Privacy Policy
Last updated: 2nd July 2025
Introduction
OtherPay Pty Ltd (“OtherPay,” “we,” or “us”) respects your right to privacy and is committed to safeguarding personal information. We operate globally with headquarters in Australia and subsidiaries in the United Kingdom and India. This Privacy Policy explains how we collect, use, store, and disclose personal information across our operations. We comply with applicable privacy laws, including the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles, the UK/EU General Data Protection Regulation (GDPR), and India’s Digital Personal Data Protection Act 2023 (DPDPA), among others. Our aim is to be transparent about our data handling practices and to help you understand your rights regarding your personal information.
Scope: This Policy applies to all personal information we process when you use OtherPay’s websites, products and services, interact with us (for example, by contacting customer support or subscribing to communications), or otherwise engage with our business. It covers all users globally and provides a unified privacy approach regardless of your location. Some sections include specific information for jurisdictions we operate in (Australia, UK/EEA, and India) to ensure compliance with local requirements.
What is “Personal Information”? In this Policy, “personal information” (also known as “personal data”) means any information that identifies you or that can reasonably be used to identify you. This includes obvious identifiers like your name and contact details, as well as information such as your device ID or IP address when it can be linked to you.
By using our services or providing personal information to us, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this Policy, please do not provide personal information or use our services. We may provide additional privacy notices for specific services or in certain regions; to the extent those differ from this Policy, those specific notices will take precedence.
Personal Information We Collect
We collect personal information that is necessary for us to provide our fintech products and services and to operate our business. The types of personal information we collect, and how we collect it, include:
Information You Provide Directly: When you interact with OtherPay, you may give us information such as:
- Identity and Contact Details: For example, your name, postal address, email address, phone number, date of birth, and other contact information. We collect these when you create an account, fill in forms on our website or app, sign up for newsletters, or contact us for support.
- Financial and Transaction Information: If you use OtherPay’s payment services or purchase a product, we collect information needed to process the transaction. This may include your payment method details (such as credit or debit card number, expiration date, billing address) or bank account information, as well as transaction history and payment amount.
- Identity Verification Documents: If our services require identity verification (for example, to comply with financial regulations), we might collect documents or data to verify your identity, such as passport or driver’s license details, national ID number, or other information required by Know-Your-Customer (KYC) regulations. (We will only request these when necessary and as permitted by law.)
- Business Information: If you represent a business or use OtherPay for business purposes, we may collect details about your business (e.g. company name, business address, role/title, and other information related to the business account).
- Customer Support and Communications: The content of your communications with us (such as via email, chat or phone) and any additional information you choose to provide when giving us feedback, responding to surveys, or participating in promotions. For example, if you contact us with a support question, we will collect the information you share during that interaction.
Information We Collect Automatically: When you use our websites or apps, we automatically collect certain technical and usage information:
- Usage and Device Data: This includes details about your visits and activity on our site or app, such as your IP address, browser type, operating system, referral website (the page you visited before coming to our site), pages or features you access, the dates/times of access, and other information about how you interact with our digital services. We use this information to understand user engagement and improve our services. This data is generally collected via cookies and similar tracking technologies (described more in Cookies and Tracking Technologies below) and via our server logs.
- Cookies and Similar Technologies: We use cookies (small text files stored on your browser or device) and related technologies to recognize you when you return to our site, remember your preferences, and gather analytics information. Cookies help us analyse website traffic and usage patterns so we can enhance user experience. Most browsers automatically accept cookies, but you can modify your browser settings to block or alert you about cookies. Note that if you disable cookies, some features of our site or service may not function properly. (See the Cookies and Tracking Technologies section for more details.)
- Mobile Device Data: If you use a mobile app of OtherPay (if applicable), we might collect device identifiers and mobile network info, and, with your permission, certain device features such as geolocation data. (If we ever collect precise location data, we will obtain your consent as required; at present, our services do not collect precise GPS location.)
Information from Other Sources: In general, OtherPay does not obtain personal information about you from third-party sources for our core services. We do not purchase marketing lists or data from data brokers. In some cases, we may receive personal information from OtherPay group companies (for example, if you interact with our subsidiary in the UK or India, they may share information with our Australian headquarters as part of our unified services). We may also receive information from you about others – for example, if you refer a friend to our service or if you use a feature to send a payment to someone, we will collect the information you provide about that other person (such as their name or email) to fulfill your request. If we ever receive personal information about you from third parties (such as identity verification providers or public databases for compliance checks), we will handle it according to this Policy and applicable law.
We limit our collection of personal information to what is relevant for the purposes described in this Policy. If you choose not to provide certain information (or ask us to delete it), we may not be able to offer you some features of our services – for instance, we cannot create an account without a name and email or cannot process a payment without payment details.
How We Use Personal Information
OtherPay uses the personal information we collect for the following purposes, which we explain in more detail below. We always strive to use your information in fair and expected ways, and we will not process personal information in a manner incompatible with these purposes without your knowledge or consent.
Providing and Improving Our Services:
- To Perform Services and Transactions: We use your information to operate our fintech services and deliver the products or features you request. For example, we use personal details to create and manage user accounts, to process payments or transfers you initiate, to facilitate transactions, and to provide you with customer support. We also use the information to send you important service-related communications, such as confirmations, invoices, technical notices, updates, security alerts, and administrative messages.
