Privacy Policy

DuePay Limited

 

1      INTRODUCTION

1.1 This Privacy Policy applies to DuePay Limited (“DuePay”, “we”, “us”, “our”), a New Zealand registered company (company number 9401893 with NZBN 9429053413871) and registered on the Financial Services Provider Register (FSP1012026).

1.2 In this Privacy Policy, ‘You’ and ‘your’ mean you, as our customer or anyone else who provides personal information to us. If you give us information about another person, you must ensure you have their permission first.

1.3 ‘Privacy Act’ means the Privacy Act 2020 and any laws that change or replace it.

1.4 This Privacy Policy explains how we collect, use, store, disclose and protect Personal Information in accordance with the Privacy Act 2020 (New Zealand), the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (“AML/CFT Act”), and other applicable laws when you:

          a) Use the DuePay mobile application

          b) Use the DuePay website

          c) Register for a DuePay wallet

          d) Make or receive payments using QR code

          e) Connect your bank account via approved third-party providers

          f) Use referral, cashback, reporting or withdrawal features

1.5 By accessing or using the DuePay mobile application, website, wallet services or QR payment services (collectively, the “Services”), you acknowledge that you have read and understood this Privacy Policy.

2      WHO WE ARE

2.1 DuePay Limited is a registered financial services provider in New Zealand providing a digital wallet and QR-code payment platform.

2.2 Our registered address is 39 Kirby Street, Glendene, Auckland, New Zealand – 0602.

3      DEFINITIONS

In this document:

3.1 “Personal Information” means any information that can identify you directly or indirectly.

3.2 “Open Banking Provider” means an authorised third-party provider that securely connects to your bank account with your consent (for example, Akahu).

3.3 “Wallet” means your DuePay digital stored-value account.

3.4 “Trust Account” means the segregated bank account in which customer funds are held separately from DuePay’s operational funds.

4      HOW THIS PRIVACY POLICY WORKS

4.1 This privacy policy applies to all our products and services (even the ones you can use without paying) and all your interactions with us. That means using our apps and website, phone calls with us, in-app chat, SMS and any other means or ways of interaction and engagement between you and us. The privacy policy applies to:

          a) The “DuePay” mobile application

          b) The DuePay website

          c) All wallet services provided by DuePay

          d) QR-code based payments

          e) Bank account connectivity

          f) Merchant onboarding

          g) Refunds, withdrawals and reporting

          h) Referral and cashback programmes

          i) All communications with us

          j) The details we send to our partners and receive from our partners to collect the information about you to perform the KYC for AML/CFT compliance.

4.2 By using DuePay, you confirm that you have read and understood this Privacy Policy.

4.3 If you do not agree, you must not use our services.

5      OVERVIEW

5.1 We collect personal information so we can:

          a) Open and manage your DuePay wallet

          b) Verify your identity

          c) Process QR payments on your behalf

          d) Enable bank transfers (top-ups & withdrawals)

          e) Meet AML/CFT legal requirements

          f) Protect against fraud

          g) Improve our services

5.2 We do not sell your personal information.

5.3 You have the right to access and correct your information at any time.

5.4 We respect the trust you give us to hold your personal information because we know that your information – and your privacy – are important. For more information on your rights, including how to make a request to access or correct your personal information, please email us at contact@duepaynz.com.

6      INFORMATION WE COLLECT

Depending on your relationship with us (Customer, Merchant, Admin User), we may collect:

6.1 Identity Information: full name, date of birth, address, email, phone number, government-issued ID, biometric verification where required.

6.2 Account Information: Wallet ID, login credentials (encrypted), device identifiers, IP address, communication records.

6.3 Bank Information (via Open Banking Provider): tokenised bank account number, account name, account balance (if consented), transaction history (if consented).

6.4 Transaction Information: QR payment details, merchant details, timestamps, refund records, withdrawal records, cashback or referral rewards.

6.5 Merchant Information (if applicable): business name, NZBN, GST details, directors and shareholders, settlement bank account.

