2. What is personal information?

Personal information includes any information or opinion, about an identified individual or an individual who can be reasonably identified from that information. The information or opinion will still be personal information whether it is true or not and regardless of whether we have kept a record of it.

Some examples of personal information may include your:

1. name;
2. date of birth;
3. citizenship;
4. mailing or residential address details, the length of time at your current address;
5. contact details such as telephone numbers, email address, social media platform username (if you contact us through social media platforms);
6. occupation and place of work;
7. government issued identifiers such as Tax File Number, Medicare number or Driver’s License number;
8. bank account and credit card details;
9. your employment details and proof of earnings and expenses;
10. if you are applying for credit we may also collect the ages and number of your dependants and cohabitants;
11. credit history, credit capacity, ability to be provided with credit or credit worthiness (Credit Information);
12. signature, photograph, video or audio recording; and
13. in limited circumstances sensitive information such as information relating to your health, biometric data, criminal history, racial or ethnic origin.

Credit Information is information which we use to assess your eligibility to be provided with credit and may include any credit that you have outstanding, your repayment history and any defaults. Usually, Credit Information is exchanged between credit and credit providers and credit reporting bodies. We may use credit eligibility information being credit reporting information supplied to us by a credit reporting body, and any information that we derive from it to make decisions regarding your eligibility for credit.

3. How is Sensitive information handled?

We generally do not collect ‘sensitive information’ as defined under the Privacy Laws and we further restrict collection of such sensitive information unless it is necessary for us to provide our Services to you and where we have either obtained your express consent or a permitted general situation exists. For example, we may collect health information about you to assess certain claims, including hardship, or we may collect voice biometric information to verify your identity or authorise transactions.

Sensitive information is personal information that includes information relating to your racial or ethnic origin, criminal history, sexual orientation, membership of any trade or professional associations.

4. Wish to stay Anonymous!

You can withhold your personal information when speaking with us if you are making a general enquiry. However, if you wish for us to provide you with our Services, we will need to identify you.

5. Why we collect your personal information

Any personal information that we collect is first obtained through either notice or consent and the other legal basis for the processing of your personal information is either for:

1. the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract;
2. you are posting any comments or direct messages on social media sites;
3. our legitimate interests, namely:
• to comply with our legal and regulatory obligations;
• the proper administration of our website and business;
• monitoring and improving our website and Services;
• the proper management of our customer relationships;
• communications with users;
• the protection and assertion of our legal rights, your legal rights and the legal rights of others (as applicable);
• the proper protection of our business against risks; and
• for any other purpose permitted by law.

We collect personal information for the purposes of either working with you or your customers in assessing an application and eligibility for credit, managing that credit, identifying you and to comply with our legal obligations. We may also collect your personal information for the purposes of direct marketing and managing our relationship with you. From time to time we may offer you other Services.

6. How information is collected

Most information will be collected from you personally, this can be taken by us:

1. if you call or email us;
2. when we provide our Services to you;
3. when we manage our customer relationships and service provider relationships;
4. from credit reporting bodies and from mortgage brokers, mortgage managers, your representatives and other people such as accountants and lawyers;
5. if you provide us with feedback or make a complaint;
6. if we provide you with our Services;
7. if you apply for an account with us;
8. when CCTV footage is recorded at our offices or premises;
9. your information that is in the public domain;
10. if you subscribe to our newsletters and marketing lists; and
11. other information that may be collected include details provided on a resume sent to us relating to an employment opportunity.

We may obtain yourcredit related personal information:

1. When making an application or negotiating with a lender on your behalf.
2. From a Credit Reporting Body (“CRB“) when we have obtained your credit report with your consent.
3. We may also receive your personal information from another party by any other means. If we do, we will apply the Privacy Laws in deciding whether it is lawful to keep the information received.
4. We may also receive your personal information from third parties that we deal with on your behalf including brokers and mortgage managers and from our other service providers.
5. Any information we receive that we are not lawfully required to hold will be deleted or destroyed.

