sending invoices or reminders by e-mail or notifications about the AfterPay payment methods you use.

4.3 To meet legal requirements

We are subject to various legal requirements (e.g. Money Laundering Act, Banking Act, tax laws) as well as regulatory requirements (e.g. of the Federal Financial Supervisory Authority) and therefore process personal data for the purposes of creditworthiness checks, identity and age checks, fraud and money laundering prevention, combating the financing of terrorism as well as for the purposes of fulfilling tax control and reporting obligations.

4.4 Advertising and individual offers

We use your contact information to send you advertisements by post, email, MMS, SMS or via the AfterPay app about other AfterPay products, such as payment by instalments ("AfterPay Flex") or monthly billing. You will then receive advertising by email, MMS or SMS even without your express consent if we have received your email address or telephone number in connection with the use of our services and the products/services advertised by us are similar to those you have already used with us in the past. You can object to this use of your contact information for advertising purposes at any time by sending an email to datenschutz@afterpay.de. This will not incur any additional costs for you, except for the transmission costs according to the base rates.

Furthermore, at the end of each e-mail, MMS or SMS, you will be given the opportunity to object to the further use of your e-mail address or telephone number by us for the aforementioned purpose (advertising of comparable goods and services) in the future.

4.5 Processing your data using a Connector ID (C-ID)

We transmit your name, address and, if available, your contact details (e.g. e-mail address, telephone number) to Bertelsmann Data Services GmbH, Carl-Bertelsmann-Str. 270, 33311 Gütersloh ("BDS"). BDS processes this data to generate a unique connector ID ("C-ID"). This data is then deleted by BDS. The C-ID is a marker (identifier) which enables the Bertelsmann company involved in each case to determine in which databases of the other Bertelsmann companies involved a person present in their databases is stored.

In addition, we transmit the ID (customer ID) that we have assigned to your data record in our database to the BDS. BDS centrally records and manages, for all participating Bertelsmann companies, the C-ID, the customer ID, information on the anonymous data catalogue and information on which consents to a C-ID exist at the participating Bertelsmann companies. The anonymous data catalogue is aggregated, non-personal information about the data stored in the customer databases of the other Bertelsmann companies ("anonymous data catalogue"). We do not ourselves transmit an anonymous data catalogue to the BDS. The data processing described above is carried out to protect our legitimate interests on the basis of Article 6 Paragraph 1 (f) GDPR. This is initially done so that we can assess, through a request to the BDS, which participating Bertelsmann companies hold the same C-ID and what potential the anonymous data catalogue of the other Bertelsmann company offers for a data transfer to us.

Insofar as you have consented to this vis-à-vis another Bertelsmann company involved, this company may transmit further data about you to us using the C-ID. We will then use this data for our risk and fraud management or for advertising purposes, as described in more detail in section 4 of this data protection notice. Please note that we ourselves do not transmit any data about you to other Bertelsmann companies involved, but are exclusively data recipients in this context.

The Bertelsmann companies currently involved can be found at https://dataservices.bertelsmann.de/participatingcompanies/ or requested by post or e-mail at datenschutz@bertelsmann.de.

We and the BDS are joint controllers for the data processing involved in generating the C-ID. In this respect, we and the BDS have stipulated in a joint agreement pursuant to Article 26 GDPR which of us fulfils which obligations under the GDPR. This relates in particular to the exercise of the rights of data subjects and the fulfilment of the information obligations pursuant to Articles 13 and 14 GDPR. This agreement is necessary because, when the C-ID is generated, personal data is processed in different process sections which are operated either by us, by the BDS or jointly. Even where there is joint responsibility, the parties fulfil their data protection obligations in accordance with their respective responsibilities for the individual process sections as follows:

a) We are responsible for the process of transferring the above data to the BDS.
b) We and the BDS are jointly responsible for the generation of the C-ID.
c) The BDS is responsible for the administration of the C-ID as well as for the deletion, described above, of the data transmitted to the BDS for the generation of the C-ID.

You can assert your data protection rights both with us (see section 12) and with Bertelsmann Data Services GmbH, Corporate Data Protection, Carl-Bertelsmann-Str. 270, 33311 Gütersloh, Germany, or by e-mail at datenschutz@bertelsmann.de. As a rule, you will receive the information from the office where you assert your rights.

You can object to the use of your data for the data processing described in this section 4.5 at any time, as described in section 7. Your data will then no longer be used for these purposes in the future.

5. Automated decision in individual cases including profiling

The decision on whether to grant one of our AfterPay payment methods in the ordering process (payment method control) and the fraud potential of possible orders is made automatically as part of the online ordering process.

Within the framework of payment method control, information from the credit agencies we use externally as well as any payment data we already hold on you is used (see 4.1.1). In the fraud prevention process, additional device tracking data may be used (see 4.1.2). On the basis of mathematical-statistical methods (in particular logistic regression or other statistical, partially automated optimisation models), a forecast is created, in particular of payment probabilities and, if applicable, of risks of fraud and abuse, using our existing payment information, both through comparisons with groups of people who exhibited similar payment behaviour in the past and through historical analyses of fraud patterns (in particular through extrapolation to our target groups).

If you are refused credit due to insufficient creditworthiness or due to a significant suspicion of fraud, the high-risk payment methods offered by us will not be offered to you as we bear the associated risk.

