1. Introduction
MoneyPattern (operated by MoneyMind Profile Pty Ltd, ABN 33 672 152 073 — referred to in this policy as "MoneyPattern," "we," "us," or "our") values the privacy of everyone who uses our website and Services. We are committed to protecting your Personal Information and being transparent about how we handle it.
This Privacy Policy explains:
- What Personal Information we collect and why
- How we use, share, and protect that information
- Your rights regarding your Personal Information
- How to contact us with privacy questions or concerns
We operate globally, serving users in Australia, the United Kingdom, and the United States. This Privacy Policy is designed to comply with applicable data protection laws in all jurisdictions where we operate, including:
- Australia: Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
- United Kingdom: UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018
- United States: California Consumer Privacy Act (CCPA/CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), and other applicable state privacy laws
2. Scope and Application
2.1 What This Policy Covers
This Privacy Policy applies to Personal Information we collect, use, and disclose when you:
- Visit our websites (including www.moneymindprofile.com and related domains)
- Use our MoneyPattern Profile assessment and related services ("Services")
- Communicate with us via email, chat, or other channels
- Attend our events, webinars, or training sessions
- Subscribe to our newsletter or other communications
2.2 Our Business Model
MoneyPattern is a direct-to-consumer platform. We provide an AI-powered psychological assessment that helps you understand your unique relationship with money — the patterns shaping how you save, invest, plan for retirement, and respond when markets get messy. Our Services include:
- The MoneyPattern™ Profile assessment
- Personalised results, archetype analysis, and behavioural insights
- Educational content and tools to help you act on your results
- Optional access to certified coaches and additional resources
We collect information directly from you so we can deliver and improve these Services.
3. Definitions
For purposes of this Privacy Policy:
"Applicable Data Protection Laws" means all applicable data protection and privacy laws, including: (i) in Australia, the Privacy Act 1988 (Cth) and the Australian Privacy Principles; (ii) in the United Kingdom, the UK GDPR and the Data Protection Act 2018; (iii) in the United States, the CCPA (as amended by the CPRA), VCDPA, CPA, and other applicable state privacy laws; and (iv) any other applicable data protection or privacy laws.
"Controller" (or "Business" under US laws) means the entity that determines the purposes and means of processing Personal Information. We act as the Controller of your Personal Information.
"Data Subject" (or "Consumer" under US laws) means an identified or identifiable natural person whose Personal Information is processed.
"Personal Information" (or "Personal Data") means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable natural person. This includes information defined as "personal information" under the Privacy Act 1988 (Cth), "personal data" under the UK GDPR, and "personal information" under the CCPA.
"Processing" means any operation performed on Personal Information, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, erasure, or destruction.
"Sensitive Personal Information" includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health information, sex life or sexual orientation, and in some jurisdictions, financial account information, Social Security numbers, precise geolocation, and contents of communications.
"Services" means the MoneyPattern platform, the MoneyPattern™ Profile assessment, applications, tools, features, and related services we provide.
"You" and "User" mean the individual using our Services or visiting our websites.
4. Our Role as Data Controller
We are the data controller (or business, under US laws) for all Personal Information we collect through our Services and through your interactions with us.
This means we determine the purposes and means of processing your Personal Information, and we are responsible for honouring your rights under Applicable Data Protection Laws. Section 14 explains those rights in detail and how to exercise them.
5. Personal Information We Collect
The Personal Information we collect depends on how you interact with us and which Services you use.
5.1 Account and Identity Information
When you create an account or use our Services, we may collect:
- Full name
- Email address
- Phone number (optional)
- Date of birth or age range (for assessment context and age verification)
- Country and approximate location
- Username and account ID
- Password (stored in encrypted/hashed form)
- Multi-factor authentication credentials
5.2 Assessment Responses
The MoneyPattern™ Profile is an assessment about your relationship with money. When you take it, you provide responses to questions about your beliefs, habits, emotions, and financial behaviours. We use these responses to generate your profile, your primary archetype, and your personalised insights.
5.3 Financial and Billing Information
- Billing name and address
- Payment method details (processed and stored by our third-party payment processor; we do not store full credit card numbers)
- Purchase history and transaction records
- Subscription plan details (where applicable)
5.4 Communications
- Support requests and help-desk interactions
- Chat messages and correspondence
- Feedback and survey responses
- Training, event, and webinar participation
5.5 Automatically Collected Information
When you visit our website or use our Services, we collect certain information automatically:
- IP address and approximate geolocation
- Browser type and version
- Operating system and device identifiers
- Referring website
- Pages visited, time spent, and links clicked
- Login history and session data
- Features accessed and navigation patterns
- Timestamps and duration of use
5.6 Sensitive Personal Information
Some of the information you choose to share with us through the assessment — for example, your responses about money attitudes, financial anxieties, or financial circumstances — may be considered Sensitive Personal Information in some jurisdictions. We process this information only to provide your profile and the related Services, and we apply enhanced protections (see Section 12). We do not require Sensitive Personal Information beyond what is reasonably needed to deliver the assessment.
