Privacy Policy & Collection Notice
EasyAML Privacy Policy & Collection Notice
EasyAML Pty Ltd (“EasyAML“, “we” and “us“) is the provider of an end-to-end Customer Due Diligence (CDD) compliance solution. We act on behalf of our clients (“Clients”) to verify the identities of their customers (“Customers”) as required by AML/CTF (Anti-Money Laundering and Counter-Terrorism Financing) laws and any other relevant regulatory requirements (“Applicable Laws“).
This privacy policy and Collection Notice (“Policy“) sets out how we collect, use, disclose and protect the Personal Information of:
A. Customers (see Section A); and
B. Clients, website visitors, and others (see Section B),
(together, “you” and “your”).
In this Policy:
- “Personal Information” means any information about an identifiable individual, or an individual who is reasonably identifiable, and includes any data that can be used to identify or contact a single person.
- “Service Providers” means the third party service providers we procure services from, together with our business and analytics partners.
- “Outsourced IT Management Provider” refers to Scantek Solutions as our service provider for Verification of Identity (VOI) services and management of easyAML’s IT infrastructure, networks and operational systems.
EasyAML is an Australian Privacy Principle (APP) entity, as defined by the Privacy Act 1988 (Cth) (Privacy Act), and as such is committed to handling personal information in accordance with applicable privacy laws.
EasyAML may use Artificial Intelligence (AI) as part of an automated decision making process, such as identity verification or fraud detection. When EasyAML uses AI it will take steps to prevent algorithmic bias to ensure the AI is used fairly.
EasyAML may also use your information to market information to you. If you do not wish us to do this you have the opportunity to opt-out.
We may update this Policy from time to time, and any changes will be published directly to our website and will be effective from the date of publication.
This Privacy Policy (Policy) includes:
- 2. Information we collect and disclose
- 3. How long we retain information
- 4. How we use and share your Personal Information
- 4. Accessing, correcting, erasing and your other rights
- 5. Contact information
Section B: Clients, website visitors and others
- 1. Personal Information we collect
- 2. How we use and share your Personal Information
- 3. Accessing, correcting, erasing and your other rights
- 4. Complaints
Our Company Wide Commitment to Your Privacy
End-to-end AML/CTF compliance management is EasyAML’s business, handling all your Personal Information securely and in accordance with the APPs is essential to that business.
Every EasyAML employee undertakes mandatory training in the identification and handling of personal information as part of their onboarding process. Protection of personal information is discussed regularly in team and company-wide meetings, and considered when making any business decision. EasyAML maintains its own records about how personal information is handled, what information has been shared and with whom and the specific purpose of any sharing activity.
Our Clients are contractually required to comply with the requirements of the Privacy Act, to comply with the security requirements of any Service Providers, and to protect all the Personal Information they receive.
Retrieval Process
EasyAML generally collects Personal Information under four scenarios:
- From our Clients (current and potential) and their staff, we receive information necessary to set up and manage their contracts and provide services to them.
- From Clients we receive contact details for a Customer to facilitate the identity verification checks they require
- From Customers we receive their Personal Information during the ‘verification of identification’ (VOI) process.
- From Clients and Customers we receive Customers’ Personal Information contained in documents uploaded for the ‘know your customer’ (KYC) processes.
If a Client has asked us to do your CDD check, they do so because they require this to be completed prior to performing a service for you. They may not perform that service without receiving and sharing your Personal Information with providers of VOI and KYC services. If you have any concerns or questions, you should contact the Client for further explanation about their requirements, legal obligations and processes.
Section A: Customer
If you're dealing with us as a Customer, we might request and handle your Personal Information in two circumstances:
- For your current provider: We have received a request from, and are acting for a specific financial institution, law firm, accounting firm, real estate agent, or any other service you've hired, which are legally required to perform identity checks to complete the service ("Current Provider").
- For future providers: In limited circumstances allowed by Applicable Laws, and only if you or your authorised person approves, we can also hold your personal information for future use by a Service Provider ("Future Provider").
When we're handling your personal information for a Current Provider, we are doing it on their behalf in accordance with their legal requirement. In these cases, this policy doesn't apply. Any questions or requests about your personal information in this circumstance you must contact that Current Provider, and they'll instruct us if necessary.
When we're handling your personal information for potential Future Providers, we are doing it on your behalf and this policy does apply.
Note: By virtue of you visiting our website, parts of Section B (below) may also apply to you.
2. Information we collect and disclose
When we are managing your personal information during the Retrieval Process we request and collect it from you directly and your Current Providers, and then may share it, when necessary, with:
- Your Current Provider;
- Our Service Providers; and
- Future Providers (subject to regulatory requirements and your authorisation)
This includes the following types of personal information (the “Retrieved Information”) which includes sensitive data:
| Category | Information we Collect |
| Customer Contact Information | First and last nameEmailPhone numberAddress |
| Biometric Information | Faceprints (and facial mapping and scans of digitised images) |
| Sensory Information | Photos, videos or recordings of you and your environment |
| Unique Identifiers | Unique Device IDIP AddressIdentification number (such as Passport or Drivers Licence number) |
| Demographic Information | Age / date of birth contained on your identification documentsNationality indicated on your identification documentsSex indicated on your identification documents |
| Geographic Information | Geographic location |
3. How long we retain information
We aim to keep your information for only as long as it is legally required for your Current Provider, or for as long as you request it for Future Providers.
Factors that may influence how long we retain your data include fulfilling our legal or regulatory obligations, responding to a question or complaint, or being unable to delete the data for technical reasons.
4. How we use and share your Personal Information
EasyAML collects, uses and holds your Personal Information so that we can conduct CDD checks on behalf of our Client who requested it. We may also use it for specific purposes that you have consented to including internal business purposes. In general, we use your information to minimise risks and protect against fraud, misuse or loss of data, and to improve our services. We may also use it to comply with laws, obligations or provide assistance to regulatory, government and law enforcement authorities.
In addition to providing our products and services, we may use Personal Information we collect for a range of internal business purposes. EasyAML will ensure that it obtains your consent where necessary if the Personal Information will be used for secondary purposes. These purposes may include:
- improving, testing and developing our products, services and systems;
- research, analytics, data modelling and business planning;
- fraud detection, risk management, compliance monitoring and security;
- quality assurance, staff training and auditing;
- developing new products or features, including through the use of automated or data-driven technologies; and
- other administrative, operational and governance purposes reasonably connected to the operation of our business.
EasyAML contracts Scantek Solutions as its Outsourced IT Management Provider (OITMP) to manage underlying IT infrastructure, networks, operational systems and provide VOI services. You can find more details on Scantek Solutions at https://scantek.com/ EasyAML will disclose your Personal Information to Scantek Solutions to enable us to conduct CDD checks on behalf of our Client.
EasyAML shares sufficient of your Personal Information with the requesting Client to enable them to meet their legal obligations. We may share limited Personal Information to identify you or your CDD so that we may respond to a Client’s enquiry about your CDD.
If compelled by law, we may disclose your information in response to a subpoena, court order, or a request for cooperation from a law enforcement or government agency. We may also disclose information when we believe it is appropriate to investigate illegal activity, suspected fraud, or to protect the rights, property, or safety of our company, users, and employees. In the event of a reorganisation, merger, or sale of EasyAML, we may transfer any and all Personal Information we collect to the relevant third party.
We do not disclose, use or adopt government identifiers except where the use and disclosure of the identifier is necessary to perform the CDD requested by the Client.
Agency Checks
In order to complete a CDD we may perform checks with government and other source checking agencies.
Source checking agencies verify a person's identity and background against specific databases, this may include (but is not limited to):
- Document Verification Service (DVS): The DVS is an Australian government service that verifies the details on a person's identity documents, such as a driver's license or passport, against the records held by the issuing authority. This helps confirm the document is legitimate.
- AML/CTF: These services are used to screen individuals against international watchlists for money laundering, sanctions, and politically exposed persons.
- Australian Criminal Intelligence Commission (ACIC): This is a government body that provides criminal history checks.
- Visa Entitlement Verification Online system (VEVO): This system verifies a person's visa status and entitlements in Australia.
How long we will keep your information (Data Retention)
We aim to keep your information for only as long as we need it. Factors that may influence for how long we may keep your data include:
- Fulfilling our legal or regulatory obligations, and our Client’s legal or regulatory obligations;
- Responding to a question or complaint; or
- Being unable to delete the data for technical reasons.
When we no longer have a good reason to hold onto your personal info, we'll either delete it or make it anonymous so it can't identify you. If we can't delete or anonymise it straight away (like if it's stuck in backup files), we'll keep it safe and separate it from any new processing until we can.
Security and storage
EasyAML implements a comprehensive array of physical, technical, organisational, and administrative security measures to protect the Personal Information we hold from unauthorised access, use, and disclosure. EasyAML uses specific measures to protect personal information, such as data encryption, firewall protections, access control policies, and backup processes.
The servers used for storing Customer data, which may include Personal Information, are operated by Amazon Web Services and are located in Sydney, Australia. These data centres are certified to SOC 1, SOC 2, and ISO 270001 standards, ensuring robust security protocols. They feature continuous, round-the-clock security, automatic fire detection and suppression systems, redundant power supply systems, and strict controls for physical access.
Data held on our servers is inaccessible to anyone who has not entered into a contract with EasyAML that includes confidentiality obligations. Data is encrypted both in transit (when being sent to and from our servers) and at rest (when stored). Specifically, 256-bit SSL/TLS encryption is employed to protect data in transit, while 256-bit AES encryption safeguards data at rest.
EasyAML maintains stringent policies and management oversight of security, and we conduct mandatory staff security awareness training. While we strive to protect the security of the Personal Information we hold, it is important to be aware that no method of transmitting data over the internet or storing data is completely secure. EasyAML has contractual protections, encryption, strict access controls, and due diligence checks to ensure all Australian and overseas recipients are subject to appropriate privacy and security protections.
Limited circumstances we may send personal information to overseas recipients
Generally EasyAML keeps all Personal Information on third-party encrypted and secure servers within Australia. EasyAML ensures that overseas third-party cloud platforms comply with security standards noted above. The circumstances where Personal Information may be disclosed to or viewed by an overseas recipient include:
- When Service Providers used to support our operations store, process or access information from outside Australia, including through cloud-based systems or overseas personnel. Where this occurs, we take reasonable steps to ensure overseas handling of personal information is subject to appropriate privacy and security protections.
- When the CDD being requested requires the verification of information by an overseas entity such as verification of a visa or other document not possible to verify through an Australian document verification service.
- When you are interacting with virtual assistant(s) used by our Client(s) which may be based overseas and use third-party cloud platforms.
- When a Client who has requested a CDD has overseas personnel involved in their processes who are working overseas or using overseas systems. The Australian Document Verification Service only allows access to their services from within Australia except where an application for an exemption is made. These applications are made and approved by the DVS on a case-by-case basis.
- When a third-party that relies on a Client’s CDD in compliance with section 37A or 38 of the Anti‑Money Laundering and Counter‑Terrorism Financing Act 2006 (Cth) has overseas personnel or systems involved in their processes. CDD reliance disclosures are strictly regulated by the AML/CTF Act and are required to comply with the Privacy Act.
Unsolicited personal information and de-identification
- We solicit and retain only Personal Information required to achieve accurate execution of our business activities and functions. Should we receive unsolicited Personal Information that information is destroyed immediately upon detection.
- We will de-identify personal information collected and stored where it is appropriate and practicable to do so.
4. Accessing, correcting, erasing and your other rights
You are entitled to know and confirm the accuracy of all your Personal Information recorded by EasyAML, and all such requests will be addressed free of charge. However, Personal Information from a CDD is held on behalf of the Client who requested the CDD, and any requests in relation to this information must be directed to the Client.
EasyAML periodically reviews the data it retains and verifies its accuracy.
Correction of Personal Information may not be possible once a CDD is completed as this information has been used to verify your identity in accordance with Applicable Laws and needs to be retained to support the CDD. During relevant parts of the CDD you will be presented with the opportunity to correct any data our system has not properly recorded.
If we cannot correct Personal Information as requested, EasyAML will respond in written form as to the reasons for denial of the correction along with the appropriate avenue for complaint. In this case should an individual request a statement be associated with that information, such a statement may be recorded and associated with the applicable data.
If you have any questions, concerns or would like to make a complaint about any of our data handling practices, please contact us.
5. Contact information
If you have any questions, concerns or would like to make a complaint about any of our data handling practices, please contact us by:
- Emailing us at privacy@easyaml.com
- Calling us on 1300 425 495; or
- via the EasyAML website contact form
We aim to respond to your dispute within 30 days. We take all complaints seriously and are committed to a quick and fair resolution. Individuals making complaints or enquiries will be afforded the right to anonymity where it is practicable to do so, however we may require certain information to confirm your identity.
We also encourage you to seek further information about your rights from (and, where you think it necessary, complain directly to) the Australian privacy authority the Office of the Australian Information Commissioner (OAIC): http://www.oaic.gov.au/privacy/privacy-complaints
Section B: Clients, website visitors and others
This section sets out how we process your Personal Information.
1. Personal Information we collect
When you visit our website EasyAML gathers information that doesn't directly identify you. This can include things like your job, language, postcode, area code, unique device ID, location, IP address, and the time zone. We might collect information about what Clients do on our website and with our products and services. We combine all this to help us give more useful information to our Clients and their Customers, and to see what parts of our products and services are most popular.
To offer location-based services on EasyAML products, EasyAML and our partners might collect, use, and share exact location data.
We may use non-personalised information to monitor activity that deviates from the norm using Security Information and Event Management (SIEM) tools and take appropriate action as part of our security and cyber crimes prevention processes.
1.1 Information Collected Directly
We might collect some Personal Information directly from you, and share it with our Service Providers or anyone else you authorise us to. This includes things like:
| Category | Information we Collect |
| Contact Information | First and last nameEmailPhone numberAddressUnique Identifiers |
| Professional related information | Job title |
| Other identifying information that you voluntarily choose to provide | Identification documentsOther identifying information in emails, letters or documents you provide to us |
| Audio, electronic, visual, thermal, olfactory, or similar information | Feedback and enquiries that you send to usContent from messages, emails, phone calls or phone call transcripts from communications that you provide to us. |
| Other | Survey Information |
| Biometric information | For example facial images, voiceprints or other biometric identifiers |
1.2 Information Collected Automatically
Also, when you visit our website or use our services, we might automatically collect some Personal Information. We might then share this with our Service Providers or anyone else you authorise us to. This includes:
| Category | Information we Collect |
| Device / IP Information | IP addressDevice IDDomain ServerHardware and software attributes such as Type of device / operating system / browser . time zone |
| Web analytics | Web page interactionsReferring webpageNon-identificable request IDsStatistics associated with the interaction between device or browser and our website |
| Geolocation information | IP-address-based location informationGPS |
1.3 Cookies and Other Technologies
EasyAML’s website, online services, interactive applications, email messages, and advertisements may use “cookies” and other technologies such as pixel tags and web beacons.
These technologies help us better understand user behaviour, tell us which parts of our website people have visited, and facilitate and measure the effectiveness of advertisements and web searches.
We treat information collected by cookies and other technologies as non-personal information. However, to the extent that Internet Protocol (IP) residential histories or similar identifiers are considered personal information by local law, we also treat these identifiers as Personal Information. Similarly, to the extent that non-personal information is combined with Personal Information, we treat the combined information as Personal Information.
We also use cookies and other technologies to remember Personal Information when you use our website, online services, and applications. Our goal in these cases is to make your experience with EasyAML more convenient and personal.
Most browsers automatically accept cookies, but you can usually modify your browser setting to disable cookies. Please note that certain features of the EasyAML website will not be available once cookies are disabled.
As is true of most websites, we gather some information automatically and store it in log files. This information includes Internet Protocol (IP) residential histories, browser type and language, Internet service provider (ISP), referring and exit pages, operating system, date/time stamp, and clickstream data.
1.4 Children
EasyAML does not knowingly collect Personal Information from children under 13. If we learn that we have collected the Personal Information of a child under 13 without first receiving verifiable parental consent we will take steps to delete the information as soon as possible.
2. How we use and share your Personal Information
2.1 How we use your Information
We only handle your Personal Information if we have a good reason under the law. The reason depends on the information itself and why we collected it. Generally, here are our main reasons:
- Because of a contract: We need your Personal Information to do what we've agreed to do for you, like providing our services. If you don't give us this information, we might not be able to offer you our services.
- Our legitimate interests: We might use your Personal Information when we think it's for our legitimate business reasons, or a third party's, as long as it doesn't outweigh your basic privacy rights.
Examples of these legitimate interests include:
- improving, testing and developing our products, services and systems;
- research, analytics, data modelling and business planning;
- fraud detection, risk management, compliance monitoring and security;
- quality assurance, staff training and auditing;
- developing new products or features, including through the use of automated or data-driven technologies; and
- other administrative, operational and governance purposes reasonably connected to the operation of our business.
We might have other legitimate interests, and if so, we'll tell you clearly at the time.
- With your consent: Sometimes, we'll use your Personal Information because you've clearly provided your consent.
- Legal requirement: Rarely, we might need to use your Personal Information to follow a legal rule, or if it's really important for your safety or the safety of others, or if it's for something that benefits the public.
2.2 When we might share your Information
Usually, we won't share your Personal Information with anyone else but we might have to share it with a government or regulatory body, or the police, if the law says we have to. We can also share your Personal Information with anyone else you request us to. We definitely won't sell your Personal Information.
We will only share or disclose biometric information to a third party with your express consent or when disclosure is specifically required or authorised by an Australian law or a court or tribunal order.
In the event of a reorganisation, merger, or sale of EasyAML we may transfer any and all Personal Information we collect to the relevant third party.
3. Accessing, correcting, erasing and your other rights
On top of your other rights in this policy, you can get in touch with us anytime to see your personal information and ask us to:
- Fix or add to it: If you think any of the Personal Information we have about you is wrong or missing.
- Delete it: Either all of it or just some of it.
- Take back your permission: If you gave us consent to use your Personal Information (we would have told you when we collected it).
- Get more information or a copy: About the Personal Information we hold on you
- Limit how we use or share it: For some or all reasons.
- Stop marketing messages: You can use the "unsubscribe" link in our emails or contact us at privacy@easyaml.com.
Before you can do any of these things, we'll need to check who you are (or who's asking on your behalf). Then we'll deal with your request as quickly as we can, following the privacy laws. We'll only ever hold back information or not fix something if we have to by law, and if that happens, we'll tell you why in writing.
If you are not satisfied with how we deal with your query or complaint, you may contact the Office of the Australian Information Commissioner (OAIC) by:
- calling their Privacy Hotline on 1300 363 992; or
- visiting the OAIC website
4. Complaints
To exercise your rights under this Privacy Policy, or applicable law, or if you have a dispute regarding an individual’s Personal information, you may do so by:
- Calling us on 1300 425 495; or
- via the EasyAML website contact page
We aim to respond to your dispute within 30 days. We take all complaints seriously and are committed to a quick and fair resolution.
If you are not satisfied with how we deal with your query or complaint, you may contact the Office of the Australian Information Commissioner (OAIC) by:
- calling their Privacy Hotline on 1300 363 992; or
- visiting the OAIC website