Privacy Policy

eftpos Payments Australia Limited (ABN 37 136 180 366)

eftpos Payments Australia Limited (ABN 37 136 180 366) (ePAL) has practices, procedures and systems controls designed to comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. This Privacy Policy sets out how eftpos collects, uses, keeps secure and discloses personal information collected by any means and by any technology, including through the ePAL website.

About Us

eftpos is a debit payment scheme which governs and facilitates electronic debit transactions in Australia and is trusted by consumers and merchants as a secure, convenient and efficient method of payment.

Your personal information

Personal information held by us may include:

  • Identification information such as your name, date of birth and place of work and in some circumstances driver’s licence number;
  • Contact information such as current and previous addresses, fixed line or mobile phone number, email address and social media contact information;
  • Information required for payment processing, such as eftpos transaction and loyalty program information.

If you choose not to provide certain personal information (e.g. your date of birth), we may not be able to provide you with the services you request, or the level of service on which we pride ourselves.

Occasionally, we may collect personal information about other individuals from you (e.g. member/vendor contact details). If so, we rely on you to inform those individuals that you are providing their personal information to us and to advise them that we can be contacted for further information about how we handle their information (refer to our contact details below).

How we collect personal information

We collect personal information in a number of ways, including:

  • directly from you (if it is reasonable and practicable to do so) for example, when you provide information by phone, in application forms or other agreements, or when you submit your personal details through our website (eg. for marketing campaigns, certification authority services);
  • from third parties for example from our members (which are banks and retailers and their aggregators) and from other entities that provide payment processing and related services for the purposes of the eftpos payment system;
  • from publicly available sources of information;
  • when you visit our website (refer below for details on information collected through use of our website).

How we use your personal information

Your personal information may be used for any of the following (in addition to specific uses notified to you at or about the time of collection):

  • verification of your identity (eg. for access to documents stored in our secure portal, certification authority services);
  • providing you or your employing entity with documents and information relevant to your or your entity’s participation in the eftpos payment system;
  • providing you with information about or the promotion or delivery of our products or services (should you choose to receive them) or such services ancillary to or necessary for those products or services;
  • administration of our business, business analysis, dispute resolution, prevent fraud or meet any legal obligations imposed on us;
  • statistical or other analysis or similar research purposes, whether or not for product development;
  • maintenance and development of our business systems and infrastructure, including testing and upgrading of these systems

(each a Purpose).

Your privacy and personal information is important to us and we will do each of the following:

  • take reasonable steps to ensure the personal information that we collect, use or disclose is accurate, complete and up-to-date and relevant to the use or disclosure;
  • take reasonable steps to protect your personal information from misuse, loss and unauthorised access, modification or disclosure. This includes physical and logical security measures such as premises, infrastructure and database access restrictions, de-identification of data where possible and encryption of data in transit and at rest;
  • take reasonable steps to destroy or permanently de-identify personal information if we no longer need it for any legitimate business purpose.

When we disclose your information

We will disclose your personal information:

  • where you have consented to that disclosure;
  • to our service providers (including web hosting and database hosting in Australia, the United States of America, the United Kingdom and The Netherlands, product and application testing in Australia and Taiwan and payment processing entities located in Australia and the United States of America, ) for a Purpose. We have entered into agreements with each of these entities which require compliance with the Privacy Act 1988 (C’th) and include provisions designed to give your personal information at least the same level of protection as we provide;
  • to our members (which are banks and retailers and their aggregators), as necessary, to enable us to provide any of our products or services to you or answer enquiries and administer governance activities related to our rules. These entities are also bound by the Privacy Act 1988 (C’th) and have their own privacy policies, and will observe these when using your personal information;
  • where we are required or authorised to do so by law, including in response to a lawful request by any person, organisation, government, regulatory body or enforcement agency;
  • where it is necessary in order to investigate an unlawful activity;
  • where it is necessary to prevent a serious and imminent threat to a person’s life, health or safety, or to public health or safety.

Trans-Border Data flow

It is possible that the overseas entities which we share your personal information with may not be subject to foreign laws that provide the same level of protection of information as in Australia or may not be subject to any privacy obligations. Overseas entities may be required or compelled to disclose your personal information to a third party such as an overseas authority. You may not be able to seek redress in the overseas jurisdiction against the overseas entity. If we ask and you consent to us disclosing your personal information to an overseas entity and that overseas entity breaches the Australian Privacy Principles, we will not be accountable for that breach under the Privacy Act and you will not be able to seek redress in respect of that breach under the Privacy Act.  Therefore, if we transfer or provide access to your personal information to a recipient outside Australia, we will impose, and review compliance with, obligations on that recipient to comply with the Privacy Act 1988 (C’th) and include provisions designed to give at least the same level of protection for your personal information as we provide.

Information collected from the ePAL website

We collect information about the website and the service, including the number of visitors, when the visits occur, how many pages are viewed and navigation patterns. We may also collect and store your Internet Protocol (IP) address. We get this information from ‘cookies’, which are a website tool commonly used to identify website users’ computers. Knowing this information allows us to ensure that the information and services available through the website are relevant. We may use this information to obtain statistical information, which helps us evaluate and enhance the website. We may also send session numbers and keys as cookies to ensure that your connection, when using our online services, is kept as secure as possible.

It is ePAL’s policy not to sell or pass on any information recorded about your visit to the website for commercial purposes unrelated to any Purpose, unless we have your express consent.

If you decline to provide us with certain personal information when requested (for example, refusing cookies in your browser), the website may not operate optimally or at all.

We also use your IP address to help diagnose problems with and to administer our web site. No attempt is made to link any IP address with any individuals that visit the site.

Where our website contains links to other sites, we are not responsible for the information handling practices or content of these external sites.

We also maintain several email lists to keep you informed about areas of specific interest. You may request to join our mailing lists by signing up through our website or by contacting us. You may also unsubscribe from any email list at any time.

We do not sell, rent, loan, trade, or lease any addresses or other information on our lists, or any other personal information that we may collect or hold, to anyone, unless we have your express consent.

Access to your personal information

You can request access to the personal information we hold in a record about you.  Your request must be in writing and include proof of identity.  We may charge a fee for the staff time and any expenses incurred to respond to your request and provide the requested information to you.  If it is not possible for us to provide you with access as requested, we will tell you why.

If you think that any personal information we hold about you is not accurate, complete and up-to-date, you may ask us to amend your details.  We will take reasonable steps to amend your personal information as you direct, unless we reasonably consider that your information is already accurate, complete and up-to-date, in which case we will tell you why.

If you believe that we have failed to comply with this privacy policy, we encourage you to tell us how and to be as specific as possible so that we can resolve any misunderstanding or dispute between you and us.  We will do our best to resolve your complaint as quickly as possible and will in any event respond within 5 days of receiving details from you.  If you are not satisfied with our response to your complaint, you can refer the matter to:

Director of Complaints,
Office of the Australian Information Commissioner,
Level 3, 175 Pitt Street, Sydney 2000
GPO Box 5218, Sydney NSW 2001.
Telephone: 1300 363 992
Facsimile: +61 2 9284 9666

You can contact us by writing to us at Level 11, 45 Clarence Street, Sydney NSW 2000 or by email at or by contacting us at (02) 8270 1800 and asking for the Privacy Officer.