This platform is software sold to ACL-holding mortgage brokers; it is not a credit licensee. Nothing here is credit assistance or financial advice.


Privacy Policy

Last updated: [date to be inserted at launch]

This Privacy Policy describes how RefNet ("we", "us", "our") collects, uses, stores, and handles personal information. It applies to all users of our platform, including mortgage broker customers ("Customers") and consumers whose personal information is submitted through a Customer's referral intake form.

We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs").


1. Who we are

RefNet is a software-as-a-service provider (ABN 17 182 565 995). We operate an online platform that licensed Australian mortgage brokers use to administer their own Regulation 25 referrer programs under the National Consumer Credit Protection Act 2009 (Cth).

We are an APP entity for the purposes of the Privacy Act 1988 (Cth).

RefNet is operated by Christopher Mark Hughes, an Australian sole trader (ABN 17 182 565 995). For any privacy question, access or correction request, or complaint, contact us at privacy@refnet.com.au.


2. What we collect

We collect two categories of personal information:

Broker account information. When a mortgage broker creates or manages an account, we collect:

  • Full name and email address of the account holder and any team members added to the account.
  • Business name, branded subdomain, and logo/branding assets.
  • Stripe Connect account details for payout processing.
  • Billing contact name and email address.

We do not collect or store full payment card numbers — card processing is handled directly by Stripe.

Consumer personal information submitted through referrals. When a consumer is referred through a Customer's intake form, we collect the personal information that the Customer has configured that form to request. At minimum this includes:

  • Consumer full name
  • Email address
  • Phone number

Additional fields (such as loan purpose or estimated loan amount) may be included at the Customer's discretion. All consumer personal information is encrypted at rest.

We do not collect or store sensitive information (as defined under APP 3) such as health information, financial account numbers, or government-issued identification numbers through the standard referral intake flow.


3. Why we collect it

We collect broker account information to:

  • Create and manage the Customer's account and branded subdomain.
  • Provide access to the platform features (referrer intake, payout ledger, referral pipeline).
  • Process subscription billing and per-payout fees.
  • Send transactional notifications (account alerts, payout confirmations, team invitations).

We collect consumer personal information submitted through referrals solely to administer the referring broker's Regulation 25 referrer program. We use this information only to make it available within the Customer's dashboard and to enable payout processing against that referral record. We do not use consumer referral data for any other purpose — including marketing, profiling, sale to third parties, or cross-tenant analytics.


4. Controller and processor

The broker Customer is the data controller of personal information held in their tenant on this platform — including information about their referrers and consumers who submit referrals through the Customer's intake form.

RefNet acts as a data processor on behalf of each broker Customer, processing that personal information in accordance with our Terms of Service and the Customer's instructions (as configured in the platform). We do not determine the purpose or means of processing referrer or consumer personal information — the Customer does.

Where a Customer provides us with consumer personal information, the Customer is responsible for ensuring they have a lawful basis to collect and share that information and that consumers have been given appropriate notice.


5. Consent and disclosure

Consumer consent is a central design feature of the platform. When a consumer is referred through a Customer's intake form:

  • The Regulation 25 written disclosure required by the Customer's referrer program is rendered to the consumer at the point of data entry.
  • The consumer's acceptance of that disclosure is timestamped and recorded server-side — the timestamp is set by the server at the moment of form submission, not by the user's browser clock.
  • The consent record (disclosure text presented, timestamp, and referral ID) is retained as a durable audit record for the life of the referral.

This design is intended to assist Customers in meeting the documentary requirements of Reg 25. Customers remain responsible for ensuring the disclosure text they configure is legally adequate for their program.


6. Storage and security

Encryption at rest. All consumer personal information is encrypted at rest at the database column level, using a separate encryption key for each referral record. After the applicable retention window the per-record key is destroyed ("crypto-shredding"), which renders that record's personal information permanently unrecoverable — including from backups — without our needing to locate and erase every copy individually.
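The per-record key and crypto-shredding arrangement described above, as an added illustration that is not RefNet's own code: each referral row holds only ciphertext, the key for that row lives in a separate vault, and a retention job destroys the key once the grace window after conclusion has passed, after which neither the live row nor any backup copy of it can be decrypted. The cipher here is a standard-library stand-in (HMAC-SHA256 keystream with an encrypt-then-MAC tag) so the example runs without third-party packages; a production system would use a vetted AEAD such as AES-GCM. All names (KeyVault, ReferralStore, the 14-day default) and the sample consumer data are assumptions constructed for the example.

```python
"""Per-record envelope encryption with crypto-shredding (illustrative, not RefNet's code)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


class KeyDestroyed(Exception):
    """Raised when a record's per-record key has been shredded."""


# Stand-in cipher: HMAC-SHA256 counter keystream plus an encrypt-then-MAC tag.
# Standard library only so the example runs anywhere; use a real AEAD in production.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # wrong key or tampered ciphertext
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


@dataclass
class ReferralRow:
    """What the database column holds: ciphertext only, never the key."""
    referral_id: str
    pii_ciphertext: bytes
    concluded_at: Optional[datetime] = None


class KeyVault:
    """Per-record keys, kept apart from the data store and from its backups (hypothetical)."""
    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def create(self, referral_id: str) -> bytes:
        self._keys[referral_id] = secrets.token_bytes(32)
        return self._keys[referral_id]

    def get(self, referral_id: str) -> bytes:
        if referral_id not in self._keys:
            raise KeyDestroyed(referral_id)
        return self._keys[referral_id]

    def has(self, referral_id: str) -> bool:
        return referral_id in self._keys

    def destroy(self, referral_id: str) -> None:
        self._keys.pop(referral_id, None)  # deleting the key is the act of destruction


class ReferralStore:
    def __init__(self, vault: KeyVault, grace: timedelta = timedelta(days=14)) -> None:
        self.vault, self.grace = vault, grace
        self.rows: Dict[str, ReferralRow] = {}
        self.backups: List[ReferralRow] = []  # simulated backup snapshots of the rows

    def create(self, referral_id: str, pii: dict) -> None:
        key = self.vault.create(referral_id)
        self.rows[referral_id] = ReferralRow(referral_id, encrypt(key, json.dumps(pii).encode()))

    def snapshot_backup(self) -> None:
        self.backups.extend(ReferralRow(r.referral_id, r.pii_ciphertext, r.concluded_at) for r in self.rows.values())

    def read_pii(self, referral_id: str) -> dict:
        return json.loads(decrypt(self.vault.get(referral_id), self.rows[referral_id].pii_ciphertext))

    def read_backup_pii(self, referral_id: str) -> dict:
        row = next(r for r in self.backups if r.referral_id == referral_id)
        return json.loads(decrypt(self.vault.get(referral_id), row.pii_ciphertext))

    def conclude(self, referral_id: str, when: datetime) -> None:
        self.rows[referral_id].concluded_at = when

    def run_retention_job(self, now: datetime) -> List[str]:
        """Shred the key of every concluded record whose grace window has passed."""
        shredded = []
        for row in self.rows.values():
            if row.concluded_at and now >= row.concluded_at + self.grace and self.vault.has(row.referral_id):
                self.vault.destroy(row.referral_id)
                shredded.append(row.referral_id)
        return shredded


def demo() -> dict:
    """Walk one referral through its lifecycle; sample data is constructed for the example."""
    store = ReferralStore(KeyVault())
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    store.create("ref-1", {"name": "Sample Consumer", "email": "sample@example.com"})
    store.create("ref-2", {"name": "Other Consumer", "email": "other@example.com"})
    store.snapshot_backup()  # backups now carry ciphertext for both rows
    result = {"readable_before": store.read_pii("ref-1")["name"]}
    store.conclude("ref-1", t0)
    result["in_grace"] = store.run_retention_job(t0 + timedelta(days=13))
    result["shredded"] = store.run_retention_job(t0 + timedelta(days=14))
    result["rerun"] = store.run_retention_job(t0 + timedelta(days=15))
    for label, reader in (("live_unreadable", store.read_pii), ("backup_unreadable", store.read_backup_pii)):
        try:
            reader("ref-1")
            result[label] = False
        except KeyDestroyed:
            result[label] = True
    result["other_record_ok"] = store.read_pii("ref-2")["name"]
    try:
        decrypt(secrets.token_bytes(32), store.rows["ref-2"].pii_ciphertext)
        result["wrong_key_rejected"] = False
    except ValueError:
        result["wrong_key_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The point to notice is that the retention job never touches the backups: once the key is gone, the backup row is the same unreadable ciphertext as the live row, which is what lets the policy claim destruction "including from backups" without locating every copy. The key vault, not the ciphertext, is therefore the asset whose own backups and access controls decide whether shredding is real.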

Data residency. All data is stored and processed in ap-southeast-2 (Sydney, Australia) on Supabase's managed Postgres infrastructure. Primary storage does not leave Australia. (See Section 12 for sub-processor data flows that may involve overseas transmission.)

Security measures. We maintain the following technical and organisational measures:

  • Tenant data is isolated using PostgreSQL row-level security (RLS) policies — each broker's data is logically separated from all other tenants at the database layer.
  • Access to production infrastructure is restricted to authorised personnel.
  • Authentication is managed through Supabase Auth.
  • HTTPS is enforced for all connections.

We will notify affected Customers and (where required by law) the Office of the Australian Information Commissioner (OAIC) in the event of an eligible data breach — see Section 11.


7. Who we share it with

We share personal information with the following sub-processors, solely as necessary to provide the service:

For each sub-processor, its role and the data shared with it:

  • Stripe — Role: payment processing; payout rail for broker-to-referrer payments. Data shared: broker billing details; referrer payout details (name, bank details as entered by the Customer).
  • Resend — Role: transactional email delivery. Data shared: email address and name of the recipient (account invitations, team notifications, payout alerts).
  • Supabase — Role: database hosting and authentication. Data shared: all platform data at rest and in transit within the database layer.
  • Fly.io — Role: application hosting. Data shared: application traffic; runtime processing of requests.
  • Google Analytics (Google LLC) — Role: website and platform usage analytics. Data shared: IP address and usage events of website/platform visitors; only after analytics-cookie consent.

Analytics. We use Google Analytics (provided by Google LLC) to understand how the platform and our website are used. Analytics cookies are set only after you consent via our cookie banner (see Section 13). Google Analytics receives your IP address and usage events; it does not receive referrer or consumer personal information held in the platform.

We do not sell, rent, or share personal information with advertising networks or data brokers, and we do not use analytics providers for advertising or ad-targeting purposes.

We may also disclose personal information if required to do so by law (e.g., a court order or regulator demand), or to protect the rights, property, or safety of RefNet, our Customers, or others.


8. Retention and destruction

We retain personal information only for as long as necessary to fulfil the purpose for which it was collected, or as required by law.

Consumer referral records are retained for the life of the referral relationship and for a minimum period following final payout to support the Customer's Reg 25 audit obligations and to handle any disputes. After the applicable retention period, consumer PII fields are scheduled for destruction.

Broker account data is retained for the life of the subscription and for a reasonable period after termination to support billing dispute resolution and any applicable statutory record-keeping obligations.

On account termination, Customer data is made available for export for 30 days and then deleted from production systems. Residual copies in automated backups are purged on a rolling basis in accordance with our backup retention schedule.

We collect the minimum personal information reasonably necessary for the purpose — we do not collect personal information speculatively.

By default, the personal information attached to a referral is destroyed shortly after the referral concludes — when it is rejected, expires unactioned, or completes — following a short dispute-grace window (and, where a payout occurs, after that payout settles). A broker Customer can configure the referral retention window for their own program, within the limits the platform allows. Once the grace window passes, the per-record encryption key is destroyed as described in Section 6, and residual copies in automated backups age out on our rolling backup schedule.


9. Access and correction

Under APP 12 and APP 13, individuals have the right to request access to, and correction of, personal information we hold about them.

To make an access or correction request, contact us at privacy@refnet.com.au. We will respond within 30 days. In some circumstances we may be required to decline an access request (for example, where granting access would adversely affect the rights of a third party or is otherwise permitted under the Privacy Act). Where we decline, we will give reasons.

Where a request relates to personal information held in a Customer's tenant (such as a consumer's referral record), we may need to refer the request to the relevant Customer as the data controller for that information.


10. Complaints

If you believe we have handled your personal information in a way that does not comply with the Australian Privacy Principles, you may make a complaint.

Please direct complaints in the first instance to privacy@refnet.com.au. We will acknowledge your complaint within 5 business days and aim to resolve it within 30 business days. If we cannot resolve the complaint to your satisfaction, you may escalate to the Office of the Australian Information Commissioner (OAIC):

  • Website: www.oaic.gov.au
  • Phone: 1300 363 992
  • Post: GPO Box 5218, Sydney NSW 2001

11. Data breaches

We are subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).

If we become aware of an eligible data breach — that is, unauthorised access to or disclosure of personal information that is likely to result in serious harm to one or more individuals — we will:

  1. Assess the suspected breach as quickly as possible (and no later than 30 days after becoming aware).
  2. Notify the OAIC using the prescribed form if the breach is eligible.
  3. Notify affected individuals (or, where it is not practicable to do so, publish a notice on our website).

Where a breach relates to personal information held in a Customer's tenant, we will notify the Customer promptly so that they can assess their own notification obligations as the data controller.


12. Overseas disclosure

Our primary data storage is in Australia (ap-southeast-2, Sydney). However, some of our sub-processors operate infrastructure outside Australia as part of delivering the service:

  • Stripe — Stripe Inc. is a US-incorporated company. Payment processing infrastructure and payout data may be processed and stored in the United States and other jurisdictions.
  • Resend — Resend's email delivery infrastructure may route or store the recipient's name and email address through servers in the United States.
  • Supabase — Supabase's primary data storage for this platform is in ap-southeast-2. However, Supabase's own corporate infrastructure and support systems are US-based.
  • Fly.io — Application hosting is configured for Sydney. Fly.io is a US-incorporated company and its management plane may be US-located.
  • Google LLC — Google Analytics is operated by Google LLC, a US-incorporated company. Where you consent to analytics cookies, your IP address and usage events may be processed and stored in the United States and other jurisdictions in which Google operates.

Before transferring personal information to an overseas sub-processor, we take reasonable steps under Australian Privacy Principle 8.1 to ensure that each sub-processor handles personal information in a manner consistent with the APPs, including by entering into contractual data-processing terms with each sub-processor.

For each overseas transfer, our APP 8.1 "reasonable steps" rest on the data-processing terms that each of these sub-processors makes available to its customers, which require the sub-processor to handle personal information consistently with applicable data-protection law (the APPs and/or the EU GDPR). Where contractual terms are not available for a particular transfer, we rely on the APP 8.2 grounds — including that the transfer is reasonably necessary to provide the very service for which the information was collected. The overseas transfers described above are disclosed to you through this policy.


13. Cookies and analytics

We do not use advertising cookies. We do not integrate any third-party advertising network or ad-targeting system.

Analytics cookies are consent-gated. We use Google Analytics (see Section 7) to understand how the platform and our website are used. Google Analytics sets its _ga cookie (and related _ga_* cookies) only after you accept analytics cookies via our cookie banner — until then no analytics cookie is set, and you can decline analytics at any time through the banner. We do not use Meta Pixel or any advertising or ad-targeting tracking script.

We also use technically necessary cookies solely for session management and authentication. These cookies are session-scoped or have a limited lifetime and are not used for tracking across sites; they are not subject to the analytics consent banner because they are strictly required to operate the platform.


14. Changes to this policy

We may update this Privacy Policy from time to time. Where changes are material — particularly to how we collect, use, or share personal information — we will notify Customers by email and by a notice in the platform dashboard at least 30 days before the change takes effect.

The current version of this policy is always available at /legal/privacy-policy.


15. Support tickets and feature feedback

When you contact us through the in-app support feature, we process the contents of your ticket and our correspondence to provide and improve support. Support tickets are private to you and the RefNet operations team.

When you post to the feature-feedback board, your submission (its title and details) is visible to all RefNet users and may be retained for as long as we operate the board, even after a status change. Your identity is not shown to other users — feedback is anonymous to your peers; only the RefNet team can see who submitted an item, together with whether you posted as a broker or a referrer. Please do not include any client or consumer personal information in feedback submissions. We may remove submissions that contain personal information or are otherwise inappropriate.