1. About this statement
The protection of your privacy is of the utmost importance to us. This statement explains what information we collect about you in order for us to provide you with our services within the “AfterPay Environment” containing of the CheckOut services, AfterPay websites and our customer portal MyAfterPay, and how we use this information. It also informs you about your data protection rights and how to exercise them.
2. Data controller
The service AfterPay (payment after delivery of purchase) is provided by Gothia Oy, 1730113-3, PO Box 414, 00101 Helsinki trading under the name AfterPay (hereinafter “AfterPay”, “we”, “us”). As data controller, we are responsible for processing your information that we collect through our websites and services.
3.What information do we collect about you?
We need to collect information about you in order for us to provide you with AfterPay’s services within the AfterPay Environment. The type of information will depend on the service that you are using
3.1 Information you give us
You provide us with information about you when you:
- Place an order on a merchant´s site,
- Choose to pay with one of AfterPay´s payment methods in the CheckOut,
- Use our customer portal MyAfterPay or any other service whitin the AfterPay Environment where you submit information about you, or
- Otherwise, share your information with us, directly or indirectly.
This information will comprise of the following information:
- Personal and contact information - name, e-mail address, postal address date of birth, phone number, etc.
- Payment information – invoice information, bank account number, etc.
3.2 Information we collect when you use our services
When you use our services within the AfterPay Environment (such as when you place an order on a merchant´s site, choose to pay with one of our payment options in CheckOut or use our customer portal MyAfterPay, we may collect the following information on you:
- Information on goods/services - details about the items you ordered (e.g. order value, product group, value of goods, and, if applicable, method of request and type of delivery)
- Financial information - your income, potential credit commitments, negative payment remarks
- Historical information - your purchase, payment and credit acceptance history
- IP address
- Date and time when you visited the AfterPay Environment and the duration of your visit. Website from which you came to the AfterPay Environment.
- Device IDs, such as terminal device model and individual device and/or cookie ID, and other information about your device (e.g. browser, language, time zone settings, operating system, platform and screen resolution).
- Channel of data collection: web browser, mobile browser, application and browser version
- Geographical information – your geographical location
Each time you visit our customer portal MyAfterPay data are automatically sent to our server. In addition, we collect the following data from you (hereinafter referred to as “Other Information”):
- Log-in data
- Website from which you came to the AfterPay Environment
The information you share with us, as well as the information of goods/services and your financial information, is required to provide you with our services. The other information we collect is generally necessary to pursue other purposes, as outlined below.
4. Why do we process your information? How long do we store your information?
We use your information for the purposes specified below. Further, you can find the period for which your information will be stored in the table below.
AfterPay may process your information to:
|Segment||Purpose – what are we doing?||Legal Basis for the Processing||Automated Decision||Storage Duration|
|Credit Application, Payment Administration & Consumer Management||To assess which payment options to offer you, for example by carrying out external and internal credit checks||To fulfil our contractual obligation towards you (Article 6 (1) b GDPR). We need the data to be able to enter into an agreement with you and for us to provide the services.||Yes||5 years|
|To confirm your identity and verify your personal and contact details||To fulfil our contractual obligation towards you (Article 6.1 b GDPR). We need the data to be able to enter into an agreement with you and for us to provide the services.||Yes||5 years|
|To administer your payment, the services you use and the customer relationship||To fulfil our contractual obligation towards you (Article 6 (1) b GDPR). We need the data to be able to enter into an agreement with you and for us to provide the services.||No||5 years|
|General AfterPay Service||To administer AfterPay´s services, and for internal operations||Safeguarding legitimate interest (Article 6.1 f GDPR). Our legitimate interest is to improve AfterPay services and operations to optimise communication with the customer and thus reduce unnecessary costs||No||5 years|
|To comply with applicable laws, such as anti-money laundering and book keeping laws.||Comply with a legal obligation(Article 6 (1) c GDPR). The processing include, but are not limited to compliance with money laundering prevention, combating terrorist financing, and compliance with fiscal control and reporting requirements.||No||7 year for book keeping|
5 year for anti-money laundering
|Identification, Risk & Fraud Management||To carry out external and internal checks which can include credit checks||Pursue legitimate interest (Article 6.1 f GDPR). Our legitimate interest is to protect us against solvency and fraud losses due to the fact that we are buying the receivables from the merchant.||No||5 years|
|To confirm your identity and verify your personal and contact details||Pursue legitimate interest (Article 6.1 f GDPR). Our legitimate interest is to protect us against solvency and fraud losses due to the fact that we are buying the receivables from the merchant.||No||5 years|
|To manage risk, prevent fraud and do risk analytics||Pursue legitimate interest (Article 6.1 f GDPR). Our legitimate interest is to protect us against solvency and fraud losses due to the fact that we are buying the receivables from the merchant.||No||5 years|
|To prevent misuse of AfterPay´s services e.g. by improving credit risk and fraud models||Pursue legitimate interest (Article 6 (1) f GDPR). Our legitimate interest is to have working and adequate models so we are able to protect us against solvency and fraud losses.||No||5 years|
4.1 Automated decision
The decision on your creditworthiness, your identity and contact information and granting of one of our payment methods to you is done in the online ordering process. The credit decision is based information from externally used credit agencies as well as any payment and financial data that may already be available.
The credit-related decision uses information from externally used credit agencies as well as any payment data that may already be available. In case of insufficient creditworthiness or because of a considerable suspicion of fraud, then certain payment types offered by AfterPay are not offered to you.
4.2 Developing services within the AfterPay Environment
Your information may be used in the provision of services in the AfterPay Environment, for user identification and for making services within the AfterPay Environment more personal, interactive and user-friendly. It may also be used in responding to your requests and questions, implementing any choices you make and performing other similar tasks, ensuring data security and preventing the misuse of the AfterPay Environment.
4.3 Customer communications
Your information may be used for customer communications, such as sending you notifications concerning our services and contacting you on matters related to customer service or our services.
5. Transfers outside the EU/EEA
As a rule, we do not transfer your information outside the EU or EEA. If we do transfer your information outside the EU or EEA, we ensure that your information is protected by an adequate level of protection or appropriate safeguards. Such safeguards may be, for example, contractually agreeing on the confidentiality of your information and matters related to processing in accordance with applicable law, such as by using model contract clauses approved by the European Commission and otherwise in a manner ensuring that your information is processed in full accordance with this statement. You can obtain a copy of the safeguards implemented by us from our local Data Protection Officer. His contact details are set out in Section 13 of this Privacy Statement.
6. Which rights do you have?
Access: You can request a copy of the information that we hold about you.
Correction: We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate.
Erasure: You can request that we erase your information. We may not be able to delete your information right away, for example when we still need it for providing you with our services. We are not allowed to erase information about you that the law requires us to keep.
Restriction of processing: You may have the right to restriction of processing pursuant to Article 18 GDPR.
Objection: You have the right to object to processing of your information pursuant to Article 21 GDPR.
Withdrawing consent: Where the processing of your information is based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on the consent before its withdrawal.
Data Portability: If your personal data is processed by automated means for the fulfilment of our contractual relationship, you have the right to request that we provide you with personal data on a machine-readable format for transmission to another data controller.
Complaints: i>You can lodge a complaint with us or your local data protection authority at any time
Tietosuojavaltuutetun toimisto, PO Box 800, 00521 Helsinki, firstname.lastname@example.org
If you have a request send us an e-mail to email@example.com.
7. Who do we share your information with?
We may transfer to or share your information with selected third parties, as follows:
- We may share your information with other companies within the Arvato Financial Solutions group so that we can offer you an optimum AfterPay service. If necessary, we may commission a third party service provider (order processor, e.g. data centres) for the purposes outlined in this Privacy Statement. Service providers only have access to your data to the extent and for the period of time necessary to perform the respective service.
- We may transfer your information to suppliers and subcontractors for the performance of our contractual obligations with you and for our purposes described in this Privacy Statement.
- We may share your information with credit reference agencies and providers of identity lookups for the purposes of assessing your credit score and risk assessment upon applying for one of our payment methods, and for confirming your identity and address information.
The credit reference agencies and PEP and Sanctionlist screening company we are using are listed here: Bisnode Finland Oy, Suomen Asiakastieto Oy, CM1 Softtronic AB.
- We may disclose necessary information to authorities such as the police, tax agencies or other authorities if law requires us. An example of legally required disclosure is for purposes of anti-money laundry and counter-terrorist financing.
However, we may disclose your information when demanded by competent authorities or other agencies in a manner based on currently valid legislation.
If we share your information with such selected third parties, we take all reasonable legal, technical, and organisational measures to ensure that your data is treated securely and with an adequate level of protection when transferred to or shared with such selected third parties.
Please note that we will not sell your personal details to third parties. In addition, we do not disclose your information to any third parties for direct advertising, distance selling or other forms of direct marketing, opinion polls or market surveys, unless you have given us your consent to do so.
8. Are you obligated to provide your data?
When selecting one of our payments methods on the merchant’s website or when concluding a contract with us you must provide those personal data that are necessary in order to make a decision on approving the payment method you have selected or for the justification and implementation of a contract or such data which we are obliged to collect by law. Without these data, we will normally be unable to approve the method of payment you have selected or the conclusion of the agreement, or we will no longer be able to continue to implement a contract and may have to terminate it.
If you do not provide us with the necessary information and documents, we will not be permitted to enter into or continue the business relationship you have requested.
9. How do we keep your data secure?
We use the latest technology to keep your information secure. This means that we use all necessary technical and administrative security measures to protect your information against unauthorised access, transfer, destruction or any other unauthorised processing. These security measures include state-of-the-art firewalls, encryption, use of secure IT areas, proper access control, providing instruction to personnel involved with the processing of your information, and the careful selection of subcontractors. In addition, the right to access your information is restricted to AfterPay personnel who need to access your information to in their work.
10. Other websites
Our websites may link to other websites. We are not responsible for the privacy policies of or content on these websites. We recommend that you read the privacy policies, terms and conditions of these websites carefully before using them.
12. Changes to the Data Privacy Statement
We are continuously developing our websites and reserve the right to change this Data Privacy Statement by announcing changes here. Changes may also be based on amendments made to applicable legislation. We recommend reviewing the Data Privacy Statement content from time to time.
13. Questions related to data protection
We have a dedicated team of data protection specialists. If you have any questions regarding this Data Privacy Statement or data protection, please address them to the local Data Protection Officer: firstname.lastname@example.org.
This Privacy Statement was last updated on 2018-05-23