KeyPay Ltd
EU & UK Privacy Policy

Learn how KeyPay treats personal data in line with the GDPR when we provide our products and services to you.

For our standard privacy policy, please click here.


1. Overview

Welcome to KeyPay! We value the trust you place in us when providing us with your Personal Data, and we aim to protect your data to the highest of standards as we provide our products and services to you. This Privacy Policy was last updated on 9 December 2022. If you have any questions about the latest changes to this policy, please see the FAQs page on our Help Centre.

2. Scope of this policy

This Privacy Policy describes how KeyPay Ltd and/or its affiliates (“us”, “we”, “our” or “KeyPay”), process the Personal Data of its customers and users (“you” or “your”) as part of your cooperation with us, and your use of our products, platforms, services, apps, and websites (together, the “Services”).

This Privacy Policy applies when you, as our corporate customer or prospective corporate customer, or as a user of our Services, are located in the European Economic Area (“EEA”) or the United Kingdom (UK).

We take the protection of your privacy very seriously. We therefore treat your Personal Data in confidence and with the utmost care, and in compliance with the applicable EU and UK data protection laws.

We may also provide you with additional information when we collect Personal Data where we feel it would be helpful to provide relevant and timely information.

This Privacy Policy describes our independent privacy and data processing practices as a data controller. We also process Personal Data on behalf of our customers as a data processor in accordance with our Data Processing Agreement.

3. What is Personal Data?

The EU and UK data protection laws define Personal Data as any information relating to an identified or identifiable natural person, i.e. one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (“Personal Data”).  

Special Categories of Personal Data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation (“Special Categories of Personal Data”). 

4. What information do we collect?

The Personal Data we collect, and process will vary depending on your dealings with us and the Services we provide to you.

We may also collect, and process Special Categories of Personal Data with your explicit consent when providing our Services to you, which includes Special Categories of Personal Data submitted by you, or on your behalf, through our platforms and apps.

(a) Information we collect when you use our Services

We may collect the information from you as a customer or end-user of our Services. Personal Data we collect when you use our Services may include:

  • individual information including name, date of birth or age, gender, sex, and marital status;
  • business information including company or business name, and other information regarding your business and/or employees that can be used to identify an individual;
  • contact information including residential and/or postal address, email address, telephone number, and social media handles;
  • current and past employment related information including occupation or job title, information relating to your current employer, information relating to your former employer and role, key dates relating to your current role and/or past roles, superannuation information, salary and/or pension details including documents such as payslips and payment summaries, citizenship and visa status for work eligibility purposes, emergency contact information, tax information, details of hours worked;
  • billing information including payment details such as banking, or debit/credit card details; and
  • Special Categories of Personal Data including health or disability information, biometric information, immigration information, criminal history and background checks, and any diversity related information such as racial and/or ethnic origin.

(b) Information we collect from your other interactions with us

We collect information when you interact with us, such as when you use our websites, communicate with us via email, telephone, social media or chatbots, make enquiries regarding demos, or when we collect feedback from you on the Services we provide. The information we may collect in these circumstances include individual or business name, address, email, phone number, company/employer, job function, team size, date, time, and reason for contacting us, survey and research responses, social media information, and call recordings.

(c) Information we collect from you automatically

We automatically collect usage information when you browse our websites or use our Services to improve our Services and enhance your user experience. This information includes digital interactions data, i.e., how you use our digital properties (including websites, social media sites, apps, electronic communications, and third-party websites), metadata (collected on an anonymous basis), consumer analytic data (collected on an anonymous basis but which can be attributed to you based on other information we have about you), log file information, information about the type of device and operating system used by you, location information, computer IP addresses, and marketing and cookie preferences, including any consent you have given us.

(d) Information we collect from other sources

We may collect information about you from other third-party sources and affiliates. This may include your name, address, email address, date of birth, gender and sex, salary details, tax information, superannuation information, profession and job title, and banking details.

