This Is the Verifier CDR Policy

Effective date: 13 September 2024

What we do

We provide services to our customers, using personal data collected securely, and in accordance with the rules defined by the Consumer Data Right (CDR).

This policy tells you how we handle and manage your personal data under the CDR law.

About CDR

The CDR gives you control over personal data and enables you to send that data to others – to help you obtain their products or services. For example, you may choose to share data held by one of your current service providers (perhaps your bank) with another financial institution if you are applying for a loan from that institution.

Under the CDR, the collection and use of your personal data, and who it is shared with, are subject to your full consent, knowledge and control.

Collecting your personal data

With your consent, we may collect the following classes of data:

  • Name, occupation, contact details

    • Name

    • Occupation

    • Phone

    • Email address

    • Mail address

    • Residential address

  • Account Information

    • Name of account

    • Type of account

    • Account number

    • Account balance

  • Transaction Details

    • Incoming & outgoing transactions

    • Amounts

    • Dates

    • Descriptions of transactions

    • Who you have sent money to and received money from (e.g. their name, BSB, account number)

  • Concessions and assistance

    • Concession type

    • Concession Information

  • Account and plan details

    • Account and plan information

    • Account type

    • Fees, features, rates and discounts

    • Additional account users

  • Billing payments and history

    • Account balance

    • Payment method

    • Payment status

    • Charges, discounts, credits

    • Billing date

    • Usage for billing period

    • Payment date

    • Invoice number

  • Electricity connection and meter

    • National Meter Identifier (NMI)

    • Supply address

    • Customer type

    • Connection point details

    • Meter details

    • Associated service providers

  • Energy generation and storage

    • Generation information

    • Generation or storage device type

    • Device characteristics

    • Devices that can operate without the grid

    • Energy conversion information

  • Electricity usage

    • Usage

    • Meter details

You’re in the driver’s seat

You can review your consent, and a summary of your data we obtained from your nominated accounts in our secure dashboard, which you can access via our website: www.verifier.me

You can also withdraw your consent, at any time until it expires, by using our secure dashboard. If you do withdraw your consent for us to collect your data, we will not be able to continue to provide you with our services.

What we do with your personal banking data

With your consent, we may use your data:

  • to categorise that data and enrich it to generate useful insights, and to give us assurance that our algorithms used to do that are operating correctly (this is a one-time use for up to 4 days);

  • in some cases, to format it and provide you the ability to download it;

  • for our internal research purposes to help us improve our services (this is a use for up to 3 months).

You can also withdraw your consent, at any time before it expires, by using our secure dashboard. If you do withdraw your consent for us to use your data, we will not be able to continue to provide you with our services.

Who we may share your personal banking data with

With your consent:

  • we share only the insights we create from your personal data with a person who is not accredited in accordance with the CDR law. We will not share any account balances or individual transactions with a non-accredited person, and

  • we share the insights we create with a person who is accredited in accordance with the CDR law. We may also share account balances and individual transactions with an accredited person.

We will:

  • not sell your personal (identified) data to anyone

  • not share your personal (identified) data with any third party without your consent

  • with your consent, de-identify your data when the consent you have given us to use your personal data has expired.

When we ask for your consent to collect your personal banking data, you can elect to consent to us either de-identifying your data, or deleting your data, when we no longer need it.

If you have given us your consent to de-identify your data when we no longer need it, you can withdraw that consent at any time before the consent expires by using our secure dashboard. If you withdraw your consent to de-identify your data, we will treat this as your election to delete your data instead, and we will delete your data when we no longer need it.

To delete data, we remove all of your records (except those records we are required by law to keep) from our databases and systems and permanently destroy them.

What we do with your de-identified data

When we de-identify your data, we do so by removing your name and other identifying information, leaving only a reference to the type of transaction, so there is no record left of you (except those records we are required by law to keep). We will include your de-identified data in the set of data that we use for general research.

Once we have de-identified your data and added it to our data set, you will not be able to ask us to delete it.

We may disclose de-identified data to our lender customers, who will use it to help them understand nuances and relevant patterns in the data. We do not sell any de-identified data.

What we do with your personal energy data

We do not currently use personal energy data we collect. Instead, with your consent, we collect the data and disclose it to a recipient who is named in the consent process. If at a later date we do intend to use personal energy data we collect, we will ask for your consent to the proposed use during the consent process.

Who we may share your personal energy data with

With your consent:

  • when it is permitted under the CDR law, we may share your personal energy data with a person who is not accredited in accordance with the CDR law, or

  • we may also share your personal energy data with a person who is accredited in accordance with the CDR law.

We will not:

  • sell your personal (identified) data to anyone, or

  • share your personal (identified) data with any third party without your consent.

When we ask for your consent to collect your personal energy data, we will inform you that we will delete your data when we no longer need it, because we have a general policy of deleting personal energy data when it becomes redundant. Because we have a general policy of deleting redundant personal energy data, you do not need to elect for us to delete your data.

To delete data, we remove all of your records from our databases and systems and permanently destroy them.

Our outsourced service providers

To enable us to provide our services, we use an Australian-based, trusted third-party service provider, Basiq Pty Ltd, based in Manly, New South Wales. We use Basiq’s CDR Connect platform to collect CDR banking data, and to enrich that data. Basiq is accredited in accordance with the CDR law. Basiq has access to your CDR banking data it collects for us.

In addition, Basiq uses a third-party service provider, Basiq.io DOO, which provides various technical support services in relation to Basiq’s CDR Connect platform. Basiq.io DOO is based in Serbia and is not accredited in accordance with the CDR law. When necessary to provide its technical support services, Basiq.io DOO has access to CDR banking data collected for us.

We also use Amazon Web Services to host our infrastructure and platform. Amazon Web Services is not accredited in accordance with the CDR law and does not have access to either your CDR banking data or your CDR energy data.

We hold all your data securely

Your data is stored in Australia. We have administrative, technical and physical safeguards designed to ensure the security, confidentiality and integrity of your data.

If a security breach occurs, we:

  • contain the breach promptly

  • investigate and assess the circumstances of the breach, and the risks and potential harm to affected customers

  • take action to reduce any risks of harm to affected consumers

  • if required by law, notify the Australian Information Commissioner. If the breach is one that we are not required by law to notify to the Commissioner under the Notifiable Data Breach law, we may voluntarily notify the Commissioner of that breach

  • consider what actions we can take to prevent security breaches in the future.

Events we will notify you about

When the following events occur, we will notify you:

  • if a security breach occurs that is an eligible breach under the Notifiable Data Breach law, and you are affected by that security breach,

  • when you give us your consent to collect, use, or disclose your CDR data, or you withdraw such a consent,

  • when we collect your CDR data,

  • when we disclose your CDR data to an accredited person within the meaning of the CDR law,

  • as required to comply with our ongoing notification requirements under the CDR law with respect to consents you give us (including expiry of such consents) – for example, if you have given us an ongoing consent to collect your CDR data we will notify you at least every 90 days that your consent is still current, and

  • if you ask us to correct your CDR data, when we respond to your request.

Accessing and correcting your data (or any other data about you)

If you think that any data we hold about you is incorrect, you can ask us to correct it by contacting us using the contact details below. Once we have assessed your request, we will tell you what we did in response to your request, any corrective action or comments. If you are not satisfied with our response, you may make a complaint to us.

How to contact us

If you are not satisfied in any way, please tell us so that we can try to resolve your concern promptly.

You can contact us:

We will respond to you as soon as is reasonably practical after you contact us.

Resolving concerns

You can make a complaint to us at any time. For the purpose of resolving your complaint we may ask for your personal information, including your name, contact information and the details of your complaint.

If you make a complaint, we will try to resolve it as promptly as possible. Remedies that may be available to resolve a dispute may include, for example:

  • an explanation of the circumstances giving rise to the complaint,

  • an apology,

  • providing assistance and support,

  • correcting incorrect or out-of-date data, and

  • undertaking to set in place improvements to systems, procedures or products.

We will:

  • acknowledge receipt of your complaint as soon as reasonably practical, but no later than 1 business day after we receive your complaint.

  • resolve your complaint within 45 days (although our aim is to resolve it as promptly as possible)

  • contact you by phone or email to notify you of the outcome

If you are not satisfied with the outcome, you may lodge a complaint with the Australian Financial Complaints Authority.

Online: www.afca.org.au

Email: info@afca.org.au

Phone: 1800 931 678

Mail: Australian Financial Complaints Authority

GPO Box 3

Melbourne, VIC 3001

You may also make a complaint to the Office of the Australian Information Commissioner, by using the online complaint form:

https://forms.oaic.gov.au/forms/complaint

A hardcopy of this policy can be obtained by emailing contact@verifier.me