Privacy Policy

Version 1.0 · May 2026

Issued by ElasticBrain Pty Ltd, the operator of ElasticPay. Contact: [email protected].

This is the public summary of ElasticPay's privacy policy. It covers what we collect, how we use it, how we protect it, and how to exercise your rights under the Australian Privacy Act. The full master document including detailed retention periods, glossary, and APP cross-references is available on request from [email protected].

Who this covers

ElasticPay is operated by ElasticBrain Pty Ltd, an Australian company that provides payment facilitation services to merchants. This policy applies to:

  • Merchants — businesses that apply to use or use our services
  • Cardholders — individuals whose payments we process for our merchants
  • Website visitors — anyone who browses elasticpay.co or uses our dashboards
  • Job applicants and others who contact us

We are bound by the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles. As a Payment Facilitator we are also subject to PCI DSS and the operating rules of Visa, Mastercard, and American Express.

What we collect

What we collect depends on your relationship with ElasticPay.

  • From merchants: business and beneficial-owner details (name, date of birth, address, contact, government ID, tax identifiers), bank account information for settlement, and the transaction, chargeback, and dispute history of your account. This is required by anti-money-laundering law and our acquirer's PayFac agreement.
  • From cardholders at checkout: name on card, payment card details, billing address (for fraud checks), and device / browser identifiers. Full card numbers are processed only in our PCI DSS-certified Cardholder Data Environment, which is separate from our merchant-facing systems. After authorisation we keep only a token, the card brand, the last four digits, and the expiry month and year.
  • From website visitors: IP address, approximate location, browser type, pages visited, and timing. Plus the ep_vst first-party cookie described under Cookies and tracking below.

We do not intentionally collect sensitive information (health, race, religion, biometric data, etc.). If we receive it inadvertently we destroy or de-identify it unless law requires us to retain it.

Why we use it

  • To onboard merchants and process payments on their behalf
  • To verify identity and meet our AML/CTF and PayFac obligations
  • To detect fraud and manage chargebacks, disputes, and refunds
  • To send transaction notifications, support replies, and required compliance notices
  • To meet legal, regulatory, and card-scheme requirements

We do not send marketing communications without your explicit consent. We do not sell personal information.

Who we share with

We share the minimum personal information necessary with our acquirer (for settlement, clearing, and dispute management), the card networks (Visa, Mastercard, American Express), our identity-verification provider during merchant onboarding, our fraud detection services, and our infrastructure providers (Cloudflare for our payment-page CDE; DigitalOcean for application hosting; BetterStack for monitoring).

We may disclose personal information to government agencies, courts, AUSTRAC, or other regulators where required by law. Where permitted, we will notify you.

Some of these recipients are located overseas, primarily in the United States. We take reasonable steps under APP 8 to ensure they handle personal information in line with the APPs. Cardholder payment data is transmitted overseas as an inherent part of the global card payment network.

How we secure it

  • PCI DSS-compliant Cardholder Data Environment, hosted on Cloudflare Workers
  • Full card numbers never present in our non-CDE systems
  • TLS in transit; encryption at rest for sensitive stores
  • Least-privilege access controls with multi-factor authentication
  • WAF and DDoS protection
  • Continuous vulnerability scanning, regular independent penetration testing
  • Comprehensive logging, monitoring, and alerting

We maintain an Incident Response Plan and will notify the OAIC and affected individuals under the Notifiable Data Breaches scheme if an eligible breach occurs.

Retention

We retain personal information only as long as needed and as required by law. Headline periods:

  • Merchant KYC / onboarding records: 7 years after the merchant relationship ends
  • Transaction records: 7 years from the transaction date
  • Cardholder Data (full PAN, CVV): not retained beyond authorisation
  • Dispute and chargeback records: 5 years after resolution
  • Access logs and security events: 2 years

Cookies and tracking

We use a first-party cookie (ep_vst) on elasticpay.co to understand which channels and pages produced your signup. The cookie holds an opaque session identifier and is not shared with third parties. You may clear it at any time via your browser's cookie controls.

On our dashboards and payment pages we also use:

  • Essential / Security: session management, CSRF protection, and fraud signal collection on the payment page. Strictly necessary; cannot be disabled.
  • Analytics: aggregate, de-identified usage statistics. No individual is identified.
  • Preferences: remembering your dashboard settings (date ranges, column preferences, etc.).

We do not use advertising cookies or share cookie data with third-party advertising networks. Our websites do not respond to "Do Not Track" browser signals.

Your rights

Under the Privacy Act and the APPs, you have the right to:

  • Access the personal information we hold about you (APP 12) — we will respond within 30 days
  • Correct information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13)
  • Complain if you believe we have interfered with your privacy — we aim to resolve complaints within 30 days. If you are not satisfied with our response you can escalate to the Office of the Australian Information Commissioner (OAIC) on 1300 363 992 or oaic.gov.au.

To exercise any of these rights, email [email protected]. We may ask you to verify your identity before processing your request.

Children's privacy

Our services are not directed to individuals under 18. We do not knowingly collect personal information from minors. If you become aware that a minor has provided us with personal information without parental consent, please contact us and we will take steps to remove that information.

Changes to this policy

We may update this policy to reflect changes in our practices, technology, or legal obligations. When we make material changes we update the version number and date at the top of this page and notify registered merchants by email at least 30 days before the changes take effect, where practicable.

Contact


This page is the public summary of our privacy policy. The full master document — including detailed APP cross-references, the complete glossary, the comprehensive list of overseas recipients, and our retention matrix — is maintained internally as part of our compliance programme and is available on request from [email protected].

Effective date: 1 May 2026 · Version 1.0 · Next review: 1 May 2027