6.6 Compliance Information: AML/CFT verification results, sanctions screening, risk scoring, suspicious activity monitoring.

7      OPEN BANKING CONSENT (INCLUDING AKAHU)

7.1 When you choose to connect your bank account to DuePay, you provide explicit consent for us to access specified financial data via an Open Banking Provider.

7.2 We only access the information that you authorise. This may include:

          a) Account holder name;

          b) Account number (tokenised);

          c) Account balance;

          d) Transaction history;

          e) Authority to initiate payments for wallet top-ups (where enabled).

7.3 DuePay does not collect, store, or have access to your internet banking password.

7.4 Your bank account credentials are securely handled by the Open Banking Provider in accordance with their security standards.

7.5 You may revoke your consent to bank access at any time within the DuePay app. Revoking consent may limit certain functionality such as wallet top-ups or withdrawals.

7.6 When you deactivate your DuePay wallet, your bank account access authorisation and token are immediately removed from our system. This means that if you choose to reactivate your DuePay Wallet, you may have to provide us with the authorisation again. This can be done in the application using the “Add Bank Account” feature.

7.7 When any DuePay Wallet is terminated due to admin or legal reasons, your bank account token and access are immediately removed from our system.

7.8 We rely on Open Banking Providers to comply with New Zealand privacy and security standards and we contractually require them to protect your Personal Information to a standard comparable with the Privacy Act 2020.

7.9 We may change the Open Banking Provider at our discretion.

8      TRUST ACCOUNT & SAFEGUARDING OF FUNDS

8.1 All customer funds stored in DuePay Wallets are held in a segregated Trust Account with a New Zealand registered bank. You can read more at our Trust Account Safeguarding Page.

8.2 The Trust Account is separate from DuePay’s operational funds and is used solely for safeguarding customer funds.

8.3 DuePay does not use customer funds for operational expenses, lending, or investment purposes.

8.4 While DuePay facilitates payments and withdrawals, we are not a registered bank and funds held in a DuePay Wallet are not deposits for the purposes of the Reserve Bank of New Zealand Act.

8.5 We may share limited settlement information with our banking partners to process transactions securely.

9      AML/CFT & REGULATORY COMPLIANCE

9.1 DuePay is required to comply with the AML/CFT Act and associated regulations. You can read more at our AML/CFT Compliance page.

9.2 We collect and verify your identity to:

          a) Confirm your identity;

          b) Monitor transactions;

          c) Detect suspicious behaviour;

          d) Report suspicious activities to the Department of Internal Affairs (“DIA”) or other authorities where required.

9.3 We may conduct ongoing customer due diligence, enhanced due diligence, and transaction monitoring.

9.4 We may disclose Personal Information to regulatory authorities including:

          a) Department of Internal Affairs (DIA);

          b) Financial Markets Authority (FMA);

          c) Inland Revenue;

          d) New Zealand Police;

          e) Other agencies as required by law.

9.5 Under AML/CFT legislation, we are generally required to retain certain Personal Information for a minimum of seven (7) years, even if you close your account.

9.6 We may delay, decline, freeze or reverse transactions where required to comply with legal or regulatory obligations.

10  HOW WE COLLECT YOUR INFORMATION

10.1 We collect personal information:

          a) Directly from you (when you register or use DuePay)

          b) From identity verification providers

          c) From Open Banking providers (with your consent)

          d) From merchants during transactions

          e) From credit or fraud prevention agencies

          f) From publicly available databases

          g) From regulatory authorities where required

10.2 If you provide information about another person, you must have their permission.

10.3 You are not required to provide personal information. However, if you do not, we may be unable to provide services to you.

