Consumer Data Right Policy

About us

Tiimely Pty Ltd ("Tiimely") is a privately owned Australia platform technology company founded in 2015. Tiimely provides both Software as a Service and Platform as a Service product offerings to the Financial Services industries in Australia and New Zealand.

Tiimely’s retail business, Tiimely Home, provides digital home loan application, assessment, and approval services to customers in Australia. This business has been offering digital home loans since 2017.

For more information about Tiimely and Tiimely Home please visit:

• Tiimely
• Tiimely Home

In this policy, Tiimely, we, us, or our means TicToc Online Pty Ltd (trading as Tiimely).

About the Consumer Data Right (CDR)

The Consumer Data Right (CDR) was introduced by the Australian Federal Government to provide customers the right to share their data between accredited service providers of their choosing. This is often referred to as Open Banking. The intention is that consumers can help find the best products and pricing, and to help switch to new products and services.

If you choose to use Consumer Data Right, your information is transferred using secure automated data technology. The process has been designed to give you greater choice and control through the convenience of a simple, easy-to-use process.

The data transfer is done between the providers, but the Australian Government has designed and oversees the system to ensure it is safe and secure for consumers. Providers must go through a rigorous process to become accredited to provide Consumer Data Right services to you. The Australian Competition and Consumer Commission (ACCC) manages this process.

Tiimely is an accredited data recipient under the CDR allowing us to receive your data from an accredited data holder in actively participating industry sectors. We do not charge individuals for this service.

About this policy

This Consumer Data Right (CDR) Policy explains how Tiimely can collect, use, hold and disclose your data that you consent to sharing with us. This ensures transparency and trust between all parties involved. It also ensures the security, quality and integrity of your personal information under applicable CDR legislation and Privacy Laws.

If you want to know more about how we handle your personal information at Tiimely, see our Privacy Policy at:

• Tiimely - https://tiimely.com/privacy-policy
• Tiimely Home - https://tiimelyhome.com.au/legal-bits/privacy-policy

Tiimely will occasionally update our CDR Policy. You can always find the most current version on our website or alternatively you can ask us to send you a copy.

Your privacy and security

Your privacy and the security of your information is of paramount important to us. Tic:Toc will always protect your information and aim to be transparent about what we do with it. We adhere to relevant security and privacy regulations and maintain appropriate controls and capabilities to keep your information safe. Tiimely monitor every activity, and continuously invest in security upgrades, so we protect you and your data.

Your rights as a consumer regarding your data

As a consumer, you have control over who you share your data with. Any data recipient is accredited by the ACCC and is subject to:

• ongoing processes;
• internal dispute resolution;
• information security;
• service-level agreements;
• audits; and
• other requirements by the Data Accreditation Body.

You may choose to share your data that is held by an existing data holder (like a banking institution) with an accredited data recipient (like another banking institution or FinTech).

Granting and managing consent

Should you choose, you can consent to share your data with a data recipient like Tiimely.

CDR Legislation and Privacy Law gives you the right to choose how you share your data, including:

• which data types (like customer information, payments, transaction or account information);
• how long you’ll share your data for: as a once-off or ongoing;
• whether you want to receive direct marketing related to the data shared; and
• whether your data will be deleted or de-identified.

Consent can only last for a maximum of twelve (12) months. After 12 months your consent expires and you can either re-confirm your consent or explicitly withdraw your consent. If you don’t actively state your preference, your consent will automatically be withdrawn.

You may view and manage your consent in the consent dashboard of either of the organisations that receive or send your data. The three types of consent status include: active, expired or withdrawn.

What data will be available under the CDR?

As an accredited data recipient under the CDR legislation, we can receive specific sets of data shared by an accredited data holder that you consent to:

• Name, occupation and contact details
  • Name
  • Occupation
  • Phone
  • Email address
  • Mail address
  • Residential address
• Account balance and features of product you have with the data holder
  • Name and type of account
  • Account number
  • Account balance
  • Fees
  • Interest rates
  • Discounts
• Transaction details
  • Incoming and outgoing transactions
  • Amounts
  • Descriptions of transactions
• Direct debits and scheduled payments
  • Authorised direct debits
  • Scheduled outgoing payments
• Information about your data holder’s product and services

The types of CDR data we may ask you to share will depend on the service we provide to you. Other services we offer might provide you with the option to share whichever types of data you prefer, including those shown above.

Tiimely only receives shared data from data holders as required under CDR legislation (required consumer data). To learn more about accreditation, please visit cdr.gov.au.

How is CDR data held?

As an accredited data recipient, Tiimely stores data securely in Australia, as outlined in our Privacy Policy and in accordance with legal requirements. We will not disclose your CDR data to accredited persons outside Australia, unless you specifically ask us to share your data with an overseas recipient that is accredited under the CDR regime.

We use services from third parties in order to provide our services, this includes Cloud Service Providers that allow information to be analysed and categorised in a secure environment. These service providers are located in Australia, they are not Accredited Data Recipients under CDR rules and only provide very specific services to us. It is important to note these service providers do not have access to the CDR information.

Withdrawing consent

At any time you may withdraw your consent in 3 ways:

1. Through the data recipient consent dashboard;
2. Through the data holder consent dashboard; or
3. In writing to either party.

If you use the consent dashboard to withdraw your consent, the status of your consent will be updated in near real-time and reflect your wishes almost immediately. If you opt to withdraw your consent in writing, this will be completed by the data recipient or holder within two business days.

We’ll only use your data for the purpose you have agreed to. If you withdraw your consent or the consent expires, we’ll delete all personally identifiable data. If your data has been used to generate statistical, unidentifiable trend information, it will remain part of the statistical base for this information after your transaction and account data has been deleted.

Remember, if you withdraw your consent, it will affect the service or features we’ve offered you, as we won’t be able to use your CDR data.

Consent notifications

Tiimely will notify you:

• When you consent to collect, use and/or disclose your CDR data
• When you amend or withdraw a consent
• When we disclose to any accredited persons
• When we access your data the consent dashboard will update when your data was last accessed in your linked accounts
• Every 90 days for each active consent
• When you request a correction of your data
• In the event of a data breach e.g. someone gaining unauthorised access which results in loss of CDR data, we would notify you as soon as practical in order to take appropriate action if required

How to make a complaint

If you have a question or complaint about how your personal information is being handled by us, our affiliates or outsourced service providers, please contact us first by using the contact details below.

Complaints may be made by customers in the following ways:

• To a Complaints Officer
• To an individual employee member
• To Tiimely generally in any of the following forms:
  • By Telephone: 1300 842 405
  • By Email: contact@tiimely.com
  • By written letter:

Tiimely
GPO Box 1371
Adelaide SA 5001
AUSTRALIA

Please include the following information when submitting your complaint.

• Your name;
• Your contact details;
• Your preferred contact method of complainant (phone / email / letter); and,
• The details of your complaint.
• If any additional assistance is required with lodging the complaint

A CDR complaint can be made at any time. Once we receive your complaint, we will:

• acknowledge it within 24 hours or one business day and let you know if any further information is needed to resolve your complaint;
• do everything we reasonably can to fix the problem;
• keep you informed of our progress;
• keep a record of your complaint;
• give you our name, and contact details so that you can follow up if you want to.

Tiimely will investigate your complaint and attempt to provide you with a written response to resolve the complaint, within fifteen (15) calendar days of receipt of your complaint.
When the complaint is resolved, you will receive a ‘final response’ letter within 30 days, informing you of:

• the final outcome of your complaint or dispute;
• your right to take their complaint or dispute to External Dispute Resolution; and
• if you are not satisfied with the response, you may lodge a complaint with the Australian Financial Complaints Authority (AFCA). AFCA is a free and independent complaint resolution service.

If your complaint remains outstanding within thirty (30) days, Tiimely must write to you to:

• inform you of the reasons for the delay;
• specify a date when a decision can be reasonably expected;
• informs you of your right to take your complaint or dispute to an External Dispute Resolution; and
• if you are not satisfied with our response, you may lodge a complaint with the Australian Financial Complaints Authority.

You can contact the Australian Financial Complaints Authority via:

Email: info@afca.org.au

Phone: 1800 931 678 (free call)

Mail: Australia Financial Complaints Authority
GPO Box 3
Melbourne, VIC 3001

Online: www.afca.org.au

Availability of policy

This policy is available electronically on our website.

A hardcopy of this policy can be obtained by emailing contact@tiimely.com

Policy version

This is version 1.1 of the Tiimely CDR Policy (November 2023).