AfterPay Privacy Statement

Last version 31.08.2021

Version 2

1. About this Privacy Statement

The protection of your privacy is of the utmost importance to us. This Notice explains what personal information we collect and process from you when you use our services and products (the "Services") and become a customer with us. For example, you use our Services whenever you pay using one of our AfterPay payment methods or contact us in connection with payment processing. It also informs you about your data protection rights and explains how you can exercise them.

Specific privacy notices apply to the use of our website, the AfterPay web portal ("MyAfterPay") and our mobile application (the "AfterPay App"), which will be displayed to you when you use the website, the web portal or the AfterPay App.

2. Person responsible for data protection

Our services, e.g. the use of one of our AfterPay payment methods, are offered to you by Arvato Finance B.V., K.R. Poststraat 66, 8441ER Heerenveen (hereinafter: "AfterPay", "we", "us"). As the data controller within the meaning of EU Regulation 2016/679 (the "GDPR"), we are responsible for the storage and processing of your personal information that we collect from you as part of our services and for compliance with the law.

3. What personal information about you do we process?

3.1 Information you share with us

You provide us with personal information when you use one of our services (e.g. when paying for an order on a merchant's website using one of AfterPay's payment methods) or when you contact us. Depending on which of our services you use, the following information may be affected:

3.2 Data collected by us when you use our services

When you use our services (such as when you place an order on a merchant's website and choose to use one of our AfterPay payment methods) or contact us as part of the payment process, we collect the following information about you (either directly from you or via third parties such as credit reference agencies and merchants):

4. For what purposes is your data used? How long do we store your data?

We use your data for the purposes mentioned below. Furthermore, you can see from the overview for how long your data is stored in each case.

| Area | Purpose | Legal base for data processing | Automated decision | Storage period |
| --- | --- | --- | --- | --- |
| Identification, risk & fraud management | To assess whether we can offer you our AfterPay payment methods | Consent (Article 6 para.1 a GDPR). Safeguarding legitimate interests (Article 6 para. 1 f GDPR). As we purchase the merchant’s receivable, we have a legitimate interest in protecting ourselves against losses due to lack of solvency or due to fraud. | Yes | 2 years |
| Identification, risk & fraud management | To be able to identify you uniquely | Compliance with a legal obligation (Article 6 Paragraph 1(c) GDPR) | No | 2 years |
| Identification, risk & fraud management | To be able to carry out appropriate risk management or fraud prevention | Safeguarding legitimate interests (Article 6 Paragraph 1(f) GDPR). Our legitimate interest is to protect ourselves against solvency and fraud losses due to the fact that we are buying the receivables from the merchant. Consent, if required under the applicable law (Article 6 Paragraph 1(a) GDPR) | Yes | 2 years |
| Identification, risk & fraud management | To be able to obtain information from credit agencies for the purpose of assessing creditworthiness. | Safeguarding legitimate interests (Article 6 Paragraph 1(f) GDPR). We have the legitimate interest to also take external data into account when deciding whether to grant our AfterPay payment methods if internal data alone is not sufficient to make an assessment of the credit risk. | Yes | 2 years |
| Identification, risk & fraud management | To be able to prevent misuse of the use of one of our AfterPay payment methods (e.g. by improving credit risk and fraud models). | Compliance with a legal obligation (Article 6 Paragraph 1(c) GDPR). Safeguarding legitimate interests (Article 6 Paragraph 1(f) GDPR). Our legitimate interest is to protect ourselves against solvency and fraud losses due to the fact that we are buying the receivables from the merchant. | No | 2 years |
| Payment administration & customer management | To be able to manage your payments and communicate with you. | Compliance with a contractual obligation (Article 6 Paragraph 1 (b) GDPR). | No | 7 years |
| Payment administration & customer management | To be able to manage and improve the services. | Safeguarding legitimate interests (Article 6 Paragraph 1(f) GDPR). Our legitimate interest is to further improve our services and operations to optimise communication with the customer and thus reduce unnecessary costs. | No | 7 years |
| Compliance with legal requirements | To be able to meet legal requirements, such as the anti-money laundering and bookkeeping laws and regulatory capital adequacy requirements. | Compliance with a legal obligation (Article 6 Paragraph 1(c) GDPR) | No | 7 years |
| Advertising and individual offers | To provide you with advertising and offers relating to our services by post, email, MMS, SMS or via the AfterPay App. | Safeguarding legitimate interests (Article 6. Paragraph 1 f) GDPR) and, in the case of email, SMS and MMS, additionally Section 7 para. 3 UWG. Our legitimate interest lies in providing you with offers and advertising. | No | As long as an active business relationship exists and no justified objection has been raised |

For more information on the purposes of data processing listed above, please see the sections below.

