Privacy Policy¶
| Code | PRI-001 |
| Domain | Privacy & Data Rights |
| Owner | Privacy Officer |
| Status | Draft |
| Applicability | Platform |
| Jurisdiction | NZ + AU |
| Business domain | BD01 |
| Review date | 2027-03-25 |
Regulations: Privacy Act 2020 · Privacy Act 1988¶
Purpose¶
Govern the platform's privacy management framework, including the privacy by design obligation, the Privacy Officer role, and the overarching obligations under the NZ Privacy Act 2020 and AU Privacy Act 1988.
Scope¶
All personal information collected, used, stored, or disclosed by the platform across NZ and AU, and all staff, systems, and third parties that handle such information.
Policy statements¶
The platform SHALL appoint a Privacy Officer responsible for overseeing compliance with privacy obligations in NZ and AU. The Privacy Officer SHALL have direct access to the Board and the CCO and shall be consulted on all projects involving personal information.
Privacy by design SHALL be applied to all new products, services, system changes, and data processing activities. A Privacy Impact Assessment (PIA) SHALL be completed before implementing any new or changed processing of personal information that is material in scope or risk.
The platform SHALL collect personal information only for a lawful purpose directly related to a function or activity of the platform (NZ Information Privacy Principle 1 / AU APP 3). The purpose SHALL be disclosed to customers at or before the time of collection.
Personal information SHALL be used and disclosed only for the purpose for which it was collected, or for a directly related secondary purpose, or with the individual's consent, or as otherwise authorised by law.
The platform SHALL take reasonable steps to ensure that personal information is accurate, up-to-date, complete, and relevant for its purpose. Customers SHALL be able to request correction of their information.
Personal information SHALL be retained only for as long as required by law or for the purpose for which it was collected. At the end of the retention period it SHALL be securely deleted or anonymised.
The privacy management framework SHALL be reviewed annually by the Privacy Officer and approved by the Board.
Satisfying modules¶
| Module | Name | Mode | Description |
|---|---|---|---|
| MOD-009 | eIDV & document verification | AUTO |
Identity data collected only for verification purpose — purpose limitation enforced at collection |
| MOD-043 | EventBridge domain event governance | AUTO |
Event payloads must not contain PII — personal data referenced by entity ID only, retrieved from the authoritative domain store |
| MOD-049 | Open banking consent management | GATE |
requireConsent() workspace library throws 403 CONSENT_NOT_GRANTED if no active row in app.consents (or app.ob_consents for OB purposes) exists for the customer + purpose tuple — personal data access is blocked without prior consent. |
| MOD-052 | Role-scoped data access | AUTO |
Personal data access limited to authorised roles — principle of minimum necessary enforced |
| MOD-068 | Authentication & session management | GATE |
Access to customer data requires a valid, unrevoked session tied to a verified identity — no anonymous data access is permitted. |
| MOD-072 | Customer profile & settings | AUTO |
Customers can view and correct all personal information held about them — the profile module provides a self-service interface for data accuracy rights. |
| MOD-073 | Document vault | GATE |
Customer documents are stored with access controls scoped to the owning customer and authorised bank staff only — no cross-customer document access is permitted. |
| MOD-084 | Open banking data access — data recipient | AUTO |
Retrieved open banking data is used only for the purpose declared at consent and is deleted after the consuming workflow (migration, affordability assessment, or account pre-fill) completes — purpose-binding is enforced per jurisdiction profile requirements |
| MOD-087 | Transaction enrichment engine | LOG |
Enrichment processing is logged with source signals so data minimisation audits can verify that only the fields required for classification are retained. |
| MOD-088 | Expense classification engine | LOG |
Classification signals and model inputs are logged to support data minimisation review and individual access requests under PRI-001. |
| MOD-089 | Geo-spatial processor | LOG |
Location cluster data is subject to data minimisation policy; processing basis and retention period are recorded per PRI-001. |
| MOD-090 | Auto rules engine | LOG |
User-defined and inferred classification rules constitute personal financial data; rule creation, modification, and application events are logged for data minimisation audits and individual access requests. |
| MOD-091 | Receipt processor | LOG |
Receipt images and extracted data are classified as personal financial data; retention and access are logged per PRI-001. |
| MOD-092 | Tax logic engine | LOG |
Tax position calculations and deductibility determinations reference personal financial data; all computation inputs and outputs are logged for data minimisation audits. |
| MOD-093 | Accounting mapper | LOG |
Classified transaction data pushed to Xero and MYOB constitutes personal financial data; all outbound data transfers are logged for data minimisation audits and individual access requests. |
| MOD-094 | Property attribution engine | LOG |
Property P&L data and rental attribution records constitute personal financial data; all processing and access events are logged for data minimisation audits. |
| MOD-095 | Ring-fencing logic engine | LOG |
Ring-fenced loss carry-forward registers and property tax positions constitute personal financial data; computation inputs and register writes are logged for data minimisation audits. |
| MOD-100 | External asset connector | LOG |
Akahu consent token, scope, and expiry recorded per customer — consent audit trail maintained for Privacy Act 2020 compliance. |
| MOD-103 | Neon database platform bootstrap | GATE |
Database roles and column-level permissions are configured at bootstrap to enforce the data minimisation principle — application roles are granted access only to the schemas and columns they require. |
| MOD-108 | Product offer engine | GATE |
Behavioural personalisation of offer terms requires the customer's active consent record for data-driven marketing — no behavioural offer is generated without a valid consent. |
| MOD-114 | Direct debit mandate management | GATE |
Mandate data (biller name, account reference) is stored and accessible only to the account holder and authorised bank staff — not shared with third parties beyond the payment rail. |
| MOD-125 | Joint account management | AUTO |
Each joint account holder's personal data is processed with individual consent; each holder has individual rights of access, correction, and portability over their own data. |
| MOD-126 | Power of attorney and third-party authority | GATE |
The account holder's consent is required before any third-party authority is registered — except where a court order provides the authority directly. |
| MOD-128 | Credit bureau enquiry and CCR integration | GATE |
Bureau enquiries are made only with the applicant's explicit consent, recorded in the consent management layer before any call is placed to the bureau API. |
| MOD-133 | Trust account management | AUTO |
Each trustee's and beneficial owner's personal data is processed with individual consent; privacy rights (access and correction) are applied per person, not at the trust account level. |
| MOD-134 | Community account management | AUTO |
Each signatory's personal data is processed with individual consent; their data is not shared with other signatories beyond the minimum necessary. |
| MOD-138 | Deceased customer and estate management | GATE |
Account access for a legal personal representative (LPR) requires verification of their identity and their legal authority (probate/letters of administration) before any access is granted; no access is provided based on claimed authority alone. |
| MOD-148 | Privacy access request (DSAR) workflow | AUTO |
Customer access requests are received, triaged, and fulfilled within the statutory timeframe — the workflow enforces the SLA and escalates automatically if it is at risk. |
Part of Privacy & Data Rights · Governance overview
Compiled 2026-05-22 from source/entities/policies/PRI-001.yaml