Introduction

545490 Pty Ltd trading as Karta Co, ABN 83 648 605 225 (Karta, us, we, our), and all its related companies, are committed to protecting your privacy. We maintain robust physical, electronic, and procedural safeguards to protect personal information. This Privacy Policy applies to the Karta website, our mobile applications and products and services, and governs data collection and usage. We adopted this Privacy Policy (Policy) to manage personal information in an open and transparent manner for use on the website and our mobile applications in relation to any products and our services (Products and Services).

Who we are

For the purposes of this Policy, “Karta”, “we”, “us” or “our” means 545490 Pty Ltd trading as Karta Co, ABN 83 648 605 225 and its Australian related bodies corporate that collect and handle personal information in connection with the Special website, app and Products and Services.“Karta Card” and “Card” means the Karta physical card and Pays enabled digital card issued by 545490 Pty Ltd, ABN 83 648 605 225, trading as Karta Co and distributed by us or our related entity 545490 Ops Pty Ltd ABN 48 659 671 315, and applies to our Products and Services. In some cases, Karta is also an APP entity that collects and handles your personal information in connection with the Card. Where this is the case, references to “we”, “us” or “our” in this Policy are references to both Special and Karta, unless the context requires otherwise.

We are bound by the Privacy Act 1988 (Cth) (as amended from time to time) (Privacy Act) and will protect personal information we collect from you, or that you provide to us, in accordance with the Australian Privacy Principles as set out in the Privacy Act (APPs). The APPs govern how we collect, use, store and disclose your personal information, as well as how we ensure the quality and security of your personal information.

What is personal information?

Personal information includes any information or opinion, about an identified individual or an individual who can be reasonably identified from that information.

Personal Information may include the following:

1. name;
2. address;
3. telephone number;
4. email address;
5. date of birth;
6. gender;
7. marital status;
8. occupation;
9. bank account details;
10. contact details; and/or
11. any other information we consider necessary to carry out our functions and activities.

How do we collect personal information?

We are an issuer of non-reloadable prepaid card Products and Services in Australia, and our main functions and activities we perform as issuer include, but are not limited to:

1. Card issuing, payment clearing and settlement;
2. Platform Hosting and transaction processing;
3. Application support and development;
4. Program maintenance and reporting;
5. Account management services;
6. Cardholder and card program customer service; and
7. Fraud and transaction monitoring.
8. Collectively Products and Services.

We usually have direct contact with the individual cardholder, but we may also need to collect personal information about you from other people or organisations. This may happen without your direct involvement. For instance, we may collect personal information about you from other organisations, who jointly with us, provide Products or Services to you.

The circumstances in which we will collect personal information about you, as the cardholder, includes when:

1. you contact us;
2. you create an account or activate a Card, as defined in our Terms and Conditions; or
3. you use a Card for transactions and balance enquiries.

We may also collect personal information about you if you are a candidate for employment or a prospective contractor (see “Candidates and employees” below).

Anonymity and pseudonymity

Where it is lawful and practicable, you may choose to remain anonymous or use a pseudonym when dealing with us (for example, when making a general enquiry). However, if you do not provide certain personal information that we request, we may not be able to provide you with some or all of our Products and Services (including issuing or activating a Card) or meet our obligations under Australian law.

What personal information do we collect?

We collect and/or record the following types of personal information:

1. The personal information you have provided to us through our Products and Services;
2. card activation process including:
             • e-mail address;
             • name; and
             • telephone number.

There is also information about your computer hardware and software that is automatically collected by us. This information can include:

1. your IP address;
2. browser type;
3. domain names;
4. device details;
5. access times; and

1. Information we receive from third parties including:
           • card program sponsors; and
           • credit bureaus and information services and other aggregation businesses, regarding            verification of identification details.

Throughout the life of your Product or Services, we may collect and hold additional personal information about you. This could include:  

1. transaction information; and
2. making a record of queries or complaints you may make.

We also collect certain information automatically about your use of our website and App (see “Do we collect personal information electronically?” below).

Information we collect from third parties

We may collect personal information about you from third parties, including:

1. card program sponsors
2. identity verification service providers and other information services and aggregation businesses (for example, to verify your identification details)
3. recruitment agencies, referees and background checking providers (for candidates).

For what purposes do we collect, store, use, and disclose personal information?

We collect, use, store and disclose personal information is to provide you with Products and Services.

This includes:

1. checking whether you are eligible for the Product or Services;
2. for direct marketing purposes;
3. providing the Product or Services; and
4. assisting you with your inquiries or concerns.

We may also collect, use, and exchange your information so that we can:

1. establish your identity;
2. manage our risks and help identify and investigate illegal activity, such as fraud;
3. contact you;
4. comply with our legal obligations and assist government and law enforcement agencies or regulators;
5. conduct research and training; or
6. provide general statistics regarding use of our website.

We encourage you to review the privacy statements of websites you choose to link to, so that you can understand how those websites collect, use and share your information. We are not responsible for the privacy statements or other content on websites other than our own website.

We only retain personal data for so long as it is necessary in accordance with the time frames stipulated in the laws that impact us, such as privacy, anti-money laundering and counter-terrorism and tax laws. For example, we may require your personal information to be collected and verified under the Anti-Money Laundering & Counter-Terrorism Financing Act 2006 (Cth).

If you do not provide the personal information we request, or if it is incomplete or inaccurate, we may not be able to provide you with some or all of our Products and Services (including issuing or activating a Card) or meet our obligations under Australian law.

Sharing your information with related entities and third parties

We may share your personal information within Karta and its related companies (Group). This helps us to:

1. provide you with information about other Products and Services within the Group;
2. verify your personal information; and
3. offer a streamlined customer experience across our Group and entities.

The information shared will depend on the Product or Services you have with us, and the related corporate entity you're dealing with.
‍
From time to time, we also need to share your information with third parties outside of our corporate entities that help us provide the Product or Services to you.
‍
For your security, we always take measures to ensure our service providers take appropriate steps to protect that information and restrict the way they can use it.

For instance, to protect your personal information, we select providers that we reasonably expect to comply with the Privacy Act and to only use the personal information we disclose to them for the specific role we ask them to perform.

We also have agreements in place which set out the terms we expect our service providers and related entities to comply with.
‍

Is the information disclosed to third parties?

We may share your personal information within Karta and its related companies (the Group). This helps us provide you with information about other Products and Services within the Group, verify your personal information and offer a streamlined customer experience across our Group and entities. This will depend on the Product or Services you have with us and the related corporate entity you are dealing with.

We may disclose your personal information to third parties:

1. service providers, contractors, or card program sponsors of ours
2. payment processors and card scheme operators
3. fraud bureaus or other organisations to identify, investigate or prevent fraud or other misconduct
4. our insurers, auditors and professional advisers
5. external dispute resolution schemes
6. regulators, government agencies, law enforcement bodies and courts or tribunals, where required or permitted by law.

We may also disclose personal information where:

1. we must fulfil our legal obligations (for example, disclosure to Australian (and international) enforcement bodies such as the Australian Securities and Investments Commission (ASIC), the Australian Taxation Office (ATO), the Australian Transaction Reports and Analysis Centre (AUSTRAC) or the courts)
2. it is in the public interest (for example, to protect our interests or where we have a duty to the public to disclose, or where it is necessary in proceedings before a court or tribunal) and where a crime or fraud is committed or is suspected
3. it can be reasonably inferred from the circumstances that you have consented to your personal information being disclosed to a third party.

When your personal information is shared with service providers or contractors, it will only be to the extent reasonably necessary for the purpose of the services they are contracted to provide.

