Privacy Policy - Amber

Current as from the 1st of July, 2019.

At Amber Labs Pty Ltd ABN 69 623 875 052, we are committed to protecting your privacy. This Privacy Policy describes our policies and practices in relation to how we collect, handle, store, use and disclose your personal information. It also deals with how you can complain about a breach of the privacy laws, how you can access the personal information we hold about you and how to have that information corrected.

At Amber Labs Pty Ltd ABN 69 623 875 052, we are committed to protecting your privacy. This Privacy Policy describes our policies and practices in relation to how we collect, handle, store, use and disclose your personal information. It also deals with how you can complain about a breach of the privacy laws, how you can access the personal information we hold about you and how to have that information corrected.

The Australia Privacy Principles

We will treat all personal information in accordance with any and all obligations that are binding upon us under the Privacy Act 1988 (Cth) (“Privacy Act”). The Privacy Act lays down 13 key principles in relation to the collection and treatment of personal information, which are called the “Australian Privacy Principles”.

How do we collect your personal information?

‘Personal information’ means any details about you, from which your identity is apparent or can be uncovered, including (but not limited to) your:

name and date of birth;

residential and business postal addresses, telephone/mobile/fax numbers and email addresses;

any information that you provided to us by you during your account creation process or added to your user profile;

bank account details;

preferences and password for using this site and your computer and connection information; and

any information that you otherwise share with us.

Generally, we collect your personal information directly from you through our website and mobile application by the following means:

When you sign up with us, we ask you for the information we need to provide you with our service and verify your identity. This can include your name, email address, and identity details e.g. your drivers’ licence. We will also ask you for your payment information.

If you link your financial accounts, we will collect account details and transactional information from those accounts. We will only collect and store your personal information from these accounts if it is contained in these accounts (e.g. if your name is in a transaction record).

Generally, we will not collect sensitive information about you unless we required to do so by law or unless you provide consent. Sensitive information includes information about your race or ethnicity, political opinions, religious beliefs, criminal record, sexual information, health or biometric information.

We may collect personal information about you from other people or organisations where it is not reasonable or practicable for us to collect the information directly from you. Examples of how we may do this include collecting your personal information from:

Our own records;

Organisations who help us verify your identity (such as Rapid ID or Fabric);

Other organisations, service providers or business partners who provide you with products or services along with us; and

People who refer you to us e.g. your friend may send us your name and contact information.

The purposes for which we manage your personal information

The main purpose for which we collect, store, use and disclose personal information is to provide our service.

Other purposes for which we do this include to:

Verify your identity which we may be required to do by the Anti-Money Laundering and Counter-Terrorism Act 2006 (Cth);

Provide you with information about ours products or services, or those of other organisations. If we send you marketing, we will always give you the option to unsubscribe at any time by notifying us that you wish to do so;

Perform internal functions such as administration, accounting and information technology system requirements;

Refer you to other organisations, service providers or business partners;

Comply with legal and regulatory requirements, and prevent fraud or crime; and

Help us improve our services, develop our products and conduct research.

We will communicate with you electronically unless you tell us that you do not wish to receive electronic communications. If you do not wish to receive electronic communications, we won’t be able to provide our service to you as it is an electronic service.

To whom will we disclose your personal information?

We may disclose personal information to:

Organisations who help us verify your identity (such as Vix Verify);

Our agents and contractors who supply services to us e.g. our data storage providers;

Other organisations, service providers or business partners whom we consider may provide services or products you would find useful. You may opt out of this service at any time by getting in contact with us;

Other companies in the event of a corporate sale, merger, reorganisation, dissolution or similar event;

Regulatory bodies, government agencies or law enforcement bodies; and

Anyone else to whom we are permitted to provide information by law.

We do not sell, trade, or rent your identifying personal information to others.

Only we will contact you unless you consent to someone else doing so e.g. if you consent to receivemarketing from another company.

We do not disclose your personal information to overseas recipients.

Aggregated information

We use the information we collect from our customers to create aggregated information. Aggregated information only contains anonymised personal account information or data; it does not contain information that could be used to identify you. Examples of aggregated information might include deidentified information about our customers, their responses to polls or questionnaires, or de-identified information about the transactions they make.

We may use, sell, license, redistribute and disclose de-identified, aggregated information to third parties such as to commercial and charitable organisations to allow them to understand the needs of their consumers, to plan their marketing and build strategic plans or for research purposes.

What if you don’t provide some personal information to us?

If you do not provide us with some or all of the personal information that we ask for, we may not be able to provide you with our services.

How do we store and protect your personal information?

Data that we collect about you may be stored or otherwise processed by third party services with data centres based outside the Australia and/or the European Union, such as Google Analytics, Microsoft Azure, Amazon Web Services, Apple, etc and online relationship management tools. We consider that the collection and such processing of this information is necessary to pursue our legitimate interests in a way that might reasonably be expected (eg, to analyse how you use our services, develop our services and grow our business) and which does not materially impact your rights, freedom or interests.

We require that all third parties that act as “data processors” for us provide sufficient guarantees and implement appropriate technical and organisational measures to secure your data, only process personal data for specified purposes and have committed themselves to confidentiality.

We are committed to maintaining the confidentiality of the information that you provide us and we will take all reasonable precautions to protect your personal information from unauthorised use or alteration. In our business, personal information may be stored both electronically (on our computer systems and with our website hosting provider) and in hard-copy form. Firewalls, anti-virus software and email filters, as well as passwords, protect all of our electronic information. Likewise, we take all reasonable measures to ensure the security of hard-copy information.

We keep your personal information only for as long as is reasonably necessary for the purpose for which it was collected, which is generally only as long as you are a customer of ours, then we delete your personal information. We keep de-identified and aggregated information for as long as we may need it.

GDPR

We welcome the General Data Protection Regulation (“GDPR”) of the European Union (“EU”) as an important step forward in streamlining data protection globally. Although we do not operate an establishment within the EU and do not target any offering of services towards clients in the EU specifically, we intend to comply with the data handling regime laid out in the GDPR in respect of any personal information of data subjects in the EU that we may obtain.

GDPR rights

The requirements of the GDPR are broadly similar to those set out in the Privacy Act and include thefollowing rights:

you are entitled to request details of the information that we hold about you and how we process it. For EU residents, we will provide this information for no fee;

you may also have a right to:

have that information rectified or deleted;

restrict our processing of that information;

stop unauthorised transfers of your personal information to a third party;

in some circumstances, have that information transferred to another organisation;

lodge a complaint in relation to our processing of your personal information with a local supervisory authority; and

where we rely upon your consent as our legal basis for collecting and processing your data, you may withdraw that consent at any time.

If you object to the processing of your personal information, or if you have provided your consent to processing and you later choose to withdraw it, we will respect that choice in accordance with our legal obligations. However, please be aware that:

such objection or withdrawal of consent could mean that we are unable to provide our services to you, and could unduly prevent us from legitimately providing our services to other clients subject to appropriate confidentiality protections; and

even after you have chosen to withdraw your consent, we may be able to continue to keep and process your personal information to the extent required or otherwise permitted by law, in particular:

to pursue our legitimate interests in a way that might reasonably be expected as part of running our business and which does not materially impact on your rights, freedoms or interests; and

in exercising and defending our legal rights and meeting our legal and regulatory obligations.

What about your financial information?

You pay for our service through a secure service and we will not collect or store the payment information( e.g. credit card or bank account number) that you give us for payment.

What information does our website and app collect?

Anonymous data – We collect anonymous information about the use of our website and mobile app, e.g. our service provider logs your server address when you browse our website, as well as the date and time of your visit, the pages and links accessed and the type of browser used or our mobile app may log your location. We do not use this information to identify you personally (except in exceptional circumstances e.g. fraud or cyberattack) and we use this information for statistical purposes, to improve the content and functionality of our service, and to better understand our users. However, we may disclose your IP address to regulatory bodies, government agencies or law enforcement bodies (including AUSTRAC).

Cookies – In order to collect this data we may use “cookies”. Cookies are small pieces of information which are sent to your browser and stored on your computer’s hard drive. Sometimes they identify users where the website requires information to be retained from one page to the next. This is purely to increase the functionality of the site. Cookies by themselves cannot be used to discover the identity ofthe user except they may collect your IP address and we may disclose this to bodies as discussed above .Cookies do not damage your computer and you can set your browser to notify you when you receive a cookie so that you can decide if you want to accept it.

Information you post on our website - Information you send to us by posting to a forum or blog is stored on our servers. We do not specifically use that information except to allow it to be read.

Other information you provide through our website or app – We will collect the personal information that you provide to us through our website or app.

Third party advertising - Third parties may advertise on our web site. In doing so, those parties, their agents or other companies working for them may use technology that automatically collects your IP address when they send an advertisement that appears on our site to your browser. They may also use other technology such as cookies or JavaScript to personalise the content of, and to measure the performance of their adverts. We do not have control over these technologies or the data that these parties obtain. Accordingly, this privacy notice does not cover the information practices of these third parties.

How can you check, update or change the personal information we are holding?

You have the right to:

Request access to your personal information and to ask us to correct or erase it;

Request us to restrict the way we manage your personal information, e.g. if you dispute its correctness;

Request us to transfer your data to another entity; and

Object to us managing your personal information at any time, e.g., you may withdraw any consent you have given us about how we manage and use your personal information. This does not invalidate any earlier permitted use we have made of your information.

If you wish to access or correct your personal information please write to us by email at the contact details shown below.

Upon receipt of your written request and enough information to allow us to identify the information, we will disclose to you the personal information we hold about you. We will also correct, amend or delete any personal information that we agree is inaccurate, irrelevant, out of date or incomplete.

We do not charge for receiving a request for access to personal information or for complying with a correction request.

In some limited cases, we may need to refuse access or a request for correction. We will advise you as soon as possible if this is the case and the reasons for our refusal.

Compliance with the Australian Anti-Encryption Bill

The laws have recently changed here in Australia to compel companies to share data with intelligence agencies or build in data sharing mechanisms which will report directly to the Australian Government. While we endeavor to protect your data and our platform from vulnerabilities wherever possible, we can’t break the law, nor can we tell you when your data may be at risk due to the orders of the Government. By using our platform or website, you expressly exclude us from any liability which arises from sharing data or building data sharing mechanisms (including ‘back-doors’ and vulnerabilities) at the direction of Australian Government and its agencies.

What happens if you want to complain?

If you have any concerns about whether we have complied with the Privacy Act 1988 (Cth), the Australian Privacy Principles, or this Privacy Policy, please write to us using the contact details shown below.

Your complaint will be considered by us through our internal complaints resolution process and we will try to respond with a decision within 30 days of you making the complaint.

If your complaint is not resolved, you may refer it to the Office of the Australian Information Commissioner who can be contacted by phone at 1300 363 992, by email at [email protected], by post at GPO Box 5218, Sydney NSW 2001 or you can go to www.oaic.gov.au.

If your complaint reasonably requires us to contact a third party, we may need to give some of theinformation contained in your complaint to that party.

Updating this Privacy Policy

We may update this Privacy Policy at any time by publishing it on our website.

Tell us what you think

We welcome your questions and comments about privacy.

Contact us

Contact us for requests for access and alterations, concerns or complaints or questions and comments at [email protected] or PO Box 8318, Woolloongabba, QLD, 4102.

Privacy Policy - Fabric

Current as from the 1st of July, 2019.

At Fabric Corporation Pty Ltd ABN 14 615 495 808, we are committed to protecting your privacy. This Privacy Policy describes our policies and practices in relation to how we collect, handle, store, use and disclose your personal information. It also deals with how you can complain about a breach of the privacy laws, how you can access the personal information we hold about you and how to have that information corrected.

This Privacy Policy forms part of, and is subject to the provisions of, our Terms of Use.

The Australia Privacy Principles

We will treat all personal information in accordance with any and all obligations that are binding upon us under the Privacy Act 1988 (Cth) (“Privacy Act”). The Privacy Act lays down 13 key principles in relation to the collection and treatment of personal information, which are called the “Australian Privacy Principles”.

The Platform

Our platform provides you with a range of functions, including giving access to the financial data in your bank accounts to businesses that are providing services to you on a permissioned basis (i.e. with your consent).

For example, if you are making an application with a financial institution or a fintech business, you can use our platform to share your financial data from your bank accounts and you can ask us to share it with that business so you can streamline the application e.g. to help them identify you or to help them understand your financial situation.

As another example, if you sign up for a round-up service which saves or invests the round-up of your transactions, you can use our platform to identify from your bank accounts, the amounts that need to be rounded up. In this privacy policy, we call these businesses who collaborate with us to provide you their services along with our platform, our partners.

We store the personal and financial information that we collect, so that when you sign up with a financial institutions and fintech business and give them permissioned access to this information, we will supply it to them on your behalf. If we have verified your identity, you can also ask us to give that information to a bank or other businesses who need to verify your identity, so you don’t need to provide identification to them yourself.

How do we collect your personal information?

‘Personal information’ means any details about you, from which your identity is apparent or can be uncovered, including (but not limited to) your:

name and date of birth;

residential and business postal addresses, telephone/mobile/fax numbers and email addresses;

any information that you provided to us by you during your account creation process or added to your user profile;

bank account details;

preferences and password for using this site and your computer and connection information; and

any information that you otherwise share with us.

Generally, we collect your personal information directly from you, when you set up an account with us through our platform.

When you sign up with us, we ask you for the information we need to give you access to our platform and verify your identity. This can include your name, phone number, email address, address, date of birth, and identity information e.g. your drivers’ licence or passport information. We will also ask you for your banking credentials (see below).

If you provide us with your banking credentials, e.g. customer number and password, we will collect and store that information in an encrypted form. Those stored credentials then enable you to link your bank accounts to the Fabric platform, and subsequently give permissioned access to the data to the service providers and institutions you wish to give access to. You, as the owner of this data, will have the option to give permission to service providers to aggregate data, verify identity and also perform transactions to a specific limit – it’s all decided by you.

We will collect a range of information from your bank accounts including account information, transactional information, and personal information e.g. any personal information in your bank accounts. We may use your bank account information to verify your identity. We will have daily access to the information in your bank accounts until you revoke it.

Generally, we will not collect sensitive information about you unless we are required to do so by law or unless you provide consent. Sensitive information includes information about your race or ethnicity, political opinions, religious beliefs, criminal record, sexual information, health or biometric information.

We may collect personal information about you from other people or organisations where it is not reasonable or practicable for us to collect the information directly from you. Examples of how we may do this include collecting your personal information from:

Your bank accounts, as explained above;

Our own records;

Organisations who help us verify your identity; and

Our partners e.g. any financial institution or other business that provides you a service using our platform.

The purposes for which we manage your personal information

The main purpose for which we collect, store, use and disclose your personal information is to provide data to the people you give us permission to share it with and also to allow transactions to be performed if you elect to allow partners and service providers to perform them using our platform. We allow service providers to embed parts of our platform into their customer experience so that when they ask you for information, you can give them permission to access your personal information, or link to your bank account or to conduct transactions from your account.

Other purposes for which we do this include to:

Verify your identity which we or a partner may be required to do by the Anti-Money Laundering and Counter-Terrorism Act 2006 (Cth);

Provide you with information about our platform, or the products and services of other organisations. If we send you marketing, we will always give you the option to unsubscribe at any time by notifying us that you wish to do so;

Perform internal functions such as administration, accounting and information technology system requirements;

Refer you to partners;

Comply with legal and regulatory requirements, and prevent fraud or crime; and

Help us improve our platform, develop our products and conduct research.

You can restrict the purposes for which your personal information can be used, as well as which information of yours can be used or shared, by reviewing your privacy settings on the platform.

We will communicate with you electronically unless you tell us that you do not wish to receive electronic communications. If you do not wish to receive electronic communications, we won’t be able to provide our platform to you as it is electronic.

To whom will we disclose your personal information?

We only share your personal information, transaction history, preferences and financial information with our partners if you give us permission to e.g. if you want to use a round-up service, you can ask us to supply information about the transactions in your bank account. Depending on your privacy setting, partners may be able to view your personal information, copy and store it. However, we will only allow them to view, use, copy and store your personal information for the purposes expressly provided by you in your privacy settings. We may from time to time ask you to set or reset these settings.

We may disclose personal information to:

Organisations and service providers who help us verify your identity or to partners who want to verify your identity;

Our agents and contractors who supply services to us e.g. our data storage providers;

Other organisations, service providers or businesses whom we consider may provide services or products you would find useful. You may opt out of this service at any time by getting in contact with us;

Other companies in the event of a corporate sale, merger, reorganisation, dissolution or similar event;

Regulatory bodies, government agencies or law enforcement bodies; and

Anyone else to whom we are permitted to provide information by law.

We do not sell, trade, licence or rent your identifying personal information to others. We will not allow any partners to sell, trade, licence or rent any of your identifying personal information to anyone else.

We do not disclose your personal information to overseas recipients.

Aggregated information

We may use the information we collect from you to create aggregated information. Aggregated information only contains anonymised personal account information or data; it does not contain information that could be used to identify you. Examples of aggregated information might include de-identified information about our users, or de-identified information about the transactions they make.

We may use, sell, license, redistribute and disclose de-identified, aggregated information to service partners and to others to allow them to research and understand buying and transactional trends and patterns.

What if you don’t provide some personal information to us?

If you do not provide us with some or all of the personal information that we ask for, we may not be able to provide you with our technology.

How do we store and protect your personal information?

Data that we collect about you may be stored or otherwise processed by third party services with data centres based outside the Australia and/or the European Union, such as Google Analytics, Microsoft Azure, Amazon Web Services, Apple, etc and online relationship management tools. We consider that the collection and such processing of this information is necessary to pursue our legitimate interests in a way that might reasonably be expected (eg, to analyse how you use our services, develop our services and grow our business) and which does not materially impact your rights, freedom or interests.

We require that all third parties that act as “data processors” for us provide sufficient guarantees and implement appropriate technical and organisational measures to secure your data, only process personal data for specified purposes and have committed themselves to confidentiality.

We are committed to maintaining the confidentiality of the information that you provide us and we will take all reasonable precautions to protect your personal information from unauthorised use or alteration. In our business, personal information may be stored both electronically (on our computer systems and with our website hosting provider) and in hard-copy form. Firewalls, anti-virus software and email filters, as well as passwords, protect all of our electronic information. Likewise, we take all reasonable measures to ensure the security of hard-copy information.

We keep your personal information only for as long as is reasonably necessary for the purpose for which it was collected, which is generally only as long as you are a user of the platform, then we delete your personal information. We keep de-identified and aggregated information for as long as we may need it.

GDPR

We welcome the General Data Protection Regulation (“GDPR”) of the European Union (“EU”) as an important step forward in streamlining data protection globally. Although we do not operate an establishment within the EU and do not target any offering of services towards clients in the EU specifically, we intend to comply with the data handling regime laid out in the GDPR in respect of any personal information of data subjects in the EU that we may obtain.

GDPR rights

The requirements of the GDPR are broadly similar to those set out in the Privacy Act and include the following rights:

you are entitled to request details of the information that we hold about you and how we process it. For EU residents, we will provide this information for no fee;

you may also have a right to:

have that information rectified or deleted;

restrict our processing of that information;

stop unauthorised transfers of your personal information to a third party;

in some circumstances, have that information transferred to another organisation;

lodge a complaint in relation to our processing of your personal information with a local supervisory authority; and

where we rely upon your consent as our legal basis for collecting and processing your data, you may withdraw that consent at any time.

If you object to the processing of your personal information, or if you have provided your consent to processing and you later choose to withdraw it, we will respect that choice in accordance with our legal obligations. However, please be aware that:

such objection or withdrawal of consent could mean that we are unable to provide our services to you, and could unduly prevent us from legitimately providing our services to other clients subject to appropriate confidentiality protections; and

even after you have chosen to withdraw your consent, we may be able to continue to keep and process your personal information to the extent required or otherwise permitted by law, in particular:

to pursue our legitimate interests in a way that might reasonably be expected as part of running our business and which does not materially impact on your rights, freedoms or interests; and

in exercising and defending our legal rights and meeting our legal and regulatory obligations.

What information does our website and app collect?

Anonymous data – We collect anonymous information about the use of our website and mobile app, e.g. our service provider logs your server address when you browse our website, as well as the date and time of your visit, the pages and links accessed and the type of browser used or our mobile app may log your location. We do not use this information to identify you personally (except in exceptional circumstances e.g. fraud or cyberattack) and we use this information for statistical purposes, to improve the content and functionality of our service, and to better understand our users. However, we may disclose your IP address to regulatory bodies, government agencies or law enforcement bodies (including AUSTRAC).

Cookies – In order to collect this data we may use “cookies”. Cookies are small pieces of information which are sent to your browser and stored on your computer’s hard drive. Sometimes they identify users where the website requires information to be retained from one page to the next. This is purely to increase the functionality of the site. Cookies by themselves cannot be used to discover the identity ofthe user except they may collect your IP address and we may disclose this to bodies as discussed above .Cookies do not damage your computer and you can set your browser to notify you when you receive a cookie so that you can decide if you want to accept it.

Information you post on our website - Information you send to us by posting to a forum or blog is stored on our servers. We do not specifically use that information except to allow it to be read.

Other information you provide through our website or app – We will collect the personal information that you provide to us through our website or app.

Third party advertising - Third parties may advertise on our web site. In doing so, those parties, their agents or other companies working for them may use technology that automatically collects your IP address when they send an advertisement that appears on our site to your browser. They may also use other technology such as cookies or JavaScript to personalise the content of, and to measure the performance of their adverts. We do not have control over these technologies or the data that these parties obtain. Accordingly, this privacy notice does not cover the information practices of these third parties.

How can you check, update or change the personal information we are holding?

You have the right to:

Request access to your personal information and to ask us to correct or erase it;

Request us to restrict the way we manage your personal information, e.g. if you dispute its correctness;

Request us to transfer your data to another entity; and

Object to us managing your personal information at any time, e.g., you may withdraw any consent you have given us about how we manage and use your personal information. This does not invalidate any earlier permitted use we have made of your information.

If you wish to access or correct your personal information please write to us by email at the contact details shown below.

Upon receipt of your written request and enough information to allow us to identify the information, we will disclose to you the personal information we hold about you. We will also correct, amend or delete any personal information that we agree is inaccurate, irrelevant, out of date or incomplete.

We do not charge for receiving a request for access to personal information or for complying with a correction request.

In some limited cases, we may need to refuse access or a request for correction. We will advise you as soon as possible if this is the case and the reasons for our refusal.

Compliance with the Australian Anti-Encryption Bill

The laws have recently changed here in Australia to compel companies to share data with intelligence agencies or build in data sharing mechanisms which will report directly to the Australian Government. While we endeavor to protect your data and our platform from vulnerabilities wherever possible, we can’t break the law, nor can we tell you when your data may be at risk due to the orders of the Government. By using our platform or website, you expressly exclude us from any liability which arises from sharing data or building data sharing mechanisms (including ‘back-doors’ and vulnerabilities) at the direction of Australian Government and its agencies.

What happens if you want to complain?

If you have any concerns about whether we have complied with the Privacy Act 1988 (Cth), the Australian Privacy Principles, or this Privacy Policy, please write to us using the contact details shown below.

Your complaint will be considered by us through our internal complaints resolution process and we will try to respond with a decision within 30 days of you making the complaint.

If your complaint is not resolved, you may refer it to the Office of the Australian Information Commissioner who can be contacted by phone at 1300 363 992, by email at [email protected], by post at GPO Box 5218, Sydney NSW 2001 or you can go to www.oaic.gov.au.

If your complaint reasonably requires us to contact a third party, we may need to give some of theinformation contained in your complaint to that party.

Updating this Privacy Policy

We may update this Privacy Policy at any time by publishing it on our website.

Tell us what you think

We welcome your questions and comments about privacy.

Contact us

Contact us for requests for access and alterations, concerns or complaints or questions and comments at [email protected] or PO Box 8318, Woolloongabba, QLD, 4102.

Last Updated: 17th December 2018

3442-2281-5244, v. 1