Zeller UK Limited (‘Zeller UK’) Privacy Notice

1. About this Privacy Policy

This section describes the purpose of this document and explains which entities this Privacy Notice applies to.

This Privacy Notice applies to individuals who are, or represent, current or potential customers, suppliers, and job applicants of Zeller UK. If you are dealing with Zeller Holdings Pty Ltd, the Privacy Notice applicable to you is www.myzeller.com/au/privacy.
Zeller UK as the data controller (we, us or our) has implemented this Privacy Notice to provide information about what kinds of Personal Data we collect, hold, and otherwise process about you, and describes how we collect, hold, use, disclose, share, or otherwise process that Personal Data, along with your choices you have regarding our use of that Personal Data, and your ability to access or correct that Personal Data. If you wish to make any inquiries regarding this Privacy Notice, you should contact our Privacy Officer in any of the ways specified in paragraph 14.
Zeller UK is part of a global group of companies and is related to other companies and entities in the UK and elsewhere (related entities). This Privacy Notice applies to the use of your Personal Data by us and by those related entities.

2. Personal Data

This section explains what is meant by "Personal Data".

"Personal Data" is information, including opinions, whether true or not about an identified or identifiable individual. This includes data such as your name, date of birth and address, as well as any Zeller UK account details, amongst other things.

3. What Personal Data do we collect and how do we use it?

This section explains generally the types of Personal Data we collect and who we generally collect that Personal Data from and how we use it.

The types of Personal Data we collect about you will depend upon the nature of our interaction with you. The Personal Data that we collect, and the purposes for which we collect that information, is summarised below:

Individuals	Processing Purpose	Categories of Data
Individuals who are, or represent, our customers and potential customers (merchants)	to communicate with you, including when you contact us or when we need to contact you	name, email address, phone number
	to conduct identity verification checks	name, date of birth, contact details, current and previous addresses, identification document numbers such as passport or driver’s licence number, biometric data (facial images)
	to comply with our obligations in relation to sanctions screening and anti-money-laundering	name, date of birth, residential address, identification document such as passport, transaction details, account information
	to assess your application for our products and services, including through credit checks	(i) application status, (ii) name, date of birth, residential address, (iii) driver’s licence number, passport number, (iv) companies owned by or associated with you, financial account details including bank and utility company statements, invoices relating to card transactions, geographical location, photograph,
	to protect you and our services against fraud, theft and other unauthorised uses: including undertaking fraud monitoring and identification, and fraud analysis, risk assessment and fraud risk management	(i) transaction data, (ii) device and user metadata including details about the type of device you are using and your connection status (iii) biometric data (facial images)
	to assist you or to provide, manage and support your Zeller UK products and services: including account creation, administration and management;	(i) name, email address, password, (iii) account balance and transaction details, Zeller UK terminal telemetry data
	to provide customer support to you	(i) name, phone number, email address, (ii) call logs and recordings, (iii) SMS or email correspondence with you
	to process payments to or from you, including card payments and direct debit authorities	(i) cardholder name, expiry date, service code, card verification value (CVV), physical address (ii) transaction data including acquired card, QR code, Buy Now Pay Later, and spent card transaction data
	to improve our services and for new product development	feedback you submit to us, data about your navigation through our Website and use of our products and services
	to market our services	(i) data about whether you have interacted with our ads (ii) data about your behaviour when accessing our Website (including as described in paragraph 5 below)
	to enable multi-factor authentication when you access your account	phone number
Individuals who are, or represent, our merchants' customers	to send electronic receipts to you, where you request an electronic receipt	contact details (phone number and email)
	to process transactions made to Zeller UK merchants through Zeller UK technologies	transaction data, including acquired card, QR code, Buy Now Pay Later, and spent card transaction data
	to improve our products and services	transaction data, including acquired card, QR code, Buy Now Pay Later, and spent card transaction data
Individuals who are, or represent, our investors	to administer your investment in Zeller UK	your name, email address, and shareholding
Individuals who are, or represent, our suppliers and potential suppliers:	to contact you in relation to our use (or potential use) of your company’s products and services	business contact information (name, role, business email address and phone number)
Individuals who are, or represent, job applicants	to assess your application for employment	(i) occupation and employment details including employment status and any previous work experience; and information from or in connection with your resume or job application if you apply for a position with us (including information from referees and to verify your qualifications, work and academic history) (ii) contact details such as email address
Individuals who visit Zeller UK premises	to ensure the security of Zeller UK premises	(i) CCTV footage of Zeller UK premises (ii) the name and role of visitors to Zeller UK premises

