Privacy Policy

AMBYL Holdings Pty Ltd (ACN 697 533 761) ("AMBYL", "we", "us", "our")

Effective: 26 June 2026

1. Introduction and Scope

AMBYL Holdings Pty Ltd (ACN 697 533 761) is committed to protecting the privacy of individuals who interact with our platform, services, website, and mobile application (collectively, the "Services"). This Privacy Policy explains how we collect, use, disclose, hold and protect your personal information, and the choices you have about that information.

This Policy applies to all users of the AMBYL platform, including visitors to our website (ambyl.com.au) and registered members.

By using our Services, you acknowledge that you have read and understood this Privacy Policy.

AMBYL is committed to compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained in Schedule 1 of that Act.

2. Who We Are

AMBYL Holdings Pty Ltd (ACN 697 533 761) is an Australian financial technology company. Our registered office is in Australia.

For all privacy enquiries, you may contact us at:

Email: support@ambyl.com.au

Subject line: Privacy Enquiry

3. What Personal Information We Collect

3.1 Information You Provide Directly

When you register or interact with AMBYL, we may collect:

• Name and contact details (email address, phone number)
• Account credentials
• Financial information you manually enter (bill names, amounts, due dates, biller details)
• Communications you send us, including support enquiries
• Optional information you choose to share about your financial preferences or goals

3.2 Information Collected Automatically

When you use our Services, we automatically collect:

• Device information (device type, operating system, browser type)
• Usage data (pages visited, features used, time spent in-app)
• Log data (IP address, access times, referring URLs)
• Cookies and similar tracking technologies (see Section 9)

3.3 Information from Open Banking and Third-Party Services

Where you choose to connect your bank accounts or financial institutions through our Services (using accredited open banking infrastructure), we may collect:

• Account balances and transaction history, to the extent you authorise
• Payment scheduling and direct debit information
• Biller and merchant information

We only collect financial data to which you have explicitly granted access. You may withdraw this access at any time through the AMBYL platform or directly with your financial institution.

AMBYL uses accredited data intermediaries and payment partners to access financial data. We do not store your banking passwords or credentials.

3.4 Sensitive Information

We do not intentionally collect sensitive information (such as health, racial, political, or religious information) as part of our standard Services. If sensitive information is incidentally included in data you provide, it will be handled with the additional care required by the Privacy Act 1988 (Cth).

4. How We Use Your Personal Information

We use your personal information for the following purposes:

• To provide, operate, and improve the AMBYL platform and Services
• To create and manage your account
• To process and facilitate bill payments and financial reminders
• To communicate with you about your account, Service updates, and support
• To send you product announcements and marketing communications (where you have consented or it is otherwise permitted)
• To personalise your experience within the platform
• To conduct analytics and research to improve our Services
• To detect, investigate, and prevent fraud, security incidents, and other harmful activity
• To comply with our legal obligations under Australian law
• To enforce our Terms of Use and other applicable agreements

4.1 Direct Marketing

We may use your contact details to send you information about AMBYL products, features, and offers that may be of interest to you. You may opt out of marketing communications at any time by:

• Clicking the unsubscribe link in any marketing email
• Contacting us at support@ambyl.com.au

We will process opt-out requests promptly and in accordance with the Spam Act 2003 (Cth).

5. How We Disclose Your Personal Information

AMBYL does not sell your personal information. We may share your information in the following circumstances:

5.1 Service Providers

We engage trusted third-party providers to assist us in delivering the Services, including:

• Cloud hosting and infrastructure providers
• Payment processing and banking infrastructure partners
• Open banking data intermediaries (accredited under the Consumer Data Right regime)
• Analytics and product monitoring services
• Customer communications and support platforms

All service providers are required to handle your information in accordance with this Policy and applicable law.

5.2 Legal and Regulatory Obligations

We may disclose your information where required or permitted by law, including:

• In response to a valid court order, subpoena, or government request
• To ASIC, AUSTRAC, or other regulatory bodies where required
• To prevent or investigate suspected unlawful activity or serious misconduct

5.3 Business Transfers

If AMBYL is involved in a merger, acquisition, restructure, or sale of assets, your personal information may be transferred to the relevant successor entity, subject to equivalent privacy protections.

5.4 With Your Consent

We may share your information with third parties in other circumstances where you have given explicit consent.

6. Overseas Disclosure

Some of our service providers may be located or store data outside of Australia, including in the United States, European Economic Area, and other jurisdictions. Where personal information is disclosed overseas, we take reasonable steps to ensure the recipient handles it consistently with the Australian Privacy Principles.

By using our Services, you consent to the potential transfer of your personal information to overseas recipients in the circumstances described above.

7. How We Protect Your Information

We implement reasonable technical, physical, and organisational safeguards to protect your personal information from unauthorised access, use, disclosure, alteration, or destruction. These measures include:

• Encryption of data in transit and at rest
• Access controls and authentication requirements
• Regular security assessments and monitoring
• Staff training on privacy and security obligations

No method of transmission over the internet or electronic storage is completely secure. While we take data protection seriously, we cannot guarantee absolute security.

8. Retention of Personal Information

We retain your personal information for as long as is necessary to fulfil the purposes for which it was collected, or as required by law. When your account is closed or data is no longer required, we will securely delete or de-identify your personal information in accordance with our data retention procedures.

Financial records may be retained for a minimum of seven (7) years to comply with applicable Australian tax and corporate law requirements.

9. Cookies and Tracking Technologies

AMBYL uses cookies and similar technologies to operate and improve the Services. Cookies are small data files stored on your device. We use:

• Essential cookies: required for the platform to function (e.g., session management, security)
• Analytics cookies: to understand how users interact with our Services
• Preference cookies: to remember your settings and personalise your experience

You may control cookies through your browser settings. Disabling certain cookies may affect the functionality of the Services.

10. Your Rights and Choices

Under the Australian Privacy Act 1988 (Cth), you have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate, incomplete or out-of-date information
• Make a complaint about how we have handled your personal information

To exercise any of these rights, contact us at support@ambyl.com.au. We will respond to your request within 30 days.

10.1 Consumer Data Right (CDR)

Where AMBYL participates in the Consumer Data Right regime as an accredited data recipient or through an accredited intermediary, you have additional rights under the Competition and Consumer Act 2010 (Cth) and the CDR Privacy Safeguards, including the right to withdraw CDR consent at any time.

11. Children's Privacy

Our Services are not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected information from a minor, please contact us immediately at support@ambyl.com.au.

12. Privacy Complaints

If you have a complaint about how AMBYL has handled your personal information, please contact us first at support@ambyl.com.au with subject line "Privacy Complaint". We will investigate your complaint and respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the law, or our Services. When we make material changes, we will notify you via email or a prominent notice in the platform. The updated Policy will be effective from the date indicated at the top of this document.

Your continued use of our Services after any changes constitutes your acceptance of the updated Policy.

14. Contact Us

For all privacy-related enquiries, please contact:

AMBYL Holdings Pty Ltd

Email: support@ambyl.com.au

Subject line: Privacy Enquiry

This Privacy Policy was prepared to reflect AMBYL's obligations under the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Consumer Data Right (CDR) framework, and the Spam Act 2003 (Cth).