Privacy Policy

Introduction

BrandPay (“BrandPay”, “we”, “our”, or “us”) provides reward and redemption infrastructure that enables participating merchants and brands (“Merchants”) to reward customers, visitors, social users, and consumers (“Consumers”) for eligible social content, engagement activities, purchases, and other approved interactions through the BrandPay platform, website, and Apps (“Site”).

This Privacy Policy explains how we collect, use, store, and protect personal information when Merchants and Consumers (“Users”) use:

• the BrandPay website,
• mobile applications,
• merchant reward experiences,
• and related services (collectively, the “Services”).

BrandPay is designed to process only the information reasonably necessary to operate reward, redemption, fraud prevention, and customer support workflows.

BrandPay does not:

• sell personal information;
• operate a third-party advertising network;
• share Consumer data between Merchants;
• use Merchant or Consumer data for unrelated advertising purposes;
• access private social media content without permission.
• use Merchant or Consumer content to train public artificial intelligence or machine learning models.

BrandPay operates internationally across multiple jurisdictions and takes reasonable steps to implement privacy and data protection practices designed to support compliance with applicable laws and regulatory frameworks in regions where the Services are made available or used, including the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles, the European Union General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act (“CCPA”), and other applicable privacy, consumer protection, or data protection frameworks where relevant.

1. Roles and Responsibilities

BrandPay operates the platform infrastructure used by participating Merchants and Consumers.

Depending on the applicable workflow and jurisdiction:

• BrandPay may act as a processor or service provider operating the platform and associated reward workflows on behalf of participating Merchants; and
• participating Merchants may act as independent controllers or businesses responsible for their own Reward campaigns, marketing activities, and related data usage.

Consumers interact directly with BrandPay when:

• creating an account,
• participating in Rewards,
• redeeming credits,
• or using BrandPay-powered services.

Merchants are independently responsible for how they use information obtained through their Reward campaigns and for complying with applicable laws.

2. Information We Collect

Account Information

When creating an account or participating in a Reward, we may collect:

• name,
• email address,
• mobile number,
• username,
• social media handle,
• date of birth (where required to participate with certain Merchant campaigns or products),
• and other information voluntarily provided by the user.

Reward Participation Information

When Consumers participate in a Reward, we may collect:

• reward participation activity,
• submitted social content,
• timestamps,
• redemption activity,
• transaction information (value, product SKUs, timestamps),
• and Merchant interactions associated with the Reward.

Transaction & Redemption Information

Where applicable, we may process limited transaction or redemption information necessary to:

• validate credits,
• process redemptions,
• prevent fraud,
• reconcile Merchant reporting,
• and support customer service workflows.

BrandPay does not store full payment card details.

Payments may be processed by third-party payment providers including Stripe and Xendit in accordance with their own privacy policies and security standards.

Technical & Platform Information

We automatically collect limited technical and device information required to operate, secure, and improve the BrandPay platform, including:

• IP address (last octet removed),
• browser type,
• device type,
• operating system,
• session information,
• timezone and regional device settings for scheduling operational notifications, redemption timing, or time-sensitive Reward workflows,
• platform usage activity, and
• where enabled or required for platform functionality, approximate or precise device location information.

BrandPay may use foreground precise GPS location data while the App is actively open and in use for purposes including:

• fraud prevention,
• validating venue or merchant presence,
• preventing remote or automated Reward abuse,
• geographic Reward and campaign eligibility verification,
• supporting platform integrity and security workflows.

Certain BrandPay features, Rewards, redemptions, or participation workflows may not function correctly unless location permissions are enabled.

BrandPay does not use location data for third-party advertising purposes or unrelated cross-platform behavioural tracking. The Consumer’s location is never shared publicly within the Site and always remains hidden.

Merchant Social APIs

We allow Merchants to connect their social media accounts to their BrandPay account. Merchants that have social logins enabled on their BrandPay account will be able to see basic information related to connected accounts.

This includes:

• social business account names,
• social usernames,
• media data and insights connected to public social media content that mentions their business account.

We will never use or post to these accounts without the relevant Business’s permission and will always require their interaction or authorisation via the BrandPay platform and Meta to execute any specific actions.

We will only ever use information that a Merchant has made public or specifically allowed us to access in accordance with this Privacy Policy. We do not know or store any passwords associated with a Business’s social media accounts.

If a User wishes to remove the link between the Site, us and any social media network, that User can either remove our permissions inside that specific social media network or unlink it from the Edit tab inside the BrandPay integration settings.

