1. Circit Consumer Data Right Policy
1.1. This Consumer Data Right Policy (the CDR Policy) explains how Circit Ltd (Circit) collects, uses, stores, and discloses your data that you consent to sharing with us. Circit maintains this CDR Policy for transparency and trust between all parties, as well as to ensure the security of your personal information under applicable CDR legislation and Privacy Laws.
1.2. Please refer to the Privacy Notice on our website for more information on the management of your personal data.
2. What is the CDR?
2.1. The Consumer Data Right (CDR) is the set of regulations enacting open data initiatives, giving Australians greater choice and control over how their data is used and disclosed. In the financial services sector, the CDR gives you control over the financial data that you share with banks, other financial institutions and accredited third parties. This is commonly referred to as Open Banking, which helps you securely share your data with other firms with your affirmative consent, full knowledge, and granular control. Open Banking will allow you to ask that your data be sent to other banks, financial institutions, and other authorised organisations on your terms, as you control who receives your data and how it is used for your benefit.
3. Who is Circit and How Are You Able to Offer This Service?
3.1. Circit provides a platform of digital tools for improving audit coverage, quality and efficiency of a company’s financial statements and related data. We are regulated in the European Union (by the Central Bank of Ireland) and the United Kingdom (by the Financial Conduct Authority) to provide Account Information Services, a service which has similarities to CDR.
3.2. Circit Limited is an Accredited Data Recipient under the Australian Consumer Data Right legislation. Our registration number is ADR777820 and you can view our accreditation here.
3.3. As a user of the Circit platform under CDR, you have been asked, or will be asked, by your auditor if you are willing to consent to sharing your business banking data with them via the Circit platform.
4. How CDR Data is Managed
4.1 What Data Does Circit Hold?
4.1.1. Circit only works with business bank accounts. Should you consent to share your business account information, Circit is permitted to store the following information for use by your auditors:
· Account information such as account number and balance
· Transaction details such as amount, date, description
· The exact data that you share with us can differ depending on which financial institution(s) you have accounts and relationships with.
4.1.2. For your auditor to be able to invite you to consent to share your business account data, Circit will process the following information, some of which will have been input by your auditor:
Name
Email address
Mobile phone number
Entity/Company name
IP address
4.2 Where Your Data is Stored
4.2.1 Your data is stored in Microsoft’s data centres in Europe, specifically Ireland and a backup location in the Netherlands.
4.3 De-identification of Data
4.3.1 Circit does not offer the de-identification of CDR data, opting only for deletion when data becomes redundant.
4.4 Deletion of Data
4.4.1 Circit will deem your data redundant:
7 years after the end of the audit period for which you have shared CDR data with your auditor.
Should you agree with your auditor that they may inform Circit they no longer need your data.
4.4.2. Circit will delete your data within 30 days of it becoming redundant.
4.5 General research and Published Statistics
4.5.1. If you consent to share your data, Circit may use an anonymised version of it for analysis, product development and innovation research, so that we can offer you and your auditor better services and features in the future.
4.5.2. Research and analysis will only ever be conducted on aggregated, non-personal CDR data, e.g. transaction value, date, account type.
4.6 Marketing
4.6.1. Circit may use aggregated, non-personal CDR data, e.g. transaction value, date, account type, for marketing purposes.
4.6.2. Your CDR data will never be used for direct marketing purposes by Circit, nor will it be shared with any third party for direct marketing purposes.
5. Your Rights Under The CDR
5.1 You have control over with whom you share your financial data. Circit is accredited by the Australian Competition & Consumer Commission (ACCC) and maintains ongoing programmes for dispute resolution, information security, audit and other requirements mandated by the accreditation regime. You may choose to share your data that is held by an existing data holder (for example, a banking institution) with us for use by the Circit platform.
6. Granting and Managing Consent
6.1. If you consent to share your data with your auditor in Circit, it is your right to choose the following:
Which data types (for example, profile, payments, transaction, or product information).
How long you will share your data for, and whether it is a one-off share or ongoing sharing.
Business users of CDR data can have an active consent for up to seven (7) years, unless you withdraw consent, re-grant consent or the consent expires.
You can view and manage your consent in the Circit consent dashboard, or one provided by the data holder of the accounts you have shared with Circit.
7. Withdrawing Consent
7.1. You may withdraw your consent at any time. You can withdraw your consent in multiple ways, including:
Through the Circit application’s consent dashboard
Through the data holder’s consent dashboard; or
By emailing [email protected]
In writing to the data holder(s)
7.2. A consent revocation request will be completed within two business days if notified in writing. If you choose to revoke consent yourself through the consent dashboard, the dashboard will be updated in near real-time to reflect your change in consent status.
7.3. Withdrawing consent means that Circit will no longer be able to access your business’ bank transactions. Whilst the transactions that you have already shared remain visible to your auditors, Circit will not be able to update the transactions that we hold.
8. Deletion of CDR Data
8.1. Circit processes your CDR data because your auditor has requested that you consent to share it with them for the purposes of performing a financial audit.
8.2. Section 307B(c) of the Corporations Act 2001 provides that an auditor or a member of an audit firm must retain all audit working papers prepared by or for, or considered or used by, the auditor in accordance with the requirements of the Australian Auditing Standards until:
the end of 7 years after the date of the audit report prepared in relation to the audit or review to which the audit working papers relate; or
an earlier date determined for the audit working papers by ASIC under subsection (6).
