Privacy Policy

Catena Group Privacy Policy v1.0 as at 24 July 2025

Entity identification

Catena Digital Pty Ltd (ACN 669 901 302) and its parent company Catena Digital Holdings Pty Ltd (ACN 670 788 324) (together, Catena Group) collect and manage personal information as described below. Contact us at info@catenadigital.com.au or Level 37, 259 George St, Sydney NSW 2000 for privacy enquiries.

Types of data collected

We collect the following types of personal information, with examples:

  • Personal and contact details: e.g. full name, address, phone number, email address, date of birth
  • Government-issued identification (copies) identifiers: e.g. Tax File Number, Medicare number and copies of government identification documents
  • Identification document copies: e.g. a copy of your driver’s licence
  • Transactional information: e.g. records of transactions you make using our products and services
  • Photographs, video or audio recordings: e.g. recordings of video or audio calls, with consent
  • Interaction and behavioural information: e.g. your interactions with us, including your queries or complaints; pages viewed and browsing behaviour on our websites and any applications that enable you to interact with us ('apps'); how you navigate through and interact with our webpages and apps, including fields completed in forms; date and time and geographical information about website and app visits
  • Publicly available information: e.g. searches of ASIC or other government registers, social media platforms
  • Employment details and family commitments (where relevant)
  • Sensitive information: e.g. information relating to your citizenship, residency status and biometric data to verify your identity and authorise transactions) where necessary and with your consent

Collection methods

We collect personal information:

  • Directly from you in person or through forms, consultations, online portals (e.g. apps, cookies, contact us page on the website), calls and correspondence
  • From third-party service providers (e.g., identity verification providers such as Sumsub for KYC checks)
  • From your representative, if you are business or institutional client
  • From publicly available sources or third parties when legally required
  • If we infer or generate information about you based on your transactions, preferences, and behaviours (including through the use of data analytics)

If we receive unsolicited personal information, we will destroy or de-identify it unless it is required for our functions or activities.

Cookies and Website Tracking

Our website uses cookies and similar tracking technologies to enhance your browsing experience, analyse website traffic, and assist in security measures. A cookie is a small data file stored on your device that allows a website to recognise repeat users.

We may collect information such as your IP address, browser type, operating system, pages visited, and access times to improve the security, performance, and usability of our website.

You can manage or disable cookies through your browser settings. Please note that disabling cookies may impact the full functionality and user experience of our website.

Providing Information About Others

Where you provide personal information about another individual to us (for example, by submitting someone else's contact details through a form), you must ensure that the individual is aware of this Privacy Policy, understands its content, and consents to you providing their information to us.

Where required, we will provide specific collection notices or obtain your consent at the point your information is gathered. These notices may reference or link to this Privacy Policy to explain how your data will be handled.

Purpose of collection

We collect, hold, use and disclose personal information to:

  • Provide financial services and manage your relationship with us
  • Comply with our legal obligations under the Corporations Act 2001 and Anti-money Laundering and Counter-terrorist Financing Act 2006 (AML-CTF Act)
  • Conduct due diligence checks
  • Respond to your enquiries or complaints
  • Send marketing materials (where legally permitted)
  • Improve our products and services and the products and services of third parties that facilitate our business: e.g. by conducting data analytics and generating insights from that data analysis, noting that any output shared with third parties will be de-identified 
  • Enhance our customer relationships
  • Mergers and acquisitions and other sales/funding arrangements: e.g. to facilitate actual or prospective divestments, acquisitions, investments, debt/loan sales or other changes (and potential changes) to entities that make up our corporate group

We will not collect, use, or disclose your government identifiers (e.g., Medicare numbers) unless authorised by law.

If you choose not to provide your personal information, we may be unable to provide you with certain services or respond to specific enquiries.

Sensitive information

We only collect sensitive information where it is directly relevant to our services and with your explicit consent. "Sensitive information" includes information about your health, racial or ethnic origin, political opinions, religious beliefs, trade or professional memberships, sexual orientation, criminal record, genetic or biometric information, and similar categories defined under the Privacy Act 1988 (Cth).

