Privacy Policy

Table of Contents

Personal Information We collect and hold

 

“Personal Information” is information or an opinion about an individual who can be identified, or is reasonably identifiable, whether the information is true or not; and whether the information or opinion is recorded in a material form or not.

The kinds of personal information we collect and hold include, but are not limited to:

  1. Identification and contact details information g. name, date of birth, postal and email address, mobile number;
  2. Financial information g. tax file number, bank account and credit card details, financial statements, superannuation, shareholding;
  3. Employment information g. employer name, occupation, industry;
  4. Device and app usage data e.g. session data, feature usage patterns, and app analytics collected through our platform and mobile application;
  5. Website activity data e.g. cookies and usage analytics collected through our public website and;
  6. Associated individuals of business customers, including directors, officers, ultimate beneficial owners (UBOs), authorised signatories, and personal guarantors, where collected in connection with customer onboarding, AML/CTF compliance, credit assessment, or ongoing monitoring obligations.

The Personal Information that we collect from you may include “Sensitive Personal Information”.

Sensitive Personal Information includes information identified under the Australian Privacy Act 1988 (the Act) as requiring special treatment or protection and may include, but is not limited to, racial or ethnic origin; political opinions; religious, philosophical, or other similar beliefs; membership of a trade union or profession or trade association; physical or mental health; biometric data; criminal record; or sexual orientation.

We do not collect, use, share or otherwise process Sensitive Personal Information unless you provide consent prior to the collection or it is permitted by law to do so, such as for example, compliance with applicable Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF laws).

Our services are designed for wholesale and business customers and are not intended for use by individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that personal information has been provided by a person under 18, we will take reasonable steps to delete such information as soon as practicable, unless we are required to retain it by law.

 

Personal Information We collect and hold

 

“Personal Information” is information or an opinion about an individual who can be identified, or is reasonably identifiable, whether the information is true or not; and whether the information or opinion is recorded in a material form or not.

The kinds of personal information we collect and hold include, but are not limited to:

  1. Identification and contact details information g. name, date of birth, postal and email address, mobile number;
  2. Financial information g. tax file number, bank account and credit card details, financial statements, superannuation, shareholding;
  3. Employment information g. employer name, occupation, industry;
  4. Device and app usage data e.g. session data, feature usage patterns, and app analytics collected through our platform and mobile application;
  5. Website activity data e.g. cookies and usage analytics collected through our public website and;
  6. Associated individuals of business customers, including directors, officers, ultimate beneficial owners (UBOs), authorised signatories, and personal guarantors, where collected in connection with customer onboarding, AML/CTF compliance, credit assessment, or ongoing monitoring obligations.

The Personal Information that we collect from you may include “Sensitive Personal Information”.

Sensitive Personal Information includes information identified under the Australian Privacy Act 1988 (the Act) as requiring special treatment or protection and may include, but is not limited to, racial or ethnic origin; political opinions; religious, philosophical, or other similar beliefs; membership of a trade union or profession or trade association; physical or mental health; biometric data; criminal record; or sexual orientation.

We do not collect, use, share or otherwise process Sensitive Personal Information unless you provide consent prior to the collection or it is permitted by law to do so, such as for example, compliance with applicable Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF laws).

Our services are designed for wholesale and business customers and are not intended for use by individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that personal information has been provided by a person under 18, we will take reasonable steps to delete such information as soon as practicable, unless we are required to retain it by law.

 

Government Related Identifiers

 

We do not use government-related identifiers as our own internal customer identifiers.

We do not adopt, use, or disclose government-related identifiers—such as Medicare numbers, tax file numbers (TFNs), driver’s licence numbers, or any identifier assigned by a government agency—unless we are legally required or permitted to do so under the Privacy Act 1988 (Cth).

We only collect or use these identifiers when necessary to verify your identity, to comply with Australian law, such as the AML/CTF laws or to fulfil obligations with government agencies or regulators.

