Tiimely Privacy Policy

This policy explains how Tiimely Pty Ltd (“Tiimely”, “we”, “us”, “our”) manages personal information that we collect, hold, use and disclose. It covers:

  • How and what information we collect.
  • How we use your information.
  • When and why we share your information.
  • How we protect your information.
  • How you can access, update and correct your information.
  • How to make a complaint.

The personal information we collect and how we manage it will depend on your relationship with us. This policy is structured to help you find the information most relevant to you:

  • Part A — Xapii Clients: If you are an entity licensed to use our Xapii platform products, or an authorised user of a Xapii Client.
  • Part B — Customers of Xapii Clients: If you are an applicant or customer of one of our Clients, whose personal information we receive through our Clients’ use of our products.
  • Part C — Website and Social Media Visitors: If you visit or interact with the tiimely.com website or our social media channels.
  • Part D — Home Loan Applicants: If you apply for a home loan product through a white-label lending solution powered by our technology, where Tiimely assesses and processes your application on behalf of one of our funders.

The general provisions in sections 1 through 9 below apply to all individuals whose personal information we handle. Parts A to D then provide additional, audience-specific information. You should read the general provisions together with the Part that applies to your relationship with us.

1. What is personal information?

Personal information includes any information, or an opinion, that could identify an individual or from which an individual can be reasonably identified. This includes things like your name, address, date of birth, email address or driver’s licence number, and your financial information.

Sensitive information is a subset of personal information that includes information about your health, biometric data, racial or ethnic origin, and other categories defined in the Privacy Act 1988 (Cth) (“Privacy Act”). We will only collect sensitive information with your consent or where otherwise permitted by law.

2. Storage and security of your personal information

We take reasonable steps to protect the personal information we hold from misuse, interference, loss, unauthorised access, modification or disclosure. Our security measures include access controls, encryption, secure hosting infrastructure and regular security assessments.

Personal information collected through our products and services is stored in Australia, unless otherwise specified in the relevant Part of this policy.

When we no longer need to use your information for the purposes described in this policy, we will delete or de-identify it, unless we have a legal obligation to retain it.

3. How can you access, update, or correct your information?

In most cases you will be able to gain access to the personal information we hold about you. There may be some occasions where we are unable to provide you with access (for example, because granting you access would unreasonably impact on someone else’s privacy, or where the information relates to existing or anticipated legal proceedings). If we cannot provide you with access, we will let you know why in writing.

We assume that any information you give us is correct, but we will also take reasonable steps to amend or correct information about you to keep it accurate and up to date.

If you would like to access your information, update us on any changes, or request a correction, please contact us using the details in section 8 of this policy.

4. Can you deal with us anonymously?

Where it is lawful and practicable, you have the option of not identifying yourself, or using a pseudonym, when dealing with us. However, in many cases we will need to verify your identity to provide our products or services. For example, if you are a Home Loan Applicant, we are required by law to verify your identity and cannot offer you the option of remaining anonymous.

5. Overseas disclosure

There are some circumstances in which we may store or disclose personal information to recipients located overseas. Where we do so, we take reasonable steps to ensure the overseas recipient handles your personal information in accordance with the Australian Privacy Principles.

The specific countries and service providers relevant to your relationship with us are set out in the applicable Part of this policy. In general, the countries in which overseas recipients of your personal information are likely to be located include the United States, the European Union, Ireland and the Netherlands.

6. Online data and cookies

Whenever you use a website, app, or other internet service, certain information is created and recorded automatically by the systems necessary to operate that service. The same is true when you use our website or interact with our products.

We use cookies (small text files placed on your device) and similar technologies to enhance your experience, track performance and usage of our website, monitor advertising campaigns, and improve our products and services. You can disable cookies at any time by visiting the “settings” or “help” section of your browser.

We also use various analytics and social media platforms to provide targeted marketing content. To understand how these platforms use your information or to opt out of targeted marketing, please refer to their respective privacy policies. The platforms we use include Meta, X (formerly Twitter), LinkedIn, Google Analytics and Google Ads.

For more detail about how we use cookies on the tiimely.com website, please refer to our Cookie Policy.

7. Concerns or complaints

If you ever have an issue or complaint regarding your privacy or the way we’re using your personal information, please contact us using the details in section 8.