4. How and when do we collect Personal Data?

This section describes the general situations and interactions through which we collect Personal Data. It also describes some scenarios where we will collect your Personal Data from other people or sources. This section also describes the consequences if we are unable to collect Personal Data.

We collect your Personal Data, as outlined above, to allow us to conduct our business functions, to provide, market and sell our products and services and for the specified purposes set out in paragraph 6. In some circumstances the collection of Personal Data is required by law.
We may collect your Personal Information:
1. when you apply for our products: when a potential merchant or their representative submits an application for our products, including providing personal information so we can perform an identity verification check on you; or when you request general information about our products
2. when you use our products: when a merchant or their representative uses our products, we collect information about that use, including via remote readings of device telemetry (typically hardware sensor information) from our products/devices
3. when you interact with our services (other than our products): when our merchants' customers or their representatives interact with Zeller UK devices and technologies we collect information about that use, including via remote readings of device telemetry(typically hardware sensor information) from our products/devices; and when you visit our Website (see paragraph 5)
4. when we receive goods and services from you: when you provide that personal information to allow us to communicate and manage our relationship with your business or the business of your employer, we collect basic contact information
5. when you attend our premises: when you visit or attend our premises we may collect visitor information and information from our security cameras and systems, and
6. when you manage your relationship with us directly or as a representative of your employer, or otherwise communicate or interact with us: for example, when you provide feedback or information to us; when you submit a job application; or when you otherwise contact us by any means.
Generally, when providing our products and services, dealing with our personnel, or obtaining goods and services from our service providers, suppliers or contractors, we collect Personal Data directly from the relevant individual where reasonable and practicable.
We may also collect Personal Data about you from third parties and other sources such as:
1. resellers from whom you have acquired Zeller UK services,
2. identity verification service providers, who in turn may access third party databases, document issuers, official record holders, DVS and other sources in order to perform identity verification services,
3. your nominated representatives (eg spouse, accountant, power of attorney, brokers and other professional advisors),
4. publicly available sources of information,
5. related entities, companies and businesses of Zeller UK, or
6. credit checking entities bodies,
but we will only collect your Personal Data in this way if it is a legal requirement for us to do so, or if it is unreasonable or impracticable to collect this information directly from you or if we are otherwise permitted to do so.
If we do not or are unable to collect the Personal Data we require, either directly or via other sources, we may not be able to provide you with some requested information, products or services, or to effectively conduct our relationship with you or your employer entity.

5. Information collected via our Website and other technology.

This section describes the ways we may automatically collect information (including Personal Data) through the operation of our Website and other technologies.

Personal Data may be collected by us and by our third party service providers who assist us in operating our website at https://myzeller.com/gb, including its/their subdomains and any other website we operate from time to time (collectively the Website).
We use various technological methods, including cookies, to track the visiting patterns of individuals accessing our Website or using our technology including as set out in our cookie notice available at cookie policy page.

6. What is our legal basis for using your Personal Data?

This section describes the legal bases for which we collect Personal Data.

We use the Personal Data we collect about you for our business functions and activities, in order to operate our business efficiently, and to market our products and services, for the benefit of our customers, as described in paragraph 3 above.
Our legal basis for processing this data is as follows:

