Privacy Policy
Last updated 6/05/2022
Privacy Policy
Novatti Group Limited (ACN 606 556 183) and its subsidiaries, including Novatti Acquiring Services(AUS) Pty Ltd (ACN 647 567 084)(together, Novatti, we, us, our), are committed to protecting theprivacy ofindividuals whose personal information we handle.
This Privacy Policy (Policy) sets out how we collect, hold, use, disclose, and manage personalinformation in accordance with the Privacy Act1988 (Cth)(Privacy Act) and the Australian PrivacyPrinciples (APPs), as amended by the Privacy and Other Legislation Amendment Act 2024.
This Policy applies to:
● our website at novatti.com and all associated Novatti digital properties;
● our payment processing, acquiring, card issuing, and related financial services;
● ourinteractions with customers, merchants, business partners, and job applicants; and
● all personal information we collect, whether online, in writing, orin person.
By using our website or services, or by providing us with your personal information, youacknowledge that you have read and understood this Policy. You are notrequired to providepersonal information to us, butif you do not, we may be unable to provide you with certainservices.
Who We Are and How to Contact UsNovatti Group Limited is an APP (Australian Privacy Principles) entity forthe Privacy Act, and is theentity accountable forthe personal information described in this Policy.
Our Privacy Officer is responsible for ensuring our compliance with this Policy and the APPs.
Privacy Officer Novatti Group Limited
Address Level 3, 461 Bourke Street, Melbourne VIC 3000, Australia
Telephone +61 3 9011 8490
Email privacy.officer@novatti.comWebsite novatti.com/privacy
If you have questions aboutthis Policy, wish to access or correct your personal information, make a privacy complaint, or opt out of direct marketing, please contact our Privacy Officer using thedetails above. We will respond within a reasonable time and no later than 30 days ofreceiving your request.
What Personal Information We Collect
Personal information means information or an opinion about an identified individual, or anindividual who is reasonably identifiable, whether or nottrue and whether or notrecorded inmaterialform.
Information You Provide to Us
We collect personal information that you voluntarily provide, including:
● Identity information: name, date of birth, gender, and government-issued identificationdetails collected for verification and KYC/AML compliance purposes;
● Contact details: postal address, email address,telephone, and fax numbers;
● Financial information: bank account details, payment card information, and transactiondata required to process payments;
● Business information: ABN, ACN, business name, and the contact details of authorisedrepresentatives;
● Account credentials: usernames and passwords for any Novatti online portal or application;
● Correspondence: information you include in emails, enquiries, or other communicationswith us; and
● Employmentinformation:résumés, CVs, qualifications, and references submitted forjobapplications.Information Collected AutomaticallyWhen you visit our website, we may automatically collect:
● Technical data: yourIP address, browsertype and version, operating system, deviceidentifiers, and time zone;
Usage data: pages visited, links clicked,time on page,referring URLs, and sessioninformation;● Cookie data: information stored by cookies and similartracking technologies (see Section 7below).This data is primarily statistical and non-identifying. Where it can be linked to an individual, itistreated as personal information underthis Policy.Sensitive InformationSensitive information is a subset of personal information that warrants higher protection. Itincludes racial or ethnic origin, health information, biometric data, criminalrecord information,and similar categories defined underthe Privacy Act.We do not actively seek to collect sensitive information through our website or general customerinteractions. However, sensitive information may be collected in the following limitedcircumstances:● With your explicit consent, where itis necessary to provide a service or comply with a legalobligation (for example, health information provided in the context of an employmentapplication);
● Where collection is required or authorised by law (for example, underthe Anti-MoneyLaundering and Counter-Terrorism Financing Act 2006).We will handle sensitive information in accordance with the heightened protections required byAPP 3.3 and will not use or disclose it except as permitted by the APPs orrequired by law.
