Version v1.0-2026-05-24·Effective from 2026-05-24

Privacy Policy

Effective from: 24 May 2026

This Privacy Policy explains how ReNew Holding Company Pty Ltd ACN 675 267 311, trading as Monitrax, collects, uses, stores, protects, and discloses personal information.

In this Policy:

  • Monitrax, we, us and our mean ReNew Holding Company Pty Ltd;
  • you and your mean a person who accesses or uses Monitrax;
  • Service means the Monitrax software platform, website, applications, dashboards, calculators, modelling tools, reports, AI-assisted features, data connections, and related services we provide;
  • personal information has the meaning given in the Privacy Act 1988 (Cth);
  • CDR data means Consumer Data Right data handled under the Consumer Data Right regime.

We are bound by the Australian Privacy Principles in the Privacy Act 1988 (Cth).

Where Monitrax's Open Banking feature is enabled and we handle Consumer Data Right data as a CDR representative, outsourced service provider, affiliate, agent, or other legally recognised CDR participant role, we will handle that CDR data in accordance with the Competition and Consumer Act 2010 (Cth), the Consumer Data Right Rules, applicable CDR Privacy Safeguards, our agreement with the relevant accredited data recipient, and the CDR consent you provide at the bank-connection step.

This Policy should be read together with our:

  • Terms of Service;
  • AFSL, Credit and Tax Boundary Disclosure;
  • CDR collection notices and consent screens, where applicable;
  • any CDR policy, data retention schedule, or complaints process we make available.

1. What personal information we collect

The personal information we collect depends on how you use Monitrax.

We only collect personal information that is reasonably necessary for our functions and activities, or that you choose to provide to us.

1.1 Account information

We may collect:

  • your name;
  • email address;
  • mobile number;
  • account login details;
  • account creation date;
  • last login time;
  • login IP address;
  • authentication status;
  • multi-factor authentication enrolment and security settings;
  • subscription, plan, and billing status.

Authentication may be handled by third-party identity providers, including Google Identity Platform, Firebase Auth, or another provider we identify. Passwords are not stored in plaintext by Monitrax.

1.2 Financial information you enter or upload

You may choose to enter, upload, or connect information about your financial position, including:

  • properties;
  • loans;
  • bank accounts;
  • spending;
  • income;
  • expenses;
  • assets;
  • liabilities;
  • investments;
  • superannuation;
  • tax-related information;
  • transactions;
  • entity structures, including companies, trusts, SMSFs, partnerships, and individuals;
  • ownership relationships;
  • user-created assumptions, goals, and scenarios;
  • documents such as receipts, statements, trust deeds, loan documents, invoices, contracts, or similar records.

You are responsible for the accuracy and completeness of information you provide.

1.3 Tax File Number information

You may choose to provide your Tax File Number.

Providing your TFN is optional. We request a TFN only if a feature requires it for a purpose you choose, such as record organisation, modelling, or tax-related data display.

You may use Monitrax without providing your TFN, although some features may be unavailable, incomplete, or less useful.

Where you choose to provide a TFN, we apply additional technical and access controls, including encryption at rest using envelope encryption or another appropriate encryption method.

We do not use your TFN as your Monitrax account identifier.

1.4 Open Banking and Consumer Data Right data

Monitrax may offer Open Banking features using the Consumer Data Right regime.

Open Banking under the Consumer Data Right is active in Australia. Monitrax's Open Banking feature will only operate when we enable it for users.

If you choose to connect a bank or other data holder through an Open Banking feature, data may be shared with Monitrax through our accredited data partner or another legally permitted CDR arrangement.

Depending on your consent, this may include:

  • account names;
  • account numbers or truncated account numbers;
  • account type;
  • balances;
  • transactions;
  • merchant or transaction descriptions;
  • repayment or direct debit information;
  • connection status;
  • consent metadata;
  • other data types shown to you at the time of consent.

