Privacy Policy

At Swipelocal (ABN 41 668 081 945), we are committed to protecting your privacy and handling personal information responsibly. As an Australian-based payment gateway provider, we help businesses accept online, in-store, and mobile payments securely and efficiently. This Privacy Policy explains how we collect, use, disclose, store, and protect personal information in connection with our website, our payment services (including PayTo, PayID, POS solutions, and risk management systems), and related offerings.

We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and other applicable Australian laws, such as the Payment Systems (Regulation) Act 1998 and PCI DSS standards. If you are a business (merchant) using our services, this policy applies to information about you and your customers. If you are an end-user (e.g., a customer making a payment via a merchant), it applies to any personal information we process on behalf of the merchant.

By using our services or website, you consent to the practices described in this policy. We may update this policy from time to time—check this page for the latest version. Significant changes will be notified via email or on our website.


1. Key definitions

  • Personal information has the meaning given in the Privacy Act (information or an opinion about an identified individual, or an individual who is reasonably identifiable), whether true or not, and whether recorded in a material form or not.
  • Sensitive information includes information such as health information, biometric templates, and information about racial or ethnic origin. Financial information (e.g., bank account or card details) is not treated as sensitive information under the Privacy Act, but we protect it to a high standard.
  • Credit-related information includes information we may obtain or create when assessing merchants for risk.

2. The Personal Information We Collect

We collect personal information that is reasonably necessary for our functions and activities. This includes "personal information" as defined under the Privacy Act (information about an identified or reasonably identifiable individual) and may include "sensitive information" (e.g., financial details or health data in rare cases).

2.1 Information about merchants (Business Users)

When you onboard, register, or use our services, we may collect:

  • Identity and contact: full name, business name, trading name, email, phone, address, date of birth (for KYC where applicable), role/title.
  • Business and financial: bank account details for settlements, billing details, corporate structure, beneficial ownership, director/officeholder details.
  • KYC/AML: government-issued ID, proof of address, beneficial ownership and control information, sanctions/PEP screening results, risk assessments, and information required by AUSTRAC rules.
  • Transaction and account: settlement records, chargebacks/disputes, support tickets, device and access logs to our portals/APIs.
  • Credit-related: see relevant section (only where relevant to onboarding or ongoing risk management).
  • Tax File Number (TFN) (if applicable): we only collect and handle TFNs in accordance with the Privacy Rule and only where legally required.

We ensure cookie usage complies with APP 7 (direct marketing) and APP 5 (notification of collection) under the Privacy Act 1988.

2.2 Information from End-Users (customers of our Merchants)

Through our gateway and merchant integrations, we may process (and in some cases store) end-user data on behalf of merchants, including:

  • Payment and contact: name, email, phone, billing and shipping addresses.
  • Payment instrument: card details via secure tokenisation (we do not store full PANs in clear text), bank account identifiers for PayTo/Direct Debit, PayID alias (where provided by the payer), and transaction authentication data (e.g., 3-D Secure results).
  • Transaction metadata: device information, IP address, geolocation (approximate), and risk signals used for fraud detection and anti-abuse.

2.3 Automatically Collected Information (all users)

When you visit our website or use our portals/APIs, we collect:

  • Log data: IP address, device identifiers, browser type/version, operating system, pages viewed, timestamps, and referrers.
  • Cookies and similar technologies: see relevant section.

3. How We Collect Information

We collect information:

  • Directly from you: forms (onboarding, contact, support), emails, phone calls, and in-person interactions.
  • Automatically: via our websites, portals, SDKs, and APIs (including telemetry necessary for security and availability).
  • From third parties: banks and payment schemes (for verification and settlements), identity verification providers, sanctions/PEP screening services, credit reporting bodies (see relevant section), service providers, and public sources.

If we receive unsolicited personal information, we will determine whether we could have collected it under APP 3. If not, we will destroy or de-identify it as soon as practicable.


4. Why We Collect, Use, and Disclose Information

We collect and handle personal information for purposes that are reasonably necessary for our functions and activities, including:

  • Providing the Services: processing payments; enabling settlements and refunds; POS and real-time payments (PayTo/PayID); subscription and invoicing features; merchant dashboard access.
  • Risk management and compliance: fraud detection and prevention; chargeback handling; AML/CTF compliance (including AUSTRAC reporting); scheme and network rule compliance (e.g., NPP rules for PayTo); sanctions screening and ongoing monitoring.
  • Operations and improvement: service provisioning and support; incident management; analytics to improve functionality, reliability, and security; developing new features (e.g., multi-currency support).
  • Marketing and communications: sending service notices and product updates; promoting features (you may opt out at any time). We comply with APP 7 and applicable spam laws.
  • Legal and security: complying with Australian law and law enforcement requests; exercising and defending legal rights; investigating misuse and protecting our users and the public.

We will notify you at, or as soon as practicable after, the time of collection about our identity and contact details, the purpose of collection, the types of information collected, any consequences of not providing information, and the persons or bodies to whom we usually disclose information.

Where practicable, you may interact with us anonymously or using a pseudonym (APP 2), for example when browsing our website or making general enquiries. However, we may be unable to provide some Services without certain information (e.g., to process payments or verify a merchant’s identity).


