1 . Background and purpose of this policy 

We are committed to managing personal information in accordance with the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs). This policy explains how and why we collect, use, hold and disclose your personal information.

”We”, “us” and “our” means Wingman Money Pty Ltd ACN 680 671 336 of 502/24 Norman Crescent, Norman Park QLD 4170.

You consent to us collecting, holding, using and disclosing your personal and sensitive information in accordance with this policy.        

                                                                                                                 ‌

2 . What is personal information?

Personal information is any information or an opinion about an identified individual or an individual who can be reasonably identified from the information or opinion. Information or an opinion may be personal information regardless of whether it is true.

‍

3 . What personal information we collect

Members and prospective members

‍

Certain personal information is required to become a member with us.

‍

When you enquire about our services or when you become a member with us, a record is made which includes your personal information.  The type of personal information that we collect will vary depending on the circumstances of collection and the kind of service that you request from us, but will typically include: 

‍

1. identity data including your full name, address, date of birth and gender
2. contact details such as your address, phone number and email address
3. financial data including bank account summaries, transactions and balances (via manual input or our Open Banking provider Basiq Pty Ltd)
4. marketing preferences, including communications opt-ins, referrals and waitlist interactions
5. credit data including credit score and summary information (via our third party provider Equifax)
6. identity verification data including government-issued documents and facial data used for verification (via our third party provider Persona)
7. any additional personal information you provide to us or authorise us to collect as part of your interaction with us, including details of enquiries or complaints you make

‍

Other individuals

‍

We may collect personal information about other individuals who are not members. This includes customers and members of the public who participate in events we are involved with, individual service providers and contractors, and other individuals who interact with us on a commercial basis. The kinds of personal information we collect will depend on the capacity in which you are dealing with us. Generally, it would include your name, contact details, and information regarding our interactions and transactions with you. 

‍

If you are participating in an event we are managing or delivering, we may take images or audio-visual recordings which identify you.

‍

Website and App

We may collect information about how you access, use and interact with our website and app. We do this by using a range of tools such as Google Analytics and other third party marketing analytics providers. This information may include:

1. the location from which you have come to the site and the pages you have visited; and
2. device data, which may include IP address, the types of devices you are using to access the website, device attributes, browser type, language and operating system, mobile device identifiers; and
3. usage data, which may include how you use the app, feature interactions, spending categories, goals. 

We may also use cookies and similar tracking technologies on our website and app. A cookie is a small text file that the website may place on your device to store information. Cookies involve the collection of information about you (which may or may not be personal information) in a way that may not be obvious to you. Generally, the information collected through cookies relates to a device used to access online content, such as an IP address or location data about the device. Cookies may also collect information about the behaviours of the user of the device, such as the websites visited by the user and their activity on the website. 

‍

In some circumstances, the information collected through cookies may be combined with information that identifies the end user of the relevant device. Any personal information we collect in this way is handled in accordance with this policy.

You may refuse to use cookies by selecting the appropriate settings on your browser or device. However, please note that if you do this, you may not be able to use the full functionality of the website or app.

‍

4.  What sensitive information we collect

Sensitive information is any information or opinion about things such as an individual’s racial or ethnic origin, political opinions, membership of a political association, religious or philosophical beliefs, membership of a trade union or other professional body, criminal record or health information. 

‍

We generally don’t collect sensitive information, but when we do, we will only use your sensitive information: 

‍

1. for the same purpose we collected it from you;
2. if the disclosure is directly related to a purpose that you would reasonably expect; or
3. with your consent or where required or authorised by law.

‍

5 . ‌How we collect your information

We will collect your personal information through the following means:

‍

1. when you create an account or register via our website or app
2. when you connect your bank accounts to your Wingman account using our Open Banking provider, Basiq Pty Ltd
3. when you verify your identity via Persona or consent to credit checks via Equifax
4. when you contact us by telephone, facsimile, email, or visit our website or social media
5. when you use our financial wellness tools or complete our surveys
6. when you participate in our marketing programs, referral campaigns, or beta features
7. via cookies and analytic tools on our website and app

All financial and credit data is collected with your express consent and is securely managed in line with Australian regulations.

‍

6 . How we use your information      

We collect, hold and use your personal information so that we can:

1. provide you with products and services, and manage our relationship with you
2. provide personalised financial wellness insights and tools
3. help you track spending, understand trends, and improve money habits
4. display credit scores and help explain the factors affecting them
5. verify your identity and protect against fraud
6. send you statements and invoices
7. contact you, for example, to respond to your queries or complaints or to communicate with you about product updates, education or marketing (if opted in)
8. understand how our users engage with Wingman
9. improve our website, app performance and user experience
10. support analytics and marketing
11. inform you of our activities, events, facilities and services
12. research, develop and expand our facilities and services
13. if you consent, operate our AI chatbot 
14. comply with our legal obligations and assist government and law enforcement agencies or regulators

We may use your personal information for a secondary purpose if that secondary purpose is related to those purposes in clause 6(a) – (n), if we have your consent or if otherwise provided for under the Privacy Act.

‍

If you do not provide us with your personal information we may not be able to provide you with our services, communicate with you or respond to your enquiries.

‍

Note: Some financial insights may be powered by machine learning algorithms to provide personalised nudges, financial health scores, or trend alerts. These tools are general in nature and do not constitute financial, legal, or investment advice.

‍

7 . Consumer Data Right and Open Banking

Wingman uses Basiq Pty Ltd (Basiq) to retrieve your financial data from your financial institutions. 

Basiq is an Accredited Data Recipient under Australia’s Consumer Data Right (CDR).  The CDR allows consumers to safely share the data that banks and businesses hold about them and is strictly regulated by the Australian Government.  All Australian banks are required to participate in the CDR.

As an Accredited Data Recipient, Basiq must comply with the rules, standards and privacy safeguards under the Competition and Consumer (Consumer Data Right) Rules 2020, including:

1. taking steps to secure their network and systems within the CDR data environment;
2. taking steps to limit, prevent, detect and remove malware in regard to their CDR environment; and,
3. implementing processes to limit the risk of inappropriate or unauthorised access to its CDR data environment

You can view Basiq’s CDR policy here.

When you create an account with us:

4. you have the option to provide your consent for Basiq to securely access your bank account data under the Consumer Data Right;
5. if you provide your consent, your financial institution will verify your identity and ask you to confirm which bank account data you would like to share with Basiq;  
6. upon confirming your selected bank account data is shared with Basiq using secure automated technology;
7. we then receive your processed data from Basiq for use within Wingman.

You can withdraw your consent for Basiq to access your bank account data at any time via the app or by contacting us.  However, please note that if you withdraw consent, you may not be able to use the full functionality of the website or app.

‍

8 . Disclosure of your information

We may disclose personal information to external service providers so that they may perform services for us or on our behalf.  These may include:

‍

1. Our trusted service providers who assist us in hosting, analytics, identity verification (e.g. Persona), credit checks (e.g. Equifax), marketing (e.g. Klaviyo), and operations
2. Our legal or business advisors, as required for compliance or dispute resolution
3. Partners or acquirers, if the ownership or control of all or part of our business changes, we may transfer your personal information to the new owner

We may also disclose your personal information to others where:

1. we are required or authorised by law to do so;
2. you have expressly consented to the disclosure or the consent may be reasonably inferred from the circumstances; or
3. we are otherwise permitted to disclose the information under the Privacy Act

We do not sell your personal information to third parties.

‍

9. Overseas disclosure

Some of our service providers, including cloud storage and analytics platforms, may store or process your information overseas. 

‍

In the event that we do disclose your personal information to a recipient located outside Australia, we will take reasonable steps to ensure the overseas recipient does not breach the Australian Privacy Principles (other than APP 1) in relation to that information, except where this is not required by law. 

‍

10. Data storage, retention and security

We store most information about you in computer systems and databases operated by either us or our external service providers. Some information about you is recorded in paper files that we store securely.

We implement and maintain processes and security measures to protect personal information which we hold from misuse, interference or loss, and from unauthorised access, modification or disclosure.

These processes and systems include:

1. the use of identity and access management technologies to control access to systems on which information is processed and stored
2. processing online payments, credit checks and identification verification through third party providers
3. end-to-end encryption of sensitive data
4. secure authentication and access controls
5. minimal internal access on a need-to know basis
6. requiring all employees to comply with internal information security policies and keep information secure
7. penetration testing and regularly monitoring and reviewing our practice against our own policies and against industry best practice

We retain your personal information only as long as necessary to provide our services, comply with legal obligations, resolve disputes, or enforce our agreements.

‍

We will take reasonable steps to destroy or de-identify personal information once we no longer require it for the purposes for which it was collected or for any secondary purpose permitted under the APPs.

‍

In the event of a data breach, we will follow the Notifiable Data Breaches (NDB) scheme requirements and notify affected users as required. 

‍

11. Your rights and choices

You may request access to, correction of, or deletion of the personal information that we hold about you by contacting us. Our contact details are set out in clause 14. There are some circumstances in which we are not required to give you access to your personal information.

There is no charge for requesting access to your personal information but we may require you to meet our reasonable costs in providing you with access (such as costs for time spent on collating large amounts of material).

We will respond to your requests to access, correct or delete personal information in a reasonable time and will take all reasonable steps to ensure that the personal information we hold about you remains accurate, up to date and complete.

‍

12. Marketing and communications

If you opt in to receiving marketing communications from us, we may send you:

‍

1. product updates
2. financial education or insights
3. referral program updates and special offers

Where you receive electronic marketing communications from us, you can opt out anytime via the unsubscribe link in our emails or by updating your preferences in the app.  We never send marketing communications without your consent.                                                                                                                

‍

We may use information we have collected from our website and app in accordance with clause 4 for marketing purposes, such as the way you interact with our website and app.  

‍

We may also use your personal information for marketing and advertising purposes on Facebook, Instagram, TikTok, LinkedIn and Youtube, in compliance with the terms and conditions provided by Facebook and Instagram at the relevant time.  This may include, but is not limited to, uploading your personal information (in a secure format) to Facebook for the purpose of creating customised advertising campaigns. 

‍

13. Children’s privacy

Wingman is not intended for individuals under the age of 16.  We do not knowingly collect personal information from children.  If you believe that a child has provided us with personal information, please contact us and we will delete it promptly.

‍

14. Complaints

We take privacy complaints seriously. If you have a complaint about the way in which we have handled any privacy issue, including your request for access or correction of your personal information, you should contact us. Our contact details are set out below.

We will consider your complaint and determine whether it requires further investigation. We will notify you of the outcome of this investigation and any subsequent internal investigation within 30 days.

If you remain unsatisfied with the way in which we have handled a privacy issue, you may approach an independent advisor or contact the Office of the Australian Information Commissioner (www.oaic.gov.au) for guidance on alternative courses of action which may be available.

If you have any questions, comments, requests or concerns, please contact us at:

Phone:

Email: privacy@wingmanmoney.com.au

Website: wingmanmoney.com

Postal address: 502/24 Norman Crescent, Norman Park QLD 4170

‍

15. Changes to this policy

From time to time, we may update this Privacy Policy to reflect changes to our practices, legal obligations, or product features. If the changes are material, we’ll notify you via email or in-app messaging at least 7 days in advance.

You may obtain a copy of our current policy from our website, app or by contacting us at the contact details above.

‍

This policy was last updated on 21 October 2025.