Category of individual	Purposes of processing	Legal basis for processing
Our customers and potential customers (merchants):	To communicate with you: including when you contact us or when we need to contact you	Our legitimate interest in communicating with you about Zeller UK services, including providing customer support.
	To conduct identity verification checks	(i) Where checks are required by law, our legal obligations in relation to customer identity verification and money-laundering, including under the UK Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and the Sanctions and Anti-Money Laundering Act 2018 (SAMLA). (ii) Where checks are not required by law, our and our customers’ legitimate interests in preventing the fraudulent use of Zeller services, safeguarding both the company and its customers from identity theft and financial crime. (iii) On the basis of the substantial public interest condition for preventing fraud.
	To comply with our obligations in relation to sanctions screening and anti-money-laundering	Our legal obligations in relation to customer identity verification and money-laundering, including under the UK Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and the Sanctions and Anti-Money Laundering Act 2018 (SAMLA).
	To assess your application for our products and services, including through credit checks	Our legitimate interests in ensuring that recipients of our services are of suitable credit.
	To protect you and our services against fraud, theft and other unauthorised uses: including undertaking fraud monitoring and identification, and fraud analysis, risk assessment and fraud risk management	Our, and our users’ legitimate interests in ensuring that our platform is not used for fraudulent purposes. On the basis of the substantial public interest condition for preventing fraud.
	To assist you or to provide, manage and support your Zeller UK products and services: including account creation, administration and management;	Our legitimate interests in providing Zeller UK services to you.
	To provide customer support to you	Our legitimate interests in providing customer support to you.
	To process payments to or from you, including card payments and direct debit authorities	Our, and our customers’, legitimate interest in facilitating payments using the Zeller UK platform.
	To improve our services and for new product development	Our legitimate interests in meeting the needs of our customers and improving the quality of Zeller UK services over time.
	Information for marketing our services	Our legitimate interests in making more users aware of Zeller UK products and services.
	To enable multi-factor authentication when you access your account	Our and our customers’ legitimate interests in ensuring that Zeller UK accounts are secure.
Our merchants’ customers	To send electronic receipts to you, where you request an electronic receipt	Our legitimate interest in providing an electronic receipt to you where requested.
	To process transactions made through Zeller UK technologies	Our, and our customers’ legitimate interest in facilitating payments using the Zeller UK platform.
	To improve our products and services	Our legitimate interests in meeting the needs of our customers and improving the quality of Zeller UK services over time.
Our investors and shareholders	To administer your investment in Zeller UK	Our legitimate interests in coordinating and communicating with shareholders in Zeller UK.
Our suppliers, potential suppliers, and their representatives:	To contact you in relation to our use (or potential use) of your company’s products and services	Our legitimate interests in communicating with you about your partnership with, or provision of products and services to, Zeller UK.
Job applicants	To assess your application for employment	Our legitimate interests in receiving and assessing applications for employment with Zeller UK.
Visitors to Zeller UK premises	To ensure the security of Zeller UK premises	Our legitimate interests in ensuring the security of our premises, including as required by payment industry security standards.

7. When do we share or provide access to your Personal Data?

This section describes the situations in which we may share or provide access to your Personal Data to others, including a list of the types of third parties to whom we may share or provide access to your Personal Data.