A separate CDR consent will be requested at the bank-connection step. That consent is separate from your acceptance of this Privacy Policy or our Terms of Service.

1.5 Automatically generated technical and usage information

When you use Monitrax, we may collect:

  • device type;
  • browser type;
  • operating system;
  • IP address;
  • approximate location derived from IP address;
  • pages, screens, and features used;
  • error logs;
  • diagnostic data;
  • security events;
  • audit logs of significant actions, such as sign-in events, account changes, data exports, consent actions, settings changes, and administrative access;
  • timestamps and session information.

We use this information to operate, secure, troubleshoot, improve, and audit the Service.

1.6 Communications and support information

We may collect information you provide when you:

  • contact support;
  • send feedback;
  • submit complaints;
  • respond to surveys;
  • communicate with us by email or in-app message;
  • communicate with professionals through features routed by Monitrax;
  • participate in testing, pilot, or beta programmes.

1.7 Sensitive information

Monitrax is not designed to collect sensitive information such as health information, racial or ethnic origin, religious beliefs, sexual orientation, political opinions, trade union membership, criminal record information, or similar sensitive information.

Please do not upload sensitive information unless it is necessary for your use of the Service.

If sensitive information is included in documents, notes, messages, or data you choose to upload or provide, we will handle it in accordance with this Policy and applicable law.

1.8 Unsolicited information

If we receive personal information we did not request and could not lawfully have collected, we will take reasonable steps to destroy or de-identify it where lawful and reasonable.


2. How we collect personal information

We may collect personal information:

  • directly from you when you create an account, enter information, upload documents, connect accounts, make payments, contact support, or use Monitrax;
  • from third-party services you authorise, including Open Banking providers or other data connection services;
  • from payment processors when you subscribe to a paid plan;
  • from authentication providers when you log in;
  • from technical systems when you use the Service;
  • from professionals or third parties you choose to interact with through Monitrax;
  • where required or authorised by law.

Where practical, we collect personal information directly from you.


3. Why we collect, use, and disclose personal information

We collect, use, and disclose personal information to provide, operate, secure, maintain, improve, and support Monitrax.

This includes using information to:

  • create and manage your account;
  • authenticate you;
  • provide dashboards, reports, summaries, calculators, projections, and scenario modelling;
  • display, organise, classify, and analyse information you provide;
  • process subscriptions and payments;
  • provide customer support;
  • respond to enquiries, complaints, and requests;
  • send transactional communications, such as security alerts, billing notices, account notices, consent notices, and important service updates;
  • monitor, protect, and improve security;
  • detect, investigate, and prevent fraud, misuse, unauthorised access, unlawful conduct, and security incidents;
  • troubleshoot errors and maintain technical performance;
  • improve Monitrax in aggregated, de-identified, or privacy-protective form;
  • comply with legal, regulatory, accounting, tax, recordkeeping, reporting, and dispute-resolution obligations;
  • enforce our Terms of Service and other rights;
  • protect Monitrax, users, third parties, and the public;
  • send marketing communications only if you have explicitly opted in.

We will not use or disclose personal information for purposes that are unrelated to the purpose of collection unless you have consented, would reasonably expect the use or disclosure, or the use or disclosure is required or authorised by law.


4. AI-assisted features

Monitrax may include AI-assisted features that help explain factual concepts, summarise information, classify data, answer user-directed questions, support onboarding, or model scenarios.

AI-assisted features are intended to provide factual information, software assistance, and user-directed modelling only. They do not provide professional advice.

To provide AI-assisted features, we may send limited information to AI service providers, including Anthropic, Google Gemini, or other providers we identify.

We take reasonable steps to minimise the information sent to AI providers.

Where possible, we redact, minimise, aggregate, or de-identify information before AI processing.

We do not use your personal information or CDR data to train general AI models unless we have clearly told you and obtained any consent required by law.