5.7 Information From Third Parties
We may receive Personal Information about you from:
- Payment processors — confirmation that your payment was successful, partial card details, billing information
- Analytics providers — aggregated usage data
- Identity verification services — where age or identity verification is required
- Social sign-in providers — if you choose to register or log in using a third-party identity provider, that provider may share basic profile information with us (e.g., name and email address)
6. How We Collect Personal Information
6.1 Direct Collection
We collect information directly from you when you:
- Register and create an account
- Complete the assessment or otherwise input information into the Services
- Complete forms, questionnaires, or surveys
- Communicate with our support team
- Subscribe to newsletters or marketing communications
- Attend events or webinars
- Apply for employment or contractor positions
6.2 Automatic Collection
We use the following technologies to collect information automatically:
- Cookies and similar tracking technologies (see Section 15)
- Web server logs
- Analytics tools
- Session recording for quality assurance and product improvement (with notice)
6.3 Third-Party Sources
We may receive information from service providers we engage on your behalf (payment processors, analytics services, identity verification providers) and from publicly available sources.
6.4 Anonymous and Pseudonymous Use
Website: You may visit our website anonymously. However, certain features and interactive elements may not be available without providing some Personal Information.
Services: Due to the nature of our Services (which require secure authentication and personalised functionality), anonymous use is not practical. You may use a pseudonym for certain communications where lawful and practicable.
7. How We Use Personal Information
We use Personal Information for the purposes described below and only where we have a lawful basis to do so (see Section 8).
7.1 To Provide and Maintain the Services
- Creating and managing your account
- Authenticating you and preventing unauthorised access
- Delivering the assessment and generating your results
- Providing access to features, reports, and tailored content
- Storing your responses and profile
- Providing customer support and technical assistance
- Troubleshooting and resolving issues
- Performing backups and ensuring business continuity
7.2 To Improve and Develop the Services
- Understanding how users interact with our Services
- Analysing usage patterns and trends
- Identifying areas for improvement
- Developing new features and functionality
- Conducting research and analytics
- Testing new products and beta features
- Refining our assessment, scoring, and archetype models
7.3 For Business Operations
- Processing payments and managing subscriptions
- Maintaining internal records
- Performing accounting, auditing, and financial analysis
- Managing vendor and service-provider relationships
- Conducting due diligence for business transactions
- Protecting our business interests and enforcing our rights
7.4 For Communication and Marketing
- Sending transactional emails (account notifications, results, service updates, billing statements)
- Providing customer support via email or chat
- Sending newsletters and marketing communications (with consent where required)
- Inviting you to events, webinars, and training sessions
- Conducting surveys and requesting feedback
- Sharing product updates and feature announcements
You may opt out of marketing communications at any time using the unsubscribe link in our emails or by contacting us.
7.5 For Security and Fraud Prevention
- Detecting and preventing fraud, abuse, and unauthorised access
- Investigating security incidents and policy violations
- Monitoring for malicious activity and threats
- Maintaining the security and integrity of our systems
- Enforcing our Terms of Use and Acceptable Use Policy
- Protecting against legal liability
7.6 For Compliance and Legal Obligations
- Complying with applicable laws, regulations, and legal process
- Responding to lawful requests from authorities
- Defending legal claims and protecting legal rights
- Maintaining records as required by law
- Conducting internal audits and compliance reviews
- Meeting regulatory reporting obligations
7.7 With Your Consent
Where required by applicable law, we will obtain your consent before using Personal Information for purposes not covered above.
8. Legal Bases for Processing (International Users)
For users in jurisdictions requiring a legal basis for processing (such as the UK and EU under GDPR), we rely on the following legal bases:
8.1 Contract Performance
We process Personal Information to perform our contract with you, including:
- Providing access to the Services
- Delivering your assessment results
- Providing customer support
- Processing payments
8.2 Legitimate Interests
We process Personal Information for our legitimate business interests, including:
- Improving and developing the Services
- Conducting marketing and business development
- Preventing fraud and enhancing security
- Analysing usage and performance
- Managing business operations
We conduct balancing assessments to ensure our legitimate interests do not override your rights and interests.
8.3 Legal Obligations
We process Personal Information to comply with legal and regulatory obligations, including:
- Responding to lawful requests
- Meeting record-keeping requirements
- Complying with tax and financial regulations
8.4 Consent
Where required or appropriate, we process Personal Information based on your consent, including:
- Marketing communications (where consent is required)
- Certain cookie uses
- Processing Sensitive Personal Information (where applicable)
You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
8.5 Vital Interests
In rare circumstances, we may process Personal Information to protect vital interests (yours or another person's), such as in emergency situations.
9. How We Share and Disclose Personal Information
We do not sell, rent, or lease Personal Information to third parties. We share Personal Information only as described below.
9.1 Service Providers and Subprocessors
We engage trusted third-party service providers to perform functions on our behalf, including:
Infrastructure and hosting:
- Cloud hosting providers (data centres and servers)
- Content delivery networks
- Data backup and disaster recovery services
Payment processing:
- Payment gateways and processors
- Billing and invoicing platforms
Communication and support:
- Email delivery services
- Chat and messaging platforms
- Customer relationship management systems
- Help-desk and ticketing systems
Analytics and performance:
- Website and application analytics
- Performance monitoring and error tracking
- User-behaviour analysis
Security and fraud prevention:
- Identity verification services
- Fraud detection and prevention tools
- Security monitoring services
Marketing and outreach:
- Email marketing platforms
- Event management systems
- Webinar and video-conferencing tools
All service providers are bound by contractual obligations to:
- Use Personal Information only for the specified purposes
- Implement appropriate security measures
- Comply with Applicable Data Protection Laws
- Not use Personal Information for their own purposes
9.2 Within the MoneyPattern Organisation
We may share Personal Information among MoneyPattern entities and affiliates for:
- Internal administration and reporting
- Customer support and service delivery
- Business operations and management
- Product development and improvement
All internal sharing is subject to appropriate data-protection safeguards.
9.3 Business Transfers
If we are involved in a merger, acquisition, asset sale, reorganisation, bankruptcy, or similar transaction, Personal Information may be transferred as part of that transaction. We will:
- Provide notice before Personal Information is transferred
- Ensure the receiving party maintains protections at least as protective as this Privacy Policy
- Provide you with choices regarding the use of your Personal Information
9.4 Legal and Regulatory Requirements
We may disclose Personal Information when required or permitted by law, including:
To comply with legal obligations:
- Court orders, subpoenas, or other legal process
- Regulatory investigations and examinations
- Tax authorities and financial regulators
- Law-enforcement requests (where lawful)
To protect rights and interests:
- Defending legal claims
- Enforcing our Terms of Use and policies
- Protecting against fraud, abuse, or illegal activity
- Safeguarding the security and integrity of our Services
- Protecting the safety of individuals
With your consent or direction:
- When you authorise us to share your information
- When you direct us to integrate with third-party services
- When you participate in co-sponsored events or programs
We will notify you of legal requests for your Personal Information unless prohibited by law or where notice would be counterproductive.
9.5 Aggregated and De-Identified Information
We may share aggregated, anonymised, or de-identified information that cannot reasonably be used to identify you, including:
- Aggregated assessment data
- Statistical data and research findings
- Industry benchmarks and trends
- Usage analytics and performance metrics
Such information is not Personal Information and is not subject to this Privacy Policy.
9.6 No Sale of Personal Information
We do not sell Personal Information. Under California law (CCPA), "sale" has a broad meaning that includes sharing for monetary or other valuable consideration. We do not engage in such activities.
10. International Data Transfers
10.1 Global Operations
MoneyPattern operates globally and may transfer Personal Information to countries other than where you are located, including:
- Australia (where our primary operations are based)
- United States (where our cloud hosting infrastructure is located)
- United Kingdom (where we maintain offices)
- Other countries where our service providers operate
10.2 Adequacy Decisions
Where possible, we transfer Personal Information to countries recognised as providing adequate protection. The European Commission has recognised certain countries (including the UK, post-Brexit) as providing adequate protection for personal data.
10.3 Safeguards for International Transfers
When transferring Personal Information to countries not recognised as providing adequate protection, we implement appropriate safeguards, including:
Standard Contractual Clauses (SCCs):
- We use the European Commission's Standard Contractual Clauses for transfers from the EU/EEA
- We use the UK International Data Transfer Agreement (IDTA) or Addendum for transfers from the UK
- These clauses provide contractual protections for your Personal Information
Supplementary measures:
- Encryption in transit and at rest
- Strict access controls and authentication
- Regular security assessments
- Data-minimisation practices
10.4 Your Consent
By using our Services or providing Personal Information, you acknowledge and consent (where required by law) to the transfer of your Personal Information to countries that may have different data-protection laws than your country of residence.
11. Aggregated and De-Identified Data
11.1 Our Use of Aggregated Data
We create aggregated, anonymised, and de-identified data from user information to:
- Improve the Services and develop new features
- Conduct research and analytics
- Generate industry insights and benchmarks
- Produce statistical reports and trends
- Enhance our assessment, scoring, and archetype models
11.2 De-Identification Process
When we aggregate and de-identify data:
- We remove all direct identifiers (names, email addresses, account IDs)
- We apply statistical techniques to prevent re-identification
- We ensure the data cannot reasonably be linked back to individuals
- We combine data from multiple users to prevent identification
11.3 No Re-Identification
We commit to not attempting to re-identify aggregated or de-identified data and to implementing measures to prevent others from doing so.
