Last updated: May 1st 2026
This Privacy Policy explains how Storrik collects, uses, discloses, stores, protects, and manages personal information when you access or use Storrik’s websites, dashboard, APIs, checkout products, onboarding flows, payment tools, support channels, documentation, and related services.
This Privacy Policy applies to merchants, account holders, business representatives, directors, beneficial owners, authorised users, developers, website visitors, customers who pay through Storrik-powered checkout experiences, and other people whose personal information is handled through the Services.
By accessing or using the Services, submitting information to Storrik, creating an account, completing onboarding, using Storrik checkout, communicating with us, or otherwise interacting with Storrik, you acknowledge that we may handle personal information as described in this Privacy Policy.
1. Who we are
Storrik is operated by Storrik (ABN 84 916 006 495), trading as Storrik.
In this Privacy Policy, Storrik, we, us, and our mean Storrik (ABN 84 916 006 495), its related bodies corporate, officers, employees, contractors, agents, successors, and assigns.
Contact details:
Email: privacy@storrik.com
Support: support@storrik.com
2. Key definitions
In this Privacy Policy:
Account means a Storrik account, merchant account, organisation account, connected account, dashboard account, API account, or other account made available through the Services.
Customer means a person or entity that purchases goods, services, subscriptions, digital products, licences, or other offerings from a merchant using Storrik.
Merchant means a business, seller, platform user, organisation, account holder, or other person or entity using Storrik to accept, manage, or monitor payments.
Payment Processor means any bank, acquirer, card network, processor, payment facilitator, financial institution, settlement provider, identity verification provider, fraud provider, compliance provider, or third-party payment service provider used to provide or support the Services.
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not.
Services means Storrik’s websites, dashboard, APIs, checkout, onboarding, payment tools, reporting tools, developer tools, fraud tools, support, communications, documentation, and related products.
3. Personal information we collect
The personal information we collect depends on how you interact with Storrik, the Services you use, your role, your location, your business type, and the information required by law, Payment Processors, card networks, banks, or risk controls.
We may collect the following categories of information.
4. Account and identity information
When you create or use an Account, we may collect:
- name;
- email address;
- phone number;
- username;
- password or authentication credentials;
- passkey or multi-factor authentication information;
- profile picture;
- role, permissions, and team access details;
- session information;
- device information;
- login history;
- security settings; and
- account preferences.
5. Business and merchant information
For Merchants and business representatives, we may collect:
- legal business name;
- trading name;
- business address;
- business email and phone number;
- website and product URLs;
- business description;
- industry, category, or merchant category code;
- country of registration or operation;
- company, trust, partnership, sole trader, or organisation details;
- ABN, ACN, company number, tax number, registration number, or similar identifiers;
- director, officer, controller, shareholder, beneficial owner, trustee, partner, or representative details;
- business documents;
- ownership and control information;
- expected processing volume;
- transaction history;
- fulfilment model;
- refund and cancellation policies;
- risk and compliance information;
- payout settings; and
- other information needed to onboard, verify, review, or support the business.
6. Verification and compliance information
To meet legal, risk, Payment Processor, card network, fraud prevention, anti-money laundering, counter-terrorism financing, sanctions, identity verification, and onboarding requirements, we may collect:
- date of birth;
- residential address;
- nationality;
- citizenship;
- government-issued identity document details;
- document images;
- identity verification results;
- proof of address;
- bank account ownership evidence;
- business registration documents;
- beneficial ownership information;
- politically exposed person or sanctions screening results where applicable;
- watchlist screening results where applicable;
- fraud and risk signals;
- source of funds or source of wealth information where required;
- supplier, inventory, fulfilment, or delivery evidence;
- dispute and chargeback evidence; and
- other information required by law, Payment Processors, banks, card networks, regulators, or our risk controls.
Some verification information may be sensitive or highly confidential. We only request this information where we reasonably need it for onboarding, verification, compliance, risk, fraud prevention, payment processing, dispute handling, legal obligations, or security.
7. Payment and transaction information
When payments are processed through Storrik or Storrik-supported services, we may collect:
- transaction IDs;
- payment intent, authorisation, capture, refund, and dispute details;
- transaction amount;
- currency;
- transaction status;
- payment method type;
- partial card information, such as card brand, last four digits, expiry month and year, funding type, and country, where provided by a Payment Processor;
- wallet type;
- billing name;
- billing email;
- billing address;
- shipping address;
- customer details;
- product or order details;
- invoice, receipt, subscription, and checkout details;
- fraud scores and risk signals;
- chargeback, inquiry, and dispute details;
- refund details;
- payout and settlement details;
- metadata submitted through the Services; and
- Payment Processor response data.