4.1 Identification, risk and fraud management

As part of the ordering process on a merchant’s website, we use your contact details, information about goods/services, financial information and, if available, historical information and, if you have granted your consent, your access data in the interests of effective prevention of abuse, credit checking and payment method control (decision as to whether an AfterPay payment method will be offered to the respective user) as follows:

4.1.1 Within the framework of the balancing of interests (Article 6 I f GDPR)

Once you have selected one of our payment methods as part of the ordering process on the merchant’s website, the merchant sends us your contact details (name, address, date of birth (if necessary), email address) and information about goods/services so that we can decide whether we can offer you this payment method (passive payment method control).

For this purpose, we send your name, address and, if necessary, your date of birth via informa solutions GmbH, Rheinstr. 99, 76532 Baden-Baden, Germany, to Experian Nederland B.V., Verheeskade 25, 2521 BP Den Haag (hereinafter referred to as “Experian”), for the credit check to be carried out. Taking into account, among other things, address data and past payment experiences, Experian produces a forecast of payment probabilities (score), in particular on the basis of mathematical-statistical processes (in particular logistic regression and comparisons with groups of persons with similar payment behaviour in the past), and provides this score to us. Based on the information about goods/services, the score provided by Experian, your contact details (name, address and, if applicable, date of birth) and the information we have about your previous payment behaviour, we make a balanced decision as to whether we can offer you the selected payment option. The legal bases for these investigations are Article 6 Paragraph 1 b) and Article 6 Paragraph 1 f) GDPR. Before offering one of our payment methods, which all involve a credit risk, our legitimate interest is to assess as accurately as possible whether you will meet the payment commitments that you will have entered into with us. The legitimate interest of the merchant is to be able to offer you high-risk payment methods as well, such as open invoice. In addition, we use Fraud.net Inc., 330 7th Avenue, New York City, NY 10001, USA, as another processor for fraud prevention and detection. The data is stored in the EU; however, access to this data is provided by Fraud.net from the USA. We have concluded standard contractual clauses with Fraud.net, published by the EU Commission, to ensure an adequate level of data protection in the EU.

The legal basis for these transfers is Article 6 Paragraph 1 b) and Article 6 Paragraph 1 f) of the GDPR. Our legitimate interest is to be able to assess as well as possible whether you will meet the payment obligations entered into before granting one of our payment methods, which all entail a credit risk. The merchant's legitimate interest is to also be able to offer you risky payment methods, such as open invoice.

Furthermore, in order to avoid any incorrect deliveries and payment defaults, the address data that you have specified shall be verified by means of an address check based on Article 6 Paragraph 1 f) GDPR and sent to Experian for this purpose. The data required for credit and address checking and for payment method control shall be sent via a secure interface. Any sensitive personal concerns that you have will of course be taken into account as stipulated by law.

You can find more detailed information about Experian as defined by Article 14 of the GDPR, i.e. information about the business purpose, about the purpose of data storage, on the data recipients, on the right to find out what details are held about you, a right to erasure or rectification, etc. in the annex to this document or by clicking on the following link: http://www.experian.nl/over-experian/over-uw-registratie.html.

4.1.2 Based on your consent (Article 6 I a) GDPR)

Consent to abuse prevention and detection measures

If you have indicated your consent to fraud prevention and detection of misuse as part of the ordering process on the merchant’s website, you are consenting that,

  1. your data for the execution of the contract (e.g. purchase object, name, postal address, e-mail address, delivery address, payment method and bank details) and
  2. your device data used when visiting the websites (e.g. screen resolution, operating system version, browser language, anonymized, i.e. shortened, IP address) and an anonymized device ID based on this information (which may optionally be cached by a cookie, if permitted by you), on the basis of which further visits can be recognized with a certain probability,

are transmitted from the online shop to us for purposes of fraud prevention and misuse recognition. We use this data to automatically check for any evidence of online fraud or other misuse of the online store (for example, in the form of ordering goods / services in the online shop by taking over your user account, the automated creation of fake user accounts by bots, the use of stolen identities or payment data). Insofar as there is concrete evidence of online fraud or other misuse of the online shop, we and the online shop reserve the right to interrupt the relevant order process or to offer any of the AfterPay payment methods. The fraud prevention measures also help protect your user account against fraud and misuse of your information.

