AfterPay Privacy Statement

1. About this Privacy statement

The protection of your privacy and GDPR compliance is of the utmost importance to us. This privacy statement explains what personal information we collect and process from you when you use our services and products (the "Services") and become a customer with us. For example, you use our Services whenever you pay using one of our AfterPay payment methods or contact us in connection with payment processing. It also informs you about your data protection rights and explains how you can exercise them.

A specific privacy statement applies to the use of our website, the AfterPay web portal ("AfterPay"), which will be displayed to you when you use the website or the web portal.

2. Data controller

The service AfterPay (payment after delivery of purchase) is provided by arvato Finance A/S, Østbanegade 55, 2. tv, DK-2100 København Ø, trading under the name AfterPay (hereinafter “AfterPay”, “we” or “us”). As the data controller within the meaning of EU Regulation 2016/679 (the "GDPR"), we are responsible for the storage and processing of your personal information that we collect from you as part of our services and for compliance with the law.

3. What personal information about you do we process?

We need to collect information about you in order for us to provide you with AfterPay’s services within the AfterPay environment. The type of information will depend on the service that you are using.

3.1 Information you share with us

You provide us with personal information when you use one of our services e.g. paying an order on a merchant's website using one of AfterPay's payment methods or contact us. Depending on which of our services you use, the following information may be affected:

3.2 Data collected by us when you use our services

When you use our services (such as when you place an order on a merchant's website and choose to use one of our AfterPay payment methods) or contact us as part of the payment process, we collect the following information about you (either directly from you or via third parties such as credit reference agencies and merchants):

Each time you visit our customer portal MyAfterPay data are automatically sent to our server. In addition, we collect the following data from you (hereinafter referred to as “Other Information”):

The information you share with us, as well as the information of goods/services and your financial information, is required to provide you with our services. The other information we collect is generally necessary to pursue other purposes, as outlined below.

4. For what purposes is your data used? How long do we store your data?

We use your data for the purposes mentioned below. Furthermore, you can see from the overview for how long your data is stored in each case.

AfterPay may process your information to:

| Segment | Purpose – what are we doing? | Legal Basis for the Processing | Automated Decision | Storage Duration |
|---|---|---|---|---|
| Credit Application, Payment Administration & Consumer Management | To assess which payment options to offer you, for example by carrying out external and internal credit checks | To fulfil our contractual obligation towards you (Article 6.1 b GDPR). We need the data to be able to enter into an agreement with you and for us to provide the services. | Yes | 3 years |
| Credit Application, Payment Administration & Consumer Management | To confirm your identity and verify your personal and contact details | To fulfil our contractual obligation towards you (Article 6.1 b GDPR). We need the data to be able to enter into an agreement with you and for us to provide the services. | No | 3 years |
| Credit Application, Payment Administration & Consumer Management | To administer your payment, the services you use and the customer relationship | To fulfil our contractual obligation towards you (Article 6 (1) b GDPR). We need the data to be able to enter into an agreement with you and for us to provide the services. | No | 5 years. Possibly 7 years according to accounting law and tax law. |
| General AfterPay Service | To administer AfterPay's services, and for internal operations | Safeguarding legitimate interest (Article 6.1 f GDPR). Our legitimate interest is to improve AfterPay services and operations to optimise communication with the customer and thus reduce unnecessary costs | No | 3 years |
| General AfterPay Service | To comply with applicable laws, such as anti-money laundering and book keeping laws. | Comply with a legal obligation (Article 6.1 c GDPR). The purposes of the processing include, but are not limited to, creditworthiness access, identity and age check, fraud and money laundering prevention, combating terrorist financing, and compliance with fiscal control and reporting requirements. | No | 7 years for book keeping. 5 years for anti-money laundering. |
| Identification, Risk & Fraud Management | To carry out external and internal checks which can include credit checks | Pursue legitimate interest (Article 6.1 f GDPR). Our legitimate interest is to protect us against solvency and fraud losses due to the fact that we are buying the receivables from the merchant. | No | 3 years |
| Identification, Risk & Fraud Management | To confirm your identity and verify your personal and contact details | Pursue legitimate interest (Article 6.1 f GDPR). Our legitimate interest is to protect us against solvency and fraud losses due to the fact that we are buying the receivables from the merchant. | No | 3 years |
| Identification, Risk & Fraud Management | To manage risk, prevent fraud and do risk analytics | Pursue legitimate interest (Article 6.1 f GDPR). Our legitimate interest is to protect us against solvency and fraud losses due to the fact that we are buying the receivables from the merchant. | No | 3 years |
| Identification, Risk & Fraud Management | To prevent misuse of AfterPay's services e.g. by improving credit risk and fraud models | Pursue legitimate interest (Article 6.1 f GDPR). Our legitimate interest is to have working and adequate models so we are able to protect us against solvency and fraud losses. | No | 3 years |
| Advertising and individual offers | To provide you with advertising and offers relating to our services by post, email, MMS, SMS or via the AfterPay App. | Safeguarding legitimate interests (Article 6. Paragraph 1 f) GDPR). Our legitimate interest lies in providing you with offers and advertising. | No | As long as an active business relationship exists and no justified objection has been raised |

