Privacy Policy

Version 3
29 March 2019

PART 1 – PERSONAL AND CREDIT INFORMATION PRIVACY POLICY

Document Purpose

The purpose of this Privacy Policy (Policy) is to provide a summary of how, why and when personal information and credit related personal information (credit information) is collected, disclosed, used, stored and otherwise handled by Tyro Payments Limited (Tyro). The Policy relates to personal information and credit information collected by any means and by any technology. Tyro treats the handling of personal and credit information very seriously. To that end, Tyro has systems and procedures in place to protect privacy in relation to the handling of personal and credit information. Tyro abides by the Australian Privacy Principles and the European Union General Data Protection Regulation (GDPR) (where applicable) and its objective is to handle information responsibly. This Privacy Policy does not apply to employee records (being records relating to a current or former employment relationship between Tyro and the individual).

You have certain rights regarding the personal information we maintain about you. We offer you choices about what personal information we collect from you, how we use that information, and how we communicate with you, as set out below.

Collection of Personal Information

Tyro collects and holds information about you and your interactions with Tyro including when you apply for, enquire about or use Tyro’s products or services, participate in any of Tyro’s promotional activities, contact Tyro by any means or visit Tyro’s website.

When you use the Tyro App, Tyro eCommerce, interact with our advertisements or visit our website or other digital assets, we, and our service providers or partners may use cookies, pixel tags, web beacons or similar technology to enable us to collect, through a third party service provider, data about how you use Tyro’s website, the Tyro App and the Tyro eCommerce (Sites). This data may include personal information. For example, the types of information we may collect include which pages you visit, the time and date of your visit, the internet protocol address assigned to your computer, location information, information about the type of device and operating system you use, user name, name, email addresses, browser type, mobile device identifier, referring URLs and information on actions taken or interaction with our digital assets. This information will be considered personal information where we can link this information to your account or to an identifiable individual. We use this information to help us to improve our website, the Tyro App, the Tyro eCommerce and our services generally. We may also use this information to provide you with in-app or push notifications. For example, we may send you notifications within the Tyro App, the Tyro eCommerce or while you are on the Tyro website to assist you where you have had trouble with a particular item in the App or for marketing purposes.

For further information on “cookies” and “web beacons” refer to Part 4 of this Policy.

You may opt-out of having the data collected through your browser while on Tyro’s App or website automatically retained by visiting https://mixpanel.com/optout. If you get a new computer, install a new browser, erase or otherwise alter your browser’s cookie file (including upgrading certain browsers) this may clear the opt-out cookie.

We will handle any personal information collected by cookies, pixel tags or similar technology in the same way that we handle all other personal information as described in this Privacy Policy.

Tyro collects and holds information about your identity, contact details, identification information such as directorships, passport number, Australian citizenship certificate number, your gender and relationships with other people, tax residency status, your transaction information for any Tyro products you hold and other financial information which you provide to us or authorise us to access from third parties.

Collection of Credit Information

Tyro may collect, use, hold and disclose the following types of credit information:

  • Credit related identification information is information such as name, date of birth, current or previous address, name of current employer, drivers licence number, internet Protocol (IP) addresses and unique device identifiers (UDIDs).
  • Other credit related information is information such as type and amount of credit sought, publicly available information about an individual’s creditworthiness, default information, repayment history information, payment information in relation to overdue payments and personal insolvency information.

Tyro may undertake a credit check (or similar) through a credit reporting body in relation to an application made by you or to assess your eligibility for particular products and services. In this situation, Tyro may derive information about your eligibility to be provided with Tyro’s products and services from information about you contained in the credit check.

Purposes for collection

Tyro collects, holds, uses and discloses personal and credit information:

