Privacy Policy
Version 2.0 · Last updated: 5 May 2026
This policy explains how The Rask Group Pty Ltd (ACN 622 810 995) collects, uses, stores, and protects personal information across the Rask platform — rask.au, app.rask.au, and any related services. We follow the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), our AFSL obligations, the Notifiable Data Breaches scheme, and — for cashflow / open-banking data — the Consumer Data Right (CDR) Privacy Safeguards.
1. Who we are
- The Rask Group Pty Ltd (ACN 622 810 995) owns the websites, content, tools, and platform, and is the data controller for personal information collected through them.
- Rask Advice Pty Ltd (ABN 68 683 296 291, CAR No. 1313447) provides personal financial advice through the /plan workspace inside app.rask.au, and is the data controller for personal information collected during that advice engagement.
- Rask Licensing Pty Ltd (AFSL 563 907) is the authorising licensee for both businesses and an AFCA member (member 111423).
2. What we collect
The information we collect depends on how you use Rask. We try to collect only what we need.
- Identity and contact details. Name, email, phone, postal address, and date of birth where required.
- Account and authentication data. Login identifiers, password hashes, multi-factor authentication state, security tokens, session metadata, and audit logs of significant actions.
- Financial information you provide. Information you enter into fact-finds, calculators, or onboarding forms — including assets, liabilities, income, expenses, goals, dependants, employer details, super fund and insurance details, and beneficiaries — plus documents you upload (super statements, payslips, insurance schedules, tax returns, etc.).
- Cashflow / open-banking data. If you connect a bank, super, credit card, or loan account via our open-banking partner, we receive transaction history, account balances, and account metadata. This is governed by the CDR Privacy Safeguards — see Section 6.
- Investment and portfolio data. Holdings, transactions, and pricing data from your connected portfolio integrations.
- Communications. Messages, chat transcripts, support tickets, webinar interactions, and any content you send to us.
- Usage data. Device, browser, IP address, page views, sanitised URL paths, feature interactions, error diagnostics, and similar telemetry — used to keep the platform secure and reliable and to improve it.
- Cookies and similar technologies. See our Cookie Policy. Analytics cookies are disabled by default until you grant consent.
We do not knowingly collect "sensitive information" (as defined in the Privacy Act — including health, racial, political, religious, or sexual-orientation information) unless you choose to share it as part of a personal advice engagement and it is reasonably necessary for that advice.
3. How we use information
- To deliver, secure, and maintain the Rask platform and its services.
- To operate your account — authentication, role assignment, and access controls.
- To provide membership features (Free, Pro, Super, Ultra), general financial information, and platform tools.
- To support personal advice engagements with Rask Advice Pty Ltd, including preparing Statements of Advice and providing ongoing service.
- To process payments and bill subscriptions through our payment processor.
- To detect, prevent, and respond to fraud, misuse, and security incidents.
- To meet our legal, regulatory, audit, and record-keeping obligations under the Corporations Act, our AFSL, the AML/CTF Act, and the Privacy Act.
- To communicate with you about service updates, billing, support, and (where you have not opted out) Rask news and education content.
- To improve our products and services based on aggregated, de-identified usage patterns.
4. Sharing & disclosure
We don't sell your personal information. We share it only where it's necessary to deliver our services, where you have consented, or where the law requires it.
- Within the Rask group. Between The Rask Group, Rask Advice, and Rask Licensing — only as needed to provide the services you've engaged us for.
- Service providers (processors). Trusted vendors that operate parts of the platform under our instructions and contractual data-handling obligations. See Section 7 for the principal processor list.
- Your authorised representatives. Your assigned adviser, support staff, and any third party (such as an accountant) you have explicitly granted access through the platform.
- Referral partners. Where you have asked us to refer you (for example, mortgage broking or accounting), with your consent.
- Regulators and authorities. Where required by law or by an Australian regulator (e.g. ASIC, AUSTRAC, ATO), by AFCA, or by a court order or lawful subpoena.
- To protect rights and safety. Where reasonably necessary to enforce our terms, investigate fraud, or protect the rights, property, or safety of Rask, our users, or others.
- Business transactions. If Rask undergoes a merger, acquisition, or asset sale, we may transfer information to the successor entity under continuing privacy protections.