 

Why we collect Personal Information

 

We collect Personal Information for reasons which are necessary to provide you with our products and/or services. These reasons include, but are not limited to:identity verification and authentication;

  1. providing you with information about our product or service and helping you to manage that product or service;
  2. checking to ensure that we can provide you with a product or service;
  3. assisting you with your applications, including when online applications are incomplete;
  4. processing your application;
  5. administration of your account;
  6. satisfying legal, regulatory, and other compliance requirements (including providing assistance to law enforcement, judicial, regulatory or other government agencies and statutory bodies), such as performing customer due-diligence checks to comply with our anti-money laundering obligations;
  7. market analysis and development;
  8. providing you with notices about our products or services, events or news that may be of interest to you, including through direct messages and advertisements;
  9. accessing and responding to your queries, feedback and requests;
  10. updating our records about you;
  11. if you are seeking employment or other appointment with us, to:
    1. verify your identity and qualifications as well as obtaining employment references; and
    2. carry out other activities related to the recruitment

 

We will not use your Personal Information for any purpose other than those for which we are permitted under applicable laws and regulations.

If you do not provide us with your Personal Information when requested, it may prevent us from being able to provide you with, or manage and administer, our products and/or services.

  1.  

How We Collect Personal Information

 

We only collect personal information about you directly from you unless it is unreasonable or impracticable to do so or you have instructed us to collect your personal information from someone else including third parties, including your agent, family or friends, or our affiliates.

Typically, we collect Personal Information from you when:

  • you visit or use our website;
  • fill out a form with us;
  • give us a call; and/or
  • send us an email or SMS;
 

We may collect Personal Information from third parties that we work with for the purposes of performing our Services and there are also other ways we collect your Personal Information, both directly and indirectly, through:

  1. receiving documents or information directly from your representative in relation to the services we provide;
  2. parties that we work with for the purposes of performing our Services, such as our marketing partners or other third-party services provider we utilise for purposes of the AML/CTF laws that require us to collect certain identification information about you;
  3. publicly available sources, including the internet and social media;
  4. third-party websites or applications or in connection with third-party services that have been integrated with our website or application by API or any other technologies or means; and
  5. cookies when you access our website;
 

At or before the time we collect your personal information (or as soon as practicable after), we will take reasonable steps to ensure you are notified of, or are otherwise aware of:

  1. our identity and contact details;
  2. the fact that we are collecting your personal information and, where applicable, the manner in which we are collecting it;
  3. the primary purpose for which we collect the information;
  4. any other purposes for which we collect, use, or disclose the information;
  5. whether we are likely to disclose the information to overseas recipients and, if practicable, the countries in which those recipients are located;
  6. the consequences for you if you choose not to provide the personal information, and whether any law requires you to provide the information.
 

Where we collect personal information about you from a third party (including from our Program Managers), we will take reasonable steps to notify you of the matters above as soon as practicable, to the extent that it is reasonable and practicable to do so.

We use cookies and other technologies to improve our Services. Cookies are small text file stored on your device that analyse user activity to improve our Service. These tools may collect information about how users interact with our services, including pages visited, device information, and usage patterns, and may involve third-party providers that process data on our behalf, potentially outside Australia.

Only when you use your computer to access our website can the cookies be sent to your computer hard drive. You can reset or disable your web browser to refuse all cookies. However, it is possible that when you do so, you may not be able to launch or use some functions of our website.

We recognise that onboarding may involve identity document scanning and biometric technologies (e.g. facial recognition). We may collect personal information from identity documents and, where applicable, biometric data such as facial images or comparison data. The collection and use of this information is governed by the Australian Privacy Principles.

We only collect and use this information where reasonably necessary for identity verification, legal compliance, or fraud prevention, and with consent where required. We apply strong safeguards, ensure third-party providers meet privacy standards, and retain information only as long as necessary before secure deletion or de-identification.

 

How We Use Personal Information

 

Because we offer a range of products and services, collecting your Personal Information allows us to provide you with the products and services you’ve asked for to enable us to, among others:

  • consider your request for products and services, including your eligibility;
  • provide you with information about our products and services;
  • process your application;
  • answer your requests and complaints;
  • vary products and services;
  • conduct market research; and
  • data analytics

 

Unsolicited Personal Information

 

Sometimes we get information we did not ask for. When this happens, we will check whether that information is reasonably necessary for our functions or activities. If it is, we will handle the information the same way we do with other information we collect from you. If not, we will ensure we destroy or de-identify the information.