7. How we use your personal information

The main reason we collect, use, hold and disclose personal information is to provide you with products and Services (including where applicable, third party products and services) and to help us run our business. This includes:

1. confirming your identity;
2. checking whether you are eligible for our products or services;
3. assisting you where online applications are not completed;
4. providing our products or Services to you, including administration of our Services and notifications about changes to our Services;
5. helping manage the product or service that we provide to you;
6. helping us develop insights and conduct data analysis to improve the delivery of products, services, enhance our customer relationships and to effectively manage risks;
7. minimise risks and identify or investigate fraud and other illegal activities;
8. comply with laws and assist government or law enforcement agencies;
9. record-keeping purposes, technical maintenance, obtaining or maintaining insurance coverage, managing risks or obtaining professional advice, managing our business – that is, to carry on our business activities and provide our Services to you;
10. to prevent fraud, crime or other activity that may cause harm in relation to our Services and help us run our business and maintain integrity;
11. bringing you new products and services;
12. understanding your interests and preferences so we can tailor digital content;
13. as permitted by law and to comply with legislative or regulatory requirements in any jurisdiction, for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure, to prevent; and
14. In addition to the specific purposes for which we may process your personal information set out above, we may also process any of your personal information where such processing is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

We may also use your personal information to tell you about our Services we think may interest you or for a purpose related to the primary purpose of collection or where you would reasonably expect that we would use the information in such a way, subject to legal restrictions on using your personal information for marketing purposes.

We may also de-identify your personal information which we have collected for the purposes described in this Privacy Policy.

8. Disclosing your personal information

We may disclose your personal information:

1. to any member of the Columbus Capital Group of companies insofar as reasonably necessary for the purposes of this Privacy Policy and providing our Services, and on the legal bases allowed under the Privacy Laws and as set out in this Privacy Policy;
2. to prospective funders or other intermediaries in relation to your credit requirements;
3. to other organisations that are involved in managing or administering your credit such as third party suppliers, brokers, mortgage managers, aggregators, lenders mortgage insurers, trade insurers, valuers, third party service providers, service providers for the purposes of verifying your identity, surveyors, accountants, credit reporting bodies, recoveries firms, debt collectors, lawyers, call centres, printing and postal services;
4. to regulatory and supervisory bodies;
5. to associated businesses that may want to market products to you;
6. to companies that provide information and infrastructure systems to us;
7. to anybody who represents you, such as mortgage brokers, mortgage managers, your representatives, lawyers, and accountants;
8. related entities and third party service providers who assist us in our operations and certain tasks including the verifying of your identity and information technology services;
9. to our suppliers or subcontractors insofar as reasonably necessary to provide the relevant Services to you;
10. to anyone, where you have provided us with your consent;
11. where we are required to do so by law, such as under the Anti-Money Laundering and Counter- Terrorism Financing Act 2006 (Cth); or
12. to investors, agents or advisers, or any entity that has an interest in our business;
13. organisations that provide products or services used or marketed by us; or
14. to your employer or referees.

Prior to disclosing any of your personal information to another person or organisation, we will take all reasonable steps to satisfy ourselves that:

• the person or organisation has a commitment to protecting your personal information at least equal to our commitment;
• is legally able to seek access to your personal information in accordance with the Privacy Laws or any other laws; or
• you have consented to us making the disclosure.

9 Overseas Recipients

Prior to disclosing your personal information to an overseas recipient, unless a permitted general situation applies, we will take all reasonable steps to ensure that:

1. the overseas recipient does not breach the Privacy Laws; or
2. the overseas recipient is subject to a law, or binding scheme, or contractual terms that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way your personal information is protected under the Privacy Laws; or
3. you have consented to us making the disclosure.

Acceptance of any of our Services via an application in writing, orally or electronic means, will be deemed as giving consent to the disclosures detailed herein.