12. Data Security
12.1 Our Commitment to Security
We take data security seriously and implement comprehensive administrative, technical, and physical safeguards to protect Personal Information against unauthorised access, use, disclosure, alteration, or destruction.
12.2 Technical Safeguards
Encryption:
- Data in transit is encrypted using Transport Layer Security (TLS 1.2 or higher)
- Data at rest is encrypted using industry-standard encryption algorithms
- Database encryption protects stored information
- Password storage uses strong cryptographic hashing
Access controls:
- Multi-factor authentication (MFA) for user access
- Role-based access controls (RBAC) limiting access to authorised personnel
- Least-privilege principle (users have only necessary access)
- Regular access reviews and revocations
- Secure API authentication and authorisation
Network security:
- Firewalls and intrusion detection/prevention systems
- Network segmentation and isolation
- DDoS protection and mitigation
- Regular security patching and updates
- Vulnerability scanning and penetration testing
Application security:
- Secure software development lifecycle (SDLC)
- Code reviews and security testing
- Input validation and sanitisation
- Protection against common vulnerabilities (OWASP Top 10)
- Security headers and configurations
12.3 Administrative Safeguards
Policies and procedures:
- Comprehensive information-security policies
- Data classification and handling procedures
- Incident response and disaster recovery plans
- Vendor management and due diligence
- Regular policy reviews and updates
Personnel:
- Background checks for employees with access to Personal Information
- Confidentiality and non-disclosure agreements
- Security awareness training and education
- Clear roles and responsibilities
- Separation of duties
Monitoring and auditing:
- Security information and event management (SIEM)
- Log monitoring and analysis
- Regular security assessments and audits
- Third-party security certifications (SOC 2, ISO 27001 in progress)
- Continuous compliance monitoring
12.4 Physical Safeguards
Our infrastructure is hosted in secure, certified data centres with physical access controls, environmental controls, redundant power and network connectivity, and 24/7 security monitoring. Our offices employ access controls, visitor management, secure disposal of physical media, and clean-desk policies.
12.5 Your Responsibilities
Security is a shared responsibility. We encourage you to:
- Use a strong, unique password
- Enable multi-factor authentication
- Keep your login credentials confidential
- Log out when finished using the Services
- Report suspicious activity immediately
- Keep your devices and software up to date
- Use secure networks when accessing the Services
- Be cautious of phishing attempts
12.6 No Absolute Security
Despite our efforts, no security measures are perfect or impenetrable. We cannot guarantee absolute security of Personal Information. Internet transmissions are never completely private or secure, and any information you transmit may be intercepted by others.
12.7 Security Incidents
In the event of a data breach or security incident affecting Personal Information, we will promptly investigate and contain the incident, notify affected individuals as required by applicable law, notify relevant regulatory authorities, take steps to prevent recurrence, and cooperate with investigations. See Section 18 for more detail.
13. Data Retention
13.1 Retention Principles
We retain Personal Information only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.
13.2 Retention Periods
Account and assessment information:
- Active accounts: For the duration of your relationship with us, plus up to 30 days after account closure to allow for reactivation
- Closed accounts: Deleted or anonymised within 30 days of account closure, unless longer retention is required by law
- Backup copies: Retained for an additional 90 days in backup systems, then permanently deleted
Financial and transaction records:
- Billing and payment information: Retained for 7 years to comply with tax and accounting requirements
- Invoice records: Retained for 7 years
Communications and support:
- Support tickets and correspondence: Retained for 3 years
- Chat logs: Retained for 1 year
- Marketing communications: Until you unsubscribe, then deleted within 30 days
Website analytics and logs:
- Server logs: Retained for 90 days
- Aggregated and anonymised analytics data may be retained indefinitely
Legal and compliance:
- Records required by law: Retained for the period required by applicable law
- Litigation hold: Personal Information relevant to legal proceedings retained until the matter is resolved
13.3 Secure Deletion
When Personal Information is no longer needed, we delete it from production systems, overwrite or degauss physical media, ensure backups are purged according to retention schedules, and use secure deletion methods to prevent recovery.
13.4 Requesting Deletion
You may request deletion of your Personal Information at any time (see Section 14). We will honour such requests subject to:
- Legal obligations requiring retention
- Legitimate business needs (e.g., fraud prevention)
- Technical limitations (e.g., backup retention cycles)
13.5 Exceptions
We may retain Personal Information longer than standard retention periods when required by applicable law or regulation, necessary for legal claims or disputes, needed for audit or compliance purposes, or subject to a litigation hold or investigation.
14. Your Privacy Rights
Depending on your jurisdiction, you may have various rights regarding your Personal Information. We respect these rights and provide mechanisms to exercise them.