Direct Marketing & Marketing opt-out

In addition to the purposes above, we may use your personal information to send marketing communications about our services where you would reasonably expect us to do so, or where you have provided consent. You may opt out of receiving direct marketing communications at any time by contacting unsubscribe@catenadigital.com.au or following the instructions in our communications. We action unsubscribe requests within 5 business days.

Data sharing

We may share your personal information (including your sensitive information) with:

  • Regulatory bodies: e.g. ASIC, AUSTRAC
  • Financial institutions and service providers
  • Credit reporting agencies
  • Cloud storage and IT providers
  • Overseas recipients where necessary for service provision: e.g. Sumsub based in Cyprus under European Union General Data Protection Regulation (GDPR)-equivalent protections

We require that overseas recipients comply with privacy standards equivalent to the Australian Privacy Principles.

Overseas transfers

We may disclose personal information (including your sensitive information) to overseas recipients for the purposes notes above, including Sumsub and other service providers involved in identity verification and compliance operations. Data may be transferred to and processed by our swervices providers overseas, which are likely to be located in Germany, the United Kingdom, the United States, Cyprus, Singapore, and the United Arab Emirates (UAE). Where data is transferred outside Australia, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or equivalent protections. We rely on Sumsub’s compliance with GDPR and other local data protection laws to ensure your information remains protected.

Data storage & security

We take reasonable steps to protect personal information from misuse, interference, and loss, and from unauthorised access, modification, or disclosure: e.g.

  • Your information is stored in encrypted databases and secure cloud servers
  • Access to our information systems is controlled through identity and access management controls
  • Our employees and representatives are: bound by internal information security policies; required to keep personal information secure; and required to complete training about privacy and information security
  • We monitor and review our compliance with internal policies
  • We regularly assess our security measures against industry best practices. 

Data retention

We retain personal information for 7 years after you cease using our services, as required by the AML-CTF Act. After this period, if it is no longer needed, we will take reasonable steps to securely destroy or de-identify the information, including secure erasure of digital records and shredding of physical documents.

Access/ correction rights

To access or correct the personal information we hold about you, please contact our Privacy Officer by emailing privacy@catenadigital.com.au. You may be asked to verify your identity before access is granted or a correction is made. We aim to respond to requests within 30 days. If your request is complex, we may charge a reasonable administrative fee, which we will notify you of in advance.

We are not required to provide you with access to your personal information in certain limited circumstances, for example where a Court or Tribunal order requires us to deny access. There are also certain circumstances in which we are not required to correct your personal information – for example, where we are not satisfied that the information we have on record for you is inaccurate, out-of-date, incomplete, irrelevant or misleading. 

However, if we refuse to give you access to or to correct your personal information, we will give you a notice explaining our reasons (except to the extent it would be unreasonable or unlawful for us to do so) and provide you with information on how you can complain about our refusal.

Complaints process

Privacy complaints should be directed to privacy@catenadigital.com.au 

If unsatisfied with our response, you may contact the Australian Financial Complaints Authority

GPO Box 3

Melbourne VIC 3001

Phone: 1800 931 678 (free call)

Email: info@afca.org.au

Online: www.afca.org.au.

Under the Privacy Act you may complain to the Office of the Australian Information Commissioner (OAIC) if you have raised a complaint with us and you’re not happy with our response or have concerns about the way we handle your personal information:

GPO Box 5288

Sydney NSW 2001

Phone: 1300 363 992

Online: www.oaic.gov.au 

Online enquiries: Enquiry form

Policy updates

We may update this Privacy Policy from time to time to reflect changes to our practices, regulatory requirements, or for other operational reasons. The most current version will always be available at Catena Privacy . Where material changes are made, we will notify you by placing a prominent notice on our website.

This Privacy Policy was published 24 July 2025.