Privacy Policy

This Privacy Policy applies to all personal information collected by WILIER LABS PTY LTD (ABN 57 681 703 328), trading as COVE MONEY (we, us or our) via the Cove Money mobile application and the website located at covemoney.com.au (together, the Service).

1. What information do we collect?

The Personal Information we collect depends on how you use the Service. This may include:

• Account information such as your email address, name, and authentication identifiers used to sign you in through WorkOS
• Financial data accessed through the Consumer Data Right (CDR) framework via Fiskil, an ACCC-accredited data recipient, including account balances and transaction history
• AI interaction data, such as prompts, responses, and related context you choose to submit when using AI-powered features
• Service communication data such as email delivery and message metadata for account and product messages sent through Resend
• Device and usage information collected automatically when you use the app

2. Types of information

The Privacy Act 1988 (Cth) (Privacy Act) defines types of information, including Personal Information and Sensitive Information.

Personal Information means information or an opinion about an identified individual or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether it is recorded in a material form or not.

Sensitive Information is defined in the Privacy Act as including information or opinion about such things as an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, membership of a professional body, criminal record or health information. Sensitive Information will be used by us only: (a) for the primary purpose for which it was obtained; (b) for a secondary purpose that is directly related to the primary purpose; and (c) with your consent or where required or authorised by law.

3. How we collect your Personal Information

We collect Personal Information when you create an account, sign in, use the Service, or provide it to us in any other way.

Financial data is collected through Australia's Consumer Data Right (CDR) framework via Fiskil Pty Ltd, an ACCC-accredited data recipient. Fiskil holds the CDR accreditation and acts as the accredited intermediary to securely access your bank data with your explicit consent. Cove Money receives this data on a read-only basis.

We also use trusted service providers to support the Service, including WorkOS for authentication and identity management and Resend for transactional email delivery.

Where reasonable and practicable, we collect your Personal Information from you only. If we receive information from a third party, we will take steps to make you aware.

4. Purpose of collection

We collect Personal Information to:

• Provide the Cove Money Service, including account aggregation, spending insights, and the AI financial companion
• Improve and personalise your experience
• Communicate with you about your account and Service updates

We do not sell, share, or disclose your Personal Information or financial data to third parties for advertising, marketing, or any purpose unrelated to the operation of the Service.

5. Website technologies and analytics

We currently do not use third-party advertising cookies on the website. Public pages may load technical resources such as fonts, scripts, or other static assets from third-party infrastructure, which can result in those providers receiving technical request information such as your IP address, browser details, and request timing.

We may collect basic technical logs and device or usage information needed to operate, secure, and improve the Service. If we later introduce additional analytics, tracking, or similar technologies, we will update this Privacy Policy.

6. Third-party providers

We rely on a small number of third-party providers to operate the Service securely and reliably. Our key providers currently include:

• Fiskil Pty Ltd for Consumer Data Right bank connections and consented financial data access
• WorkOS for authentication and identity management
• Resend for transactional email delivery
• Cloudflare AI Gateway as the routing and billing layer for AI-powered features, with one or more upstream AI model providers that may include providers such as OpenAI and Anthropic

These providers may use their own service providers and subprocessors to help deliver their services. We take reasonable steps to work with reputable providers and to review their privacy and security commitments.

7. Data storage, retention and security

Core application and financial data are hosted in Australia. This includes the main application data and financial data we store to operate the Service.

We also use trusted third-party providers for supporting services. In particular, WorkOS processes authentication and identity data, and Resend processes transactional email data and delivery metadata. These providers may process limited Personal Information outside Australia, such as your name, email address, authentication identifiers, and service email delivery metadata.

Where AI-powered features are used, we may route requests through Cloudflare AI Gateway with one or more upstream AI model providers, which may include providers such as OpenAI and Anthropic. Where supported, we may configure zero data retention settings for AI requests. However, retention and logging behaviour can depend on the upstream provider, Cloudflare gateway settings, and the specific request path used.

We protect your Personal Information using 256-bit TLS encryption and store it in a manner that reasonably protects it from unauthorised access, misuse, modification or disclosure. Your bank credentials are never stored by Cove Money. Bank connections are handled through Fiskil and the CDR framework using secure tokens and consent-based access.

We retain Personal Information only for as long as reasonably necessary to operate the Service and meet our legal, regulatory, security, fraud-prevention, dispute resolution, and record-keeping obligations. When we no longer require your Personal Information, we will take reasonable steps to destroy, anonymise or de-identify it, subject to those obligations.

8. Bank connection data and consent

Financial data accessed through Australia's Consumer Data Right framework via Fiskil is governed by the CDR rules set by the ACCC. You have the right to:

• View exactly which data you have consented to share
• Withdraw your consent at any time — directly in the app or through your bank
• Request deletion of your bank connection data, which will be actioned promptly, subject to any legal, regulatory, security, fraud-prevention, dispute resolution, or record-keeping requirements that apply

We practise minimal data collection — we only request the data necessary to provide the features of the Service.

9. Access and correction

The Australian Privacy Principles permit you to obtain access to the Personal Information we hold about you (Australian Privacy Principle 12) and allow you to correct inaccurate Personal Information subject to certain exceptions (Australian Privacy Principle 13).

To request access or correction, please contact us at [email protected].

10. Complaint procedure

If you have a complaint concerning the manner in which we maintain the privacy of your Personal Information, please contact us using the details below. All complaints will be considered and we may seek further information from you to clarify your concerns. If we agree that your complaint is well founded, we will take appropriate steps to rectify the problem. If you remain dissatisfied with the outcome, you may refer the matter to the Office of the Australian Information Commissioner.

11. Overseas transfer

Some limited Personal Information may be disclosed to, stored by, or processed by our trusted third-party service providers outside Australia where this is reasonably necessary to operate the Service. This includes WorkOS for authentication and identity management, Resend for transactional email delivery, and Cloudflare AI Gateway and one or more upstream AI model providers for AI-powered features.

Depending on how those providers and their subprocessors operate, limited Personal Information may be processed in jurisdictions outside Australia, including the United States and other jurisdictions in which those providers or their subprocessors operate.

Where we engage overseas providers, we take reasonable steps to work with reputable service providers and to ensure your information is handled with appropriate safeguards. By using the Service, you acknowledge that some supporting service providers may process limited Personal Information outside Australia.

12. Contact us

If you have any queries, or if you seek access to your Personal Information, or if you have a complaint about our privacy practices, you can contact us at:

[email protected]

WILIER LABS PTY LTD (ABN 57 681 703 328)
Trading as COVE MONEY
Australia