Plain-English summary
- When you connect a bank account to Ember, we use a separate company called Basiq (the accredited Open Banking data recipient) to fetch your account names, balances, and transactions from your bank.
- We only request what we need: accounts and transactions. We do not ask for your identity, occupation, contact details, or any other CDR data.
- Your consent lasts 12 months. You can withdraw it at any time inside Ember — “Disconnect” on the connected-banks page revokes it at your bank.
- When you delete a bank connection, your synced transactions are removed. A small audit log of access events (when consent was granted, when data was fetched) is kept for 6 years, as required by CDR law. The audit log does not contain transactions.
- We never sell CDR data, share it with advertisers, or share it with insurers, employers, or other banks.
This policy is in addition to our Privacy Policy. It covers Open Banking / CDR data specifically.
1. Who we are and our role
Ember is operated by EmberFI (ABN 72 568 450 529), an Australian small business. We provide a cash-flow management app for Australian consumers.
Under the Consumer Data Right (CDR) regime, EmberFI is not directly accredited as a data recipient. Instead, we operate as an Outsourced Service Provider (OSP) under the Principal / Representative model. The accredited data recipient (ADR) is:
Basiq Pty Ltd — ABN 38 615 376 815
CDR Accreditation Number: ADRBNK000208
Basiq's CDR Policy
Basiq is the entity that receives CDR data from your bank under your consent. Basiq then shares the data with us (EmberFI) so we can categorise it and display it to you inside Ember. Both Basiq and EmberFI are bound by the CDR Privacy Safeguards.
2. What CDR data we collect (data minimisation)
The Consumer Data Right Privacy Safeguard 11 requires us to only collect CDR data necessary for the goods or services you have requested. We have configured our consent policy with Basiq to request the following scopes only:
- Account name, type, and balance — your account display name (e.g. “Personal Savings”), account type (savings / transaction / credit card / loan), and current balance.
- Account balance and details — finer-grained balance details for dashboards.
- Transaction details — the descriptions, amounts, dates, and account the transaction belongs to. This is the core data Ember needs to categorise your spending.
- Saved payees — your bank's list of saved payees, kept for potential future features (e.g. scheduled-payment forecasting). Not currently used.
We do not request, and Basiq does not pass to us:
- Your name, date of birth, address, or occupation
- Your contact details (email, phone) from your bank
- Organisation profile data (business name, ABN)
- Direct debits, scheduled payments, account-product disclosures, or any other CDR scope
Our consent policy version is reviewed at every roadmap change. If we ever need a new scope, you'll see it on the bank consent screen before granting and we'll update this policy.
3. Why we collect it
We use CDR data to:
- Show you your transactions and account balances, automatically refreshed each day without you needing to upload CSVs.
- Categorise each transaction using our merchant-resolution rules and (optionally) an LLM fallback for unfamiliar merchants — see the Privacy Policy §8 for what is sent to that LLM and how.
- Build cash-flow summaries, pace-relative spending indicators, recurring-charge detection, and the rest of Ember's features.
- Detect and prevent duplicate transactions (across CDR, email, and CSV imports).
We do not use CDR data for marketing, advertising, profiling for third parties, or for any purpose other than running Ember for you.
4. Consent — granting, duration, withdrawing
Granting. When you tap “Connect a bank” inside Ember, you are redirected to Basiq's secure hosted consent screen, then to your bank's login. You authenticate with your bank (Ember never sees your banking password) and tick the consent boxes. Your bank shares the consented data with Basiq, which shares it with us.
Duration. Your consent lasts 365 days (the maximum permitted under the CDR rules). You'll see a reminder in Ember a few days before expiry to re-confirm.
Historical retrieval span. When you first connect a bank, we ask Basiq to fetch up to 12 months of historical transactions. This populates your dashboard's baseline. Subsequent syncs are incremental — only new transactions since the last sync.
Withdrawing. Open Settings → Connected banks and tap Disconnect on any connection. This:
- Revokes your consent at your bank via Basiq
- Stops further CDR data syncing into Ember for that bank
- Marks the linked accounts inactive (historical transactions stay visible)
Alternatively you can revoke consent directly through your bank's Open Banking consent dashboard, or contact Basiq.
5. Right to delete CDR data
Under CDR Privacy Safeguard 12 you can request that we delete the CDR data we hold about you. Inside Ember: Settings → Connected banks → Delete my bank data. This permanently removes:
- All transactions synced from your banks (CDR-sourced)
- All CDR-linked account records
- All your connections to Basiq
- Your Basiq user record (deleted from Basiq's systems too)
Your CSV-imported and manually-entered transactions are not affected — those are handled under the main Privacy Policy.
What we retain (CDR law requires this). CDR Rule 9.4 and Privacy Safeguard 12 require us to keep an audit log of CDR consent events and data-access events for 6 years, even after you delete the underlying data. The audit log contains the connection identifier, the household, the type of event (consent grant, transaction fetch, consent revoke, data delete) and a timestamp — it does not contain transaction descriptions, amounts, or any financial content. This is the same retention we'd be subject to as an OSP under Basiq.
6. Access log — what we've done with your data
For transparency, Ember keeps an access log of every time CDR data is read on your behalf. You can view it inside Ember at any time, scoped to each connection.
Each entry shows: timestamp, action (consent_grant, transactions_fetch, consent_revoke, data_delete), source (webhook, cron, or manual), and counts (number of rows fetched / committed / deduped). No transaction content.
7. Where CDR data is stored and processed
| Provider | Role | Location |
|---|---|---|
| Basiq Pty Ltd | CDR-accredited data recipient. Receives consented data from your bank, passes it to EmberFI as the OSP. | Australia (AWS Sydney + Melbourne) |
| EmberFI (us) | Outsourced Service Provider — categorises, stores, displays the CDR data inside Ember. | Australia (Supabase Sydney, ap-southeast-2) |
CDR data is stored in Australia only. The CDR rules restrict overseas storage of CDR data; we do not transfer CDR-sourced records overseas, and our sub-processors that process CDR data are likewise in Australia.
One subtlety: the LLM categorisation step (Anthropic, US) may receive an individual transaction description for an unfamiliar merchant — but only after PII redaction and only if you have AI categorisation turned on. See Privacy Policy §8.
8. Who we share CDR data with
We do not sell, share for advertising, or pass CDR data to insurers, employers, credit-reporting bodies, or other banks.
CDR data flows are limited to the entities listed in §7 (Basiq → EmberFI), plus the sub-processors used to run the core service:
- Supabase — our database; CDR data lives here (Sydney region).
- Vercel — web hosting; pages displaying CDR data are rendered close to you. Persisted CDR data is not stored on Vercel.
- Anthropic — LLM categorisation, optional and opt-out-able via Settings → AI categorisation. Receives an individual transaction description with PII patterns redacted server-side first. No other transactions or CDR data are sent.
We may disclose CDR data if required by Australian law (court order, regulator request). We will only disclose what is strictly required.
9. How we secure CDR data
- All CDR data is encrypted in transit (TLS 1.2+) and at rest.
- Database access is gated by row-level security — your data is only readable by you and household members you have explicitly added.
- Basiq webhooks delivering CDR events are HMAC-signed (Standard Webhooks spec); we reject any payload with an invalid or expired signature.
- CDR consent events (grant, refresh, revoke, delete) and data-access events are logged in the audit table (see §5, §6) for 6 years.
- All operational accounts (Supabase, Vercel, Basiq dashboard, our developer email) are protected by multi-factor authentication.
We follow a documented breach-response plan aligned with both the Notifiable Data Breaches scheme (Privacy Act Part IIIC) and the CDR-specific breach-notification obligations under the Competition and Consumer (Consumer Data Right) Rules 2020.
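The webhook signature check described in the list above, as an added example rather than EmberFI's or Basiq's own code: it verifies a Standard Webhooks signature (HMAC-SHA256 over `id.timestamp.body` using the base64 key behind the `whsec_` prefix), rejects timestamps outside a five-minute window, and compares signatures in constant time. The secret, message id and body are constructed sample values, not real Basiq data.

```python
"""Verify a Standard Webhooks signature before trusting a CDR event payload."""
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

TOLERANCE_SECONDS = 5 * 60  # Standard Webhooks recommends rejecting stale/future timestamps

# Constructed sample secret for the example; a real one comes from the provider dashboard.
EXAMPLE_SECRET = "whsec_" + base64.b64encode(b"constructed-test-key").decode()


def _decode_secret(secret: str) -> bytes:
    # Secrets are "whsec_" + base64(key); strip the prefix, then base64-decode.
    if secret.startswith("whsec_"):
        secret = secret[len("whsec_"):]
    return base64.b64decode(secret)


def sign(secret: str, msg_id: str, timestamp: int, body: bytes) -> str:
    """Compute the base64 HMAC-SHA256 over '<id>.<timestamp>.<raw body>'."""
    to_sign = f"{msg_id}.{timestamp}.".encode() + body
    return base64.b64encode(hmac.new(_decode_secret(secret), to_sign, hashlib.sha256).digest()).decode()


def build_headers(secret: str, msg_id: str, timestamp: int, body: bytes) -> Dict[str, str]:
    """What a sender would attach; used here only to construct sample input."""
    return {"webhook-id": msg_id, "webhook-timestamp": str(timestamp),
            "webhook-signature": "v1," + sign(secret, msg_id, timestamp, body)}


def verify(secret: str, headers: Dict[str, str], body: bytes,
           now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Verify on the raw body, before any JSON parsing."""
    now = int(time.time()) if now is None else now
    msg_id, ts_raw, sig_header = (headers.get(k) for k in
                                  ("webhook-id", "webhook-timestamp", "webhook-signature"))
    if not (msg_id and ts_raw and sig_header):
        return False, "missing signature headers"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance"  # replayed or clock-skewed delivery
    expected = sign(secret, msg_id, ts, body)
    # The header may list several space-separated signatures (key rotation); any valid v1 passes.
    for candidate in sig_header.split():
        version, _, value = candidate.partition(",")
        if version == "v1" and hmac.compare_digest(value, expected):
            return True, "ok"
    return False, "signature mismatch"
```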
10. Complaints
If you have a complaint about how we handle CDR data, email tech@emberfi.com.au with “CDR complaint” in the subject. We will acknowledge within 7 days and respond substantively within 30 days.
If you are not satisfied with our response, you can also lodge a complaint with:
- The Office of the Australian Information Commissioner (OAIC) — Phone 1300 363 992 · oaic.gov.au/privacy/privacy-complaints
- Basiq (the ADR) — see Basiq's CDR Policy linked in §1 for their contact path
11. Changes to this policy
We will update this policy when our CDR practices change. The Version and Effective from at the top of the page indicate the current version; prior versions are preserved in our git history. Material changes (e.g. requesting a new CDR scope) will be notified to users with active connections and may require fresh consent before taking effect.