We will address your complaint as quickly as possible and aim to have everything resolved within 30 days. If you are dissatisfied with our response, you can contact an external body:

Office of the Australian Information Commissioner (OAIC) — if your complaint is about how we handle your personal information (including credit-related information).

Australian Financial Complaints Authority (AFCA) — if your complaint is about the financial products or services we provide or arrange.

8. Contact us

If you have any questions about this policy, or would like to request a printed copy, please contact us:

Email: privacy@tiimely.com

Post:
Privacy Officer
Tiimely Pty Ltd
Level 7, 121 King William Street, Adelaide SA 5000

9. Changes to this policy

We may review and update this policy from time to time. Changes will be posted on our website. We encourage you to check back regularly for the latest updates.

Part A — Clients

This Part applies to you if you are an entity licensed by Tiimely to use Xapii products, including any of your authorised users (“Client”).

This Part should be read together with the general provisions in sections 1 through 9 of this policy.

A1. How we collect your information

We collect personal information about Clients and their authorised users in the following ways:

  • Directly from you when your authorised users engage with us, enter into agreements, or use our products and services.
  • Through your use of the Xapii platform, including information generated in the course of delivering our services.

A2. What information we collect

The types of personal information we may collect from Clients and their authorised users include:

  • Name, email address, phone number and other contact details of authorised users.
  • Xapii account credentials and access information.
  • Details about how you interact with our products, including activity data, technical information (such as IP address, browser version, operating system and time-zone settings), and behavioural metrics.

This information may be linked to your account for fraud detection and prevention purposes.

A3. How we use your information

We use Client information to:

  • Facilitate your use of the features and functions of our products and services.
  • Operate, maintain and support the Xapii platform.
  • Enhance and further develop our products and services, including creating new features, refining the user experience, and increasing performance.
  • Authenticate and verify your identity, and to detect and protect against security events and other illegal activity.
  • Provide product updates, subscription renewals, payment reminders, alerts and other notices relating to our products and services.

A4. When we share your information

We may use or disclose Client information to:

  • Diagnose and resolve technical issues, including sharing information with third parties to resolve those issues.
  • Comply with our legal and regulatory obligations, or where we have a reasonable belief that disclosure is necessary to prevent physical harm or financial loss, to report suspected illegal activity, or to investigate violations of our Terms of Service.

A5. Overseas disclosure

We use HubSpot to manage relationships with current and prospective Clients, including maintaining records of meetings and communications. We disclose personal information (name, email, phone number, physical addresses and social media links) to HubSpot for these purposes. This information is stored in the European Union.

HubSpot’s privacy policy is available at legal.hubspot.com/privacy-policy.

Some of our operational tools and services used by Clients may also store limited personal information (generally your name, corporate email address and username) in overseas locations. These include services hosted in the United States and the European Union. We conduct due diligence on these services before use to ensure appropriate security standards are met.

A6. Direct marketing

From time to time, we may use your personal information to provide you with marketing materials about our products and services that we think may be of interest to you. You can opt out of receiving marketing communications from us at any time by following the opt-out instructions provided in the communications, or by contacting us using the details in section 8.

Part B — Customers of Xapii Clients

This Part applies to you (“Customer”) if you are an applicant or customer (or potential applicant or customer) of one of our Clients, whose personal information we receive through our Client’s use of our Xapii products.

This Part should be read together with the general provisions in sections 1 through 9 of this policy.

Important: Our Client’s own privacy policy will contain more detailed information about their collection and use of your personal information in connection with their products and services. We encourage you to review the Client’s privacy policy.

B1. How we collect your information

When our Clients use our Xapii products to manage any part of their dealings with you (for example, where a Client uses Xapii to process or assess a credit application), we collect the personal information we receive about you in the course of providing our products and services to the Client.

We generally do not collect personal information directly from you in this context. Rather, we receive it from or through our Client’s use of our platform.

B2. What information we collect

The types of personal information we may receive about you include:

  • Your name, contact details, and other identification information.
  • Bank account and financial information.
  • Information generated through the processing of your personal information by our products (for example, categorisation or analysis of financial data).

The specific information collected will depend on the products and services our Client uses and the nature of your dealings with them.

B3. How we use your information

Personal information received about Customers is typically used in connection with an application and/or assessment process for a product or service being provided by the Client.

