Privacy Policy
1. Collection
1.1 We (as CreditCard.com.au Pty Ltd) will not collect personal information unless the information is necessary for one or more of our functions or activities.
1.2 If collecting personal information we will only do it by lawful and fair means and not in an unreasonably intrusive way.
1.3 At or before the time (or, if that is not practicable, as soon as practicable after) we collect personal information you, we will take reasonable steps to ensure that you are aware of:
(a) who we are and how to contact us
(b) the fact that you can to gain access to the information;
(c) the purposes for which the information is collected;
(d) the organisations (or the types of organisations) to which the organisation usually discloses information of that kind; and
(e) any law that requires the particular information to be collected; and
(f) the main consequences (if any) for you if all or part of the information is not provided.
1.4 If it is reasonable and practicable to do so, we will collect personal information about an individual only from that individual.
1.5 If we were to collect personal information about an individual from someone else, we will take reasonable steps to ensure that the individual is or has been made aware of the matters listed in subclause 1.3 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.
2. Use and disclosure
2.1 We will not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless:
(a) both of the following apply:
(i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;
(ii) You would reasonably expect us to use or disclose the information for the secondary purpose; or
(b) You have consented to the use or disclosure; or
(c) if the information is not sensitive information and the use of the information is for the secondary purpose of direct marketing:
(i) it is impracticable for us to seek your consent before that particular use; and
(ii) we will not charge you for requesting to us not to receive direct marketing communications; and
(iii) you have not made a request to us not to receive direct marketing communications; and
(iv) in each direct marketing communication with you, we draw to your attention, or prominently display a notice, that you may express a wish not to receive any further direct marketing communications; and
(v) each written direct marketing communication we send to you (up to and including the communication that involves the use) sets out our business address and telephone number and, if the communication with you is made by fax, telex or other electronic means, a number or address at which the we can be directly contacted electronically; or
(d) if the information is health information and the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety:
(i) it is impracticable for us to seek your consent before the use or disclosure; and
(ii) the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph; and
(iii) in the case of disclosure—we reasonably believe that the recipient of the health information will not disclose the health information, or personal information derived from the health information; or
(e) We reasonably believe that the use or disclosure is necessary to lessen or prevent:
(i) a serious and imminent threat to an individual’s life, health or safety; or
(ii) a serious threat to public health or public safety; or
(ea) if the information is genetic information which we have obtained in the course of providing a health service to the individual:
(i) we reasonably believe that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety (whether or not the threat is imminent) of an individual who is a genetic relative of the individual to whom the genetic information relates; and
(ii) the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95AA for the purposes of this subparagraph; and
(iii) in the case of disclosure—the recipient of the genetic information is a genetic relative of the individual; or
(f) We have reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or
(g) the use or disclosure is required or authorised by or under law; or
(h) We reasonably believe that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of an enforcement body:
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;
(ii) the enforcement of laws relating to the confiscation of the proceeds of crime;
(iii) the protection of the public revenue;
(iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;
(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.
Note 1: It is not intended to deter organisations from lawfully co‑operating with agencies performing law enforcement functions in the performance of their functions.
Note 2: Subclause 2.1 does not override any existing legal obligations not to disclose personal information. Nothing in subclause 2.1 requires an organisation to disclose personal information; an organisation is always entitled not to disclose personal information in the absence of a legal obligation to disclose it.
Note 3: An organisation is also subject to the requirements of National Privacy Principle 9 if it transfers personal information to a person in a foreign country.
2.2 If we were to use or disclose personal information under paragraph 2.1(h), we must make a written note of the use or disclosure.
3. Data quality
We take reasonable steps to make sure that the personal information we collect, use or discloses is accurate, complete and up‑to‑date.
4. Data security
4.1 We take reasonable steps to protect the personal information we hold from misuse and loss and from unauthorised access, modification or disclosure.
4.2 We take reasonable steps to destroy or permanently de‑identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under National Privacy Principle 2.
5. Openness
5.1 We have here and in a document set out and clearly expressed policies on its management of personal information. We will make a copy of this document available to anyone who asks for it.
5.2 On request by a person, we must take reasonable steps to let the person know, generally, what sort of personal information we hold, for what purposes, and how we collect, hold, use and discloses that information.
6. Access and correction
6.1 If we hold personal information about you, we must provide you with access to the information on your request, except to the extent that:
(a) in the case of personal information other than health information—providing access would pose a serious and imminent threat to the life or health of any individual; or
(b) in the case of health information—providing access would pose a serious threat to the life or health of any individual; or
(c) providing access would have an unreasonable impact upon the privacy of other individuals; or
(d) the request for access is frivolous or vexatious; or
(e) the information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings; or
(f) providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
(g) providing access would be unlawful; or
(h) denying access is required or authorised by or under law; or
(i) providing access would be likely to prejudice an investigation of possible unlawful activity; or
(j) providing access would be likely to prejudice:
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; or
(ii) the enforcement of laws relating to the confiscation of the proceeds of crime; or
(iii) the protection of the public revenue; or
(iv) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or
(v) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders;
by or on behalf of an enforcement body; or
(k) an enforcement body performing a lawful security function asks us not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.