You hereby confirm that you are authorised to grant this consent in respect of all devices used by you during your visit to this online shop and that you shall inform any third parties to whom you make your devices available of said consent and shall ensure that they are also in agreement with the measures described above, otherwise they may not visit this online shop with your device.

The provision of personal data is required in order to conclude any contract. Should this not be provided, the online shop reserves the right to stop the purchase process.

You can revoke the above-mentioned consents at any time, with effect for the future, by sending an informal letter to privacy@afterpay.nl.

4.2 Customer communication

Your contact details may be used for customer communication (not advertising). For this purpose, you may, for example, be contacted in connection with customer service or our services, e.g. by sending invoices or reminders by e-mail or notifications about the AfterPay payment methods you use.

4.3 To meet legal requirements

We are subject to various legal requirements (e.g. Money Laundering Act, Banking Act, tax laws) as well as regulatory requirements (e.g. of the Federal Financial Supervisory Authority) and therefore process personal data for the purposes of creditworthiness checks, identity and age checks, fraud and money laundering prevention, combating the financing of terrorism as well as for the purposes of fulfilling tax control and reporting obligations.

4.4 Advertising and individual offers

We use your contact information to send you advertisements by post, email, MMS, SMS or via the AfterPay app about other AfterPay products, such as payment by instalments ("AfterPay Flex"). You will then receive advertising by email, MMS or SMS even without your express consent if we have received your email address or telephone number in connection with the use of our services and the products/services advertised by us are similar to those you have already used with us in the past. You can object to this use of your contact information for advertising purposes at any time by sending an email to privacy@afterpay.nl. This will not incur any additional costs for you, except for the transmission costs according to the base rates.

Furthermore, at the end of each e-mail, MMS or SMS, you will be given the opportunity to object to the further use of your e-mail address or telephone number by us for the aforementioned purpose (advertising of comparable goods and services) in the future.

5. Automated decision in individual cases including profiling

The decision on whether to grant one of our AfterPay payment methods in the ordering process (payment method control) and the fraud potential of possible orders is made automatically as part of the online ordering process.

Within the framework of the payment method control, information from the externally used credit agencies as well as any payment data you may already have is used (see 4.1.1.). In the fraud prevention process, additional device tracking data may be used (see 4.1.2.). On the basis of mathematical-statistical methods (in particular methods of logistic regression or other statistical, partially automated optimisation models), a forecast is created, in particular about payment probabilities and, if applicable, risks of fraud and abuse, using our existing payment information, both through comparisons with groups of people who exhibited similar payment behaviour in the past and through historical analyses of fraud patterns (in particular through extrapolation to our target groups).

If you are refused credit due to insufficient creditworthiness or due to a significant suspicion of fraud, the high-risk payment methods offered by us will not be offered to you as we bear the associated risk.

6. Transfer outside the EU/EEA

We use the cloud service "Microsoft Azure" from the provider Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (hereinafter: "Microsoft"); i.e. the data is processed in data centres at our processor Microsoft. In doing so, access to their data from a third country cannot be ruled out. With the exception of Fraud.net and Microsoft, we do not currently transfer your data to countries outside the EU / EEA. If we do transfer your data to companies outside the EU / EEA, we will ensure that your data is adequately protected and that appropriate safeguards are in place (e.g. EU standard contractual clauses and, where applicable, further measures based on the so-called Schrems2 ruling of the ECJ). You can request a copy of the protective measures we have implemented from our data protection officer at privacy@afterpay.nl.

7. What rights do you have in respect of your data?

Access: You can request a written copy of the information that we hold about you.

Rectification: We want to make sure that your personal information is accurate and up to date. You may ask us to rectify or remove information you think is inaccurate.