Depending on the circumstances and the nature of your engagement with us, we may disclose your Personal Data to our related entities, to third parties that provide products and services to us or through us, or to other third parties (such as your referee(s) in connection with a job application you have submitted) as described in paragraph 7.2 and in connection with the purposes described in paragraph 6.
Specifically, we may disclose your Personal Data to:
1. other parts of our organisation: including our internal teams and business units, and our related companies
2. your nominated representatives
3. third parties involved in providing our services to you: such as payment scheme operators (such as Visa, MasterCard, EFTPOS, American Express, ChinaPayments (AliPay and WeChat Pay), Zip Money); acquiring banks or acquiring payment processing service providers; prepaid issuing programme partners; direct entry processing service providers; and third party identification service providers who may disclose your Personal Data to document issuers or official record holders, and check with other third party databases, in order to verify your identity. In connection with their provision of these services, these third parties may also require access to Personal Data, merchant and transactional data to carry out audits of Zeller UK in connection with our provision of products and services, including to merchants
4. mobile device manufacturers: such as Apple, who we may provide your Personal Data to in order to set up your mobile device for Mobile Device Acquiring Services and in connection with the provision of those services to you. The relevant mobile device manufacturer may also collect and handle Personal Data about you when you use and access certain features of your mobile device while using particular Zeller UK products. In addition to Zeller UK's use of the Personal Data available to it arising from your use of Zeller UK products and the associated Mobile Device Acquiring Services, the collection and handling of your Personal Data by those mobile device manufacturers will be subject to the relevant mobile device manufacturer's own privacy policy and any terms and conditions or other agreements they have with you'
5. our other supply chain partners and vendors: who supply us goods and services or assist us in providing products and services to you; or who help us administer our business (such as data storage or processing (including in cloud based data storage facilities or through cloud computing service providers), printing, mailing, marketing, planning and product or service development), banks, lenders, valuers, insurers, brokers and other IT service providers; medical providers including medical and rehabilitation practitioners for assessing and managing workplace insurance claims (in respect of our employees); employment agencies (in respect of candidates or employees they have supplied or may supply to us); and purchasers of bad debt owed by a merchant to Zeller UK, to allow those purchasers to recover those debts
6. our professional advisers: who provide advice or perform functions on our behalf, such as lawyers, auditors and business consultants
7. law enforcement, regulatory and government bodies: such as regulatory authorities, law enforcement agencies, and other authorities or organisations as required or authorised by law (such as the Financial Conduct Authority, HMRC, and the Police), and
8. Cifas: we share your personal information with fraud prevention agencies who will use it to prevent fraud and money-laundering, and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by these fraud prevention agencies, and your data protection rights, can be found at http://www.cifas.org.uk/fpn.
As we continue to develop our business, we may buy, invest in, merge or partner with other companies or organisations, and in so doing, acquire customer Personal Data. In such transactions, Personal Data may be among the transferred assets. Similarly, in the event that a portion or substantially all of our business or assets are sold or transferred to a third party, or new investments are made in Zeller UK, we may also disclose certain information including your Personal Data to a purchaser, potential purchaser, or potential investor in connection with the sale, potential sale, or investment, of us, our business or any of our assets, including in insolvency, subject to our obligations under the GDPR.

8. Overseas disclosures

This section describes when your Personal Data may be transferred overseas (outside of the UK). It specifies the countries or regions where our IT facilities are located or in which third parties who receive that Personal Data from us are located.

We are a global organisation and will collect, use and disclose Personal Data within both the UK and other countries.
In particular, your Personal Data may be disclosed to third parties in Singapore, US, Ireland, India, the Philippines, Ukraine and Europe, and such other countries or regions, in which those parties or their, or our, computer systems may be located from time to time, where it may be used for the purposes described in this Privacy Notice. Where such parties are located overseas in a country whose privacy regulations are not considered by the UK government to be “adequate”, we will put in place appropriate safeguards in the form of the UK’s approved data transfer clauses.
Some of your Personal Data may also be disclosed, transferred, stored, processed or used overseas by us, or by third party service providers. This will happen where:
1. our offices or related entities are overseas
2. we outsource certain activities overseas
3. transactions, information, services or products have an overseas connection, or
4. our computer systems (including third party IT service providers we may use from time to time) including IT servers are located overseas.

9. Storage and security of Personal Data held by us

This section explains our security practices and that we may destroy or de-identify Personal Data once we no longer require or have no further need for it.

We aim to keep your Personal Data secure. We are PCI PIN and DSS compliant, which require us to maintain industry standards relating to data protection and security. Any Personal Data that is held on our computer systems is protected by safeguards including physical, technical (firewalls, SSL encryption etc) and organisational methods.
We retain and dispose of your Personal Data in accordance with our document and information retention policies and procedures as set out in the following table. If we find that we no longer require or have no further need for your Personal Data we will anonymise it or delete it from our systems.
We retain your Personal Data for as long as is necessary to achieve the purposes for which we collected that Personal Data, or for such longer period as required by law or to protect our legal interests. This period will generally be:
1. In relation to data of Zeller UK customers, 5 years from the end of our relationship with you, other than screening data which is retained for 5 years from the completion of the screening check.
2. In relation to customer support and marketing data, 5 years from the date the support query or marketing communication was sent.
3. In relation to job applications, 7 years from the end of the recruitment process.
4. In relation to transaction data of customers of our merchants, 5 years from the date of the transaction.
5. In relation to our investors and shareholders, 5 years from the end of the shareholding.
6. In relation to suppliers and their representatives, 5 years from the last interaction with that supplier.
7. In relation to screening data of people who have applied to become Zeller UK customers, 18 months from the date of the screening search.
8. In relation to CCTV footage, 9 months.