For further information regarding the purposes of data processing listed above, please see the sections below.

4.1 Identification, risk and fraud management

As part of the ordering process on a merchant’s website, we use your contact details, information about goods/services, financial information and, if available, historical information and, if you have granted your consent, your access data in the interests of effective prevention of abuse, credit checking and payment method control (decision as to whether an AfterPay payment method will be offered to the respective user) as follows:

4.2 Customer communication

Your contact details may be used for customer communication (not advertising). For this purpose, you may, for example, be contacted in connection with customer service or our services, e.g. by sending invoices or reminders by e-mail or notifications about the AfterPay payment methods you use.

4.3. To meet legal requirements

We are subject to various legal requirements (e.g. Money Laundering Act, Act regarding certain businesses with consumer credits, Accounting Act and Tax Laws) as well as regulatory requirements of the national authorities and therefore process personal data for the purposes of creditworthiness checks, identity and age checks, fraud and money laundering prevention, combating the financing of terrorism as well as for the purposes of fulfilling tax control and reporting obligations.

4.4 Advertising and individual offers

We use your contact information to send you advertisements by post, email, MMS, SMS or via the AfterPay app about other AfterPay products, such as payment by instalments ("AfterPay Flex") or monthly billing. You will then receive advertising by email, MMS or SMS even without your express consent if we have received your email address or telephone number in connection with the use of our services and the products/services advertised by us are similar to those you have already used with us in the past. You can object to this use of your contact information for advertising purposes at any time by sending an email to persondata@afterpay.dk. This will not incur any additional costs for you, except for the transmission costs according to the base rates.

Furthermore, at the end of each e-mail, MMS or SMS, you will be given the opportunity to object to the further use of your e-mail address or telephone number by us for the aforementioned purpose (advertising of comparable goods and services) in the future.

5. Automated decision in individual cases including profiling

The decision on whether to grant one of our AfterPay payment methods in the ordering process (payment method control) and the fraud potential of possible orders is made automatically as part of the online ordering process.

Within the framework of the payment method control, information from the externally used credit agencies as well as any payment data you may already have is used. In the fraud prevention process, additional device tracking data may be used. On the basis of mathematical-statistical methods (in particular methods of logistic regression or other statistical, partially automated optimisation models), a forecast is created, in particular about payment probabilities and, if applicable, risks of fraud and abuse, using our existing payment information, both through comparisons with groups of people who exhibited similar payment behaviour in the past and through historical analyses of fraud patterns (in particular through extrapolation to our target groups).

If you are refused credit due to insufficient creditworthiness or due to a significant suspicion of fraud, the high-risk payment methods offered by us will not be offered to you as we bear the associated risk.

6. Transfer outside the EU/EEA

We use the cloud service "Microsoft Azure" from the provider Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (hereinafter: "Microsoft"); i.e. the data is processed in data centres at our processor Microsoft. In doing so, access to their data from a third country cannot be ruled out. With the exception of Fraud.net and Microsoft, we do not currently transfer your data to countries outside the EU / EEA. If we do transfer your data to companies outside the EU / EEA, we will ensure that your data is adequately protected and that appropriate safeguards are in place (e.g. EU standard contractual clauses and, where applicable, further measures based on the so-called Schrems2 ruling of the ECJ). You can request a copy of the protective measures we have implemented from our data protection officer at dataskydd.se@arvato.com.

