AU

Privacy Policy


Finstro Privacy Policy

Last updated 1st November 2025.


Who are we?

‘We’, ‘us’ and ‘our’ refer to Finstro Holdings Pty Limited ACN 605 121 364, any wholly owned subsidiaries of Finstro Holdings Pty Ltd and the following related businesses:

  • Finstro Securities Pty Ltd ACN 632 777 238

  • Finstro Payments Pty Ltd ACN 150 098 203

  • Finstro Operations Pty Ltd ACN 605 121 524

  • Finstro Card Services Pty Ltd ACN 623 510 323

  • IN.C.C Payments Pty Ltd ACN 623 555 699

(collectively, “Finstro”).

Finstro provides tailored financial solutions for credit & payments via a Finstro Mastercard, flexible business line of credit for working capital and funding business assets, and business trade account for making repeat purchases from suppliers.


Our commitment to protect your privacy

The privacy of your personal information is important to us at Finstro.

We are committed to respecting your right to privacy and to protecting your personal information in accordance with our legal obligations, including those under the Privacy Act 1988 (Cth) (Privacy Act), Australian Privacy Principles (APPs) and any applicable Privacy Credit Reporting Code registered and in force in Australia from time to time (Credit Reporting Code).

Any personal information we collect about you will only be used and disclosed for the purposes for which we have collected it, as set out in this Privacy Policy, or as permitted under the law.


About this Privacy Policy

This Privacy Policy outlines how we manage your personal information (including credit-related information) when your business uses our products or services, you are a guarantor in relation to credit provided or arranged by us, or you otherwise interact or deal with us. Further, it describes the nature of the information held, the purposes for which it is held, and the way it is collected and disclosed.

Our Privacy Policy applies to all your dealings with us whether through one of our introducers, associates, or with Finstro directly via our websites, telephone calls or mobile applications. Depending on the products or services your business uses and your dealings with us, you may be provided with additional privacy related information to supplement this Privacy Policy.

We may change this Privacy Policy from time to time. We will post any changes to this Privacy Policy on our website, which will take effect when it is published. We encourage you to check our website regularly for any updates to our Privacy Policy.


Personal information we collect and hold

“Personal information” is information or an opinion about an identified individual or an individual who is reasonably identifiable.

The personal information that we collect and hold about you depends on our relationship with you. The types of personal information we typically collect includes:

  • full name, age, date of birth, gender and marital status

  • occupation, job title and employer

  • contact details (such as, address, phone number, email address)

  • relationship to our clients and others

  • residency status, country of birth, nationality and tax residency

  • tax file number

  • identity documents (such as, passport number, driver licence number, Medicare number)

  • biometric template (where you choose to use our biometric identification system)

  • photos (including a “selfie” where you choose not to use our biometric identification system)

  • financial information (such as, bank account information and statements, income, assets, expenses, financial liabilities and other financial records)

  • information about your use of our products and services, including transaction information

  • if you a proprietor, director or owner of a business applying for credit or you offer to be a guarantor, credit-related information (see “Credit-related information we collect and hold” below)

  • other information Finstro considers necessary to provide our products, perform our services and meet our legal and regulatory obligations

  • details of your interactions with us, including any information you give us when you provide feedback or make a complaint (including where we collect and store call recordings)

“Sensitive information” is a type of personal information that includes information about your racial or ethnic origin, political opinions or associations, religious or philosophical beliefs or affiliations, membership of a professional or trade association, membership of a trade union, health information, sexual orientation or practices, criminal record or biometric information.

We may collect and hold sensitive information about you where it is reasonably necessary for our functions and activities. For example, to verify your identity where you have opted to use our biometric identification system or when you share sensitive information with us in connection with a hardship application or a customer service enquiry (such as, medical certificates). We will not collect your sensitive information without your consent, except in limited circumstances, including when:

  • the collection is required or authorised under Australian law or a court or tribunal order; or

  • another exception under the Privacy Act applies.


Credit-related information we collect and hold

“Credit-related information” is a type of personal information that includes:

  • credit information, which includes your identity; the type, terms and maximum amount of credit provided to you, including when that credit was provided and when it was repaid; repayment history information, default information (including overdue payments); payment information; financial hardship information (including information that any repayments are affected by a financial hardship arrangement); commercial and consumer credit information from a Credit Reporting Body; customer identification by a Credit Reporting Body; financial information; new arrangement information;

  • details of any serious credit infringements; court proceedings information; personal insolvency information; and, publicly available information; and

  • credit eligibility information, which includes credit information supplied to us by a credit reporting body, your bank statements, and in some circumstances your ATO business activity statements and ATO integrated client account statement, and any information that we derive from that information, such as your credit score, credit risk ratings, summaries and evaluations.