5. How and why do we use this information?

We must have a legal basis to process your Personal Data. We explain these legal bases below. We also explain the purposes for which we process your Personal Data, the processing operations that we carry out, and the categories of data that we use for each purpose.  

Legal Basis

(a) Contractual performance – we have obligations under our contract with you. To fulfil those obligations, we will have to use your data.

(b) Consent – in certain cases, we ask for your consent to use your data. Whenever we ask for your consent, we will explain the situations where we use your data, and the purposes for which the information will be used.  

(c) Legitimate interest – we can process your data when this is necessary for us to achieve a business purpose, or where this is necessary for someone else to achieve their purpose. We explain below what interests we, or others, are trying to achieve when we process your data. Where we process Personal Data on the basis of a legitimate interest, then – as required by data protection law – we have carried out a balancing test to document our interests, to consider what the impact of the processing will be on individuals, and to determine whether individuals’ interests outweigh our interests in the processing activity taking place.

(d) Legal obligation – as an organisation, we are obliged to comply with the legal, regulatory and other requirements under EU, EU Member State or UK laws. In certain cases, we will have to use your data to meet these obligations.


We may process your data for different purposes. We may also provide you with more specific notices for some of the processing described below, and on the rare occasions when we need to ask for your consent, we will only do so at the time we collect your Personal Data.

(a) Provision of Services and administration of our contract with you (Contractual Performance or Consent)

We use your Personal Data to administer aspects of our relationship with you so we can fulfil the obligations we have in the contract between you and us or based on your explicit consent. We process your information:

  • to fulfil a contract, or take steps linked to contractual obligations;
  • to provide our Services, including ancillary Services such as customer support;
  • to take payment for Services (where applicable); or
  • to send you service, technical and other administrative emails, messages, and other types of communications relating to our Services.

To do this, we use your information related to our contract, such as your individual or business account information, billing information such as bank details, and information about your use of our Services.

To the extent we process Special Categories of Personal Data as a part of our Services we will only rely on your explicit consent where required by law.

(b) Our business purposes (Legitimate Interests)

We have an interest in maintaining, developing, and protecting our business interests and legal rights. We process your information:

  • to ensure our Services are working as intended, such as tracking outages or troubleshooting issues that you report to us, to make improvements to our Services, and to help us develop new products and services;
  • to ensure your experience with our Services is personalised and customised, and to tailor our communications and marketing to you;
  • we use data for analytics and measurement to understand how our Services are used. For example, we analyse data about your, and your employees, use of our Services to do things like optimise product design;
  • to conduct surveys and other market research to ensure our Services are relevant to your needs;
  • to investigate any complaints by or about you;
  • to investigate any suspected breach of any of our terms and conditions or unlawful activity engaged in by you;
  • to ensure your experience with our Services is personalised and customised;
  • to investigate, raise or defend ourselves from legal claims;
  • to comply with our compliance, regulatory, auditing, investigative and disciplinary obligations (including disclosure of such information in connection with legal process or litigation) and other ethics and compliance reporting requirements;
  • to protect the security of our premises, assets, systems, and intellectual property, and to enforce company policies, including monitoring communications as permitted by law, to verify your identity and enable us to monitor suspicious or fraudulent activity; or
  • where our business interests involve undertaking mergers, acquisitions, reorganisations, or disposals, as permitted/required in accordance with applicable law.

To do this, we use your information related to our contract, such as your individual or business account information, billing information such as bank details, and information about your use of our Services.

(c) Marketing communication and preferences (Consent)

We send you marketing communications via email or SMS when you provide us with consent by using your contact details and information provided through your use of the Services.

We may also place particular types of cookies and use similar technologies when you provide us with consent. See our Cookie Policy for further information.

(d) Compliance with law (Legal Obligation)

We analyse and sometimes transmit your data where necessary to comply with a legal obligation.

Those legal obligations, and the processing operations they require us to undertake, are:

  • Tax laws and similar obligations (these include tax laws and obligations that apply to us in each of the jurisdictions in which we operate). These require us to undertake tax and national insurance reporting, filing and withholding; and
  • Anti-money laundering laws and similar obligations (these include anti-money laundering laws and obligations that apply to us in each of the jurisdictions in which we operate). These require us to undertake specific action to prevent money laundering as part of or in relation to the use of our Services.

Sometimes it is also necessary for us to comply with requirements to respond to court orders, subpoenas, or other legal processes.

In these circumstances we use your personal identification information, contractual relationship information and, in some circumstances, information about your use of the Services.

6. How we share your Personal Data?

(a) Sharing of information when providing our Services

We may share your Personal Data with our affiliates and with other third parties from time to time for the purposes and means described in this Privacy Policy. In delivering our Services, we may disclose your information to:

  • members and personnel of our business and our affiliates listed here (i.e. the Employment Hero group) – we may share your information between our departments or business functions, including with our employees, contractors, and our affiliates  for the purposes of the delivery and operation of our Services, and fulfilling requests by you, and we may share your information with our affiliates for the purposes of the delivery of their services to you where you have subscribed to their services, or where they integrate with us to provide our Services;
  • legal and regulatory authorities – we may share your information with government authorities and/or law enforcement officials if required for the purposes above, if mandated by law or if required for the legal protection of our legitimate interests in compliance with applicable laws;
  • parties involved in a business sale – in the event that we undergo any reorganisation, restructuring, merger, sale, or other transfer of assets your information will be disclosed to our advisers and any prospective purchaser’s adviser and will be passed to any new owners of the business;
  • business partners – we may share your data with our existing or potential agents, business partners or joint venture entities or partners to enable us to perform our business activities in relation to your services; and
  • your organisation – we may share your information with your employer and other personnel (where it is necessary and reasonable) in your organisation, if you use our Services in connection with your employment and your employer has established an account on your behalf.

(b) Sharing your information with third parties

We may disclose your Personal Data to specific third-party service providers who facilitate the delivery of our Services and operation of our business activities. We disclose your Personal Data to such third parties as doing so may be necessary to adequately provide our Services to you, or to assist us in analysing how our Services are used and ensure they are provided to you at the highest quality. These third parties are given access to your Personal Data only to perform these tasks on our behalf or for our benefit and are required not to disclose or use it for any other purpose.

Such third parties include providers of hosting services and technical infrastructure (e.g., Amazon Web Services), maintenance services, CRM services, customer support services, and marketing services.

(c) Sharing your information with overseas recipients

In connection with the purposes identified in this Privacy Policy, and the Services described, your Personal Data may be transferred outside the EEA or the UK, including to KeyPay’s team members and affiliates based in Australia, New Zealand, Singapore, Malaysia, Vietnam and the Philippines,  and to third-party service providers located globally, where it is deemed reasonably necessary for us to make such transfer.

If your Personal Data is transferred outside the EEA or the UK, we ensure that such transfer is compliant with the relevant requirements.

Adequacy decisions

Where the European Commission or the UK government has determined that certain countries outside of the EEA or the UK have an adequate level of Personal Data protection, e.g., New Zealand, Personal Data can be transferred to such a country without any further safeguards being necessary. A full list of such adequate countries is available here (for the EEA) and here (for the UK).

Where information is transferred outside the UK, or the EEA to a location that is not subject to an adequacy decision by the European Commission or the UK government, we ensure data is adequately protected. We may transfer your Personal Data (as described in section 4 above) for the purposes described in section 5 above to Australia, Singapore, Malaysia, Vietnam and the Philippines by relying on the EU Standard Contractual Clauses for the transfers from the EU, or the International Data Transfer Agreement or International Data Transfer Addendum to the EU Standard Contractual Clauses for the transfers from the UK, or relying on such other data transfer mechanisms as available under applicable data protection laws.

A copy of the relevant mechanism can be obtained for your review on request by using the contact details below.

7. What rights do you have?

You have the right to ask us for a copy of your Personal Data to correct, delete or restrict processing of your Personal Data, and to obtain the Personal Data you provide to us on a contractual basis or with your consent in a structured, machine-readable format.