10. Automated decision-making

We use automated decision-making in two distinct circumstances, as set out below:
1. When credit assessing your application to use our products or services. If this assessment determines that you credit is insufficient, we will not be able to provide services to you. These assessments are necessary for us to enter into contracts with you. This assessment considers factors including your income, your outgoings, and your history of keeping up with repayments.
2. monitoring your use of our products or services for indications of fraud or money-laundering. These assessments are necessary for us to meet our legal obligations under UK financial services law. This assessment considers factors including the frequency, time, location, amount, and destination of payments made to or from your accounts.
If you object to an automated decision, you can contact us as specified in paragraph 14.

11. You have rights in relation to your data

This section explains that you have rights in relation to your Personal Data, and describes how you can exercise those rights.

You are generally entitled to access Personal Data that we hold about you. If you request access to your Personal Data, we will give you full access to a copy of your Personal Data, unless an exemption applies.
If you are a customer of Zeller UK, you can access and correct some of your Personal Data and other merchant information through self-service by logging into Zeller UK's Merchant Portal and updating or editing that information at any time. Alternatively, a request for access or correction can be made by contacting us as described in paragraph 14.
We take all reasonable steps to ensure that any Personal Data we collect and use is accurate, complete and up-to-date. To assist us in this, you should provide true, accurate, current and complete information about yourself as requested, and properly update the information provided to us to keep it true, accurate, current and complete. You also have a right to correct information held by us; you can contact us as specified in paragraph 14.
In addition, in you also have the right to request that we delete all or some of your Personal Data held by us, object to our processing of your data based on legitimate interests, to request your data in a portable format, and to withdraw your consent to our processing at any time where we have relied on your consent to process that Personal Data. To exercise these rights, you can contact us as specified in paragraph 14.
It would assist us to ensure we properly understand your request, and allow us to respond more promptly, if requests are made in writing and include as much detail as possible.

12. How do we deal with complaints about privacy?

This section explains how you may make a complaint in respect of our processing of your Personal Data, and how we will deal with complaints.

If you feel that we have not respected your privacy or that we have conducted ourselves inconsistently with this Privacy Notice, please contact our Privacy Officer in any of the ways specified in paragraph 14 and advise us as soon as possible. We will investigate your queries and privacy complaints within a reasonable period of time depending on the complexity of the complaint.
It would assist us to respond to your complaint promptly if it is made in writing. Please detail information relevant to your complaint.
We will notify you of the outcome of our investigation.

13. Updates to this Privacy Notice

This section explains that we can make updates to this Privacy Notice, how we may notify you about those updates, and how you may otherwise ensure you are aware of our most recent version of this Privacy Notice.

We may, from time to time, review and update this Privacy Notice, including to take into account new laws, regulations, practices and technology. All Personal Data held by us will be governed by our most recent Privacy Notice, posted on our Website at: www.myzeller.com/privacy. Any changes to this Privacy Notice will be advised to you by updating this page on our Website and by notifying you in advance of those changes by email. We will provide reasonable advance notice of such changes.

14. What to do if you have a question, problem or complaint, or want to contact us about our use of your Personal Data or this Privacy Notice

This section explains our contact details to allow you to contact us if you have a question, access or update request, problem or complaint about privacy, or would like to opt out of direct marketing from us.

If you:

have a query or concern about this Privacy Notice or our Personal Data handling processes
wish to make a complaint in relation to a breach of your privacy
would like to access your Personal Data held by us
would like to update or correct your Personal Data held by us,
wish to withdraw your consent to the processing of your Personal Data where we have relied on your consent,
would like to exercise any other applicable right you have in relation to Personal Data, or
would like to opt out of direct marketing,

please contact our Privacy Officer at:

Email Address: privacy@myzeller.com.
You can also lodge a complaint directly with the Information Commissioner on the Information Commissioner’s website at ico.org.uk.