Usually, credit-related information is exchanged between credit providers (such as Finstro) and credit reporting bodies.

If you are a proprietor, director or owner of a business applying for credit or you are providing a guarantee, we may obtain a report from a credit reporting body containing credit-related information about you. We may also collect the ages and number of your dependants and cohabitants, the length of time you have resided at your current address, your employment details and proof of earnings and expenses.

See “How we use your credit-related information” and “Disclosure of credit-related information and notifiable matters” below for further information about how we use and disclose your credit-related information.


Digital information we collect and hold

When you use our website or mobile applications, we may collect information about your location or activity including IP address, telephone number and whether you have accessed third party sites, the date and time of visits, the pages that are viewed, information about the device and operating system used and other user location information. We collect some of this information using cookies and web beacons (for more information please see our Terms of Use https://www.finstro.com/en-au/legal.

We may link this digital information with personal information that we hold about you. For example, this can happen when you are signed into your account on our website or mobile applications or commence Finstro’s account creation process.


How we collect your personal information

We will, if it is reasonable and practicable to do so, collect your personal information directly from you. For example, this may happen when you fill out a web-form, a product or service application or an administrative form (e.g. a change of address form), or when you give us personal information over the telephone, or through our website or mobile app.

In certain cases, we will collect your personal information from third parties. For example, we may need to collect personal information from a credit reporting body, other credit providers, your representative (such as, your employer, financial advisor or legal adviser), publicly available sources of information, or from any of the organisations identified below under "Disclosing your personal information".

We will not ask you to supply personal information publicly over Facebook, Twitter, or any other social media platform that we use.


How we use your personal information

We may use your personal information to:

  • confirm your identity

  • assess an application for credit or your capacity to be a guarantor

  • provide our products and services

  • enter into, administer and manage our relationship with you or your business

  • facilitate your participation in a loyalty program operated by our loyalty and rewards partner, including benefits and offers

  • respond to your enquiry, feedback or complaint

  • analyse and improve our business, products and services

  • communicate with you about our products and services

  • market and promote products, services and offers that we think may be of interest to you, including sending direct marketing by email, SMS, app push notifications, post, phone, social media and targeted online ads

  • manage our business operations and administration, including collecting and recovering money that is owed to us, financial management, planning, reporting, audit and corporate governance purposes

  • manage security and risk, including to detect, prevent, investigate and respond to suspicious, unlawful, dishonest, fraudulent or malicious activities, security incidents and breaches of our terms and policies

  • to comply with our legal and regulatory obligations and protect our legitimate rights and interests.

See “Marketing our products and services” below for further information about our marketing practices, including how you can tell us you no longer wish to receive direct marketing from us.


How we use your credit-related information

We may use your credit-related information for the purposes of:

  • confirming your identity

  • assessing an application for credit, your capacity to be a guarantor (if applicable) and managing that credit, including deriving scores, risk ratings, summaries and evaluations relating to your credit worthiness and your ability to fulfil relevant obligations

  • identifying and investigating any fraud or other unlawful activities (or any suspected fraud or other unlawful activities)

  • managing risk, complying with our legal and regulatory obligations (including under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)) and protecting our legitimate rights and interests such as collecting overdue payments

  • sharing information with credit reporting bodies, where the law permits us to do so.


Use of automated decision making

We may use technology (including artificial intelligence) to make certain automated decisions based on personal information we have collected from you or obtained from other sources such as credit reporting bodies to help inform our credit application assessment and approval process.

These decisions may affect the products or services we offer to you and your business, including whether we approve an application for credit or a proposed guarantor.

You have the right to request access to and correction of any personal information that we hold about you that may have informed our decision in accordance with this Privacy Policy (see “Access and correction to your personal and credit-related information” below).


Disclosing your personal information

We may disclose your personal information to third parties for the reasons outlined in “How we use your personal information” or where the law authorises, requires or otherwise permits us to do so.

In line with modern business practices, and depending on your specific circumstances (such as, for example, where you have a financial adviser or mortgage broker), we may disclose your personal information to the organisations described below.

