CREDIT INFORMATION PRIVACY MANAGEMENT POLICY

Including Statement of Notifiable Matters and More Information

Cash Lab, Australian Credit Licence No: 390571.

Please read this document BEFORE you provide Cash Lab with ANY personal information in connection with applying for a loan from us. If you provide us with this personal information, we will assume that you have followed this instruction and that you have read and understood this Policy.

SECTION A

INTRODUCTION

1. Introduction

1.1 This document is the Privacy Statement of Cash Lab ABN: 67 595 859 152 ("Cash Lab, we or us").

1.2 The purpose of this Privacy Statement is to tell you how we collect, use, hold, disclose and protect your Personal Information.

1.3 Please refer to Cash Lab' Credit Reporting Statement for information about how we manage your Personal Information collected in connection with a credit application or facility.

1.4 We act to protect your Personal Information in accordance with the Australian Privacy Principles ("APP") and the Privacy Act 1988 (Cth) (together "Privacy Laws").

1.5 Please always check the privacy policy page on our website regularly for amendments and updates to our Privacy Statement and Credit Reporting Statement.

1.6 This Privacy Statement does not cover information that you submit on other websites, even if we communicate with you on those sites. For example, if contact us via Instagram, Facebook, Pinterest, Twitter, or YouTube, that information is governed by the privacy policies on those websites and is not governed by this Privacy Statement.

SECTION B

INFORMATION WE MAY COLLECT

2. What is Personal Information?

2.1 Personal Information is any information or opinion about you that is capable, or reasonably capable, of identifying you, whether the information or opinion is true or not and is recorded in material form or not. Personal Information includes Sensitive Information.

2.2 Sensitive Information includes such things as your racial or ethnic origin, political opinions or membership of political associations, religious or philosophical beliefs, membership of a professional or trade association or trade union, sexual orientation or criminal record, that is also personal information. Your health, genetic and biometric information and biometric templates are also Sensitive Information.

2.3 We only collect Sensitive Information about you if we obtain prior consent to the collection of the information or if the collection is required or authorised by law.

2.4 What Kind of Personal Information Do We Collect and Hold?

2.5 The Personal Information we collect and hold generally includes or consists of:

  • identification information such as your name, postal or email address, telephone numbers and date of birth;
  • other contact details such as social media handles;
  • your tax file number and tax residency status;
  • financial and transactional information;
  • health and biometric information (where permitted);
  • information about how you interact with us when you use our website (such as device information - which browser you use and your operating system language, your location or activity including IP address and geolocation data based on the GPS of your mobile device (when accessing our services) and whether you've accessed third party sites); and
  • other information we think is necessary.

2.6 Over the course of our relationship with you, we may collect and hold additional pieces of Personal Information about you, including transactional information, account or policy information, complaint or enquiries about your product or service.

2.7 We are required by law to identify you if you are opening a new account or adding a new signatory to an existing account. The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) ("Anti-Money Laundering Laws") require us to sight and record details of certain documents (i.e. photographic and non-photographic documents) in order to meet the standards set under those laws.

SECTION C

CONSENT

3. Consent

3.1 In most cases, before or at the time of collecting your Personal Information, we obtain your consent for the purposes for which we intend to use and disclose your Personal Information.

3.2 If you don't give us consent, we may not be able to provide you with the products or services you want. This is because we are required to collect this Personal Information to provide you with the products or services.

4. Withdrawing Consent

4.1 Having provided consent, you are able to withdraw it at any time. To withdraw consent, please contact us. Please note that withdrawing your consent may lead to us no longer being able to provide you with the product or service you enjoy given that, as mentioned above, it is impracticable for us to treat some customers differently.

SECTION D

WHEN AND HOW WE COLLECT PERSONAL INFORMATION

5. How Do We Collect Personal Information?

5.1 We collect most Personal Information about you directly from you whether in person, over the phone or electronically. For example:

  • when you apply for, register your interest in or enquire about a product or service;
  • when you provide us with feedback or make a complaint;
  • when you visit our website or social media channels;
  • when you complete a form on our website;
  • when you talk to us or do business with us; and
  • when you subscribe to our newsletter.

5.2 We may collect Personal Information about you from others, such as from:

  • service providers;
  • agents;
  • advisors;
  • employers; or
  • friends/family members.

5.3 We may take steps to verify the information we collect for example, a birth certificate provided as identification may be verified with records held by the Registry of Births, Deaths and Marriages to protect against impersonation, or we may verify with an employer that employment and remuneration information provided in an application for credit is accurate.

6. Do We Collect Information Electronically?

6.1 We may collect information from you electronically through internet browsing on our websites.

6.2 Each time you visit our websites, we may collect information about you which may include Personal Information (which is de-identified) and may include the following:

  • the date and time of visits;
  • the pages viewed and your browsing behaviour;
  • how you navigate through the site and interact with pages (including fields completed in forms and applications completed);
  • general location information;
  • information about the device used to visit our website (including your tablet or mobile device) such as device IDs; and
  • IP addresses.

6.3 We collect information using cookies when you use our website. Cookies are small pieces of information stored on your hard drive or in memory. One of the reasons for using cookies is to offer you increased security. They can also record information about your visit to our websites, allowing us to remember you the next time you visit and provide a more meaningful experience.

6.4 We may also collect information from third party websites, applications or platforms containing our interactive content or that interface with our own website such as Google Analytics.

6.5 We may collect Personal Information about you from social media platforms if you publicly comment. We NEVER ask you to supply Personal Information publicly over any social media platforms that we use. We may, invite you to send your details to us via private messaging, for example, to answer a question about your account. You may also be invited to share your Personal Information through secure channels to participate in other activities, such as online competitions.

7. How Do We Deal With Unsolicited Personal Information?

7.1 If we receive Personal Information that is not solicited by us, we only retain it, if we determine that it is reasonably necessary for one or more of our functions or activities and that you have consented to the information being collected or given the absence of your consent that it was impracticable or unreasonable for us to obtain it under the circumstances.

7.2 If these conditions are not met, we destroy or de-identify the information.

7.3 If such unsolicited information is Sensitive Information, we obtain your consent to retain it regardless of what the circumstances are.

SECTION E

PURPOSES FOR COLLECTING, USING AND DISCLOSING PERSONAL INFORMATION

8. Why Do We Collect, Use and Disclose Your Personal Information?

8.1 We collect, use and disclose your Personal Information so we can:

  • consider your request for products and services, including your eligibility;
  • process your application and provide you with the products and services;
  • provide information on other products and services offered by or through us;
  • confirm your identity;
  • manage our relationship with you;
  • complying with our legal obligations;
  • monitor and evaluate products and services;
  • gather and aggregate information for statistical, prudential, actuarial and research purposes;
  • assist you with queries; and
  • take measures to detect and prevent fraud.

8.2 We may not be able to provide you with the products or services you are seeking if you provide incomplete or inaccurate information.

SECTION F

INTEGRITY OF YOUR INFORMATION

9. Quality of Information

9.1 We ensure that the Personal Information we collect, use or disclose is accurate, up to date, complete and relevant.

9.2 Please contact us if any of the details you have provided to us change or if you believe that the information we have about you is not accurate or up to date.

9.3 We may also take steps to update information we hold, for example, an address, by collecting Personal Information from publicly available sources such as telephone directories or electoral rolls.

10. How Do We Protect and Hold Your Personal Information?

10.1 We are committed to ensuring that we protect any Personal Information we hold from misuse, interference, loss, unauthorised access, modification and disclosure.

10.2 For this purpose, we have a range of practices and policies in place to provide a robust security environment. We ensure the on-going adequacy of these measures by regularly reviewing them.

10.3 We have the following security measures in place to protect against misuse, loss and alteration of Personal Information under our control. Our security measures include, but are not limited to:

  • educating our staff as to their obligations with regard to your personal information;
  • requiring our staff to use passwords when accessing our systems;
  • encrypting data sent from your computer to our systems during Internet transactions and customer access codes transmitted across networks;
  • employing firewalls, intrusion detection systems and virus scanning tools to protect against unauthorised persons and viruses from entering our systems;
  • using dedicated secure networks or encryption when we transmit electronic data for purposes of outsourcing;
  • providing secure storage for physical records; and
  • employing physical and electronic means such as alarms, cameras and guards (as required) to protect against unauthorised access to buildings.

10.4 Where Personal Information we hold is identified as no longer needed for any purpose, we ensure it is effectively and securely destroyed, for example, by shredding or pulping in the case of paper records or by degaussing (demagnetise of the medium using alternating electric currents) and other means in the case of electronic records and equipment.

10.5 The Personal Information retained by us could include transactional and financial information along with contact details. The Personal Information does include the records that have been stored on the secure server. Where we retain adequate records for legal and accounting purposes, the Personal Information is stored and held securely in controlled facilities.

SECTION G

DISCLOSURE OF PERSONAL INFORMATION

11. Who Do We Share Your Personal Information With?

11.1 We may share your Personal Information with third parties to help deliver or support the provision of products or services to you.

11.2 In all circumstances where your Personal Information may become known to our contractors, agents and outsourced service providers, there are confidentiality arrangements in place. Contractors, agents and outsourced service providers are not able to use or disclose Personal Information for any purposes other than our own.

11.3 We take our obligations to protect your Personal Information very seriously we make every effort to deal only with parties who share and demonstrate the same attitude.

11.4 Depending on the product or service you have, the entities we exchange your Personal Information with include but are not limited to:

  • brokers and agents;
  • affiliated product and service providers and external product and service providers for whom we act as agent (so that they may provide you with the product or service you seek or in which you have expressed an interest);
  • auditors we appoint to ensure the integrity of our operations;
  • any person acting on your behalf, including your solicitor, settlement agent, accountant, executor, administrator, trustee or guardian;
  • your referee (to confirm details about you);
  • if required or authorised to do so, regulatory bodies and government agencies;
  • credit reporting bodies;
  • debt collectors;
  • insurers, including proposed insurers and insurance reference agencies (where we are considering whether to accept a proposal of insurance from you and, if so, on what terms);
  • medical practitioners (to verify or clarify, if necessary, any health information you may provide);
  • other financial institutions and organisations at their request if you seek credit from them (so that they may assess whether to offer you credit);
  • investors, advisers, trustees and ratings agencies where credit facilities and receivables are pooled and sold (securitised);
  • other organisations who in conjunction with us provide products and services (so that they may provide their products and services to you); and
  • professional associations or organisations with whom we conduct an affinity relationship (to verify your membership of those associations or organisations).

11.5 We may also disclose your Personal Information to others where:

  • we are required to disclose information by law e.g. under court orders or statutory notices pursuant to taxation or social security laws or under laws relating to sanctions, anti-money laundering or counter-terrorism financing;
  • you may have expressly consented to the disclosure or your consent may be reasonably inferred from the circumstances; or
  • we are otherwise permitted to disclose the information under applicable Privacy Laws.

12. Do We Disclose Your Personal Information Overseas?

12.1 We may utilise overseas service providers for some of our activities. These service providers may be located in:

  • India;
  • Philippines;

12.2 We only disclose your Personal Information when permitted to do so by the Privacy Act and after we ensure that:

  • the overseas recipient does not breach the APPs; or
  • you are able to take action to enforce the protection of a law or binding scheme that has the effect of protecting the information in a way that is at least substantially similar to the way in which the APPs protect the information; or
  • you have consented to the disclosure after we expressly informed you that there is no guarantee that the overseas recipient does not breach the APPs; or
  • the disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order.

12.3 We may store your Personal Information in cloud-based software or other types of networked or electronic systems. As electronic or networked systems can be accessed from various countries via an internet connection, it's not always practicable to know in which country your Personal Information may be held. If your Personal Information is stored in this way, disclosures may occur in countries other than those listed.

12.4 Overseas organisations may be required to disclose information we share with them under a foreign law. In those instances, we are not responsible for that disclosure.

13. Do We Use or Disclose Your Personal Information for Direct Marketing?

13.1 We only use or disclose the Personal information we hold about you for the purpose of direct marketing if we have received the Personal Information from you and you have not requested not to receive such information.

13.2 Direct marketing includes, but is not limited to, contacting our clients to provide you with information on our products and services that may interest you.

13.3 If you wish to opt-out of receiving marketing information altogether, you can:

  • call us on admin@cashlab.com.au and
  • write to us at 6/401 Great Eastern Highway, Midland ,WA 6056

13.4 In direct marketing communication we always inform you of your right to opt out of receiving direct marketing communications.

SECTION H

ACCESS TO AND CORRECTION OF YOUR PERSONAL INFORMATION

14. How Can You Access Your Personal Information?

14.1 You can request us to provide you with access to the Personal Information we hold about you.

14.2 Requests for access to limited amounts of Personal Information, such as checking to see what address or telephone number we have recorded, can generally be handled over the telephone.

14.3 Following receipt of your request, we provide you with an estimate of the access charge and confirm that you want to proceed.

14.4 We do not charge you for making the request for access, however access charges may apply to cover our costs in locating, collating and explaining the information you requested. The charges are based on a rate of $120 per hour.

14.5 We do respond to your request as soon as possible and in the manner requested by you. We endeavour to comply with your request within fourteen (14) days of its receipt but, if that deadline cannot be met owing to exceptional circumstances, your request is dealt with within thirty (30) days. It helps us provide access if you can tell us what you are looking for.

14.6 Your identity is confirmed before access is provided.

15. Can We Refuse to Give Access?

15.1 In particular circumstances we are permitted by law to deny your request for access or limit the access we provide. We let you know why your request is denied or limited if this is the case. For example, we are not required to give you access where giving you access to your Personal Information would pose a serious threat to any person's life, health or safety or giving access would be unlawful or where we reasonably conclude your request to be frivolous or vexatious.

15.2 If we refuse to give access to the Personal Information or to give access in the manner requested by you, we will give you a written notice setting out the reasons for the refusal, the mechanisms available to complain and any other relevant matter.

16. Correction

16.1 We are committed to and do take all reasonable steps in respect of maintaining accurate, timely, relevant, complete and appropriate information about our clients, website users and other people that we deal with in our business.

16.2 We correct all Personal information that we believe to be inaccurate, out of date, incomplete, irrelevant or misleading given the purpose for which that information is held or if you request us to correct the information.

16.3 If we correct your Personal Information that we previously disclosed to another APP entity you can request us to notify the other APP entity of the correction. Following such a request, we will give that notification unless it is impracticable or unlawful to do so.

16.4 We respond to any requests for correction within a reasonable time of receipt of the request. A reasonable time period is no longer than thirty (30) days after the request being received.

17. Refusal to Correct Information

17.1 If we refuse to correct the Personal Information as requested by you, we give you a written notice setting out the reasons for the refusal. Such reasons set out the grounds for refusal, the mechanisms available to complain and any other relevant matter.

18. Request to Associate a Statement

18.1 If we refuse to correct the Personal Information as requested by you, you can request us to associate with the information a statement that the information is inaccurate, out of date, incomplete, irrelevant or misleading. We will then associate the statement in such a way that makes the statement apparent to users of the information.

SECTION I

NOTIFIABLE DATA BREACHES

19. Notifiable Data Breaches Scheme

19.1 From February 2018, the Privacy Act includes a new Notifiable Data Breaches ("NDB") scheme which requires us to notify you and the Office of the Australian Information Commissioner ("OAIC") of certain data breaches that is likely to result in serious harm to affected individuals and provide recommendations of steps you can take to limit the impacts of the breach.

19.2 If we believe there has been a data breach that impacts your Personal Information and creates a likely risk of serious harm, we notify you and the OAIC as soon as practicable and keep in close contact with you about the nature of the breach, the steps we are taking and what you can do to reduce the impacts to your privacy.

19.3 If you believe that any Personal Information we hold about you has been impacted by a data breach, you can contact us using the contact details set out as per clause 21 below.

SECTION J

MAKING A PRIVACY COMPLAINT

20. Complaints

20.1 We offer a free internal complaint resolution scheme to all of our customers. Should you have a privacy complaint, please contact us to discuss your concerns. Our contact details set out as per clause 21 below.

20.2 To assist us in helping you, we ask you to follow a simple three-step process:

  • gather all supporting documents relating to the complaint;
  • contact us and we review your situation and if possible, resolve your complaint immediately; and
  • if the matter is not resolved to your satisfaction, please contact our Directors/Compliance Officer on (08) 9250 3074 or put your complaint in writing and send it to Cash Lab, 6/401 Great Eastern Highway, Midland, WA 6056.

20.3 We rectify any breach if the complaint is justified and take necessary steps to resolve the issue.

20.4 In certain situations, to deal with a complaint it may be necessary to consult with third parties. However, please note any disclosure of Personal Information to third parties is provided with your authority and consent.

20.5 After a complaint has been received, we send you a written notice of acknowledgement setting out the process. The complaint is investigated, and the decision is sent to you within thirty (30) days unless you have agreed to a longer time. If a complaint cannot be resolved within the agreed time frame or a decision could not be made within thirty (30) days of receipt, a notification is sent out to you setting out the reasons and specifying a new date when you can expect a decision or resolution.

20.6 If you are not satisfied with our internal privacy practices or the outcome in respect to complaint, you may approach the OAIC with your complaint:

  • Office of the Australian Information Commissioner
  • Address: GPO Box 5218, Sydney NSW 2001
  • Phone: 1300 363 992
  • Email: pfmidland@cashlab.com.au
  • Website: oaic.gov.au

SECTION K

CONTACT US

21. Contact Details

21.1 If you have any questions or would like further information about our privacy, credit reporting and information handling practices, please contact us by:

  • Email: pfmidland@cashlab.com.au or
  • Phone: (08) 9250 3074; or
  • Post: 6/401 Great Eastern Highway, Midland, WA 6056