Dated December 2025
Introduction
545490 Pty Ltd trading as Karta Co, ABN 83 648 605 225 (Karta, us, we, our), and all its related companies, are committed to protecting your privacy. We maintain robust physical, electronic, and procedural safeguards to protect personal information. This Privacy Policy applies to the Karta website, our mobile applications and products and services, and governs data collection and usage. We adopted this Privacy Policy (Policy) to manage personal information in an open and transparent manner for use on the website and our mobile applications in relation to any products and our services (Products and Services).
We are bound by the Privacy Act 1988 (Cth) (as amended from time to time) (Privacy Act) and will protect personal information we collect from you, or that you provide to us, in accordance with the Australian Privacy Principles as set out in the Privacy Act (APPs). The APPs govern how we collect, use, store and disclose your personal information, as well as how we ensure the quality and security of your personal information.
What is personal information?
Personal information includes any information or opinion about an identified individual, or an individual who can be reasonably identified from that information.
Personal Information may include the following:
a. name;
b. address;
c. telephone number;
d. email address;
e. date of birth;
f. gender;
g. marital status;
h. occupation;
i. bank account details;
j. contact details; and/or
k. any other information we consider necessary to carry out our functions and activities.
How do we collect personal information?
We are an issuer of products and services in Australia, and the main functions and activities we perform as a program manager include, but are not limited to:
• Card issuing, payment clearing and settlement;
• Platform Hosting and transaction processing;
• Application support and development;
• Program maintenance and reporting;
• Account management services;
• Cardholder and card program customer service; and
• Fraud and transaction monitoring.
Collectively, Products and Services.
We usually have direct contact with the individual cardholder, but we may also need to collect personal information about you from other people or organisations. This may happen without your direct involvement. For instance, we may collect personal information about you from other organisations, who jointly with us, provide Products or Services to you.
The circumstances in which we will collect personal information about you, as the cardholder, include when:
• you contact us;
• you create an account or activate a Card, as defined in our Terms and Conditions; or
• you use a Card for transactions and balance enquiries.
What personal information do we collect?
We collect and/or record the following types of personal information:
• The personal information you have provided to us through our online Products and Services;
• card activation process including:
• e-mail address;
• name; and
• telephone number.
There is also information about your computer hardware and software that is automatically collected by us. This information can include:
• your IP address;
• browser type;
• domain names;
• device details;
• access times; and
• Information we receive from third parties including:
• card program sponsors; and
• credit bureaus and information services and other aggregation businesses, regarding verification of identification details.
Throughout the life of your Product or Services, we may collect and hold additional personal information about you. This could include transaction information or making a record of queries or complaints you may make.
For what purposes do we collect, store, use, and disclose personal information?
We collect, use, store and disclose personal information to provide you with Products and Services.
This includes:
• checking whether you are eligible for the Product or Services;
• for direct marketing purposes;
• providing the Product or Services; and
• assisting you with your inquiries or concerns.
We may also collect, use, and exchange your information so that we can:
• establish your identity;
• manage our risks and help identify and investigate illegal activity, such as fraud;
• contact you;
• comply with our legal obligations and assist government and law enforcement agencies or regulators;
• conduct research and training; or
• provide general statistics regarding use of our website.
We encourage you to review the privacy statements of websites you choose to link to, so that you can understand how those websites collect, use and share your information. We are not responsible for the privacy statements or other content on websites other than our own website.
We only retain personal data for so long as it is necessary in accordance with the time frames stipulated in the laws that impact us, such as privacy, anti-money laundering and counter-terrorism and tax laws. For example, we may require your personal information to be collected and verified under the Anti-Money Laundering & Counter-Terrorism Financing Act 2006 (Cth).
Sharing your information with related entities and third parties
We may share your personal information within Karta and its related companies (Group). This helps us to:
• provide you with information about other Products and Services within the Group;
• verify your personal information; and
• offer a streamlined customer experience across our Group and entities.
The information shared will depend on the Product or Services you have with us, and the related corporate entity you're dealing with.
From time to time, we also need to share your information with third parties outside of our corporate entities that help us provide the Product or Services to you.
For your security, we always take measures to ensure our service providers take appropriate steps to protect that information, and restrict the way they can use it.
For instance, to protect your personal information, we select providers that we reasonably expect to comply with the Privacy Act and to only use the personal information we disclose to them for the specific role we ask them to perform.
We also have agreements in place which set out the terms we expect our service providers and related entities to comply with.
Is the information disclosed to third parties?
We may disclose your personal information to third parties:
• who are service providers, contractors, or card program sponsors of ours;
• to facilitate the operation of the card and the completion and settlement of transactions using the card;
• for anti-money laundering and counter-terrorism financing requirements, the detection of crime, legislative and compliance regulations, and fraud prevention purposes; and
• when required or allowed by law.
When your personal information is shared with service providers or contractors, it will only be to the extent reasonably necessary for the purpose of the services they are contracted to provide.
When your personal information is shared with program sponsors, it will only be to the extent reasonably necessary for the purpose of performing:
• any necessary cardholder customer support;
• conducting statistical analysis; or
• improving their product, services, and practices.
