Consumer Data Right Policy

PFinance CDR policy

This policy describes how PFinance handles Australian Open Banking data under the Consumer Data Right for consumers who choose to connect bank data to their PFinance account.

About this policy

This CDR policy is separate from the PFinance privacy policy. It explains how PFinance manages Consumer Data Right data, how consumers can manage Open Banking sharing, and how enquiries or complaints are handled.

Who provides the service

PFinance is operated by Gamma Systems Pty Ltd. The direct Accredited Data Recipient path is the target path for Australian Consumer Data Right Open Banking. Production CDR data collection is enabled only after accreditation, Register onboarding, conformance testing, and production activation are complete.

Current Open Banking status

PFinance is preparing a read-only Open Banking service for personal finance management. Until activation is complete, PFinance does not collect production CDR data through Open Banking.

CDR data we request and hold

The v1 service is limited to consumer-consented bank account and transaction data. The scope set covers account discovery, account detail, account balances, transaction history, consent records, CDR receipts, collection summaries, and operational audit records needed to provide and evidence the service.

Data we do not request

PFinance does not request payment initiation access, does not move money, does not ask for bank login credentials, does not store full card numbers, and does not request broader CDR data classes unless the service and policy are updated before collection.

How CDR data is collected

PFinance collects CDR data only after the consumer gives consent and the data holder authorises the sharing arrangement through the CDR process. Data is collected through CDR APIs, not screen scraping, and the consumer authenticates directly with the data holder.

How CDR data is used

With consumer consent, PFinance will use CDR banking data to show account and transaction history, categorise spending, support budgets and insights, identify recurring payments, and create or review finance records in the user account.

How CDR data is held and protected

Production CDR data is held in the approved CDR data environment with access controls, encrypted token and secret handling, redacted logs, operational monitoring, and production/non-production separation. The service is designed so raw CDR data is not written to application logs or analytics events.

Disclosure and outsourced service providers

PFinance does not sell raw CDR data or disclose it for unrelated marketing. Service providers that support hosting, security, operations, and evidence handling are assessed through the outsourced service provider register and contractual review before they support CDR data handling.

Overseas disclosure

The v1 target is to keep production CDR data in approved Australian cloud locations where supported by the selected service. PFinance does not plan to disclose CDR data outside Australia for the v1 Open Banking service. If that changes, this policy and consumer disclosures will be updated before collection.

Consent management and notifications

Consumers can use the Open Banking dashboard to view consent status, data holder, data categories, collection summaries, CDR receipts, expiry, withdrawal events, and redundant-data handling. PFinance sends or records consent notifications required for consent creation, amendment, collection, withdrawal, expiry, and other CDR lifecycle events.

Withdrawal and deletion

Consumers must be able to withdraw sharing. Collection stops immediately after withdrawal. PFinance will revoke the sharing arrangement with the data holder and delete or de-identify redundant CDR data according to the consumer election and applicable retention requirements.

Access and correction

Consumers can ask for access to CDR records PFinance holds or request correction of inaccurate records. If the source data came from a data holder, PFinance may direct the consumer to the holder while correcting PFinance-controlled records and updating the Open Banking dashboard with the request outcome.

Complaints and external review

Consumers can ask for access, correction, support, or complaint handling through [email protected], [email protected], or 0406051122. CDR complaints follow the PFinance internal dispute resolution process and may be escalated to AFCA or OAIC where applicable.

Changes to this policy

PFinance updates this policy when the CDR service, data handling, support process, regulatory position, or outsourced service arrangements materially change.

Contact and support

Use the support page for CDR sharing, withdrawal, deletion, access, correction, privacy, and complaint questions. The CDR guide explains the consumer journey and management controls. The API reference describes the authentication and authorisation surfaces used by the Open Banking service.