- Service Improvement and Analytics: We analyse usage data and feedback to understand how our services are used and to make improvements. This helps us troubleshoot issues, develop new features, and enhance the quality and user experience of OtherPay’s offerings. For instance, aggregated website usage data helps us see which pages are most visited or if any user interface issues need fixing. We may also use your feedback or survey responses to refine our products. (Where feasible, we use aggregated or de-identified data for analytics, to protect your privacy.)
Communication and Marketing:
- Communicating with You: We use your contact information to communicate with you about your account, respond to your inquiries, and fulfill your requests. If you contact our support team, we will use your name and email/phone to respond and will use the details of your issue to resolve it. We may also send notifications about important changes to our terms or this Privacy Policy, or other service-related announcements. These transactional or service communications are necessary for us to perform our contract with you or to meet legal obligations, so you may continue to receive these even if you opt out of marketing messages.
- Marketing and Promotional Messages: If you have agreed or if it is otherwise permitted by law, we may use your personal information to inform you about new or additional products, services, or promotions that might interest you. For example, we might send newsletters, promotional emails, or special offers. We will obtain your consent to send you marketing communications where required (for instance, if you are in a jurisdiction like the EU, UK, or India that requires opt-in consent for electronic direct marketing). In other cases (such as in Australia or India for customers with whom we have an existing relationship), we might rely on implied consent or lawful exceptions, but in all cases, we provide a clear opportunity to opt out. If you do not wish to receive marketing emails or texts, you can unsubscribe at any time by clicking the “unsubscribe” link in an email, replying “STOP” to an SMS, or contacting us as described below. We do not send you marketing communications if you have asked us not to, and opting out will not affect your ability to use our service.
Legal Compliance and Security:
- Compliance with Laws and Regulations: We process personal information as necessary to comply with our legal obligations. This includes using personal data to satisfy reporting obligations, comply with lawful requests and orders (such as court orders, subpoenas, or requests from regulatory authorities), and to meet obligations under financial or privacy regulations. For example, as a fintech service, we may be required to retain certain transaction records for anti-money laundering (AML), tax, or accounting purposes. If we are under a legal duty to disclose data to law enforcement or regulators, we will only do so after verifying the request and to the extent required by law.
- Protection of Rights, Security and Preventing Misuse: We may use and disclose personal information when we believe it’s necessary to protect the rights, property, or safety of OtherPay, our users, or the public. This can include investigating and mitigating fraudulent transactions or security incidents, detecting and preventing malicious or illegal activity (such as hacking, fraud, or other misuse of our services), and enforcing our terms of service or other agreements. For instance, we might use certain data to verify identity and prevent unauthorized access to accounts, or to monitor for suspicious activity on our platform.
- Data Security and Incident Response: Internally, information may be accessed and used to maintain the security of our systems. In the event of a suspected data breach or security threat, we will use relevant personal data to investigate and respond, which might include informing affected individuals and authorities (as discussed in Data Security below).
Other Purposes (with Notice or Consent):
- If we intend to use your personal information for a purpose not described in this Privacy Policy, we will provide you with additional notice. In some cases, we may also request your consent if required. We do not use your personal information for purposes that are unrelated to our business without telling you and obtaining your permission when required. We do not engage in automated decision-making or profiling that has legal or similarly significant effects without your knowledge and consent (if it ever becomes relevant, we will update you).
- No Selling of Personal Data: We do not sell, rent, or trade your personal information to third parties for their own marketing or other purposes. All uses of personal data are limited to OtherPay’s internal purposes as described above, or as otherwise disclosed to you.
Legal Bases for Processing Personal Data (UK/EU)
For individuals in the United Kingdom or European Union, we must have a valid legal basis to process your personal data under the GDPR (and UK GDPR). OtherPay acts as a “data controller” for your personal data, meaning we determine how and why the data is processed. We rely on the following legal bases:
- Performance of a Contract: We process personal data to provide you with our services and to fulfill our obligations in our contract with you. For example, when you register for an account or initiate a payment, processing your personal data (like your identity and payment info) is necessary to deliver the service you requested. Without this data, we cannot perform the contract.
- Consent: In certain situations, we ask for your consent to process your data. For instance, we will seek your consent before sending you marketing emails, or before processing any sensitive personal data if that ever occurs. If we rely on consent, you have the right to withdraw your consent at any time (see Your Rights and Choices below on how to withdraw consent). Withdrawal of consent will not affect the lawfulness of processing we conducted prior to withdrawal, but it will mean we stop the specific processing going forward.
- Legitimate Interests: We process some personal data for purposes of our legitimate interests, and those of third parties, provided that such processing does not override your rights and freedoms. Our legitimate interests include things like improving and securing our services, understanding how our services are used, communicating with you about relevant products, preventing fraud, and conducting business operations efficiently. For example, using cookies for basic analytics or using your email to send service improvement surveys may be based on our legitimate interests. Whenever we rely on this basis, we ensure that we consider and balance any potential impact on you (both positive and negative) and your rights under data protection laws.
- Legal Obligation: We process personal data when necessary to comply with a legal obligation to which we are subject. As noted above, this can include retaining certain records for regulatory compliance, responding to government requests, or honouring your data rights under privacy laws.