8.3. This means that Circit will retain your CDR data for no more than 7 years after the date of your audit period unless your auditor asks us to delete it on an earlier date.
8.4. The CDR data will be deleted within 30 days of the date determined in 8.3.
9. Correcting or deleting your personal information
9.1. A user can request correction or deletion of their data through the contact us channels listed below:
Support within the Circit application can be accessed using the chat widget
By emailing [email protected]
By posting your request to
Customer Support
Circit Limited
NCI Business Centre,
Mayor Street, IFSC, D1
Dublin
By calling the Circit Customer Support Team on +35319060718
9.2. Sufficient details must be provided to assess and correct the data that is incorrect. If notified by phone or email, Circit will update the consumer data as soon as is practical, with the request and later with the notification of the corrective action if applicable.
9.3. Once assessed, a response will be given by email. The response will set out what Circit did in response to the request, any corrective action or comments, and the complaint mechanism available to the consumer if they are not satisfied.
10. CDR Data Breach
10.1. In the event of a data breach e.g. someone gaining unauthorised access which results in loss of CDR data, we will notify a CDR consumer as soon as practical for the consumer to take appropriate action if required.
11. Disclosure
11.1. Circit does not share or make your data accessible or visible to any third parties other than the audit firm that you agreed to share your CDR data with, and the sub processors listed in 12.1. Circit employs stringent, up-to-date information security controls.
11.2. Circit develops and maintains all its software in-house.
12. CDR outsourcing arrangements
12.1. Circit uses the services of the following sub processors to deliver its software:
Microsoft Azure – for the hosting of the Circit software platform. The Circit application is hosted in Dublin, Ireland. Whilst Microsoft Azure hosts our platform, and therefore holds CDR data, Microsoft has a policy of not accessing any customer systems. You can read more at https://learn.microsoft.com/en-us/azure/security/fundamentals/protection-customer-data.
Brevo:SendInBlue – for email system notifications generated by the Circit application. Brevo:SendInBlue is based in France. Please note that Brevo:SendInBlue does not have access to or host any CDR data.
13. Making a Complaint
If you believe that there has been a breach of the CDR rules by Circit, you can submit a CDR consumer data complaint in a number of ways.
By emailing [email protected]
By calling +35319060718
By sending us a DM on X @circit_io
By dropping us a message on LinkedIn at https://www.linkedin.com/company/circit-ltd./
The following must be included when submitting your complaint:
Your name
Your contact details
The details of the complaint
We will respond using the medium by which you have contacted us. However, we may request your email address if we need to send you a more structured response, e.g. an Excel document.
A CDR complaint can be made at any time. Once your complaint is received, Circit will acknowledge receipt of the complaint within one (1) business day.
Acknowledging a complaint
Circit will acknowledge receipt of the complaint within one (1) business day of it being received.
Circit’s default method of response will be to use email. However, this may change depending on whether you have specified that you would prefer to be contacted by phone, letter, or social media account.
Responding to a complaint
Circit will investigate your complaint and provide you with a full written response to resolve the complaint, within thirty (30) calendar days of receipt of your complaint. We may contact you before that to request additional information relating to your complaint.
Using a representative
You may use a representative to lodge a complaint on your behalf or continue to be the recipient of communications relating to a complaint. Such representatives might include financial counsellors, legal representatives, family, friends, and members of parliament. Once we have been notified that you have authorised a representative, we will not contact you directly unless:
you specifically request direct communication with us.
Circit reasonably believes that the representative is acting against your best interests.
Circit reasonably believes that the representative is acting in a deceptive or misleading manner with the complainant and/or Circit.
Circit reasonably believes that the representative is not authorised to represent you; or
at the time Circit is dealing with the complaint, the representative has been excluded by AFCA from representing complainants in relation to any complaint lodged with AFCA.
What your complaint response will include
When the complaint is resolved, you will receive a ‘final response’ letter, known as an IDR response. The Australian Securities & Investments Commission Internal Dispute Resolution Regulatory Guide 271 mandates that our response to you must contain:
· the outcome of your complaint or dispute.
· your right to take the complaint to the Australian Financial Complaints Authority (AFCA) if you are not satisfied with our response; and
· the contact details for AFCA.
If we reject your complaint
If Circit rejects or partially rejects your complaint, we will clearly set out the reasons for the decision by:
· identifying and addressing the issues raised in the complaint.
· setting out our findings on material questions of fact and referring to the information that supports those findings; and
· providing enough detail for you to understand the basis of the decision and to be fully informed when deciding whether to escalate the matter to AFCA or another forum.
Raising your complaint with AFCA
If you wish to refer your complaint to AFCA, they can be contacted using the details below:
Online: www.afca.org.au
Email: [email protected]
Phone: 1800 931 678
Mail: Australian Financial Complaints Authority
GPO Box 3
Melbourne, VIC 3001
Contact Us
You can contact us in the following ways:
· By emailing [email protected]
· Using the contact form at https://www.circit.io
· By calling the Circit Customer Support Team on +35319060718
Last Reviewed 1st February 2024
You may request a PDF copy of these terms by emailing [email protected].
