Global Privacy Policy
Last Updated: 17/09/2025
1. Who We Are
Mint Payments operates through regional entities. The controller for your personal information depends on where you are located when you interact with us:
- Australia: Mint Australia Pty Ltd (ACN 634 104 895)
- New Zealand: Mint New Zealand Pty Ltd (NZBN: 9429050799244)
- United Kingdom: Mint Payments UK Limited (company no. 14167728)
- United States: Mint Payments USA, Inc. (EIN: 37-2113583)
- Canada: Mint Payments Canada Limited (Ontario Corporation Number: 1001314815)
- Singapore: Mint Payments Asia Pte. Ltd. (registration no. 201111222W)
- European Union/EEA: IPG Europe Limited (company no. HE 357214)
- Hong Kong: IPGPAY Limited (registration no. 59480962)
Each entity, together with its related bodies corporate or related companies, is referred to as “Mint”, “we” or “us” and “you” and “your” refers to any individual about whom we collect personal information.
2. Overview
Mint develops payments technology and processes to deliver an efficient experience for our merchants and their customers. Protecting the privacy of individuals whose personal information we process is fundamental to how we operate. This Global Privacy Policy explains the personal information we collect, how and why we use it, how we share and protect it, and the choices and rights available to you.
This Policy is designed as a global baseline. It is supplemented by Jurisdictional Addenda that apply where you are located. If there is a conflict between this Policy and a Jurisdictional Addendum, the Addendum prevails for that location. Where requirements differ across jurisdictions, we generally apply the strictest requirement, unless a local law mandates a shorter retention, a different process, or prohibits a stricter approach.
3. Purpose
Mint Payments handles the personal information we collect about you in accordance with this Privacy Policy and our obligations under the data protection laws that apply to our activities. For example, these laws include (but are not limited to):
- Australian Privacy Act 1988 (Cth) (AU Privacy Act), including the Australian Privacy Principles (APPs);
- New Zealand Privacy Act 2020 (NZ Privacy Act), including the Information Privacy Principles (IPPs);
- the United Kingdom’s data protection laws, including the Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations (UK Data Protection Laws);
- the European Union’s General Data Protection Regulation (EU GDPR);
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation;
- Singapore’s Personal Data Protection Act 2012 (PDPA);
- Hong Kong’s Personal Data (Privacy) Ordinance (PDPO); and
- Applicable United States federal and state privacy laws, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
We strongly encourage you to read this document, so that you understand and are comfortable with how we handle your personal information. If you have any questions about this document, or about Mint Payments’ handling of your personal information, please contact us via privacy@mintpayments.com.
4. Mint’s Risk Appetite In Relation To Privacy
Mint is intolerant of any breaches of privacy in respect of our merchants, customers, employees, contractors and anyone we do business with.
Mint respects the personal and sensitive data of our merchants, End Users (as defined below), employees and business partners and will treat such data safely and securely and in compliance with the applicable data protection laws.
5. About This Privacy Policy
This Privacy Policy sets out how we collect, store, process, use and disclose personal information (including personal information we collect, and personal information submitted to us, whether offline or online, for example through our portal).
Other terms and conditions may apply to you such as:
- the privacy terms and conditions contained in contractual arrangements we may have with you, including our General Terms and Conditions; and
- the collection notices and privacy statements which may be provided to you at the time your personal information is collected by us (for example a collection notice provided when you are being onboarded as a merchant).
6. Automated Decisions & Profiling
We use automated tools to assess transaction risk, prevent fraud, and verify identity. These systems can affect the speed or availability of a transaction. Where required by law, you can request human review, share your views, and contest a decision.
7. International Data Transfers
We operate globally and may transfer personal information across borders using appropriate safeguards, including:
- Intra Group Data Transfer Agreement (IGDTA) incorporating the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum.
- Additional contractual, technical and organisational measures (encryption, access controls, logging/monitoring).