(Note: In some cases, the same personal data might be processed under more than one legal basis. For instance, we may process your email address to send both service-related messages (contract necessity) and marketing messages (consent).)
If you have any questions about the legal bases for processing applicable to your personal data, feel free to contact us (see Contact Us below) and we will provide additional explanation.
Cookies and Tracking Technologies
Like most online services, OtherPay uses cookies and similar tracking technologies on our website. Cookies are small data files placed on your computer or device when you visit a website. They allow the site to remember your actions or preferences over time.
How We Use Cookies: We use cookies to make our website function properly, to provide a smooth user experience, and to gather analytics information:
- Some cookies are essential for the site to operate, such as those that keep you logged in or enable core features.
- Other cookies help us remember your preferences (for example, your language or region) to personalize your experience.
- We also use cookies (and similar technologies like local storage or pixels) to collect analytics data about site traffic and user interactions. For instance, cookies may record the pages you visited and the time you spent on the site. We use this information in aggregate form to analyse trends and statistics, so we can improve our website’s design and functionality. This helps us understand which features are popular or if users encounter errors.
Cookie Consent: Currently, we do not use a cookie “pop-up” banner on our site. We only use cookies in ways permitted by applicable law. In jurisdictions where consent for certain cookies is required (such as the EU/UK for non-essential cookies), we aim to only use those cookies if you have provided implied or explicit consent through your browser settings or other means. By using our site without disabling cookies, you are effectively consenting to our use of cookies as described in this Policy. We are continuously evaluating our cookie practices and may introduce a cookie consent tool in the future to ensure full compliance with evolving regulations.
Third-Party Cookies: Notably, OtherPay does not share personal data collected via cookies with third-party companies for their own use. We also do not currently serve third-party targeted advertising on our site that would involve third-party tracking cookies (we do not have marketing pixels sharing your data with social media or ad networks at this time). Any analytics are primarily for our internal use. If we engage any analytics or performance services (for example, a web traffic analytics service), we will ensure no personally identifying information (like your name or contact) is shared in the cookies. In any case, we do not allow third parties to directly collect personal information from our site for their own purposes.
Your Choices for Cookies: Most web browsers automatically accept cookies, but you can usually modify your browser settings to decline cookies or alert you when cookies are being sent. You have the right to control cookies and can delete cookies that have already been set. However, please be aware that if you disable or delete certain cookies, it may affect the functionality of our website – for example, you might not be able to use some features, or your preferences might not be remembered. For information on how to manage cookies in your browser, you can refer to your browser’s help documentation.
Do-Not-Track Signals: Some browsers offer a “Do Not Track” (DNT) setting that allows you to signal your privacy preference regarding tracking by websites. Currently, our website does not respond to DNT signals in any special way (there is no industry standard for DNT), but we only use your data as described in this Policy. We treat all users’ data in accordance with this Policy, and we do not alter our practices based on a DNT signal alone.
For more details about our use of cookies or similar technologies, or if you have any concerns about particular cookies, you can contact us, and we will be happy to provide more information or assist you in managing your cookie preferences.
Direct Marketing Communications
As mentioned above, we may send you direct marketing communications about our new products, services, offers, or events, but only in accordance with your preferences and applicable law. This section summarizes our approach to marketing communications:
- Consent for Marketing: We respect your choices when it comes to receiving promotional messages. If law requires opt-in consent (for example, electronic marketing in the EU, or under India’s DPDPA), we will only send you such messages if you have given consent. In other cases (such as Australia’s Spam Act or the UK’s Privacy and Electronic Communications rules), we may send marketing to our existing customers on an opt-out basis, but we will always provide a clear and easy way to unsubscribe.
- Opting Out: You have the right to opt out of marketing at any time. If you no longer wish to receive emails from us, simply click the “unsubscribe” link at the bottom of any marketing email. For SMS or text messages, you can reply with the prescribed keyword (such as “STOP”) to opt out. You can also contact us directly (via the contact details below) and request to be removed from our marketing lists. Once we process your opt-out request, we will stop using your contact information for promotional purposes. There is no charge for opting out (aside from any basic data/voice rates from your telecom provider).
- Transactional and Service Messages: Even if you opt out of marketing, you will still receive essential service-related communications from us if you continue to use our services. This includes messages like payment confirmations, account notifications, password resets, security alerts, and responses to your inquiries. These are not marketing communications but part of our contractual service to you or required for legal/security reasons.
- No Third-Party Marketing: OtherPay will not sell or share your personal information with outside third parties for their own direct marketing, unless you have explicitly authorized us to do so. All marketing messages you receive from OtherPay will come from us on behalf of OtherPay – we might mention a partner if we ever co-sponsor an offer, but we will not give your contact info to that partner without your consent. If our practices change, we will update this Policy and obtain necessary permissions from you.
We strive to keep our communications relevant and infrequent. If you have any issues with our marketing (for example, receiving unwanted messages after opting out), please contact us so we can promptly address the situation.
