Privacy Policy

Last amended [ 18 May 2018  ]


Contact Details

Afterpay Touch Group

Phone: +61 3 9018 6800


About This Document

This privacy policy (the Privacy Policy) applies to Afterpay Touch Group Limited ACN 618 280 649 and its related bodies corporate, (‘Afterpay Touch’, ‘Touch’, ‘APT’, we’, ‘us’ or ‘our’).

Afterpay Touch is committed to complying with the Privacy Act 1988 (Cth) as amended from time to time (Privacy Act) and to protecting information from which the personal identity of its customers and website users is clear or easily determinable (Personal Information), and the personal information of their customers.

In accordance with the 13 Australian Privacy Principles (APPs) set out in the Privacy Act, the Privacy Policy details how Afterpay Touch will manage and protect personal information. 

Afterpay Touch’s retailers, suppliers, service providers and commercial partners (together, Our Partners) are independent of Afterpay Touch and may have privacy policies which differ from ours.  Our Partners are responsible for their own privacy policies and privacy practices. Please contact your retailer directly for further information on its privacy policy.

You accept this Privacy Policy when you sign up for, access, or use our products, services, content, features, technologies or functions (collectively Afterpay Touch Services). Afterpay Touch may amend the Privacy Policy at any time.  The updated version will be available by following the ‘Privacy Policy’ link on the Afterpay Touch’s website ( The revised version will be effective at the time we post it on the websites. Afterpay Touch may highlight changes to the Privacy Policy on its homepage, but you should check the Privacy Policy regularly for changes.

Afterpay Touch is committed to the best-practice privacy standards

 Afterpay Touch operates as a processor of personal data under contract from its customers, who are its controllers, and those requirements that request enhancements to privacy provisions above the legal compliance requirements are incorporated into that customer’s solutions. 

Afterpay Touch is a Level 1 accredited PCI DSS (Payment Card Industry Data Security Standard) organisation. Accreditation is achieved on a yearly basis through the PCI DSS Council and is managed by an independent PCI Council approved auditor. PCI DSS has an impact on the personal data that incorporates Card Holder Data which may be stored, processed or transacted through Touch’s systems.

Afterpay Touch is an accredited IRAPS Medicare Australia compliant organisation. Accreditation is achieved every two years under the accreditation program through the Department of Human Services (Australian Federal Government department) and is audited by an independent IRAPS approved auditor. The compliance process requires Touch to not store Personal Information in regard to Health transactions with Medicare.

 Afterpay Touch is accredited for ISO 27001:2013. ISO 27001 is the international standard for Information Technology – Security Techniques – Information Security Management Systems - Requirements. ISO 27001 belongs to the 27000 family of standards to help organisations keep information assets secure. ISO 27001 has an impact on personal data that incorporates the protection of Management Information Management Systems.


Collection and holding of Personal Information

 In this policy, "personal data" or "personal information" means any information relating to an identified or identifiable natural person ("data subject").

How Afterpay Touch collects and holds Personal Information

 Afterpay Touch may be provided with information through customers entering details on the company's Electronic Service Delivery System (ESDS) when using particular services. In all cases, Afterpay Touch shall only collect and retain information relevant to a customer’s use of the ESDS and in accordance with the requirements of the data controller.

Information collected is stored on secure servers that are protected in controlled facilities, meeting the requirements of 3 separate compliance regimes: PCI DSS, ISO 27001 and IRAP.

Kinds of Personal Information collected and held

Although the amount and type of information collected will vary depending on which services are used on Afterpay Touch's ESDS, a comprehensive list of all of the various kinds of Personal Information that Afterpay Touch may collect is as follows:

  • Contact information, such as a person’s name, address, phone, email and other similar information.
  • Detailed personal information such as a person’s date of birth.
  • Tokenised financial information, such as the bank account numbers and credit card numbers.
  • Details of Our Partner’s businesses, including location of their stores.

Processing of special categories of personal information

We do not collect or process special categories of personal information (also known as "sensitive information") unless the relevant data subject provides explicit consent for us to do so.

