Privacy Policy

Updated on

November 6, 2025

SECTION A – INTRODUCTION

1. INTRODUCTION

1.1 As part of Speedle Pty Limited’s (“Speedle”) process to ensure that it continues to maintain the highest levels of professional integrity and ethical conduct, Speedle has adopted this Privacy Policy (“Policy”) to manage Personal Information in an open and transparent manner.

1.2 The provisions of this Policy will assist Speedle in complying with the requirements of the Privacy Act 1988 (Cth), the Privacy Regulation 2013 (Cth) and the Privacy (Credit Reporting) Code 2025 (Cth) and the Australian Privacy Principles in protecting the Personal Information Speedle holds about its clients.

2. WHEN DOES THIS POLICY APPLY?

2.1 This Policy applies to all representatives and employees of Speedle at all times and the requirements remain in force on an ongoing basis.

3. GLOSSARY

TERM DEFINITION

Affected Information Recipient Means:

(a) a mortgage insurer; or

(b) a trade insurer; or

(d) a person who:

(i) is involved in processing an application for credit made to Speedle; or

(ii) manages credit provided by Speedle; or

(e) an entity, a legal adviser of the entity or professional adviser of the entity.

APP Entity means an agency or organisation as defined in section 6 of the Privacy Act 1988.

Australian law means

(a) an Act of the Commonwealth or of a State or Territory;

(b) or regulations, or any other instrument, made under such an Act; or

(d) a rule of common law or equity.

Collects Speedle collects Personal Information only if Speedle collects the Personal Information for inclusion in a record or generally available publication.

Court/Tribunal Order means an order, direction or other instrument made by:

(a) a court; or

(b) a tribunal; or

(d) a magistrate (including a magistrate acting in a personal capacity) or a person acting as a magistrate; or

(e) a member or an officer of a tribunal;

and includes an order, direction or other instrument that is of an interim or interlocutory nature.

CR Code refer to the the Privacy (Credit Reporting) Code 2025 (Cth). This is written code of practice about credit reporting. The CR code supplements the credit reporting provisions contained in Part IIIA of the Privacy Act 1988. A breach of the CR code is a breach of the Privacy Act 1988. The CR code is registered on the OAIC Privacy Register.

Credit Eligibility Information means Credit Reporting Information that was disclosed to the Credit Provider by a Credit Reporting Body or CP Derived Information. Credit eligibility information is generally held by a Credit Provider and may be disclosed to Affected Information Recipients and other entities in specific circumstances.

Credit Provider - The following entities are included as credit providers for the purposes of the Privacy Act:

(a) a bank;

(b) an organisation or Small Business Operator if a substantial part of its business is the provision of credit, such as a building society, finance company or a credit union;

(d) an organisation or Small Business Operator that supplies goods and services where payment is deferred for seven (7) days or more, such as a telecommunications carriers and energy and water utilities; and

(e) certain organisations or Small Business Operators that provide credit in connection with the hiring, leasing or renting of goods.

Importantly, the following entities are not credit providers:

(a) real estate agents;

(b) general insurers; and

CP Derived Information means any Personal Information (other than Sensitive Information) about an individual:

(a) that is derived from Credit Reporting Information about the individual that was disclosed to a Credit Provider by a Credit Reporting Body; and

(b) that has any bearing on the individual’s credit worthiness; and

Credit Information means Personal Information that is:

(a) identification information about the individual; or

(b) consumer credit liability information about the individual; or

(d) a statement that an information request has been made in relation to the individual by a Credit Provider, mortgage insurer or trade insurer; or

(e) the type of consumer credit or commercial credit, and the amount of credit, sought in an application:

(i) that has been made by the individual to a Credit Provider; and

(ii) in connection with which the provider has made an information request in relation to the individual; or

(f) default information about the individual; or

(g) payment information about the individual; or

(h) new arrangement information about the individual; or

(i) court proceedings information about the individual; or

(j) personal insolvency information about the individual; or

(k) publicly available information about the individual:

(i) that relates to the individual’s activities in Australia or the external Territories and the individual’s credit worthiness; and

(ii) that is not court proceedings information about the individual or information about the individual that is entered or recorded on the National Personal Insolvency Index; or

(l) the opinion of a Credit Provider that the individual has committed, in circumstances specified by the provider, a serious credit infringement in relation to consumer credit provided by the provider to the individual.