Currently we are handling, storing, and processing your data in the following locations Australia, Asia and the Pacific (via our contact centres in Fiji and Philippines) and USA through the use of Microsoft products, Salesforce, AWS, 8x8, Twillio, cloud storage, technological products and services via other service providers.

The locations where we handle, store and process your data may change as our business needs changes and we appoint other service providers from time to time.

10. Direct Marketing

We may use your personal information for direct marketing. This means we may send information to you that relates to promotions within our Columbus Capital Group companies.

You have the right to object to our processing of your personal information for direct marketing purposes. If you make such an objection, we will cease to process your personal information for this purpose.

If you do not wish to receive marketing information, you may at any time decline to receive such information by calling us on 1300 462 209 or by writing to us at PO Box A992 Sydney South NSW 1235. If the direct marketing is by email you may also use the unsubscribe function.

We will not sell your personal information to other companies or organisations.

11. Credit information

Credit Reporting Bodies (CRB) are authorised by law to handle your credit related information. If you apply for credit, we may disclose your personal information to, or collect personal credit related information from a CRB and other entities.

CRBs may include credit related information provided by the Columbus Capital Group in reports
provided to other credit providers to assist such other credit providers to assess the individual’s credit worthiness.

As permitted by law, we may collect, hold, use or disclose credit related information held about you for the purposes of:

1. credit liability information being information about your existing credit which includes the name of the credit provider, whether the credit provider holds an Australian Credit Licence, the type of credit, the day the credit is entered into, the terms and conditions of the credit, the maximum amount of credit available, and the day on which the credit was terminated;
2. repayment history information which is information about whether you meet your repayments on time;
3. information about the type of credit that you are applying for;
4. assessing and forming decisions as to whether to provide you with credit or to accept an individual as a guarantor;
5. participating in the exchange of credit related information with other credit providers including obtaining from and providing information to CRBs and other credit providers and/or trade suppliers as permitted by Part IIIA of the Privacy Act and the Credit Reporting Code;
6. to assist you with debt management and administration;
7. to provide you with our Services;
8. default and payment information;
9. to undertake debt recovery and enforcement activities, including in relation to guarantors, and to deal with serious credit infringements;
10. court proceedings information;
11. to deal with complaints and meet legal and regulatory requirements; and
12. to assist other credit providers to do the same.

When we obtain credit information from a credit reporting body about you, we may also seek publicly available information and information about any serious credit infringement that you may have committed.

12. Credit Information handling and Credit Reporting

In assessing your credit application and providing the Services to you, we may exchange your personal information, as well as your consumer and commercial credit information with the following entities, including but not limited to:

1. Obtaining credit information about you from Equifax Australia Information Services and Solutions Pty Limited (ABN 26 000 602 862) (Equifax) and we may provide to Equifax your personal information with respect of:
• request for access seeker services in accordance with section 6L of the Privacy Act; and
• request for your credit information and credit report.
2. Equifax and its related companies may use and disclose your personal information to manage the provision of credit reporting information and the access seeker services, and to undertake data management for quality related purposes. The Equifax privacy policy is available on the Equifax website at https://www.equifax.com.au/privacy,and contains information about how Equifax handles personal information (other than credit reporting information), including how an individual may access his or her personal information held by Equifax and its related companies and seek the correction of that information, and how an individual may complain about a breach of the Australian Privacy Principles and how Equifax and its related companies will deal with such a complaint.
3. The Equifax Credit Reporting Policy contains information about how Equifax collects and handles credit reporting information and is available on the Equifax website at https://www.equifax.com.au/credit-reporting-policy.
4. Obtaining your financial information via our third party Service Provider illion Australia Pty Ltd ABN 95006399677 (Ilion) who is the owner of illion BankStatements(www.bankstatements.com.au) whereby with your consent they can access your banking transaction data and categorise it in an income and expense report which assists us with assessing your ability to service the loan applied for.
5. The Ilion privacy policy is available on the Ilion website at https://www.illion.com.au/privacy-policy-risk-marketing-solutions/,and contains information about how Ilion handles personal information, including how an individual may access his or her personal information held by Ilion and its related companies and seek the correction of that information, and how an individual may complain about a breach of the Australian Privacy Principles and how Ilion and its related companies will deal with such a complaint.
6. Other credit providers for the purposes of assessing your creditworthiness, credit standing, and credit history or credit capacity.
7. Finance brokers, mortgage managers, our accountants, lawyers, mortgage insurers and such other persons who assist us to provide our Services to you such as:
• Lenders Mortgage Insurers (LMIs) who hold, use and disclose your personal information and credit information for the purposes of assessing whether to provide insurance to us, including to assess the risk of you defaulting or the risk of a guarantor being unable to meet their liability, managing the insurance, dealing with claims, enforcing any mortgage and recovering proceeds, conducting risk and credit assessments, fraud prevention, and verifying personal information provided by us or any purpose under the insurance contract. The LMIs that we may disclose your personal information and credit information to are:
1. Genworth Financial Mortgage Insurance Pty Ltd ACN 106 974 305 who can be contacted and a copy of their privacy policy can be obtained by calling on 1300 655 422 or their website at https://www.genworth.com.au/privacy-policy/;
2. QBE Lenders Mortgage Insurance Limited ACN 000 511 071 who can be contacted and a copy of their privacy policy can be obtained by calling on 1300 367 764 or their website at https://www.qbe.com/lmi/about/governance/privacy-policy; and
3. Arch Lenders Mortgage Indemnity Limited ACN 074 042 934 who can be contacted and a copy of their privacy policy can be obtained on their website at https://mortgage.archgroup.com/wp-content/uploads/sites/4/LMI-Privacy-Policy.pdf.
• Our Funders we may use include:
1. Perpetual Corporate Trust Limited ACN 000 341 533 a copy of their privacy policy can be found on their website at https://www.perpetual.com.au/privacy-policy
2. Permanent Custodians Ltd (and associated entities) ACN 001 426 384 a copy of their privacy policy can be found on their website at https://www.bnymellon.com/au/en/index.jsp#ir/privacy.
• Indue Ltd ABN 97 087 822 464 as the Visa Debit card issuer, if a loan product that we provide to you includes access to a Visa Debit card, a copy of their privacy policy can be found on their website at www.indue.com.au/legal-privacy-policy-cookies.

13. Your Rights in Relation to CRBs

You may be asked to participate in a “pre-screening“. This is where your credit related information is provided to a CRB to use, to provide marketing relating to your credit related circumstances. You have the right to contact the CRB and ask that you be excluded from this process.

If you have been or have a reasonable belief that you are likely to be a victim of fraud, you can contact the CRB and request for a “ban-period“. For a period of 21 days after the credit reporting body receives your notification the credit reporting body must not use or disclose that credit information.
The CRB will not be permitted to use your personal or credit related information during this time.

14. Notifiable matters

From February 2018, the Privacy Act includes a newNotifiable Data Breaches scheme (NDB) which requires us to notify you and the Office of the Australian Information Commissioner (OAIC) of certain data breaches and recommend steps you can take to limit the impacts of a breach (for example, a password change).

The NDB scheme requires us to notify about a data breach that is likely to result in serious harm to affected individuals. There are exceptions where notification is not required. For example, where we have already taken appropriate remedial action that removes the risk of serious harm to any individuals.

If we believe there has been a data breach that impacts your personal information and creates a likely risk of serious harm, we will notify you and the OAIC as soon as possible and keep in close contact with you about the nature of the breach, the steps we are taking and what you can do to reduce the impacts to your privacy.

If you believe that any personal information, we hold about you has been impacted by a data breach, you can contact us using the contact details below.

15. Updating your personal information

It is important to us that the personal information we hold about you is accurate and up to date. During the course of our relationship with you, we may ask you to inform us if any of your personal information has changed.

