CONSUMER DATA RIGHT POLICY
version 1.2
In this Consumer Data Right Policy “we”, “us”, “our” or “Waave” means Waave Technologies Pty Ltd (ABN 60 642 784 030). Waave offers a new way to pay and is powered by Open Banking.
The Consumer Data Right (“CDR”) aims to provide Australian consumers with choice and control over how their data is used and disclosed. The CDR regulates the collection and handling of CDR data. In accordance with our obligations as an accredited data recipient under the CDR laws, we set out in this Consumer Data Right Policy information about how we manage your CDR data.
Classes of CDR data
The CDR laws give you the ability to share your data with accredited data recipients (which could include financial institutions, banks, and other companies). The objective of the CDR is to allow consumers to have greater control of their data, use the data to obtain products or services and have greater transparency on how their data is used.
With your consent, we collect and hold the following classes of CDR data:
- Contact information (information about the person using the product):
  - Full name;
  - Contact details, including address, email and mobile phone number; and
  - Occupation.
- Account balance and details:
  - Details of any bank account you link to Waave, including its BSB, account number, account name, account balance, discounts, account terms, fees, account mail address and type.
- Transaction data (information about a person’s use of a product):
  - Full transaction history of linked accounts (including incoming and outgoing transactions, who the transactions are from or to, the dates of the transactions, descriptions of the transactions and the amounts of the transactions); and
  - Any authorisations you provide in connection with making a payment via Waave.
- Organisation information (information about an organisation’s use of a product):
  - Agent name and role;
  - Details about the organisation, including its name, ABN or CAN, charity status, establishment date, industry, type, country of registration; and
  - Contact details of the organisation, including its address, mail address and phone number.
- Direct debits and Scheduled Payments:
  - Direct debit authorisations; and
  - Scheduled, outgoing payments.
- Payees:
  - Details of saved payee accounts.
We store CDR data in Australia with Amazon Web Services through their Open Banking cloud storage offering.
Purposes of collection, storage, use and disclosure of CDR data
We collect, hold, use and disclose CDR data for the following purposes:
- to provide the Waave services to you, including:
  - allowing you to access the Waave mobile application;
  - helping facilitate payments via the Waave mobile application;
  - providing Personal Finance Management via the mobile application to:
    - help you keep track of your spending habits;
    - view a record of your bank account transactions;
    - view insights about your transactions;
- to contact and communicate with you about the Waave services, including to provide you support for the Waave services;
- for our internal record-keeping, reporting and administrative purposes;
- in a de-identified form for analytics and fraud detection and prevention (as further described below in the ‘Our deletion and de-identification policy’ section);
- to comply with our legal obligations and resolve any disputes that we may have; and
- if otherwise required or authorised by law.
Your data is held by Waave in a secure and audited environment. Data is only stored in Australia and shared (with your consent) with accredited parties in Australia.
Disclosure of CDR data
In carrying out the purposes listed above, we disclose CDR data to outsourced service providers and third parties as follows:
- Adatree – based in Australia, who is an accredited data recipient, and our CDR outsourced service provider for CDR data collection, CDR data storage, deletion and de-identification services (all data stored in Australia); and
- Experian – based in Australia, who is appointed as a CDR outsourced service provider for data enrichment services (all data stored in Australia).
We require that our outsourced service providers store CDR data in Australia.
If we share your CDR data with any accredited person, we will ensure that we have your consent before doing so.
Notifications
We will notify you of events in relation to your CDR data as required under the CDR, including as follows:
- when you give us consent to collect, use and disclose your CDR data;
- when we need to check in with you to let you know your consent is still current;
- when you amend or withdraw your consent;
- when your consent is due to expire;
- at the time of the collection of your CDR data;
- when your CDR data is disclosed to an accredited person (including what CDR data was disclosed and when, along with details of the accredited person to whom the CDR data was disclosed);
- when we respond to your correction request; and
- if there is an eligible data breach that affects you under the Notifiable Data Breaches Scheme.
Your consent can only be given for 12 months. In the 6 months prior to your consent expiring, we will invite you on at least two (2) occasions to extend your consent for another 12 months.
Your CDR data rights
Access: You may request access to the CDR data that we hold about you. Where you submit an access request to us we will provide you access to your CDR data in accordance with the CDR access requirements.