Credit Reporting Body means a business or undertaking that involves collecting, holding, using or disclosing Personal Information about individuals for the purpose of, or for purposes including the purpose of, providing an entity with information about the credit worthiness of an individual.

Credit Reporting Information means Credit Information or Credit Reporting Body derived information about an individual.

De-identified Personal Information is de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable.

Holds Speedle holds Personal Information if it has possession or control of a record that contains the Personal Information.

Identifier of an individual means a number, letter or symbol, or a combination of any or all of those things, that is used to identify the individual or to verify the identity of the individual, but does not include:

(a) the individual’s name; or

(b) the individual’s ABN (within the meaning of the A New Tax System (Australian Business Number) Act 1999); or

Permitted General Situation As defined in s16A of the Privacy Act 1988

Personal Information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not.

Sensitive Information means

(a) information or an opinion about an individual’s:

(i) racial or ethnic origin; or

(ii) political opinions; or

(iii) membership of a political association; or

(iv) religious beliefs or affiliations; or

(v) philosophical beliefs; or

(vi) membership of a professional or trade association; or

(vii) membership of a trade union; or

(viii) sexual orientation or practices; or

(ix) criminal record;

that is also Personal Information; or

(b) health information about an individual; or

Small Business Operators is a person or organisation that has an annual turnover of $3,000,000 or less. For the purposes of the Privacy Act 1988 health service providers or businesses that trade in Personal Information are not Small Business Operators.

SECTION B – COLLECTION OF INFORMATION (SOLICITED INFORMATION)

This Section B applies to the collection of information that is solicited by Speedle.

4. PERSONAL INFORMATION

4.1 The Personal Information Speedle collects may include the following:

(a) name;

(b) address;

(d) gender;

(e) marital status;

(f) occupation;

(g) bank account details;

(h) contact details (including telephone, facsimile and e-mail);

(i) financial information (including transactional and trading history); and

(j) any other information Speedle considers necessary to their functions and activities.

4.2 Speedle must not collect Personal Information (other than Sensitive Information) unless the information is reasonably necessary for one or more of Speedle’s functions or activities.

4.3 Speedle’s functions or activities include:

(a) operate as credit provider to provide unsecured personal loans that relate to:

(i) Personal loans

(ii) Small amount loans;

(iii) Medium amount loans..

(b) typical consumers are Australian Citizens and Residents, residing in Australia, over the age of 18 years, employed with a level of income which supports the affordability of credit product(s) provided by Speedle.

5. SENSITIVE INFORMATION

5.1 Speedle must not collect Sensitive Information about an individual unless:

(a) the individual consents to the collection of the information and the information is reasonably necessary for one or more of Speedle’s functions or activities (as described in section 4.3); or

(b) the collection of the information is required or authorised by or under an Australian law or a Court/Tribunal Order; or

(d) a permitted health situation exists in relation to the collection of the information by Speedle.

(e) the collection of the information is inadvertently derived from, and limited to, bank transaction data and grouping of financial transactions for one or more of Speedle’s functions or activities (as described in section 4.3).

6. CREDIT-RELATED INFORMATION

6.1 Where Speedle receives a request for credit, the prospective client will be required to provide Speedle with Credit Information. Please refer to Speedle’s Credit Reporting Policy for further information.

6.2 Please note that consent is not required for Credit Information requests under the CR Code, however, before making such a request, we will provide you with a notice that:

(a) we may obtain information about you from a Credit Reporting Body for a permitted credit-related purpose;

(b) your consent is not required for this request;

(d) the existence of this enquiry may affect your credit score or credit rating in general terms;

(e) further details of the Credit Reporting Bodies we use and how you may obtain a copy of your credit report, request a correction, or make a complaint are particularised in our Credit Report Policy and Credit Reporting Statement available on our website.

7. MEANS OF COLLECTION

7.1 Speedle must only collect Personal Information by lawful and fair means.

7.2 Speedle must only collect Personal Information about an individual from the individual (rather than someone else), unless it is unreasonable or impracticable to do so or the individual has instructed Speedle to liaise with someone else.