Disclosure of Personal Information
We understand the importance of keeping your personal information private. OtherPay does not sell, trade, or rent your personal data to unrelated third parties for their own use. In the ordinary course of running our business, however, we may need to share certain personal information with others in the following circumstances:
- Within the OtherPay Group: We may share personal information with our subsidiaries, affiliates, and branch offices as needed to provide our services and operate our business. For example, if you are a customer in the UK, information collected by our UK subsidiary might be shared with our Australian headquarters (and vice versa) for centralized record-keeping, customer support, technical operations, etc. All entities within our corporate group follow this Privacy Policy and are bound to protect your information in the same manner. Access by our employees or staff is on a need-to-know basis and subject to confidentiality obligations.
- Service Providers and Contractors: (Note: Currently, OtherPay handles data processing internally and does not rely on external processors to handle personal data.) In the future, if we engage any trusted third-party service providers to perform functions on our behalf (such as cloud infrastructure hosting, email delivery, or identity verification services), we may share the minimal necessary personal information with them. In such cases, these providers would be contractually obligated to use the information only to provide the services to us and to protect it in line with this Policy and applicable laws. We would not permit them to use your data for any other purposes. (As of now, all personal data is processed by OtherPay and its controlled affiliates and not sent to outside data processors.)
- Legal Requirements and Safety: We may disclose personal information to courts, law enforcement, government authorities, or other third parties when we believe it is legally required to do so. Examples include:
  - Responding to a subpoena, court order, or other binding request from authorities (after verifying its legitimacy).
  - Sharing information to comply with the law or regulatory obligations (such as reporting requirements to regulators or auditors).
  - Disclosing information if necessary to enforce our terms of service or other agreements, or to investigate and defend ourselves against any third-party claims or allegations.
  - Sharing information to protect against fraud, credit risk, or security vulnerabilities.
  - In an emergency, sharing information if we believe it will help prevent physical harm or financial loss, or is necessary to protect someone’s vital interests (for instance, releasing information to law enforcement about a credible identity theft or cybercrime situation).
- Business Transfers: If OtherPay undergoes a business transition, such as a merger, acquisition by another company, reorganization, or sale of all or part of our assets, personal information may be transferred to the successor or acquiring entity as part of that transaction. We would ensure any such transfer is subject to appropriate confidentiality arrangements and that your personal information remains protected. If a change of ownership occurs, we will provide notice on our website or by other means to inform you of any significant changes to how your personal information is handled (and if applicable, any choices you may have).
- With Your Consent or at Your Direction: Apart from the cases above, we will share your personal information with third parties only if you specifically request or consent to such sharing. For example, if you ask us to transfer money to another financial institution or link OtherPay with a third-party service, we will share data as needed to fulfill your request. Similarly, if we ever want to share your information for a new purpose not described in this Policy, we will ask for your consent.
No Third-Party Advertising Trackers: As stated in the Cookies section, we do not disclose your personal information to third-party ad networks or social media companies for advertising purposes. We also do not engage in “list sharing” with other companies for joint marketing.
We remain responsible for the handling of your personal information in accordance with this Policy, even when it is shared with or processed by third parties on our behalf. Any third party with whom we share data (such as an infrastructure provider) must meet our standards for security and privacy and, where applicable, meet the requirements of relevant privacy laws (for example, being a GDPR-compliant processor if handling EU data).
If you have questions about who your information is disclosed to, or if you need more specific information about third parties we work with, you can contact us for further details.
International Data Transfers
OtherPay is an Australian-headquartered company but operates internationally. Your personal information may be stored and processed in countries other than your own, including Australia, the United Kingdom (UK), India, and the United States (USA). We want to be transparent about these cross-border data transfers and how we protect your information in the process:
- Data Storage Locations: We utilize data servers and infrastructure in multiple jurisdictions. Currently, personal data is planned to be stored in:
  - Australia: Our primary data centre is in Australia, where OtherPay Pty Ltd is based.
  - United Kingdom: We maintain systems or backups in the UK to serve our UK and European users and to comply with any local data residency requirements.
  - India: We have operations in India and plan to store certain data locally in India for Indian users, in line with local regulations and to improve service efficiency.
  - United States: We plan to use secure servers in the United States as part of our global infrastructure (for backup, redundancy, or cloud service purposes).
Because of this distributed infrastructure, your personal information might be accessed or transferred between these locations. For example, an Australian customer’s data might be accessed by our support team in India, or a UK user’s data might be stored on a server in the US for backup.
- Cross-Border Data Protection: When we transfer personal data across national borders, we take steps to ensure such transfers comply with applicable data protection laws and that your information remains protected. These steps may include:
  - Australian Requirements: If we disclose personal information from Australia to an overseas recipient (such as our own affiliate or a server overseas), we will take reasonable steps to ensure the recipient protects the information in a manner consistent with the Australian Privacy Principles. OtherPay remains accountable under the Privacy Act for personal information transferred to our overseas affiliates. We carefully control access such that only authorized OtherPay personnel in those countries can access the data, for the purposes described in this Policy.
  - GDPR Safeguards: For personal data originating from the UK or European Economic Area (EEA) that is transferred to countries not deemed “adequate” by the European Commission (which currently includes countries like Australia, India, and the US), we implement appropriate safeguards. Typically, this means we rely on Standard Contractual Clauses (SCCs) – standard data protection contract terms approved by the EU – or an equivalent legal transfer mechanism. These SCCs contractually require that the personal data will have a level of protection essentially equivalent to EU standards, even after it leaves Europe. We also assess on a case-by-case basis whether any additional technical or organizational measures are needed (like encryption in transit and at rest, access controls, etc.) to ensure data is secure during international transfer.