The relevant organisations include:

  • related entities who help us carry out our functions and activities

  • our agents, contractors, service providers and other organisations who help us operate our business and provide our products and services, including persons who assist us to provide our products to you like finance brokers, mortgage managers and originators, investors, funders or other intermediaries; trade and other insurers, re-insurers and underwriters; card producers and card schemes; valuers, assessors and investigators; debt collection agencies; ratings agencies; organisations that help identify and prevent illegal activities and fraud; auditors; identity verification providers; third party service providers including for statement production, debt recovery, claims, information technology infrastructure, systems or support, call centres, marketing, business and product planning and development, printing and posting, legal advisors and other professional services; and, our loyalty and reward program partners

  • other organisations involved in our funding arrangements and normal business practices, including in connection with trustee or custodial services, funding arrangements involving securitisation, and any proposed transfer of or dealing with your credit or credit you have guaranteed

  • your representatives or third parties acting on your behalf, including your legal advisers, finance consultants, mortgage brokers, guardians, persons holding power of attorney, and accountants, and any of their service providers

  • your employer, former employers or referees

  • your co-applicants or borrowers, guarantors and any other person who has an interest in your credit (or their representatives)

  • if you are a guarantor, the applicants or borrowers of the credit you have guaranteed, any joint guarantor and any other person who has an interest in the credit you have guaranteed (or their representatives)

  • financial institutions and other organisations involved in the payments system including financial institutions, merchants and payment organisations (for example, to process payments or a claim for mistaken payment)

  • government and law enforcement agencies and regulators, courts and tribunals, dispute resolution bodies, industry bodies, and other third parties where we are required or authorised by law (such as under the Anti-Money or Laundering and Counter Terrorism Financing Act 2006 (Cth))

  • credit reporting bodies (see “Disclosing your credit-related information” below)

  • prospective investors or purchasers of our business or assets, entities involved in a corporate re-organisation, and their advisors

  • any other third party where you consent.

Although in certain circumstances we may collect government related identifiers such as your passport number, drivers licence number, or Medicare number, we do not disclose this information other than when required or authorised by law or where you have consented to the disclosure (for example, for identity verification purposes).


Disclosure of credit-related information and notifiable matters

The law requires us to advise you of ‘notifiable matters’ in relation to how we may use and disclose your credit-related information. You may request to have these notifiable matters (and this Privacy Policy) provided to you in an alternative form (see “Contacting Us” below).

We exchange your credit-related information with credit reporting bodies, where the law permits us to do so. We use the credit-related information that we exchange with the credit reporting body to confirm your identity, assess your creditworthiness, assess a relevant application for credit or your capacity to be a guarantor and manage your credit, and any other purpose described under “How we use your credit-related information” above.

The information we exchange with credit reporting bodies includes your identification details, what type of loans you have, how much you have borrowed, whether or not you have met your loan payment obligations, whether you have entered into a financial hardship arrangement (either with us or some other third party), if you default, and if you have committed a serious credit infringement (such as fraud).

Consent is not required for Finstro to disclose your personal information to a credit reporting body, however, we will need your consent for the credit reporting body to disclose credit-related information to us. Any information request we make to a credit reporting body may be recorded and used to assess your creditworthiness and might affect your credit score or credit rating. Credit reporting bodies may also include information about our information request in reports to other credit providers to help them assess your creditworthiness.

We may also disclose your credit-related information to other credit providers (including through CreditorWatch), an external dispute resolution scheme such as the Australian Financial Complaints Authority, a government and law enforcement agency or regulator, and any other person that you authorise or that we are required or permitted by law to disclose your credit-related information to.

If you fail to meet your payment obligations in relation to any credit that we have provided or arranged, or if you have committed a serious credit infringement, Finstro may undertake the following:

  • disclose this information to a credit reporting body

  • issue prescribed notices under Credit Reporting Code advising payments which have become overdue more than 60 days

  • issue prescribed notices under Credit Reporting Code a payment default has occurred with Finstro advising a credit reporting body

  • engage collections agencies and or legal counsel to collect payments which have become overdue

  • request a credit reporting body not to disclose information about you if you believe you are a victim of fraud.

You have the right to request access to the credit-related information that we hold about you and make a request for us to correct that credit-related information if needed. Please see “Access and correction to your personal information and credit-related information” below.

Sometimes your credit information will be used by credit reporting bodies for the purposes of ‘pre- screening’ credit offers on the request of credit providers. You can contact the credit reporting body at any time via their respective websites to request that your credit information is not used in this way.

You may contact the credit reporting body to advise them that you believe that you may have been a victim of fraud. For a period of 21 days after the credit reporting body receives your notification, the credit reporting body must not use or disclose that credit-related information.