- Local protections where available (e.g., adequacy decisions).
Details of transfer mechanisms and sub processors are available on request or in our sub-processor register.
Where you are part of a partner network, franchise group, buying consortium, or similar organisation that has a commercial arrangement with Mint, we may share relevant merchant and transaction information with that organisation. This sharing is limited to what is necessary to:
- reconcile transactions, manage trust or client accounts, or distribute payments;
- provide reporting and support services to you and your group;
- assist with fraud prevention, compliance, and dispute resolution.
These organisations act as independent controllers of the data we share with them, and are responsible for their own compliance with applicable data protection laws. We ensure that any such sharing is subject to appropriate contractual safeguards, including controller-to-controller data sharing agreements where required.
8. Marketing And Cookies
We send electronic marketing in line with local laws and user preferences, and honour unsubscribe requests. We use cookies and similar technologies for essential site functionality, analytics, and (where consented) marketing. In the UK/EU we obtain consent for non-essential cookies; elsewhere we follow local requirements and honour browser signals where applicable. See our Cookie Policy and Preferences Centre.
9. Children’s Privacy
Our services are not directed to children. We do not knowingly collect personal information from children below the relevant local age threshold (e.g., 13 in the US; 16 in the EU/UK unless a lower Member State age applies). If you believe a child has provided us information, contact us to delete it.
10. What Is Personal Information And What Do We Collect?
“Personal information” or “personal data” is information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
In this Privacy Policy, we use the terms “personal information” and “personal data” interchangeably. Personal information does not include aggregated or de-identified data.
In order to provide you with our end-to-end payments solutions (including our online and in-person products/services), or to otherwise interact with us (such as applying for a job with us), Mint Payments needs to collect your personal information.
In summary, we collect your personal information when you:
- fill out a merchant application form or otherwise apply to be a merchant;
- interact with us, for example via phone or online (including through our portals, website or our social media channels), or when you contact us with a query; or
- make a transaction using our payment service;
- apply for a position with us.
Summary of personal information we collect and how we collect this information
The types of personal information we usually collect about you depends on who you are and your dealings with us. However, the table below sets out a summary of the personal information we generally collect and how we collect this information. Some of this information may be considered “sensitive personal information” or “special categories of personal data” under applicable law (e.g., biometric data).
| Who are the relevant individuals? | What type of information may we collect? | How do we collect this information? |
|---|---|---|
| Merchants/customers | If you are a merchant, we collect the following information:
| We collect your personal information directly from you, for example:
|
| Individuals transacting with or through Merchants with the use of the payment services (“End-Users”) | If you are an End User, we process the following information:
| We collect your personal information directly from you when you make the transaction. We also collect personal information about you from our merchants and other organisations involved in the payment process. |
| Job / work experience applicants | If you are applying to work with us, we may collect the following information:
| We may collect this information if you apply for a position with Mint Payments (including if you are applying for work experience with us). |
| Other individuals | Depending on who you are (such as a supplier of goods and services to us or if you interact with our social media channels), we collect:
| We collect this information if you visit us, contact us or otherwise interact with us in person, online or via phone/email. |
We also collect other types of information, which we have summarised below:
| Type of personal information | What this includes | How do we collect this information? |
|---|---|---|
| Online and digital services information (including behavioural information) | We collect information from you electronically which includes information such as your IP address, and details about your device. Please see section 11 for further information on the digital information we collect. | We collect this information when you use our website or any online services, via use of online behavioural technologies, such as cookies. Please see section 11 for further information on the digital information we collect. |
| Call recording information | This includes the voice recording, time, date, number and name of individuals on the call. | We collect this information in circumstances where we monitor and record our call with you, when we call you, or you call us. We will let you know if we are going to record call information. |
| Camera surveillance information | We collect camera surveillance information which includes photographs or video recordings of you. | We collect this information in circumstances where we use camera surveillance (e.g. CCTV) at our premises for the safety of our staff and any visitors to our offices. |
| Information required to be collected by law | We collect information as required by law (for example, under anti-money laundering or anti-terrorism legislation). This includes information related to any politically exposed person, sanctions that an individual may be subject to and criminal convictions or offences related information. | We collect this from you and/or third parties as required depending on the information required by law. |
| Publicly available online information | We collect information that is publicly available online, such as on online forums, websites, and social media channels (for example, information that relates to a complaint). | We collect this directly from the publicly available source (e.g. on the online forum, website, or social media channel). |
In some cases, you may provide us with personal information which relates to another person (for example, an emergency contact or a job referee). If you do so, you must ensure that you have received permission from these individuals for us to collect, use, and share, their personal information in accordance with this Privacy Policy.