You can also correct and delete some Personal Data through your account provided by our Services. Where your Personal Data has been added to your account by your employer, you can ask your employer to correct or delete your Personal Data on your behalf. Your employer will then request us to correct or delete the Personal Data from our systems.

In addition, you can object to the processing of your Personal Data in some circumstances, i.e. when we process your Personal Data based on our legitimate interests or where we are using the data for direct marketing. In some cases, we may send you direct marketing based on our legitimate interests.

You have an absolute right to opt out of direct marketing at any time. You can do this by following the instructions in the communication within an electronic message, or by contacting us at

These rights may be limited, for example if fulfilling your request would reveal Personal Data about another person, or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. We will inform you of relevant exemptions we rely upon when responding to any request you make.

To exercise any of these rights, including obtaining a copy of your legitimate interest balancing test, you can get in touch with us using the details set out below. If you have unresolved concerns, you have the right to complain to a data protection authority where you live, work or where you believe a breach may have occurred.

For the provision of information marked as mandatory when you register to use our Service, if such information is not provided, then you will not be able to use our Services. All other provision of your information is optional. If you do not provide such information, our provision of certain Services to you may be detracted from.

Where we rely on your consent, you will always be able to withdraw that consent at any time.

If you ask to withdraw your consent to our processing your data, this will not affect any processing which has already taken place.

Direct marketing communications

In some cases, we may send you direct marketing based on our legitimate interests or where you have provided us with explicit consent.

You have an absolute right to opt out of direct marketing at any time. You can do this by following the instructions in the communication within the electronic message we send to you, or by contacting us via email at

We may still send you important notices relating to your account, operational activities, and technical updates, even after you have opted out of receiving marketing communications.

8. How long will you retain my data?

We store data for as long as necessary to provide our Services and in accordance with our internal Data Retention Policy. This is a case-by-case determination that depends on things such as the nature of the data, why it is collected and processed, and relevant legal or operational retention needs. You can delete some Personal Data whenever you like, some data is deleted automatically, and some data we retain for longer periods of time. For example:

  • We keep account information for as long as your subscription or agreement continues or for as long as it is necessary to deliver our Services.
  • We will keep a record of the fact that you have asked us not to send you direct marketing, so that we can respect your request in future. If you unsubscribe from receiving direct marketing, then we will remove your details from our direct marketing mailing list.
  • We will keep the usage information and analytics data relating to your use of the Services to understand how people use our Services. We will do this through the use of cookies and tracking technologies to provide us with user analytics data to improve our Services and enhance your user experience. More information about the retention period of cookies can be found in our Cookie Policy.

Sometimes business and legal requirements oblige us to retain certain information, for specific purposes, and for an extended period of time. Reasons we might retain some data for longer periods of time include security, fraud prevention, financial record-keeping, complying with legal or regulatory requirements, ensuring the continuity of our Services, and when you have had direct communications with us.

9. How do I get in touch with you?

We are an entity belonging to the Employment Hero group and all privacy related matters are dealt with by the Employment Hero legal team. If you have any questions or concerns about how we process your data, please send your query to

To comply with the EU data protection laws (GDPR), we have appointed a representative in the EU and UK. If you wish to contact them, their details are as follows:

Bird & Bird GDPR Representative Services Ireland

Deloitte House, 29 Earlsfort Terrace, Dublin 2, D02 AY28


Main point of contact: Vincent Rezzouk-Hammachi

10. Changes to our Privacy Policy

We reserve the right to change this Privacy Policy from time to time to reflect changes in the law or regulation, our information practices, our Services, or our operational requirements. We encourage you to periodically review this page to see any changes we have made. In the event that we make any significant changes in terms of data processing operations or any other change that may be relevant to you or may impact you, we will additionally notify you via email or notifications on our Services.

11. Related Policies

KeyPay AU Privacy Policy

Data Processing Agreement