Consumer Data Right Policy

v2.0 28 February 2023

About this Policy

This policy provides information about how Zepto Payments Pty Ltd (ACN: 604 057 598) (Zepto) manages data under the Consumer Data Right (CDR). References in this policy to data apply specifically to data in the context of the CDR, as described in this policy below.

Please refer to the Zepto Privacy Policy available on our website for information on how we manage your personal information, as well as ensure the quality, integrity and security of that personal information under applicable Privacy Laws more generally.

What is the Consumer Data Right?

Your CDR is an important part of the Government’s Open Banking initiative, the objective of which is to deliver better services to you. The rules for Open Banking are defined by the Consumer Data Right (CDR), which aims to provide greater choice for Australians over how their data is used and disclosed in a secure way. The CDR regime will apply first to the banking industry and then to other industries including energy and telecommunications. The CDR is designed to give you greater control of your data to increase competition and encourage innovation throughout the Australian economy. Through the Open Banking CDR Framework, you will be able to control who your data is sent to, what data is shared and over what period of time. Where the data sharing consent you provide is enduring, you retain full control to manage this consent over time.

Accredited Data Recipient

Zepto has been designated an Accredited Data Recipient by the Australian Competition and Consumer Commission (ACCC) and as a consequence is subject to ongoing compliance with a stringent and multi-faceted governance framework to ensure the highest levels of control as it relates to our interactions with the Open Banking CDR Framework and your data.

Zepto provides account-to-account direct debit and real time payment (New Payments Platform) services. As an Accredited Data Recipient, Zepto can access your banking data securely in compliance with the Open Banking CDR Framework as regulated by the Australian Government. Under the CDR regime, an Accredited Data Recipient can request banking data from an Accredited Data Holder, in other words, your bank or financial institution.

Collection of your Banking Data

Zepto adopts a data minimisation approach and only collects banking data that is necessary to verify bank account information, improve consumer experience and support general “Know Your Customer” (KYC) requirements.

There are no fees for accessing your “required” banking data from Accredited Data Holders. Zepto does not accept consumer requests to access any additional data such as voluntary product or consumer data that the bank may have but is not obligated to supply under the CDR Rules.

When you, as the consumer, provide consent to share your banking data with Zepto in accordance with the CDR regime, it is executed through a CDR Consumer Dashboard. The consent covers such parameters as duration, the scope of banking data to be shared and from which nominated bank account(s). At the point at which the consent is granted, a consent receipt is created. Consumers can view and manage their active consents granted through this CDR Consumer Dashboard.

Classes of CDR data

The following classes of data are accessed by Zepto for the duration of consent:

Account Data:

  • Account Name
  • Account Number
  • BSB

Data Disclosure

Zepto does not disclose your banking data to third parties for direct marketing or for any other commercial purposes, nor to any non-CDR Accredited entities.

Deleting CDR data

If you ask us to stop collecting and using your CDR data, if your consent expires and/or if the data becomes redundant, we’ll delete the CDR data we have collected (and any data derived from it), unless we’re legally required or permitted to keep it or if you have consented to us using it in de-identified form.

How Data is Stored

All CDR data, and its backups, are stored onshore (Sydney, Australia) with at-rest encryption.

Events for Notifying the CDR Consumer

Zepto does not make a consumer’s stored banking data accessible or visible to outside organisations and employs leading industry standard information security practices. In the event of a data breach (e.g. someone gaining unauthorised access) we will notify a CDR consumer as soon as practical in order for the consumer to take appropriate action as required.

Contact Us

You can contact Zepto via our website zepto.com.au or via email at [email protected].

How to Make a Complaint

If you wish to raise a complaint in relation to how your CDR banking data has been managed by Zepto, please contact us via email at [email protected]. When submitting your complaint please include your full name, contact details, preferred contact method (phone or email) and the details relating to your complaint.

Once your complaint is received, Zepto will acknowledge receipt of the complaint within five (5) business days of being received.

Zepto will thoroughly investigate your complaint and endeavour to provide you with a written response to resolve the matter within thirty (30) calendar days of receipt of your complaint.

If your complaint remains unresolved after thirty (30) calendar days, you will be advised in writing that additional time is required to complete the investigation and to provide a full and final response.

When the complaint is resolved, you will receive a ‘final response’ letter within forty-five (45) calendar days, informing you of the final outcome of your complaint and your right to take the complaint to external dispute resolution. The relevant body that manages external dispute resolution for the CDR Regime is the Australian Financial Complaints Authority, which can be contacted as follows:

Online:

www.afca.org.au

Email:

[email protected]

Phone:

1800 931 678

Mail:

Australian Financial Complaints Authority

GPO Box 3
Melbourne, VIC 3001

If your complaint remains outstanding and is unable to be resolved within forty-five (45) calendar days, Zepto must write to you to inform you of the reasons for the delay, specify a date when a decision can be reasonably expected and inform you of your rights to take the complaint to the Australian Financial Complaints Authority for external dispute resolution.

Policy Availability

This policy is available via our website www.zepto.com.au.