 

Disclosure of Personal Information

 

We may disclose the Personal Information we collect from you where we need to do so in the course of providing any of our products or Services to you – we will ensure that your Personal Information is used in a way that is consistent with this Privacy Statement.

We may disclose your Personal Information with:

  1. our affiliates, partners and suppliers in connection with the provision of the products and Services to our Clients/Users;
  2. third-party service providers who provide services to us or who jointly with us, provide products or services to you, including but not limited to our authorised representatives, agents, vendors or suppliers, contractors payroll processing, technical, training, market research, call centre, security or other such services to us;
  3. your representative or agents who you have told us or who we are otherwise aware is acting on your behalf, or who introduces you to us, or who you have asked us to contact;
  4. in the event of an actual or prospective business asset or share purchase transaction (such as any merger, acquisition or asset sale), any business partner, prospective investor, assignee, or transferee for the purposes of facilitating such a transaction; and/or
  5. any relevant government regulators, statutory boards or authorities or law enforcement agencies as required or authorised by any laws, rules, guidelines, regulations or

In exceptional circumstances, we may also be required to disclose your Personal Information where there are grounds to believe that disclosure is necessary to prevent a threat to life or health, or for law enforcement purposes.

In some cases, we shall encrypt, anonymise or de-identify, or aggregate the information before sharing it. Anonymising and de-identifying means stripping the information of personally identifiable features. Aggregating means presenting the information in groups or segments e.g., age groups.

We may disclose Personal Information as part of executing payment transactions. This includes sharing data with beneficiary banks, correspondent banks, payment intermediaries, and payment networks (such as SWIFT and local clearing systems) to process and settle transactions. As an inherent feature of international payments, these networks may transmit personal information across jurisdictions.

We also use sanctions screening processes, which involve checking personal data against external watchlists (including OFAC, UN, and Australian sanctions lists). This may involve overseas processing where information may be transferred outside Australia. If any such events occur, we take reasonable steps to ensure such disclosures comply with applicable privacy laws and safeguards.

We may disclose personal information to fraud prevention agencies and, where appropriate, credit reference agencies as part of our KYC and AML/CTF obligations. This includes information used to verify identity, assess risk, and detect or prevent fraud or financial crime. These agencies may retain and use this information to conduct checks for other organisations, which may affect an individual’s ability to obtain financial products or services. We take reasonable steps to ensure such disclosures are necessary, proportionate, and handled in accordance with applicable privacy laws.

Where our customers are business entities, we may also collect and disclose personal information relating to associated individuals, including directors, officers, ultimate beneficial owners (UBOs), authorised signatories, and personal guarantors, to third-party service providers engaged for purposes including AML/CTF compliance, identity verification, and credit risk monitoring. This includes disclosure to providers such as National Credit Insurance (NCI), whose monitoring services may be used to assess the creditworthiness and financial standing of business customers on an ongoing basis. Where a customer is a sole trader, such monitoring will necessarily involve the personal information of that individual. By submitting an application or accepting our terms, the applicant warrants that it has obtained any necessary consent from such associated individuals for the collection and disclosure of their personal information in accordance with this Privacy Statement.

 

Overseas Disclosure

 

We may disclose your Personal Information to a recipient located overseas such as Malaysia, China, Hong

Kong or New Zealand for reasons described in this Privacy Statement or where we are compelled to do so by the relevant authorities of the jurisdictions in which we operate our business.

In the course of providing its services, personal information and transactional data may be stored, processed, or accessed using cloud-based infrastructure or software-as-a-service (SaaS) providers, including but not limited to providers such as Amazon Web Services (AWS) and Microsoft Azure. As a result, such data may be transferred to, or hosted in, jurisdictions outside Australia.

