Privacy Policy

1. Introduction and Scope

Jokuda Pty Ltd ("Jokuda", "we", "our", or "us") is committed to protecting your privacy and safeguarding your personal and financial information. As a financial technology (fintech) company providing financial services in Australia, we are bound by strict regulatory obligations and privacy standards.

This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information in compliance with:

• Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
• Privacy and Other Legislation Amendment Act 2024 (effective 10 December 2024)
• Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act)
• Australian Securities and Investments Commission (ASIC) regulations
• National Consumer Credit Protection Act 2009 and Australian Credit Licence requirements
• Australian Transaction Reports and Analysis Centre (AUSTRAC) requirements
• Notifiable Data Breaches (NDB) scheme

By using our services, you consent to the collection, use, and disclosure of your personal information as described in this policy.

2. Information We Collect

2.1 Identity Verification and KYC Information

• Full name, date of birth, and residential address
• Government-issued identification documents (driver's license, passport, Medicare card)
• Proof of address documents (utility bills, bank statements)
• Tax File Number (TFN) where required by law
• Visa or citizenship status for foreign nationals
• Politically Exposed Person (PEP) status declarations
• Source of wealth and income verification documents

2.2 Financial and Transaction Information

• Bank account details and BSB numbers
• Credit and debit card information (tokenized and encrypted)
• Transaction history, amounts, dates, and counterparties
• Payment patterns and behavioral analytics
• Credit history and credit bureau reports
• Investment portfolio details and trading activity
• Loan applications and financial statements
• Insurance claims and beneficiary information

2.3 Employment and Income Information

• Employment status, employer details, and occupation
• Salary, wages, and other income sources
• Payslips, tax returns, and financial statements
• Business ownership and directorship information
• Professional licenses and qualifications

2.4 Risk Assessment and Compliance Data

• Investment experience and risk tolerance questionnaires
• Financial goals and investment objectives
• Suspicious transaction monitoring data
• Sanctions screening and watchlist checks
• Fraud detection and prevention metrics
• Customer due diligence (CDD) and enhanced due diligence (EDD) records

2.5 Digital and Technical Information

• IP addresses, device identifiers, and geolocation data
• Browser type, version, operating system, and platform
• Login timestamps and session duration
• Biometric data for authentication (fingerprints, facial recognition)
• Website and application usage analytics
• Cookies, web beacons, and similar tracking technologies
• Call recordings for quality assurance and compliance

2.6 Third-Party and Public Information

• Information from credit bureaus and financial institutions
• Data from identity verification services (Document Verification Service)
• Social media profiles and publicly available information
• Information from data aggregators and marketing partners
• Court records, bankruptcy registers, and adverse media checks

3. How We Use Your Information

3.1 Primary Purposes (Service Delivery)

• Providing financial products and services (loans, investments, payments)
• Processing applications, transactions, and account management
• Customer identification and verification under AML/CTF requirements
• Risk assessment, credit decisioning, and underwriting
• Portfolio management and investment advisory services
• Customer support, enquiry resolution, and service improvements

3.2 Regulatory and Legal Compliance

• Meeting obligations under the AML/CTF Act and AUSTRAC reporting requirements
• Suspicious matter reporting (SMRs) and threshold transaction reporting (TTRs)
• International funds transfer instruction (IFTI) reporting
• Tax reporting to the Australian Taxation Office (ATO)
• ASIC reporting and regulatory compliance
• Court orders, subpoenas, and law enforcement requests
• Internal and external audit requirements

3.3 Risk Management and Fraud Prevention

• Detecting, investigating, and preventing fraud, money laundering, and financial crime
• Transaction monitoring and behavioral analysis
• Sanctions screening and watchlist checking
• Cybersecurity threat detection and incident response
• Account security and access control management

3.4 Secondary Purposes (With Consent)

• Direct marketing of financial products and services
• Market research and customer satisfaction surveys
• Product development and service enhancement
• Analytics and business intelligence
• Third-party marketing partnerships (with explicit consent)

4. Information Sharing and Disclosure

4.1 Required Disclosures (No Consent Required)

• AUSTRAC: Transaction reports, suspicious matter reports, and compliance data
• ASIC: Licensing, conduct, and market integrity reporting
• Australian Taxation Office: Tax-related information and reporting
• Law Enforcement: Court orders, warrants, and investigation assistance
• Financial Intelligence Units: International information sharing agreements
• Liquidators and Administrators: In cases of insolvency or administration

4.2 Service Provider Disclosures

• Financial Institutions: Banks, payment processors, and settlement systems
• Technology Providers: Cloud hosting, software platforms, and IT support
• Identity Verification Services: Document verification and fraud prevention
• Credit Bureaus: Credit reporting and assessment services
• Professional Advisors: Auditors, lawyers, and compliance consultants
• Outsourced Functions: Customer service, data processing, and administration

4.3 Business Transfer Disclosures

In the event of a merger, acquisition, restructure, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections outlined in this policy.