When your personal information is shared with program sponsors, it will only be to the extent reasonably necessary for the purpose of performing:

1. any necessary cardholder customer support;
2. conducting statistical analysis; or
3. improving their product, services, and practices.

We do not use or disclose the Personal Information for any other purpose unless one of the following applies:

1. The individual has consented;
2. the individual would reasonably expect us to use or disclose the Personal Information for a purpose that is related to the primary purpose;
3. for insurance purposes;
4. for external dispute resolution schemes;
5. any necessaryto liaise with fraud bureaus or other organisations to identify, investigate or prevent fraud or other misconduct; or
6. for use or disclosure as required under Australian law.

Overseas disclosures

We use a range of service providers and technology solutions, some of which are located outside Australia or may store or access personal information on servers located outside Australia (for example, cloud hosting, payment processing and analytics providers such as Google Analytics). We may therefore disclose personal information to overseas recipients in connection with the purposes described in this Policy.

Where we disclose personal information to recipients who are not in Australia, we take reasonable steps to ensure that they do not breach the Australian Privacy Principles in relation to your personal information. We do this by, for example:

1. engaging providers in countries that we believe have laws substantially similar to the Privacy Act; and/or
2. requiring overseas recipients to handle personal information in a way that is consistent with the Australian Privacy Principles (including by entering into contracts that contain appropriate privacy and security obligations).

Sensitive information

We generally do not need to collect sensitive information (such as information about your health, racial or ethnic origin, religious beliefs, political opinions, sexual orientation or criminal record) in order to provide our Products and Services.

1. If we do need to collect sensitive information (for example, information required to verify your identity where permitted by law), we will only do so with your consent or where otherwise permitted or required by law, and we will explain the purpose of the collection at the time. Sensitive information is given a higher level of protection under the Privacy Act and we handle it accordingly.

Your consent is important

We may require your consent to use and/or disclose your information in particular ways. We need your consent if we use your information for a purpose that is not related to the purpose for which we collected your information in the first instance. Depending on the circumstances, this consent may be express (for example, you expressly agree to the specific use of your information by ticking a box) or implied by some action you take or do not take (for example your agreement is implied by the fact that you have agreed to your product terms and conditions which contains information about the use or disclosure of the information).

Do we collect personal information electronically?

Each time you visit our website, we collect information about your use of the website, which may include the following:

1. The date and time of visits;
2. Which pages are viewed;
3. How users navigate through the site and interact with pages;
4. Information about the device used to visit our website; and
5. IP addresses.

We use cookies and similar technologies (such as pixels and local storage) to:

1. operate and improve our website and App
2. provide security and prevent fraud
3. remember your preferences
4. perform analytics, including via tools such as Google Analytics.
5. You can control cookies through your browser settings. However, if you choose to disable cookies, some parts of our website or App may not function properly.
6. Some of our analytics and technology providers may be located, or store information, outside Australia. For more information, see “Overseas disclosures” above.

Security of your Personal Information

We protect your personal information from unauthorised access, misuse, and disclosure. With regards to personal information security, our focus is to ensure we take reasonable steps to protect personal information from misuse, interference, and loss, as well as unauthorised access, modification, or disclosure. Our security safeguards include taking reasonable steps to destroy or de-identify personal information it holds where:

a) we no longer need the personal information for any purpose for which the information may be used or disclosed by us; and
b) the information is not contained in a Commonwealth record; and
c) we are not required to retain that information under an Australian law, or a Court/Tribunal Order.

Data breaches

If we experience a data breach involving your personal information that is likely to result in serious harm to you, we will investigate the incident and notify you and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches scheme in the Privacy Act.

System security

When you transact with us, we encrypt data sent from your computer to our systems and payment providers. Where appropriate, we have firewalls, password protection, intrusion detection systems and virus scanning tools to protect against unauthorised persons and viruses accessing our systems. When personal information is transmitted to other websites, it is protected by encryption, using industry standard security measures to safeguard and protect your information. We also limit access by requiring the use of passwords and access control. We do not store credit card numbers in our systems

Destroying data when no longer required

Where practical, we keep information only for as long as required (for example, to meet legal requirements or our reasonable internal needs) and take reasonable steps to destroy or de-identify personal information.
If we receive unsolicited personal information that we do not need to deliver Products and Services to you (for example, in correspondence you send to us), we will, where reasonable to do so, destroy or de identify this information. Where information is retained, it will be subject to this Policy.

Payment Card Industry (PCI) Data Security Standard (DSS)

We comply with PCI/DSS standards (Standards) where applicable.  These Standards represent a common set of industry tools and measurements to help ensure the safe handling of sensitive information. The Standards provide an actionable framework for developing a robust account data security process – including preventing, detecting, and reacting to security incidents.

Training and education

We train and provide refreshers to our staff of their privacy obligations regarding your personal information. We specifically cover how we can collect, use, store and disclose personal information, and how we can handle personal information in day-to-day work in away that complies with the Privacy Act and the APPs. Training also covers agency obligations around storing personal information in a secure manner, the retention of personal information and destroying and/or de-identifying personal information. This allows us to educate our staff on identifying safe personal information handling practices.

Protecting your privacy

You can help us to protect your privacy by:

1. keeping your contact details up to date; and
2. observing our security requirements.

We require you to keep your personal identification number (PIN), passwords and access codes confidential and secure at all times. This means that you should not disclose your PIN, passwords or access codes to any other person.

You should contact us immediately if you:

1. believe that your PIN, passwords or access codes may have been compromised; or
2. would like to change your PIN or password

Our mobile application (App)

Our App is covered by this Privacy Policy to ensure we stay compliant with the Privacy Act and international privacy laws, as well as Apple App Store and Google Play Store terms and conditions (T&Cs). These T&Cs govern your use of the App and the products, features, apps, services, technologies and software we offer, except where expressly stated that separate terms (and not these) apply.

The T&Cs establish the rules users must follow when downloading and using the App and Karta reserves the right to:

1. Suspend or delete abusive accounts if they violate the T&Cs;
2. Update its terms regarding the operation of the App and establishes guidelines for dealing with consumer issues such as late delivery, payment problems and refunds;
3. Establish the jurisdiction in which laws govern the App; and
4. Specify the intellectual property rights and the actions taken where they are infringed.

To access and use the Products and Services, you must register for a Karta account (Account) by providing your full legal name, a valid email address, phone number and any other information indicated as required. Karta may reject your application for an Account, or cancel an existing Account, for any reason, in our sole discretion.

A breach or violation of any terms and conditions (as determined in the sole discretion of Karta) may result in an immediate termination of your Products and Services.

Reasonable use

Karta wants people to use the App to buy and expend our Product and Services on behalf of a recipient but not at the expense of the safety and well-being of others or the integrity of the Karta customers. You therefore agree not to engage in the conduct described below (or to facilitate or support others in doing so):

 1.   You may not use our Products and Services to do or share anything:
        a.   that violates these terms and conditions
        b.   that is unlawful, misleading, discriminatory or fraudulent
        c.   that infringesor violates someone else’s rights.  
 2.   You may not upload viruses or malicious code or do anything that could disable, overburden or         impair the proper working or appearance of our services.
 3.   You may not access or collect data from our Products and Services using automated means         (without our prior written consent) or attempt to access data you do not have permission to         access.
 4.   You cannot impersonate others or provide inaccurate information:
        a.   you do not have to disclose your identity on the Special platform but you must provide us               with accurate and up to date information (including email address).
        b.   you may not impersonate someone you are not; and
        c.   you cannot create an account for someone else or gift to someone else without having their               express permission or consenting to take responsibility for the provision of information and               indemnifying Special in relation to this information.
 5.   You cannot do anything to interfere with or impair the intended operation of the Products and         Services.
 6.   You cannot attempt to create accounts or access or collect information in an unauthorised way,         including creating accounts or collecting information in an automated way without our express         permission.

