Privacy
Section A
RubeePay may collect, use, disclose, transfer or otherwise handle any Personal Information, and complies with the Privacy Act 1988 (Cth) and associated Australian Privacy Principles.
Section B
Without limiting section A, RubeePay must:
a) only use Personal Information to the extent necessary to perform its obligations in accordance with this Agreement;
b) not disclose any Personal Information to any other person (including to a subcontractor) without the prior written consent of The Client or, subject to section B, sub-paragraph l., as required by Law;
c) without limiting any of RubeePay’s other obligations under this Agreement, take such steps as are reasonable in the circumstances to protect any Personal Information from:
(i) misuse, interference and loss; and
(ii) unauthorised access, modification or disclosure,
d) not do anything that adversely affects the accuracy, currency or completeness of any Personal Information;
e) without limiting section B, paragraph (c) above, ensure that none of RubeePay’s Personnel who have access to any Personal Information use, disclose, transfer or retain such Personal Information except to the extent necessary to perform their duties of engagement;
f) notify the Client immediately if RubeePay becomes aware of any actual or potential misuse, interference, loss or unauthorised access, modification or disclosure of Personal Information, or if it becomes aware of a breach of this clause;
g) notify the Client as soon as reasonably practicable after RubeePay receives any:
(i) request concerning access to or correction of any Personal Information; or
(ii) complaint about the handling of any Personal Information;
h) comply with any reasonable requests or directions of The Client concerning:
(i) the storage, security, use and disclosure of any Personal Information;
(ii) remedying or otherwise dealing with any event referred to in paragraph l) (vi); and
(iii) the handling of any request or complaint referred to in paragraph l) (vii);
i) notify The Client as soon as reasonably practicable after RubeePay becomes aware that a disclosure of any Personal Information may be required by Law and, if requested by The Client, prior to any such disclosure:
(i) assist the Client to obtain a written legal opinion, from a reputable law firm or senior counsel nominated by The Client and at The Client’s cost, confirming that the disclosure is required by Law; and/or
(ii) assist The Client to prevent, resist, object to or limit such disclosure (at the Client’s cost);
j) at any time upon The Client’s request, or on the termination or expiry of an Agreement for any reason:
(i) ensure that any Personal Information is De-Identified (as defined in the Privacy Act) or destroyed except as required by Law; or
(ii) otherwise deal with any Personal Information, in accordance with the reasonable directions of the Client; and
k) if RubeePay becomes aware that there are reasonable grounds to suspect that an Eligible Data Breach may have occurred in relation to any Personal Information collected, stored or processed by RubeePay in the course of providing the Services:
(i) promptly provide written notice to the Client specifying the nature and details of the suspected Eligible Data Breach, the kind of Personal Information potentially affected and recommendations for any actions to be taken by The Client in response to the breach;
(ii) carry out a reasonable and prompt assessment of whether there are reasonable grounds to believe that the suspected Eligible Data Breach amounts to an actual Eligible Data Breach; and
(iii) promptly discuss in good faith the results of the assessment with the Client and the proposed preventative, remedial or other action to be taken by RubeePay;
l) if RubeePay becomes aware that there are reasonable grounds to believe that an Eligible Data Breach has occurred in relation to any such Personal Information (whether after conducting an assessment of a suspected Eligible Data Breach in accordance with paragraph (k) above or otherwise):
(i) if an assessment pursuant to paragraph (k) above has not been conducted, prior to taking any other action in connection with the Eligible Data Breach, immediately provide written notice to the Client of the nature and details of the Eligible Data Breach, the kinds of information concerned and recommendations for any actions to be taken by the Client and/or affected individuals in response to the breach;
(ii) promptly discuss and negotiate in good faith with The Client which Party will be the Party responsible for fulfilling the relevant notification requirements under the Privacy Law in respect of the Eligible Data Breach, including to the Office of the Australian Information Commissioner (OAIC) and the relevant affected individuals;
(iii) where the parties agree that RubeePay will be the party responsible for fulfilling the relevant notification requirements, comply with all such requirements in accordance with the Privacy Act, and the Client must provide all such assistance as may be necessary;
(iv) in any event, obtain the Client’s approval prior to issuing any relevant notification statements to the OAIC and affected individuals in accordance with the Privacy Act and the Client must not unreasonably withhold its approval where RubeePay is required by Law to issue a notification and the Client has not made a determination to itself fulfil the notification requirement;
(v) the Client must provide approval as soon as reasonably practicable to RubeePay under sub-paragraph (iv) above to enable RubeePay to comply with its notification requirements;
(vi) promptly take appropriate remedial action to mitigate any loss or interference with privacy flowing from the Eligible Data Breach, prevent any further serious harm to affected individuals and protect the affected Personal Information from further misuse or breach; and
(vii) without limiting the foregoing, cooperate with and provide reasonable assistance to the Client for the purpose of ensuring that the Client complies with its statutory obligations under the Privacy Act.