We do not disclose CDR data to AI providers unless this is permitted under the CDR Rules, covered by the relevant CDR consent and contractual arrangements, and reasonably necessary to provide the specific feature you requested.

AI outputs may be incomplete, inaccurate, outdated, or unsuitable for your circumstances. You should independently verify AI outputs before relying on them.


5. Who we disclose personal information to

We may disclose personal information to third parties where reasonably necessary to provide, secure, maintain, improve, or support Monitrax, or where required or authorised by law.

5.1 Service providers

We may disclose information to service providers, including providers of:

  • cloud hosting;
  • database hosting;
  • file storage;
  • authentication;
  • payment processing;
  • email delivery;
  • analytics;
  • customer support;
  • error monitoring;
  • cybersecurity;
  • AI processing;
  • Open Banking and data connection services;
  • professional marketplace infrastructure;
  • legal, accounting, insurance, and professional services.

Current or expected providers may include:

  • Google Cloud Platform for cloud hosting, database infrastructure, file storage, and related services;
  • Firebase Auth or Google Identity Platform for authentication;
  • Vercel for front-end hosting and deployment;
  • Basiq or another accredited data partner for Open Banking / CDR services;
  • Stripe for payment processing;
  • SendGrid or Resend for transactional and marketing email delivery;
  • Anthropic and Google Gemini for AI-assisted features.

We take reasonable steps to ensure service providers handle personal information consistently with applicable privacy obligations.

5.2 Professionals you choose to engage

Monitrax may allow you to connect with third-party professionals, such as accountants, tax agents, lawyers, financial advisers, mortgage brokers, buyer's agents, or other service providers.

If you choose to submit a request, message, or information to a professional through Monitrax, we may disclose the information reasonably necessary to facilitate that engagement.

We will not disclose your personal financial data to a professional unless you choose to do so, consent to the disclosure, or the disclosure is otherwise authorised by law.

5.3 Authorities and legal compliance

We may disclose personal information where required or authorised by law, including in response to:

  • court orders;
  • subpoenas;
  • regulator requests;
  • law enforcement requests;
  • taxation or corporate recordkeeping obligations;
  • mandatory reporting obligations;
  • legal claims or disputes.

We may also disclose information where reasonably necessary to protect the safety, rights, property, or security of Monitrax, users, third parties, or the public.

5.4 Business transfers

If we are involved in a merger, acquisition, restructure, financing, sale of assets, or transfer of business, personal information may be disclosed to relevant parties and advisers for that transaction.

Where this occurs, we will take reasonable steps to protect personal information and ensure it remains subject to appropriate privacy protections.

5.5 We do not sell personal information

We do not sell your personal information.

We do not sell CDR data.

If we introduce referral fees, marketplace fees, professional partner fees, sponsorship arrangements, or other commercial arrangements involving third parties, we will disclose this clearly before you use the relevant feature.


6. Consumer Data Right data

This section applies when Monitrax's Open Banking feature is enabled and you choose to connect data through the Consumer Data Right regime.

6.1 Separate CDR consent

Before we collect or handle CDR data, you will be shown a separate CDR consent flow.

That consent flow will explain, where applicable:

  • who will collect the data;
  • the data holder;
  • the data types requested;
  • the purpose of collection;
  • the duration of consent;
  • how the data will be used;
  • whether any data will be disclosed;
  • how you can manage or withdraw consent;
  • what happens when consent expires or is withdrawn;
  • how deletion or de-identification works.

Your CDR consent is separate from your acceptance of this Privacy Policy or the Terms of Service.

You may choose not to connect CDR data.

6.2 Use and disclosure of CDR data

We use and disclose CDR data only in accordance with the specific CDR consent you provide, applicable CDR laws and rules, and our relevant CDR arrangements.

We do not use CDR data for unrelated analytics, advertising, marketing, AI training, professional referrals, or third-party promotion unless this is permitted under the CDR Rules and covered by a valid consent.