In accordance with the arrangements with each Client, we may also use the information collected through use of our products to create anonymised, aggregated or de-identified information for the purposes of product analytics and insights, service and product improvement, and feature development.

B4. Access to your information

While we store and process personal information about Customers of Clients on our platform, access to that information is generally controlled by our Clients and their authorised users. There is limited access by Tiimely employees who perform administrative or service support functions.

If you wish to access, correct or make a complaint about the personal information we hold about you, you may contact us using the details in section 8 of this policy. In many cases, we may need to direct you to the relevant Client as the entity that controls how your information is used in connection with their products and services.

B5. Overseas disclosure

Personal information received about you through use of our Xapii products is stored in Australia.

B6. Direct marketing

Tiimely does not use your personal information for direct marketing purposes. Any use of your personal information for marketing in connection with the products or services you receive from our Client is managed by the Client in accordance with their own privacy policy.

Part C — Website and Social Media Visitors

This Part applies to you if you visit or interact with the tiimely.com website or Tiimely’s social media channels (“Visitor”).

This Part should be read together with the general provisions in sections 1 through 9 of this policy.

C1. How we collect your information

We collect personal information from Visitors in the following ways:

  • Directly from you when you interact with us, such as when you complete a web form, register for a webinar, or engage with our posts on social media.
  • Through cookies and analytics software when you browse our website (see section 6 of this policy).

C2. What information we collect

The types of personal information we may collect from Visitors include:

  • Name, email address, phone number and the business you work for (where you submit this information through a web form or registration).
  • Details about how you interact with our website, including pages visited, activity carried out, technical information (IP address, browser version, operating system, time-zone settings) and behavioural metrics.

C3. How we use your information

We use Visitor information to:

  • Respond to your enquiries and provide information about our products and services.
  • Send you communications about our products and services (subject to your right to opt out — see section C5).
  • Improve our website and marketing activities, including using small subsets of hashed information to tailor content to our website users.

C4. Social media

Tiimely connects with social media sites such as LinkedIn, X (formerly known as Twitter), Meta and YouTube. If you choose to “like” or “share” information from our website through these services, we recommend reviewing the privacy policy of that service. If you are a member of a social media site, the interfaces may allow the site to connect your visits with other personal information.

C5. Direct marketing

From time to time, we may use your personal information to send you marketing materials about our products and services that we think may be of interest to you. You can opt out of receiving marketing communications from us at any time by following the opt-out instructions provided in the communications, or by contacting us using the details in section 8.

Part D — Home Loan Applicants

This Part applies to you if you apply for a home loan product marketed by one of our brand partners, where Tiimely assesses and processes your application on behalf of one of our funders (“Home Loan Applicant”).

This Part should be read together with the general provisions in sections 1 through 9 of this policy.

D1. About white-label home loans

Tiimely is not a credit provider. Tiimely provides credit services in relation to home loan products that are marketed under the brands of our commercial partners on behalf of the relevant credit provider and lender of record for these home loan products. These credit providers are Bendigo and Adelaide Bank Limited ABN 11 068 049 178 and Columbus Capital Pty Limited ABN 51 119 531 252, referred to in this Part as our ‘funders’.

As credit providers, each of our funders have obligations under Part IIIA of the Privacy Act 1988 (Cth) in relation to your credit information and credit eligibility information, including maintaining a credit reporting policy under section 21B of the Privacy Act. You should also refer to the relevant funder’s privacy and credit reporting policies for information about how they manage your credit-related information (see section D10).

This Part explains how Tiimely manages the personal information and credit-related information of individuals who apply for home loan products (marketed by one of our brand partners) where Tiimely assesses the application on behalf of the relevant funder.

Note: If you apply for a home loan product through the Tiimely Home brand, please refer to the Tiimely Home Privacy Policy available on the Tiimely Home website (tiimelyhome.com.au).

D2. What is credit-related information?

In this policy, credit-related information is personal information about your credit history which can influence an assessment of your creditworthiness and standing. This includes credit reporting information such as the information we receive from credit reporting bodies in your credit report, information about your past experiences with the relevant funder or other lenders, the kinds of credit products you have applied for (such as credit cards) and how you have managed your commitments including repayments.

D3. What information do we collect and hold?

When you apply for a home loan product, we need to collect your personal information so that we can assess your eligibility for the product you have applied for, and to comply with legal obligations to verify your identity.