6.2 However, where providing access would reveal evaluative information generated within our organisation in connection with a commercially sensitive decision‑making process, we may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.
Note: An organisation breaches subclause 6.1 if it relies on subclause 6.2 to give an individual an explanation for a commercially sensitive decision in circumstances where subclause 6.2 does not apply.
6.3 If we are not required to provide you with access to the information because of one or more of paragraphs 6.1(a) to (k) (inclusive), we must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.
6.4 If we charge for providing access to personal information, those charges:
(a) must not be excessive; and
(b) must not apply to lodging a request for access.
6.5 If we hold personal information about you and you are able to establish that the information is not accurate, complete and up‑to‑date, we must take reasonable steps to correct the information so that it is accurate, complete and up‑to‑date.
6.6 If you and CreditCard.com.au Pty Ltd disagree about whether the information is accurate, complete and up‑to‑date, and you ask us to associate with the information a statement claiming that the information is not accurate, complete or up‑to‑date, we must take reasonable steps to do so.
6.7 CreditCard.com.au Pty Ltd must provide reasons for denial of access or a refusal to correct personal information.
7. Identifiers
7.1 We must not adopt as our own identifier of an individual an identifier of the individual that has been assigned by:
(a) an agency; or
(b) an agent of an agency acting in its capacity as agent; or
(c) a contracted service provider for a Commonwealth contract acting in its capacity as contracted service provider for that contract.
7.1A However, subclause 7.1 does not apply to the adoption by a prescribed organisation of a prescribed identifier in prescribed circumstances.
Note: There are prerequisites that must be satisfied before those matters are prescribed: see subsection 100(2).
7.2 We must not use or disclose an identifier assigned to an individual by an agency, or by an agent or contracted service provider mentioned in subclause 7.1, unless:
(a) the use or disclosure is necessary for us to fulfil our obligations to the agency; or
(b) one or more of paragraphs 2.1(e) to 2.1(h) (inclusive) apply to the use or disclosure; or
(c) the use or disclosure is by a prescribed organisation of a prescribed identifier in prescribed circumstances.
Note: There are prerequisites that must be satisfied before the matters mentioned in paragraph (c) are prescribed: see subsections 100(2)
and (3).
7.3 In this clause:
Identifier includes a number assigned by an organisation to an individual to identify uniquely the individual for the purposes of the organisation’s operations. However, an individual’s name or ABN (as defined in the A New Tax System (Australian Business Number) Act 1999) is not an identifier.
8. Anonymity
Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.
9 . Transborder data flows
CreditCard.com.au Pty Ltd may transfer personal information about an individual to someone (other than the organisation or the individual) who is in a foreign country only if:
(a) we reasonably believe that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles; or
(b) the individual consents to the transfer; or
(c) the transfer is necessary for the performance of a contract between the individual and CreditCard.com.au Pty Ltd, or for the implementation of pre‑contractual measures taken in response to the individual’s request; or
(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between CreditCard.com.au Pty Ltd and a third party; or
(e) all of the following apply:
(i) the transfer is for the benefit of the individual;
(ii) it is impracticable to obtain the consent of the individual to that transfer;
(iii) if it were practicable to obtain such consent, the individual would be likely to give it; or
(f) we have taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.
10.California Consumer Privacy Act (“CCPA”)
Under CCPA, Californian residents have the right to declare their preferences on the sale of data for advertising and marketing purposes. If you wish to change your preferences, click this link to launch our preference portal:
We use a third-party to provide monetisation technologies for our site. You can review their privacy and cookie policy here.
11. Sensitive information
10.1 We must not collect sensitive information about you unless:
(a) you have consented; or
(b) the collection is required by law; or
(c) the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns:
(i) is physically or legally incapable of giving consent to the collection; or
(ii) physically cannot communicate consent to the collection; or
(d) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.
CreditCard.com.au Pty Ltd stores your details if you subscribe to a CreditCard.com.au Pty Ltd email newsletter service. We cannot be held responsible for breach of security and any losses due to any breach of security. Details that you enter when you sign up to receive updates will be used to fulfil our obligations to you. These include:
- Answering enquiries.
- Responding to feedback, comments, or any other contact.
- Sending you email newsletters that you have subscribed to.
Your information will also be used by us for:
- Analysis and assessment.
- Carrying out competitions.
Your information will only be passed to third parties and authorities involved in fraud detection and prevention.
You are able to request access to information held about you by CreditCard.com.au Pty Ltd. To make such a request, please write a letter to us at:
CreditCard.com.au Pty Ltd
Attn: Privacy Manager
Level 10, 99 York Street, Sydney, 2000
CreditCard.com.au Pty Ltd takes your privacy seriously and if any issue has arisen in relation to privacy and the use of this site, you may contact us at [email protected]
