Privacy Policy

This Privacy Policy outlines how Blink Pay Global Group Limited ("Blink Group") and its subsidiary Blink Pay NZ Limited (collectively "us", "our", or "we") collect, store, use, and protect your personal information when you use our payment services, including Blink PayNow and Blink AutoPay, or visit our websites.

Consent to Privacy Policy

By providing us with your personal information or by using our services, website, or associated services, you provide unconditional consent to the collection, storage, use, processing, and disclosure of your personal information in the manner set out in this Privacy Policy. This includes consent to process your information both directly and on behalf of the banks, organisations, and merchants we serve. If you do not agree with these terms, please do not use our services.

1. About Us

Blink Group provides finance and technology services to banks, organisations, and merchants through our "Blink Bills", "Blink Debit", "Blink PayNow", and "Blink AutoPay" services, as well as other integrations and services. We operate in New Zealand through Blink Pay NZ Limited and are bound by the New Zealand Privacy Act 2020 ("Privacy Act"). While our exposure to European Union ("EU") residents is limited, where applicable, we also consider requirements under the EU General Data Protection Regulation ("GDPR").

Important Note: Blink Group often processes personal data on behalf of banks, organisations, and merchants. In these cases, these organisations remain responsible for your personal data and its handling. If we are processing your personal data on behalf of another organisation, you must contact that organisation directly for any requests relating to your data and privacy rights.

2. Information We Collect

From Our Payment Services:

  • Bank account numbers and account holder information
  • Transaction details (amount, date, merchant information)
  • Payment reference information
  • Information required to process authorised banking data requests
  • Information you provide when contacting our support team, including name and contact details

From Our Websites:

  • IP addresses and browser information for security and analytics
  • Website usage patterns analysed through third-party services like Google Analytics
  • Information you provide through contact forms or support requests
  • Device information including operating system and browser type
  • Geographic location data

Automated Collection Methods:

We use cookies and similar tracking technologies to:

  • Monitor website performance and usage patterns
  • Improve website navigation and user experience
  • Maintain security and prevent fraud
  • Analyse the effectiveness of our services

You can control cookie settings through your browser preferences.

3. How We Handle Your Information

Purpose Limitation:

We collect and use your personal information only for purposes directly related to our core payment and banking services. Specifically, we will:

  • Only use your data for purposes outlined in this policy
  • Not use your information for purposes unrelated to our core services without your explicit consent
  • Not use your information for marketing purposes without your express permission
  • Limit data collection to what is necessary for providing our services

Payment and Banking Services:

  • We facilitate payments between you and merchants
  • We process banking data requests when authorised by you
  • We maintain records of transactions and authorisations
  • We verify information to prevent fraud
  • We handle support enquiries and resolve disputes
  • And for other activities that you consent to from time to time

Website Usage:

  • We analyse website traffic patterns using third-party analytics tools
  • We monitor site security and performance
  • We improve our services based on usage patterns

8. Data Security and Breach Notification

Security Certification and Controls:

We maintain ISO 27001 certification for Information Security Management, which includes:

  • Comprehensive information security risk management
  • Regular independent security audits
  • Employee security awareness training
  • Incident management procedures
  • Business continuity planning
  • Physical and environmental security controls
  • Access control and user authentication
  • Network and system security
  • Secure development practices

Technical Security Measures:

We implement robust security measures including:

  • SSL/HTTPS encryption for all data in transit
  • AES-256 encryption or stronger for data at rest
  • Industry standard authentication protocols (OAuth 2, OpenID Connect)
  • Regular vulnerability assessments and penetration testing
  • Strict access controls and monitoring
  • Multi-factor authentication where appropriate

Service Providers and Data Storage:

We use secure cloud services hosted by Amazon Web Services (AWS) primarily for personal data processing. All data is:

  • Stored in encrypted form
  • Processed by AWS acting solely as our agent
  • Protected by AWS's extensive security controls
  • Subject to strict contractual protections

Data Breach Response:

In the event of a privacy breach that has caused or may cause serious harm:

  • We will promptly investigate the breach and take remedial action
  • We will notify affected individuals and the Privacy Commissioner as required by the Privacy Act 2020
  • We will provide information about the breach and steps being taken
  • We will advise what actions individuals can take to protect themselves

We maintain a comprehensive data breach response plan that is regularly tested and updated.

