Afterpay

Policy provides comprehensive scope coverage, clear contact information, version tracking, and accessibility commitments. Strong plain language commitment and definitions, though lacks explicit table of contents.

Clear primary purposes stated with good secondary use disclosure including marketing profiling and analytics. Notification commitment for new uses, though general purpose limitation commitment could be more explicit.

Clear update notification process with version tracking and accessibility commitments. ISO 27001 compliance and complaint handling framework disclosed, though lacks specific review frequency commitments.

Excellent granular enumeration of data types collected including biometric and geolocation data. Clear disclosure of collection methods, sensitive data handling with consent requirements, and specific legal bases for collection.

Strong disclosure with named third parties, detailed categories, and specific purposes. Clear affiliate sharing purposes and contractual obligations including ISO 27001 compliance requirements for third parties.

ISO 27001 certification disclosed with general administrative, technical, and physical safeguards mentioned. Third party security requirements stated, but lacks specific encryption details or breach notification commitments.

Specific countries named for transfers with general protection commitment for equivalent levels of protection. Cloud storage locations disclosed, though specific adequacy mechanisms or binding rules not detailed.

Comprehensive rights framework with specific mechanisms for access, correction, marketing opt-out, and targeted advertising opt-out. Clear complaint escalation to OAIC and AFCA with contact details and non-discrimination protection.

Good disclosure of credit risk assessment and marketing profiling with opt-out rights for advertising. Limited transparency about algorithmic logic and no mention of human review rights for automated decisions.

Clear age threshold of 18 with deletion policy if child data discovered. However, lacks proactive age verification mechanisms and parental consent requirements, relying only on reactive detection.