We may also disclose Personal Information to other third parties in circumstances where:
• We must fulfil our legal obligations (for example, disclosure to Australian (and international) enforcement bodies such as the Australian Securities and Investments Commission (ASIC), the Australian Taxation Office (ATO), the Australian Transaction Reports and Analysis Centre (AUSTRAC) or the Courts);
• It is in the public interest (that is, to protect our interests or where we have a duty to the public to disclose, or where it is necessary in proceedings before a court or tribunal) and where a crime or fraud is committed or is suspected; or
• It can be reasonably inferred from the circumstances that the Cardholder has consented to their Personal Information being disclosed to a third party.
We do not use or disclose the Personal Information for any other purpose unless one of the following applies:
• The individual has consented;
• the individual would reasonably expect us to use or disclose the Personal Information for a purpose that is related to the primary purpose;
• for insurance purposes;
• for external dispute resolution schemes;
• to liaise with fraud bureaus or other organisations to identify, investigate or prevent fraud or other misconduct; or
• for use or disclosure as required under Australian law.
We do not disclose personal information to overseas recipients. We will only send your personal information outside Australia, where, for example:
• You have requested or consented to us sending your Personal Information;
• We outsource a function or service to an overseas contractor with whom we have a contractual relationship; and
• We will not send your personal information outside Australia unless it is authorised by law, and we are satisfied that the recipient of the Personal Information has adequate data protection arrangements in place.
Where we disclose Personal Information about an individual to a recipient who is not in Australia, we must ensure that the overseas recipient does not breach the APPs. We will continue to keep your personal information as is reasonably necessary, for the purposes mentioned above, after the expiry of the Card.
We may collect, use, or disclose sensitive personal information, such as race, religion, or political affiliations. Sensitive information is a sub-set of personal information and is given a higher level of protection under the privacy principles. Unless required by law, we will only collect sensitive information with your consent. Sensitive information is information about a person’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or trade union, sexual preferences or practices, criminal record, health information, genetic or biometric information.
When we disclose or store information overseas, we take reasonable steps to ensure that your information is provided with the same level of protection as it is within Australia. We do this by only engaging with third parties located in a country which we believe has similar privacy laws to Australia, or by ensuring the third party can provide the same level of protection consistent with our Privacy Act. We also have agreements in place which set out the terms we expect them to comply with, which include compliance with privacy and other Australian laws. Before, and during the agreement, we may ask for information to satisfy ourselves that they can and are complying with the terms of the agreement.
Your consent is important
We may require your consent to use and/or disclose your information in particular ways. We need your consent if we use your information for a purpose that is not related to the purpose for which we collected your information in the first instance. Depending on the circumstances, this consent may be express (for example, you expressly agree to the specific use of your information by ticking a box) or implied by some action you take or do not take (for example your agreement is implied by the fact that you have agreed to your product terms and conditions which contains information about the use or disclosure of the information).
Do we collect personal information electronically?
Each time you visit our website, we collect information about your use of the website, which may include the following:
• The date and time of visits;
• Which pages are viewed;
• How users navigate through the site and interact with pages;
• Information about the device used to visit our website; and
• IP addresses.
This information is obtained using Google Analytics. Our website does not use cookies or collect personal information or data.
Security of your Personal Information
We protect your personal information from unauthorised access, misuse, and disclosure. With regard to personal information security, our focus is to ensure we take reasonable steps to protect personal information from misuse, interference, and loss, as well as unauthorised access, modification, or disclosure. Our security safeguards include taking reasonable steps to destroy or de-identify personal information we hold where:
a) we no longer need the personal information for any purpose for which the information may be used or disclosed by us; and
b) the information is not contained in a Commonwealth record; and
c) we are not required to retain that information under an Australian law, or a Court/Tribunal Order.
System security
When you transact with us, we encrypt data sent from your computer to our systems and payment providers. Where appropriate, we have firewalls, password protection, intrusion detection systems and virus scanning tools to protect against unauthorised persons and viruses accessing our systems. When personal information is transmitted to other websites, it is protected by encryption, using industry standard security measures to safeguard and protect your information. We also limit access by requiring the use of passwords and access control. We do not store credit card numbers in our systems.
Destroying data when no longer required
Where practical, we keep information only for as long as required (for example, to meet legal requirements or our reasonable internal needs) and take reasonable steps to destroy or de-identify personal information. The same concepts apply where we receive unsolicited personal information that we do not need to deliver Products and Services to you (i.e. in a correspondence you have sent to us), we will, where reasonable to do so, destroy and de-identify this information. Where information is retained, it will be subject to this Privacy Policy.
Payment Card Industry (PCI) Data Security Standard (DSS)
We comply with PCI/DSS standards (Standards) where applicable. These Standards represent a common set of industry tools and measurements to help ensure the safe handling of sensitive information. The Standards provide an actionable framework for developing a robust account data security process – including preventing, detecting, and reacting to security incidents.
