Our Privacy Policy

This Privacy Policy helps to ensure that Windcave complies with applicable law in the countries in which we operate, such as the General Data Protection Regulation (“GDPR”) promulgated by the European Union.

We at Windcave take your privacy seriously, and will only use your personal information for the purposes permitted by law and this Privacy Policy. Please read our Privacy Policy, and let us know if you have questions.

Who is Windcave?

Windcave is a group of companies consisting of Windcave Limited, its affiliates, and its subsidiaries (collectively, “Windcave”). Windcave provides technical solutions to businesses by allowing them to process payments in e-commerce, and via physical payment devices, such as card readers.

Windcave Protects Your Personal Information at Least Up to the Standards Set Forth by PCI-DSS

Windcave is committed to protecting your privacy whenever you buy goods or services from a merchant that uses Windcave payment solutions (“Merchant”). Merchants will generally use Windcave’ payment solutions when customer uses a credit or debit payment card over the internet, telephone, fax, unattended or integrated electronic funds transfer at the point of sale (“EFTPOS”) system (collectively “Transactions”).

Windcave recognizes its responsibility to keep all personal information confidential at all times. Any information that Windcave acquires in connection with such Transactions is kept confidential, whether the information is acquired directly from a cardholder or Merchant. Windcave protects personal information - at a minimum - to the Payment Card Industry Data Security Standards (“PCI-DSS”). To learn more about PCI-DSS, please see our PCI-DSS section below, or visit the PCI Security Standards Council’s website, at: https://www.pcisecuritystandards.org/.

Please note, however, that Windcave’ responsibility is limited to protection of information that is obtained by Windcave. Windcave itself cannot control the use or disclosure by your Merchant of any information that it obtains from you.

How We Collect Information

To enable Windcave to provide secure payment facilities, we acquire information which may include a cardholder's name, credit card number (with the expiry date) and billing address. That information is collected when a card and its information is provided to a Windcave payment solution.

How We Use and Disclose Information

Windcave uses the information it collects to obtain authorization for Transactions from the payment card’s issuing bank (the bank that issued your credit or debit card) and from Windcave's own or the Merchant's bank (the “acquirer” or “Acquiring Bank”). Some details from the Transaction (such as name, email and delivery address) may be made available to the Merchant or Acquiring Bank through Payline - Windcave’s web-based transactions management system. Payline allows Merchants to track Transactions and process refunds. Payment card numbers are encrypted and stored by Windcave securely, and are not provided to the Merchant. Please note that your personal data may be shared with legal authorities if required by law. In addition, and separate from its performance of the services set forth in this Privacy Policy, Windcave may aggregate and disclose the aggregated data that is not personally identifiable to its partners or third parties. This aggregated, non-identifiable data may be used for statistical analysis or similar purposes.

Security

Windcave is committed to data security. Windcave uses a variety of technologies and procedures to help protect personal information from unauthorized access, use or disclosure. For example, Windcave stores the data in computer servers with limited access that are located in controlled facilities secured by advanced surveillance and security technology. When Windcave transmits sensitive information (such as a payment card number), Windcave protects it through the use of encryption, such as the Secure Socket Layer (“SSL”) protocol. Credit card details stored onsite are encrypted using 168bit 3DES encryption. Windcave is a level 1 certified PCI-DSS compliant provider.

What is PCI-DSS?

PCI-DSS, the Payment Card Industry Data Security Standard, is a set of security requirements relating to the protection of cardholder data. PCI-DSS is governed by the Payment Card Industry (“PCI”) Security Standards Council, an organisation put together by the major card schemes - VISA, MasterCard, American Express, JCB and Discover. PCI-DSS is relevant to any entity that stores or transmits sensitive cardholder data, which consists of information such as the PAN (card number), card security code, track data, and PIN block. Preceding PCI-DSS, the card schemes had their own standards, and the VISA Account Information Security (AIS) standard formed the basis to most of the PCI-DSS requirements. Click here to view our PCI-DSS compliance certificate.

Storage of Information

Windcave may transfer your information to countries outside of your country of residence, and those countries may have information protection rules that are different from those of your country of residence. Generally, Windcave stores and processes information in countries where we operate offices, such as New Zealand, Australia, the United States, and the United Kingdom. Windcave takes measures to ensure that information transfers comply with applicable data protection laws and that your information remains protected to the standards described in this Privacy Policy.

Although we do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk and you accept all liability for such risk, to the extent legally permissible. Once we have received your information, we use strict procedures and security features to try to prevent unauthorised access.

Transfer of Personal Data Outside European Economic Area

The data that we collect from you may be transferred to and stored at a destination outside of the European Economic Area (“EEA”), including, but not limited to, in New Zealand, Australia, and the United States. It may also be processed by staff operating outside the EEA who work for Windcave. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of payment details, and the provision of support services. By submitting your personal data, you agree to this transfer, storing and processing of your data.

EU-US Privacy Shield Framework

Privacy Shield Principles

Windcave’s United States subsidiary, Windcave Inc., complies with the EU-US Privacy Shield Frameworks as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries. Windcave Inc. has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the policies in this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, to the extent available, please visit https://www.privacyshield.gov/list.

Windcave Inc. is responsible for the processing of personal information it receives from individuals residing in the European Union, under the Privacy Shield Frameworks, or subsequently transfers to a third party acting as an agent on its behalf. Windcave Inc. complies with the Privacy Shield Principles for all onward transfers of personal information from the European Union including the onward transfer liability requirements.