Storrik does not require you to store full card numbers or CVV codes in your own systems. You must not send full card numbers, CVVs, or sensitive authentication data to Storrik unless we have expressly approved the method and it complies with applicable security requirements.
8. Customer information
If you are a Customer paying through a Storrik-powered checkout or payment flow, we may collect information needed to process your payment, support the transaction, prevent fraud, provide receipts, handle refunds, respond to disputes, and comply with legal or Payment Processor requirements.
This may include:
- name;
- email address;
- phone number;
- billing address;
- shipping address;
- payment method details provided by a Payment Processor;
- order details;
- product or service details;
- IP address;
- device and browser information;
- fraud and risk signals;
- refund, dispute, and support information; and
- communications with the Merchant or Storrik.
Merchants are responsible for their own privacy notices and privacy obligations to their Customers. Storrik may act as a service provider, processor, independent controller, or similar role depending on the context, law, provider model, and payment flow.
9. Technical, usage, and device information
When you use the Services, we may collect:
- IP address;
- device type;
- browser type;
- operating system;
- approximate location based on IP address;
- pages viewed;
- dashboard actions;
- API requests;
- logs;
- timestamps;
- referral URLs;
- session identifiers;
- cookies and similar technologies;
- performance data;
- error logs;
- rate limit data;
- webhook delivery data;
- security events; and
- analytics data.
We use this information to operate, secure, monitor, improve, debug, and protect the Services.
10. Information from third parties
We may collect information about you from third parties, including:
- Payment Processors;
- banks and financial institutions;
- card networks;
- identity verification providers;
- fraud prevention providers;
- sanctions and screening providers;
- business registries;
- credit, risk, or compliance data providers where permitted;
- analytics providers;
- service providers;
- Merchants;
- Customers;
- support communications;
- public websites;
- public databases; and
- regulators, law enforcement, courts, or government bodies where applicable.
We may combine third-party information with information you provide directly.
11. How we collect personal information
We may collect personal information when:
- you create an Account;
- you complete onboarding;
- you submit documents;
- you use the dashboard;
- you use APIs, SDKs, or webhooks;
- you process, receive, refund, dispute, or manage payments;
- you contact support;
- you subscribe to emails or updates;
- you visit our websites;
- you interact with checkout pages;
- you invite team members;
- your business, Customer, bank, Payment Processor, or service provider provides information to us;
- we perform risk, compliance, fraud, security, or verification checks; or
- we are required or permitted to collect information by law.
Where practical, we collect personal information directly from you. In some cases, we collect it from Merchants, Customers, Payment Processors, service providers, public sources, or other third parties.
12. Why we use personal information
We use personal information for the following purposes:
- creating and managing Accounts;
- verifying identity and business information;
- onboarding Merchants;
- providing the Services;
- processing payments, refunds, disputes, chargebacks, settlements, and payouts;
- supporting checkout and transaction flows;
- calculating fees, balances, reserves, and reports;
- providing dashboards, analytics, logs, receipts, and records;
- providing customer support;
- communicating with you;
- sending service, security, legal, and account notices;
- preventing fraud, misuse, security incidents, and unauthorised activity;
- monitoring risk and compliance;
- complying with Payment Processor, bank, card network, and scheme requirements;
- complying with laws, regulations, court orders, regulator requests, and legal obligations;
- enforcing our Terms of Service and policies;
- investigating suspicious activity, disputes, complaints, and breaches;
- improving, testing, debugging, and developing the Services;
- maintaining business records;
- protecting Storrik, Merchants, Customers, Payment Processors, card networks, banks, regulators, and others; and
- carrying out any other purpose disclosed to you or permitted by law.
13. Legal bases and lawful grounds
Depending on where you are located, we may rely on one or more lawful grounds to handle personal information, including:
- your consent;
- performing a contract with you;
- taking steps at your request before entering into a contract;
- complying with legal obligations;
- protecting legitimate business, security, fraud prevention, compliance, and risk management interests;
- protecting vital interests where applicable;
- performing a task in the public interest where applicable; and
- other lawful grounds available under applicable privacy or data protection laws.