14.1 Rights Under Australian Privacy Law
If you are in Australia, you have the right to:
- Access: Request access to the Personal Information we hold about you. We will provide access unless an exception applies under the Privacy Act.
- Correction: Request correction of inaccurate, outdated, incomplete, or misleading Personal Information.
- Complaints: Lodge a complaint with us about our handling of your Personal Information. We will investigate and respond in accordance with the APPs.
14.2 Rights Under UK GDPR
If you are in the UK or EU, you have the right to:
- Access: Request a copy of the Personal Data we process about you (subject access request).
- Rectification: Request correction of inaccurate or incomplete Personal Data.
- Erasure: Request deletion of your Personal Data in certain circumstances (right to be forgotten).
- Restriction: Request that we restrict processing of your Personal Data in certain circumstances.
- Portability: Request to receive your Personal Data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Object: Object to processing based on legitimate interests or for direct marketing purposes.
- Automated decision-making: Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects (our Services do not make fully automated decisions with such effects).
- Withdraw consent: Where processing is based on consent, withdraw that consent at any time.
- Complain: Lodge a complaint with a supervisory authority (e.g., the Information Commissioner's Office in the UK).
14.3 Rights Under US Privacy Laws (CCPA, VCDPA, CPA, etc.)
If you are in California, Virginia, Colorado, or another state with consumer privacy rights, you have the right to:
- Know: Request information about the categories and specific pieces of Personal Information we collect, use, and disclose about you.
- Delete: Request deletion of your Personal Information, subject to certain exceptions.
- Correct: Request correction of inaccurate Personal Information (in some states).
- Opt out: Opt out of the "sale" or "sharing" of Personal Information (we do not sell or share Personal Information as defined by these laws).
- Limit use of Sensitive Personal Information: Limit the use of Sensitive Personal Information to certain permitted purposes (in some states).
- Non-discrimination: Not receive discriminatory treatment for exercising your privacy rights.
- Authorised agent: Designate an authorised agent to make requests on your behalf.
- Appeal: Appeal our decision regarding your privacy request (in some states).
14.4 How to Exercise Your Rights
To exercise any of these rights, please contact us at support@moneymindprofile.com. We will respond to your request within the timeframes required by applicable law. We may need to verify your identity before fulfilling your request.
15. Cookies and Tracking Technologies
15.1 What Are Cookies?
Cookies are small text files placed on your device when you visit a website. They help websites remember information about your visit, such as your preferences and login status.
15.2 Types of Cookies We Use
Essential cookies — necessary for the Services to function properly and cannot be disabled:
- Authentication cookies (to keep you logged in)
- Security cookies (to detect authentication abuse and fraud)
- Session cookies (to maintain your session state)
- Load-balancing cookies (to distribute traffic efficiently)
Performance and analytics cookies — help us understand how visitors interact with our Services:
- Google Analytics (website traffic and usage patterns)
- Application performance monitoring
- Error tracking and debugging
- Heat mapping and session recording (with notice)
Functionality cookies — enable enhanced functionality and personalisation:
- User preference settings
- Language and region preferences
- Feature toggles and A/B testing
- Customised interface settings
Marketing and advertising cookies — track your activity across websites to deliver relevant marketing content:
- Marketing-campaign tracking
- Conversion tracking
- Retargeting and remarketing
- Social-media integration
15.3 Third-Party Cookies
We use cookies from trusted third-party service providers, including Google Analytics, HubSpot, Intercom, LinkedIn Insights, and Stripe (payment processing). These third parties may use cookies to collect information about your online activities over time and across different websites.
15.4 Other Tracking Technologies
- Web beacons (pixels): small graphic images embedded in emails or web pages to track opens, clicks, and conversions.
- Local storage: HTML5 local storage and session storage to store preferences and application state.
- Device fingerprinting: collection of device and browser characteristics for fraud prevention and security purposes.
15.5 Managing Cookies and Tracking
You have control over cookies and tracking technologies:
Browser settings: Most browsers allow you to block all cookies, block third-party cookies only, delete cookies after each session, or receive notifications before cookies are stored. Blocking essential cookies may prevent you from using certain features of our Services.
Cookie preference centre: When you first visit our website, you can manage your cookie preferences through our cookie banner. You can update your preferences at any time by clicking the "Cookie Settings" link in the website footer.
Opt-out tools:
- Google Analytics Opt-Out: tools.google.com/dlpage/gaoptout
- Network Advertising Initiative: optout.networkadvertising.org
- Digital Advertising Alliance: optout.aboutads.info
Do Not Track (DNT): Our Services do not currently respond to Do Not Track signals because there is no industry standard for compliance. We continue to monitor developments in DNT technology.