7. What rights do you have in respect of your data?

Access: You can request a written copy of the information that we hold about you.

Rectification: We want to make sure that your personal information is accurate and up to date. You may ask us to rectify or remove information you think is inaccurate.

Erasure: You can request that we erase your information. We may not be able to erase your information straight away, for example if we still need it for providing you with our services. We are not permitted to erase information about you that the law requires us to keep.

Objection: You have the right to object to the processing of your information pursuant to Article 21 GDPR.

Restriction of processing: You have the right to restrict the processing of your data in accordance with Article 14 of the GDPR.

Withdrawing consent: Where the processing of your information is based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on your consent before its withdrawal.

Data Portability: If your personal data is processed by automated means for the fulfilment of our contractual relationship, you have the right to request that we provide you with personal data in a machine-readable format for transmission to another data controller.

Complaints: You can at any time lodge a complaint against us with the national supervisory authority - the Danish Data Protection Agency - https://www.datatilsynet.dk/borger/klage/saadan-klager-du.

If you wish to make a request regarding the above, please send us an email at persondata@afterpay.dk.

8. Who do we share your data with?

We may share your data with other companies in the AfterPay group (i.e. across countries) for the purposes set out in this statement to enable us to provide you with the best possible AfterPay service. If necessary, we also engage a third party as a service provider (order processor, e.g. data centres) within the scope of the purposes stated in this declaration. Service providers will only have access to your data to the extent and for the period necessary to provide the relevant service. We may provide the merchant from whom you made the purchase with the information they need to appropriately fulfil and manage your order. This information is subject to the privacy policy of the relevant retailer.

We may disclose your information to credit reference agencies and companies that carry out identity checks to verify your creditworthiness or to carry out a risk assessment if they wish to use one of our AfterPay payment methods, and to verify your identity and address details. Where we are legally obliged to do so, we disclose the necessary information to authorities such as the police or tax authorities. A statutory disclosure obligation exists, for example, in the case of measures against money laundering and terrorist financing. However, we only disclose to the competent authorities the data required on the basis of the current legal situation.

Should we disclose your data to these selected third parties, we will make all reasonably expected efforts in legal, technical and organisational terms to ensure that, when transferred or disclosed to said third parties, your data will be treated confidentially and adequately protected. We would like to expressly point out that we do not sell your personal data to third parties. Furthermore, we do not disclose your data to third parties for the purpose of direct advertising or other forms of direct marketing, opinion polls or market studies, unless you have given your consent.

9. Are you obligated to provide your data?

When selecting one of our payment methods on the merchant’s website or when concluding a contract with us you must provide those personal data that are necessary in order to make a decision on approving the payment method you have selected or for the justification and implementation of a contract or such data which we are obliged to collect by law. Without these data, we will normally be unable to approve the method of payment you have selected or the conclusion of the agreement, or we will no longer be able to continue to implement a contract and may have to terminate it.

In particular, when concluding a contract, we are obliged under anti-money laundering regulations to confirm your identity through your personal ID card before justifying the business relationship and, in the process, we must collect and record your name, place of birth, date of birth, nationality and your home address. To enable us to comply with this legal obligation, you are required to provide us with the necessary information and documents as specified under Section 5 Paragraph 3 of the Swedish Prevention of Money Laundering Act and to immediately notify us of any changes that arise during the course of the business relationship. If you do not provide us with the necessary information and documents, we will not be permitted to enter into or continue the business relationship you have requested.

10. How do we keep your data secure?

We use the latest technology to keep your information secure. This means that we use all necessary technical and administrative security measures to protect your information against unauthorised access, transfer, erasure or any other unauthorised processing. These security measures include state-of-the-art firewalls, encryption, use of secure IT areas, proper access control, providing instruction to personnel involved in the processing of your information, and the careful selection of sub-contractors. In addition, the right to access your information is restricted to AfterPay personnel who need to access your information as part of their work.

11. Changes to the privacy statement

We are continuously developing our websites and reserve the right to change this Data Privacy Statement by announcing changes here. Changes may also be based on amendments made to applicable legislation. We recommend reviewing the Data Privacy Statement content on a regular basis.

12. Questions related to data protection

We have a dedicated team of data protection specialists. If you have any questions about this Data Privacy Statement or data protection, please address them to the local Data Protection Officer persondata@afterpay.dk.