How We Collect Personal Information
We collect personal information by lawful and fair means. We collectit directly from you whereverreasonably practicable. Collection occurs:
● when you visit orinteract with our website;
● when you contact us by telephone, email, post, orin person;
● when you apply for, use, or enquire about our products or services;
● when you complete accountregistration or onboarding processes;
● when you submit a job application or participate in a recruitment process;
● through cookies and analytics tools (see Section 7); and
● through identity verification and KYC processes required by law.We may also collect personal information from third parties, including creditreporting bodies,identity verification services, government agencies, and publicly available sources, wherepermitted by law and where it is unreasonable orimpracticable to collectthe information directlyfrom you. Where we do so, we willtake reasonable steps to notify you as soon as practicable.
How We Use Your Personal Information
We use personal information only forthe purposes for which it was collected,for directly relatedpurposes, or as otherwise permitted orrequired by law. These purposes include:
Providing Our Services
● Processing and settling paymenttransactions;
● Operating and managing merchant acquiring and paymentfacilitation services;
● Creating and managing customer accounts and profiles;
● Responding to enquiries,requests, and complaints;
● Communicating with you about your account or our services.
Legal and Regulatory Compliance
● Verifying youridentity and conducting customer due diligence (KYC/CDD) as required bythe Anti-Money Laundering and Counter-Terrorism Financing Act 2006;
● Monitoring transactions and reporting to AUSTRAC as required by law;
● Meeting our obligations as an Australian Financial Services Licensee;
● Complying with court orders, regulatory directions, and other legal requirements
Business Operations
● Improving and developing our products, services, and website;
● Conducting internal analytics,risk management, and fraud prevention;
● Managing supplier, partner, and contractorrelationships;
● Processing job applications and managing our workforce
Direct Marketing
We may use your contactinformation to send you marketing communications about our productsand services, but only where:
● you have provided your consent, or we reasonably believe you would expectto receive suchcommunications based on our existing relationship; and● we provide a clear and easy opt-out mechanism in every marketing communication.You may opt out of direct marketing at any time by:
● using the unsubscribe link in any marketing email;
● contacting our Privacy Officer at privacy.officer@novatti.com; or
● updating your communication preferences in your account settings.We will action opt-outrequests promptly and no laterthan 5 business days afterreceipt. We willnot use or disclose personal information for direct marketing if you have opted out.
Automated Decision-Making
From December 2026, amendments to the Privacy Act introduced by POLA 2024 require APPentities to notify individuals when their personal information is used in substantially automateddecisions that significantly affectthem. Where we use automated processes to make orinformsuch decisions — including in the areas offraud detection,transaction risk scoring, or onboardingassessments — we willtake reasonable steps to inform you ofthis use at or before the time ofcollection, or as otherwise required by law. You may contact our Privacy Officerif you havequestions about whether an automated decision has been made using your personal information.
Disclosure of Personal Information
We do not sell personal information. We may disclose personal information to third parties andoverseas recipients in the limited circumstances set out below.
Disclosure to Third Parties
We may disclose personal information to the following categories ofthird parties:
● Service providers:third-party vendors and contractors who assist us in operating our business (including technology providers, payment processors, identity verification services, cloud storage providers, and professional advisers), who are bound by confidentiality obligations and must handle personal information in accordance with theAPPs;
● Related entities: other Novatti Group entities where necessary to deliver services orforinternal business purposes;
● Regulatory authorities: AUSTRAC, ASIC, APRA, and otherregulatory bodies as required bylaw;
● Law enforcement: when required by law, court order, or government authority;
● Business transfers: in connection with a merger, acquisition, corporate restructure, orasset sale, where equivalent privacy obligations bind the recipient.
Cross-Border Disclosure
Novatti operates internationally, and your personal information may be transferred to, stored, orprocessed by personnel or systems located outside Australia, including in the following countriesorregions:
● India — technology development and operations support;
● United States — cloud infrastructure and third-party service providers;
● United Kingdom and European Union — international payment network partners;
● Singapore and other Asia-Pacific jurisdictions — regional operations.Before disclosing personal information to overseas recipients, we take reasonable steps to ensurethatthe overseas recipient does not breach the APPs in relation to the information. This mayinclude entering into data processing agreements, standard contractual clauses, or othercontractual protections.Where we are unable to ensure that an overseas recipient will handle personal information inaccordance with the APPs, we will seek your consentto the disclosure. By consenting, youacknowledge that we may not be able to take reasonable steps to ensure the overseas participantcomplies with the APPs, and that you may not be able to seek redress underthe Privacy Actinrelation to the recipient’s handling of your personal information.