  - India DPDPA Considerations: The Digital Personal Data Protection Act 2023 permits cross-border transfer of personal data except to certain countries or categories that may be restricted by the Indian government in the future. Currently, we transfer data to and from India under the assumption that such transfers are allowed. We ensure that our handling of Indian personal data abroad is secure and only as necessary for the purposes stated. If rules are introduced specifying conditions or requiring consent for international transfers, we will comply with those requirements (for instance, by obtaining consent if needed).
  - United States: While the US may not have a federal comprehensive privacy law for personal data, we treat any data stored in the US with the same high security standards we apply elsewhere. If UK/EU personal data is stored in the US (for example, on a cloud server), that transfer is covered by the safeguards mentioned (SCCs or any future UK adequacy arrangements). We also monitor developments like the EU-US Data Privacy Framework; if applicable, we may incorporate such mechanisms once fully adopted by relevant parties.
- Access by Our Team Worldwide: Employees or team members of OtherPay in different countries (Australia, UK, India, etc.) may have access to personal data on a need-to-know basis. This means, for example, an engineer in the US or India might access data to fix a technical issue for a user in Australia. All such internal accesses are logged and controlled. Our staff are trained on privacy requirements and are bound by confidentiality and our internal data protection policies.
Your Acknowledgment: By using our services or providing us with your information, you acknowledge that your personal information may be transferred to and processed in countries outside of your country of residence. We understand that different countries may have different data protection laws, but we assure you that when your data travels, it remains subject to strict protections by OtherPay.
If you would like more information about our international data transfer practices, or if you need a copy of the relevant data transfer agreements (such as SCCs) we have in place, you can contact us using the details provided in the Contact Us section. We will be happy to provide additional details to the extent allowed by confidentiality obligations.
Data Security
OtherPay is committed to protecting the security of your personal information. We implement a variety of physical, technical, and organizational safeguards to help prevent unauthorized access, alteration, disclosure, or destruction of your data. Here are some key aspects of our security approach:
- Secure Systems: We use modern security measures appropriate to the sensitivity of the information. This includes industry-standard practices such as encryption of data (encrypting personal data in transit over networks via TLS/SSL, and at rest where applicable), firewall and intrusion prevention systems to guard against external attacks, and access controls to limit which employees can view personal information. Our systems are monitored for vulnerabilities and regularly updated to patch security issues.
- Restricted Access: Personal information is only accessible by authorized personnel who require access to perform their job duties. All OtherPay staff and contractors must adhere to confidentiality obligations and are trained in data protection. We limit administrative access to production systems, and we use techniques like two-factor authentication and unique user credentials to reduce the risk of unauthorized access.
- Organizational Policies: We maintain internal policies and procedures on information security and privacy. This includes guidelines on how to handle personal data, how to respond to security incidents, and how to safely dispose of data when no longer needed. We periodically review our practices and update them to address new threats or regulatory requirements.
- Payment and Financial Information: If we collect financial information (like credit card details), we comply with relevant security standards. For instance, payment card details are processed using secure, PCI-DSS compliant methods. We do not store full payment card numbers on our own servers unless necessary; typically, we use accredited payment gateways or encryption/tokenization to handle sensitive payment data.
- Third-Party Security: Although OtherPay currently does not use external processors for personal data, if that changes and we store data with cloud providers or other vendors, we choose providers that have strong security certifications, and we enforce contractual security requirements. We also conduct due diligence on any service providers who might have access to personal data.
Despite all these precautions, it’s important to note that no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security. Cyber risks evolve rapidly, and there is always some risk that a breach could occur due to factors beyond our control. You also play a role in keeping your data safe: we encourage you to use unique and strong passwords for your OtherPay account, protect your account credentials, and notify us immediately if you suspect any unauthorized access to your account or personal information.
Data Breach Notification
In the unlikely event of a data breach (an incident resulting in unauthorized access to or disclosure of personal information), OtherPay will act promptly to contain the breach and mitigate potential harm. We will assess the nature and scope of the incident and take appropriate steps to remediate it. As part of our commitment to compliance and transparency:
- We will notify you without undue delay if a data breach is likely to result in a high risk to your rights and freedoms. This notification will describe, in plain language, the nature of the breach and recommended steps for you to protect yourself (for example, resetting passwords if credentials were compromised).
- We will also fulfill any legal reporting obligations. For instance, under Australia’s Notifiable Data Breaches scheme, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals if a breach is likely to result in serious harm. Under the GDPR, we are required to notify the relevant supervisory authority (such as the UK Information Commissioner’s Office) within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to pose a risk. India’s DPDPA similarly will require notification to the Data Protection Board of India and impacted individuals in the event of a personal data breach.
- We keep a record of all security incidents, regardless of severity, and our team will investigate the root cause. We’ll implement measures to prevent a recurrence and improve our security posture where needed.
Our goal is to be transparent and proactive in the unfortunate event of a security incident. Rest assured, we value your trust and will do everything we can to prevent incidents and to inform and assist you should one occur.