Trademarks

Trademarks, service marks and all graphical elements, including the look and feel appearing on the online and App services, are distinctive and protected trademarks or trade dress of Karta or its licensors. The online services may also contain various third-party names, trademarks and service marks that are the property of their respective owners.

Access, correction and deletion of your personal information

You may request access to the personal information that we hold about you or request that we correct any personal information that is inaccurate, out-of-date, incomplete, irrelevant or misleading by writing an email to contact details below and addressing to Privacy Officer.

You may request access to the personal information we hold about you, or request that we correct any personal information that is inaccurate, out of date, incomplete, irrelevant or misleading, by contacting us using the details below. We will respond to your request within a reasonable period.

If we refuse to give you access, or to correct your personal information, we will give you written reasons and information about how you can complain.

In some circumstances you may also ask us to delete your personal information. Where we are not required to retain the information under Australian law (for example, under anti money laundering or taxation laws), we will take reasonable steps to delete or de-identify it.

Contact details

Privacy Officer: privacy@karta.com.au
For general service complaints: support@karta.com.au

You may also update your personal information at any time or request access, correction or deletion by emailing privacy@karta.com.au.

How to make a complaint

If you wish to resolve an issue about the way in which we manage your personal information, please contact us directly on support@karta.com.au. If you are not satisfied with our response or would like to make a complaint, please ask the email to contact detail above and addressed to our Privacy Officer.

We will let you know if we need any further information from you to assist in investigating and resolving your complaint. We aim to resolve complaints as quickly as possible. We strive to resolve complaints within five business days, but some complaints take longer to resolve. If your complaint is taking longer, we will let you know what is happening and a date by which you can reasonably expect a response.

If you have followed these steps and are still not satisfied with the outcome, you can contact the Australian Information Commissioner as follows:

(Address) GPO Box 5218, Sydney NSW 2001

(Phone) 1300 363 992

(Email) enquiries@oaic.gov.au

(Website) www.oaic.gov.au (where you can make a complaint online)

Changes to this Privacy Policy

From time to time it may be necessary for us to review and revise our privacy policy to reflect company, client and regulatory feedback. We encourage you to periodically review the website and the Privacy Policy to be informed of how we are protecting your information. We will publish the updated version on our website and by continuing to deal with us, we confirm that you accept this Privacy Policy as it applies at that point in time. Alternatively, if you would like a copy of this Privacy Policy, please contact us.

Candidates and employees

How we collect information

If you are a candidate for employment or a prospective contractor, we may collect personal information about you when you complete forms or provide information to us in relation to the recruitment and selection process, for the purpose of assessing your application.

We may also collect information about you from your nominated referees, from relevant government departments (for example, to confirm your right to work in Australia) and from employee due diligence and background checking providers, where you have authorised us to do so.

Purpose

If you are a candidate for employment or prospective contractor, we collect, use and disclose your personal information to assess your suitability for a position at Karta or one of our related companies or brands. In addition, if you are an employee of the Group, we may contact you after your employment ends to conduct an exit survey.

Third parties and disclosure

If you are a candidate for an employment position involving a third party with whom we have an agreement, we may disclose your personal information to that third party to assess your application. We may also disclose your personal information to background checking providers, recruitment agencies and other third parties involved in the recruitment process where this is necessary to assess your application.

Your rights as a candidate

If you are a candidate for employment or a prospective contractor, you may contact us in relation to this Privacy Policy or to access, update or amend your personal information. The access, correction and complaints mechanisms described in this Policy also apply to candidates.

Current and former employees

This Privacy Policy does not apply to current and former employees of the Group, whose personal information is handled in accordance with our separate employee privacy notices. If you are a current or former employee and have a query about your personal information, please contact our People and Culture team.