M
Monitrax
Version v1.0-2026-05-24·Effective from 2026-05-24

Consumer Data Right Policy

Effective from: 24 May 2026

This Consumer Data Right Policy explains how ReNew Holding Company Pty Ltd ACN 675 267 311, trading as Monitrax, manages Consumer Data Right data when Monitrax's Open Banking features are enabled.

In this Policy:

  • Monitrax, we, us and our mean ReNew Holding Company Pty Ltd;
  • you and your mean a person who uses Monitrax;
  • CDR means Consumer Data Right;
  • CDR data means Consumer Data Right data handled under the Consumer Data Right regime;
  • Open Banking feature means any Monitrax feature that allows you to connect banking data through the CDR regime.

This Policy applies only to CDR data. Our Privacy Policy applies to personal information generally.

Open Banking under the CDR is active in Australia. Monitrax's Open Banking feature will only operate when we enable it for users.

1. Monitrax's CDR role

Monitrax intends to provide Open Banking features through an accredited data partner or another legally permitted CDR arrangement.

Depending on the final arrangement, Monitrax may handle CDR data as a CDR representative, outsourced service provider, affiliate, agent, or another recognised CDR role.

Where Monitrax handles CDR data, we will do so in accordance with applicable CDR laws, rules, privacy safeguards, CDR consents, and our agreements with relevant accredited data recipients or service providers.

2. When we collect CDR data

We collect or receive CDR data only if you choose to connect an account through an Open Banking feature and provide a valid CDR consent.

You do not have to connect CDR data to use Monitrax unless a particular feature requires it.

Before any CDR data is collected, you will be shown a separate CDR consent flow. That consent flow is separate from your acceptance of Monitrax's Terms of Service and Privacy Policy.

3. What CDR data we may collect

The CDR data we collect depends on the consent you provide.

It may include:

  • account names;
  • account types;
  • account numbers or truncated account numbers;
  • balances;
  • transactions;
  • merchant or transaction descriptions;
  • direct debit or scheduled payment information;
  • connection metadata;
  • consent metadata;
  • other CDR data types shown to you at the time of consent.

We will not collect CDR data unless it is reasonably needed for the feature you are using and covered by your CDR consent.

4. Why we collect CDR data

We use CDR data only for the purposes covered by your CDR consent and permitted under CDR law.

Those purposes may include:

  • displaying connected accounts and balances;
  • importing transaction data;
  • categorising transactions;
  • showing spending summaries;
  • modelling cash flow;
  • modelling loan and repayment scenarios;
  • generating dashboards, reports, and user-directed calculations;
  • helping you maintain records in Monitrax.

We do not use CDR data for unrelated advertising, direct marketing, AI training, third-party promotion, professional referrals, or unrelated analytics unless this is permitted by CDR law and covered by valid consent.

5. Consent duration and management

Your CDR consent will be time-limited.

The consent screen will explain:

  • what data is requested;
  • why it is requested;
  • who will collect and handle it;
  • how long the consent lasts;
  • whether data will be disclosed;
  • how to withdraw consent;
  • what happens when consent expires or is withdrawn.

You may manage or withdraw CDR consent using the consent tools we provide in Monitrax, or by contacting us.

6. Withdrawal, expiry, deletion, and de-identification

You may withdraw CDR consent at any time.

When consent expires or is withdrawn, we will delete or de-identify the relevant CDR data in accordance with applicable CDR rules, privacy safeguards, and our CDR data lifecycle process.

We may retain limited records where required or permitted by law, such as records needed for audit, security, complaints, consent history, or legal compliance.

Where information is retained, we will limit access and use to the purpose for which it is retained.

7. Disclosure of CDR data

We disclose CDR data only where permitted by CDR law and covered by your consent or another lawful basis.

This may include disclosure to:

  • our accredited data partner;
  • service providers who help provide the Open Banking feature;
  • technology providers needed to securely process, store, display, or manage the data;
  • regulators or authorities where required or authorised by law.

We do not sell CDR data.

We do not disclose CDR data to professional marketplace participants unless you specifically consent and the disclosure is permitted under CDR law.

8. Overseas disclosure of CDR data

CDR data will only be disclosed overseas if permitted under the CDR Rules, covered by the relevant CDR consent and contractual arrangements, and consistent with applicable CDR privacy safeguards.

Where we use overseas service providers for non-CDR data, those arrangements are described in our Privacy Policy.

9. Security of CDR data

We take reasonable steps to protect CDR data from misuse, interference, loss, unauthorised access, unauthorised modification, and unauthorised disclosure.

Security measures may include:

  • encryption in transit;
  • encryption at rest;
  • access controls;
  • audit logging;
  • consent logging;
  • restricted administrative access;
  • security monitoring;
  • backup and recovery controls;
  • deletion and de-identification controls;
  • staff and contractor access restrictions.

Security controls may vary depending on the relevant CDR arrangement, feature, provider, and product rollout stage.

10. Accuracy and correction

We take reasonable steps to ensure CDR data we use or disclose is accurate, up-to-date, complete, and not misleading.

Where practical, Monitrax may display connection status, sync times, and source information.

If you believe CDR data shown in Monitrax is incorrect, you may contact us. We may ask you to check the data with the relevant data holder, such as your bank, because Monitrax may display data received from that source.

11. Access to CDR data

Where required by law, you may request access to CDR data we hold about you.

We may need to verify your identity before responding.

We will respond within a reasonable time and in accordance with applicable CDR obligations.

12. Complaints about CDR data

If you have a CDR complaint, contact us first.

Please include enough information for us to understand and investigate the complaint.

We aim to acknowledge CDR complaints within 5 business days and respond within a reasonable time, usually within 30 days.

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner or another relevant regulator or external dispute resolution body.

13. Changes to this Policy

We may update this CDR Policy from time to time.

If we make a material change, we will take reasonable steps to notify you.

The updated Policy will apply from the effective date stated in the updated version.

Contact

ReNew Holding Company Pty Ltd ACN: 675 267 311 Email: admin@monitrax.com.au Postal address: 10 Fairview St, Guildford NSW 2161, Australia

Version: v1.0-2026-05-24 Effective from: 24 May 2026