Data Retention
We retain personal information only for as long as it is necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements. How long we keep your data depends on the type of information and the context in which it’s used. Here are our general retention practices:
- Active Accounts: If you have an account with OtherPay, we will keep your personal information for as long as your account is active or as long as needed to provide you with our services. This allows us to give you ongoing access to your account history, preferences, and to facilitate your transactions.
- Closed Accounts or Inactive Users: If you decide to close your OtherPay account or it has been inactive for an extended period, we will initiate the process to delete or anonymize the personal information associated with it. However, we will retain data for as long as required to comply with laws and regulations. For example, financial transaction records may need to be kept for a minimum period (commonly 5 to 7 years) to comply with tax, anti-fraud, anti-money laundering or other financial regulations.
- Legal Obligations and Disputes: We may retain certain information for longer if we have a legal obligation to do so. For instance, if a law enforcement request or a legal hold (e.g., related to litigation) is in place, we will preserve the data until we are legally permitted to delete it. Also, if you have made a complaint or a dispute is ongoing, we may retain relevant information until the issue is resolved and for a reasonable period thereafter.
- Backups and Archival: Even after we delete your personal information from our active databases, it may remain in our backup archives for a short period until those backups cycle out of rotation. We also maintain logs and audit trails for security purposes that may contain some personal data; these are typically retained only for a limited time (unless required for investigation of a known issue).
- Anonymized or Aggregated Data: In some cases, we may convert personal information into anonymized (irreversibly de-identified) or aggregated form for statistical analysis, research, or business planning. Once data is anonymized so that it can no longer be associated with an individual, it is no longer considered personal information and we may retain and use it indefinitely without further notice to you, as it poses no privacy risk.
When we no longer need personal information in identifiable form, we securely destroy or de-identify it. We use techniques that prevent the information from being reconstructed or read. For example, physical documents are shredded, and digital data is securely erased or overwritten.
If you have specific questions about our data retention policies – for example, if you want to know how long we keep a certain type of data – you can contact us, and we’ll provide more detail. Additionally, if you wish to delete your personal data, please see the next section on your rights; we will make efforts to honour deletion requests while balancing legal and contractual retention obligations.
Your Rights and Choices
You have important rights regarding your personal information. OtherPay is committed to honouring these rights and providing you with control over your data. The availability of certain rights may depend on your jurisdiction and the applicable law (for example, GDPR grants particular rights to EU/UK individuals, and India’s DPDPA grants rights to Indian data principals). However, as a global policy, we set out all the key rights here, and we will strive to fulfill any legitimate request regardless of where you are located, to the extent feasible and required by law.
Your key data protection rights include:
- Right to Access: You have the right to request confirmation of whether we are processing your personal information, and if so, to access that information. This includes the right to ask for a copy of the personal data we hold about you. We will provide this in a reasonable format (usually electronic). For example, Australian law (APP 12) and GDPR both give you the right to access personal information. We will respond to access requests as soon as possible, and within any timeframe required by law (GDPR typically 1 month, India DPDPA expects a prompt response). In some cases, we may charge a reasonable administrative fee if a request is manifestly unfounded or excessive, or for additional copies as permitted by law, but we will inform you in advance if any fee applies.
- Right to Correction (Rectification): We want to ensure that the personal information we hold is accurate, up-to-date, and complete. If you believe any of your information is incorrect, incomplete, or out of date, you have the right to request that we correct or update it. Under Australian APP 13, individuals can request corrections, and under GDPR this is the right to rectification. We will promptly make the requested corrections where possible. If for some reason we cannot comply (for instance, if we disagree that the data is incorrect), we will explain why and how you can object.
- Right to Deletion (Erasure): You may have the right to request that we delete your personal information. GDPR calls this the “right to be forgotten,” and India’s DPDPA provides a right of erasure as well (subject to conditions). If you request deletion, we will assess whether the data can be deleted. We will honor deletion requests provided: (a) the data is no longer needed for the purpose it was collected, (b) we have no further legal or contractual obligation to keep it, and (c) no other exceptions apply (for example, we may retain limited data if needed for free speech, public interest, or establishment of legal claims under GDPR exceptions). If we have shared your data with any service providers, we will take reasonable steps to notify them of the deletion request as well. Keep in mind that certain data cannot be fully deleted if it’s required to be retained (see Data Retention above), but we will let you know if that is the case. We will also let you know if we have anonymized certain data instead of deleting (anonymization is irreversible and is another way to fulfill a deletion request without erasing the underlying information’s utility).
- Right to Withdraw Consent: Where we rely on your consent to process personal information (for example, for sending marketing emails or for certain optional data collections), you have the right to withdraw that consent at any time. Your withdrawal will not affect the lawfulness of any processing done before the withdrawal, but it will stop the relevant processing going forward. For instance, you can withdraw consent for marketing communications by unsubscribing, as described in Direct Marketing Communications. In the context of India’s DPDPA, consent can be withdrawn by the data principal, and we must honour that decision – we will make it as easy to withdraw consent as it is to give consent. To withdraw consent for any other processing, simply contact us and specify which consent you are withdrawing. We will then cease processing your data for that purpose, unless we have an alternate legal basis to continue (which we will inform you about if applicable).