5. AI processing
AI features inside Rask — the AI assistant, advice drafting helpers, document summarisers, and Q&A — are powered by selected AI providers. We treat AI as one of our most sensitive data flows and apply specific controls.
- Providers. We currently use OpenAI, Anthropic, Google (Gemini), and xAI (Grok) for various AI features. Each operates under data-handling agreements.
- No training on your data. We do not permit our AI providers to use your prompts or outputs to train their models, and we configure their APIs accordingly.
- Data minimisation. We avoid sending unnecessary personal information into prompts. Identifiers are redacted or replaced with surrogates where practical.
- Human oversight. AI-generated content is supervised. Personal advice is always authored and reviewed by a human authorised representative before it reaches you.
- Caveats. AI outputs can be wrong or incomplete. You should never rely on AI output as personal advice unless it is delivered to you formally as part of a Statement of Advice or Record of Advice from Rask Advice Pty Ltd.
6. Consumer Data Right (CDR) — cashflow & open banking
When you connect a bank, super, credit card, or loan account through Rask's cashflow feature, we collect and use that data under the CDR Privacy Safeguards (Privacy Safeguards 1–13) in addition to the Australian Privacy Principles. The information below applies specifically to CDR data.
What we collect, why, and how
- We use a CDR-accredited data-recipient partner to collect transaction history (default 12 months unless a narrower range is requested), account balances, and account metadata for the accounts you choose to connect.
- You authenticate directly with your bank — Rask never sees your banking password.
- We use this data only to power the Rask cashflow tools you have engaged with, and (where you have engaged Rask Advice) to inform personal advice.
Hosting, encryption, and access
- Persistent CDR data is hosted on Google Cloud Platform within Australia (Melbourne region).
- Provider credentials are encrypted with AES-256-GCM at the application layer before they're written to disk; data at rest is additionally protected by GCP at-rest encryption.
- Webhook callbacks from our open-banking partner are signature-verified before they're accepted.
- Access to CDR data inside Rask is gated by role-based access control, audit logging, and (for cashflow product surfaces) a verified-email plus multi-factor-authentication requirement.
No sale, no commercial disclosure, no de-identification re-use
- We do not sell CDR data or insights derived from CDR data.
- We do not commercially disclose CDR data to third parties.
- Where CDR data becomes redundant (no longer needed for the purpose for which it was collected), our default position is deletion. We do not retain redundant CDR data for de-identified research or general analytics use.
Disconnect and delete
- Disconnect. You can disconnect a connected account at any time from inside the cashflow workspace. Disconnecting stops future collection and deletes the encrypted provider credentials for that connection.
- Full cashflow data delete. You can request deletion of your cashflow data at any time. This deletes your cashflow connections, credentials, accounts, transactions, merchants, rules, budgets, recurring series, import batches, and rollups. Backup media is overwritten on the standard backup-rotation cycle.
- Consequences of withdrawing consent. When you disconnect or withdraw consent: future provider collection stops; provider credentials are deleted; you may lose access to cashflow features and historical insights derived from that connection; remaining redundant CDR data is deleted in line with the position above.
CDR notifications
You will receive notifications from us in connection with CDR events including: collection, the giving or amendment of consent, withdrawal of consent, consent expiry, disclosure to other parties (where applicable), correction responses, and any eligible data breach affecting your CDR data.
CDR complaints
If you have a CDR-specific complaint, contact us at compliance@rask.au. If we cannot resolve it, you can escalate to the Office of the Australian Information Commissioner (OAIC), which is the regulator for CDR privacy, at oaic.gov.au, or to AFCA at afca.org.au.
7. Cross-border / overseas transfers
Where reasonably possible we host data in Australia. Some of our service providers process data outside Australia. Before we engage a provider, we satisfy ourselves that they have appropriate security, contractual, and (where relevant) cross-border-transfer protections in place.
