We take your privacy seriously
Bluechain respects your right to privacy and is committed to safeguarding your personal information. We adhere to the Australian Privacy Principles (APP) contained in the Privacy Act 1988 (Cwth) and protections afforded to residents of the EU under the General Data Protection Regulation (GDPR).
Accepting the terms of this policy
Modifying this policy
What is Personal Information?
“Personal Information” (also referred to as “Personal Data”) is information we hold which is identifiable, either directly or indirectly, as being about a living person. This may include data that you have supplied to us (such as your phone number), data that we have obtained when you use our Services (such as your IP address), or data that we have obtained from other sources (such as from a credit reporting agency). We may also collect certain information that is used in an aggregated manner to analyse how people use our Services. Information that has been aggregated or made anonymous is not considered to be Personal Information.
Why do we collect Personal Information?
Without information about you, we may not be able to provide you with the services or the support you request. We may also collect information about your use and interaction with our services to help protect you from fraud and misuse of your personal information. For example, we may evaluate your computer, mobile phone or other access device to identify any malicious software or activity.
Does this policy cover all Personal Information we hold?
No, it only concerns activities in which we are the Data Controller (as defined by the GDPR)—in other words, where we decide the purposes and means for processing. It doesn’t cover processing of Personal Information that we conduct as a Data Processor—in other words, where we process data on behalf of another party and are following their instructions. In such cases, they are the Data Controller.
When is Bluechain the Data Controller?
We are the Data Controller for:
- Any Personal Information that we process about our customers, including you as an individual or a sole trader or the CEO, board members, beneficial owners, if they are a natural person, and customer representatives of a limited liability company or equivalent.
- Any Personal Information that we process about potential customers who are either website visitors who submit personal data through any of the forms on our websites or otherwise contact us.
- Any Personal Information that we process when a customer signs up for or uses our Services.
- Any behavioural and tracking information, e.g. location data, behavioural patterns, personal preferences, IP address, cookie identifiers, or unique device identifiers, when a customer accesses or uses our Services.
- Any Personal Information that we process when anyone telephones our customer support or uses our website or otherwise contacts us through our support channels.
How we collect Personal Information
We collect this information from you in a variety of ways, including when you interact with us electronically or in person, when you access our websites, and when we provide our services to you. We may also receive Personal Information from third parties, including via a third party app or platform on which you hold an account where you consent to the third party providing it to us (Linked Platform). You may provide information to enable us to send information, provide updates and process your product or service order. We may collect additional information at other times, including but not limited to, when you provide feedback, when you provide information about your personal or business affairs, change your preferences, respond to surveys and promotions, provide financial or credit card information, or communicate with our customer support. Additionally, we may also collect any other information you provide while interacting with us.
What types of Personal Information do we collect?
Our Services can be used by a broad range of industries in connection with their products, service, activities and administrative functions, whether they are involved in government, retail, health, politics, human resources, technology or anything else. Accordingly, a broad range of information may be uploaded to or sent through our Services.
Information supplied by you
We also collect information you provide when you apply or sign up for a Bluechain account and when you provide information as part of our identity verification process. We may collect, without limitation, the following information about you:
- Identification information, such as your name, email address, mailing address, phone number, photograph, company logo, date of birth, passport, drivers licence or other government-issued identification number.
- Financial information, including bank account and payment card numbers.
- Historical, contact and demographic information.
Information obtained when you use our Services
We collect information about you when you use our Services, which may include the following:
- Transaction Information. When you use our Services to make, accept or request payments, we collect information about when and where the transactions occur, the names of the transacting parties, a description of the transactions, the payment amounts, billing and shipping information and the devices and payment methods used to complete the transactions.
- Location Information. When our application is open on your mobile device, we may periodically collect information about the location of the device.
- Behavioural and tracking information. We may collect information about behavioural patterns, personal preferences, IP addresses, cookie identifiers, unique device identifiers you use to access and use the services and our websites.
- Device Information. We collect specific information about your device when you access our Services, including your hardware model, operating system and version, unique device identifier, mobile network information and information about the device’s interaction with our Services. We may also identify other software running on the device for anti-fraud and malware-prevention purposes (but will not collect any content from such software).
- Product Information. We also collect information you upload to or send through our Services, including information about products and services you may sell (including inventory, pricing and other data).
