Consumer Data Right Policy

About this policy

This CDR Policy provides information about how Tiimely collects, holds, uses and discloses CDR data that customers consent to sharing with us in our capacity as an accredited data recipient (ADR) or in our capacity as an outsourced service provider for other ADRs.If you would like to know about how we manage your personal information outside of the CDR regime, please see our Privacy Policy available on our website here.

In this policy, Tiimely, we, us or our means Tiimely Pty Ltd and references to data means CDR data.

About the CDR

The CDR was introduced by the Australian Government to provide consumers with greater control and choice about sharing the data that designated businesses hold about them with third party service providers of their choosing.For the banking sector, this is often referred to as Open Banking.

If you choose to use Consumer Data Right to share your data, your information is transferred in encrypted form using secure technology. The process has been designed to give you greater choice and control through the convenience of a simple and secure process.

Service providers must go through a rigorous process to become an accredited data recipient (or ADR) to receive CDR data and provide services or products to you using CDR data. The Australian Competition and Consumer Commission (ACCC) manages this process.

More information about the CDR is available here: Homepage | Consumer Data Right

Provision of CDR services by Tiimely

Tiimely is an unrestricted accredited data recipient under the CDR regime.

Tiimely is not yet an active accredited data recipient which means that we are not yet providing CDR services directly to our retail customers.Tiimely is currently an outsourced service provider to other accredited data recipients and in that capacity we will use, disclose and hold CDR data on behalf of the accredited data recipient in accordance with their instructions and the terms of their customers’ consents.

The information in our CDR policy reflects that Tiimely currently receives CDR data in its capacity as an outsourced service provider. This policy will be updated prior to Tiimely becoming active on the CDR Register.

The CDR data we may collect/receive and ways we may use CDR data

Tiimely does not currently collect CDR data directly from data holders on behalf of consumers. However, Tiimely does receive CDR data as an outsourced service provider to other accredited data recipients (ADRs) and we use that data in accordance with their instructions and the terms of the consumer consents that they have obtained. In this capacity we may receive, hold, use and disclose the following types of CDR data:

Account balance and details

• Name and type of account
• Account number
• Account balance
• Credit limits (if applicable)
• Fees
• Interest rates
• Discounts
• Account terms
• Account mail address

Transaction details

• Incoming and outgoing transactions
• Amounts
• Dates
• Descriptions of transactions including details of who you have sent money to or received money from (ie names).

CDR data may be used, with the ADR’s instructions and consumer consent, for purposes such as categorising CDR data and analysing or aggregating it to verify and assess a consumer’s financial position.

All CDR data that Tiimely receives and stores on behalf of an ADR is held in servers located in Australia.

Correction of CDR data

If you identify at any time that the CDR data we have collected about you is incorrect, you can contact us to investigate the issue and request that your data is corrected. Please see Contact Us below. In cases where we are acting as an outsourced service provider for an ADR, we will usually need to refer you to the ADR so that they can receive and manage the correction request in accordance with their CDR Policy.

No fee will be charged to manage your request. Where we are acting in our capacity as an ADR, we will notify you within 10 business days after receipt of your request what steps we have taken in response.

In some cases, we may need to refer you to the relevant data holder (bank) to resolve the issue as the source of the data we have received. If they correct your data, we will seek to collect it again to update our records if your consent for us to do so is still valid.

Disclosure of CDR data

Where we are acting as an outsourced service provider to an ADR, we may disclose your CDR data to third parties as directed by the ADR and in accordance with the consumer consents that they have obtained.

Further details of any disclosures of CDR data will be updated prior to Tiimely being an active on the CDR Register.

Withdrawing consent and deletion of data

At any time, you may withdraw your consent by:

• through the consent dashboard that the relevant ADR provides to you; or
• through the data holder (bank) consent dashboard available in your bank’s app or online banking service.

It is also possible to email Tiimely to request the withdrawal. Please see Contact Us below. In cases where we are acting as an outsourced service provider for an ADR, we will usually need to refer you to the ADR so that they can receive and manage the withdrawal request in accordance with their CDR Policy. This includes instructing Tiimely to delete or de-identify CDR data if required following receipt of a withdrawal request.