6.3 Withdrawal of CDR consent

You may withdraw CDR consent at any time through your account settings or the consent management tools we provide.

When consent expires or is withdrawn, we will delete or de-identify the relevant CDR data in accordance with the CDR Rules, applicable CDR Privacy Safeguards, and our CDR data lifecycle process.

6.4 CDR dashboards and notifications

Where required, we will provide tools or notices that allow you to view and manage CDR consents, including relevant details about active, expired, or withdrawn consents.

Where required, we will record and notify you of permitted CDR data disclosures, including who received the data, what was disclosed, when, and why.

6.5 Accuracy and quality of CDR data

We take reasonable steps to ensure CDR data we use or disclose is accurate, up-to-date, and complete.

Where practical, Monitrax may display sync times, connection status, or data-source information so you can understand when data was last updated.

You should check source data before relying on any Monitrax output.

6.6 Security and retention of CDR data

CDR data is subject to additional access controls, audit logging, retention limits, and deletion or de-identification processes under our CDR data lifecycle process and applicable CDR arrangements.


7. Direct marketing

We will only send you marketing communications if you have explicitly opted in.

Marketing opt-in is separate from your acceptance of our Terms of Service and Privacy Policy.

Marketing opt-in is off by default.

Every marketing email will include a clear unsubscribe option.

You can unsubscribe at any time using the unsubscribe link in the email or by changing your preferences in account settings.

We will action unsubscribe requests within 5 business days.

Transactional or service communications are not marketing. These may include:

  • security alerts;
  • login alerts;
  • billing notices;
  • payment failure notices;
  • subscription notices;
  • account notices;
  • privacy notices;
  • CDR consent notices;
  • breach notices;
  • important service updates.

We may send transactional or service communications even if you have unsubscribed from marketing.


8. Storage, security, and data protection

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, unauthorised modification, and unauthorised disclosure.

Security measures may include:

  • encryption in transit;
  • encryption at rest;
  • role-based access controls;
  • audit logging;
  • secure cloud infrastructure;
  • restricted administrative access;
  • signed URLs or time-limited access links for file storage;
  • multi-factor authentication for users where available;
  • multi-factor authentication or equivalent controls for administrative access;
  • monitoring, logging, and alerting;
  • vulnerability management;
  • backup and recovery controls;
  • staff and contractor access restrictions;
  • data minimisation and retention controls.

For TFNs, where you choose to provide one, we apply additional safeguards such as encryption at rest and restricted access.

Some security controls may vary depending on the system, feature, provider, environment, or stage of product rollout.

We regularly review and improve security controls as Monitrax develops.

No system is completely secure. You are responsible for keeping your login credentials secure and notifying us promptly if you suspect unauthorised access.


9. Notifiable Data Breaches

We comply with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth).

If we suspect an eligible data breach has occurred, we will promptly assess the incident.

If we determine there are reasonable grounds to believe an eligible data breach has occurred, we will notify affected individuals and the Office of the Australian Information Commissioner as soon as practicable.

Where required, our notification will include:

  • the nature of the breach;
  • the kinds of information involved;
  • recommended steps affected individuals should take;
  • our contact details.

10. Overseas disclosure

Your personal information is primarily stored and processed in Australia where we use Australian-hosted infrastructure, including Google Cloud Platform's Sydney region where configured.

Some service providers may process limited personal information outside Australia in the course of providing services to us.

These providers may process information in countries including the United States and other locations where their infrastructure, support teams, or subprocessors operate.

Examples include:

  • Stripe for payment processing;
  • Anthropic or Google Gemini for AI-assisted features;
  • SendGrid or Resend for email delivery;
  • Vercel for hosting and deployment services;
  • other service providers or subprocessors reasonably required to provide the Service.

We take reasonable steps to ensure overseas recipients handle personal information consistently with the Australian Privacy Principles, including through contractual, technical, and organisational controls.

