Privacy Policy
We recognise the importance of protecting your privacy. We are committed to ensuring the continued integrity and security of the personal information you entrust to us.
We appreciate that the success of our business is largely dependent upon a relationship of trust being established and maintained with past, current and prospective customers, shareholders and other individuals with whom we conduct business. We will therefore continue to collect and manage your personal information with a high degree of diligence and care.
Our aim is to comply at all times with the privacy laws (incorporating the Australian Privacy Principles) that apply to us. If you have a comment, query or complaint regarding a privacy matter, we encourage you to discuss it with us.
Collection
We usually collect personal information directly from you. Sometimes we collect or confirm this information from a third party such as a credit reporting body. We will use reasonable efforts to obtain your consent to do this.
We collect personal information that includes details such as your:
- Identity information (Name, Date of Birth)
- Contact information (such as phone numbers, address, and e-mail addresses)
- Financial information such as information about your use of financial products and services which you acquire from or through us
In some cases, we may need to collect sensitive information about you such as:
- health related information that is relevant to the services we are providing to you or that you have applied for; or
- biometric information we collect and use for the purpose of verifying your identity.
We will first seek your consent to collect such information where we are required to do so.
As part of our business operations we collect personal information from other individuals such as shareholders and non-corporate suppliers. Where you are not a customer of ours you may still seek confirmation as to whether we hold information in relation to you. For the purposes of complying with our obligations under anti-money laundering laws, we are required to collect your personal information to confirm your identity and we may collect personal information about you from commercially available third party databases.
When you visit our website, apps or other web-based content and services (“Websites”), either we or our service provider will collect information including:
- Information about your use of our services, including your login details, IP address, behavioural data, activity logs, and information collected by cookies.
- Information about the devices you use to access our services including types of device, their operating systems, browsers, application settings, and location information. Information about the way you use your devices when accessing our services, such as the pages you visit, how you hold your device, scrolling, swiping or clicking activity, mouse movements and typing speed. We may collect and process this information to generate a ‘digital profile’ specific to you, which we can use to identify unusual behaviour.
Use and disclosure
We use your personal information in order to:
- Provide you with financial products and services (including situations where we are an agent for another product issuer)
- Assist you with your queries or concerns
- Comply with any legal or regulatory obligations imposed on us
- Perform our necessary business functions (such as internal audit investigations, performance reporting, research, product development and planning).
- Identify and prevent fraud, scams and other unauthorised activity. This can include using your ‘digital profile’ and other behavioural information we collect to identify unusual or suspicious activity.
We may disclose your personal information to organisations that carry out functions on our behalf. This may include for example mailing and printing houses, electronic transaction processors, information technology service providers, fraud detection and prevention providers, professional advisers, account holders and operators, regulators and government authorities. Our agreements with these entities ensure your personal information is only used to carry out specific functions on our behalf.
We may disclose your personal information to an individual or an organisation (a “third party”) if:
- You direct us to do so;
- You consent to the third party obtaining the information from us; or
- You consent to the third party accessing the information on our systems, and/or do anything which enables the third party to obtain access.
Your consent to a third party obtaining or accessing information may be implied from:
- Your use of any service or application which a third party provides to you, or makes available to you, which involves the third party obtaining or accessing personal information held by us or organisations like us; or
- You doing anything else which enables the third party to obtain access to the information.
You should never provide or disclose any of your pass codes to any third party to enable the third party to obtain or access to your personal information. If you do, you may breach the ePayments Code and the terms and conditions applying to the products and services we provide to you and you may be liable for any unauthorised transactions that subsequently occur. Pass codes include PINs, internet and telephone banking passwords, and codes generated by security tokens.
We may use your personal information to tell you about other financial products and services we think you may be interested in. This may include products and services offered or distributed by us or the companies we are associated with. You can opt out of receiving this information (see below - ‘Opting out of product promotions’). We do not sell your personal information to third parties.
We provide services to a number of business partners and their customers. In order to provide these services, personal information may be used and exchanged. The information is given the same level of protection and treated in the same way as for customers of ours.
Where we have collected your personal information on behalf of another party (for example, where we are an agent for another product issuer) the use of your personal information by that party is governed by their privacy policy. You should contact them to understand how they might use your personal information.
Discoverability
An Up customer that has you listed in their phone contacts under your registered mobile number may import that list into the Up app and see that you’re an Up customer, including your Upname and profile picture.
You may opt out from being found via your mobile number in the Up app from the Payments Settings screen.
Importing Your Contacts
You may choose to import your contacts into Up. If you do, we store the name and mobile number of each contact, so that you can quickly and easily see who in your contacts is an Upsider and pay them via Up, attempt a payment to a mobile number PayID in your contacts, or send an SMS invite to Up. This data is never shared outside the Up platform.