You should also let them know about our Privacy Policy (including the information in this Privacy Policy).
Can you deal with us without providing your name?
Where possible and lawful, you may interact with us anonymously or using a fake name. For example, if you contact us with a general question or query, we will not record your name or other details unless we need it to adequately respond to your query.
However, for many of our functions and the services we provide, we need information about you including your financial information (e.g. bank details) as it may not be practicable for us to deal with you anonymously or pseudonymously on an ongoing basis when providing our products/services.
If you provide incomplete or inaccurate information to us or withhold personal information from us, we may not be able to provide you with the products and services you are seeking.
11. Why Do We Collect, Store And Use Your Personal Information?
The primary purpose for which we collect your personal information will depend on who you are and your interaction with us, for example, if you are a merchant, job applicant, or a supplier of goods or services to us.
We have summarised the types of purposes for which we may collect your personal information:
| Purpose | Explanation |
|---|---|
| To provide you with our products/services | We collect, store and use your personal information to:
|
| To comply with regulatory requirements | In the course of providing our products/services we have to comply with applicable regulatory requirements including anti-money laundering, anti-terrorism and KYC checks. |
| To manage your working relationship with us (including when you are a contractor) | We collect, store and use your personal information to assess your suitability for a position with us, and, if you successfully join us, to manage your working relationship with us, including for payroll purposes. We collect, store and use your personal information for administration and management purposes. |
| To do business with you | We collect, store and use your personal information about you if you interact with us on a commercial basis (such as if you are a service provider, contractor or supplier to us), or you otherwise interact with us on a commercial basis. |
| To manage and improve our operations and business | We collect, store and use your personal information to:
|
12. Lawful Bases
We rely on: Contract (provide services, run your account), Legal obligation (AML/CTF, KYC, tax, record-keeping), Legitimate interests (fraud/risk prevention, security, service improvement, defending claims), and Consent (non-essential cookies/e-marketing where required). For biometric or criminal-history data we use narrow legal bases (e.g., substantial public interest for AML/fraud) or explicit consent, keep access tightly limited, and complete DPIAs where required.
We have summarised the types of lawful bases for your personal information:
| Purpose | Explanation |
|---|---|
| Onboarding/KYC/AML | Legal obligation / Contract |
| Payments Processing | Contract |
| Fraud & risk scoring/security | Legitimate interests / substantial public interest (where available) |
| Support/incident handling | Contract / Legitimate interests |
| Service improvement/analytics | Legitimate interests (consent for non-essential cookies) |
| Regulatory reporting/audit/records | Legal obligation |
| Marketing/preferences | Consent or Legitimate interests (as applicable) |
13. How Long We Keep Information
We will store the personal information we collect about you for no longer than necessary for the purposes set out in Clause 11 in accordance with our legal obligations and legitimate business interests.
To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, as well as the applicable legal, regulatory, tax, accounting or other requirements.
14. Your Privacy Rights And Choices
Depending on location, individuals may have rights to access, correct, delete, port, object, restrict processing, and withdraw consent. In California and some US states, individuals may also opt out of selling or sharing personal information and may limit the use of Sensitive Personal Information. We honour Global Privacy Control (GPC) signals where applicable. Requests can be sent to privacy@mintpayments.com with “Privacy request” in the subject.