We do not treat your general use of Monitrax as a blanket waiver of our privacy responsibilities.

CDR data will only be disclosed overseas where permitted under the CDR Rules, applicable CDR consent, and relevant contractual arrangements.


11. Access, correction, export, and deletion

You may request access to personal information we hold about you.

You may request correction of personal information if you believe it is inaccurate, out-of-date, incomplete, irrelevant, or misleading.

You may export information you have entered into Monitrax using the export tools we make available.

You may request deletion of your account through your account settings or by contacting us.

When you request account deletion, we start a 30-day cancellable deletion period. During that period, you may export your data or cancel the deletion request.

After the 30-day period, we will delete or de-identify personal information and CDR data in accordance with this Policy, our CDR data lifecycle process where applicable, and any legal retention obligations.

We may need to verify your identity before actioning an access, correction, export, or deletion request.

We will respond to access and correction requests within a reasonable time, usually within 30 days.

We will not charge you for making an access or correction request, although we may charge a reasonable cost-recovery fee for providing access where permitted by law.

If we refuse a request, we will explain why, unless it would be unreasonable or unlawful to do so, and tell you how to complain.

Some information may be retained after deletion where reasonably required for:

  • legal compliance;
  • accounting, tax, or corporate recordkeeping;
  • payment records;
  • dispute resolution;
  • fraud prevention;
  • cybersecurity;
  • backup integrity;
  • enforcing our Terms of Service;
  • protecting Monitrax, users, or third parties.

Where information is retained, we limit access and use to the purpose for which it is retained.


12. Data quality

We take reasonable steps to ensure personal information we collect, use, or disclose is accurate, up-to-date, complete, relevant, and not misleading.

However, many Monitrax outputs depend on information provided by you or third-party data sources.

You are responsible for keeping your information accurate and up to date.

You should review outputs before relying on them.


13. Cookies and tracking

Monitrax uses cookies and similar technologies to provide, secure, and improve the Service.

We may use:

  • essential cookies to keep you signed in and maintain sessions;
  • security cookies to protect accounts and detect suspicious activity;
  • preference cookies to remember settings;
  • analytics or diagnostic tools to understand product performance and improve the Service.

We do not use third-party advertising cookies or cross-site behavioural advertising unless we clearly notify you and obtain any consent required by law.

You can manage cookies through your browser settings.

If you disable or clear cookies, some features may not work correctly and you may need to sign in again.


14. Children

Monitrax is not directed to children under 18.

You must be at least 18 years old to create an account or use Monitrax.

If you believe a child has provided personal information to us, please contact us and we will take reasonable steps to delete the information.


15. Changes to this Policy

We may update this Privacy Policy from time to time.

If we make a material change, we will take reasonable steps to notify you, such as by email, in-app notice, website notice, or requiring acknowledgement on next login.

The updated Policy will apply from the effective date stated in the updated version.

If you do not agree to a material change, you may stop using Monitrax and request account deletion before the change takes effect.

Changes that are administrative, corrective, or required by law may take effect immediately.


16. Complaints

If you have a privacy complaint, please contact us first.

Email: admin@monitrax.com.au

Please include enough information for us to understand and investigate your complaint.

We aim to acknowledge privacy complaints within 5 business days and respond within a reasonable time, usually within 30 days.

If you are not satisfied with our response, or you believe we have breached the Privacy Act, the Australian Privacy Principles, the CDR Privacy Safeguards, or applicable CDR Rules, you may contact the Office of the Australian Information Commissioner.

If your complaint relates to another regulator or external dispute resolution body, we will tell you where we reasonably can.

The Australian Financial Complaints Authority may only be available where the complaint concerns a financial firm or service within AFCA's jurisdiction.


17. Contact

Privacy Officer
ReNew Holding Company Pty Ltd
ACN: 675 267 311
Email: admin@monitrax.com.au
Postal address: 10 Fairview St, Guildford NSW 2161, Australia