5. Disclosure of Personal Information

We may disclose personal information to the following recipients for the purposes above:

  • Service providers and partners: payment processors and acquiring banks; card and account-to-account schemes; identity verification and sanctions/PEP screening vendors; fraud and chargeback tools; hosting and cloud providers (e.g., Australian data centres); auditors and professional advisers. We require appropriate confidentiality and security commitments.
  • Merchants: in respect of their end-users’ transactions and risk assessment.
  • Financial institutions: to complete settlements, refunds and chargebacks, and for compliance/regulatory purposes.
  • Regulators and law enforcement: including AUSTRAC and other governmental authorities where required by law.
  • Corporate transactions: with acquirers or counterparties (and their advisers) in the context of a merger, acquisition, restructure, or asset sale, subject to appropriate safeguards.

We do not sell personal information.


6. Overseas Disclosure

We primarily store personal information in Australia. Some recipients (e.g., cloud, support, or specialised fraud vendors) may be located overseas, including [insert likely countries, e.g., United States and Singapore]. Where we disclose personal information to overseas recipients, we will take reasonable steps to ensure the recipient does not breach the APPs in relation to the information (for example, by contractually requiring APP-equivalent protections and security controls). Where appropriate, we will inform you and obtain consent if required by law.

Note: “Standard Contractual Clauses” are an EU/GDPR mechanism and are not determinative under Australian law. We rely on APP-compliant contractual and organisational measures.


7. Security of Personal Information (APP 11)

We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure, including:

  • PCI DSS-aligned controls; tokenisation of card data; 3-D Secure support where applicable.
  • Encryption in transit (TLS) and at rest; network segregation and firewalls; least-privilege access controls and MFA.
  • Secure software development practices, vulnerability management and regular security testing/audits.
  • Staff training, background checks for relevant roles, and logging/monitoring of access to systems.

No system can be guaranteed 100% secure. We maintain and test an eligible data breach response plan and will notify affected individuals and the OAIC as required under the Notifiable Data Breaches scheme.


8. Credit-related information (merchants only)

Where relevant to onboarding or ongoing risk management, we may handle credit-related information about merchant directors/beneficial owners and the business entity, including through credit reporting bodies (CRBs). We handle such information in accordance with Part IIIA of the Privacy Act and the Privacy (Credit Reporting) Code. Upon request, we can provide additional information about how we manage credit information, including the CRBs we use and how to access/correct or complain about credit reporting.


9. Data Quality and Retention (APP 10 & APP 11.2)

We take reasonable steps to ensure the personal information we collect, use and disclose is accurate, up-to-date, complete and relevant. We retain personal information only for as long as needed for the purposes described or as required by law. Typical retention periods include:

  • Transaction records and AML/CTF records: generally, 7 years from the date of the transaction or end of the business relationship (to meet legal, tax and AUSTRAC obligations).
  • Merchant account records: retained while the account is active and for a reasonable period afterwards (usually up to 12 months) for queries, disputes and auditing.

After these periods, we will take reasonable steps to de-identify or securely destroy personal information.


10. Cookies and online tracking

We use cookies and similar technologies to enable functionality, analytics, security, and (with consent) marketing. You can control cookies through your browser settings; however, some features may not function properly without essential cookies.

Types we use:

  • Essential (required for login, checkout, fraud prevention, and security).
  • Analytics (aggregated usage and performance insights).
  • Marketing (where consented).

For more detail, see our Cookie Policy.


11. Your Rights

Under the APPs, you have rights in relation to your personal information.

Access (APP 12)

You may request access to personal information we hold about you. Contact us using the details below. We will respond within a reasonable period (usually within 30 days). We may need to verify your identity and may charge a reasonable fee for access (e.g., for retrieval and copying), which we will disclose in advance. In limited cases, we may refuse access in accordance with the APPs and will provide written reasons.

Correction (APP 13)

If you believe information we hold about you is inaccurate, out-of-date, incomplete, irrelevant, or misleading, please contact us. We will take reasonable steps to correct it. Where appropriate, we will notify third parties to whom the information has been disclosed.

Marketing preferences (APP 7)

You can opt out of marketing communications at any time by using the unsubscribe link in our emails or by contacting us. Service and transactional communications will still be sent.

Complaints

If you have a privacy complaint, please contact us. We will acknowledge receipt and aim to respond within 30 days. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

End-users of merchants

If you made a payment to a merchant who uses our Services, please first contact that merchant. We can assist the merchant to address your request where we act on their behalf.


12. Automated decision-making and profiling

We use automated systems (e.g., risk scoring and fraud detection) to help protect our Services and users. These tools may consider signals such as device characteristics, IP address, transaction history, and behavioural patterns. Outcomes may include additional verification, temporary holds, or declined transactions. You may contact us if you have questions about these processes.


13. Third-party sites and services

Our website and portals may contain links to third-party sites or integrate with third-party services. We are not responsible for the privacy practices of those third parties. We recommend you review their privacy notices.


14. Changes to This Policy

We may update this policy to reflect changes in our practices or laws. Posted changes take effect immediately. We will notify you of material updates.


15. Contact Us

For questions, access requests, or complaints:

Privacy Officer

Swipelocal

Address: Suite 1238, Level 1, 241 Adelaide St, Brisbane QLD 4000 Australia

Email: [email protected]

Website: https://swipelocal.au

Note: You can contact the OAIC at oaic.gov.au if you are unable to resolve a complaint with us.


Changes to this policy (APP 1.4(g))

We may update this Privacy Policy to reflect changes in our practices or legal requirements. The updated version will be posted on our website with a new “Last updated” date and will take effect when posted. We will provide prominent notice of material changes (e.g., via email or dashboard banner).