Merchant Store APIs

We also allow Merchants to connect their customers (“transaction gateways”) to their BrandPay account. These can include but are not limited to:

• gift card and orders APIs (e.g. Shopify, Woo Commerce, Big Commerce),
• subscription billing APIs (e.g. Stripe),
• loyalty application endpoints that control in-App credits and points.

Merchants that have transaction gateway APIs enabled on their BrandPay account will be able to see basic information related to connected accounts. This includes but is not limited to orders data including:

• total transaction value,
• credits used,
• timestamps,
• product SKUs.

We will only ever use information that a Merchant has made public or specifically allowed us to access in accordance with this Privacy Policy. We do not know or store any passwords associated with a Merchant’s transaction gateways. If a User wishes to remove the link between the Site, us and any transaction gateway, that User can either remove our permissions inside that specific software or unlink it from the Edit tab inside the BrandPay integration settings.

Fraud Prevention Signals

BrandPay uses limited device and browser signals to help identify:

• duplicate participation,
• fraudulent activity,
• abuse of Rewards,
• automated activity,
• and misuse of the platform.

These signals are used solely for platform integrity and fraud prevention purposes and are not used for advertising or cross-site behavioural tracking.

3. How We Use Information

We use personal information to:

• operate Rewards and redemptions;
• validate participation;
• manage user accounts;
• provide customer support;
• prevent fraud and abuse;
• improve platform reliability and security;
• generate aggregated reporting and analytics;
• communicate service updates and operational notifications;
• comply with legal obligations.

Where permitted by law, Merchants may separately communicate with Consumers who have opted in to receive Merchant communications.

4. Merchant Access to Consumer Information

When a Consumer participates in a Reward, the relevant Merchant may receive limited information associated with that participation, including:

• social handle,
• participation activity,
• submitted content media,
• content engagement metrics,
• redemption activity,
• and information voluntarily submitted by the Consumer as part of the Reward workflow.

BrandPay logically separates Consumer participation data between Merchants.

One Merchant does not receive access to another Merchant’s Consumer data through the BrandPay platform.

Consumers should review the privacy policies of participating Merchants to understand how those Merchants independently process information they receive.

5. User-Generated Content

When Consumers voluntarily participate in a Reward involving social content, they grant BrandPay and the relevant Merchant a non-exclusive, royalty-free license to use, reproduce, repost, publish, display, distribute, and promote the submitted content in connection with:

• the relevant Reward campaign;
• the Merchant’s marketing, advertising, promotional, social media, website, ecommerce, in-store, and related brand channels;
• BrandPay platform functionality and campaign reporting;
• related brand communications associated with the relevant Merchant.

This license applies only to content voluntarily submitted, tagged, linked, or otherwise associated with a Reward through the BrandPay platform.

Certain Rewards may require submitted content to remain publicly accessible for a minimum period in order for the Reward to remain valid. If content is deleted, hidden, materially altered, or otherwise becomes inaccessible before the applicable Reward conditions are satisfied, associated credits or Rewards may be reversed, cancelled, or adjusted in accordance with the applicable Reward terms.

Consumers retain ownership of their content.

BrandPay does not claim ownership of Consumer content and does not sell Consumer content to unrelated third parties.

6. Cookies, Advertising, Analytics and Session Technologies

BrandPay uses cookies and similar technologies to:

• maintain login sessions,
• operate platform functionality,
• remember user preferences,
• improve performance,
• and support fraud prevention and analytics.

Users may manage cookie preferences through their browser settings, though some platform functionality may not operate correctly if cookies are disabled.

BrandPay may use analytics, advertising, attribution, and measurement technologies provided by third parties such as Google Analytics and Google Ads to better understand how users interact with our website, measure advertising performance, improve marketing effectiveness, and support platform growth.

In certain circumstances, BrandPay may share limited first-party data, such as hashed identifiers or conversion-related information, with advertising or analytics providers for attribution, conversion measurement, fraud prevention, or campaign performance reporting purposes.

These providers process information in accordance with their own terms, policies, and applicable data protection obligations.

Where required by applicable law, BrandPay will request consent before using non-essential cookies, advertising technologies, or related data-sharing mechanisms.

7. Sharing Information

BrandPay does not sell personal information.

We may share information with:

• participating Merchants associated with a Reward;
• infrastructure and service providers supporting the platform;
• payment providers;
• cloud hosting providers;
• analytics providers;
• customer support providers;
• and legal or regulatory authorities where required by law.

Service providers are contractually required to protect information and process it only for authorised purposes.

8. Subprocessors and Infrastructure Providers

BrandPay may use trusted third-party providers to operate the platform, including cloud infrastructure, analytics, communications, payment processing, and customer support providers.

These providers may include:

• Google Cloud Platform,
• Stripe,
• Xendit,
• Google Analytics,
• Supabase,
• Mixpanel,
• and other operational infrastructure vendors.

We take reasonable steps to ensure service providers maintain appropriate security and confidentiality protections.

9. International Data Transfers

BrandPay operates internationally and may process information in countries outside a user’s jurisdiction, including Australia, Singapore, the United States, the United Kingdom, and other locations where our service providers operate.

Where applicable, BrandPay implements reasonable contractual and operational safeguards designed to protect personal information during international transfers.

10. Security Measures

BrandPay uses reasonable technical and organisational measures designed to protect personal information, including:

• encryption in transit,
• access controls,
• authentication controls,
• infrastructure monitoring,
• fraud detection systems,
• and restricted employee access based on operational necessity.

BrandPay maintains internal procedures designed to identify, investigate, contain, and respond to security incidents affecting personal information.

While BrandPay takes reasonable steps to protect personal information, no method of electronic transmission or storage can be guaranteed completely secure. Users should take reasonable steps to protect their account credentials and devices when accessing the Services.

We store a User’s personal information in a number of secure computer storage facilities. We may also engage third party service providers to assist in storing and processing certain types of personal information for us, some of which may be located overseas, including in the United States and the United Kingdom.

For EU and EEA residents, to assist our Merchants and their European Reward users (data subjects), the legality of our processing services and the international transfers of the personal data, BrandPay has implemented contractual and operational safeguards designed to support applicable GDPR-related data protection obligations.

Privacy and data protection laws in jurisdictions where BrandPay or its providers operate may differ from those in a User’s jurisdiction.

BrandPay uses Stripe and Xendit to process credit card payments, which maintain PCI DSS Level 1 Service Provider certifications. No credit card details are stored on our servers.

In case of an unauthorized security intrusion that materially affects Users or personal information processed through the Services, we will notify affected Users as soon as possible and will within reasonable time report the action we took in response.

We have a privacy and data protection contact who is responsible for matters relating to privacy and data protection. This Privacy and Data Protection contact can be reached at the following address:

11. Data Retention

BrandPay retains personal information only for as long as reasonably necessary to:

• operate the platform,
• fulfil Reward workflows,
• comply with legal obligations,
• resolve disputes,
• enforce agreements,
• and prevent fraud or abuse.

Retention periods may vary depending on the type of information and operational requirements.

BrandPay may retain certain transactional, reward, payout, moderation, fraud prevention, accounting, and campaign audit records associated with submitted content and Reward activity after account deletion where reasonably necessary for legal, operational, security, dispute resolution, fraud prevention, or compliance purposes.

Where reasonably practicable, retained records are de-identified, pseudonymised, aggregated, or disassociated from active user profile information following account deletion.

You may delete your account at any time by clicking “delete my account” from within your Profile → Settings.

Your account will retain its data for a period of 30 days, before active account profile information is deleted or de-identified from BrandPay production systems, subject to limited retention required for legal, operational, fraud prevention, accounting, backup, or compliance purposes.

You may reactivate your account and data anytime within this 30 day period by re-registering.

You may request to have your data deleted sooner than 30 days, by contacting privacy@brandpay.io.

Deleted information may continue to persist in secure backup systems for a limited period following deletion before being automatically overwritten or removed in accordance with backup retention schedules.

Backup systems are not used for routine live production access. If backup data is restored, BrandPay will take reasonable steps to re-apply applicable deletion requests and protections before restored systems are returned to production use.

BrandPay may suspend or terminate your account if you violate any of the terms, engage in fraudulent or inappropriate activity, or misuse the Services.

12. User Rights and Choices

Subject to applicable laws, users may request to:

• access personal information;
• correct inaccurate information;
• delete personal information;
• restrict certain processing activities;
• object to certain processing activities;
• receive a copy of certain information.

Users may also:

• disconnect linked social accounts;
• manage communication preferences;
• opt out of marketing communications.

Requests may be submitted to: privacy@brandpay.io or else they should follow the instructions in these communications on how to unsubscribe.

13. Children’s Privacy

BrandPay is not directed toward children under the age of 16.

We do not knowingly collect personal information from children under 16 without appropriate consent or legal basis.

If we become aware that personal information has been collected from a child inappropriately, we will take reasonable steps to delete it.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time.

Updated versions will be published on our website with a revised “Last Updated” date.

Continued use of the Services after an update constitutes acceptance of the revised Privacy Policy.

16. Contact Us

If you have questions about this Privacy Policy or BrandPay’s privacy practices, please contact: