CDR Policy

This Consumer Data Right Policy explains how WILIER LABS Pty Ltd (ABN 57 681 703 328), trading as COVE MONEY (we, us or our), handles Consumer Data Right data through the Cove Money mobile application and the website located at covemoney.com.au (together, the Service).

This policy should be read with our Privacy Policy, our Terms of Service, and Fiskil's CDR Policy.

Cove Money is not an Accredited Data Recipient. Cove Money operates as a CDR Representative of Fiskil Pty Ltd (ACCC Accreditation Number ADRBNK000246). Fiskil is the Accredited Data Recipient that collects and discloses CDR Data on behalf of Cove Money.

Bank data is accessed only through the Consumer Data Right framework and only after you give consent through the applicable consent flow.

The CDR Data we request depends on the features you choose to use and the accounts you choose to connect. It may include:

• account details, including product names, account types, account numbers or masked account numbers, account status, nicknames, interest rates, fees, and related product information;
• balance details, including current balances and available funds;
• transaction details, including amounts, dates, descriptions, incoming and outgoing transactions, and transaction status;
• direct debit, scheduled payment, and payee information where available and needed for the Service;
• profile or contact information made available through the CDR where needed to provide or support the Service.

We apply data minimisation. We only request CDR Data that is reasonably needed to provide the Cove Money features you authorise.

When you connect a bank account, Fiskil collects CDR Data from your bank or other data holder through secure CDR APIs after you authorise the data sharing. Cove Money receives or accesses that CDR Data as Fiskil's CDR Representative so we can provide the Service.

Cove Money does not receive or store your bank login credentials. Authentication and consent are handled through the CDR flow made available by your bank, Fiskil, and the CDR framework.

We use CDR Data to provide and support Cove Money, including:

• showing connected accounts, balances, transactions, bills, and cashflow;
• categorising transactions and identifying spending patterns;
• providing personal finance insights, summaries, and forecasts;
• powering AI features that answer questions about your money using the data you have authorised;
• operating, securing, supporting, troubleshooting, and improving the Service;
• meeting legal, regulatory, CDR, security, fraud-prevention, dispute resolution, and record-keeping obligations.

We do not sell CDR Data. We do not use CDR Data for advertising or unrelated direct marketing.

CDR Data may be handled by Fiskil as our CDR Principal and Accredited Data Recipient. We may also disclose or process limited CDR Data where reasonably necessary to provide Cove Money features, comply with law, protect the Service, or respond to your requests.

Where AI-powered features are used, selected transaction or account context may be sent to AI service providers through our approved AI infrastructure so the feature can respond. We only use AI model providers that operate under a zero data retention policy for API requests.

You choose which eligible accounts and data types to share. CDR consents are time-limited and may be active for up to 12 months unless withdrawn earlier. You may withdraw consent at any time through Cove Money where supported, through your bank's CDR dashboard, or by contacting us.

If you withdraw consent, we will stop collecting CDR Data under that consent. Some Cove Money features may stop working or become less complete.

You may request deletion or correction of CDR Data by contacting us at [email protected]. We will work with Fiskil where needed to action requests under the CDR Rules.

When consent expires or is withdrawn, CDR Data that is no longer required will be deleted or de-identified, subject to legal, regulatory, CDR, security, fraud-prevention, dispute resolution, and record-keeping requirements. Some consent and data-sharing records may need to be retained for the period required by the CDR framework.

We use reasonable technical and organisational measures designed to protect CDR Data from unauthorised access, misuse, interference, loss, modification, or disclosure. Your bank credentials are not stored by Cove Money.

Core application and financial data for Cove Money are hosted in Australia. Fiskil's CDR Policy states that CDR Data handled by Fiskil resides in Australia.

If we become aware of a data breach involving CDR Data, we will assess the incident, notify Fiskil as soon as reasonably practicable, and take steps to contain, investigate, and remediate the issue. Where required, affected individuals and regulators will be notified in accordance with applicable law.

If you have a question or complaint about how Cove Money handles CDR Data, contact us at [email protected]. We will consider your complaint and work with Fiskil where the issue relates to Fiskil's role as Accredited Data Recipient.

You may also contact Fiskil's Complaints Officer at [email protected]. If you remain dissatisfied, external complaint options may include the Australian Financial Complaints Authority or the Office of the Australian Information Commissioner, depending on the nature of the complaint.

We may update this CDR Policy from time to time. If we make material changes, we will take reasonable steps to notify you, including by updating the date at the top of this page or by notifying you through the Service where appropriate.

For CDR questions, requests, or complaints, contact us at:

[email protected]

WILIER LABS Pty Ltd (ABN 57 681 703 328)
Trading as COVE MONEY
Australia