Training and education
We train and provide refreshers to our staff on their privacy obligations regarding your personal information. We specifically cover how we can collect, use, store and disclose personal information, and how we can handle personal information in day-to-day work in a way that complies with the Privacy Act and the APPs. Training also covers agency obligations around storing personal information in a secure manner, the retention of personal information and destroying and/or de-identifying personal information. This allows us to educate our staff on identifying safe personal information handling practices.
Protecting your privacy
You can help us to protect your privacy by observing our security requirements and contacting us immediately if your contact details change. We require you to keep your personal identification number (PIN), passwords and access codes confidential and secure at all times. This means that you should not disclose your PIN, passwords, or access codes to any other person. You should also contact us immediately if you believe that your PIN, passwords, or access codes may have been compromised or if you would like to change your PIN or password.
Our mobile application (App)
Our App is covered by this Privacy Policy to ensure we stay compliant with the Privacy Act and international privacy laws, as well as Apple App Store and Google Play Store terms and conditions (T&Cs). These T&Cs govern your use of the App and the products, features, apps, services, technologies and software we offer, except where expressly stated that separate terms (and not these) apply.
The T&Cs establish the rules users must follow when downloading and using the App and Karta reserves the right to:
• Suspend or delete abusive accounts if they violate the T&Cs;
• Update its terms regarding the operation of the App and establish guidelines for dealing with consumer issues such as late delivery, payment problems and refunds;
• Establish the jurisdiction in which laws govern the App; and
• Specify the intellectual property rights and the actions taken where they are infringed.
To access and use the Products and Services, you must register for a Karta account (Account) by providing your full legal name, a valid email address, phone number and any other information indicated as required. Karta may reject your application for an Account, or cancel an existing Account, for any reason, in our sole discretion.
A breach or violation of any terms and conditions (as determined in the sole discretion of Karta) may result in an immediate termination of your Products and Services.
Reasonable use
Karta wants people to use the App to buy and expend gift card services on behalf of a recipient but not at the expense of the safety and well-being of others or the integrity of the Karta customers. You therefore agree not to engage in conduct described below (or to facilitate or support others in doing so):
Trademarks
Trademarks, service marks and all graphical elements, including the look and feel appearing on the online and App services, are distinctive and protected trademarks or trade dress of Karta or its licensors. The online services may also contain various third-party names, trademarks and service marks that are the property of their respective owners.
Access to your personal information
You are entitled to ask us to supply you with any personal information that we hold about you. You must submit your request in writing by email to privacy@karta.com.au, addressed to the Privacy Officer.
We maintain the quality of your personal information by taking reasonable steps to ensure that the information collected, used, and disclosed is accurate, complete, and up to date. Alternatively, you may also update your personal information at any time by emailing support@karta.com.au directly.
Privacy Enquiries
If you need to resolve an issue or make a complaint about how we collect, use or store your personal information, please contact us directly at privacy@karta.com.au addressing your complaint to the Privacy Officer or alternatively at support@karta.com.au.
How to make a complaint
If you wish to resolve an issue about the way in which we manage your personal information, please contact us directly on support@karta.com.au. If you are not satisfied with our response or would like to make a complaint, please ask for the email to be addressed to our Privacy Officer.
We will let you know if we need any further information from you to assist in investigating and resolving your complaint. We aim to resolve complaints as quickly as possible. We strive to resolve complaints within five business days, but some complaints take longer to resolve. If your complaint is taking longer, we will let you know what is happening and a date by which you can reasonably expect a response.
If you are not satisfied with our response or prefer to raise a complaint with our Privacy Officer directly, please email privacy@karta.com.au.
If you have followed these steps and are still not satisfied with the outcome, you can contact the Australian Information Commissioner as follows:
(Address) GPO Box 5218, Sydney NSW 2001
(Phone) 1300 363 992
(Email) enquiries@oaic.gov.au
(Website) www.oaic.gov.au (where you can make a complaint online)
Changes to this Privacy Policy
From time to time it may be necessary for us to review and revise our privacy policy to reflect company, client and regulatory feedback. We encourage you to periodically review the website and the Privacy Policy to be informed of how we are protecting your information. We will publish the updated version on our website and by continuing to deal with us, we confirm that you accept this Privacy Policy as it applies at that point in time. Alternatively, if you would like a copy of this Privacy Policy, please contact us.
Candidates and employees
How we collect information
If you are a candidate for employment or prospective contractor, when you complete forms in relation to the recruitment and selection process, for the purpose of assessment.
Purpose
If you are a candidate for employment or prospective contractor, to assess your suitability for a position at Karta or one of our related companies or brands. In addition, if you are an employee of the Group, we may contact you after your employment ends to conduct an exit survey.
Third Parties
If you are a candidate for employment or prospective contractor, we may collect information about you from your nominated referees, confirm working rights with the relevant government departments, and complete employee due diligence screening, where you have authorised us to do so.
Disclosure
If you are a candidate for an employment position involving a third party with whom we have an agreement, to that third party to assess your application.
If you are a candidate for employment, you may alternatively contact us in relation to this Privacy Policy or to access, update or amend your personal information. This Privacy Policy does not apply to current and former employees of the Group. If you are a current or former employee and have a query about your personal information, please contact our Leadership team.