7.3 Speedle will collect Personal Information from an individual when:

(a) Speedle’s Application Form is completed;

(b) a Client provides the information to Speedle’s representatives over the telephone or via email;

7.4 Speedle may collect Personal Information from an individual from others, such as from:

(a) service providers;

(b) agents;

(d) employers; or

(e) family members.

7.5 Speedle may verify an individual’s identity using the Commonwealth Document Verification Service (DVS). This is a secure system operated under the Identity Verification Services Act 2023 (Cth) that enables information on an individual’s identity documents (such as driver’s licence, passport, or Medicare card) to be checked against official government records. Speedle may use this service only with the express consent of the individual before any DVS check occurs.

7.6 Speedle may also collect certain financial and transactional information including bank account and bank transaction data directly from an individuals nominated bank account via secure upload or through an accredited third-party service provider using screen scraping technology (for example, through illion Open Data Solutions Pty Ltd or Experian Australia Operations Pty Ltd). This process allows Speedle to verify your income, expenses, and financial position as part of your credit application.

7.7 At the time of collection of bank account and bank transaction data, individuals are to be notified that this process will occur and are required to provide consent before any information is retrieved. Individuals are then directed to the third-party service provider’s website in order for them to provide authorisation for the collection of account information for a single use (e.g. for Speedle’s loan application assessment). The third-party service provider will complete a one-time retrieval of the individual’s account information (using the Credentials they have entered which may include username/account name and password). Where access to the account information is made by using an individual’s Credentials, the third-party service provider will immediately destroy the Credentials after they use them. For further information relating to the third party services providers use and collection of account information including Credentials see illion Open Data Solutions Pty Ltd's Illion End User Terms and Experian Australia Operations Pty Ltd's Experian Privacy Policy.

8. PURPOSE OF COLLECTION

8.1 Primary Purpose of Collection

8.2 If an individual is acquiring or has acquired a product or service from Speedle, the individual’s Personal Information will be collected and held for the purposes of:

(a) checking whether an individual is eligible for Speedle’s product or service;

(b) providing, managing and administering the requested credit or financial service;

(d) collecting payments that are owed to Speedle in respect of any credit previously provided to the individual;

(e) protecting against fraud, crime or other activity which may cause harm in relation to Speedle’s products or services;

(f) complying with legislative and regulatory requirements in any jurisdiction, including the National Consumer Credit Protection Act 2009 (Cth) (“NCCP Act”), the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (“AML/CTF Act”), the Privacy Act 1988 (Cth) and the Privacy (Credit Reporting) Code (“CR Code”);

(g) responding to a complaints, hardship requests or disputes; and

(h) supporting Speedle’s internal governance, compliance reviews, and audit processes.

8.3 Identity Verification through the Document Verification Service (DVS)

Where identity information is verified through the DVS, it is used solely to confirm that details provided on an individual’s identification documents match those held by the issuing agency. Speedle retain identification details that an individual provides directly (such as your driver licence number, medicare card or passport details) as part of the customer file, for lawful purposes including identity verification, compliance with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and credit record keeping. Information retrieved from the DVS itself (for example, match results) is not stored beyond what is necessary for compliance or audit purposes.

8.4 Bank Transaction and Financial Information

Speedle collects certain financial and transactional data — including bank-account and bank-transaction information provided through secure upload or electronic retrieval (screen scraping) — for the following primary purposes:

a) Responsible Lending (NCCP Act): to verify income (such as salary deposits or government benefits), confirm regular expenses and liabilities, and assess serviceability to ensure any loan is not unsuitable;

b) Customer Due Diligence (AML/CTF Act): to verify the source of funds, detect unusual or suspicious transactions, and maintain records for AUSTRAC reporting requirements; and

c) Fraud Prevention and Identity Verification: to cross-check application information and detect identity theft, falsified documents, or unauthorised third-party applications;

d) Complaints: to respond to complaints, hardship requests or disputes.

8.5 Speedle does not collect, store or access any individual’s internet-banking credentials (such as usernames or passwords)

8.6 Secondary Purposes of Collection

Speedle may also use or disclose Personal Information for secondary purposes where:

a) the individual has expressly consented;

b) the use or disclosure is reasonably expected and directly related to the primary purpose (for example, quality assurance, system maintenance, training, or responding to regulators)

c) is required or authorised by law; or

d) it is necessary to assist Speedle in the ordinary operation of its business, including communicating with related service providers, technology contractors, or professional advisers who are subject to confidentiality obligations.