The United States Federal Trade Commission may investigate any violation of our commitment to the EU-US Privacy Shield. In certain circumstances, Windcave Inc. may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Information Shared with Commonly Owned Entities

We may share some or all of your personal information with other non-US companies under common ownership or control of Windcave Inc., which may include our corporate parent or any other subsidiaries owned by our corporate parent in order to provide you better service and improve user experience. These include Windcave entities in New Zealand, the United Kingdom, and in some instances, Australia. Generally, sharing such information is necessary for us to perform on our contract with you – for example, to provide technical support after normal business hours. We may provide additional notice and ask for your prior consent if we wish to share your Personal Information with our commonly owned entities in a materially different way than discussed in this privacy statement.

Accountability for Third Parties

We may securely transfer personal data to third parties, including banks and financial institutions, for processing on our behalf. For example, when you process a payment with Windcave, your data may be transferred to your merchant’s bank, as well as your bank. We will ensure that such data may only be processed for limited and specified purposes consistent with the consent you provided.

Your Rights With Respect to Your Personal Data

You, as the customer of a Merchant using Windcave, have certain rights with respect to your personal data.

You have the right to revoke your agreement to the collection, processing, and use of your personal data at any time with effect for the future by contacting our Data Protection Officer at the email address, or physical address, listed in this Privacy Policy. However, please note that doing so may result in Windcave no longer being able to perform services for your benefit and/or processing payments for your benefit.

You have the right to request access and know what information is held about you. Windcave will inform you, upon your written request to our Data Protection Officer, about the personal data it has in relation to you, how Windcave has used it, and to whom it has been disclosed subject to certain exceptions prescribed by applicable law and regulation and provided we can authenticate your identity. You have the right to verify, update, or correct your information, and to have obsolete information removed.

You have the right to erasure, or otherwise to have your personal data deleted or removed upon written request to Windcave. Please note that Windcave may erase such data in a reasonable period of time, and that lodging a request to erase your data may effect some of the services Windcave offers to Merchants.

How long will we retain your information?

We will not retain your Personal Information for longer than permitted by applicable law and regulation, and in no event longer than 7 years. If you have questions about our data retention policy, or about the deletion of your data, please contact us at compliance@windcave.com.

How to Contact Us

Any questions or concerns relating to the collection and processing of your personal data should be sent via email to the following address: compliance@windcave.com. At this email address you can also request to change your personal data, or have your personal data deleted. Windcave will answer your request within a reasonable time. You can also send your written requests via mail to the following address: Windcave, 31-33 Wilkinson Road, Ellerslie, Auckland 1060, New Zealand, for the attention of the Data Protection Officer. If you contact Windcave via letter, e-mail, phone or by fax, Windcave is storing your personal data in order to be able to answer your request, and may store your correspondence for our records.

Windcave Inc. has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning data transferred from the EU.

Independent Dispute Resolution

If we are not able to solve your complaint in relation to our non-compliance with the EU-US Privacy Shield Framework you have the right to refer your complaint to JAMS, which we designated as our independent recourse mechanism. Mediation will be conducted pursuant to JAMS International Mediation Rules. If you wish to file a case, please refer to JAMS’ website for more information (https://www.jamsadr.com/eu-us-privacy-shield).

Binding Arbitration

If independent dispute resolution has not resolved your complaint, as a last resort and under limited circumstances, EU individuals with residual privacy complaints may invoke a binding arbitration option before the Privacy Shield Panel.

Updating this Policy

Windcave reserves the right to change this Privacy Policy at all times. It is your responsibility to periodically verify the applicable privacy statement and to comply with its most recent version. This Privacy Policy statement was last modified in July 2018.

Cookies

Cookies are small text files that some websites place on your computer as a tool to remember your preferences. At Windcave, we do not use cookies at this time.

Miscellaneous

As you navigate our site, you may click to the websites of partner companies or other companies with whom we have a business relationship. This Windcave Privacy Policy will not apply when you move to one of these other sites because privacy practices and policies are tailored to the products and services offered by each individual company. If you visit the pages and sites of our affiliated business units, please be sure to review the privacy policies applicable to those sites. Our website contains links to third-party websites, and Windcave is not responsible for the content or the privacy practices employed by other websites. Apart from using your data in the processing of Transactions, Windcave does not use your data to make automated decisions. We will ask for your consent before using information for a purpose other than those that are set out in this Privacy Policy. Windcave does not process “sensitive personal data” revealing ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic, biometric, health, or mortality; or data concerning a natural person’s sex life or sexual orientation.

Employment Data

As an employer, Windcave may collect personal information of its employees including name, address, email, date of birth, bank information, work experience, and education history. This information is provided to Windcave by its employees through an application form. In the event a conditional employment offer is made, we may share this information with third parties for the completion of background screenings, payment distribution, and enrolment in health/financial benefits. Windcave may require such third parties to maintain confidentiality of employee personal information.

We release account and other personal information when we believe release is appropriate to comply with the law, as well as to protect the rights, property or safety of Windcave, our customers or others. Certain laws or government regulations may require us to disclose non-public personal information about you to respond to court orders or legal investigations. Please note, that such disclosures do not include selling, renting, sharing, or otherwise disclosing personally identifiable information from customers for commercial purposes in violation of the commitments set forth in this Privacy Policy.