Privacy Policy

Version – 6 November 2024

 

1. About Us

Kit (“We”, “Us” and “Our”) means CBA New Digital Businesses Pty Ltd (NDB) trading as Hey Kit and a wholly owned subsidiary of the Commonwealth Bank Group which includes the Commonwealth Bank of Australia (CBA) and its subsidiaries (the Group). CBA NDB is responsible for the distribution of the Card and Account and customer service support for Cardholders. Kit is distributed via the Kit app and provides a service for parents or guardians and their children to help raise the financial capability of the next generation by providing simple tools, tips and supporting ideas that promote financial saving, financial independence, and achieving financial goals. Hay, the product issuer, is responsible for the settlement of transactions using the Card. You can find information about Kit on the Kit website at www.heykit.com.au.

 

2. Your privacy is important to Us

At Kit, We understand how important it is to keep any personal information We have, including about visitors browsing the Kit website (www.heykit.com.au) (“Website”) or the Kit app (“App”) and registered members of the Website or the App (“You” and “Your”) private, protected and safe. We are committed to protecting the personal information of individuals with whom We deal.

 

You can be confident that We comply with the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles for the protection and use of personal information. This Kit Privacy Policy (Policy) outlines how We can collect, use, hold and disclose Your personal information.

 

Please read through this Policy carefully prior to using the Website or the App. The personal information We seek to collect about You is necessary for the service We provide. If You do not provide Us with all of the information We require, We may not be able to deliver Our service to You.

 

We update this Policy when things change. You can always find the most up-to-date version through the Website or the App.

 

3. What information do We collect?

When You access the Website or the App We collect Your location information, IP address, mobile device and network information. The recording of such information enables Us to optimise the App for Our users, without identifying them.

 

If You access the Website or the App, We will only store Your personal information if You input it into the Website or the App through an online form, e.g. log in, or email it to Us.

 

Identity and Related Information

If You register for a Kit Account and Kit Card through the App, We will collect personal information directly from You. This will include identification information such as:

  • Your full name, address and date of birth;
  • Your contact details, such as Your email address and phone number;
  • Your identity documents, such as Your driver’s licence or passport;
  • Your tax residency status; and
  • Details about Your children including their names and age.

 

Information about your child

We will collect some information from You about Your child. If You register for a Kit Account and Kit Card We will also collect Your child’s name and age from You. We will also collect the following information about Your child from their use of the Kit App and the Kit Card:

  • their transactional data including spending history on the Kit Card;
  • the names and amounts of Your child’s savings goals;
  • their interactions with the educational content in the Kit App and learning data; and
  • feedback on whether they are enjoying the Kit App.

 

Information about third parties and service providers

We work with organisations who provide services on Our behalf, such as Hay Limited ABN 34 629 037 403 (“Hay”) who are the issuer of the Kit Account and Kit Card and other third parties who assist with providing access to the Website and the App and delivering Our services. We may collect and share Identity and Related Information with those organisations for those purposes.

 

We may also collect information from third parties if you choose to link external services to Your Kit account. For example, if you link a Commonwealth Bank of Australia (CBA) account to Your Kit account, We will collect Your CBA bank account details.

 

Sensitive information

It is unlikely that We will collect information about Your health or ethnicity from You, but if We need to as part of providing You with Our products and services, We’ll ask Your permission and only use it for that purpose.

 

Our service provider, Jumio, will collect an image of your face and images of your identification documents (such as driving licence or passport), for biometric identification purposes on our behalf so we can verify your identity when you open an account.

 

4. How do We use Your information?

We will use Your personal information for the reason We collected it and in order to provide You with Our services. We collect, use and exchange Your information to:
  • Establish and verify Your identity;
  • Service Your account with Us including linking external services to Your Kit account;
  • Improve the products and services on the Website and the App;
  • Manage customer offers provided by CBA in relation to Our products and services;
  • Manage Our risks and help identify and investigate any illegal activity, such as fraud;
  • Contact You, for example if We need to tell You something important or tell You about products or services We think may be of interest to You;
  • Handle Your inquiries and communicate with You on Your inquiries;
  • Provide any other relevant customer support;
  • Conduct internal system development testing and analysis;
  • Conduct research and analytical activities;
  • Comply with Our legal and regulatory obligations and assist government and law enforcement agencies or regulators;
  • Support Our administrative purposes and any other purposes permitted by law; and
  • Any other reason which We specifically notify You of and seek Your consent to prior to using Your personal information.
If You do not provide Us with the information in whole or in part, We may not be able to provide You with Our products and services.
 
By submitting an email to Us or registering via the Website or the App, We may contact You for purposes We prescribe using the personal information You have provided. This includes for responding to Your product or service queries, responding to Your complaints and to share general information and updates about Us with You.
 
How do we use information we collect about Your child?
Spend, savings and learning data we collect about your child is used to provide de-identified, aggregated data insights about how the Kit App is used, that allows us to improve our product and services.
 
Feedback on whether Your child is enjoying the Kit App is used to calculate Our Net Promoter Score (NPS), the framework we use to internally measure whether the product is meeting customer expectations.
 
We do not share information collected about Your child with any third parties.
 
Sending data overseas
We may send Your information to recipients located overseas, including to service providers and other third parties who operate or hold data outside Australia. The purposes for which We may send Your data overseas include for identity verification purposes, managing customer service, reporting and analytical purposes, and system development testing purposes.
 
When We send Your information overseas, it is likely to be to the United Kingdom or the United States of America. These service providers include Apple, Google, Hubspot, ComplyAdvantage, Jumio, Branch, The Trade Desk, Twilio and Sentry. If this happens, We require such organisations to have the appropriate data handling and security arrangements in place to ensure compliance with this Policy and the law.
 
Using data
Improvements in technology enable organisations, like Us, to collect and use information to get a more integrated view of users and provide better products and services. We may combine user information with information available from a wide variety of external sources (for example census or Australian Bureau of Statistics data) to analyse the data in order to gain useful insights.
 
We may share Your information with Our parent company, CBA, for the purposes of identifying whether You are also a customer of CBA, and to tell you about offers provided by CBA in relation to Our products and services. If You are not a customer of CBA, Your information will not be used for marketing purposes by CBA.
 
Do We use information for direct email marketing?
We may use personal information We collect about You to provide direct email marketing offers for Kit products and services which We think may be of interest to You, unless You tell Us not to by opting out at any time. Opt-out may be in the form of an email or other electronic means.
 

5. Cookies and analytics

What are cookies?
Cookies are text files that are downloaded to Your computer or mobile device when You access a website. As You browse, cookies gather and store some information about the way You use that website.
 
Cookies allow the website to recognise Your device each time You visit, providing You with a better experience because the site learns Your preferences as You browse. Some types of cookies also perform essential functions to enhance how the site works.
 
How We use cookies on the Website and the App
Cookies are used on the Website to track Your journey through the Website. The type of cookie We use collects no personal information at all. This simply allows Us to see at a glance which pages and information are of most interest to visitors and members. Most browsers can be configured to refuse to accept cookies. You can also delete cookies; however, doing so may hinder Your access to valuable areas of information within the Website.
 
The App uses Your device’s storage to collect Your device information, such as Your device ID, and to remember Your login details while the App is open on Your device. To delete Your device information, You will need to delete or uninstall the App from Your device.
 
Google Analytics Advertising Features and the cookies it uses
We use Google Analytics features based on Display Advertising. You can opt out of Google Analytics Advertising Features by using the Google Ad Settings within the web browser (https://adssettings.google.com/). In addition, you can use the Google Analytics Opt-Out Browser Add-on (https://tools.google.com/dlpage/gaoptout/) to disable tracking by Google Analytics.
 
We use Google Analytics Demographics and Interest-Reporting to understand the spread of age ranges, gender, and geographic locations of Our users. This enables Us to tailor the Website, content and Our marketing around Our users’ interests.
 
We may use “Remarketing” with Google Analytics and other platforms such as Facebook Retargeting to advertise online. This will utilise different cookies. Third-party vendors, including Google, Facebook and media agencies, show Our ads on websites across the internet. These third-party vendors use the cookies on Our Website to inform, optimise and serve ads based on Your past visits to Our Website.
 
For further information about how Google Analytics collects and processes information, please refer to "How Google uses information from sites or apps that use our services", (located at https://policies.google.com/technologies/partner-sites).
 
Branch Tracking
We use Branch to track when the Kit app is installed from our paid media and other marketing activities. Branch uses various matching mechanisms to detect Your device, operating system and browser and combine that with cookies to check whether You have the app installed, where You are in the customer onboarding process and which channel You downloaded the Kit app from.
 
Device IDs and Profiling
We will share your device ID with Ryvalmedia, The Trade Desk and SCA Listnr for the purposes of analytics and user profiling to allow us to gather insights and refine our advertising. Foxcatcher will develop those insights based on encrypted data and will not have access to the device IDs. Device IDs are captured from the device You use to open Your Kit Account.
 

6. Who do We share Your information with?

We disclose personal information to organisations that help Us provide Our services to You. These may include:
  • Our parent company, the Commonwealth Bank of Australia ABN 48 123 123 124 (CBA);
  • Our third-party product issuer of the Kit Account and Kit Card;
  • Online identity verification and authentication providers;
  • Our suppliers, agents, associates, contractors and external service providers (including, for example, our product issuer, card manufacturer, information technology and marketing technology);
  • Our financial advisers, legal advisers or auditors;
  • Regulatory bodies, government agencies and law enforcement bodies in any jurisdiction; and
  • External dispute resolution schemes.
These organisations include Hay Limited, Visa Inc, Cuscal Limited, GPS, Placard Pty Ltd, Vix Verify, ComplyAdvantage, Twilio Inc, Microsoft Corp (Azure), Amazon Web Services, Featurespace, Look Who’s Charging Pty Ltd, Auth0 Inc (multi-factor authentication), Hubspot, Sentry, MeaWallet, Branch, Ryvalmedia, The Trade Desk, SCA Listnr, Jumio, Apple and Google. For more information about how they use and handle Your personal information, please refer to their privacy policies.
We may also provide personal information about You to external organisations in circumstances where We are required or authorised by law, or with Your express consent.
We will share aggregate data on the performance of the Website and the App with the Group; this may include subsidiaries located outside Australia.
 