Purposes for collecting, using and disclosing Personal Information

Afterpay Touch recognises the confidence entrusted in it when its customers and website users provide Personal Information. In order to deliver service required by its customers Afterpay Touch may sometimes share customers’ and users’ Personal Information with a provider of products and services distributed through the Afterpay Touch ESDS.


The Personal Information which individuals provide Afterpay Touch may be collected, held, used or disclosed for a the following reasons only:

  • processing an order placed by a customer;
  •  providing a customer with products and/or services requested;
  • billing a customer or administering a customer’s account;
  • dealing with requests, enquiries or complaints and other customer care related activities; 
  • using aggregated and anonymised data only, carrying out market and product analysis and marketing Touch’s products and services generally;
  • contacting a customer about Touch’s products and services but only with the customer's consent if the customer is an individual within the EU;
  • registering a customer’s details and allocating or offering the customer rewards, discounts or other benefits services but only with the customer's consent if the customer is an individual within the EU; and
  • carrying out any activity in connection with a legal, governmental or regulatory requirement on Touch or in connection with legal proceedings, crime or fraud prevention, detection or prosecution.

Our legal basis for processing EU data subjects' data in accordance with the above is: 

- so far as items 1-4 inclusive are concerned, to meet our contractual obligations

- so far as items 5-7 inclusive are concerned, it is necessary for the purposes of our legitimate interests to process personal data in that way

- so far as item 8 is concerned, we are obliged to comply with the law

 Afterpay Touch will not collect, hold, monitor or use any EU data subjects Personal Information about its customers and website users without their explicit consent unless it is necessary: 

  •  because it is required by law; 
  • to provide its customers with a service that they have requested;
  • to implement its terms of service;
  • to protect the rights or property of Afterpay Touch, any Afterpay Touch customer, or any member of the public; or
  • to lessen a serious threat to a person's health or safety.

The information (both personal and other that Afterpay Touch collects through its customers' use of the ESDS) will not be traded, sold, licensed or used for commercial marketing purposes. Afterpay Touch will not use Personal Information collected through its customers' use of the ESDS for purposes unrelated to the purposes stated in this Privacy Policy. Afterpay Touch will not disclose Personal Information collected through its customers' use of the ESDS for purposes unrelated to the purposes stated in this Privacy Policy unless such disclosure is authorised by law.

Disclosure to overseas recipients

Save for as otherwise set out in this policy, there will be no disclosure of Personal Information by Afterpay Touch to recipients outside of Australia.


We use cookies and track IP addresses via our websites so we can improve our services provided by our websites and enhance user experience.

When you access our websites, or use Afterpay Touch Services, we (including companies we work with) may place small data files on your computer or other device. These data files may be cookies, pixel tags, "Flash cookies," or other local storage provided by your browser or associated applications (collectively Cookies). We use Cookies to ascertain which web pages are visited and how often, to make our websites more user friendly, to give you a better experience when you return to a website and to target advertising to you that we think you may be interested in.  For example, Cookies allow us to save your password so you do not have to re-enter it every time you visit our site. 

Most web browsers automatically accept Cookies. You can find information specific to your browser under the ‘help’ menu. You are free to decline our Cookies if your browser or browser add-on permits, unless our Cookies are required to prevent fraud or ensure the security of websites we control. However, declining our Cookies may interfere with your use of our websites and Afterpay Touch Services.

Storage, security and behaviours regarding Personal Information

Afterpay Touch will take all reasonable steps to ensure that Personal Information which it collects, uses or discloses is accurate, complete, up-to-date and stored in a secure environment protected from unauthorised access, modification and disclosure. The Personal Information, if in digital format, is stored on secure servers that are protected in controlled facilities, meeting the requirements of 3 separate compliance regimes: PCI DSS, ISO 27001 and IRAP. If in hardcopy format, the Personal Information is stored in locked areas in controlled facilities.

In some cases, these facilities are overseas. Afterpay Touch employees and data processors are obliged to respect the confidentiality of any Personal Information held by Afterpay Touch. However, security of communications over the internet cannot be guaranteed, and therefore absolute assurance that information will be secure at all times cannot be given.