If you wish to make any changes to your personal information, you may contact us. We will generally rely on you to ensure the information we hold about you is accurate or complete.

16. Your Privacy Rights

In this section 16, we have summarised the rights that you have under the Privacy Laws. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.

The summary of your principal rights under Privacy Laws are:

1. to request, at any time, for us to inform you of the personal information we hold about you;
2. the right to access your personal information and we will respond to you within 30 days of making a request;
3. the right to rectification of your personal information;
4. the right to erasure (where we have no legitimate right or business requirements to retain your personal information);
5. the right to restrict or object to processing (where we have no legitimate right or business requirements to process your personal information);
6. the right to complain to a supervisory authority; and
7. the right to withdraw your consent (where we have no legitimate right or business requirements to retain or process your personal information).

We may refuse to give you access to personal information we hold about you if we reasonably believe that giving access would pose a serious threat to the life, health or safety of an individual, or to the public health or safety, where giving access would be unlawful, where giving access would have an unreasonable impact on the privacy of other individuals, if there are legal proceedings, or if we consider the request to be frivolous or vexatious.
If we refuse to give you access to or to correct your personal information, we will give you a notice explaining our reasons except where it would be unreasonable to do so.

17. How safe and secure is your personal information that we hold?

We will take reasonable steps to protect your personal information by storing it in a secure environment. We may store your personal information in paper and electronic form. We will also take reasonable steps to protect any personal information from misuse, loss and unauthorised access, modification or disclosure.

If we are no longer required or wish to keep your personal information for the purpose it was collected, we will securely destroy it or remove all identity features from the information unless we are legally required to keep it for a period of 7 years after an account is closed.

18. Complaints Handling

Contact Us

You may exercise any of your rights in relation to your personal information by contacting us. If you have a question or complaint about how your personal information is being handled by the Oxygen Home Loans, our affiliates or contracted service providers, please contact us first on the following email: oxygen@oxygen.com.au.
We will try to have your complaint resolved within 5 business days, but it may take longer depending on the complaint. If this is the case, we will aim to resolve your complaint within 30 days.

You can request further information about the way we manage the personal information that we hold, or make a complaint, by contacting our:

• telephoning: 1300 855 699
• e-mailing: oxygen@oxygen.com.au
• writing to: Oxygen Home Loans
  Level 12, 92 Pitt St
  Sydney NSW 2000

If you are dissatisfied with the response of our Complaints Officer you may make a complaint to our External Dispute Resolution Scheme:

Australian Financial Complaints Authority Limited (AFCA)

• GPO Box 3
• Melbourne VIC 3001
• Telephone: 1800 931 678
• Email: info@afca.org.au
• Website: www.afca.org.au/

The Office of the Australian Information Commissioner

Under the Privacy Laws you may also complain to the Office of the Australian Information Commissioner (OAIC) about the way we handle your personal information. Please note the OAIC requires that any complaint be first made to the respondent organisation, which is us. The law also allows 30 days for the respondent organisation to deal with the complaint before a person may make a complaint to the OAIC.
The Commissioner can be contacted at:

Office of the Australian Information Commissioner

• GPO Box 5218
• Sydney NSW 2001
• Phone: 1300 363 992
• Email: enquiries@oaic.gov.au
• Website: www.oaic.gov.au

19. Amendments

We may update this Privacy Policy from time to time by publishing a new version on our website.
You should check this page occasionally to ensure you are happy with any changes to this Privacy Policy.
This Privacy Policy is dated 1 June 2022.

20. Consent for Electronic Acceptance and Notices

You consent to us giving you notices and other documents in connection with our dealings with you by email. You understand that upon your giving of this consent:

1. we will no longer send paper copies of notices and other documents to you;
2. you should regularly check your nominated email address below for notices and other documents;
3. you may withdraw your consent to the giving of notices and other documents by email at any time; and
4. you have facilities to enable you to print the notice or other document that we send to you by email if you desire.