1. About This Policy

This policy applies to all personal information collected through the Origin8 platform, including our website, mobile applications, and any related services. It covers information collected from lenders, brokers, borrowers, and other platform users.

We are bound by the Australian Privacy Principles (APPs) set out in Schedule 1 of the Privacy Act 1988 (Cth). This policy should be read alongside our Terms of Service.

2. Information We Collect

We collect the following categories of personal information:

2.1 Account Information

• Name, email address, phone number
• Business name, ABN, ACN, ACL number
• Entity type and structure
• State of operation

2.2 Identity Verification

• Government-issued identification documents
• Proof of address
• Director and beneficial owner information

2.3 Financial Information

• Asset and liability declarations (provided via deal listings)
• Income information and financial statements
• Property valuations and security details
• Credit report data (obtained with your consent)
• Payment and billing information

2.4 Usage Information

• Log data, IP addresses, browser type
• Pages visited and features used
• Device information
• Communication records within the Platform

3. How We Use Your Information

We use your personal information to (APP 6):

• Operate and improve the Platform
• Verify your identity and prevent fraud
• Facilitate deal listings, offers, and settlements
• Process payments and manage subscriptions
• Generate Deal Profile scores and analytics
• Send you notifications, updates, and communications about your account and deals
• Comply with our legal and regulatory obligations, including AML/CTF requirements
• Resolve disputes and enforce our Terms of Service
• Produce de-identified, aggregated market analytics

4. Staged Disclosure of Information

Origin8 operates a unique staged disclosure model designed to protect borrower privacy while providing lenders with sufficient information to make lending decisions:

Stage 1 — Listing

When a deal is first listed, only anonymised information is shared with lenders: property type and suburb (not full address), aggregated financial position, loan amount, and term. No personally identifiable information about the borrower is disclosed.

Stage 2 — Offer

When a lender submits an offer that is being considered, additional information may be shared, including more detailed property information and borrower entity details, subject to the broker’s approval.

Stage 3 — Accepted Offer

Full borrower details, property addresses, and financial documentation are disclosed only to the lender whose offer has been accepted by the broker and borrower. Access is logged and watermarked.

This approach ensures that sensitive borrower information is only shared with parties who have a legitimate need to access it, minimising the risk of data misuse.

5. Data Sharing and Disclosure

We may share your personal information with (APP 6, APP 8):

• Other Platform Users: In accordance with the staged disclosure model described above.
• Service Providers: Third-party providers who help us operate the Platform, including cloud hosting, payment processing, identity verification, and credit reporting services.
• Legal and Settlement Professionals: Lawyers and conveyancers involved in deal settlement.
• Regulators and Law Enforcement: Where required by law, regulation, or legal process.
• Professional Advisers: Our accountants, auditors, and legal advisers as needed.

We do not sell your personal information to third parties. We do not share your information for direct marketing by third parties.

Our service providers may be located overseas, including the United States (cloud hosting) and other jurisdictions. We take reasonable steps to ensure overseas recipients comply with the APPs (APP 8).

6. Data Security

We take the security of your information seriously and implement a range of measures to protect it (APP 11):

• AES-256-GCM encryption for sensitive data at rest
• TLS 1.3 encryption for all data in transit
• bcrypt password hashing with high work factor
• Role-based access controls
• Comprehensive audit logging
• Document watermarking to trace unauthorized sharing
• Regular security assessments and penetration testing
• Australian-hosted infrastructure (where feasible)

While we take reasonable steps to protect your information, no system is completely secure. We encourage you to use strong, unique passwords and to report any suspected security incidents to us immediately.

7. Your Rights

Under the Privacy Act, you have the right to (APP 12, APP 13):

• Access: Request access to the personal information we hold about you.
• Correction: Request correction of inaccurate, incomplete, or outdated information.
• Complaint: Make a complaint about how we handle your personal information.

To exercise these rights, contact us using the details in Section 13. We will respond to access and correction requests within 30 days. In some cases, we may need to verify your identity before processing a request.

We may refuse access where the law permits, for example where giving access would unreasonably impact the privacy of others, or where the information relates to legal proceedings.

8. Cookies and Tracking

We use cookies and similar technologies to:

• Maintain your session and authentication state
• Remember your preferences
• Understand how you use the Platform (analytics)
• Improve Platform performance and features

We use essential cookies (required for the Platform to function) and analytical cookies (to understand usage patterns). We do not use advertising or tracking cookies from third-party advertisers.

You can manage cookie settings through your browser. Disabling essential cookies may affect Platform functionality.

9. Third-Party Services

The Platform integrates with third-party services that have their own privacy policies:

• Payment Processing: Stripe (for subscription billing)
• Credit Reporting: Equifax (for commercial credit reports)
• Property Data: CoreLogic (for automated valuations)
• Identity Verification: Third-party KYC providers
• Cloud Hosting: Australian and international cloud providers

We encourage you to review the privacy policies of these services. We are not responsible for the privacy practices of third-party providers.

10. Data Retention

We retain personal information for as long as necessary to fulfil the purposes described in this policy, or as required by law. Specific retention periods:

• Active accounts: For the duration of your account plus 7 years.
• Financial records: 7 years (as required by tax law).
• AML/CTF records: 7 years from account closure or transaction completion.
• Audit logs: 7 years.
• De-identified analytics: Indefinitely.

When personal information is no longer needed, we will take reasonable steps to destroy or de-identify it.

11. Children

The Platform is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected information from a person under 18, we will take steps to delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Platform. The “Last Updated” date at the top of this page indicates when the policy was last revised.

13. Contact and Complaints

If you have questions, requests, or complaints about your privacy, contact our Privacy Officer:

• Email: privacy@origin8.au
• Post: Privacy Officer, Origin8 Finance Pty Ltd, Melbourne, Victoria 3000, Australia

We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days.

If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992.