5. Information Sharing and Disclosure

We may share your information with:

  • Banks and financial institutions to process payments
  • Merchants you are paying or who are providing a refund to you
  • Requestors of information that you consent to
  • Our authorised service providers who act solely as our agents
  • Regulatory authorities or law enforcement when required
  • Organisations we serve, to assist them in responding to legal or regulatory requests

Our service providers:

  • Act only on our instructions
  • Have no independent rights to your information
  • Are bound by strict confidentiality obligations
  • Must meet our security and privacy standards

When we process data on behalf of merchants or banks:

  • They remain the primary controller of your data
  • You should contact them directly for data-related requests
  • We will assist them in responding to authorised requests
  • We follow their instructions for handling your data in accordance with applicable laws

6. Data Retention

Our standard retention period is 5 years from the time we no longer have a relationship with you or the service is complete. However, specific retention periods apply to different types of data:

Retention by Data Type:

  • Anti-Money Laundering (AML) and Know Your Customer (KYC) data: 5 years (collected for merchant onboarding only)
  • Transaction data: Retained for the duration of our contractual obligation with the merchant
  • Technical logs: 2 years for security and audit purposes
  • Support communications: 2 years from last interaction

We follow data minimisation principles, meaning we:

  • Only collect and retain information necessary for specific purposes
  • Regularly review and assess the need to keep data
  • Securely delete or anonymise information when no longer needed
  • Remove personal identifiers when full records must be kept
  • Apply shorter retention periods where longer retention is not justified

In all cases, we retain only the minimum information necessary and securely delete information as soon as legal, contractual, or business requirements expire.

7. Your Rights and Data Access

Your Privacy Rights:

Where we hold and control your personal information directly, you have the right to:

  • Access your personal information
  • Request correction of inaccurate information
  • Opt out of any marketing communications
  • Request restrictions on certain types of data processing
  • Make a complaint about our handling of your information
  • Be notified of privacy breaches that may cause serious harm
  • Request information about how your data is being used

Processing Restrictions:

You may request restrictions on processing your personal information in certain circumstances, such as:

  • While we verify the accuracy of your information
  • Where the processing is unlawful but you don't want deletion
  • Where you need the data for legal claims

For Information We Process on Behalf of Others:

As mentioned above, we primarily process personal data on behalf of banks, organisations, and merchants when providing our various services (Blink Bills, Blink Debit, Blink PayNow, Blink AutoPay, and other integrations). In these cases:

  • The bank, organisation, or merchant remains responsible for your personal data
  • You must contact these organisations directly for any requests about your data
  • We will assist these organisations in responding to authorised requests as required

For Information We Control:

Where we hold and control your personal information directly:

  • We will address authorised requests promptly per New Zealand law
  • You may request access to or correction of your personal information
  • You may make a complaint about our handling of your information

9. Making a Request About Your Information

Request Process:

To make a request about your personal information:

  1. Contact our Privacy Officer using the details provided below
  2. Provide sufficient information to identify yourself
  3. Clearly state the nature of your request
  4. Allow up to one month for us to process your request

Identity Verification:

To protect your privacy, we must be satisfied that you are who you say you are before processing any request. We may require:

  • Official identification documents
  • Proof of address
  • Other relevant documentation

Request Conditions:

We may decline requests where:

  • We are not the organisation you have a direct relationship with
  • Your identity cannot be verified
  • The request is manifestly unfounded or excessive
  • The request would infringe others' rights
  • We are legally prevented from disclosing the information
  • The information is commercially sensitive

Response Timeframes:

  • We will acknowledge your request within 5 working days
  • We aim to fully respond within 20 working days
  • Complex requests may take up to one month
  • We will inform you if we need more time

10. Complaints and Concerns

If you have concerns about how we handle your information:

  1. Contact our Privacy Officer at privacy@blinkpay.co.nz
  2. Provide details of your concern
  3. Allow us reasonable time to investigate and respond
  4. If unsatisfied, you may contact the New Zealand Privacy Commissioner

11. Changes to this Policy

We may update this Privacy Policy at any time at our discretion. Changes take effect immediately once published on our website. For material changes, we will notify merchants who can then inform their customers as appropriate.

Last updated: 14 November 2024