The information we collect directly from you includes:

  • Full name, date of birth and contact details.
  • Identification information such as your driver’s licence number, passport details and residency status (see section D8 below about our use of the Document Verification Service).
  • With your consent, we may also collect biometric information about you (in the form of a selfie you provide) to enable us to verify your identity using an automated digital identity verification provider.
  • Financial information including your income and expense details. We may give you the option of providing this information by uploading bank statements or by authorising a service provider to link your relevant bank accounts.
  • Marital status and number of dependents.
  • Where applicable, details of contracts of sale and property insurance.

There are other cases where we might collect personal information about you, such as:

  • From the website or application form through which you applied.
  • When you call, webchat or email us directly.
  • From other people or organisations, such as joint applicants for a product, our funder, our commercial partners, service providers or your employer.
  • From credit reporting bodies as part of the credit application process (refer to section D5).

D4. How do we use your information?

Generally, we use your personal information to help us assess your credit application. Some specific things we use your personal information for include:

  • Verifying your identity.
  • Assessing your application for home loan products.
  • Assisting with your questions or complaints.
  • Necessary business operations such as performance reporting, ongoing development and improvement of our credit services, record keeping, auditing, training, document verification or fraud detection (where we may use your digital profile and other behavioural information to identify unusual or suspicious activity).
  • Reporting and data analytics, including for regulatory, management and research purposes.
  • Complying with our legal and regulatory requirements.

D5. Direct marketing

Tiimely does not use the personal information of Home Loan Applicants for direct marketing purposes. Any use of your personal information for marketing in connection with the home loan product you applied for is managed by the relevant brand partner/funder in accordance with their own privacy policy.

D6. What credit-related information do we collect and hold?

When you apply for a home loan product, we collect and use your credit-related information on behalf of the relevant funder to assess your eligibility. We collect credit information as you progress through the application process so we can assess your eligibility for the product as you go. While this means faster decisions, it also means we may collect this information even when you do not complete and submit an application in one session.

The types of credit-related information we collect include:

  • Name, date of birth, gender, address (including prior addresses).
  • The kinds of credit products you have or have applied for.
  • Information on credit previously provided to you by credit providers/lenders.
  • How you have managed your obligations (which could include details of defaults and repayment history).
  • Information in a credit report from a credit reporting body.
  • Information about your creditworthiness that has been derived from a report about you (such as a credit score).
  • Details of credit-related court proceedings or insolvency.
  • Serious credit infringements.

D7. How do we use and share your credit-related information?

We use your credit-related information on behalf of the relevant funder for the following purposes:

  • Assessing credit applications.
  • Necessary business operations conducted on behalf of the funder, including risk management, audit investigations, performance reporting, research and product development and planning.

Your credit-related information is shared with the relevant funder in their capacity as the credit provider. The funder may use and disclose your credit-related information in accordance with its own privacy and credit reporting policies (see section D10).

D8. Credit reporting bodies (statement of notifiable matters)

The following information is provided on behalf of the relevant funder, in its capacity as the credit provider for the home loan products that are assessed by Tiimely. The Privacy Act requires a credit provider to advise you of ‘notifiable matters’ in relation to how your credit-related information may be used. You may request to have these notifiable matters (and this policy) provided to you in an alternative form.

When you apply for a home loan product, we collect credit-related information about you from credit reports provided by credit reporting bodies to assist in assessing your creditworthiness.

Dealings with the credit reporting bodies are reciprocal, so the relevant funder (as the credit provider) may also share credit-related information with credit reporting bodies about you, including:

  • How well you manage your repayments.
  • Whether you have entered into a financial hardship arrangement.
  • If you fail to meet your payment obligations in relation to any loan that our funder has provided.
  • If you have committed a serious credit infringement.

If a credit enquiry is made to a credit reporting body in connection with your application for credit or provision of a guarantee, your consent to the credit enquiry is not required. A record of the credit enquiry may be used and, as relevant, disclosed for the purposes of the credit reporting body or a credit provider assessing your creditworthiness, including calculation of a credit score or credit rating (subject to any limitations under the Privacy Act and the Privacy (Credit Reporting) Code 2025).

Credit enquiries on your credit report may impact your credit score or credit rating. For example, multiple credit enquiries recorded over a short period may lower your credit score. The impact will depend on the type and amount of credit you apply for, the frequency of credit enquiries and your credit history.

