Consumer Data Right
CDR Consent Knowledge Base
How Wealthra handles your Consumer Data Right (CDR) data — your consent, your control.
Effective Date: 22 April 2026 | Last Updated: 22 April 2026
This page provides you with detailed information about how your data is handled, managed, and protected when you use Wealthra under the Consumer Data Right (CDR) framework. It explains your rights, how to manage your consent, and our data handling practices in compliance with the CDR Rules and Consumer Experience (CX) standards.
1. Introduction to the Consumer Data Right (CDR)
The Consumer Data Right (CDR) is an Australian Government initiative that gives consumers greater control over their data. It regulates how CDR data is collected, used, and disclosed in line with privacy safeguards and rules that:
• Ensure your data is managed securely.
• Provide you with control over how your data is shared and used.
Wealthra Pty Ltd (ACN 693 425 393) is a CDR Representative operating under the accreditation of our principal Accredited Data Recipient (ADR), Basiq Pty Ltd. Under the CDR representative model, Basiq holds the ADR accreditation granted by the Australian Competition and Consumer Commission (ACCC), and Wealthra acts on their behalf to receive and manage consumer data securely. As a CDR Representative, we are required to:
• Transparently disclose how your data is used.
• Ensure secure storage and transfer of your data.
• Implement privacy safeguards to protect your consent.
• Comply with the CDR Rules and privacy safeguards as they apply to CDR Representatives.
Key Benefits for You
• Choice and Control: You decide what data to share, how it is used, and who it can be disclosed to.
• Manage Consent: You can view, modify, or revoke your consents at any time.
• Data Deletion Requests: You can request data deletion or de-identification at any time.
2. How We Use CDR Data
We only collect the minimum CDR data necessary to deliver and improve the Wealthra personal financial management service. CDR data we request may include account details, transaction history, and product information from your financial institution.
We use CDR data collected under the CDR framework for the following purposes:
• Personalised Financial Management: Providing budgeting, spending analysis, transaction categorisation, and tailored financial insights based on your banking data.
• Operational Purposes: Preventing fraud, detecting abuse, and generating analytical insights using de-identified data to improve the service.
• Communication: Sending you updates and notifications aligned with your preferences and relevant to your use of Wealthra.
We will not use your CDR data for direct marketing unless you explicitly consent and it is permitted under CDR Rules. We will never sell your CDR data.
For full details of all personal information we collect and how it is used, please refer to our Privacy Policy.
3. Consent Management
When you give consent to share your CDR data with Wealthra, you remain in control. We will seek your explicit, informed, voluntary, and time-limited consent before collecting any CDR data. The consent process will clearly state:
• What data will be shared.
• How it will be used.
• Who will have access to it.
• The duration of the consent (up to 12 months, or as you specify).
• How to manage or withdraw your consent.
You can easily manage your consent at any time — whether that means reviewing, updating, or withdrawing it — using any of the following methods:
Method 1 — Through the Wealthra App (Preferred)
Navigate to Settings → Connected Accounts in the Wealthra app to view all active consents. From there you can review the details of each consent, modify data sharing preferences, or revoke consent entirely.
Method 2 — By Contacting Our Support Team
Email us at info@wealthra.io with your request. Please include the email address associated with your Wealthra account. We will action your request within 2 business days.
When you withdraw consent:
• We will immediately stop collecting new CDR data under that consent.
• Existing data will be deleted or de-identified in accordance with our retention policy (see Section 4 below).
• Withdrawal of consent does not affect the lawfulness of any data processing that occurred prior to revocation.
4. Data Retention and De-identification
You have the right to request data deletion at any time.
Upon withdrawal or expiry of consent:
• Your CDR data will be securely deleted or de-identified, depending on legal requirements.
• Redundant data will be destroyed, except where we are required by law to retain it for a longer period.
• We will ensure that any third-party processors securely erase any data that was shared with them.
De-identification Process
De-identification involves removing identifiable information while retaining anonymised data for operational purposes such as analytics and fraud prevention. Steps include:
• Removing your personal information from transaction records.
• Stripping timestamps and descriptions that could reveal specific details about you.
• Aggregating data to ensure anonymity.
We may use de-identified data for improving our services, creating insights, and operational analysis. De-identified data cannot be used to re-identify you.
Retention Policy
We will always:
• Ensure your CDR data is deleted or de-identified promptly when it is no longer required.
• Delete or de-identify CDR data upon consent expiry.
• Action data deletion within 24 hours of receiving a consent revocation request.
• Retain non-CDR data only as long as necessary for our legitimate purposes or as required by law (e.g., 7 years for financial records under Australian law).
5. Data Security
We take reasonable steps to protect your CDR data from misuse, interference, loss, unauthorised access, modification, or disclosure.
• Encryption: All CDR data is encrypted at rest and in transit using industry-standard algorithms (e.g., AES-256).
• Access Controls: Strict role-based access controls limit who within our organisation can access CDR data.
• Secure Infrastructure: Data is stored on secure servers in Australia. We comply with CDR information security requirements under Privacy Safeguard 12.
• Monitoring and Audits: We conduct regular security audits and monitoring to detect and respond to threats.
• Data Breaches: If a data breach occurs that is likely to cause serious harm, we will notify you and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme.
6. Your Rights
Under the CDR framework and Australian privacy law, you have the right to:
• Access the CDR data we hold about you (subject to limited exceptions).
• Request correction of any inaccurate, outdated, or incomplete information.
• Withdraw consent at any time via the methods described in Section 3.
• Request deletion of your CDR data at any time.
• Lodge a complaint if you believe we have breached your privacy or the CDR Rules.
We will respond to access and correction requests within 30 days.
7. Complaints
If you believe we have breached your privacy or the CDR Rules, please contact us first at info@wealthra.io. We will investigate and respond within 30 days.
If you are not satisfied with our response, you can lodge a complaint with:
• The Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au or call 1300 363 992.
• The Australian Competition and Consumer Commission (ACCC) for CDR-specific matters: www.accc.gov.au.
8. Contact Us
If you have any questions about this policy, your CDR data, or how to manage your consent, please contact us:
Email: info@wealthra.io
You can also manage your consent directly through the Wealthra app at any time — navigate to Settings → Connected Accounts.