Information obtained from other sources
We also may collect information about you from third parties, including third-party verification services, credit bureaus, mailing list providers and publicly available sources (e.g. company registers, tax authorities, enforcement agencies). In some circumstances, where lawful, this information may include your government-issued identification number. By applying or signing up for a Bluechain account, you authorise and consent to our obtaining from and disclosing to, third parties, from time to time, any information about you as necessary in connection with the processing of any credit investigation, identity verification, fraud detection or collection procedure or as may otherwise be required by applicable law. This includes, without limitation, the receipt and exchange of credit-related information with any credit reporting agency or credit bureau, where lawful and any person or corporation with whom you have had, currently have or may have financial relations, including without limitation past, present and future places of employment and personal reporting agencies.
What we will not do with your information
- We will not share your personal information with third parties for them to use for their own marketing purposes without ensuring that there is a lawful ground to do so.
- We will not sell or rent your personal information to third parties for their marketing purposes without your explicit consent.
- We do not carry out automated decision-making, including profiling, as defined under the GDPR as having legal effects or otherwise similarly affecting you.
What we may do with your information
How we use information
We may use information about you:
- to protect our rights or property, or the security or integrity of our Services;
- to verify your identity;
- to investigate, detect and prevent fraud, security breaches and other potentially prohibited or illegal activities;
- to comply with any applicable law, regulation, legal process or governmental request;
- to provide, maintain and improve our Services, such as processing payment transactions, displaying historical transactions, and developing new products and services;
- to personalize and facilitate your use of our Services;
- to measure, customize and enhance our Services, including the design, content and functionality of our application and websites;
- to track and analyse trends and usage in connection with our Services;
- to send news and information, or to conduct surveys and collect feedback, about our Services and to communicate with you about products; or
- for any other purpose disclosed to you in connection with our Services.
Should we so choose, we may verify your identity by disclosing your name, residential address and date of birth to a credit reporting body. The credit reporting body will match this information against your credit information file and will provide us with an assessment of the matching process. We use this assessment only for the purpose of verifying your identity in compliance with our obligation.
Whom we share information with
We may share information about you:
- with our group companies, including our parent company, Bluechain Payments Limited, for the purposes outlined above;
- with third parties to provide, maintain and improve our Services, including service providers who access information about you to perform Services on our behalf (such as fraud prevention and identity verification); financial institutions, payment networks, payment card associations and other entities that are part of the payment process; and third parties who operate an account for you on a Linked Platform as described above (e.g. to confirm that a related payment has been instructed via Bluechain);
- with users of our Services who have signed up for Bluechain accounts—for example, we may share information when you make or accept a payment using our Services;
- with third parties that run advertising campaigns, contests, special offers or other events or activities in connection with our Services;
- in connection with or during the negotiation of any merger, sale of company stock or assets, financing, acquisition, divestiture or dissolution of all or a portion of our business;
- if we believe that disclosure is reasonably necessary (1) to comply with any applicable law, regulation, legal process or governmental request (e.g., from tax authorities), (2) to protect our rights or property, or the security or integrity of our Services, or (3) to protect us, users of our Services or the public from harm or potentially prohibited or illegal activities; or
- with your consent.
We also may share aggregated information with third parties that does not specifically identify you or any individual user of our Services.
Third parties who are Data Processors
Some of the third parties that we share Personal Information with are Data Processors. A data processor is such a party that processes personal data on our instructions and on our behalf. We collaborate with selected suppliers, which include processing of personal data on behalf of us. Examples include suppliers of IT development, maintenance, hosting and support but also suppliers supporting us with marketing.
When we share your personal data with Data Processors we only share them for purposes compatible with the purposes for which we have collected the data (such as performance of a contract). We always control all Data Processors and ensure that they can provide adequate guarantees as regards security and confidentiality of personal data. We have written agreements in place with all Data Processors through which they guarantee the security and confidentiality of personal data that they process on our behalf and limitations as regards third country transfers.
Third parties who are Data Controllers
Some of the third parties that we share Personal Information with are independent Data Controllers. This means that we are not the ones that dictate how the data that we provide will be processed. Examples are authorities, credit bureaus, acquirers and other financial institutions. When your data is shared with independent Data Controllers, their privacy policies and processing principles apply.