  • to establish your identity and assess applications for Tyro’s products and services;
  • to assess eligibility for any of Tyro’s products and services or particular features;
  • to conduct reference checks and background enquiries;
  • to design and price Tyro’s products and services;
  • to understand how you use Tyro’s products and to enhance your experience as well as to enhance Tyro’s features, products and services;
  • to conduct and enhance Tyro’s business;
  • to provide, administer and manage Tyro’s products and services including to provide all available features of our products and services, to process transactions, authenticate you when you access a Tyro product or service and provide customer support;
  • to provide and manage your Tyro App, Tyro eCommerce or other online platforms or accounts we provide;
  • to identify and control or minimise risks to Tyro’s products and services;
  • to enable us to monitor suspicious or fraudulent activity, including unauthorised transactions, in relation to Tyro’s products and services;
  • to manage Tyro’s relationship with you including contacting you in relation to Tyro’s products and services;
  • where required by law;
  • to enforce compliance with our terms and conditions;
  • to provide information to representatives and advisors, including lawyers and accountants, to help us comply with legal, accounting, or security requirements;
  • to validate your payment card information;
  • to communicate with you by email, phone, or SMS in connection with our products and services;
  • to assist third parties in the provision of products or services that you request from third parties;
  • to monitor the use of and improve our interactive assets, including the Tyro eCommerce;
  • to perform data analyses (including anonymization of personal information);
  • to comply with applicable legal requirements, industry standards and our policies or to comply with a request from a law enforcement authorities or other government officials;
  • to perform auditing, research and analysis in order to maintain, protect and improve our services;
  • where we believe it is necessary to protect our legal rights, interests and the interests of others, including in connection with legal claims, compliance, regulatory and audit functions, prevention of fraud, ensuring data security;
  • to provide Tyro’s FinTechHub services;
  • to provide you with further information about services and products we think may interest you;
  • to resolve complaints;
  • for direct marketing, promotional and lead generation activities;
  • to manage our risks and identify illegal activity;
  • to provide support services and answer your enquiries;
  • for any other purpose consented to by you; and
  • for any other purpose related to any of the above purposes, as permitted under the privacy legislation.

If you are an individual in the European Union (EU), we collect and process information about you only where we have a legal basis for doing so under the GDPR. The legal basis for processing your personal information will depend on the Tyro products or services you use and your relationship with Tyro (for example, whether you are a Tyro customer, you are a beneficial owner or controlling person of a Tyro customer or you receive products or services from a Tyro customer). We will only collect and use your personal information where one of the following legal bases apply:

  • it is required to provide you with the relevant Tyro products or services in accordance with our agreement with you;
  • it is necessary for the purposes of the legitimate interests of Tyro (which is not overridden by your data protection interests), including in connection with legal claims, compliance, regulatory and audit functions, prevention of fraud and ensuring data and system security;
  • you have given us consent to do so for a specific purpose; or
  • it is necessary for us to comply with our legal obligations.

If you are an individual in the EU and you have consented to our use of your personal information for a specific purpose, you have the right to withdraw your consent at any time, but this will not affect any processing that has already taken place.

Means of Collection and Holding of Information

Tyro collects the personal and credit information voluntarily provided by you through our application forms, via our website, over the phone, through the Tyro App, the Tyro eCommerce or from third parties who Tyro has a relationship with. Tyro may also collect credit information about you from credit reporting bodies or other credit providers, subject to any restrictions under the privacy  legislation.

Tyro may also collect information about you, including where you are not a customer of Tyro, but are associated to a customer or are a customer of a service provider of Tyro, from that customer, through fraud monitoring systems implemented by Tyro or from publicly available sources such as registers maintained by the Australian Securities and Investments Commission and ABN Lookup, social media or made available by third parties.

Generally, the personal information that Tyro may request from you is required to enable Tyro to enter into a contractual agreement with you, is a requirement under the terms of the contractual agreement with you or is required by Tyro to comply with its obligations under applicable laws, such as the Anti-Money Laundering and Terrorism-Financing Act 2006 (Cth).

You are not obliged to provide the personal information we request, however if you do not provide the personal or credit information requested by Tyro, Tyro may not be able to provide you (or the customer with which you are associated) with the requested products or services and we may not be able to provide you with information about our products and services.

Tyro holds personal and credit information in electronic and physical form in accordance with the ‘Security of Information’ section of this Policy.