4.4 Consent-Based Disclosures

• Marketing partners and affiliates (with explicit opt-in consent)
• Third-party financial product providers
• Research and analytics companies (anonymized data)
• Joint venture partners and strategic alliances

5. International Data Transfers

We may transfer your personal information to overseas recipients in the following countries:

• United States: Cloud hosting providers, technology platforms
• Singapore: Regional data processing and backup facilities
• United Kingdom: Group companies and regulatory reporting
• European Union: Compliance services and fraud prevention

All international transfers are governed by appropriate safeguards including contractual clauses, adequacy decisions, and binding corporate rules to ensure your information receives equivalent protection.

6. Data Security and Protection Measures

6.1 Technical Security Controls

• Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
• Access Controls: Multi-factor authentication, role-based access, and least privilege principles
• Network Security: Firewalls, intrusion detection systems, and network segmentation
• Data Loss Prevention: Monitoring and blocking of unauthorized data transfers
• Vulnerability Management: Regular security scanning and penetration testing
• Incident Response: 24/7 security operations center and incident response team

6.2 Compliance and Certifications

• PCI DSS Level 1: Payment card data security compliance
• ISO 27001: Information security management systems
• SOC 2 Type II: Security, availability, and confidentiality controls
• APRA CPS 234: Information security requirements for financial institutions

6.3 Physical and Personnel Security

• Secured data centers with biometric access controls
• Background checks and security clearances for staff
• Privacy and security training for all employees
• Clean desk policies and secure document destruction

7. Data Breach Response and Notification

In the event of a data breach that is likely to result in serious harm, we will:

• Notify the Office of the Australian Information Commissioner (OAIC) within 72 hours
• Notify affected individuals as soon as practicable
• Provide clear information about the breach and recommended actions
• Implement immediate containment and remediation measures
• Conduct a thorough investigation and post-incident review
• Enhance security controls to prevent similar incidents

Our incident response team is available 24/7 to respond to security incidents and data breaches.

8. Your Privacy Rights and Controls

8.1 Access and Correction Rights (APP 12 & 13)

• Right to Access: Request a copy of your personal information we hold
• Right to Correction: Request correction of inaccurate or incomplete information
• Right to Explanation: Understand how we use and disclose your information
• Response Timeframe: We will respond within 30 days of receiving your request

8.2 Consent Withdrawal and Opt-Out Rights

• Marketing Opt-Out: Unsubscribe from marketing communications at any time
• Consent Withdrawal: Withdraw consent for secondary uses (subject to legal obligations)
• Cookie Controls: Manage cookie preferences through browser settings
• Third-Party Sharing: Opt-out of information sharing with marketing partners

8.3 Enhanced Rights Under 2024 Amendments

• Erasure Rights: Request deletion of personal information (subject to retention obligations)
• Portability Rights: Request transfer of your data to another provider
• Automated Decision-Making: Right to human review of automated credit decisions
• Direct Action Rights: Take direct action against us for privacy breaches in certain circumstances

8.4 Limitations on Rights

Your privacy rights may be limited where:

• Required by law to retain information (AML/CTF, tax, and corporate records)
• Necessary for fraud prevention and risk management
• Would interfere with law enforcement activities
• Would compromise the privacy of other individuals

9. Data Retention and Destruction

When the retention period expires, we securely delete or anonymize your information using industry-standard data destruction methods, unless ongoing retention is required by law or legitimate business interests.

10. Cookies and Digital Technologies

10.1 Types of Cookies We Use

• Essential Cookies: Required for website functionality and security
• Performance Cookies: Analytics and website optimization
• Functional Cookies: User preferences and personalization
• Targeting Cookies: Marketing and advertising (with consent)

10.2 Other Digital Technologies

• Web Beacons: Email tracking and engagement measurement
• Device Fingerprinting: Fraud prevention and security
• Local Storage: Offline functionality and performance
• APIs and SDKs: Third-party service integration

You can manage cookie preferences through our cookie consent manager or your browser settings. Note that disabling essential cookies may affect website functionality.

11. Third-Party Services and Links

Our platform may integrate with or link to third-party services, including:

• Banking and payment platforms
• Investment and trading platforms
• Identity verification services
• Social media platforms
• Customer support tools
• Analytics and marketing platforms

These third-party services have their own privacy policies and terms of use. We encourage you to review their privacy practices before sharing your information.

12. Policy Updates and Changes

We may update this Privacy Policy to reflect:

• Changes in privacy laws and regulations
• New products, services, or business practices
• Enhanced security measures or technologies
• Feedback from customers and regulators

We will notify you of material changes through email, website notice, or in-app notification at least 30 days before the changes take effect. Continued use of our services constitutes acceptance of the updated policy.

13. Privacy Complaints and Dispute Resolution

13.1 Internal Complaint Process

1. Initial Contact: Contact our Privacy Officer at [email protected]
2. Investigation: We will investigate your complaint within 30 days
3. Response: You will receive a written response with our findings and proposed resolution
4. Appeal: If unsatisfied, you may appeal to our executive management team

13.2 External Complaint Avenues

If you are not satisfied with our response, you may lodge a complaint with:

13.3 Direct Action Rights (2024 Amendment)

Under the Privacy and Other Legislation Amendment Act 2024, you may have the right to seek compensation directly from us in Federal Court for certain privacy breaches, subject to specific conditions and limitations.

14. Contact Information

For privacy-related enquiries, requests, or complaints, please contact us: