When you trust Alex Bank Pty Ltd (ABN 13 627 244 848, Australian Financial Services Licence and Australian Credit Licence 510805) and its related bodies corporate (Alex, we, us or our) with your personal information, you expect us to protect it and keep it safe.
We are bound by the Privacy Act 1988 (Cth) (Privacy Act) and will protect your personal information in accordance with the Australian Privacy Principles set out in the Privacy Act. The Australian Privacy Principles govern how we can collect, use, hold and disclose your personal information, as well as ensuring the quality and security of your personal information.
About this policy
Here are a few principles to keep in mind as you read through this policy:
- From time to time we may collect personal information about you that is ‘sensitive information’, collection of which is restricted to circumstances where we have obtained your express consent and to other permitted situations under law. Please carefully read the section “What kinds of personal information do we collect and hold?” to understand what kind of information this includes.
- If you would like more information about how we protect your privacy, please contact us using the details below:
Email – you can email us at firstname.lastname@example.org; or
Phone – you can call us on 13 ALEX.
Credit Reporting Policy
Our Credit Reporting Policy is here. This policy provides information on our management of your credit information and contains information about:
- how you may access the credit eligibility information we hold about you;
- how you can seek to correct the credit related information we hold about you; and
- how you may complain about a failure by us to comply with privacy law, including the Privacy (Credit Reporting Code) 2014 v 2.1.
What is personal information?
“Personal information” includes any information or opinion, about an identified individual or an individual who can be reasonably identified from their information. The information or opinion will still be personal information whether it is true or not and regardless of whether we have kept a record of it. Personal information includes sensitive information and credit reporting information which are subject to additional protections under the Privacy Act.
What kinds of personal information do we collect and hold?
The personal information that we seek to collect about you will depend on the products or services that we provide. If you do not allow us to collect all of the information we request, we may not be able to deliver those products and services to you.
Personal information that we collect may include (but is not limited to) the following:
- residential address
- contact details (including email and telephone numbers)
- date of birth
- tax file number (if we are authorised to collect it and if you choose to supply it)
- transaction data that we receive from credit reporting bodies
- credit information
Throughout the life of any product or service you obtain from us, we may also collect and hold additional personal information about you and your use of our product or service. This could include transaction information or records of queries or complaints you make.
From time to time, the personal information we collect may include sensitive information. This may include health information required to assess any financial hardship status relevant to your credit application, as well as any relevant information about your religion, racial or ethnic origin, political opinions, criminal record, sexual orientation and biometric information (including photo and video identification). We only collect this sort of information if it is necessary to provide you with a specific product or service and you have consented to that collection. For example, we may collect financial hardship information and identity document information about you to process a credit application or collect voice biometric information to verify your identity and authorise transactions.
Credit information that we may collect can include identification information, consumer credit liability information, repayment history information, financial hardship information, default information, court proceeding information, personal insolvency information, publicly available information, information relating to an individual's credit worthiness and information about a serious credit infringement.
You do not have to provide us with any personal information. However, if you do not do so, this may limit our ability to fulfil the applicable purpose for collection and the assistance we are able to provide you. For example, we may not be able to consider or process an application you have made, or provide a product or service you have requested.
How do we collect personal information?
We collect personal information from existing and prospective customers, consumers and other individuals for the purposes set out in this policy.
We may collect personal information from you in the following ways:
- through your access to and use of our website and mobile applications, including when you register with us or apply for our products or services;
- through our interactions with you (for example through customer support or our conversations with you via telephone, emails or other messages you send to us online); or
- otherwise in the course of your dealings with us.
We may also collect personal information about you indirectly from other people or organisations. This may happen without your direct involvement. For instance, we may collect personal information about you from third party sources, including:
- our affiliates and related bodies corporate;
- publicly available sources of information, such as public registers;
- your authorised representatives (including your legal adviser, mortgage broker, financial adviser, executor, administrator, guardian, trustee, or attorney);
- your employer;
- other organisations, who jointly with us, provide products or services to you;
- third party organisations such as credit reporting agencies;
- commercial information service providers, such as companies that provide fraud prevention reports; and
- law enforcement agencies and government entities.
Purposes for which we collect, hold, use and disclose personal information
We collect, use, hold and disclose personal information mainly for the following purposes:
- to identify and communicate with you;
- to check whether you are eligible for the product or service;
- to assist you where online applications are not completed;
- to collect and process payments;
- to provide you with requested information, products or services;
- to help us manage and enhance our products or services;
- to personalise and customise your experiences on our website and apps;
- to manage and administer any account you may hold with us;
- to help us manage our business operations;
- for any other purpose communicated to you at or around the time we collect your personal information; or
- as we believe to be necessary or appropriate to:
  - comply with legislative or regulatory requirements;
  - respond to requests from public and government authorities; or
  - protect the rights, property or safety of us, our customers or third parties in any jurisdiction, prevent fraud, crime or other activity that may cause harm in relation to our products or services.
As permitted by applicable law, we may also use your information for marketing and promotional purposes. See ‘Do we use or disclose personal information for marketing?’ below for more details.
What laws require or authorise us to collect personal information?
We are required or authorised to collect:
- certain identification information about you by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No.1);
- your Tax File Number, if you choose to provide it, by the Income Tax Assessment Act 1936 (Cth); and
- if you have applied for credit or provide a guarantee, certain information about your financial position under the National Consumer Credit Protection Act 2009 (Cth), and if you give us a mortgage security, certain identification information under property laws in some states and territories.
How do we hold personal information?
We will take active steps to ensure that the personal information we hold is accurate, up-to-date and complete. We will remind you from time-to-time to keep personal information up-to-date and will update our records promptly.
Much of the information we hold about you will be stored electronically in secure data centres which are located in Australia and owned by either Alex or external service providers. Information that we collect may from time to time be stored, processed in or transferred between parties located in countries outside of Australia. See the “Do we disclose personal information overseas?” section below for more detail.
Some information we hold about you will be stored in paper files. We use a range of physical and electronic security measures to protect the security of the personal information we hold and protect it from misuse, interference, loss and unauthorised access, modification and disclosure. For example:
- access to information systems is controlled through identity and access management;
- employees are bound by internal information security policies and are required to keep information secure; and
- we regularly monitor and review our compliance with internal policies and industry best practice.
We take reasonable steps to destroy or permanently de-identify any personal information after it can no longer be used for the purposes for which it was collected.
Who do we disclose your personal information to, and why?
We may share your personal information with our related bodies corporate and other companies within the Alex group of entities.
The third parties we may disclose your personal information to include:
- our agents, contractors and external service providers (for example, mailing houses and technology service providers);
- authorised representatives and credit representatives who sell products and services on our behalf;
- payment systems operators (for example, merchants receiving card payments);
- other organisations, who jointly with us, provide products or services to you;
- other financial services organisations, including banks, superannuation funds, stockbrokers, custodial, funds managers and portfolio service providers;
- debt collectors;
- our financial advisers, legal advisers or auditors;
- your representatives (including your legal adviser, accountant, mortgage broker, financial adviser, executor, administrator, guardian, trustee, or attorney);
- credit reporting agencies or similar bodies for verification of your identity, other regulatory requirements and in accordance with our Credit Reporting Policy;
- fraud bureaus or other organisations to identify, investigate or prevent fraud or other misconduct;
- external dispute resolution schemes; and
- regulatory bodies, government agencies and law enforcement bodies in any jurisdiction.
We may also disclose your personal information to others outside Alex where:
- we are required or authorised by law to do so;
- you may have expressly consented to the disclosure or the consent may be reasonably inferred from the circumstances;
- we are otherwise permitted to disclose the information under the Privacy Act; or
- there is a change of control in our business or a sale or transfer of business assets, in which case we reserve the right to transfer to the extent permissible at law our user databases, together with any personal information and non-personal information contained in those databases. This information may be disclosed to a potential purchaser under an agreement to maintain confidentiality. We would seek to only disclose information in good faith and as reasonably required.
Do we disclose personal information overseas?
We may disclose your personal information including your credit information or credit eligibility information to a recipient which is located outside Australia. In particular, your personal information including your credit information or credit eligibility information may be disclosed to third parties located in the United States, Hong Kong, Singapore, Taiwan, Finland, Belgium, Ireland, Chile, Hungary and the Netherlands. This includes information which we are legally required to store such as personal identification information for anti-money laundering and counter-terrorism financing laws, and our Australian Credit Licensing responsibilities in relation to your loans.
Before we disclose any personal information including any credit information or credit eligibility information to an overseas recipient, we will make sure that all personal information is controlled and protected by the recipient in a way that is equivalent to the protections provided under the Australian Privacy Principles.