Correction: If you believe that any CDR data we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, you have the right to request the correction of your CDR data. When you submit a correction request to us we will promptly take steps to correct your CDR data. You can also ask the Data Holder to correct the information.
Withdrawal of consent: If you have given us consent to collect and manage your CDR data, you may withdraw your consent at any time. However, if you withdraw your consent, while you may retain access to the Waave mobile application, we may not be able to continue providing some or all of the Waave services to you. If you withdraw your consent, we’ll delete your data.
Deletion request: A data recipient can only ask for data that is absolutely necessary and can only hold it for the minimum amount of time it is needed to provide the service. You may request that we delete redundant data that we hold about you. Where you submit a deletion request to us we will promptly respond to your deletion request and take the steps described in the ‘Our deletion and de-identification policy’ section below. We only use your data for the purpose you have agreed to and we will delete it after it has been used for that purpose. When you withdraw your consent, your data is automatically deleted.
Submitting requests: You may submit the above requests via the functionality in the mobile application (otherwise known as the consumer dashboard) or by contacting us at the contact details at the end of this Consumer Data Right Policy. Where we receive a request, we may require that you provide further information so that we can respond to your request. We will respond to your request and let you know the outcome of your request.
Our deletion and de-identification policy
Redundant data: When CDR data is no longer required for any purpose permitted by law it becomes redundant data. We will destroy, delete or de-identify redundant data unless we have a legal obligation to maintain the data, such as for legal reporting purposes or by a court or tribunal order, or if we need or reasonably anticipate that we will need the redundant data for legal or dispute resolution proceedings. Unless you have asked us to delete your redundant data, our general policy is to decide whether to delete, destroy or de-identify redundant data once it becomes redundant.
Deletion process: Where we delete or destroy CDR data we delete it from our storage, we delete all copies of it and if we have disclosed it to any third party we ask them to delete it.
De-identification process: Where we de-identify CDR data, we do this using the tokenisation processes established by Amazon Web Services, our storage provider, for their Open Banking offering. This process removes all personally identifiable information within the CDR dataset and any other information that could identify you.
De-identification: We may also de-identify CDR data that has not become redundant in the process of creating analytics. We use these analytics to inform our product improvement and development. Sometimes we also disclose these analytics to merchants we partner with and to you to provide you with general insights about users of Waave. We may also share de-identified data with third-party fraud prevention tools for the purpose of fraud detection and prevention.
If a service does not require the ongoing use of your de-identified CDR data, you have the option to have it deleted. You can decide this when you first grant consent and at any time during the consent lifecycle.
Complaints
If you wish to make a complaint, please contact us at any time using the contact details below and provide us with your name, your contact details, your preferred contact method and full details of your complaint. We will aim to send an acknowledgement of your complaint within 5 business days of receiving your complaint.
We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take in response to your complaint.
The remedy for a complaint will depend on the nature of the complaint made. Remedies could include:
- an apology;
- correction or deletion of CDR data;
- an explanation of the circumstances giving rise to the complaint;
- provision of assistance or support; or
- an undertaking to set in place improvements to systems, procedures or products.
We aim to provide a full response within 28 days but sometimes this may take longer. If there is a delay, we will let you know and explain why. Within 14 days of your complaint (unless there is a delay) we will provide a final response letter confirming the final outcome of your complaint and your right to lodge a complaint with:
Australian Financial Complaints Authority (AFCA):
Online: www.afca.org.au
Email: info@afca.org.au
Phone: 1800 931 678 (free call)
Mail: Australian Financial Complaints Authority GPO Box 3 Melbourne VIC 3001
and
Office of the Australian Information Commissioner (OAIC):
GPO Box 5218
Sydney NSW 2001
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
www.oaic.gov.au
Amendments
We may from time to time update this Consumer Data Right Policy by publishing the updated version on our website. We recommend you check our website regularly to ensure you are aware of our current Consumer Data Right Policy. You can also always ask us to provide a copy electronically or in hard copy.
For any questions or notices, please contact the Chief Technology Officer at:
Waave Technologies Pty Ltd (ABN 60 642 784 030)
Address: PO Box 789 Rose Bay NSW 2029
Email: contact@waave.com
Last update: 29 Aug 2024