11  HOW WE USE YOUR PERSONAL INFORMATION

We use your information to:

11.1 Provide Wallet & Payment Services

          a) Create and manage your account

          b) Process QR payments

          c) Enable wallet top-ups

          d) Enable withdrawals to verified bank accounts

          e) Process refunds

          f) Maintain transaction history

11.2 Verify Identity & Comply with AML/CFT

11.3 We are required under the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 to:

          a) Verify your identity

          b) Monitor transactions

          c) Report suspicious activities

          d) Retain records for at least 7 years

11.4 Fraud Prevention & Security where we may:

          a) Monitor unusual transaction activity

          b) Use automated fraud detection systems

          c) Suspend accounts if suspicious behaviour is detected

          d) Share information with law enforcement if required

11.5 Bank Connectivity Services when you connect your bank account:

          a) We access data only with your consent

          b) We use tokenised access

          c) You may revoke consent at any time

          d) Access is limited to permissions you grant

11.6 For communications where we may contact you to:

          a) Send operational notifications

          b) Confirm transactions

          c) Provide customer support

          d) Send security alerts

          e) Send marketing messages (you can opt out anytime)

          f) Operational messages cannot be opted out of.

11.7 For improving Our Services we may use aggregated and anonymised data to:

          a) Improve app performance

          b) Develop new features

          c) Conduct analytics

          d) Improve fraud detection

12  DISCLOSURE OF PERSONAL INFORMATION

12.1 We only share personal information where necessary and permitted under New Zealand law.

12.2 We may disclose Personal Information to:

          a) Identity verification providers;

          b) Open Banking Providers;

          c) Cloud hosting providers;

          d) Fraud detection services;

          e) Banking and settlement partners;

          f) Merchants (limited transaction information);

          g) Professional advisers;

          h) Potential investors or purchasers;

          i) Regulatory authorities where required.

12.3 Some service providers may be located outside New Zealand. Where this occurs, we ensure comparable safeguards and contractual protections.

12.4 Business Transfers – If DuePay is sold or restructured, your information may be transferred as part of that transaction.

13  OVERSEAS DISCLOSURE

13.1 Some of our service providers may store data outside New Zealand (for example, Australia, Singapore, or Europe).

13.2 Where this occurs, we ensure:

          a) Comparable privacy protections

          b) Contractual safeguards

          c) Compliance with the Privacy Act 2020

14  SECURITY OF YOUR INFORMATION

14.1 We take reasonable steps to protect your information, including:

          a) Encryption in transit (TLS)

          b) Encryption at rest

          c) Tokenisation of bank accounts

          d) Multi-factor authentication

          e) Role-based access controls

          f) Secure cloud hosting

          g) Cybersecurity monitoring

14.2 If we believe a privacy breach has caused serious harm, we will notify:

          a) The Office of the Privacy Commissioner

          b) Affected individuals

15   DATA RETENTION

15.1 We retain personal information:

          a) For as long as your account remains active

          b) For at least 7 years where required under AML/CFT laws

          c) As required for dispute resolution or regulatory compliance

15.2 After this period, data is securely deleted or anonymised.

16  COOKIES & TRACKING TECHNOLOGIES

16.1 We use cookies on our website for:

          a) Performance monitoring

          b) Security

          c) Analytics

          d) Marketing measurement

16.2 You may disable cookies in your browser settings. Some website features may not function properly if disabled.

16.3 Third-party platforms (such as Meta or Google) may track interactions in accordance with their own privacy policies.

17   YOUR RIGHTS

17.1 Under the Privacy Act 2020, you have the right to:

          a) Access your personal information

          b) Request correction

          c) Withdraw consent (where applicable)

          d) Complain about misuse

17.2 You can update most details directly in the DuePay app.

17.3 To make a formal request, email us at: contact@duepaynz.com

18  COMPLAINTS

18.1 If you are not satisfied with how we handle your personal information, you may contact:

          Office of the Privacy Commissioner (NZ)
          Website: www.privacy.org.nz
          Phone: 0800 803 909

19   CHANGES TO THIS PRIVACY POLICY

19.1 We may update this Privacy Policy from time to time.

19.2 Where changes are significant, we will provide at least 14 days’ notice via:

          a) App notification

          b) Website notice

          c) Email

19.3 Continued use of DuePay after the effective date means you accept the updated policy.