WEMONEY CDR POLICY

1. ABOUT THIS POLICY

The Consumer Data Right (CDR), also known as “open banking”, gives you the right to consent to organisations accredited by the Australian Competition and Consumer Commission (ACCC) accessing specified data about you (CDR data).

The CDR regime is designed to give Australian consumers greater choice and control over how their data is collected, used, and disclosed. It allows you, with your consent, to share your data for specific purposes with any organisation that is accredited under the CDR regime.

In this policy, references to “you” or “your” mean you as a user of our Services and a CDR consumer.

WeMoney Pty Ltd ACN 633 007 860, Australian Credit Licence 526330 (WeMoney or we or us) is an accredited data recipient participating in the government’s open banking scheme under the CDR regime.

WeMoney provides a smart money management service that connects all of your financial accounts in one place, tracks your overall financial health, provides details about your credit score, and offers information and tools to help you compare a range of products, credit providers and services. We may also tell you about products or promotions from our connected network of product providers. WeMoney provides its services via its website and mobile applications (the Services).

As part of delivering our Services, and in accordance with the consents you provide during the CDR consent process, we may collect, use, and share your CDR data for purposes including enrichment, transaction categorisation, personalised insights, and — where you have provided a de-identification consent — de-identifying certain CDR data and securely retaining it to train and improve our transaction categorisation models and for general research purposes.

This Consumer Data Right (CDR) Policy (CDR Policy) has been created in accordance with the requirements of Division 5 of Part IVD of the Competition and Consumer Act 2010, the Competition and Consumer (Consumer Data Right) Rules 2020 and the CDR Privacy Safeguard Guidelines (CDR Legislation). In this CDR Policy, we explain how we manage your CDR data, how you can access and correct your CDR data, how you can make a complaint, and how we de-identify, retain, and destroy your CDR data in line with your consents and the CDR regime.

2. CONSUMER DATA RIGHT INFORMATION

The CDR data we collect from you and hold is classified as your “required consumer data” within your banking records which may include:

(a) your contact details;
(b) occupation;
(c) account information;
(d) transaction records;
(e) specific information about the financial products you may have with an organisation; or
(f) CDR data that includes data that may be derived from the original account information and transaction details.

WeMoney as an accredited organisation under the CDR regime:

(a) allows you to give your consent to share your selected financial data for specific purposes so that we can provide our Services to you; and
(b) with your consent, is able to de-identify certain CDR data and use the resulting de-identified data for training and improving our transaction categorisation models and related personal finance tools, for general research purposes, and disclose the de-identified data in connection with those purposes as outlined in this policy.

We also set out in this CDR Policy how we will treat your data when it becomes redundant.

The great benefit is that you control and decide when to share your CDR data, what CDR data you share, with whom you share it, and for how long.

As an accredited data recipient, we will only receive your CDR data with your consent.

We will also continue to manage your personal information in line with WeMoney’s Privacy Policy and our obligations under the Privacy Act (1988). Please visit our Privacy Policy at www.wemoney.com.au/privacypolicy for further information.

3. HOW WE HOLD CDR DATA

WeMoney collects and holds your data that you provide to us as our consumer, which enables us and assists us to provide you with our Services.

The data that we collect and hold may include data that is classified as “CDR data” once we, as an accredited data recipient under the CDR regime, receive it after you have given your consent.

Under the CDR regime:

Data holder: is the organisation that holds your data and, upon your consent, shares your data with an accredited data recipient, e.g., your financial services provider.

Data recipient: is an accredited organisation under the CDR regime (e.g., other banks and financial services organisations) that you have provided your consent to receive and use your CDR data from the Data holder. This is WeMoney.

When you provide your consent to an accredited organisation to collect and use your CDR data, it's important to know that you are then entering into an agreement with them.

At WeMoney, we will hold your data for a period of time as specified by you when you provide your consent or until you withdraw your consent. Once you withdraw your consent, or the period of time that you have specified in your consent has expired, or we can no longer hold it under the CDR regime, we will delete your CDR data that we hold about you, unless that data has been de-identified (see section 10. De-identified or Redundant Data).

WeMoney does not accept consumer requests to access additional voluntary product or consumer data that our Services do not already make available.

4. YOUR PRIVACY AND SECURITY

We will keep your CDR data in a cloud-based, or other types of networked or electronic storage centres. The security of your CDR data is important to us. We will take appropriate technical and organisational precautions to secure your CDR data as required under the CDR regime.

5. CONSENT TO RECEIVING YOUR CDR DATA

5.1 Sharing your CDR Data

You can choose to share your CDR data with WeMoney so we can provide you with our Services.

You will need to give your consent to WeMoney as an accredited data recipient to receive your CDR data from your nominated financial institution or financial services provider (data holder).

Prior to actioning your request to share your CDR data with WeMoney, we will:

(a) need to identify you first using our authentication methods;

(b) obtain your consent to sharing your CDR data from your nominated financial institution or financial services provider with WeMoney;

(c) ask you to choose which accounts/information you would like to share with WeMoney; and

(d) ask you for what period of time you want to share your CDR data with WeMoney.

IMPORTANT: Please note that your data holder will have their terms and conditions that you need to comply with when requesting to share your data with WeMoney.

5.2 Manage your CDR data sharing with your data holder

You can log in with your data holder to view, manage and stop your data sharing.

6. CDR DATA SHARING BY WEMONEY

WeMoney uses the entities listed below as its outsourced service providers (OSP) to provide the following services:

| Name of Service Provider | Description of Services provided by the Service Provider | CDR Accreditation | CDR Policy |
| --- | --- | --- | --- |
| Yodlee Inc. (Yodlee) | Manage its consent process with respect to accessing CDR data as an accredited data recipient, and to provide additional insights by enhancing merchant and payer identification and category details around your transactions | Accredited Data Recipient | |
| Tata Consultancy Services Limited (TCS) (based in India) | To provide customer servicing support, technology and infrastructure, and data processing services to Yodlee Inc | No | Yodlee Service Provider and covered in Yodlee's CDR policy |
| Experian Australia Pty Ltd (Experian) (based in Australia) | Provide transaction enrichment and categorisation services. These services assist us in enhancing the information we present to you about your transactions | Accredited Data Recipient | |
| Mastercard Asia/Pacific Pte. Ltd. (Mastercard) | Consent management, CDR connectivity, data aggregation and additional transaction enrichment services, including categorisation and income verification services | Accredited Data Recipient | |
| Mastercard Technologies LLC (based in the United States) | Customer servicing support, technology and infrastructure, and data processing services to Mastercard | No | Mastercard Service Provider and covered in Mastercard's CDR Policy |
| Mastercard International Incorporated (based in the United States) | Customer servicing support, technology and infrastructure, and data processing services to Mastercard | No | Mastercard Service Provider and covered in Mastercard's CDR Policy |
| Mastercard Asia/Pacific (Australia) Pty Ltd (based in Australia) | Customer servicing support, technology and infrastructure, and data processing services to Mastercard | No | Mastercard Service Provider and covered in Mastercard's CDR Policy |
| Finicity Corporation (based in the United States) | Customer servicing support, technology and infrastructure, and data processing services to Mastercard | No | Mastercard Service Provider and covered in Mastercard's CDR Policy |
| Finicity Technologies Private Limited (based in India) | Customer servicing support, technology and infrastructure, and data processing services to Mastercard | No | Mastercard Service Provider and covered in Mastercard's CDR Policy |

Some of our OSPs—such as Experian and Mastercard—are also accredited data recipients (ADRs) under the CDR regime. However, in their role providing services to WeMoney, they do not act in that capacity. When processing or enriching your data under our instructions, they operate solely as OSPs under a CDR outsourcing arrangement with WeMoney (see Section 9). Their access to and use of your CDR data is limited to what is permitted under that arrangement and your consent.

Where you have provided de-identification consent in the CDR consent process, certain OSPs (such as Mastercard, Yodlee, and Experian) may create and retain de-identified datasets in accordance with that consent and the CDR regime. These de-identified datasets may be used for the purposes specified in your consent, including training and improving transaction categorisation models and for general research purposes, as described in Sections 8, 9, 10, and 11 of this policy.

We may with your consent disclose your CDR data to other accredited data recipients that you may authorise from time to time, and we will seek your consent and provide you with a link to their CDR policy before you provide your consent.

IMPORTANT: Only accredited data recipients authorised by you are able to access your CDR data. The website www.cdr.gov.au gives you more information regarding the accreditation process.

7. HOW YOU CAN ACCESS YOUR SHARED CDR DATA WITH WEMONEY

CDR data that we have received will be made available to you securely via our Services. In addition, WeMoney allows you to update specific CDR data such as account holder information securely via our Services. Please note that for any data updates to other organisations that are data holders you will need to contact them directly to correct and update your CDR data.