The table below summarises our principal processors and where they handle Rask data. We don't list every transient subprocessor used by these providers, but the controls that apply to them flow through our agreements with the providers below.
| Provider | Purpose | Data location |
|---|---|---|
| Google Cloud Platform | Cloud infrastructure, databases, storage, compute | Australia (Melbourne) |
| Cloudflare | DNS, WAF, DDoS protection, edge delivery | Australia (edge); United States (control plane) |
| Firebase Auth (Google) | User authentication, session management | United States, with global edge |
| Google Drive (Google) | Mirrored secure document storage | United States, with global edge |
| Stripe | Subscription billing and payment processing | United States; Ireland |
| SendGrid (Twilio) | Transactional and notification email | United States |
| ActiveCampaign | Customer relationship management, marketing email | United States |
| Open-banking partner (CDR-accredited) | Cashflow / CDR data collection | Australia |
| Navexa, Sharesight | Portfolio data ingestion | Australia; New Zealand |
| OpenAI | AI assistance, drafting, summarisation | United States |
| Anthropic | AI assistance, drafting, summarisation | United States |
| Google (Gemini) | AI assistance, drafting, summarisation | United States; Global |
| xAI (Grok) | AI assistance, drafting, summarisation | United States |
| Google Analytics 4 | Anonymised usage analytics (consent-gated) | United States |
Personal advice files (Statements of Advice, Records of Advice, fact-find documents, uploaded supporting documents) are stored in Australia and are not sent to overseas AI providers.
8. Storage, security, retention
- Encryption. Data is encrypted in transit (TLS 1.2+) and at rest. Open-banking provider credentials carry an additional layer of AES-256-GCM application-level encryption.
- Access controls. Role-based access on every API and database query. Per-client document folders are segregated. Sensitive support-side reads can require an explicit reason and are audit-logged.
- Network. Internal services run on private networking; production databases and caches are not directly reachable from the public internet.
- Backups. Daily database backups with point-in-time recovery, retained on a rolling window (currently seven days). Storage buckets have lifecycle policies that move older content to cold storage.
- Retention. We retain personal information for as long as needed to provide our services and meet our legal and regulatory obligations. Australian financial-services records have specific retention requirements (commonly seven years for advice records; longer for some specific records). When information is no longer required, we securely delete or de-identify it. Backup media is rotated and overwritten on the normal cycle.
9. Your rights and choices
- Access. Request a copy of the personal information we hold about you.
- Correct. Update or correct information that is inaccurate, incomplete, or out of date.
- Delete. Request deletion of your personal information. We may need to retain certain records to meet our legal and AFSL obligations (e.g. advice records).
- Withdraw consent. Withdraw consents you have given (such as a cashflow connection or marketing). See Section 6 for the consequences of withdrawing CDR consent.
- Object to direct marketing. Opt out at any time using the link in any marketing email or by contacting us.
- Manage cookies. Use the consent banner or your browser settings — see the Cookie Policy.
- Anonymity and pseudonymity. Where lawful and practical, you can interact with us without identifying yourself (e.g. browsing rask.au).
To exercise any right, email compliance@rask.au. We will verify your identity before acting on a request and respond within 30 days.
10. Notifiable Data Breach commitment
Rask is subject to the Australian Notifiable Data Breaches scheme. If we suffer an "eligible data breach" — a breach likely to result in serious harm — we will notify affected users and the OAIC as soon as practicable, in line with our internal Incident Response Runbook. Additional notification obligations apply where CDR data is involved, and we will follow those.
11. Children
Rask is not directed at children under 18. We do not knowingly collect personal information from a child for our own use. If you believe a child has provided us with personal information, please contact us and we'll take appropriate steps to delete it.
12. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated through the platform or by email. The current version is always available at rask.au/legal/privacy-policy.
13. Contact us & complaint pathway
For privacy questions, requests, or complaints, email compliance@rask.au. You can also write to:
The Privacy Officer
The Rask Group Pty Ltd
Suite 4, Level 4, 50 Queen St
Melbourne VIC 3000
If you are unsatisfied with our response, you can:
- Refer the matter to the Office of the Australian Information Commissioner (OAIC) — oaic.gov.au. The OAIC is the regulator for the Privacy Act and the Consumer Data Right.
- For financial-services privacy disputes, refer the matter free of charge to the Australian Financial Complaints Authority (AFCA) — afca.org.au, 1800 931 678. Rask Licensing Pty Ltd is an AFCA member (member 111423).