Privacy Policy

Privacy Policy

Last amended 18 APRIL 2017
1. Contact Details

Touch Holdings Limited
Phone: +61 (03) 9018 6800  

2. About This Document

This privacy policy (the Privacy Policy) applies to Touch Holdings Limited ACN 109 766 592 and its related bodies corporate, (‘Touch’,‘we’, ‘us’ or ‘our’).

Touch is committed to complying with the Privacy Act 1988 (Cth) as amended from time to time (Privacy Act) and to protecting information from which the personal identity of its customers and website users is clear or easily determinable (Personal Information), and the personal information of their customers.

In accordance with the 13 Australian Privacy Principles (APPs) set out in the Privacy Act, the Privacy Policy details how Touch will manage and protect personal information.

Touch’s retailers, suppliers, service providers and commercial partners (together, Our Partners) are independent of Touch and may have privacy policies which differ from ours.  Our Partners are responsible for their own privacy policies and privacy practices. Please contact your retailer directly for further information on its privacy policy.

You accept this Privacy Policy when you sign up for, access, or use our products, services, content, features, technologies or functions (collectively Touch Services). Touch may amend the Privacy Policy at any time.  The updated version will be available by following the ‘Privacy Policy’ link on the Touch’s website ( The revised version will be effective at the time we post it on the websites. Touch may highlight changes to the Privacy Policy on its homepage, but you should check the Privacy Policy regularly for changes. 

3. Touch is committed to the best-practice privacy standards

Touch operates under contract from its customers and those requirements that request enhancements to privacy provisions above the legal compliance requirements are incorporated into that customer’s solutions.

Touch is a Level 1 accredited PCI DSS (Payment Card Industry Data Security Standard) organisation. Accreditation is achieved on a yearly basis through the PCI DSS Council and is managed by an independent PCI Council approved auditor. PCI DSS has an impact on the personal data that incorporates Card Holder Data which may be stored, processed or transacted through Touch’s systems.

Touch is an accredited IRAPS Medicare Australia compliant organisation. Accreditation is achieved every two years under the accreditation program through the Department of Human Services (Australian Federal Government department) and is audited by an independent IRAPS approved auditor. The compliance process requires Touch to not store Personal Information in regards to Health transactions with Medicare. 

4. Collection and holding of Personal Information

4.1 How Touch collects and holds Personal Information

Touch may be provided with information through customers entering details on the company's Electronic Service Delivery System (ESDS) when using particular services. In all cases, Touch shall only collect and retain information relevant to a customer’s use of the ESDS.

Information collected is stored on secure servers that are protected in controlled facilities, meeting the requirements of 2 separate compliance regimes: PCI DSS and IRAPS. 

4.2  Kinds of Personal Information collected and held

Although the amount and type of information collected will vary depending on which services are used on Touch's ESDS, a comprehensive list of all of the various kinds of Personal Information that Touch may collect is as follows: 

  • Contact information, such as a person’s name, address, phone, email and other similar information.
  • Detailed personal information such as a person’s date of birth.
  • Tokenised financial information, such as the bank account numbers and credit card numbers.
  • Details of Our Partner’s businesses, including location of their stores.
5. Purposes for collecting, using and disclosing Personal Information

5.1 Purposes for collecting, using and disclosing Personal Information

Touch recognises the confidence entrusted in it when its customers and website users provide Personal Information. In order to deliver a service Touch may sometimes share customers’ and users’ Personal Information with a provider of products and services distributed through the Touch ESDS.

The Personal Information which individuals provide Touch may be collected, held, used or disclosed for a number of purposes connected with Touch’s business operations, which include: 

  • processing an order placed by a customer;
  • providing a customer with products and/or services requested;
  • billing a customer or administering a customer’s account;
  • dealing with requests, enquiries or complaints and other customer care related activities;
  • carrying out market and product analysis and marketing Touch’s products and services generally;
  • contacting a customer about Touch’s products and services;
  • registering a customer’s details and allocating or offering the customer rewards, discounts or other benefits; and
  • carrying out any activity in connection with a legal, governmental or regulatory requirement on Touch or in connection with legal proceedings, crime or fraud prevention, detection or prosecution.

In addition, Touch may collect, hold, use or disclose a customer’s or user’s Personal Information for purposes related to those described above which would be reasonably expected by the customer or user.

Touch will not collect, hold, monitor or use any Personal Information about its customers and website users without their consent unless it is necessary: 

  • because it is required by law;
  • to provide its customers with a service that they have requested;
  • to implement its terms of service;
  • to protect the rights or property of Touch, any Touch customer, or any member of the public; or
  • to lessen a serious threat to a person's health or safety.

The information (both personal and other that Touch collects through its customers' use of the ESDS) will not be traded, sold, licensed or used for commercial marketing purposes. Touch will not use Personal Information collected through its customers' use of the ESDS for purposes unrelated to the purposes stated in this Privacy Policy. Touch will not disclose Personal Information collected through its customers' use of the ESDS for purposes unrelated to the purposes stated in this Privacy Policy unless such disclosure is authorised by law. 

5.2 Disclosure to overseas recipients

Save for as otherwise set out in this policy, there will be no disclosure of Personal Information by Touch to recipients outside of Australia.


We use cookies and track IP addresses via our websites so we can improve our services provided by our websites and enhance your user experience.

When you access our websites or use Touch Services, we (including companies we work with) may place small data files on your computer or other device. These data files may be cookies, pixel tags, "Flash cookies," or other local storage provided by your browser or associated applications (collectively Cookies). We use Cookies to ascertain which web pages are visited and how often, to make our websites more user friendly, to give you a better experience when you return to a website and to target advertising to you that we think you may be interested in.  For example, Cookies allow us to save your password so you do not have to re-enter it every time you visit our site. 

Most web browsers automatically accept Cookies. You can find information specific to your browser under the ‘help’ menu. You are free to decline our Cookies if your browser or browser add-on permits, unless our Cookies are required to prevent fraud or ensure the security of websites we control. However, declining our Cookies may interfere with your use of our websites and Touch Services. 

Storage, security and behaviours regarding Personal Information

Touch will take all reasonable steps to ensure that Personal Information which it collects, uses or discloses is accurate, complete, up-to-date and stored in a secure environment protected from unauthorised access, modification and disclosure. The Personal Information, if in digital format, is stored on secure servers that are protected in controlled facilities, meeting the requirements of 2 separate compliance regimes: PCI DSS and IRAPS. If in hardcopy format, the Personal Information is stored in locked areas in controlled facilities.

In some cases these facilities are overseas. Touch employees and data processors are obliged to respect the confidentiality of any Personal Information held by Touch. However, security of communications over the internet cannot be guaranteed, and therefore absolute assurance that information will be secure at all times cannot be given.

In addition, Touch's employees and data processors are obliged to respect the confidentiality of any Personal Information held by Touch, as well as undertaking continuing police reference checks to determine their suitability of employment. Touch employees and agents undergo a yearly education program regarding privacy to ensure an understanding by all staff as to the correct handling of personal data is understood.

Touch is independently (and separately) audited for Medicare IRAPS and PCI DSS on a regular basis. Touch is also audited for some specific products like MoneyGram to ensure data for their systems is similarly protected to personal data collected. Some of those product requirements request that no Personal Information is stored. 

8 Individual’s right to access

8.1 Access

An individual may request access to his or her Personal Information held by Touch by contacting Touch on the contact details provided in this Privacy Policy. Upon request, Touch will provide an individual with access to the individual’s Personal Information, except in certain prescribed circumstances, including emergency situations, specified business imperatives and law enforcement or other public interests.

Touch will respond to an individual’s request for access to his or her information within a period of seven (7) days. Touch will provide access to the information in the manner requested by the individual, so far as it is reasonable and practicable to do so. 

8.2 Correction and updating

An individual may contact Touch on the contact details provided in this Privacy Policy to request that their Personal Information held by Touch be updated.

Touch will take all reasonable steps to ensure that the Personal Information it holds is accurate and will correct Personal Information within seven (7) days of a request from an individual. If Touch is unable to correct Personal Information held, Touch will provide an explanation in writing as to why the information cannot be corrected. 

8.3 Complaints handling

Complaints regarding breaches by Touch of privacy obligations may be made by contacting Touch directly on the contact information provided in this Privacy Policy.

Touch will deal with all complaints promptly and will endeavour to reach an amicable solution to the problem.

If you are not satisfied with the outcome of your complaint, you may make a complaint with the Privacy Commissioner at the Office of the Australian Information Commissioner ( 

International application

Touch will comply with any applicable privacy laws of any jurisdiction which are binding on Touch.

10 Changes in policy

Touch reserves the right to change its privacy policy at any time, and in accordance with the Privacy Act and any subsequent amendments to that act. Any change of policy will be notified by posting an updated version of the policy on Touch's website.

Touch will be updating this privacy policy in line with The Privacy Amendment (Notifiable Data Breaches) Bill 2016

11 More information

If you have any queries about this Privacy Policy, please contact Touch by email at or telephone +613 9018 6824.

For more information about privacy issues in Australia, visit the Office of the Australian Information Commissioner's website at