8.7 Direct Marketing

Speedle may also collect and use Personal Information to let individuals know about products or services that may better meet their needs or other opportunities in which they may be interested. Please refer to Section G for further information on direct-marketing practices and opt-out rights.

SECTION C – COLLECTION OF INFORMATION (UNSOLICITED INFORMATION)

9. DEALING WITH UNSOLICITED PERSONAL INFORMATION

9.1 If Speedle:

(a) receives Personal Information about an individual; and

(b) the information is not solicited by Speedle

Speedle must, within a reasonable period after receiving the information, determine whether or not it was permitted to collect the information under Section B above.

9.2 Speedle may use or disclose the Personal Information for the purposes of making the determination under paragraph 9.1.

9.3 If Speedle:

(a) determines that it could not have collected the Personal Information; and

(b) the information is not contained in a Commonwealth record,

Speedle must as soon as practicable, destroy the information or ensure that the information is De-identified, only if it is lawful and reasonable to do so.

SECTION D – NOTIFICATION OF THE COLLECTION OF INFORMATION

10. CREDIT REPORTING AND PRIVACY STATEMENT

10.1 Speedle’s Director must ensure that at all times it maintains a clearly expressed and up-to-date Credit Reporting and Privacy Statement that:

(a) is current and reflects the latest applicable Australian laws;

(b) contains the following information: and

(i) the kinds of Credit Information, Credit Eligibility Information and Personal Information that Speedle collects and holds, and how Speedle collects and holds that information;

(ii) the kinds of CP Derived Information that Speedle usually derives from Credit Reporting Information disclosed to Speedle by a Credit Reporting Body;

(iii) the purposes for which Speedle collects, holds, uses and discloses Credit Information, Credit Eligibility Information and Personal Information;

(iv) how an individual may access Credit Eligibility Information and Personal Information held by Speedle and seek a correction of such information;

(v) how an individual may complain about a failure of Speedle to comply with the Privacy Act 1988 or CR Code and how Speedle will deal with such a complaint;

(vi) whether Speedle is likely to disclose Credit Information and Credit Eligibility Information to entities that do not have an Australian link; and

(vii) where Speedle is likely to disclose Credit Information or Credit Eligibility Information to entities that do not have an Australian link, the countries in which such entities are likely to be located.

(i) we may obtain information about you from a Credit Reporting Body for a permitted credit-related purpose;

(ii) your consent is not required for this request;

(iii) a record of the request may be included in your credit report and visible to other credit providers; and

(iv) the existence of this enquiry may affect your credit score or credit rating in general terms.

10.2 Speedle must ensure that Speedle’s Credit Reporting and Privacy Statement is available free of charge and in such form as appropriate. Speedle will make the Credit Reporting and Privacy Statement available on its website.

10.3 If the Credit Reporting and Privacy Statement is requested in a particular form, Speedle will take such steps as are reasonable to provide the Credit Reporting and Privacy Statement in the form requested.

SECTION E – USE OR DISCLOSURE OF INFORMATION

11. USE OR DISCLOSURE OF PERSONAL INFORMATION

11.1 Where Speedle holds Personal Information about an individual that was collected for a particular purpose (“the primary purpose”), Speedle must not use or disclose the information for another purpose (“the secondary purpose”) unless:

(a) the individual has consented to the use or disclosure of the information; or

(b) the individual would reasonably expect Speedle to use or disclose the information for the secondary purpose and the secondary purpose is:

(i) directly related to the primary purpose (if the information is Sensitive Information); or

(ii) related to the primary purpose (if the information is not Sensitive Information); or

(c) the use or disclosure of the information is required or authorised by or under an Australian law or a Court/Tribunal Order; or

(d) a Permitted General Situation exists in relation to the use or disclosure of the information by Speedle; or

(e) Speedle reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.

11.2 Where Speedle uses or discloses Personal Information in accordance with section 11.1(e), Speedle will keep a copy of this disclosure (e.g. the email or letter used to do so).

11.3 This section 11 does not apply to:

(a) Personal Information for the purposes of direct marketing; or

(b) government related identifiers.