6. Transfer outside the EU/EEA

We use the cloud service "Microsoft Azure" from the provider Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (hereinafter: "Microsoft"), i.e. the data is processed in data centres of our processor Microsoft. In doing so, access to your data from a third country cannot be ruled out. With the exception of Fraud.net and Microsoft, we do not currently transfer your data to countries outside the EU/EEA. If we do transfer your data to companies outside the EU/EEA, we will ensure that your data is adequately protected and that appropriate safeguards are in place (e.g. EU standard contractual clauses and, where applicable, further measures based on the so-called Schrems II ruling of the ECJ). You can request a copy of the protective measures we have implemented from our data protection officer at datenschutz@afterpay.de.

7. What rights do you have in respect of your data?

Access: You can request a written copy of the information that we hold about you.

Rectification: We want to make sure that your personal information is accurate and up to date. You may ask us to rectify or remove information you think is inaccurate.

Erasure: You can request that we erase your information. We may not be able to erase your information straight away, for example if we still need it to provide you with our services. We are not permitted to erase information about you that the law requires us to keep.

Objection: You have the right to object to the processing of your information pursuant to Article 21 GDPR.

Restriction of processing: You have the right to request the restriction of the processing of your data in accordance with Article 18 GDPR.

Withdrawing consent: Where the processing of your information is based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on your consent before its withdrawal.

Data portability: If your personal data is processed by automated means for the fulfilment of our contractual relationship, you have the right to request that we provide you with your personal data in a machine-readable format for transmission to another data controller.

Complaints: You can file a complaint with us or with your local data protection authority at any time. The authority responsible for us is: Die Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Postfach 20 04 44, 40102 Düsseldorf (Tel.: 0211/38424-0, Fax: 0211/38424-10, E-Mail: poststelle@ldi.nrw.de).

If you have a request send us an e-mail to datenschutz@afterpay.de.

8. Who do we share your data with?

We may share your data with other companies in the AfterPay group (i.e. across countries) for the purposes set out in this notice, to enable us to provide you with the best possible AfterPay service. If necessary, we also engage third-party service providers (processors, e.g. data centres) within the scope of the purposes stated in this notice. Service providers will only have access to your data to the extent and for the period necessary to provide the relevant service. We may provide the merchant from whom you made the purchase with the information they need to appropriately fulfil and manage your order. This information is subject to the privacy policy of the relevant merchant.

We may disclose your information to credit reference agencies and companies that carry out identity checks in order to verify your creditworthiness or to carry out a risk assessment if you wish to use one of our AfterPay payment methods, and to verify your identity and address details. Where we are legally obliged to do so, we disclose the necessary information to authorities such as the police or tax authorities. A statutory disclosure obligation exists, for example, in the case of measures against money laundering and terrorist financing. However, we only disclose to the competent authorities the data required under the applicable law.

Should we disclose your data to these selected third parties, we will make all reasonably expected efforts in legal, technical and organisational terms to ensure that, when transferred or disclosed to said third parties, your data will be treated confidentially and adequately protected. We would like to expressly point out that we do not sell your personal data to third parties. Furthermore, we do not disclose your data to third parties for the purpose of direct advertising or other forms of direct marketing, opinion polls or market studies, unless you have given your consent.

9. Is there an obligation for you to provide data?

When selecting one of our payment methods on the merchant's website, or when concluding a contract with us, you must provide the personal data that is necessary for us to decide on approving the payment method you have selected, for the establishment and performance of a contract, or that we are obliged to collect by law. Without this data, we will normally be unable to approve the method of payment you have selected or to conclude the agreement, or we will no longer be able to continue to perform a contract and may have to terminate it.

In particular, when concluding a contract, we are obliged under anti-money laundering regulations to verify your identity by means of your identity document before establishing the business relationship and, in the process, we must collect and record your name, place of birth, date of birth, nationality and your home address. To enable us to comply with this legal obligation, you are required to provide us with the necessary information and documents as specified under Section 4 Paragraph 6 of the German Money Laundering Act (Geldwäschegesetz) and to notify us immediately of any changes that arise during the course of the business relationship. If you do not provide us with the necessary information and documents, we will not be permitted to enter into or continue the business relationship you have requested.

10. How do we keep your data secure?

We use the latest technology to keep your information secure. This means that we use all necessary technical and administrative security measures to protect your information against unauthorised access, transfer, erasure or any other unauthorised processing. These security measures include state-of-the-art firewalls, encryption, use of secure IT areas, proper access control, providing instruction to personnel involved in the processing of your information, and the careful selection of sub-contractors. In addition, the right to access your information is restricted to AfterPay personnel who need to access your information as part of their work.

11. Changes to the privacy policy

We are constantly working on the further development of our services and therefore adapt this data protection declaration accordingly in the event of changes to the services. Changes may also result from a change in the applicable law.

12. Questions on data protection

You have the right, upon request and within a reasonable time, to request information about your data, to correct any inaccurate data relating to you or to inform us that you withdraw your consent to the storage of your personal data. We have a dedicated team of data protection specialists. If you have any questions about this privacy statement or data protection, please contact the APS Data Protection Officer at datenschutz@afterpay.de.