Use and Disclosure of Information

Tyro will use and may disclose personal and credit information for any of the purposes set out above. People Tyro may disclose your information to for the above purposes include:

  • Tyro’s service providers, including service providers that assist us to operate, provide, improve, integrate, customise, support, monitor and market our products and services. We do not authorise these service providers to use or disclose such data except as necessary to perform certain services on our behalf or to comply with legal requirements. We use reasonable endeavours to contractually require these service providers to appropriately safeguard the privacy and security of personal information they process on our behalf;
  • providers of software that integrates with Tyro’s products and services;
  • our affiliates and other entities that assist with payment card fraud prevention;
  • merchants;
  • entities to whom Tyro outsources functions;
  • people acting on your behalf including guardians, agents, people holding a power of attorney and people you authorise us to share information with;
  • guarantors (where you have Tyro lending products);
  • other financial institutions;
  • employers or former employers;
  • any referees you nominate in connection with your application for Tyro products or services;
  • credit reporting bodies and credit providers;
  • Tyro’s representatives and advisors, including lawyers and accountants;
  • government or law enforcement entities.

We may share aggregated and de-identified information with participating financial institutions and their customers. For example, we may share data to show trends about the general use of our products and services.

We may work with third parties to provide additional products or services which may be offered to you. At the time these products or services are offered to you, you will be asked if you consent to share your personal information with such third parties for the purpose of providing such product or service, or for other purposes, such as marketing. If you agree with our sharing your personal information with such third party for such specific purpose, we then may share your personal information with such third party.

We also reserve the right to transfer personal information we hold about you in the event we sell or transfer all or a portion of our business or assets.  We may also disclose your personal information to potential acquirers in the event of a prospective sale or transfer.  Following such a sale or transfer, you may contact the entity to which we transferred your personal information with any inquiries concerning the processing of that information.

We also may share personal information otherwise with your consent.

In addition, we also may share aggregated or anonymised data with third parties for any lawful purpose.

Where you permit or enable a Tyro application, product or service to integrate with another application, product or service (or use a feature of Tyro’s products and services that requires such integration), Tyro will disclose your personal and financial information to the provider of the integrated service and collect your personal and financial information from the software provider (where relevant).

Where you become a Tyro customer, Tyro may disclose financial information relating to your Tyro EFTPOS Facility to third parties for the assessment of the third party’s credit risk where it is in the business of lending money to you or your business, the improvement of customer service and marketing purposes. It is the responsibility of the third party to comply with all applicable regulatory requirements in relation to the use of the relevant financial information.

Tyro may be required in some circumstances to disclose personal or credit information where:

  • required or authorised by law;
  • required in order to investigate an unlawful activity;
  • required by an enforcement body for investigative activities; or
  • necessary to prevent a serious threat to a person’s life, health or safety, or to public health or safety.

Tyro discloses personal information to overseas third parties located in the United States of America, Singapore and China for the purposes of providing our products, marketing and lead generation activities and obtaining product analytics to allow it to improve its products and services In addition, personal information may need to be transferred to service providers located in other overseas countries from time to time in order for Tyro to perform its functions or activities.

Some of the overseas third parties to whom we may disclose personal information may not have equivalent privacy and data protection laws to the country in which you reside and may not, in the case of individuals located in the EU, be subject to an adequacy decision of the European Commission that the third country ensures an adequate level of protection. Tyro will use reasonable endeavours to ensure that personal information will receive protection similar to that which it would have if the information were in Australia by implementing standard data protection obligations in its contractual agreements with these overseas service providers. For more information, please contact the Privacy Officer.

Tyro may disclose personal and credit information to an Australian-based office of a third party with offices located overseas (in addition to the Australian-based office), such as VISA, Mastercard and China Union Pay. This information may be disclosed to and used by the third party’s overseas offices, located predominantly in the United States. The disclosure and use of information between the third party’s Australian-based office and its overseas offices will be governed by that third party’s privacy policy.

If you register to use the BPAY Scheme, you agree to us disclosing to billers nominated by you and if necessary the entity operating the BPAY Scheme (BPAY Pty Ltd) or any other participant in the BPAY Scheme and any agent appointed by any of them from time to time, including Cardlink Services Limited, that provides the electronic systems needed to implement the BPAY Scheme the following information:

  • such of your personal information (for example your name, email address and the fact that you are our customer) as is necessary to facilitate your registration for or use of the BPAY Scheme;
  • such of your transactional information as is necessary to process your BPAY Your BPAY Payments information will be disclosed by BPAY Pty Ltd, through its agent, to the biller’s financial institution.

If any of your personal information changes, we may be required to disclose your updated personal information to other participants in the BPAY Scheme.

You can request access to your information held by BPAY Pty Ltd or its agent, Cardlink Services Limited by referring to the procedures set out in the privacy policy of the relevant entity.

Direct Marketing

From time to time Tyro may use personal information to send you information regarding Tyro’s services and products. If you do not wish to receive direct marketing information, you can contact the Privacy Officer using the contact details provided below or you can click the unsubscribe link within the marketing emails you receive from us and Tyro will take immediate steps to ensure that you do not receive any direct marketing information in future.

If you sign-up to receive information about the services of our partners, you may receive other communications from our partners. If you don’t wish to receive communications from our partners, please contact them directly to inform them of your preference.

Quality of Information

Tyro’s objective is to ensure that all information collected by Tyro is accurate, complete and up-to-date. If Tyro is unable to update its records following a request to do so it will notify you and provide its reasons in writing. Tyro will update records if notified that information is not accurate, complete or up-to-date. If you believe the information that Tyro holds about you is not accurate, please contact the Privacy Officer using the contact details provided below.

Security and Retention of Information

Tyro is committed to keeping information secure and will take all reasonable precautions to protect information from unauthorised access, interference, modification, disclosure, loss, misuse or alteration. Personal and credit information may be stored in hard copy documents or electronically on Tyro’s software or systems. Tyro maintains physical security over its paper and electronic data stores, such as locks and security systems. Tyro also maintains computer and network security using passwords to control and restrict access to authorised staff for approved purposes.

We restrict access to personal information about you to those employees who need to know that information to provide products or services to you. We maintain appropriate administrative, technical and physical safeguards to protect the personal information we have about you. We endeavour to take measures to destroy or permanently de-identify personal information when there is no longer a business need to keep the data. The types of measures we take vary with the type of information, and how it is collected and stored.

The period of time for which your information will be retained by Tyro will depend on the types of information we hold about you. Generally, your information will be retained for the period during which you have an ongoing relationship with Tyro and for a period of at least 7 years after this relationship ceases, or such other period of time as required under specific legislation relating to the type of information held (for example under the Anti-Money Laundering and Terrorism-Financing Act 2006 (Cth)).

Access to Information

Any individual or company may request access to the personal and credit information Tyro holds about them and seek correction of this information. An individual may also request confirmation from Tyro as to whether we are processing their personal information.

Requests should be made by phone on 1300 966 639 or +61 2 8907 1750 or in writing and addressed to the Privacy Officer at privacy@tyro.com. In some circumstances, Tyro may not be in a position to provide access or make a correction to the information held. If Tyro denies your request, it will provide its reasons in writing.

Tyro will respond to your request for access to your information within a reasonable time after you make the request and if access is granted, access will be provided within 30 days from your request. Tyro will, on request, provide you with access to your information or update or correct your information, unless an exception applies to us granting your request, for example if:

  • giving access would be unlawful;
  • we are required or authorised by law or a court/tribunal order to deny access;
  • giving access is likely to prejudice one or more enforcement related activities conducted by an enforcement body; or
  • the request is manifestly unfounded or excessive.

Where your request for access is accepted, Tyro will provide you with access to your information in a manner, as requested by you, providing it is reasonable to do so.

Your request for correction will be dealt with within 30 days, or such longer period as agreed by you.

Upon accepting a request for correction of your information, we will take all steps that are reasonable in the circumstances, having regard to the purpose for which your information is held, to correct your information.

If your request for correction of credit information is accepted Tyro will provide written notice of this correction to any entity to which we have disclosed this information previously, to the extent that this is practicable.

Features and Links to Other Websites

The Tyro website may contain links to websites maintained by third parties. Any personal information collected on the resulting website will not be controlled by Tyro or its service providers but will be subject to the privacy notice and terms of use of the resulting website. We strongly suggest that you review the Privacy Notice and terms of use of the resulting website.

Additional rights applying to EU Individuals

If you are an individual in the EU, you have the following additional rights:

  • Erasure of your personal information: You may request erasure of your personal information in certain circumstances. For example, if you believe your personal information is no longer necessary for the purpose which Tyro collected it or if you have withdrawn your consent for Tyro to process your personal information.
  • Restriction or objection to processing personal information: You may request Tyro to restrict or stop the processing of your personal information in certain circumstances. For example, if you believe the personal information we hold is not accurate, if you believe that the data has been unlawfully processed or if we are using your personal information for direct marketing activities.
  • Data portability: You may request Tyro to provide you with a copy of your personal information in a format that you can easily move or provide to another service provider. Your right to data portability applies to some, but not all, of your personal information.