In addition, Afterpay Touch's employees and data processors are obliged to respect the confidentiality of any Personal Information held by Afterpay Touch, as well as undertaking continuing police reference checks to determine their suitability of employment. Touch employees and agents undergo a yearly education program regarding privacy to ensure an understanding by all staff as to the correct handling of personal data is understood.

 Afterpay Touch is independently (and separately) audited for Medicare IRAP, ISO 27001 and PCI DSS on a regular basis. Afterpay Touch is also audited for some specific products like MoneyGram to ensure data for their systems is similarly protected to personal data collected. Some of those product requirements request that no Personal Information is stored.

Individual’s right to access


An individual may request access to his or her Personal Information held by Afterpay Touch by contacting Afterpay Touch on the contact details provided in this Privacy Policy. Upon request, Afterpay Touch will provide an individual with access to the individual’s Personal Information, except in certain prescribed circumstances, including emergency situations, specified business imperatives and law enforcement or other public interests.

Afterpay Touch will respond to an individual’s request for access to his or her information within a period of seven (7) days. Afterpay Touch will provide access to the information in the manner requested by the individual, so far as it is reasonable and practicable to do so. 

Correction and updating

An individual may contact Afterpay Touch on the contact details provided in this Privacy Policy to request that their Personal Information held by Afterpay Touch be updated. 

Afterpay Touch will take all reasonable steps to ensure that the Personal Information it holds is accurate and will correct Personal Information within seven (7) days of a request from an individual. If Afterpay Touch is unable to correct Personal Information held, Afterpay Touch will provide an explanation in writing as to why the information cannot be corrected.

Complaints handling 

Complaints regarding breaches by Afterpay Touch of privacy obligations may be made by contacting Afterpay Touch directly on the contact information provided in this Privacy Policy. 

Afterpay Touch will deal with all complaints promptly and will endeavour to reach an amicable solution to the problem. 

If you are not satisfied with the outcome of your complaint, you may make a complaint with the Privacy Commissioner at the Office of the Australian Information Commissioner (

International application

Afterpay Touch will comply with any applicable privacy laws of any jurisdiction which are binding on Afterpay Touch. 

In particular, so far as data subjects in the EEA are concerned you have the right to:

Access. You have the right to request a copy of the personal information we are processing about you.

Rectification. You have the right to have incomplete or inaccurate personal information that we process about you rectified. 

Deletion. You have the right to request that we delete personal information that we process about you unless it is lawful to retain it for other purposes. 

Restriction. You have the right to restrict our unlawful processing of your personal information.

Portability. You have the right in certain circumstances to obtain personal information we hold about you and to transmit such data to another data controller.  

Objection. Where the legal justification for our processing of your personal information is our legitimate interest, you have the right to object to such processing on grounds relating to your particular situation. 

Withdrawing Consent.  If you have consented to our processing of your personal information, you have the right to withdraw your consent at any time, free of charge.


You can make any of these requests in relation to your personal information by sending the request to the address at 1.2 above or Korzo 11, HR-51000 Rijeka, Croatia, EU or by email to DPO@afterpaytouch.comor


Data subjects in the EEA also have the right to lodge a complaint with the local data protection authority if you believe that we have not complied with applicable data protection laws. please click the link for a list oflocal data protection authorities in the countries within the EEA in which we operate.

Changes in policy

Afterpay Touch reserves the right to change its privacy policy at any time, and in accordance with the Privacy Act, The Privacy Amendment (Notifiable Data Breaches) Bill 2016 and any subsequent amendments to that act. Any change of policy will be notified by posting an updated version of the policy on Afterpay Touch's website.

More information

If you have any queries about this Privacy Policy, please contact Afterpay Touch by email at or telephone +613 9018 6824.  

For more information about privacy issues in Australia, visit the Office of the Australian Information Commissioner's website at


This email and any files transmitted with it may be confidential and are intended solely for the use of the individual or entity to whom they are addressed. This email may contain personal information of individuals, and be subject to Commonwealth and/or State privacy laws in Australia. This email is also subject to copyright. If you are not the intended recipient, you must not read, print, store, copy, forward or use this email for any reason, in accordance with privacy and copyright laws. If you have received this email in error, please notify the sender by return email, and delete this email from your inbox.