Mobile-app tracking: For mobile applications, you can control tracking through your device settings (iOS: Settings > Privacy > Tracking; Android: Settings > Google > Ads > Opt out of Ads Personalisation).
15.6 Cookie Retention
Session cookies are deleted when you close your browser. Persistent cookies remain until their expiration date or until they are manually deleted; our cookies typically expire between 30 days and 2 years.
16. Third-Party Links and Services
16.1 Links to External Websites
Our Services and website may contain links to third-party websites, applications, and services that are not operated or controlled by MoneyPattern.
16.2 No Responsibility for Third-Party Practices
We are not responsible for the privacy practices of third-party websites, the content or accuracy of external sites, the security of information you provide to third parties, third-party terms of use or privacy policies, or products or services offered by third parties.
16.3 Third-Party Privacy Policies Apply
When you click on a link to a third-party website or use a third-party service, you leave our Services and their privacy policy applies. We encourage you to read their privacy policy before providing Personal Information.
16.4 Social-Media Features
Our Services may include social-media features and widgets (e.g., LinkedIn share button, Twitter feed). These features may collect your IP address and which page you are visiting, set cookies to enable proper functionality, and be hosted by the social-media platform or directly on our Services. Your interactions with these features are governed by the privacy policy of the company providing them.
16.5 Embedded Content
We may embed content from third-party services (e.g., YouTube videos, surveys). Embedded content may place cookies on your device, track your interaction with the content, collect analytics data, and be subject to the third party's privacy policy.
16.6 No Endorsement
Links to third-party sites do not imply endorsement of those sites, their content, products, or services. We provide links for convenience and informational purposes only.
17. Children's Privacy
17.1 Age Restrictions
Our Services are not directed to, and we do not knowingly collect Personal Information from, children under the age of 18 (or the applicable age of majority in their jurisdiction). MoneyPattern is designed for adults.
17.2 No Intentional Collection from Children
We do not knowingly collect Personal Information from children under 18, market our Services to children, allow children to create accounts, or knowingly allow children to use our Services.
17.3 Parental Rights
If we become aware that we have collected Personal Information from a child under 18 without parental consent, we will delete the information as soon as possible, terminate any associated account, prevent future collection from that individual, and notify the parent or guardian if contact information is available.
17.4 Parent or Guardian Notice
If you are a parent or guardian and believe your child has provided Personal Information to us, please contact us immediately at support@moneymindprofile.com with subject "Children's Privacy Concern" and include your name and contact information, your child's name and age, a description of the information provided, and any relevant account details. We will promptly investigate and take appropriate action.
17.5 Age Verification
While we do not specifically verify the age of users, we require users to represent that they are at least 18 years old, include age restrictions in our Terms of Use, reserve the right to request age verification, and will terminate accounts if we learn the user is under 18.
17.6 Compliance with Children's Privacy Laws
We comply with applicable children's privacy laws, including the Children's Online Privacy Protection Act (COPPA) in the United States, the age-appropriate design code in the United Kingdom, and similar laws in other jurisdictions where we operate.
18. Data Breach Notification
18.1 Our Commitment to Security
While we implement comprehensive security measures (see Section 12), we recognise that no system is completely secure. In the event of a data breach affecting Personal Information, we are committed to transparency and prompt action.
18.2 What Constitutes a Data Breach
A data breach includes unauthorised access to Personal Information, accidental or unlawful destruction of Personal Information, loss, alteration, or disclosure of Personal Information, any compromise of security leading to Personal Information exposure, ransomware or malware incidents affecting Personal Information, and insider threats or unauthorised employee access.
18.3 Our Incident-Response Process
Detection and verification: continuous monitoring for security incidents, rapid investigation of potential breaches, verification of incident scope and impact, and documentation of all findings.
Containment and mitigation: immediate steps to stop the breach, isolation of affected systems, prevention of further unauthorised access, and preservation of evidence for investigation.
Assessment: determination of affected individuals, identification of compromised Personal Information, evaluation of potential harm, and assessment of legal notification obligations.
Notification: notification of affected individuals as required by law, reporting to relevant regulatory authorities, and public disclosure if required.
Remediation: steps to prevent recurrence, security improvements and updates, enhanced monitoring and controls, and review and update of security policies.
18.4 Notification to Individuals
If a data breach is likely to result in a risk to your rights and freedoms, we will notify you without undue delay. Our notification will include:
- Description of the nature of the breach
- Categories and approximate number of individuals affected
- Categories and approximate number of records affected
- Likely consequences of the breach
- Measures we have taken or propose to take to address the breach
- Contact information for questions and further information
- Recommended steps you should take to protect yourself
Method of notification: email to the address on file, prominent notice on our website, direct communication through the Services, postal mail if email is not available, or other appropriate means based on the circumstances.