Requests should be made by phone on 1300 966 639 or +61 2 8907 1750 or in writing and addressed to the Privacy Officer at privacy@tyro.com. Tyro may refuse your request, for example if we still have a legitimate business interest in keeping and continuing to process that personal information, if processing of your personal information is necessary to comply with a legal obligation, or if the request is manifestly unfounded or excessive (as applicable). If Tyro denies your request, it will provide its reasons in writing.

Change to this Policy

Tyro may change this Policy from time to time for any reason without prior notice to you to reflect changes in our personal information handling practices. The up to date version of this Policy is located on Tyro’s website, www.tyro.com. You will be notified of any changes to this policy by Tyro uploading an updated version to this website.

We will indicate in the Policy when it was most recently updated. Please check this Policy and our website periodically to ensure that you are aware of any changes or updates.

Complaints

Any complaints should be directed to the Privacy Officer in the first instance at privacy@tyro.com. If you believe Tyro has not adequately dealt with your complaint, you may complain to the Privacy Commissioner, details of which can be found at www.oaic.gov.au.

If you are an individual in the EU, you may lodge a complaint with your local data protection supervisory authority within the European Union if your complaint has not been adequately dealt with by Tyro.

We will review and respond to all complaints within a reasonable period of time. If you are not satisfied with our response, to the extent permitted by applicable law, you may take your complaint to the applicable regulator in your jurisdiction.

Privacy Officer Contact

To update your preferences, ask us to remove your data from our mailing lists or submit an access request for personal information collected through our website or our products or services, please contact the Privacy Officer as specified below. The right to access personal information may be limited in some circumstances by local law requirements.

When submitting a request to exercise your data protection rights, it must be done in writing and contain and/or enclose the following:

  • The name of the data owner and/or other means to communicate to the same our response to the request received;
  • The specific indication of the data protection right which you wish to exercise; and
  • A clear and precise description of the personal information for which the exercise of any data protection rights is pursued.

If you have any questions or comments about this Policy or if you would like us to update the data we have about you or your preferences, please contact the Privacy Officer using the details set out below.

To assist us in responding to your request, please provide us with information of your issue or concern and include as many details as possible.

Our Privacy Officer’s contact details are:

Phone: 1300 966 639 or +61 2 8907 1750
Email: privacy@tyro.com
Mail: Level 1, 155 Clarence Street Sydney NSW 2000

If you are an individual in the EU, please contact the Privacy Officer to obtain details of Tyro’s representative for the purposes of the GDPR.

 

PART 2 – CREDIT INFORMATION NOTIFIABLE MATTERS

In accordance with Tyro’s obligations under the Australian Privacy Act 1988 (Cth), Tyro sets out the following notifiable matters in relation to any of your personal or credit information disclosed by Tyro to a credit reporting body for the purposes of undertaking a credit check or disclosing payment default information in relation to commercial credit provided to you:

  1. Tyro only provides commercial credit and is therefore not subject to any obligations under the Australian Privacy Act 1988 (Cth) that apply only in relation to a credit provider that provides consumer credit.
  2. In connection with the provision of commercial credit, Tyro may disclose your personal and credit information to credit reporting bodies for the purposes of undertaking a credit check in relation to an application made by you or assessing your eligibility for Tyro products or disclosing payment default information or have committed a serious credit infringement, if that is the case. We may disclose information to or collect information from the following CRBs whose privacy policy and contact details are at:

Equifax Australia – www.equifax.com.au or 13 8332

illion – www.illion.com.au or 13 2333

  1. Equifax and illion may include any of your personal or credit information, disclosed to it by Tyro, in reports provided to other credit providers to assist other credit providers to assess your credit worthiness.
  2. Tyro’s policy about the management of personal and credit information is set out in Part 1 of this document. In accordance with Part 1 of this document, you may request to access or correct your personal or credit information and to make a complaint to Tyro.
  3. You have the right to make a request to Equifax and illion not to use or disclose your credit reporting information:
    1. for the purposes of pre-screening of direct marketing by a credit provider; or
    2. if you believe on reasonable grounds that you have been, or are likely to be, a victim of fraud.

 

PART 3 – TYRO ECOMMERCE SPECIFIC TERMS

This section applies to our merchants or other individuals (including customers of Tyro’s merchants) that use the Tyro eCommerce in addition to the other sections of this Policy.

In connection with the Tyro eCommerce, we may collect, use, hold and disclose personal information, in addition to that described above, from merchants participating in the Tyro eCommerce, and their respective service providers, developers and/or admins when an account is being created on behalf of a merchant as part of the enrolment process for the Tyro eCommerce. Such personal information includes, but is not limited to, first name, last name, tax ID, name, date of birth, phone number (landline and mobile), social security number, address, customer service phone number, government issued ID number (e.g., passport or national ID), bank account information (e.g., routing number, bank account number, IBAN, SWIFT, and SORT code), email address, username, password, and security questions. We may also collect other information about your business such as business address, business type, business start date, filing state, and bank name.

If you create a developer account in connection with the Tyro eCommerce, we collect personal information from you in order to operate your account.  Such personal information includes, but is not limited to, first name, last name, email (doubles as username), and password.

We may also process the personal information of individuals who make payments through the Tyro eCommerce on behalf of merchants.  There are obligations that apply to merchants with respect to personal information about individuals making payments to merchants through the Tyro eCommerce, which are described in our terms and conditions. Please make sure to read our terms and conditions carefully to make sure you understand how these obligations may apply to you and that you can comply.

Data transfers

The Tyro eCommerce is provided on a global platform. To offer our services, we may need to transfer your personal information among several countries, in addition to those set out above. We endeavour to comply with applicable legal requirements providing adequate safeguards for the transfer of personal information to countries outside of your local country.

 

PART 4 – COOKIES

A “cookie” is a text file placed on a computer’s hard drive by a web server. A cookie contains small amounts of information which is downloaded on your device’s memory and can subsequently be accessed by our web servers.

A “web beacon,” also known as an Internet tag, pixel tag or clear GIF, is used to transmit information back to a web server. A web beacon is an object embedded in and downloaded together with a webpage which provides information as to the viewing of that webpage.

We may use the following cookies:

Essential cookies – Some cookies are essential for the Site to function effectively and to offer you products and services. For example, essential cookies enable you to securely access and navigate within the Site and its functionalities or sign-in.

Essential cookies collect the following information: session ID (to remember your credentials in the course of your session), security token and other server affinity and authentication data (to establish and maintain communication with the most appropriate servers).

We use essential cookies for the duration of each session (session cookies). Session cookies are deleted when you log out of the Site or when you close your web browser. Session cookies are also used by us or our service providers to know whether our cookie consent notice has been viewed and to allow for the frequency capping of the cookie on-site notice (an on-site cookie notice at the bottom of the landing page that informs you that cookies are used on the Site and how to enable and disable them). In addition, we use session cookies to remember the choices you make on our Sites.

You may reject essential or session cookies by altering the cookie function of your browser. The “help” option of the toolbar on most browsers will tell you how to stop accepting new cookies, how to be notified when you receive a new cookie, and how to disable existing cookies. However, if you reject these cookies, you may not be able to use full or part of the Site, as these cookies are strictly necessary for the Site to operate.

Advertising cookies – Third party cookies are used for web advertising purposes, such as to understand your use of the Site and your online activities and to present you with relevant offers and advertisement tailored to your interests. You may see certain advertisement on other websites because we work with advertising partners to customise relevant content to you on third-party websites.

Advertising cookies collect the following information: unique identification assigned to your device; IP address, device and browser type, operating system, referring URLs, content viewed, products purchased, or other actions taken on the Site, time and date of those actions and country information.

Analytics cookies – Analytics cookies like Omniture cookies are used on the Site for website analytics purposes, such as creating anonymised reports and statistics on the performance of the Site. In addition, other third party cookies are used to manage and improve the performance of the Site. This includes performance cookies that help us understand the use of the Site and our products.

Analytics cookies help collect the following information: unique identification assigned to your device, IP address, device and browser type, operating system, referring URLs, time and date page was visited, information on actions taken in the course of using the Site and country information.