Where consent is required, you may withdraw consent as permitted by law. Withdrawal may affect your ability to use some Services.
14. Automated systems and risk decisions
Storrik may use automated systems, rules, models, risk engines, fraud tools, monitoring tools, screening tools, and Payment Processor systems to help detect fraud, assess risk, support onboarding, monitor transactions, flag suspicious activity, prevent abuse, identify unsupported activity, protect accounts, and comply with legal or Payment Processor requirements.
These systems may use information such as identity details, business details, transaction data, payment method data, device data, IP address, location signals, behavioural signals, account history, chargeback history, refund history, risk signals, screening results, and Payment Processor data.
Automated systems may support decisions about:
- whether additional verification is required;
- whether a transaction should be reviewed, delayed, declined, refunded, or restricted;
- whether payouts should be delayed or reviewed;
- whether reserves, limits, or account restrictions should be applied;
- whether an Account should be reviewed, suspended, or closed;
- whether a login or API request appears suspicious; and
- whether a business, product, or activity may be unsupported or prohibited.
Where required by law, we will provide information about significant automated decisions and any rights you may have to request review, correction, explanation, or human involvement.
15. When we disclose personal information
We may disclose personal information to:
- Payment Processors;
- banks and financial institutions;
- card networks and payment schemes;
- identity verification providers;
- fraud prevention and risk providers;
- sanctions, watchlist, and compliance screening providers;
- cloud hosting providers;
- database, storage, infrastructure, and security providers;
- email, SMS, notification, and communications providers;
- analytics and monitoring providers;
- support and customer service providers;
- professional advisers, including lawyers, accountants, auditors, consultants, insurers, and compliance advisers;
- Merchants, where information relates to their Customers or transactions;
- Customers, where necessary for receipts, refunds, disputes, support, or transaction information;
- regulators, government agencies, law enforcement, courts, tribunals, and dispute resolution bodies;
- third parties involved in a merger, acquisition, financing, restructure, sale of assets, change of control, or similar transaction;
- related bodies corporate or affiliated entities; and
- other parties where you direct us to disclose the information, where disclosure is necessary to provide the Services, or where disclosure is required or permitted by law.
We do not sell personal information to advertisers.
16. International disclosures
Storrik may disclose, transfer, store, or process personal information outside Australia. This may occur because we use global Payment Processors, cloud infrastructure, identity providers, fraud providers, compliance providers, support tools, analytics providers, or other service providers.
Countries where personal information may be handled may include:
- Australia;
- United States;
- United Kingdom;
- European Economic Area countries;
- Singapore;
- New Zealand;
- Canada; and
- other countries where Storrik, Payment Processors, or service providers operate.
Where required by law, we take reasonable steps to ensure overseas recipients protect personal information appropriately.
17. Cookies and similar technologies
We may use cookies, local storage, pixels, tags, SDKs, and similar technologies to:
- keep you signed in;
- secure accounts;
- remember preferences;
- detect fraud and abuse;
- measure performance;
- understand usage;
- debug errors;
- improve the Services; and
- support marketing or analytics where permitted.
You can usually control cookies through your browser settings. Blocking cookies may affect login, checkout, security, dashboard functionality, or other parts of the Services.
18. Marketing communications
We may send marketing communications where permitted by law. You can unsubscribe from marketing emails using the unsubscribe link or by contacting us.
We may still send non-marketing communications, including security notices, account notices, legal notices, payment notices, onboarding notices, transaction notices, support messages, policy updates, and service-related communications.
19. Data retention
We keep personal information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Services, comply with legal obligations, meet Payment Processor and card network requirements, resolve disputes, prevent fraud, enforce agreements, maintain records, support audits, and manage risk.
Retention periods may vary based on:
- account status;
- transaction activity;
- legal requirements;
- tax and accounting obligations;
- AML, sanctions, and compliance obligations;
- Payment Processor requirements;
- card network and dispute windows;
- fraud and risk needs;
- unresolved complaints, investigations, or disputes; and
- security requirements.
When personal information is no longer needed, we will take reasonable steps to delete, destroy, or de-identify it, unless we are required or permitted to keep it.
20. Security
We use reasonable technical, organisational, and administrative measures designed to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure.
