Privacy Policy
Effective Date: 17 January 2026 | Last Updated: 20 January 2026
Wealthra Pty Ltd is committed to protecting your privacy and handling your personal information in accordance with Australian laws, including the Privacy Act 1988 (Cth) and the Consumer Data Right (CDR) framework.
1. Introduction
Wealthra Pty Ltd (ACN 693 425 393, "we", "us", or "our") operates a website and personal financial management application ("the Service") that assists users in managing their finances. We are committed to protecting your privacy and handling your personal information in accordance with Australian laws, including the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), as well as the Consumer Data Right (CDR) framework where applicable.
This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information, including any CDR data (such as banking information) obtained under Australia's open banking regime. If you are providing us with CDR data, this Policy also serves as our CDR Policy as required under Privacy Safeguard 1 of the CDR regime.
We are an Accredited Data Recipient (ADR) under the CDR framework, accredited by the ACCC to securely receive and handle CDR data from data holders (e.g., your bank) with your consent. CDR data includes information about your banking products, accounts, transactions, and related personal details.
By using our Service, you consent to the practices described in this Policy. If you do not agree, please do not use the Service.
2. What Personal Information Do We Collect?
We collect personal information that is reasonably necessary for our functions and activities. "Personal information" has the meaning given in the Privacy Act and includes sensitive information (e.g., financial details). Under the CDR, this may include "CDR data," which is data about you or your use of banking products that we receive from your data holder.
Types of information we may collect include:
Identification and Contact Details: Name, date of birth, address, email, phone number, and identification documents (e.g., for verification purposes).
Financial and Banking Information: Account details (e.g., account numbers, balances, transaction history), payment details, income, expenses, and credit information. This may include CDR data such as:
• Product details (e.g., interest rates, fees, features of loans, deposits, or credit cards).
• Account information (e.g., balances, authorisations like direct debits).
• Transaction data (e.g., dates, amounts, descriptions).
Device and Usage Data: IP address, browser type, device identifiers, location data (if enabled), and interaction data with our website or app (e.g., pages viewed, time spent).
Other Information: Preferences, feedback, or any information you provide voluntarily (e.g., via surveys or support queries).
We do not collect sensitive information (e.g., health data, racial origin) unless it is necessary and you consent, or as permitted by law.
3. How Do We Collect Your Personal Information?
We collect information:
Directly from You: When you register for an account, use the Service, provide consent for data sharing, or contact us.
Via Open Banking (CDR): With your explicit consent, we collect CDR data from your accredited data holder (e.g., bank) through secure APIs. We will only collect data for the purposes and duration you authorise, as displayed during the consent process.
From Third Parties: Such as credit reporting bodies (with your consent), service providers, or publicly available sources.
Automatically: Through cookies, analytics tools (e.g., Google Analytics), or device tracking on our website/app. You can manage cookie preferences via your browser settings.
We will notify you at or before the time of collection (or as soon as practicable) about our practices, unless an exception applies under the APPs or CDR Rules.
4. Purposes for Which We Use and Disclose Your Personal Information
We use and disclose your personal information only for the primary purposes for which it was collected, or for related secondary purposes you would reasonably expect, or with your consent, or as required/permitted by law.
Primary purposes include:
• Providing and improving the Service (e.g., budgeting tools, financial insights).
• Managing your account and responding to queries.
• Under CDR: Using CDR data to deliver personalised financial management features, such as transaction categorisation or spending analysis, strictly in line with your consent.
We may disclose information to:
• Service providers (e.g., cloud storage, IT support, analytics firms) who are bound by confidentiality and located in Australia or overseas (see Section 6).
• Your authorised representatives or joint account holders.
• Regulators (e.g., OAIC, ACCC) for compliance or audits.
• In de-identified form for research or analytics.
We will not use CDR data for direct marketing unless you explicitly consent and it is permitted under CDR Rules. We will not sell your data.
5. Consent Under CDR (Open Banking)
If you choose to share CDR data:
• We will seek your explicit, informed, voluntary, and time-limited consent via our app or website.
• The consent process will clearly state: what data is shared, how it will be used, who will access it, the duration (up to 12 months, or as specified), and how to manage/withdraw consent.
• You can view, amend, or withdraw consents at any time via our dashboard. Withdrawal will stop further collection/use, but we may retain data as required by law.
• We comply with CDR Privacy Safeguards, including deleting redundant data promptly after consent expiry.
6. Storage and Security of Your Personal Information
We take reasonable steps to protect your information from misuse, interference, loss, unauthorised access, modification, or disclosure.
Storage: Data is stored on secure servers in Australia. Under CDR Rules, we prioritise Australian storage for CDR data but may use overseas providers if they meet equivalent security standards (e.g., in the EU or US under binding agreements). We will disclose overseas recipients if required.
Security Measures: Encryption (e.g., AES-256 for data at rest/transit), access controls, firewalls, regular audits, and staff training. We comply with CDR information security requirements (e.g., Privacy Safeguard 12).
Retention: We retain information only as long as necessary for our purposes or as required by law (e.g., 7 years for financial records). CDR data is deleted or de-identified when no longer needed or upon consent withdrawal, per CDR Rules.
Data Breaches: If a data breach occurs that is likely to cause serious harm, we will notify you and the OAIC as required under the Notifiable Data Breaches scheme.
7. Access and Correction
You have the right to access the personal information we hold about you, subject to exceptions under the APPs or CDR Rules. Requests can be made via the contact details below. We will respond within a reasonable period (usually 30 days) and may charge a reasonable fee for access.
If information is inaccurate, outdated, or incomplete, you can request correction. We will correct it or provide a statement if we disagree.
For CDR data, you can also request access via your data holder's dashboard or our Service.
8. Complaints
If you believe we have breached your privacy or the CDR Rules, please contact us first at info@wealthra.io. We will investigate and respond within 30 days.
If unsatisfied, you can complain to:
• OAIC: www.oaic.gov.au or 1300 363 992.
• ACCC (for CDR matters): via their website, www.accc.gov.au.
9. Changes to This Policy
We may update this Policy to reflect changes in our practices or laws. Changes will be posted on our website with the updated effective date. Continued use of the Service constitutes acceptance.
10. Contact Us
For questions or requests: info@wealthra.io
For CDR-specific inquiries, visit our CDR dashboard in the app or contact us as above.