We collect credit-related information from, and share credit-related information with, the following credit reporting bodies. For information about how to contact the credit reporting bodies and to see their policies on managing credit-related information, please visit their websites:


Identity Verification

We may disclose your name, residential address, date of birth, photo and other identification information you provide to us to third parties that help us verify your identity, including our identity service providers (such as Veriff), Credit Reporting Bodies and government bodies located in Australia. These third parties use this information to assess whether the information we have matches information held or accessible by that third party.

We will let you know if we are unable to verify your identity in this way. If you do not consent to us verifying your identity in this way, we will seek to verify your identity in another way, which may involve requiring you to provide various supporting identification documents (either original or certified copies).


Further information about the Australian Government’s Digital Verification Service

Where you provide identification information such as your Australian passport, State or Territory driver’s licence, Medicare card or any other government issued photo identification document for identification purposes, we may use the Australian Government’s document verification service (“DVS”) to match your identification information with records held by the official record holder. We access and use the DVS, including requesting information matches and receiving information match results, through an approved third party DVS gateway service provider and other third party systems.

The Privacy Act, the Identity Verification Services Act 2023 (Cth) and the DVS User Terms and Conditions govern the way in which we may collect, use, hold and disclose your identification information in connection with the DVS. Further information about the operation and management of the DVS can be found here at https://www.idmatch.gov.au/.


Biometric checks

We may also conduct biometric checks based on a photo of your face. We will separately ask for your consent before undertaking biometric checks.


Offshore disclosure of your personal information

Personal information (including credit-related information) may be held by us in electronic form on our secure servers and may also be held in paper form. We may use cloud storage to store this information. Our cloud storage and the IT servers are located in Australia.

Because we operate throughout Australia and overseas, we may need to disclose your personal information (including credit-related information) outside your State or Territory and/or outside of Australia.

We may also disclose your personal information (including credit-related information) to overseas entities that provide support functions or services to us, including mercantile agencies, collections houses, legal advisors and technology service providers.

The countries we are likely to disclose your personal information (which can sometimes include credit-related information) to are the United States of America, Europe, India, Vietnam, Estonia and the Philippines. Where this is the case, we will take reasonable steps to ensure the recipient complies with the APPs and that appropriate data handling and security arrangements are in place.


Marketing our products and services

We may use or disclose your personal information to let you know about, and develop, our products and services or products and services from businesses with whom we are associated that may better serve your financial, business and lifestyle needs, or to notify you of promotions or other opportunities which may be of interest to you. For example, we may do this after an initial marketing contact.

You can contact us at any time if you no longer wish to receive our direct marketing (see “Contacting Us” below). If the direct marketing is by email, you may also use the unsubscribe function contained in the email. We will not charge you for giving effect to your request and will take all reasonable steps to meet your request at the earliest possible opportunity.


Keeping your personal information accurate and up to date

We aim to make sure that the personal information we collect, use or disclose is accurate, complete and up-to-date and take reasonable steps to make sure this is the case. In this way we can ensure that we provide you with a better service.

If you believe your personal information is not accurate, not complete or not up to date, please contact us (see “Access and correction to your personal and credit-related information” below). We will generally rely on you to ensure the information we hold about you is accurate or complete.


Access and correction to your personal and credit-related information

You can request access to the personal information and credit-related information we hold about you at any time by making a request to the Finstro Privacy Officer at the “Contacting Us” details below. We may charge a fee for our costs of retrieving and supplying the information to you (but not for making the request).

We usually provide an initial response to you within 7 days of receiving your request, however, we may respond to you sooner depending on the nature of your request. We will try to make your information available within 30 days of your request.

We may need to contact other entities to properly investigate your request, and this may impact how quickly we are able to make your information available.

There may be situations where we are not required to provide you with access to your personal information or credit-related information. Factors affecting a right to access include:

  • access would pose a serious threat to the life or health of any individual

  • access would have an unreasonable impact on the privacy of others

  • a frivolous or vexatious request

  • the information relates to a commercially sensitive decision-making process

  • access would be unlawful

  • access would prejudice enforcement activities relating to criminal activities and other breaches of law, public revenue, a security function or negotiations with you

  • legal dispute resolution proceedings

  • denying access is required or authorised by or under law.

If we deny you access to the personal information or credit-related information we hold about you, we will write to you explaining the reasons for our decision.

If any of the personal information or credit-related information we hold about you is incorrect, inaccurate, or out of date, you may request that we correct the information by contacting us via the details at “Contacting Us” below.

