Last updated 6 July 2026 · Vertial Holdings Pty Ltd (ABN 72 629 494 926) trading as StatementIQ, Level 32, 101 Miller Street, North Sydney NSW 2060
This policy explains how StatementIQ handles personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Banking data shared through the Consumer Data Right is additionally governed by our CDR Policy, which prevails for that data.
StatementIQ is a service of Vertial Holdings Pty Ltd (ABN 72 629 494 926) of Level 32, 101 Miller Street, North Sydney NSW 2060 (“StatementIQ”, “we”, “us”). We provide income and expense verification software to Australian businesses such as debt-management firms, lenders and finance brokers (“firms”), using bank data shared by individuals through the Consumer Data Right (CDR).
For privacy matters, contact our Privacy Officer at privacy@statementiq.com.au or by post at the address above.
We do not collect banking usernames or passwords — ever. Your bank verifies you directly with a one-time code.
We do not sell personal information. We do not use CDR data for marketing, profiling beyond the consented purpose, or identified benchmarking.
CDR (banking) data and derived reports are processed and stored onshore in Australia. Limited contact and technical information — such as an email address or mobile number used to deliver a message you requested, and website log information — may be handled by service providers located overseas, including in the United States. Our own website analytics is aggregate and cookieless (see section 9). Where information is handled overseas we take reasonable steps to ensure it is handled consistently with the APPs.
We protect personal information with least-privilege access controls, encryption in transit and at rest, and audit logging of access to reports. We never store banking credentials.
We keep personal information only as long as needed for the purposes above or as the law requires, then delete or de-identify it (APP 11.2). CDR data and derived reports are deleted automatically after our retention period — 90 days from preparation of your summary by default, or immediately upon withdrawal of your consent. Minimal audit records (that a request existed and what happened to it) are retained for compliance and contain no banking data.
Bank transactions can incidentally reveal sensitive information (for example medical, pharmacy or gambling merchants). We do not seek to derive sensitive-information insights, and we handle any incidental sensitive information in accordance with APP 3.3 and only for the consented purpose. Our services are intended for adults; we do not knowingly collect personal information from people under 18.
StatementIQ does not collect, hold or disclose “credit information” or “credit eligibility information” within the meaning of Part IIIA of the Privacy Act, and we are not a credit reporting body. Banking data shared with us under the CDR is governed by our CDR Policy, not the credit-reporting regime.
Our websites use a small number of strictly necessary cookies: a session cookie to keep firm users signed in to the portal, and security cookies. These are essential to operate the service and cannot be turned off. We do not use advertising, marketing or cross-site tracking cookies.
Website analytics. On our public pages we use our own cookielessanalytics to understand, in aggregate, how the site is used (for example, which pages are visited and roughly where visitors arrive from). It sets no cookies, does not identify you, and does not track you across other websites. We do not use it on the consumer bank-connection (consent) pages or inside the firm portal, and the aggregate data is held by us and not shared with advertising networks or data brokers. We honour your browser’s “Do Not Track” setting — if it is enabled, we do not record your visit.
A short notice about our cookies and analytics appears on your first visit. You can block cookies in your browser at any time, but the portal sign-in will not function without its session cookie.
Messages we send to individuals during the consent process are service communications, not marketing. If we ever send marketing to firm users, it will identify us, and will include a working unsubscribe facility as required by the Spam Act 2003 (Cth); you can also opt out at any time by emailing privacy@statementiq.com.au.
You may request access to, or correction of, the personal information we hold about you (APPs 12 and 13) by emailing privacy@statementiq.com.au. We will verify your identity, respond within 30 days, and provide access unless a lawful exception applies (in which case we will tell you why in writing). There is no charge for making a request.
If a data breach occurs that is likely to result in serious harm, we will act under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act), including containing and assessing the breach and notifying affected individuals and the Office of the Australian Information Commissioner (OAIC) as required.
If you believe we have mishandled your personal information, contact our Privacy Officer at privacy@statementiq.com.au. We will acknowledge your complaint within 1 business day and aim to resolve it within 30 days. Full details, including escalation options, are in our Feedback & Complaints policy.
If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner: oaic.gov.au · 1300 363 992 · GPO Box 5288, Sydney NSW 2001.
We may update this policy from time to time. We will post the current version on this page and update the “last updated” date; material changes will be notified to firm users by email or through the portal.