Where we are acting in our capacity as an ADR, if you use our consumer dashboard to withdraw your consent, the status of your consent will be updated in near real-time and reflect your change almost immediately. We will also irretrievably delete your data as soon as practicable of any of the following events:

• your consent expires;
• you stop sharing data with us before consent expires via an election on your consent dashboard;
• you request data sharing to stop via the data holder that provided your data; or
• you notify us in writing that you withdraw your consent.

When any of these events occur, we will delete all the data you shared with us from our systems, unless it is required to be held by law.Tiimely will also retain records that are required by the CDR Regime to allow us to track activities such as consents, consent withdrawal and data sharing in accordance with our obligations under the CDR Regime. We will delete these records at the end of six years as required.

Notifications

Where we are acting in our capacity as an ADR, Tiimely will notify you:

• when you provide a data sharing consent that enables the collection, use or disclosure of CDR data. We will also notify you when your data has been collected or where we disclose CDR data to an accredited party;
• when your consent expires, or when you withdraw or amend your consent;
• every 90 days for any ongoing consent for data sharing (where you have not interacted with our consent dashboard);
• when you request a correction of your data; or
• in the event of a data breach affecting your CDR data under the Notifiable Data Breach Scheme in the Privacy Act 1988 (Cth).

Where Tiimely is acting as an outsourced service provider, the ADR provides these notifications to you.

Complaints process

If you have a question or complaint about how your CDR data is being handled, there are a number of options for contacting us. Please see Contact Us below.

Where we are acting in our acting as an outsourced service provider, we will usually need to refer your complaint to the ADR to be managed in accordance with their complaints handling processes.

What to include when making a complaint

Please include the following information when submitting your complaint:

• your name;
• your preferred contact details for managing the complaint (phone / email / letter); and,
• the details of your complaint including what you would like us to do to resolve your complaint and any supporting documentation;
• if any additional assistance is required with lodging the complaint.

Complaints process

Once we receive your complaint, we will:

• acknowledge it within 24 hours or one business day and let you know if any further information is needed;
• do everything we reasonably can to fix the problem;
• keep you informed of our progress;
• keep a record of your complaint;
• provide you with contact details of the Complaints Officer handling your complaint.

Tiimely will investigate your complaint and attempt to provide you with a written response to resolve the complaint within fifteen (15) calendar days of receipt of your complaint.

If this timeframe cannot be met, you will receive a ‘final response’ letter within 30 days, informing you of:

• the final outcome of your complaint or dispute; and
• your right to take the complaint or dispute to External Dispute Resolution.

If we cannot provide a final response within thirty (30) days, we will tell you the reason for the delay and when you can expect to hear an outcome and keep you updated on our progress.

Options for redress

There are a range of potential options for resolving a complaint including:

• an explanation of the circumstances giving rise to the complaint;
• an apology;
• provision of assistance and support;
• a payment of compensation;
• correcting incorrect or out of date records; or
• undertaking to put in place improvements to systems or processes.

External dispute resolution

Tiimely does not provide an internal review process for complaint responses. However, if you are not satisfied with our response to your complaint, you may lodge a dispute with the Australian Financial Complaints Authority (AFCA). AFCA is a free and independent complaint resolution service.

• Website: https://www.afca.org.au/
• Email: info@afca.org.au
• Phone: 1800 931 678 (Free call)
• Address: GPO Box 3, Melbourne, VIC, 3001

You can also contact the Office of the Information Commissioner about CDR or privacy related complaints:

• Website: www.oaic.gov.au
• Phone: 1300 363 992
• Address: GPO Box 5288, Sydney NSW 2001

Contact Us

Our website https://tiimely.com/contact-us has ways you can get in touch with us.

Availability of Policy

This policy is available electronically on our website here: Consumer Data Right

A hardcopy of this policy can be obtained by emailing contact@tiimely.com.

Policy Version

This is version 1.4 of the Tiimely CDR Policy (September 2025).

Tiimely will occasionally update this CDR Policy.You can always find the most current version on our website or alternatively you can ask us to send you a copy.