Data usage and security
Note: All customers who use RubeePay services will enter into a contract/s which entails all terms and conditions as part of the facility.
1. Data Usage Overview
The following terms used in this section relate to data provided to Rubee Pay by you or your Customers, or received or accessed by you through your use of the Services:
“Personal Data” means information that identifies a specific living person (not a company, legal entity, or machine) and is transmitted to or accessible through the Services.
“User Data” means information that describes your business and its operations, your products or services, and orders placed by Customers.
“Payment Data” means payment account details, information communicated to or by Financial Services Providers, financial information specifically regulated by Laws and Network Rules, and any other information used with the Payment Services to complete a Transaction.
“Rubee Pay Data” means details of the API transactions over Rubee Pay infrastructure, information used in fraud detection and analysis, aggregated or anonymised information generated from Data, and any other information created by or originating from Rubee Pay or the Services.
The term “Data” used without a modifier means all Personal Data, User Data, Payment Data, and Rubee Pay Data.
Rubee Pay processes, analyses, and manages Data to: (a) provide Services to you, other Rubee Pay users, and Customers; (b) mitigate fraud, financial loss, or other harm to users, Customers and Rubee Pay; and (c) analyse, develop and improve our products, systems, and tools. Rubee Pay provides Data to third-party service providers, including Financial Services Providers and their affiliates, as well as Rubee Pay’s global affiliates, to allow us to provide Services to you and other users. We do not provide Personal Data to unaffiliated parties for marketing their products to you. You understand and consent to Rubee Pay’s use of Data for the purposes and in a manner consistent with this Section D.
2. Data Protection and Privacy
a. Confidentiality: Rubee Pay will only use User Data as permitted by this Agreement, by other agreements between you and us, or as otherwise directed by you. You will protect all Data you receive through the Services, and you may not disclose or distribute any such Data, and you will only use such Data in conjunction with the Services and as permitted by this Agreement or by other agreements between you and us. Neither party may use any Personal Data to market to Customers unless it has received the express consent from a specific Customer to do so. You may not disclose Payment Data to others except in connection with processing Transactions requested by Customers and consistent with applicable Laws and Network Rules.
b. PCI Compliance: If you use Payment Services to accept payment card Transactions, you must comply with the Payment Card Industry Data Security Standards (PCI-DSS) and, if applicable to your business, the Payment Application Data Security Standards (PA-DSS) (collectively, the “PCI Standards”). Rubee Pay provides tools to simplify your compliance with the PCI Standards, but you must ensure that your business is compliant. The specific steps you will need to take to comply with the PCI Standards will depend on your implementation of the Payment Services. You can find more information about implementing Rubee Pay in a manner compliant with the PCI Standards in our Documentation. You will promptly provide us with documentation demonstrating your compliance with the PCI Standards upon our request. If you elect to store, hold and maintain “Account Data”, as defined by the PCI Standards (including Customer card account number or expiration date), you further agree that you will either maintain a PCI-compliant system or use a compliant service provider to store or transmit such Account Data; further, you agree to never store any “Sensitive Authentication Data”, as defined by the PCI Standards (including CVC or CVV2), at any time. You can find information about the PCI Standards on the PCI Council’s website.