Timing: without undue delay after discovery, within 72 hours where required by law (UK GDPR), as soon as practicable (Australian Privacy Act), or without unreasonable delay (US state laws). Specific timelines vary by jurisdiction.
18.5 Notification to Regulatory Authorities
UK and EU (GDPR): Information Commissioner's Office (ICO) in the UK within 72 hours of becoming aware; other EU supervisory authorities if applicable; documentation of breaches regardless of notification requirement.
Australia: Office of the Australian Information Commissioner (OAIC) in the case of an eligible data breach where serious harm is likely, as soon as practicable after becoming aware.
United States: state attorneys general as required by state breach-notification laws, Federal Trade Commission for certain breaches, and other regulatory bodies based on industry and data type. Timelines vary by state (typically 30–90 days).
18.6 Exceptions to Notification
We may delay or not provide notification if law enforcement requests delay for investigation purposes, notification would impede a criminal investigation, a competent authority determines notification is not necessary, the breach is unlikely to result in risk to individuals (after risk assessment), or appropriate technical and organisational measures render data unintelligible (e.g., strong encryption). We document the reasoning for any decision not to notify.
18.7 Your Responsibilities After a Breach
If we notify you of a data breach, we recommend you change your password immediately, enable multi-factor authentication if not already enabled, monitor your accounts for suspicious activity, review account statements and transaction history, be alert for phishing attempts exploiting the breach, consider placing fraud alerts or credit freezes (if applicable), and contact us if you notice any suspicious activity.
18.8 Reporting a Security Concern
If you discover or suspect a security vulnerability or data breach, contact us immediately at support@moneymindprofile.com with subject "Security Incident Report." Please include a description of the issue or incident, steps to reproduce (if applicable), potential impact, and any evidence or supporting information.
Please do not publicly disclose the vulnerability before we have addressed it, access or modify data beyond what is necessary to demonstrate the issue, or disrupt our Services or other users. We appreciate responsible disclosure and will work with security researchers to address reported vulnerabilities.
19. Changes to This Privacy Policy
19.1 Right to Modify
We reserve the right to modify, update, or change this Privacy Policy at any time to reflect changes in our Services or business practices, new legal or regulatory requirements, feedback from users and stakeholders, industry best practices and standards, technological developments, or organisational changes.
19.2 Types of Changes
Material changes significantly affect your rights or how we handle Personal Information, including new categories of Personal Information collected, new purposes for processing, new categories of third parties with whom we share information, significant changes to retention periods, changes to your rights or how to exercise them, and transfers to new countries or regions.
Non-material changes include clarifications or corrections, updates to contact information, formatting or organisational improvements, addition of examples or explanations, and updates to reflect current practices without substantive change.
19.3 How We Notify You of Changes
For material changes: email notification to registered users (at least 30 days before effective date), prominent banner on our website and in the Services, in-app notification upon next login, update to the "Effective Date" at the top of this Policy, and a summary of key changes in the notification.
For non-material changes: update to the "Effective Date" at the top of this Policy. Changes are reflected in the posted Privacy Policy with no separate notification required.
19.4 Advance Notice Period
For material changes, we will provide at least 30 days' notice before the changes take effect, allowing you time to review the changes and make decisions about continued use. You may object to material changes or close your account during this period.
19.5 Your Acceptance of Changes
By continuing to use our Services after changes become effective, you accept the updated Privacy Policy. If you disagree with changes, you may stop using the Services, close your account, or exercise your privacy rights (deletion, data portability, etc.). You will not be penalised for objecting to changes.
19.6 Legal Requirements
Some changes may be required by law or regulatory mandate. In such cases, we will implement changes as required by applicable law and will explain the legal basis for the change, but we may have limited ability to provide advance notice. Your continued use may be subject to the updated terms.
19.7 Consulting Previous Versions
To request a copy of a previous version of this Privacy Policy, contact us at support@moneymindprofile.com with subject "Privacy Policy Previous Version Request" and include the version number or effective date requested. We will provide the requested version within 14 days.
20. Jurisdiction-Specific Information
This section provides additional information for individuals in specific jurisdictions. These provisions supplement the rest of this Privacy Policy.
20.1 Australia
Governing law: This Privacy Policy and our data practices comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Australian Privacy Commissioner: Office of the Australian Information Commissioner (OAIC). Website: oaic.gov.au. Phone: 1300 363 992. Email: enquiries@oaic.gov.au.
Your rights: right to access your Personal Information (APP 12), right to correct your Personal Information (APP 13), and right to make a privacy complaint (APP 1).
Overseas disclosure: We may disclose Personal Information to overseas recipients, including cloud service providers in the United States and service providers in various jurisdictions (see Section 10 for safeguards we implement). You acknowledge and consent to such overseas disclosure. We take reasonable steps to ensure overseas recipients comply with the APPs.
Direct marketing: We may use your Personal Information for direct marketing where you would reasonably expect us to do so, we provide a simple opt-out mechanism, or you have consented (for sensitive information).