If appropriate we will correct the personal information at the time of your request, otherwise, we will provide an initial response to you within 7 days of receiving your request. Where reasonable, and after our investigation, we will provide you with details about whether we have corrected the personal information or credit-related information (usually within 30 days).

We may need to consult with other finance providers, credit reporting bodies or entities as part of our investigation.

If we refuse to correct your personal information or credit-related information, we will write to you explaining our reasons for not correcting the information.


Doing business anonymously

In most circumstances it will be necessary for us to identify you in order to successfully conduct business with you, however, where it is lawful and practicable to do so, we will offer you the opportunity of conducting business with us without providing us with personal information, for example, if you make general inquiries about interest rates or current promotional offers.


Protecting your personal information

Records of your personal information are kept in several forms including both paper and electronic form. The security of your personal information is important to us and we take all reasonable precautions to protect it from unauthorised access, modification or disclosure and from loss or misuse. These precautions include:

  • confidentiality requirements for our employees

  • document storage security policies

  • security measures for systems access

  • providing a discreet environment for confidential discussions

  • only allowing access to personal information where the individual seeking access has satisfied our identification requirements

  • access control for our buildings

  • a data breach response plan to enable us to respond quickly to any suspected data breach

  • the security measures described below under “Our website and app security

If Finstro receives any personal information which we did not solicit the information, Finstro will determine whether or not we could have collected the information if we had reasonably solicited the information. If not, we will take reasonable steps destroy this information.


Your privacy on the internet

Our website and app security

We take care to ensure that the personal information you give us on our websites and mobile applications are protected, with electronic security systems in place, including the use of firewalls and data encryption. User identifiers, passwords or other access codes may also be used to control access to your personal information. Please refer to the website and mobile applications which you transact electronically for more information on our website and mobile application specific privacy and security procedures.

There are some simple steps you can take to help us keep your personal information and account secure, including:

  • choosing a strong and unique password

  • turning on multi-factor authentication (where available)

  • using facial ID

  • keep your user identifiers, passwords or other access codes safe

  • telling us immediately if you see any unusual activity on your account

Cookies

We use cookies and web beacons in accordance with our Terms of Use. The purpose of this collection is to provide you with better and more customised service and with a more effective website, for troubleshooting and support purposes, behavioural and support purposes, as well as for fraud and security purposes.

Links to Other Sites

You may be able to access external websites by clicking on links we have provided. Those other websites are not subject to our privacy standards, policies and procedures. You will need to contact or review those websites directly to ascertain their privacy standards, policies and procedures.

Un-submitted online applications

If you start but do not submit an online application, Finstro may contact you using any of the contact details you supply, to offer help completing it. If you do not submit the online application, the information in it will be kept by Finstro for a period of time before being destroyed.


Complaints

If you are not satisfied with how we have dealt with your personal information, or you have a complaint about our compliance with the Privacy Act, APPs or the Credit Reporting Code, you may contact the Finstro Privacy Officer through the details at “Contacting Us” below.

We will acknowledge your complaint within seven days and aim to resolve the complaint as quickly as possible. We will use reasonable endeavours provide you with a decision on your complaint within 30 days.

If you are not satisfied with the response of the Finstro Privacy Officer, you are entitled to make a complaint to the Australian Financial Complaints Authority (AFCA) or the OAIC, care of any of the following details:

AFCA

OAIC

  • Phone: 1300 363 992

  • Website: www.oaic.gov.au

  • Post: GPO Box 5288, Sydney NSW 2001


Contacting Us

At Finstro we care about your privacy, and your trust is important to us. Should you have any queries or concerns about your privacy, please provide full details of the nature of your concerns by contacting the Finstro Privacy Officer, care of any of the following details:

  • Phone: 1800 693 467

  • Email: privacy@finstro.com.au

  • Post: Privacy Officer, PO Box H173, Australia Square, Sydney 1215

Finstro wins innovation awards
Get it on Google Play
Website Terms and Conditions   |   Privacy Policy   |   Mastercard® Terms and Conditions

© Copyright 2025 Finstro Holdings Pty Ltd | ABN 46 605 121 364 | | | +61 2 8311 8061 | Level 24, 259 George St., Sydney NSW 2000

The Finstro Mastercard is issued by EML Payment Solutions Limited ABN 30 131 436 532 AFSL 404131 pursuant to license by Mastercard Asia/Pacific Pte. Ltd. Mastercard and the circles design are registered trademarks of Mastercard International Incorporated.