We also disclose personal data to authorities to the extent we are under a statutory obligation to do so. Such authorities include tax authorities, police authorities, enforcement authorities and supervisory authorities in relevant countries. We may also be required to provide competent authorities information about your use of our services, e.g. revenue or tax authorities, as required by law, which may include personal data such as your name, address and information regarding card transactions processed by us on your behalf through your use of our services.
Third-party advertising and analytics
We may allow third-party service providers to deliver content and advertisements in connection with our Services and to provide anonymous site metrics and other analytics services. This information may be used by Bluechain and third-party service providers on behalf of Bluechain to analyze and track usage of our Services, determine the popularity of certain content, deliver advertising and content targeted to your interests and better understand how you use our Services. We do not permit any third-party service providers to collect information through our Services for their own purposes, and all third-party service providers that we do engage are bound by confidentiality obligations and other restrictions with respect to their use and collection of your information.
Cookies remember that you have visited us or used our Services before. This allows us to identify the number of unique visitors we receive, which allows us to make sure we have enough capacity to accommodate all of our users. Cookies are also used to customise elements of the promotional layout or content of our website or application, such as displaying relevant ads to website visitors through third-party services such as Google Adwords. These ads may appear on this website or other websites you visit. Cookies also collect anonymous statistical information about how you use the Services (including the length of your web or application session) and the location from which you access the Services, so that we can improve the Services and learn which elements and functions of the Services are most popular with our users.
Some of the cookies used in the Services are set by us, and others are set by third parties who deliver Services on our behalf. Most web and mobile device browsers automatically accept cookies, but you can choose to reject cookies or to notify you each time a cookie is set by changing your browser settings. However, this may prevent you from taking full advantage of our website. To learn more about cookies, visit www.allaboutcookies.org, which includes additional useful information on cookies and how to block cookies on different types of browsers and mobile devices.
Links to third parties
Our Services may from time to time have links to other websites or services not owned or controlled by us. These links are meant for your convenience only. Links to third parties do not constitute sponsorship or endorsement or approval of these sites or products. Please be aware that Bluechain is not responsible for the privacy practices of third parties and, when you leave our Services, be sure to read the privacy statements of each and every website or service that collects personal identifiable information.
Transferring data to another jurisdiction
If we transfer your Personal Information from within Australia, or to a country outside the European Economic Area, then we will comply with all applicable laws in respect of such transfer, including making sure that your Personal Information is kept secure, and ensure that appropriate safeguards are in place to ensure there is adequate protection. Our preferred basis for transfer is by the use of Standard Contractual Clauses. You can access a copy of the relevant EU model-clauses used by us for transfers by browsing to www.eur-lex.europa.eu and searching for “32010D0087”.
How we protect and store personal information
We store and process your personal information on computers in Australia, the US, Asia, Europe and elsewhere in the world in accordance with applicable laws and regulations. We may use third-party service providers to, process and store your information where required. We protect your information using physical, technical, and administrative security measures to reduce the risks of loss, theft, misuse, unauthorised access, disclosure, alteration and destruction. Some of the safeguards we use are firewalls and data encryption, physical access controls to our data centres, and information access authorisation controls.
How long is your data stored for?
This means that we, as an example, will only keep your data for as long as necessary for the performance of a contract and as required by applicable laws. If we keep your data for other purposes than those of the performance of a contract, such as anti-money laundering purposes, bookkeeping and regulatory capital adequacy requirements, we keep the data only if necessary and/or mandated by laws and regulations for the respective purpose.
The data retention obligations will differ within Bluechain companies, which are subject to applicable local laws. Retention periods typically vary based on requirements for:
- Preventing, detecting and investigating money laundering, terrorist financing and fraud
- Bookkeeping regulations
- Details on performance of an agreement to defend against possible claims
- Recorded telephone calls to our support
We may contact you in a number of ways, including by email, telephone, SMS or mail or via our app. Where you have agreed to receive promotional information from us, we may periodically send promotional material via in any of these ways about new products, special offers or other information which we think you may find interesting. We may customize that information based on any personal information we hold about you (e.g. your location).
If you have received marketing from us, you may at any time object to the marketing by contacting us at [email protected] or opt out by following the instructions in the marketing material.
Right to be informed
Right of access
You have the right to access the personal data that we hold about you. In this respect, you may receive a copy of the personal data that we hold about you. For any further copies, we reserve the right to charge a reasonable fee based on our administrative costs. To exercise this right, please contact us as set out below. Please note that much of the personal data that we process about you is available and visible for you in your Bluechain Account.
This right means that you have a right to:
- receive a confirmation about what personal data that we process about you,
- get access to your personal data, and
Please note that we might have to ask you to provide further information about yourself in order for us to be able to identify you and handle the request in an efficient and secure way. This may mean that we may require you to send in a copy of a valid ID, which we will also require you to sign.
If we refuse your request (e.g. because an exception applies) then we will give you a written statement setting out the reasons for the refusal (unless unreasonable to give them), and the process we provide if you wish to complain about the refusal.
We will provide access in the manner you request if it is reasonable and practicable to do so. If it is not reasonable and practicable to provide access in that manner then we will endeavour to provide you with a suitable range of choices as to how you access it (e.g. emailing or mailing it to you).
Right to rectification
We ensure that inaccurate or incomplete Personal Data is erased or rectified. You have the right to rectification of inaccurate or incomplete personal data that we hold about you.
If you believe that any Personal Data we hold on you is inaccurate, incomplete, out of date, irrelevant or misleading, then please contact us. We will consider if the information requires amendment and respond to you within a reasonable period after your request. If we do not agree that it should be amended, then we will add a note to the personal information stating that you disagree with it and will also give you a written statement setting out the reasons for the refusal (unless unreasonable to give them), and the process we provide if you wish to complain about the refusal.
Right to erasure (right to be forgotten)
You have the right to erasure if:
- the personal data is no longer necessary for the purposes it was collected or processed for (and no new lawful purpose exists);
- your particular situation gives you the right to object to processing on grounds of legitimate interest (see more below) and there is no justified reason for continuing the processing;
- the lawful basis for the processing is your consent, and you withdraw your consent, and no other lawful grounds exist;
- processing the personal data has been unlawful; or
- there is a legal obligation for us to erase the data.
Please note that we provide financial services that may be subject to a license, which may obliged us to retain personal data about you during your customer relationship, and even after that, e.g. to comply with a statutory obligation or where processing is carried out to manage legal claims. We may also keep data that we have about you for any period required by applicable anti-money laundering regulations.
Right to restrict the processing of your personal data
You have the right to request us to restrict the processing of your data (meaning that the personal data may only be held by us and may only be used for limited purposes) if:
- the personal data we have about you is inaccurate;
- the processing is unlawful and you ask us to restrict the use of the personal data instead of erasing it;
- we no longer need the personal data for the purposes of the processing, but if we still need it for the establishment, exercise or defence of legal claims; or
- you have objected to the processing claiming that the legal basis of legitimate interest is invalid and are waiting for the verification of this claim.
Right to object to the processing of your personal data
Where our lawful basis for processing your data is our legitimate interests, you have the right to object to the processing of your data if:
- you can show that your interests, rights and freedoms regarding the personal data outweigh our interest to process your personal data, or
- we process your personal data for direct marketing purposes, including but not limited to profiling.
This means that we will cease such processing unless we:
- demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or
- require the personal data in order to establish, exercise or defend legal rights.
Right to data portability
You have the right to data portability:
- for personal data that you provided to us, and
- if the legal basis for the processing of the personal data is the fulfilment of contract or consent.
This right means that, subject to any exceptions to this right ordinarily applicable by law, we will send a copy of your data in a commonly used and machine-readable format to you or a person/organization appointed by you, where technically feasible.
How to deactivate your account
To deactivate your account, please send an email with the subject “Please deactivate my account” to [email protected]. We will contact you within one business day, providing you with instructions on how to deactivate your account.
How to contact us
If you have any questions or complaints about our privacy practices, please feel free to send in details of your complaints to Level 1, 313 Burwood Road, Hawthorn, Victoria 3122, Australia. We take complaints very seriously and will try to resolve any complaints within 10 working days after receiving written notice. If your complaint is not satisfactorily resolved, you may apply to the Office of the Australian Information Commissioner (OAIC) to have the complaint heard and determined. When we write to you about our decision, we will explain how you may make a complaint to the OAIC.