Erasure: You can request that we erase your information. We may not be able to erase your information straight away, for example if we still need it for providing you with our services. We are not permitted to erase information about you that the law requires us to keep.

Objection: You have the right to object to the processing of your information pursuant to Article 21 GDPR.

Restriction of processing: You have the right to restrict the processing of your data in accordance with Article 14 of the GDPR.

Withdrawing consent: Where the processing of your information is based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on your consent before its withdrawal.

Data portability: If your personal data is processed by automated means for the fulfilment of our contractual relationship, you have the right to request that we provide you with personal data in a machine-readable format for transmission to another data controller.

Complaints: You can file a complaint at any time with us via privacy@afterpay.nl or with your local data protection authority via https://autoriteitpersoonsgegevens.nl/.

8. Who do we share your data with?

We may share your data with other companies in the AfterPay group (i.e. across countries) for the purposes set out in this statement to enable us to provide you with the best possible AfterPay service. If necessary, we also engage a third party as a service provider (order processor, e.g. data centres) within the scope of the purposes stated in this declaration. Service providers will only have access to your data to the extent and for the period necessary to provide the relevant service. We may provide the merchant from whom you made the purchase with the information they need to appropriately fulfil and manage your order. This information is subject to the privacy policy of the relevant retailer.

We may disclose your information to credit reference agencies and companies that carry out identity checks to verify your creditworthiness or to carry out a risk assessment if you wish to use one of our AfterPay payment methods, and to verify your identity and address details. Where we are legally obliged to do so, we disclose the necessary information to authorities such as the police or tax authorities. A statutory disclosure obligation exists, for example, in the case of measures against money laundering and terrorist financing. However, we only disclose to the competent authorities the data required on the basis of the current legal situation.

Should we disclose your data to these selected third parties, we will make all reasonably expected efforts in legal, technical and organisational terms to ensure that, when transferred or disclosed to said third parties, your data will be treated confidentially and adequately protected. We would like to expressly point out that we do not sell your personal data to third parties. Furthermore, we do not disclose your data to third parties for the purpose of direct advertising or other forms of direct marketing, opinion polls or market studies, unless you have given your consent.

9. Is there an obligation for you to provide data?

When selecting one of our payment methods on the merchant’s website or when concluding a contract with us, you must provide those personal data that are necessary in order to make a decision on approving the payment method you have selected or for the establishment and implementation of a contract, or such data which we are obliged to collect by law. Without these data, we will normally be unable to approve the method of payment you have selected or the conclusion of the agreement, or we will no longer be able to continue to implement a contract and may have to terminate it.

In particular, when concluding a contract, we are obliged under anti-money laundering regulations to confirm your identity through your personal ID card before establishing the business relationship and, in the process, we must collect and record your name, place of birth, date of birth, nationality and your home address. To enable us to comply with this legal obligation, you are required to provide us with the necessary information and documents as specified under Section 2, Paragraph 1 of the Dutch Anti-Money Laundering Law (Wet ter voorkoming van Witwassen en Financiering Terrorisme) and to immediately notify us of any changes that arise during the course of the business relationship. If you do not provide us with the necessary information and documents, we will not be permitted to enter into or continue the business relationship you have requested.

10. How do we keep your data secure?

We use the latest technology to keep your information secure. This means that we use all necessary technical and administrative security measures to protect your information against unauthorised access, transfer, erasure or any other unauthorised processing. These security measures include state-of-the-art firewalls, encryption, use of secure IT areas, proper access control, providing instruction to personnel involved in the processing of your information, and the careful selection of sub-contractors. In addition, the right to access your information is restricted to AfterPay personnel who need to access your information as part of their work.

11. Changes to the privacy policy

We are constantly working on the further development of our services and therefore adapt this data protection declaration accordingly in the event of changes to the services. Changes may also result from a change in the applicable law.

12. Questions on data protection

You have the right, upon request and within a reasonable time, to request information about your data, to correct any inaccurate data relating to you or to inform us that you withdraw your consent to the storage of your personal data. We have a dedicated team of data protection specialists. If you have any questions about this privacy statement or data protection, please contact one of the Data Protection Officers, S. Joustra or M. Lassche, via privacy@afterpay.nl.