Cookies and Online Tracking
What Are Cookies?
Cookies are small data files placed on your device when you visit a website. We use cookies andsimilartechnologies (including pixels, web beacons, and local storage)to operate and improve ourwebsite, personalize your experience, and support our marketing activities.
Types of Cookies We Use
● Essential cookies:required forthe website to function and cannot be disabled;
● Analytics cookies: help us understand how visitors interact with our website (we use Google Analytics forthis purpose);
● Marketing and remarketing cookies: used to deliver advertisements relevantto yourinterests across third-party platforms, including through Google Ads.
Google Ads Remarketing
Our website uses Google Ads to show advertisements to previous visitors on third-party websitesand in Google search results. This service uses cookies to identify visitors who have previouslyinteracted with our site. Any personal information collected through these activities is used inaccordance with this Policy and Google’s Privacy Policy.You can opt out of Google’s use of cookies for advertising purposes by visiting Google’s AdSettings page at adssettings.google.com.au.
Managing Cookies
Most browsers allow you to control cookies through their settings. You can choose to block ordelete cookies; however, doing so may affectthe functionality of our website. For moreinformation about managing cookies, visit allaboutcookies.org
Data Security
We take the security of your personal information seriously and implementreasonable technicaland organisational safeguards to protectitfrom misuse, interference, loss, and unauthorisedaccess, modification, or disclosure. Our security measures include:
● Encryption of personal information in transit(TLS/SSL) and atrestfor sensitive data;
● Multi-factor authentication and role-based access controls on systems storing personalinformation;
● Regular security assessments, penetration testing, and vulnerability management;
● Stafftraining on privacy and information security obligations;
● Physical security controls at our premises and data centres;
● Contractualrequirements on third-party service providers to maintain appropriate securitymeasures.While we take allreasonable precautions, no method of electronic transmission or storage isentirely secure, and we cannot guarantee the absolute security ofinformation transmitted overthe internet.
Data Retention
We retain personal information only for as long as itis necessary to fulfilthe purposes for which itwas collected, or as required or permitted by law. Specific retention obligations include:
● AML/CTF records: minimum 7 years from the date ofthe relevanttransaction or customerrelationship, as required by the Anti-Money Laundering and Counter-Terrorism FinancingAct 2006;
● Financialrecords: as required by applicable tax and corporations legislation;
● Customer account data:retained forthe duration ofthe customerrelationship and for aperiod thereafter as required by law and legitimate business purposes;
● Job applicant data:for unsuccessful applicants,retained for up to 12 months afterthecompletion ofthe recruitment process, unless you consentto retention forfutureopportunities;
● Website analytics data: typically retained in aggregate or anonymised form after 26months.When personal information is no longerrequired, we take reasonable steps to securely destroy itor de-identify itin accordance with APP 11.2.Please referto the Record Keeping Policy forfurtherinformation.
Notifiable Data Breaches
Novatti is subjectto the Notifiable Data Breaches (NDB) scheme under PartIIIC ofthe Privacy Act.If we become aware of a data breach thatis likely to resultin serious harm to one or moreindividuals, we are required to:
● assess whetherthe breach is an eligible data breach;
● notify the Office ofthe Australian Information Commissioner(OAIC); and
● notify affected individuals as soon as practicable.We maintain an internal data breach response plan and incidentregister. All staff are required toreport suspected data breaches to the Privacy Officerimmediately upon becoming aware ofthem.If you believe that a data breach involving your personal information has occurred, please contactour Privacy Officer as soon as possible using the contact details in Section 2.
Your Rights
Access
You have the rightto request access to personal information that we hold about you. To make anaccess request, please contact our Privacy Officer. We willrespond within 30 days and provideaccess in a formatthatis reasonable and appropriate. We may charge a reasonable fee to coverthe cost of providing access.We may refuse access in limited circumstances permitted by the Privacy Act, such as whereaccess would unreasonably impactthe privacy of otherindividuals, or where required by law. Wewill provide written reasons for any refusal.
Correction
If you believe that personal information we hold about you is inaccurate, incomplete, out of date,irrelevant, or misleading, you may requestthat we correctit. We willtake reasonable steps tocorrectthe information and willrespond to yourrequest within 30 days.
Anonymity and Pseudonymity
Where lawful and practicable, you may interact with us anonymously or using a pseudonym. Wewill inform you ifitis not practicable to deal with you on this basis.Opt Out of Direct MarketingYou may opt out ofreceiving direct marketing communications from us at any time. See Section5.4 for opt-out methods.
Children
Our services are not directed at children underthe age of18. We do not knowingly collect personalinformation from individuals under18 without verifiable parental or guardian consent. If youbelieve we have inadvertently collected such information, please contact our Privacy Officer, and we will take steps to delete it promptly.We are committed to compliance with any Children’s Online Privacy Code made underthe PrivacyAct as thatframework develops.
Statutory Tort for Serious Invasions of Privacy
From 10 June 2025, individuals have a directrightto take legal action against organisations —including Novatti — for serious invasions of privacy underthe statutory tortintroduced by POLA2024. This right exists independently of any complaint made to the OAIC.[C1]A serious invasion of privacy may include unauthorised surveillance or monitoring, improperdisclosure of sensitive personal information, or misuse of personal data in a way that would behighly offensive to a reasonable person. If you believe Novatti has seriously invaded your privacy,you may:● contact our Privacy Officerto raise a complaint(see Section 11); or● seek independentlegal advice about yourrights underthe statutory tort.
Making a Privacy Complaint
If you have a complaint about how we have handled your personal information, or believe we havebreached the APPs orthis Policy, please contact our Privacy Officer using the details in Section 2.Please provide as much detail as possible aboutthe nature of your complaint.We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days.Where a complaintis complex, we will keep you informed of our progress.If you are not satisfied with ourresponse, you may lodge a complaint with the Office oftheAustralian Information Commissioner(OAIC):
Australian Information Commissioner(OAIC)
Office of the Australian Information
Commissioner GPO Box 5218, Sydney NSW
2001 Telephone:1300 363 992
Website
oaic.gov.au
Online complaintf orm: oaic.gov.au/privacy/privacy-complaints
Government Identifiers
Novatti will not adopt, use, or disclose a government-related identifier(such as a tax file number orMedicare number) as its own identifier of an individual, except where required or permitted by law,including foridentity verification and AML/CTF compliance.
Updates to This Policy
We may update this Policy from time to time to reflect changes in our practices,technology, orlegal obligations. We will publish the updated Policy on our website and, where the changes arematerial, we will notify you by email orthrough a prominent notice on our website.The current version and effective date ofthis Policy are shown on the cover page. We encourageyou to review this Policy periodically.This Policy will be reviewed atleast annually, or earlier upon:
● material changes to the Privacy Act, APPs, or OAIC guidance (including POLA 2024implementation);
● significant changes to the Novatti Group’s business model, services, or data handlingpractices;
● identification of a material compliance deficiency or privacy incident; or
● direction from the OAIC or anotherregulatory authority.
Definitions
APP: Australian Privacy Principle, as set outin Schedule 1 ofthe PrivacyAct.
APP entity: An organisation or agency bound by the APPs underthe Privacy Act.
Eligible data breach: A data breach thatis likely to resultin serious harm to any oftheindividuals to whom the information relates.
KYC / CDD: Know Your Customer/ Customer Due Diligence — identityverification and risk assessment processes required by AML/CTF law.
NDB scheme: The Notifiable Data Breaches scheme under PartIIIC ofthe PrivacyAct.
OAIC: Office ofthe Australian Information Commissioner.
Personal information: Information or an opinion about an identified individual, or an individual who is reasonably identifiable.
Sensitive information: A subset of personal information, including racial or ethnic origin,health information, biometric data, and other categories defined inthe Privacy Act