You can log in to the WeMoney Services to view your data sharing, manage your data sharing and stop your data sharing with us and any accredited data recipient that you have authorised for us to share your CDR data with.

Where you have provided a de-identification consent in the CDR consent process, some of your CDR data may be de-identified and retained in accordance with that consent. Once your data has been de-identified, it can no longer be used to identify you and will not be available to be viewed, updated, or deleted, as your CDR data will not be able to be linked to you. For more information, see Sections 8, 10, and 11.

8. HOW WE USE YOUR CDR DATA

WeMoney offers its Service online, which enables users to manage their personal finances. Features include account aggregation of Australian bank accounts, calculating a user’s net worth, providing insights into income and spending, defining and tracking savings goals, and participating in the WeMoney community.

WeMoney uses your data to deliver its Services to you and to improve the overall service quality in the long-term.

As part of delivering our Services, and in accordance with the de-identification consent you provided during the CDR consent process, certain transaction data is de-identified and processed using our categorisation algorithms. These de-identified datasets may be securely retained and used to train and improve our models that support transaction categorisation, budgeting tools, and other personal finance insights.

We will only collect and use the CDR data that is reasonably needed to provide our Services to you, including the de-identification and retention of selected transaction data for these purposes.

We may also use your data that has been de-identified or become redundant as set out in section 10 (De-identified or Redundant Data).

9. DATA ENHANCEMENT

WeMoney enhances your CDR data to provide more meaningful and personalised financial insights. This involves identifying the parties to your transactions (such as merchants and payers) and assigning categories to your income and expenditure. Enrichment helps us deliver features like spending analysis, income and expense tracking, and personalised financial product recommendations.

We also use enriched data to determine which loan and credit opportunities may be more relevant to your financial profile, based on your transaction patterns and income insights. These insights help us tailor recommendations relevant to your financial circumstances and improve the personalisation of our Services.

Enrichment may be performed by WeMoney directly or by our outsourced service providers (OSPs). Where enrichment is performed by an OSP, it is applied only to CDR data that the provider has either collected on our behalf (e.g. Mastercard and Yodlee) or that WeMoney has shared with them in accordance with your consent and the CDR regime (e.g. Experian).

Where enrichment results in de-identified datasets being created, and you have provided de-identification consent in the CDR consent process, those de-identified datasets may be securely retained and used in accordance with Sections 8 and 10 of this policy.

For more information about third-party roles in enrichment, see Section 6. For more information about how de-identified or redundant data is handled, see Sections 10 and 11.

9.1 Mastercard

As an OSP of WeMoney, Mastercard collects CDR data on our behalf and provides additional enrichment services, including categorisation and income verification services. This enables WeMoney to deliver insights about the income sources that have been identified from our transaction data, your spending and your overall financial behaviour. This enrichment is applied only to the CDR data collected by Mastercard as our OSP. WeMoney then uses these categorised outputs, along with other internal processing, to generate insights and deliver enhanced services. Where enrichment produces de-identified datasets, these may be retained in de-identified form in accordance with your de-identification consent (see Sections 8 and 10).

9.2 Yodlee

Yodlee provides transaction categorisation and assists with account connectivity as an OSP appointed by WeMoney. Where Yodlee collects your CDR data on our behalf, it applies enrichment by identifying merchants and payers and assigning categories to the transactions. WeMoney uses this categorised data to produce insights tailored to your financial situation. Where enrichment produces de-identified datasets, these may be retained in de-identified form in accordance with your de-identification consent (see Sections 8 and 10).

For more information about how redundant or de-identified data is handled following enrichment, see Sections 10 and 11.

9.3 Experian

WeMoney may share your CDR data with Experian to provide transaction enrichment and categorisation services. Experian processes this data and returns the categorised outputs to WeMoney, which we then use to generate personalised financial insights tailored to your needs.

For information about how Experian handles de-identified data following enrichment, see Section 11.

10. DE-IDENTIFIED OR REDUNDANT DATA

This section describes how WeMoney handles your CDR data when it becomes redundant or is de-identified in the course of providing our Services.

10.1 De-identified Data

During the consent process, we may also seek your consent to de-identify certain CDR data and use the resulting de-identified data for:

(a) our general research purposes;

(b) training and improving our transaction categorisation models and related personal finance tools; and

(c) disclosing the de-identified data in connection with our general research purposes.

Once the data has been de-identified and used for the purposes outlined above, it cannot be deleted once it becomes redundant data. However, this de-identified data cannot be used to identify you as an individual and will continue to be held in the de-identified form.

For the purposes of this section, “general research purposes” includes providing feedback to the ACCC and participants of various data standard workgroups regarding WeMoney’s CDR connection statistics, using high level de-identified data for statistics about CDR connections in WeMoney press releases, and identifying opportunities for improvement in how we collect, handle and use CDR data to deliver better Services to you.

10.2 Redundant Data

Any CDR data that we no longer need for the purposes as disclosed in this policy and for which we have no other lawful basis under the CDR regime to retain, will be treated as redundant data.

For data accessed via Mastercard:

Redundant CDR data will be deleted. Note however that where you have provided de-identification consent in the CDR consent process and your CDR data has been de-identified in accordance with that consent, it may be retained in accordance with clause 10.1 above.

For data accessed via Yodlee:

During the consent process, you may choose to have your redundant CDR data deleted. If you do not make a deletion choice, we may either delete or de-identify it at our discretion. Please note that once your CDR data has been de-identified, it can no longer be deleted upon expiry or revocation of your consent, as it will no longer be able to be used to identify you as an individual. In such cases, the data will continue to be retained in its de-identified form.

11. HANDLING OF DE-IDENTIFIED DATA BY THIRD PARTIES

This section describes how third-party outsourced service providers (OSPs) may handle de-identified data after completing their services for WeMoney.

Some of our OSPs may perform de-identification of CDR data as part of providing enrichment, categorisation, verification, or other processing services. Where you have provided de-identification consent in the CDR consent process, an OSP may, in accordance with that consent and the CDR regime, securely retain de-identified datasets for the purposes specified in your consent — including training and improving transaction categorisation models and related personal finance tools, and for general research purposes (such as aggregated analysis, reporting, and identifying ways to improve their services).

These practices apply whether the CDR data was originally collected by the service provider on WeMoney’s behalf or was shared with them by WeMoney under a CDR outsourcing arrangement.

Before retention, the data is de-identified so that it can no longer be used to identify you. This involves removing all personal information and any transaction attributes that could reasonably be used, alone or in combination with other information, to re-identify you.

WeMoney requires that where our OSPs retain any de-identified data sets, they are permitted to do so only in accordance with the following restrictions:

- De-identified data sets are not permitted to be re-identified; and

- De-identified data sets are retained solely for the purposes permitted by your consent.

12. OVERSEAS STORAGE PRACTICES

WeMoney holds and stores data with SOC2 and ISO27000 compliant data centres in Australia and the USA. We will keep your CDR data stored securely and encrypted in electronic form in accordance with this policy complying with the CDR regime and WeMoney’s Privacy Policy.

Where your CDR data is accessed or processed from overseas — for example, by certain OSPs listed in Section 6 — such access will occur only in accordance with the CDR regime (including the Privacy Safeguards). All overseas access is subject to contractual and technical safeguards to ensure that your CDR data is protected to the same standards required in Australia.

13. HOW WE NOTIFY CONSUMERS

On several occasions, you will receive notifications via the Services. Such notifications will include:

(a) relevant lifecycle events regarding your CDR data (which includes when you set up, amend, stop sharing and where your CDR data sharing arrangement expires);

(b) requesting your consent to use your CDR data;

(c) the withdrawal of your consent;

(d) the collection of your CDR data, i.e., when updating your financial transactions;

(e) if you request and we correct your CDR data; and

(f) if our CDR accreditation is surrendered, suspended or revoked.

14. CONSEQUENCES OF WITHDRAWING CONSENT

You can withdraw your consent authorisation to share your CDR data with or by WeMoney at any time via the Services or simply by letting us know by email that you are withdrawing your consent. Our email address to withdraw consent is hello@wemoney.com.au.

You may also withdraw your consent by:

(a) disconnecting an individual bank account within the Services or by withdrawing your consent remotely via your financial institution; or

(b) deactivating your WeMoney account altogether.

Once WeMoney receives your consent withdrawal in any form, we will permanently delete your CDR data from our systems within 30 days of your request, unless it has been de-identified in accordance with the de-identification consent you provided in the CDR consent process, and is retained as described in Sections 8, 10, and 11 of this policy.

Once your CDR data is permanently deleted you will not be able to access it unless you provide a new consent for us to receive your CDR data.