Before and at the time of disclosing your personal information to an overseas recipient, we will take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to that information. These steps may include one or more of the following:

  1. We will take reasonable steps under Australian Privacy Principle1 to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to your personal information. This may include entering into contractual arrangements requiring the overseas recipient to handle your personal information in accordance with the Australian Privacy Principles or equivalent standards;
  2. Reliance on an applicable exception under Australian Privacy Principle2, including where we are required to disclose your personal information to a foreign government authority or law enforcement agency in accordance with applicable law, including the Australian Transaction Reports and Analysis Centre (AUSTRAC), in order to comply with our obligations under the Anti Money Laundering and Counter Terrorism Financing Act 2006 (Cth). AUSTRAC may, as part of its statutory functions, share financial intelligence with overseas regulators and foreign Financial Intelligence Units (FIUs) under international information sharing arrangements and agreements. This may result in the transfer of information to jurisdictions outside Australia, which is outside our direct control; or
  3. We takes reasonable steps to ensure that any foreign service providers comply with standards equivalent to Australian privacy and data protection requirements, including through contractual safeguards, data security controls, and due diligence processes. We also implement appropriate technical and organisational measures to protect data held offshore, including encryption, access controls, and ongoing monitoring of service providers’ compliance.

Where we disclose your personal information to overseas recipients within our Corporate Alliance Group (including Hong Kong or New Zealand related entities), we have in place intra-group data sharing arrangements that require those entities to handle your personal information in accordance with standards consistent with the Australian Privacy Principles.

We disclose personal information to DayThree Business Services Sdn Bhd (DayThree), a business process outsourcing provider located in Malaysia, for the purpose of providing compliance services (including transaction monitoring and ongoing customer due diligence) and global support services (including client services and technical business analysis). The disclosure of personal information to DayThree is a disclosure to an overseas recipient under Australian Privacy Principle 8. Where we make such a disclosure, we remain accountable under section 16C of the Privacy Act 1988 (Cth) for any act or practice of DayThree that would breach the Australian Privacy Principles as if we had engaged in that act or practice ourselves. We take reasonable steps under Australian Privacy Principle 8.1 to ensure that DayThree does not handle your personal information in a manner inconsistent with the Australian Privacy Principles, including through written data processing agreements, security controls, and contractual audit rights.

We also engage personnel located in China who support our development functions and our compliance and global support functions. To the extent that those personnel access your personal information in the course of their work, China is an overseas recipient of that information, and the accountability and reasonable steps obligations described above in relation to overseas disclosures apply equally to that disclosure.

In addition, some of the technology, cloud, and artificial intelligence services we use (including in connection with our mobile application) may involve the processing of personal information by third-party providers located overseas. The countries in which those providers are located will be identified on our website and updated from time to time as those providers and their locations are confirmed.

In the event that there is a need for us to transfer your Personal Information to another country, we have safeguards in place and to ensure that the standard of data protection in the recipient country is comparable to Australia, or in certain circumstances, we may rely on allowable exceptions under the Act in relation to the disclosure of your Personal Information. You agree to the disclosure of your Personal Information to overseas entities when you accept and agree to this Privacy Statement in relation to accessing our products and Services.

 

Direct Marketing

 

By agreeing to this Privacy Statement, you agree that we may market and promote our products and Services to you or send you information which we believe may be of interest to you. In doing so, we may collect, use or share your Personal Information to, among others, our affiliates and service providers.

Where permitted by applicable law, we may also use Personal Information we collect from you without your consent if:

  1. it is not Sensitive Information; and
  2. you would reasonably expect us to use that Personal Information for the purposes of direct marketing; and
  3. we allow you to unsubscribe/opt-out of our direct marketing; and
  4. you have not already requested to opt-out of direct marketing from us.

 

If we contact you by telephone for direct marketing purposes, we will comply with the Do Not Call Register Act 2006 (Cth). You may opt out of our marketing emails – our emails will contain instructions describing how you can opt-out from the mailing list if you do not want to receive such marketing materials. You may register your phone number on the Do Not Call Register at www.donotcall.gov.au to opt out of receiving unsolicited telemarketing calls.

In addition to the provisions above, we comply with the Spam Act 2003 (Cth) in relation to all commercial electronic messages we send to you. This means:

  1. we will not send you unsolicited commercial electronic messages (including email, SMS, or MMS) without your consent;
  2. all commercial electronic messages we send will clearly identify us as the sender; and
  3. all commercial electronic messages will include a functional unsubscribe facility that you can use to opt out of receiving further messages.

 

Quality of Personal Information and Access to Correction

 

We will not be held liable or responsible for any loss, misuse or alteration of Personal Information that may be caused by third parties. The Personal Information collected and processed solely by the third party, independently from our processing activities are not subject to this Privacy Statement.

Sometimes our website contains links to other websites. When you access a website other than our website or Platform, we are not responsible for the privacy practices of that site. We recommend

that you review the privacy policies of each website you visit.

We implement and maintain appropriate technical, physical, and organisational measures to protect your personal information against unauthorised access, disclosure, alteration, loss, or destruction. These measures include:

  1. encryption of personal information both in transit and at rest;
  2. role-based access controls limiting access to personal information to those staff and contractors with a genuine operational need;
  3. physical security controls over premises and paper records;
  4. network security measures including firewalls, intrusion detection, and patch management;
  5. mandatory privacy and security training for all staff who handle personal information; 
  6. contractual requirements on third-party service providers who process personal information on our behalf, requiring equivalent security standards.

Whilst we take all reasonable steps to protect your personal information, the transmission of information over the internet is not completely secure. Any transmission of personal information to us over the internet is at your own risk. Once we have received your personal information, we will use the security measures described in this clause to protect it.

Third-party service providers who process personal information on our behalf are required to enter into written data processing agreements with us. These agreements must, as a minimum, require the third party to: process personal information only on our instructions; implement appropriate security measures; notify us of any data breach involving our customers’ personal information; and return or delete personal information at the conclusion of the engagement.

Where we become aware of a data security incident involving your personal information, we will take immediate steps to contain the incident and will notify you in accordance with our obligations under the Notifiable Data Breaches scheme.

Links on our website or platform to third-party websites are provided for your convenience only. We are not responsible for the privacy or security practices of those third-party websites. We encourage you to review the privacy policies of all websites you visit.

 

Security of Personal Information


We will not be held liable or responsible for any loss, misuse or alteration of Personal Information that may be caused by third parties. The Personal Information collected and processed solely by the third party, independently from our processing activities are not subject to this Privacy Statement.

Sometimes our website contains links to other websites. When you access a website other than our website or Platform, we are not responsible for the privacy practices of that site. We recommend

that you review the privacy policies of each website you visit.

 

We implement and maintain appropriate technical, physical, and organisational measures to protect your personal information against unauthorised access, disclosure, alteration, loss, or destruction. These measures include:

  1. encryption of personal information both in transit and at rest;
  2. role-based access controls limiting access to personal information to those staff and contractors with a genuine operational need;
  3. physical security controls over premises and paper records;
  4. network security measures including firewalls, intrusion detection, and patch management;
  5. mandatory privacy and security training for all staff who handle personal information; and
  6. contractual requirements on third-party service providers who process personal information on our behalf, requiring equivalent security standards.

 

Whilst we take all reasonable steps to protect your personal information, the transmission of information over the internet is not completely secure. Any transmission of personal information to us over the internet is at your own risk. Once we have received your personal information, we will use the security measures described in this clause to protect it.

Third-party service providers who process personal information on our behalf are required to enter into written data processing agreements with us. These agreements must, as a minimum, require the third party to: process personal information only on our instructions; implement appropriate security measures; notify us of any data breach involving our customers’ personal information; and return or delete personal information at the conclusion of the engagement.

Where we become aware of a data security incident involving your personal information, we will take immediate steps to contain the incident and will notify you in accordance with our obligations under the Notifiable Data Breaches scheme.

Links on our website or platform to third-party websites are provided for your convenience only. We are not responsible for the privacy or security practices of those third-party websites. We encourage you to review the privacy policies of all websites you visit.

 

Enquires and Complaints

 

We have a Complaints Handling Policy in place to manage and respond to privacy risks and issues. If you believe that we have breached this Privacy Statement, or any other applicable privacy law or data protection laws or regulations which may apply to us, please contact our Privacy and Complaints Officer – see contact details in Part 19.

Our Privacy and Complaints Officer will endeavour to resolve your complaint in a satisfactory and timely manner and in accordance with our Complaints Handling Policy. Our Privacy and Complaints Officer will generally try to resolve the complaint within 10 business days, but please allow up to one calendar month for us to investigate your complaint and return a written response detailing the resolution.

You also have the right to contact the Office of the Australian Information Commissioner directly at any time. Please refer to Part 19.

 

Retention and Destruction of Personal Information

 

We will retain your Personal Information for as long as necessary to fulfill the purpose for which it was collected, such as providing our products and services, or as required by applicable laws or regulations. This period may extend beyond the termination of our relationship with you.

As a regulated financial services entity, we are subject to minimum statutory retention periods. In particular:

  1. AML/CTF Act 2006 (Cth): We are required to retain records relating to customer identification (KYC), transactions, and correspondent banking relationships for a minimum retention period as set out in the legislation;
  2. Corporations Act 2001 (Cth): As an AFSL holder, we retain financial records and client records for a minimum retention period as set out in the legislation; and
  3. Other applicable laws: We may be required to retain your personal information for different or longer periods where required by taxation, superannuation, or other applicable legislation.

When your personal information is no longer required, we will take reasonable steps to destroy or de-identify it. Our destruction and de-identification methods include:

  1. for physical records: secure shredding or destruction;
  2. for digital records: secure deletion, overwriting, or physical destruction of storage media.

Where we are required by law to retain your personal information but it is no longer required for our operational purposes, we will restrict active access to that information and ensure it is only retained in a secure archival manner until the statutory retention period expires.

 

Profiling and Automated Decision-Making 

 

In providing our financial services, we may use automated processes to:

  • verify your identity and assess your eligibility to use our services, including by comparing identity documents against government databases and third-party verification services;
  • screen transactions for potential fraud, money laundering, terrorism financing, or other financial crime indicators, consistent with our AML/CTF obligations;
  • personalise our services and communications based on your transaction history and service usage; and
  • conduct risk assessments for the purpose of customer due diligence and ongoing monitoring.

 

Where an automated process makes a decision that significantly affects you (for example, a decision to decline a transaction, restrict your account, or terminate our services), we will notify you of that decision. You may request a manual review of any such decision by contacting our Privacy and Complaints Officer. Some automated decisions may take immediate effect (for example, blocking a transaction or temporarily restricting account access). Where this occurs, we will notify you and you may request a manual review by contacting our Privacy and Complaints Officer.

We may use personal information, including transaction data, to better understand customer behaviour, improve our products and services, and develop relevant features or offerings. This may involve analysing transaction patterns, volumes, and usage trends to support business decision-making, service optimisation, and customer segmentation.

In addition to AML/CTF-related monitoring, such processing may be used for commercial and operational purposes, including tailoring our services to better meet customer needs. We do not use this information for unsolicited direct marketing without consent where required. Any profiling activities are conducted in accordance with applicable privacy laws and are subject to appropriate safeguards.

 

Artificial Intelligence and Machine Learning

 

We may use artificial intelligence (AI) and machine learning (ML) tools to support the delivery and improvement of our services. This may include use of AI to:

  • detect fraud and financial crime patterns in transaction data;
  • improve the accuracy and speed of identity verification processes;
  • personalise our products, services, and communications; and
  • support our customer service operations.

We will always inform you when you are interacting with an AI-powered system rather than a human staff member.

Our use of AI and ML tools do not create fully automated decisions without a human review pathway being available. However, some automated decisions may take immediate effect pending that review. Where AI outputs are used to inform significant decisions about you, you may request human review by contacting our Privacy and Complaints Officer — see Part 19. Some AI tools may also involve processing by third-party technology providers, some of which may be located overseas. Details of any overseas processing involving artificial intelligence providers are set out in the Overseas Disclosure section (Part 8) of this Privacy Statement.

 

Obligations of Program Manager

 

Program Managers are required, as a condition of their appointment, to:

  1. handle personal information in compliance with this Privacy Statement and all applicable Australian Privacy Principles;
  2. not use or disclose personal information obtained through their role as a Program Manager for any purpose other than the performance of services for or on behalf of us;
  3. implement security measures for personal information;
  4. immediately notify us of any actual or suspected data breach involving personal information obtained in their capacity as a Program Manager; and
  5. return or securely destroy personal information upon termination of their appointment.

 

We remain responsible under the Privacy Act 1988 (Cth) for personal information collected, used, or disclosed by Program Managers in the course of their role on our behalf. If you have a complaint about the handling of your personal information by a Program Manager, please contact our Privacy and Complaints Officer.

 

Notifiable Data Breach

 

We are subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). This requires us to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when a data breach is likely to result in serious harm to any individual whose personal information is involved.

An ‘eligible data breach’ occurs when:

  1. there is unauthorised access to, or unauthorised disclosure of, personal information we hold; or personal information is lost in circumstances where unauthorised access to, or disclosure of, the information is likely to occur; and
  2. the breach is likely to result in serious harm to one or more individuals.

 

If we suspect an eligible data breach has occurred, we will promptly assess the suspected breach. If we determine, or reasonably believe, that an eligible data breach has occurred, we will:

  1. notify the OAIC as soon as practicable by lodging a statement in the form prescribed under the Act; and
  2. notify affected individuals as soon as practicable, in accordance with the Act, providing: a description of the breach; the kinds of personal information involved; recommendations for steps affected individuals should take; and our contact details.

 

We maintain data breach response procedures which sets out our internal procedures for assessing and responding to data breaches.

  1. If you become aware of, or suspect, a data breach involving your personal information held by us, please contact our Privacy and Complaints Officer immediately.

 

Mobile Application Data Collection and Third-Party Technologies

 

We use cookies and similar technologies in our mobile applications, to support functionality, analyse usage, and improve user experience. In our apps, this may include device identifiers (such as IDFA or GAID), analytics SDKs, and crash reporting tools. These technologies may be provided by third parties and may involve overseas data processing. These technologies may collect information such as device data, usage patterns, and technical diagnostics, and may operate through service providers located in Australia or overseas. Where these technologies involve the processing of personal information by service providers located overseas, that processing is subject to the Overseas Disclosure section (Part 8) of this Privacy Statement.

Where required, we will obtain consent for tracking (including via App Tracking Transparency on iOS). You can manage preferences via your device or browser settings. Our apps may also collect location data where reasonably necessary (e.g. for fraud prevention or regulatory compliance). We will only do so in accordance with applicable law and with appropriate user permissions.

The application may request certain device permissions (such as notifications, biometric authentication, or location access) where reasonably necessary for service delivery, security, or regulatory compliance. Any data collected through such technologies or permissions is handled in accordance with applicable privacy laws and used only for legitimate business purposes. We take reasonable steps to ensure that third-party providers handle personal information in line with appropriate privacy and security standards.

Our mobile application may support biometric authentication features such as Face ID or Touch ID to facilitate secure login. These features are provided and managed by your device’s operating system. We do not collect, access, or store your biometric information (such as facial data or fingerprints). Any biometric data used for authentication remains securely stored on your device and is not shared with us. You may choose to enable or disable biometric authentication at any time through your device settings.

 

How to Contact Us – Choosing to be Anonymous or Use a Pseudonym

 

Where possible and permissible under applicable laws, we will allow you to interact with us anonymously or using a pseudonym. For example, if you contact us with a general enquiry, we will not ask for your name unless we need it to adequately handle your enquiry. However, for most of our functions and activities and to comply with applicable AML/CTF laws and regulations, we usually need your name and contact information.

If you have any question or complaint about how we handle your Personal Information, you are welcome to contact us.

 

 

Mail

 

Privacy and Complaints Officer

Level 22, 8 Chifley Square, Sydney NSW Australia 2000

 

Email

 

compliance@cafx.com.au

 

If you feel that your complaint has not been resolved to your satisfaction, you may contact:

 

  • Australian Financial Complaints Authority (AFCA) – this is an external dispute resolution

scheme that is a free service established to provide you with an independent mechanism to resolve financial services complaints:

 

 

Online

 

www.afca.org.au

 

Email

 

info@afca.org.au

 

Phone

 

1800 931 678

 

Mail

 

GPO Box 3 Melbourne VIC 3001

 

 

  • Office of the Australian Information Commissioner:

 

 

Online

 

www.oaic.gov.au/privacy

 

Email

 

enquiries@oaic.gov.au

 

Phone

 

1300 363 992

 

Mail

 

GPO Box 5218 Sydney NSW 2001 or GPO Box 2999 Canberra ACT 2601

 

Contact Corporate Alliance

Australian Privacy Policy PDF: