Australian Privacy Act Compliance

1. Purpose

This Privacy Policy outlines how personal information is collected, used, stored, and disclosed in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). It ensures that all reasonable steps are taken to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure.

2. Scope

This policy applies to all employees, representatives, and contractors, including Australian Credit Licensees and Australian Credit Representatives handling personal information in connection with credit services.

3. Legislative Framework

Under the Privacy Act 1988:

  • Organisations must comply with the Australian Privacy Principles (APPs).
  • The Act regulates the handling of personal information by government agencies and the private sector.
  • Credit Licensees and Representatives must handle personal information in accordance with applicable codes and industry practices when dealing with Credit Providers (CPs) and Credit Reporting Bodies (CRBs).

4. Australian Privacy Principles (APPs)

The organisation maintains an APP-compliant Privacy Policy that:

  • Identifies the types of personal information collected
  • Explains how personal information is used and disclosed
  • Details how individuals can access or correct their information
  • Explains how complaints regarding breaches can be made
  • Discloses whether personal information may be transferred overseas

This policy is made available free of charge and in an accessible format.

5. Tax File Numbers (TFNs)

Tax File Numbers are classified as sensitive information and must not be used or disclosed improperly. Any unauthorised use or disclosure is a breach of the Privacy Act and may result in penalties under the Criminal Code Act 1995.
All documents containing TFNs must be securely handled and any copies must have TFNs fully removed or redacted before storage.

6. Privacy Consent

Clients must be provided with a Privacy Consent form that:

  • Acknowledges compliance with privacy obligations
  • Authorises the collection, use, and disclosure of their personal information

A signed copy must be obtained and retained on the client file.

7. Direct Marketing

Personal information may only be used for direct marketing where:

  • The individual has provided consent, or
  • The individual would reasonably expect such use

All communications must include an option to opt out of receiving marketing materials. Client preferences must be recorded and respected.

8. Notifiable Data Breach Scheme

A data breach occurs where:

  1. There is unauthorised access, disclosure, or loss of personal information
  2. The breach is likely to result in serious harm to one or more individuals
  3. The organisation has been unable to prevent the risk of harm through remedial action

Examples of Data Breaches:

  • Loss or theft of devices containing personal information
  • Cybersecurity breaches or hacking incidents
  • Sending personal information to the wrong recipient

Response Requirements:

  1. Contain the breach and conduct a preliminary assessment
  2. Evaluate the risks associated with the breach
  3. Notify affected individuals and the OAIC where required
  4. Implement measures to prevent future breaches

9. Responsibilities

All staff and representatives must:

  • Obtain and retain signed Privacy Consent forms
  • Ensure TFNs are removed or redacted from stored documents
  • Record and respect client marketing preferences
  • Follow data breach response procedures when required

10. Privacy Policy Availability

The Privacy Policy must be:

  • Available on the organisation’s website
  • Included or referenced in email signatures and communications
  • Accessible via business documentation

11. Collection and Use of Personal Information

Personal information is collected to:

  • Assess finance needs and borrowing capacity
  • Submit applications to lenders
  • Manage ongoing client relationships
  • Provide updates, services, and communications

If sufficient information is not provided, services may be limited.

12. Storage and Security

Personal information is stored securely in electronic and/or physical formats. Security measures are implemented to protect information against unauthorised access or misuse.
Information may be stored using cloud or networked systems, which may involve overseas storage locations.

13. Overseas Disclosure

Personal information may be disclosed to overseas entities for:

  • Data storage and hosting
  • Reporting and analytics
  • System development and testing

Countries may include:

  • United States
  • Singapore
  • Serbia
  • Philippines

Reasonable steps are taken to ensure these entities comply with privacy obligations, though they may be subject to foreign laws.

14. Disclosure of Information

Personal information will not be sold, traded, or rented.

Information may be disclosed:

  • To service providers and contractors
  • In the event of business restructuring
  • Where required by law

All third parties are expected to maintain confidentiality and data security.

15. Access and Correction

Individuals may request access to or correction of their personal information by contacting the Privacy Officer.

Requests must:

  • Be in writing
  • Include sufficient information to identify the individual

No fee is charged for access or correction requests.

16. Consent

By engaging services, individuals consent to the collection, use, and disclosure of their personal information as outlined in this policy.

17. Complaints and Enquiries

Questions, concerns, or complaints regarding this policy should be directed to the Privacy Officer.

Contact details:

  • Name/Title: Jessica Graff
  • Phone: 1300 826 382
  • Email: jess@loamfinance.au

18. Review

This policy will be reviewed regularly to ensure ongoing compliance with legal and regulatory requirements.