Do we use or disclose personal information for marketing?
As permitted by applicable law, we may send you, from time to time, information about us or about products or services that we believe may be of interest to you, including advertising and promotional material relating to Alex, our related entities or our preferred suppliers by means of mail, telephone and electronic messaging (such as email and SMS messages).
We will use your personal information to offer you products and services we believe may interest you. These products and services may be offered by a member of the Alex Group or one of its preferred suppliers. We may offer you products and services on an ongoing basis and by various means, including by mail, telephone, email, SMS or other electronic means such as through social media or targeted advertising via Alex Group or non-Alex Group websites. We may also disclose your personal information to companies outside the Alex Group who assist us to market products and services to you. When we market products and services to you, we will comply with applicable privacy and anti-spam laws to obtain your consent if required. If you don’t want to receive marketing offers from us, you may choose to unsubscribe by contacting us or choosing the option to opt-out when you receive the marketing offer.
Along with the Australian Privacy Principles, we will comply with the Spam Act 2003 (Cth) as well as the Do Not Call Register Act 2006 (Cth) in undertaking all marketing activities.
Do we collect personal information electronically?
Alex and other third party service providers (such as Google Analytics) may also use digital technologies such as data analytics, cookies, server logs, cloud service logs and web beacons in connection with Alex’s website and other online services to collect information from you electronically.
Each time you visit our website, we collect information about your use of the website, which may include the following:
- The date and time of visits;
- Which pages are viewed;
- How users navigate through the site and interact with pages (including fields completed in forms and applications completed);
- Location information about users;
- Information about the device used to visit our website; and
- IP addresses.
Access to and correction of personal information
Alex will take reasonable steps to make sure that the personal information we collect, use or disclose is accurate, complete and up to date.
You may request access to and correction of the personal information we hold about you. To do so, please contact us using the contact information set out above.
At your request, Alex will provide you with a copy of any personal information which we hold about you, unless an exception under the Privacy Act or other applicable legislation applies which means we are not required or permitted to provide you with that information.
If we correct personal information which has been disclosed to us by another person or organisation, you may also request for us to notify that other person or organisation of the correction.
There is no fee payable for requesting to correct your personal information or for us to make corrections. However, in processing your request for access to your personal information, a reasonable cost may be charged. This charge covers such things as locating the information and supplying it to you.
We will respond to any request for access or correction within a reasonable period after the request is made. Access to personal information will be given in the format requested by you, given it is reasonable and practicable for us to do so.
Resolving your privacy concerns and complaints – your rights
If you are concerned about how your personal information is being handled or if you have a complaint about a breach by us of the Australian Privacy Principles, please contact us using the details provided in the “Access to and correction of personal information” section above.
We will acknowledge your complaint as soon as we can after receipt of your complaint and will let you know if we need any further information from you to resolve your complaint.
We aim to resolve complaints as quickly as possible. While we strive to resolve complaints within five business days, some complaints take longer to resolve. If your complaint is taking longer to resolve, we will let you know what is happening and a date by which you can reasonably expect a response.
If you are unhappy with our response, there are other bodies you can go to.
Australian Financial Complaints Authority
The Australian Financial Complaints Authority (AFCA) can consider most privacy complaints involving providers of financial services. AFCA can be contacted at:
GPO Box 3
Melbourne VIC 3001
Office of the Australian Information Commissioner
Under the Privacy Act you may complain to the Office of the Australian Information Commissioner (OAIC) about the way we handle your personal information. The Commissioner can be contacted at:
GPO Box 5218
Sydney NSW 2001
1300 363 992
Notifiable Data Breaches
The Privacy Act now includes a Notifiable Data Breaches (NDB) scheme which requires us to notify you and the OAIC of certain data breaches and recommend steps you can take to limit the impacts of a breach (for example, a password change).
The NDB scheme requires us to notify about a data breach that is likely to result in serious harm to affected individuals. There are exceptions where notification is not required. For example, where we have already taken appropriate remedial action that removes the risk of serious harm to any individuals.
If we believe there has been a data breach that impacts your personal information and creates a likely risk of serious harm, we will notify you and the OAIC as soon as practicable and keep in close contact with you about the nature of the breach, the steps we are taking and what you can do to reduce the impacts to your privacy.
If you believe that any personal information we hold about you has been impacted by a data breach, you can contact us using the contact details on the front page of this policy.