12. WHO DOES Speedle DISLCOSE PERSONAL INFORMATION TO?

12.1 Speedle may disclose Personal Information collected from clients and prospective clients to the following:

(a) organisations involved in providing, managing or administering Speedle’s products or services such as third party suppliers, e.g. printers, posting services and our advisers;

(b) organisations involved in maintaining, reviewing and developing Speedle’s business systems, procedures and infrastructure, including testing or upgrading Speedle’s computer systems;

(d) organisations involved in the payments system, including financial institutions, merchants and payment organisations;

(e) organisations involved in product planning and development;

(f) other organisations, who jointly with Speedle’s, provide its products or services;

(g) authorised representatives who provide Speedle’s products or services on its behalf;

(h) the individual’s representatives, including your legal advisers;

(i) Credit Reporting Bodies including Equifax Pty Ltd, illion Australia Pty Ltd, Experian Australia Pty Ltd

(j) debt collectors including Capital Credit Solutions Pty Ltd and/or Incredit and/or AMPAC Debt Recovery Pty Ltd

(k) Speedle’s financial advisers, legal advisers or auditors;

(l) fraud bureaus or other organisations to identify, investigate or prevent fraud or other misconduct;

(m) external dispute resolution schemes;

(n) regulatory bodies, government agencies and law enforcement bodies in any jurisdiction.

(o) approved DVS Gateway Service Provider(s) and Intermediary Service Providers (including GBG ANZ Pty LTd t/as Green ID Data Zoo Pty Ltd) who facilitate identity verification checks on our behalf. These providers are appointed as Information Match Agents under the DVS Access Policy and are bound by confidentiality, security, and data-handling obligations equivalent to those in our Participation Agreement;

(p) where required by the DVS Framework Administrator or Australian Government agencies responsible for the DVS, information about our use of the system (not your document details) may be disclosed for audit or compliance purposes.

12.2 Speedle may also disclose your Personal Information to others where:

(a) they are required to disclose information by law e.g. under court orders or statutory notices pursuant to taxation or social security laws or under laws relating to sanctions, anti-money laundering or counter-terrorism financing;

(b) an individual may have expressly consented to the disclosure or the individual’s consent may be reasonably inferred from the circumstances; or

12.3 Speedle may also disclose limited personal information derived from bank account and bank transaction data to third parties where necessary to assess an individual’s credit application, manage a loan, or comply with legal and regulatory obligations. This may include Credit Reporting Bodies (Equifax Pty Ltd, illion Australia Pty Ltd, Experian Australia Pty Ltd), external collection agencies (Capital Credit Solutions Pty Ltd and/or InDebted Australia Pty Ltd), and technical support providers who maintain our systems under strict confidentiality controls.

SECTION F – DIRECT MARKETING

13. DIRECT MARKETING

13.1 Speedle must not use or disclose the Personal Information it holds about an individual for the purpose of direct marketing.

14. EXCEPTION – PERSONAL INFORMATION OTHER THAN SENSITIVE INFORMATION

14.1 Speedle may use or disclose Personal Information (other than Sensitive Information) about an individual for the purposes of direct marketing if:

(a) Speedle collected the information from the individual; and the individual would reasonably expect Speedle to use or disclose the information for that purpose; or

(b) Speedle has collected the information from a third party; and either:

(i) Speedle has obtained the individual’s consent to the use or disclose the information for the purpose of direct marketing; or

(ii) it is impracticable for Speedle to obtain the individual’s consent; and

(c) Speedle provides a simple way for the individual to opt out of receiving direct marketing communications from Speedle;

(d) in each direct marketing communication with the individual Speedle:

(i) includes a prominent statement that the individual may opt out of receiving direct marketing; or

(ii) directs the individual’s attention to the fact that the individual may opt out of receiving direct marketing; and

(e) the individual has not made a request to opt out of receiving direct marketing.

15. EXCEPTION – SENSITIVE INFORMATION

15.1 Speedle may use or disclose Sensitive Information about an individual for the purpose of direct marketing if the individual has consented to the use or disclosure of the information for that purpose.

16. REQUESTS TO STOP DIRECT MARKETING

16.1 Where Speedle uses or discloses Personal Information about an individual for the purposes of direct marketing by Speedle or facilitating direct marketing by another organisation, the individual may request:

(a) that Speedle no longer provide them with direct marketing communications;

(b) that Speedle does not use or disclose the individual’s Personal Information for the purpose of facilitating direct marketing by another organisation;

16.2 Where Speedle receives a request from an individual under section 16.1, Speedle will:

(a) give effect to the request under section 16.1(a) or 16.1(b) within a reasonable period after the request is made and free of charge; and

(b) notify the individual of the source of the information, if the individual requests it, unless it is impracticable or unreasonable to do so.

16.3 This Section F does not apply to the extent that the following laws apply:

(a) the Do Not Call Register Act 2006;

(b) the Spam Act 2003; or

SECTION G – CROSS BORDER DISCLOSURE OF INFORMATION

17. DISCLOSING PERSONAL INFORMATION TO CROSS BORDER RECIPIENTS

17.1 Where Speedle discloses Personal Information about an individual to a recipient who is not in Australia and who is not Speedle or the individual, Speedle must ensure that the overseas recipient does not breach the Australian Privacy Principles (with the exception of APP1).

17.2 The countries we may disclose an individual’s Personal Information to include:

(a) Australia;

(b) United States of America;

(d) Philippines.

17.3 Personal information is not actively transmitted overseas, however, in limited cases, contractors engaged overseas may have incidental access when maintaining our systems or conducting office administration or collection services

17.4 Section 17.1 does not apply where:

(a) Speedle reasonably believes that:

(i) information is subject to a law or binding scheme that has the effect of protecting the information in a way that is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and

(ii) there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme; or

(b) both of the following apply:

(i) Speedle has informed the individual that if they consent to the disclosure of information Speedle will not take reasonable steps to ensure the overseas recipient does not breach the Australian Privacy Principles; and

(ii) after being so informed, the individual consents to disclosure;

(c) the disclosure of the information is required or authorised by or under an Australian law or a Court/Tribunal Order; or

(d) a Permitted General Situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1) of the Privacy Act 1988) exists in relation to the disclosure of the information by Speedle.

17.5 When Personal Information (including Credit Information) is stored in cloud environments accessible from multiple countries, Speedle will take reasonable steps to ensure those service providers comply with the Privacy Laws.

SECTION H – ADOPTION, USE OR DISCLOSURE OF GOVERNMENT IDENTIFIERS

18. ADOPTION OF GOVERNMENT RELATED IDENTIFIERS

18.1 Speedle must not adopt a government related identifier of an individual as its own identifier unless:

(a) Speedle is required or authorised by or under an Australian law or a Court/Tribunal Order to do so; or

(b) the identifier, Speedle and the circumstances of the adoption are prescribed by regulations.

19. USE OR DISCLOSURE OF GOVERNMENT RELATED IDENTIFIERS

19.1 Before using or disclosing a government related identifier of an individual, Speedle must ensure that such use or disclosure is:

(a) reasonably necessary for Speedle to verify the identity of the individual for the purposes of the organisation’s activities or functions; or

(b) reasonably necessary for the organisation to fulfil its obligations to an agency or a State or Territory authority; or

(d) within a Permitted General Situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1) of the Privacy Act 1988; or

(e) reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or

(f) the identifier, Speedle and the circumstances of the adoption are prescribed by regulations.

SECTION I – INTEGRITY OF INFORMATION

20. QUALITY OF INFORMATION

20.1 Speedle will ensure that the Personal Information it collects and the Personal Information it uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up to date, complete and relevant.

21. SECURITY OF INFORMATION

21.1 Speedle will ensure that it protects any Personal Information it holds from misuse, interference, loss, unauthorised access, modification and disclosure.

21.2 Speedle will take reasonable steps to destroy or de-identify Personal Information it holds where:

(a) Speedle no longer needs the Personal Information for any purpose for which the information may be used or disclosed by Speedle; and

(b) the information is not contained in a Commonwealth record; and

22. STORAGE OF INFORMATION

22.1 Speedle stores Personal Information in different ways, including:

(a) hard copy on site at Speedle’s head office;

(b) electronically secure data centres which are located in Australia and owned by either Speedle or external service providers;

22.2 In order to ensure Speedle protects any Personal Information it holds from misuse, interference, loss, unauthorised access, modification and disclosure, Speedle implements the following procedure/system:

(a) access to information systems is controlled through identity and access management;

(b) employees are bound by internal information securities policies and are required to keep information secure;

(d) Speedle regularly monitors and reviews its compliance with internal policies and industry best practice; and

22.3 Speedle maintains and stores records of any Personal Information and any decline-notices issued under s 20U(3) of the Privacy Act 1988 for a minimum of seven (7) years in accordance with the CR Code.