Credit reporting body

We use Equifax Australia as the credit reporting body for Home Loan products. Equifax’s privacy and credit reporting policies contain information about how it manages your personal and credit-related information.

Equifax Australia

PO Box 964, North Sydney NSW 2059
Phone: 1300 762 207
Website: www.mycreditfile.com.au
Privacy Policy: www.equifax.com.au/privacy
Credit Reporting Policy: www.equifax.com.au/credit-reporting-policy

If you have been a victim of fraud (including identity fraud), or think you might have been targeted, you can ask a credit reporting body not to use or share the information they hold about you by getting in touch with them directly.

Sometimes your credit-related information will be used by credit reporting bodies for the purposes of “pre-screening” credit offers on the request of other credit providers. You can contact the credit reporting body at any time to request that your credit-related information is not used in this way.

You have the right to request access to the credit-related information that we or the funder hold about you, and to make a request to correct that information — see section 3 of this policy. You may also contact the relevant funder directly in relation to credit information and credit eligibility information it holds about you (see section D10 for our funders’ contact and policy details).

You may also make a complaint regarding the handling of your credit-related information — see section 7 of this policy.

D9. When do we share your personal information?

Sometimes we need to share your information outside of Tiimely. Some of the third parties we may share your personal information with include:

  • The relevant funder (see section D10).
  • The relevant brand partner.
  • Insurers providing lenders’ mortgage insurance, where applicable (see section D10).
  • Identity/document verification and fraud detection service providers, including the Australian Government’s Document Verification Service (DVS) administered by the Attorney-General’s Department, and our DVS Gateway Service Provider, GBG (see further information on the DVS below).
  • Information technology companies maintaining our systems and services, including cloud and data warehousing service providers and analytics platforms.
  • External advisers such as valuers, lawyers or auditors.
  • Government, law enforcement and regulatory bodies, as required by law.
  • External complaint resolution bodies.
  • Other joint loan applicants.
  • Your authorised representatives or advisers.

Information about the DVS

The DVS is administered by the Attorney-General’s Department under the Identity Verification Services Act 2023 (Cth). It checks whether the information you provide matches the records held by the government agency that issued the document (the document issuer). We access the DVS through our Gateway Service Provider, GBG, which has a direct connection to the DVS Hub. The DVS Hub facilitates the transfer of your information between GBG (on our behalf) and the document issuer. The DVS Hub itself does not retain your personal information, and the Attorney-General’s Department cannot view or edit the personal information transmitted through the Hub. For more information about how the Attorney-General’s Department handles your personal information in connection with the DVS, refer to the Identity Verification Services Privacy Statement at idmatch.gov.au/resources/identity-verification-services-privacy-statement.

D10. Do we send information overseas?

There are a few instances where we store or disclose personal information overseas in connection with home loan applications:

  • Our webchat provider, LiveChat; they store information provided during your webchat enquiry at their secure hosting facilities in the US.
  • We use Twilio to send you SMS notifications as you progress through your home loan application. Their solution is hosted in the US.
  • ThreatMetrix provides fraud detection services; this information is encrypted and stored within the US and the Netherlands.

D11. Our funders and insurers

To assess your application for a home loan product, we need to share your personal information and credit-related information with the relevant funder.

The funder’s credit reporting policy contains information about:

  • How you can access and seek correction of your credit eligibility information.
  • How you can seek correction of your credit information.
  • How you can complain about a breach of the credit reporting laws and how they will deal with a complaint.
  • Whether they disclose your credit information or credit eligibility information to overseas entities, and where practicable, which countries those recipients are located in.

Our funders’ privacy and credit reporting policies are available at www.bendigobank.com.au/public/privacy-policy.

Where applicable, we will also need to share personal information with our lenders’ mortgage insurer Helia Insurance Pty Limited ABN 60 106 974 305 trading as Smarter MI.

Their privacy policy is available at www.helia.com.au/privacy-policy.

D12. Unfinished applications

If you start but do not finish an online application, we may use the details you have provided so far to get in touch with you, or to offer help finishing the application. We do this to ensure you get what you need from us. However, you can let us know at any time if you do not wish to receive any further contact.

You can download a copy of the Tiimely Privacy Policy (PDF)