Disclosure to overseas recipients
In some cases, we may need to share some of your information with organisations outside Australia. For example, when you instruct us to carry out a transaction such as a telegraphic transfer to or from an overseas country, or when we use service providers located overseas to perform a function on our behalf.
We may share your information with overseas organisations located in the following countries:
- Belgium
- Bulgaria
- Canada
- Fiji
- France
- Germany
- India
- Indonesia
- Ireland
- Israel
- Nauru
- The Netherlands
- New Zealand
- Philippines
- Singapore
- Spain
- UK
- US
When we share your information with organisations overseas we ensure appropriate data handling and security measures are in place.
Access and correction
In most cases you can gain access to your personal information held by us.
We will take reasonable steps to amend or correct your personal information to keep it accurate and up-to-date. Please contact us if you would like to access or request a correction of your personal information (see ‘Contacting us’ below).
Opting out of product promotions
You can opt out of receiving direct marketing material at any time by contacting us (see ‘Contacting us’ below).
If you do opt out, we will continue to provide information in relation to your existing accounts or facilities only (including new features or products related to these accounts/facilities).
Storage and security of your personal information
We will take reasonable steps to keep the personal information that we hold about you secure to ensure that it is protected from loss, unauthorised access, use, modification or disclosure.
We will retain data related to your account for 7 years after we cease to provide financial services to you, in accordance with our regulatory obligations. We will delete your data when we are no longer obliged to retain it. Your personal information is stored within secure systems that are protected in controlled facilities. Our employees and authorised agents are obliged to respect the confidentiality of any personal information held by us.
You can help to keep the personal information that we hold about you secure by taking care before you authorise or otherwise assist any third party to obtain or gain access to that information (see ‘Use and disclosure’ above).
Our websites, app, cookies and event tracking
Our website and app use a variety of analytics and tracking tools designed to help us understand usage, fix bugs and improve the effectiveness of our marketing. These include, but are not limited to cookies, tracking pixels and app based event data.
These tools determine which parts of our website and app are visited most often, indicate when specific events occur (such as when an advertisement has resulted in you becoming a customer), or whether you visited our site from another party's website, and other sites you may visit from our website.
Sometimes we share this data third party service providers with whom we have an agreement to monitor the success of our marketing campaigns, make the advertising and communications we show more relevant or to provide core services and features on our websites. The third party service provider uses the instrumentation to collect information such as when you visited our site, your browser type, your IP address and other unique identifiers.
The information is used in an aggregate form and generally no personal information is collected by the third party service provider. Our agreements with these third parties ensure this information is only used to carry out functions on our behalf, and if any personal information is collected the confidentiality of that information is maintained.
Most internet web browsers and devices are pre-set to accept cookies and facilitate the eventing mentioned. However, if you do not wish to transmit this data you may configure your browser or device to opt-out or receive a warning when tracking instrumentation software is being used.
To amend your ad preferences for a specific social network see their privacy sections in your settings.
Changes to this policy
From time to time, it may be necessary for us to review our Privacy Policy and the information contained in this document. We will notify you of any changes by posting an updated version on our Websites.
Privacy concerns or complaints
If you have concerns or wish to make a complaint regarding the handling of your personal information by us, please chat to us via the "Talk to Us" section of the app, call us on 1300 002 258 or e-mail us at support@up.com.au. We will promptly investigate your complaint and notify you of the outcome.
If you are not satisfied with the response provided by us, you may refer your complaint directly to the relevant External Dispute Resolution scheme:
Australian Financial Complaints Authority
GPO Box 3, Melbourne Vic 3001
Online: www.afca.org.au
Phone: 1800 931 678
Email: info@afca.org.au
Office of the Australian Information Commissioner
GPO Box 5218, Sydney NSW 2001
Online: www.oaic.gov.auPhone: 1300 363 992
Email: enquiries@oaic.gov.au
Contacting us
If you have any questions about our Privacy Policy, what personal information we may hold in relation to you, or about the way we manage your personal information you can chat to us via the "Talk to Us" section of the app, call us on 1300 002 258 or e-mail us at privacy@up.com.au.
Further information about privacy
You can find more information about privacy (including information about specific issues, answers to frequently asked questions, and the Australian Privacy Principles) on the Office of the Privacy Commissioner’s website at www.oaic.gov.au
European Union General Data Protection Regulation (GDPR)
If you are in a country that is a member of the European Economic Area (EEA), you may be protected by the European Union General Data Protection Regulation 2016/679 (‘GDPR’).