15. Do We Sell Or Share Personal Information?
We do not sell personal information and we do not share personal information for cross-context behavioural advertising. If this changes, we will update the Policy and provide a “Do Not Sell or Share” mechanism where required.
16. Security
We use encryption in transit and at rest, role-based access control and multi-factor authentication, logging/monitoring, and regular testing. Access to sensitive data (including biometrics) is strictly limited. Staff receive training and we maintain incident response and breach notification procedures.
17. Contact And Complaints
Email: privacy@mintpayments.com
You can also contact or complain to your local authority:
- Australia – Office of the Australian Information Commissioner (OAIC)
- New Zealand – Office of the Privacy Commissioner (OPC)
- United Kingdom – Information Commissioner’s Office (ICO)
- European Union – Your local Data Protection Authority
- Singapore – Personal Data Protection Commission (PDPC)
- Hong Kong – Office of the Privacy Commissioner for Personal Data (PCPD)
- Canada – Office of the Privacy Commissioner of Canada (or provincial authority)
- United States – State Attorney General / California Privacy Protection Agency (CPPA)
18. Jurisdictional Addenda (A–H)
Annex A – Australia (APPs)
- Sensitive information (e.g., biometrics) handled under APP 3 with consent or where required/authorised by law; minimised collection and tight access controls.
- Anonymity/pseudonymity supported where practicable (APP 2).
- Cross-border disclosures (APP 8): reasonable steps to ensure comparable protection, or rely on permitted exceptions.
- Notifiable Data Breaches: assess eligible breaches and notify affected individuals and OAIC where required.
- Retention: AML/KYC and transaction records generally 7 years.
Annex B – New Zealand (Privacy Act 2020)
- Compliance with IPPs, including collection/use/disclosure limits, storage/security, access/correction, and unique identifiers.
- Notifiable privacy breaches: notify NZ OPC and affected individuals where required.
- Overseas disclosures: ensure comparable safeguards or use contractual protections.
Annex C – Hong Kong (PDPO)
- Compliance with DPPs.
- Cross-border transfers: Section 33 not in force; apply equivalent safeguards contractually and appropriate clauses where applicable.
- Data Access Requests permitted; any fees are reasonable and cost-based.
- No direct marketing for new purposes without prescribed consent.
Annex D – Singapore (PDPA)
- Consent and notification rules apply; legitimate interests exception used where documented.
- Do-Not-Call Registry screening for marketing unless an exemption applies.
- Overseas transfers: comparable standard of protection via contracts and technical measures.
- Breach notification: notify PDPC and affected individuals where required.
Annex E – United Kingdom (UK GDPR & DPA 2018)
- Controller: Mint Payments UK Limited; ICO registration ZB933012.
- Transfers outside the UK rely on the UK Addendum to the EU SCCs and other permitted safeguards.
Annex F – European Union (EU GDPR)
- Where we target individuals in the EU, we designate an EU representative (Art. 27) – to be inserted in Who we are.
- Transfers outside the EEA rely on EU SCCs (and adequacy where applicable).
Annex G – Canada (PIPEDA & provincial laws)
- Meaningful consent principle; exceptions apply (e.g., investigations, fraud prevention).
- Cross-border processing with contractual/technical safeguards and transparency.
- Quebec Law 25: conduct PIAs for out-of-Quebec transfers; disclose automated decision-making where applicable.
Annex H – United States (CPRA and state privacy laws)
- No sale/share of personal information for cross context behavioural advertising.
- Use of Sensitive Personal Information limited to disclosed purposes (onboarding, fraud prevention, compliance).
- Honour Global Privacy Control (GPC) signals where applicable.
- Rights: access, deletion, correction, portability, and opt-out of targeted advertising (where offered by law) via privacy contact.