SECTION J – ACCESS TO PERSONAL INFORMATION

23. ACCESS

23.1 Speedle must give an individual access to the Personal Information it holds about the individual if so requested by the individual.

23.2 An individual can request access to their Personal Information by contacting Speedle’s Complaints Officer on 02 8365 2322 or put their request in writing and send it to complaints@speedle.com.au.

23.3 Speedle must respond to any request for access to Personal Information within a reasonable period after the request is made.

23.4 Speedle must give access to the information in the manner requested by the individual, if it is reasonable and practicable to do so and must take such steps as are reasonable in the circumstances to give access in a way that meets the needs of Speedle and the individual.

23.5 Speedle must not charge an individual for making a request, and must not impose excessive charges for the individual to access their Personal Information.

24. WRITTEN NOTICE OF CREDIT REFUSAL

24.1 If Speedle decline an application for consumer credit wholly or partly based on information obtained from a Credit Reporting Body, they will issue a written notice that:

(a) states that the decision was based wholly or partly on information from a Credit Reporting Body;

(b) identifies the Credit Reporting Body used and provides its contact details; and

(c) advises the individual of their right to obtain a free copy of your credit report from that Credit Reporting Body within 90 days and to seek correction of any errors.

24.2 Speedle are not required to provide detailed reasons for a credit refusal, but will ensure that any information relied upon has been obtained and used in compliance with the Privacy Laws.

25. EXCEPTIONS

25.1 Speedle is not required to give an individual access to their Personal Information if:

(a) Speedle reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety; or

(b) giving access would have an unreasonable impact on the privacy of other individuals; or

(d) the information relates to existing or anticipated legal proceedings between Speedle and the individual, and would not be accessible by the process of discovery in those proceedings; or

(e) giving access would reveal intentions of Speedle in relation to negotiations with the individual in such a way as to prejudice those negotiations; or

(f) giving access would be unlawful; or

(g) denying access is required or authorised by or under an Australian law or a Court/Tribunal Order; or

(h) Speedle has reason that unlawful activity, or misconduct of a serious nature, that relates to our functions or activities has been, or may be engaged in and giving access would be likely to prejudice the taking of appropriate action in relation to the matter; or

(i) giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or

(j) giving access would reveal evaluative information generated within Speedle in connection with a commercially sensitive decision-making process.

26. REFUSAL TO GIVE ACCESS

26.1 If Speedle refuses to give access in accordance with section 23 or to give access in the manner requested by the individual, Speedle will give the individual a written notice that sets out:

(a) the reasons for the refusal except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so; and

(b) the mechanisms available to complain about the refusal; and

26.2 Where Speedle refuses to give access under section 25.1(j) Speedle may include an explanation of the commercially sensitive decision in its written notice of the reasons for denial.

SECTION K – CORRECTION OF INFORMATION

27. CORRECTION OF INFORMATION

27.1 Speedle must take reasonable steps to correct all Personal Information, having regard to the purpose for which the information is held where:

(a) Speedle is satisfied the information is inaccurate, out of date, incomplete, irrelevant or misleading; or

(b) the individual requests Speedle corrects the information.

27.2 An individual can request Speedle correct any the information held by contacting Speedle’s Complaints Officer on 02 8365 2322 or put their request in writing and send it to complaints@speedle.com.au

27.3 Where Speedle corrects Personal Information about an individual that Speedle previously disclosed to another APP Entity and the individual requests Speedle to notify the other APP Entity of the correction, Speedle must take reasonable steps to give that notification, unless it is impracticable or unlawful to do so.

28. REFUSAL TO CORRECT INFORMATION

28.1 If Speedle refuses to correct Personal Information as requested by the individual, Speedle will give the individual a written notice that sets out:

(a) the reasons for the refusal except to the extent that it would be unreasonable to do so; and

(b) the mechanisms available to complain about the refusal; and

29. REQUEST FROM A CLIENT TO ASSOCIATE A STATEMENT WITH THEIR INFORMATION

29.1 If:

(a) Speedle refuses to correct Personal Information as requested by the individual; and

(b) the individual requests that Speedle associate a statement noting that the information is inaccurate, out of date, incomplete, irrelevant or misleading, with the individual’s information,

Speedle must take such steps as are reasonable in the circumstances to associate the statement (as described in section 29.1(b)) with the individual’s Personal Information. The statement should be associated with the information in such a way that will make the statement apparent to users of the information.

30. DEALING WITH REQUESTS

30.1 Speedle must:

(a) respond to requests under this Section K within thirty (30) days after the request is made; and

(b) must not charge the individual for the making of the request, for correcting the Personal Information or for associating the statement with the Personal Information.

SECTION L – MAKING A PRIVACY COMPLAINT

31. COMPLAINTS

31.1 Speedle offers a free internal complaint resolution scheme to all customers. Should a client have a privacy complaint, they are to contact Speedle to discuss their concerns using the following contact details:

(a) Email: complaints@speedle.com.au

(b) Phone: 02 8365 2322

31.2 To assist Speedle in helping customers, Speedle asks customers to follow a simple three-step process:

(a) gather all supporting documents relating to the complaint;

(b) contact Speedle to review your situation and if possible, resolve your complaint immediately; and

(c) if the matter is not resolved to the customer’s satisfaction, customers are encouraged to contact Speedle’s Complaints Officer on 02 8365 2322 or put their complaint in writing and send it to complaints@speedle.com.au.

31.3 Speedle will rectify any breach if the complaint is justified and takes necessary steps to resolve the issue.

31.4 In certain situations, to deal with a complaint it may be necessary to consult with third parties. However, any disclosure of Personal Information to third parties will be provided with the customer’s authority and consent.

31.5 After a complaint has been received, Speedle sends the customer a written notice of acknowledgement setting out the process. The complaint is investigated, and the decision sent to the customer within thirty (30) days unless the customer has agreed to a longer time. If a complaint cannot be resolved within the agreed time frame or a decision could not be made within thirty (30) days of receipt, a notification will be sent to the customer setting out the reasons and specifying a new date when the customer can expect a decision or resolution.

32. IF YOU ARE UNHAPPY WITH OUR RESPONSE

If the customer is not satisfied with Speedle’s internal privacy practices or the outcome in respect to complaint, the customer may approach the following with their complaint:

(a) Office of the Australian Information Commissioner

Address: GPO Box 5218, Sydney NSW 2001

Phone: 1300 363 992

Web Complaint Form: OAIC Privacy Complaint Form

Website: oaic.gov.au

(b) Australian Financial Complaints Authority Limited

Address: GPO Box 3 Melbourne VIC 3001

Phone: 1800 931 678

Fax: (03) 9613 6399

Email: info@afca.org.au

Website: https://www.afca.org.au/

AFCA is an independent and external dispute resolution scheme, of which Speedle is a member.

SECTION M – MISCELLANEOUS

33. POLICY BREACHES

33.1 Breaches of this Policy may lead to disciplinary action being taken against the relevant party, including dismissal in serious cases and may also result in prosecution under the law where that act is illegal. This may include re-assessment of bonus qualification, termination of employment and/or fines (in accordance with the Privacy Act 1988.

33.2 Staff are trained internally on compliance and their regulatory obligation to Speedle. They are encouraged to respond appropriately to and report all breaches of the law and other incidents of non-compliance, including Speedle’s policies, and seek guidance if they are unsure.

33.3 Staff must report breaches of this Policy directly to the Director.

34. RETENTION OF NOTIFIABLE DATA BREACH FORMS

34.1 The Compliance Officer will retain the completed Notifiable Data Breach Forms for seven (7) years in accordance with Speedle’s Document Retention Policy. The completed forms are retained for future reference and review.

34.2 As part of their training, all staff are made aware of the need to practice thorough and up to date record keeping, not only as a way of meeting Speedle’s compliance obligations, but as a way of minimising risk.

35. POLICY REVIEW

35.1 Speedle’s Privacy Policy will be reviewed on at least an annual basis by the Compliance Officer of Speedle, having regard to the changing circumstances of Speedle. The Compliance Officer will then report to the Director on compliance with this Policy.

Issued by Speedle Pty Limited – 6 November 2025

‍