Application
This GDPR section of our Privacy Policy (‘GDPR Policy’) applies to you if you are in a country that is a member of the European Economic Area (‘EEA’) and you are protected by the General Data Protection Regulation 2016/679 (‘GDPR’) in relation to your personal data that we process or control (an ‘EU Data Subject’). We are the data controller under this GDPR Policy. If you are an EU Data Subject, the other sections of this Privacy Policy and our Credit Reporting Policy also apply to you, but they do not affect this GDPR Policy if they are not consistent with this GDPR Policy.
Principles
Your personal data will be:
- processed lawfully, fairly, and in a transparent manner;
- collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
- adequate, relevant and limited to data necessary for the purposes for which the data is processed;
- accurate and kept up-to-date where necessary;
- kept in a form which permits your identification for no longer than is necessary for the purpose for which data is processed; and
- processed in a manner that ensures appropriate security.
These principles are subject to applicable laws, including any limits or exceptions to these principles in the GDPR.
Processing your personal data
We will only process your personal data if you have given consent, or when it is necessary:
- to perform a contract with you or to take steps preparatory to such a contract;
- to comply with a legal obligation to which we are subject;
- to protect your vital interests or those of another person; or
- to perform a task carried out in the public interest or in the exercise of official authority vested in us.
We may also process your personal data if it is necessary for our legitimate interests or those of a third party. This includes processing for direct marketing purposes or preventing fraud, transmission of personal data within a group of companies for internal administrative purposes, processing for ensuring network and information security, and reporting possible criminal acts or threats to public security. However, this does not apply where these legitimate interests are overridden by your interests, or fundamental rights and freedoms which require protection of personal data.
We will not process your sensitive personal data, such as health information, racial or ethnic origin or political opinions unless you have given express consent for a specified purpose or in other special circumstances authorised under the GDPR, such as where it is necessary to protect your vital interests.
Generally, we retain your personal data while we have a customer relationship with you and to comply with any record-keeping requirements.
Your rights
Under the GDPR you have certain rights in relation to your personal data that we control. The following is a summary of the main rights which are in addition to any other rights that you may have under our Privacy Policy.
- Access rights: You have the right to obtain confirmation of whether your personal data is being processed and the right to access the data (including obtaining a copy). We will comply with your request without undue delay. You also have the right to obtain information about the purposes of processing, the categories of data processed, the recipients, the envisaged retention period (or criteria to determine that period), your rights to rectify or erase data or restrict processing and to complain, information about the sources of data not collected from you, and about any regulated automated decision making, including the significance and envisaged consequences of the automated decision making for you.
- Rectification: You may require us to rectify inaccuracies in personal data held about you.
- Objection rights: You have the right to object to processing of data for direct marketing, processing based on our legitimate interests, and processing for research or statistical purposes. If you object, there may be compelling reasons why we are not required to stop processing your data (except in the case of direct marketing).
- Right of erasure: You have the right to have your personal data erased in certain situations, including where the data is no longer necessary for the purpose for which it was collected or processed, or if you withdraw consent to processing and there is no other justification for processing.
- Right to restrict processing: You have the right to restrict the processing of data in certain situations, such as where the individual disputes the accuracy of the data or has objected to its processing.
- Profiling and automated decision making: You have the right not to be subject to decisions based solely on automated processing of data, such as profiling, if the decision produces legal effects concerning you, or similarly significantly affects you. However, we can use automated processing of data if it is necessary to enter into or perform a contract between you and us, if it is based on your explicit consent, or when it is authorised by law.
Data breaches
We will report a personal data breach to the relevant supervisory authority without undue delay unless we are not required to do so under the GDPR, such as when it is unlikely to result in any risk to the rights of individuals.
If the personal data breach is likely to result in a high risk to your rights and freedoms, we will communicate the breach to you without undue delay, unless we are not required to do so under the GDPR, such as when we have implemented appropriate measures such as encryption.
Transferring personal data
We may transfer your personal data collected in the EEA to a country outside the EEA which has an adequate level of data protection, or if we have provided for appropriate safeguards and there are enforceable data subject rights and effective legal remedies available in the country.
We may also transfer your personal data outside the EEA:
- if you have given your explicit consent to the proposed transfer after being informed of the transfer and the possible risks;
- where it is necessary to perform a contract between you and us, or the implementation of pre- contractual measure; or
- where otherwise permitted under the GDPR.
Contacting us
If you have any questions about our GDPR Policy, or if you want to exercise any of your rights under this GDPR Policy you may contact us by calling us on 1300 002 258 or e-mailing us at support@up.com.au.
Complaints
You can make a complaint in relation to this GDPR Policy to our Customer Feedback Team on 1300 002 258 or e-mailing us at support@up.com.au. You can also complain to your local data protection authority in the EEA. Contact details for those authorities are available here.
Date of Publication – 30 August 2023