15. CONTACTING US OR MAKING A COMPLAINT

15.1 Contacting Us

WeMoney is here to help! If you want to know how we hold and manage your CDR data or you want to request a copy of your CDR data, please contact us via either our Services, call us on 1300 629 510, email us at hello@wemoney.com.au or by writing to us at WeMoney Pty Ltd, 81-83 Campbell Street, Surry Hills, NSW 2010, Australia.

15.2 Making a Complaint to Us

If you are concerned about how we have handled your CDR data or you want to make a complaint or provide us with any feedback, you can contact us on the details outlined in section 15.1 above. We will attempt to the best of our abilities to resolve any issue that you may have.

In order for us to assist you, please include your full name, email and contact details, as well as a preferred contact method in your email to us. We may ask for additional information to identify and verify you. Please note a WeMoney representative will never ask you for your log-in account information such as your password via phone or email.

We will do our best to:

(a) try and resolve your complaint immediately, if possible;

(b) resolve your complaint within 5 business days. If this isn’t possible, we will confirm the outcome with you in writing. We will aim to resolve your complaint within 30 days. If we can’t meet these timeframes, we will explain to you why and will provide to you an expected date for the outcome of your complaint. We will keep you informed of progress; and

(c) explain our decision with respect to your complaint and notify you in writing for all complaints that are not resolved within 5 business days.

If you are not satisfied with the final outcome, you may choose to lodge a complaint with the Australian Financial Complaints Authority (AFCA). AFCA provides a free and independent dispute resolution service for individuals and small business consumers who are unable to resolve their complaints directly with WeMoney.

Australian Financial Complaints Authority

Online: www.afca.org.au

Email: info@afca.org.au

Phone: 1800 931 678

Mail: GPO Box 3, Melbourne, VIC 3001

You may also raise any CDR concerns directly with the Office of the Australian Information Commissioner (OAIC). OAIC acts as an impartial third party when investigating and resolving a complaint in relation to the handling of your CDR data. You can contact the OAIC on:

Office of the Australian Information Commissioner

Mail: GPO Box 5218, Sydney, NSW 2001

Phone: 1300 363 992

Online: www.oaic.gov.au

Email: enquiries@oaic.gov.au

16. NOTIFIABLE DATA BREACHES

From February 2018, the Privacy Act includes a new Notifiable Data Breaches scheme (NDB) which requires us to notify you and the Office of the Australian Information Commissioner (OAIC) of certain data breaches and recommend steps you can take to limit the impacts of a breach (for example, a password change).

The NDB scheme requires us to notify you about a data breach that is likely to result in serious harm to affected individuals. There are exceptions where notification is not required. For example, where we have already taken appropriate remedial action that removes the risk of serious harm to any individuals.

If we believe there has been a data breach that impacts your CDR data and/or your personal information and creates a likely risk of serious harm, we will notify you and the OAIC as soon as possible and keep in close contact with you about the nature of the breach, the steps we are taking and what you can do to reduce the impacts to your privacy. If we believe there has been an information security incident, we will notify the Australian Cyber Security Centre (ACSC) as soon as practicable and in any case no later than 30 days after becoming aware of the security incident.

If you believe that your CDR data or personal information has been the subject of a data breach, you can contact us using the contact details outlined in Section 15.1 above.

17. AVAILABILITY

This CDR Policy is available electronically by selecting “Settings”, then “CDR Policy” within our Services. It is also available on the WeMoney website by visiting www.wemoney.com.au/cdrpolicy, and on request by contacting us at hello@wemoney.com.au.

We reserve the right to change this CDR Policy at any time. When we do, we will post the current version on our website and it will be available in “Settings”, then “CDR Policy” within our Services.

The revised CDR Policy shall apply from the date of publication of the revised CDR Policy on our website, and is made available in “Settings”, then “CDR Policy” within our Services. You hereby waive any right you may otherwise have to be notified of, or to consent to, revisions of the CDR Policy.

Any subsequent access to, or use by you, of the WeMoney website or any of our Services will constitute acceptance of any varied or modified CDR Policy.

We will not file a copy of the CDR Policy specifically in relation to each user or consumer and, if we update the CDR Policy, the version to which you originally agreed may no longer be available on our WeMoney website or made available in “Settings”, then “CDR Policy” within our Services. We recommend that you consider saving a copy of the CDR Policy for future reference.

This CDR Policy is Version 5.4 dated 18 September 2025.