- Right to Object to Processing: In certain jurisdictions, you have the right to object to our processing of your personal information. Under GDPR, you may object at any time to processing of your data for direct marketing (we will always honour that, as noted above). You can also object to processing based on a legitimate interest or public interest, in which case we will review your objection and stop or limit processing unless we have compelling legitimate grounds to continue or as otherwise permitted by law. While Australian and Indian laws don’t explicitly use the term “object” in the same way, you can always contact us to raise concerns about any particular use of your data, and we will consider if we can accommodate your request.
- Right to Restrict Processing: GDPR provides that you can ask us to restrict (temporarily halt) processing of your personal data in certain circumstances – for example, if you contest the accuracy of the data or if you have objected and are awaiting verification of our grounds to continue. During such periods, we will only store your data and not perform other processing until the issue is resolved (except if processing is allowed for legal claims or to protect others’ rights). If you request restriction, we will let you know if we are able to implement it and when the restriction is lifted.
- Right to Data Portability: For our users under GDPR (or any similar law), you have the right to data portability. This means you can request that we provide your personal data that you provided to us in a structured, commonly used, and machine-readable format, and you have the right to transmit that data to another controller (for example, another service provider), where technically feasible. This right applies when the processing is based on consent or contract and is carried out by automated means. If you need your data ported, we will provide it in a CSV or similar format that should be easily importable by others. (Please note, data portability under GDPR covers only the data you have provided to us, not any results of processing we derived about you.)
- Right Not to Be Subject to Automated Decisions: OtherPay does not currently make any legally significant decisions about you using purely automated processes (without human involvement). If that ever changes, individuals in the EU/UK would have the right to not be subject to a decision based solely on automated processing that produces legal or similarly significant effects. In any case, you would have the right to request human review of such a decision and to contest it. Given our current practices, this right is more theoretical; if we introduce automated decision-making (for example, automated fraud-detection that denies a transaction), we will inform affected users and provide an avenue for appeal.
- Rights Specific to India’s DPDPA: If you are a data principal under India’s Digital Personal Data Protection Act, you have rights largely aligned with those above (e.g. the right to confirmation and access, correction, and erasure of your data, as well as the ability to seek grievance redressal). One unique provision is that you may nominate a representative to exercise your rights on your behalf in case of your death or incapacity. If you choose to do so, please inform us in writing (with appropriate verification and legal documentation), and we will work with your nominee as required by law. Additionally, if we obtained your consent before DPDPA came into effect, we will provide you with relevant information about how your data is being used, and you have the right to withdraw that consent at any time as noted above.
How to Exercise Your Rights: To exercise any of your rights, please contact us using the contact information in the next section (Contact Us and Grievances). Provide sufficient information for us to verify your identity (we need to make sure we’re giving data to the right person) and to process your request. For example, we may ask you to confirm control of the email associated with your account or provide some identifying details. You do not have to use any specific form to make a request; a clear written request via email is often sufficient.
We will respond to your request as quickly as we can. Under GDPR, we will do so within one month (and we will inform you if we need an extension of up to two further months in complex cases). Under the Australian Privacy Act, we will respond within a reasonable time, and under India’s DPDPA, we intend to acknowledge and address requests promptly (the forthcoming regulations may specify a timeline such as within 30 days). If we cannot fulfill your request, we will explain the reasons (for instance, if the request is unfounded, excessive, or if an exemption applies). In some cases, we may refuse certain requests in accordance with law – for example, we might decline an access request if providing the information would reveal personal data about another person or if a legal exception applies. If so, we will explain our justification and any options you have to challenge the decision.
We will not discriminate against you for exercising your rights. Our services and prices will remain the same for you regardless of whether you choose to exercise privacy rights.
Accessing and Updating Your Information: If you have created an account with OtherPay, you may also access and update some of your personal details (like your profile information or contact info) directly by logging into your account settings. We encourage you to keep your information up to date. For any information not editable through the account portal, just contact us and we will make the changes for you.
Your privacy and control over your data are high priorities for us. Please reach out anytime if you need assistance with a privacy request or have questions about your rights.
Contact Us and Grievance Redressal
We welcome any questions, concerns, or requests you may have regarding this Privacy Policy or how we handle your personal information. Our goal is to address your inquiries and resolve any issues to your satisfaction.
Contact Point:
The primary point of contact for privacy matters at OtherPay is our Privacy Team. While we have not appointed a formal Data Protection Officer (DPO) under GDPR or a dedicated Grievance Officer under India’s DPDPA yet, we do have personnel responsible for privacy compliance. You can reach our team by email at:
Email: privacy@otherpay.com
Using email is usually the quickest way to reach us with your privacy-related inquiries or requests (such as exercising your data rights). Please include your name, contact information, and a detailed description of your request or concern. If you are an OtherPay customer, it may help to include the email associated with your account or a reference number, if you have one, so we can locate your records.
Mailing Address:
If you prefer to contact us by mail, or need to send any official correspondence, you may write to us at our Australian head office address:
OtherPay Pty Ltd
Attn: Privacy Team
Level 2, 1 Southbank Blvd
Southbank, VIC 3006 Australia
When we receive a privacy inquiry or complaint, our privacy team will review it and respond as soon as possible. We may ask you to verify your identity if your request involves access to personal data (to ensure we don’t disclose data to the wrong person). We take all privacy complaints seriously and will do our best to resolve any issues directly with you.