3. Security and Fraud Controls
a. Rubee Pay’s Security: Rubee Pay is responsible for protecting the security of Data in our possession. We will maintain commercially reasonable administrative, technical, and physical procedures to protect User Data and Personal Data stored in our servers from unauthorised access, accidental loss, modification, or breach, and we will comply with applicable Laws and Network Rules when we handle User and Personal Data. However, no security system is impenetrable and we cannot guarantee that unauthorised parties will never be able to defeat our security measures or misuse any Data in our possession. You provide User Data and Personal Data to Rubee Pay with the understanding that any security measures we provide may not be appropriate or adequate for your business, and you agree to implement the Security Controls and any additional controls that meet your specific requirements. In our sole discretion, we may take any action, including suspension of your Rubee Pay Account, to maintain the integrity and security of the Services or Data, or to prevent harm to you, us, Customers, or others. You waive any right to make a claim against us for losses you incur that may result from our actions.
b. Your Security: You are solely responsible for the security of any Data on your website, your servers, in your possession, or that you are otherwise authorised to access or handle. You will comply with applicable Laws and Network Rules when handling or maintaining User Data and Personal Data, and will provide evidence of your compliance to us upon our request. If you do not provide evidence of such compliance to our satisfaction, we may suspend transactions on your account or terminate this Agreement.
c. Security and Fraud Controls: We may provide or suggest Security Controls to you, but we cannot guarantee that you or Customers will never become victims of fraud. Any Security Controls we provide or suggest may include processes or applications developed by Rubee Pay, its affiliates, or other companies. You agree to review all the Security Controls we suggest and choose those that are appropriate for your business to protect against unauthorised Transactions and, if appropriate for your business, independently implement other security procedures and controls not provided by us. If you disable or fail to properly use Security Controls, you will increase the likelihood of unauthorised Transactions, Disputes, fraud, losses, and other similar occurrences. Keep in mind that you are solely responsible for losses you incur from the use of lost or stolen payment credentials or accounts by fraudsters who engage in fraudulent Transactions with you, and your failure to implement Security Controls will only increase the risk of fraud. We may assist you with recovering lost funds, but you are solely responsible for losses due to lost or stolen credentials or accounts, compromise of your username or password, changes to your Payout Account, and any other unauthorised use or modification of your Rubee Pay Account. Rubee Pay is not liable or responsible to you and you waive any right to bring a claim against us for any losses that result from the use of lost or stolen credentials or accounts to engage in fraudulent Transactions, unless such losses result from Rubee Pay’s wilful or intentional actions. Further, you will fully reimburse us for any losses we incur that result from the use of lost or stolen credentials or accounts. We may also provide you with subjective Data regarding the possibility or likelihood that a Transaction may be fraudulent that require action or review by you. 
We may incorporate action or inaction by you into any such subjective scoring when identifying future potential fraud. You understand that we provide this Data to you for your consideration, but that you are ultimately responsible for any actions you choose to take or not take in relation to such Data, and for providing inaccurate or incorrect information to us. You are solely responsible for any action or inaction you take based on such Data.
4. Transfer of Payment Data upon Termination
For 30 days after termination of your Rubee Pay Account, you may request in writing that we transfer Payment Data regarding transactions between you and Customers that you are entitled to receive (“Exportable Data”) to an alternative payment services provider consistent with applicable Laws. For payment card transactions, Rubee Pay will only transfer Exportable Data to a PCI-DSS Level 1-certified payment services provider. For other payment methods, Rubee Pay may require you to provide us with evidence that the alternative payment services provider you select has appropriate systems and security controls before we migrate any Exportable Data. We will use commercially reasonable efforts to transfer Exportable Data within 14 business days after we receive your written request. We may delay or refuse any transfer request if we believe the payment services provider you have identified does not have systems or security controls in place that are sufficient to protect Exportable Data, that the integrity of Exportable Data may be compromised, or if Laws or Network Rules prohibit us from transferring it.