These measures may include:
- access controls;
- encryption in transit;
- secure authentication;
- logging and monitoring;
- least-privilege access;
- infrastructure security controls;
- vulnerability management;
- account security controls;
- fraud monitoring;
- staff and contractor access restrictions; and
- incident response processes.
No system is completely secure. You are responsible for keeping your login credentials, devices, API keys, webhook secrets, and account access secure.
21. Data breaches
If we become aware of a data breach involving personal information, we will assess the incident and take steps required by applicable law. This may include containment, investigation, remediation, notification to affected individuals, notification to regulators, and cooperation with Payment Processors or other relevant parties.
You must notify us immediately if you become aware of unauthorised access, account compromise, API key exposure, webhook secret exposure, suspected fraud, or any security incident involving the Services.
22. Access and correction
You may request access to personal information we hold about you. You may also request that we correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
We may need to verify your identity before responding. We may refuse or limit access or correction where permitted by law, including where access would affect another person’s privacy, reveal sensitive security or fraud controls, prejudice an investigation, breach legal obligations, or be otherwise restricted by law.
If we refuse a request, we will explain the reason where required by law.
23. Deletion and account closure
You may request deletion of personal information or closure of your Account. We may not be able to delete all information immediately if we need to keep it for legal, tax, accounting, AML, sanctions, fraud prevention, security, Payment Processor, card network, dispute, chargeback, audit, or legitimate business purposes.
Closing an Account does not automatically remove historical transaction, compliance, tax, dispute, or risk records.
24. Your choices and controls
Depending on your location and applicable law, you may have rights to:
- access personal information;
- correct personal information;
- request deletion;
- object to certain processing;
- restrict certain processing;
- request data portability;
- withdraw consent;
- opt out of marketing;
- complain to Storrik or a regulator; and
- request information about automated decisions where required by law.
To exercise rights, contact us using the details in this Privacy Policy.
25. Children and minors
The Services are intended for businesses and users who can lawfully use payment and business services. We do not knowingly provide Accounts to children.
If we become aware that we have collected personal information from a child without appropriate authority or legal basis, we will take reasonable steps to delete or de-identify the information, unless we are required or permitted to retain it.
26. Merchant obligations for Customer data
If you are a Merchant, you are responsible for your own privacy obligations to Customers and other individuals whose personal information you provide to Storrik or process through the Services.
You must:
- provide all required privacy notices;
- obtain all required consents;
- ensure you have a lawful basis to collect and share Customer information with Storrik and Payment Processors;
- use Customer information lawfully;
- keep Customer information accurate where required;
- protect Customer information in your own systems;
- avoid sending unnecessary sensitive information to Storrik;
- comply with marketing, spam, cookie, consumer, and data protection laws; and
- respond to Customer privacy requests where you are responsible for doing so.
27. API, logs, and metadata
Merchants and developers may submit metadata, logs, customer references, order references, product information, webhook payloads, or other data through the Services.
You must not submit unnecessary sensitive personal information, full card numbers, CVVs, passwords, private keys, health information, government identifiers, or other highly sensitive information through metadata, logs, support messages, or free-text fields unless Storrik has specifically requested it through an approved method.
We may use API logs, request logs, webhook logs, and metadata to provide the Services, debug issues, prevent fraud, maintain security, respond to disputes, support compliance, and enforce our terms.
28. Payment Processor terms and privacy practices
Payment Processors and other third-party providers may handle personal information under their own terms and privacy policies. Their practices may differ from ours.
Where a Payment Processor independently determines how and why it handles personal information, it may be responsible for its own privacy obligations. Where required, you may need to provide Customers or business representatives with notices about Payment Processor handling of personal information.
29. Complaints
If you have a privacy complaint, contact us at privacy@storrik.com. Please include enough information for us to understand and investigate the issue.
We will respond within a reasonable time. If you are not satisfied with our response, you may be able to complain to the privacy regulator in your jurisdiction.
For Australia, you may contact the Office of the Australian Information Commissioner.
30. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes to our Services, legal requirements, Payment Processor requirements, technology, privacy practices, or business operations.
If a change is material, we will provide notice through the dashboard, website, email, or another appropriate method. The updated Privacy Policy applies from the date stated at the top of the policy or from another date we specify.
31. Additional notices
We may provide additional privacy notices for specific products, regions, onboarding steps, identity checks, payment flows, cookies, automated systems, or data processing arrangements. Those notices should be read together with this Privacy Policy.