Complaints process: If you have a privacy complaint, contact us using the details in Section 21. We will acknowledge your complaint within 7 days and investigate and respond within 30 days. If you are not satisfied, you may contact the OAIC.
Notifiable Data Breaches: We comply with the Notifiable Data Breaches (NDB) scheme. We will assess data breaches for likelihood of serious harm and notify you and the OAIC of eligible data breaches as soon as practicable.
Australian Consumer Law: Nothing in this Privacy Policy excludes, restricts, or modifies any rights you have under the Australian Consumer Law or other Australian consumer-protection laws.
20.2 United Kingdom
Governing law: Our data practices comply with the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR).
Supervisory authority (United Kingdom): Information Commissioner's Office (ICO). Website: ico.org.uk. Phone: 0303 123 1113. Email: casework@ico.org.uk.
European Economic Area: Contact your local Data Protection Authority. Website: edpb.europa.eu.
Your rights: You have the rights described in Section 14.2, including access (Article 15), rectification (Article 16), erasure (Article 17), restriction of processing (Article 18), data portability (Article 20), the right to object (Article 21), and rights related to automated decision-making (Article 22).
Legal bases: We process your Personal Data based on performance of contract (Article 6(1)(b)), legitimate interests (Article 6(1)(f)), legal obligations (Article 6(1)(c)), consent (Article 6(1)(a)), and vital interests (Article 6(1)(d)). See Section 8 for detailed information.
International transfers: When we transfer Personal Data outside the UK/EEA, we use Standard Contractual Clauses (SCCs), implement supplementary measures as needed, and conduct transfer impact assessments. See Section 10 for more information.
Complaints: You have the right to lodge a complaint with the ICO or your local supervisory authority at any time.
Automated decision-making: Our Services do not make solely automated decisions that produce legal or similarly significant effects about you.
20.3 United States
State-specific privacy laws: We comply with applicable state privacy laws, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), and other state privacy laws.
Your rights: Depending on your state, you may have the rights described in Section 14.3, including the right to know what Personal Information we collect, the right to delete Personal Information, the right to correct inaccurate Personal Information, the right to opt out of sale/sharing, the right to limit use of Sensitive Personal Information, and the right to non-discrimination.
California-specific information: Under the CCPA/CPRA, California residents have specific rights regarding their Personal Information. We collect the categories described in Section 5, which may include identifiers (name, email, IP address), commercial information (purchase history, subscription details), internet/network activity (usage data, browsing history), and inferences (preferences, characteristics). We do not sell or share Personal Information as defined by the CCPA/CPRA. See Section 13 for retention periods. We do not use or disclose Sensitive Personal Information for purposes other than those permitted under CCPA Section 1798.121.
Shine the Light Law: California Civil Code Section 1798.83 permits California residents to request information about our disclosure of Personal Information to third parties for their direct-marketing purposes. We do not disclose Personal Information to third parties for their direct-marketing purposes.
California minor rights: If you are under 18 and a registered user, you may request removal of content you posted publicly. Contact us using the information in Section 21.
Virginia, Colorado, Connecticut, Utah: Residents of these states have similar rights under their respective state privacy laws. You may exercise these rights using the methods described in Section 14.4.
Do Not Sell My Personal Information: We do not sell Personal Information. If our practices change, we will update this Privacy Policy and provide an opt-out mechanism.
Financial incentives: We do not offer financial incentives in exchange for Personal Information.
Authorised agents: You may designate an authorised agent to make privacy requests on your behalf. The agent must provide proof of authorisation.
Appeal rights: If we deny your privacy request, you may appeal by contacting us at support@moneymindprofile.com. We will respond to appeals within the timeframe required by applicable law.
20.4 Other Jurisdictions
Canada: We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws.
New Zealand: We comply with the Privacy Act 2020.
Other countries: If you are located in a jurisdiction not specifically mentioned, we will comply with applicable local data-protection laws. Contact us for jurisdiction-specific information.
20.5 Conflicts
If there is a conflict between the general provisions of this Privacy Policy and the jurisdiction-specific provisions, the jurisdiction-specific provisions control for individuals in that jurisdiction, the more protective provision applies if ambiguity exists, and we interpret this Privacy Policy in accordance with applicable law.
20.6 Translation
This Privacy Policy is provided in English. If we provide translations, the English version is the authoritative version, translations are provided for convenience only, and in case of discrepancies the English version prevails.
21. Contact Us
For privacy questions, requests, or concerns — including to exercise any of the rights described in Section 14 — please contact us:
Email: support@moneymindprofile.com
Postal mail: MoneyMind Profile Pty Ltd (trading as MoneyPattern)
ABN 33 672 152 073
We will respond to your inquiry as soon as practicable and within the timeframes required by applicable law.