Grievance Redressal (India): If you are in India and have a specific grievance under the DPDPA, you can also use the contact information above to lodge your grievance. In your email or letter, please mention that it is a “DPDPA grievance” and describe the issue in detail. We will acknowledge your complaint and strive to resolve it within the timeframe prescribed by Indian law or as soon as possible.
Currently, we do not have a designated “Grievance Officer” name to provide, but our Privacy Team will fulfill this function. As the DPDPA rules develop, we will update our contact information to meet any specific requirements (such as appointing a dedicated Grievance Officer and publishing their contact info).
Language: We can communicate with you in English. If you require another language, we will do our best to accommodate or provide translation, especially for requests from India where local language support may be needed.
Complaints to Regulators
We encourage you to reach out to us first with any privacy concerns so we can address them. However, if you are not satisfied with our response, or you believe we have not handled your personal information lawfully, you have the right to lodge a complaint with the relevant data protection or privacy regulator in your jurisdiction.
Below are the key regulatory authorities for our operations:
- Australia – Office of the Australian Information Commissioner (OAIC): If you are in Australia and are not satisfied with our handling of your privacy complaint, you may contact the OAIC. The OAIC is the national regulator overseeing the Privacy Act and can investigate privacy complaints.
- Website: oaic.gov.au (See the “Privacy Complaints” section on their site for how to file a complaint online or by mail)
- Phone: 1300 363 992 (within Australia)
- United Kingdom – Information Commissioner’s Office (ICO): If you are in the UK, you have the right to complain to the ICO about our data protection practices. The ICO can provide guidance or take further action if needed.
- Website: ico.org.uk (There is an online form for making a complaint)
- Helpline: +44 303 123 1113
- European Union – Data Protection Authorities: If you are in the EU/EEA, you may contact your local Data Protection Authority (DPA). For example, if you are in France, you can contact the CNIL; in Germany, your regional DPA; in Ireland (whose authority we might fall under if we target the EU broadly), the Data Protection Commission, etc. Each EU country has its own supervisory authority. You can find the list of national DPAs on the European Data Protection Board’s website. You generally would contact the authority in the country of your residence or where the issue occurred. (Since OtherPay’s EU operations are handled via our UK/International framework, you may also contact the UK ICO as above, but EU individuals are free to go to their home DPA.)
- India – Data Protection Board of India (DPBI): Under the DPDPA 2023, the Government of India will establish the Data Protection Board of India to oversee compliance and address grievances. If you are in India and not satisfied with our resolution of your complaint, or if we do not respond to your grievance within a reasonable time, you have the right to file a complaint with the Data Protection Board.
- Note: As of the date of this Policy, the DPBI is newly formed and the process for filing complaints is being set up. Typically, one would submit a complaint through the Board’s online portal or prescribed method. We advise checking the official MeitY (Ministry of Electronics and Information Technology) or Government of India websites for guidance on contacting the Data Protection Board. Once the Board is fully operational, we will update this Policy with more specific contact details or a link.
When contacting a regulator, it may be helpful to provide them with as much detail as possible, including how you believe OtherPay violated your rights or which aspects of the law you think were breached. Regulators generally expect that you attempt to resolve the issue with the company first (and we certainly hope to resolve any issue directly). We will cooperate fully with any official investigations or inquiries by these authorities.
Remember, your rights are important, and you will not be penalized or refused service for exercising your right to seek redress from a regulator. We include this information so that you are aware of all avenues available to you.
Third-Party Websites and Services
Our website or communications may contain links to third-party websites or services that are not owned or controlled by OtherPay. For example, we might link to an article about financial tips on a blog, or you might choose to interact with a third-party service that integrates with OtherPay. This Privacy Policy applies only to OtherPay’s own websites and services. If you follow links to any external websites or services, please be aware that those third parties have their own privacy policies. We are not responsible for the privacy practices or content of sites we don’t operate.
We recommend that you review the privacy policies of any third-party site or service before providing any personal information to them. If you notice a link on our site that no longer works or appears problematic, feel free to let us know.
OtherPay’s inclusion of a third-party link does not imply that we endorse or have reviewed their privacy practices. It is provided for your convenience, and you proceed at your discretion.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we do make changes, we will post the updated Policy on our website and change the “Last updated” date at the top. If the changes are significant, we will also take additional steps to notify you of the updates. This could include posting a prominent notice on our website or sending you a direct notification (such as an email or in-app alert) explaining the changes.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of OtherPay’s services after any changes to this Policy will be deemed acceptance of those changes, to the extent permitted by law.
If we were to materially change the purposes for which we use your personal information or the way we collect or process that information, we would seek your consent again where required by law.
Contact Information Recap
To summarize our contact details for any privacy questions or requests:
Email: privacy@otherpay.com
Mail: OtherPay Privacy Team, Level 2, 1 Southbank Blvd, Southbank VIC 3006, Australia
Website: You may also find information or updates on our official website (www.otherpay.com) under the Privacy section.
Thank you for taking the time to read our Privacy Policy. We hope it has clarified how your personal information is handled by OtherPay. Your privacy is important to us, and we are committed to protecting it. If you have any questions or need further clarification, please do not hesitate to contact us.