7. Keeping Your information safe

We take great care with the information We hold about You. Our aim is to ensure that details are securely protected from misuse, interference, and unauthorised access, modification or disclosure. We take great care to make sure that We keep Your information in an accurate, complete and up-to-date manner.
 
The Website and the App are professionally hosted and operate in a secure environment. The Website and the App use encryption techniques to enhance Your privacy and security when using the Website and the App. You should however be aware that there is always an inherent risk in transmitting Your personal information via the internet, including by email.
The period of time we keep your information will depend on the type of information we hold about you. Generally, your information will be retained while we have an ongoing relationship and for a period of 7 years afterwards, or such other period of time as required under specific legislation relating to the type of information held (for example under the Anti-Money Laundering and Terrorism-Financing Act 2006 (Cth)).
 
We may also retain database backups for 12 months which may contain personal information We have collected from You under this Privacy Policy. This information may be retained for the purposes of complying with applicable laws or for Our own security policies. We may continue to retain de-identified information for analytical and reporting purposes.
 

8. Accessing, updating and correcting Your information

You can access the personal information We hold about You within the App. If You are having trouble accessing the information You can also contact Us and ask to access, update and correct Your information. We try to make Your personal information available within 30 days after You ask Us for it. Before We give You the information, We will need to confirm Your identity. In some cases, We may refuse access or only give You access to certain information. If We do this, We’ll write to You explaining Our decision.
 
Please note, We will not include on the App Your previous address details or Your date of birth for security purposes.
 
It is important for Us, and for You, that the information We hold is accurate and up to date. We allow You to edit certain parts of Your personal information, including Your password, email address and home address details in the Account Settings section on the App. We might contact You periodically or prompt You to update Your personal information when You log into the Website. If Your information isn’t correct or needs updating, let Us know straight away so We can assist You in updating Your information. You can find information on how to contact Us under the Contact Us section of this Privacy Policy.
 

9. Other important information

Links to other websites
We provide You with links from Our Website to other third-party sites. The provision of a link does not imply any endorsement, nor can We accept responsibility for the conduct of third parties linked to Our Website. Once You transfer from Our Website to another website, We are not responsible for the conduct or practices of those third-party websites. When You transfer to another website and before disclosing Your personal information on that website, You should check the applicable privacy policy of that website.
Changes to the privacy policy
Sometimes We update Our Privacy Policy. Any modifications will be effective immediately upon posting the amended Privacy Policy on the Website or the App. We may contact You or notify You when You log into the Website or the App that there have been changes to Our Privacy Policy. You can always find the most up-to-date version on the Website at www.heykit.com.au/privacy-policy
 

10. Making a privacy complaint

We try to get things right the first time – but if We don’t, We’ll do what We can to fix it. If You are concerned about Your privacy, You can make a complaint by emailing us at support@heykit.com.au and We’ll do Our best to sort it out.
 
Once the complaint has been received, We’ll look into the issue and try to resolve it as soon as possible. If We can’t, We’ll write to You to let You know how We’ll manage the complaint.
 
If You’re not satisfied with how We manage Your complaint or Our decision after You have been through Our internal complaints process, the Australian Financial Complaints Authority (AFCA) offers a free independent dispute resolution service for consumer and small business customers of financial service providers.
 
Australian Financial Complaints Authority (AFCA)
Website: www.afca.org.au 
Email: info@afca.org.au 
Phone: 1800 931 678 (free call)
Postal Address: Australian Financial Complaints Authority, GPO Box 3, Melbourne, VIC, 3001
 
If Your complaint is about how We handle Your personal information, You can also contact the Office of the Australian Information Commissioner (OAIC):

Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Ph: 1300 363 992
Postal address: Office of the Australian Information Commissioner, GPO Box 5218, Sydney, NSW, 2001
 

11. Contact Us

Please contact Us if You:
  • Have a concern about the handling, use or disclosure of Your personal information;
  • Would like further information about the way We manage the personal information that We hold;
  • Wish to access or update Your personal information; or 
  • Have any other query or concern
You can contact Us via email at support@heykit.com.au

Our registered business address is: CBA New Digital Businesses Pty Ltd trading as HeyKit

Commonwealth Bank Place South
Level 1
11 Harbour Street
Sydney NSW 2000