Privacy Policy

Last updated February 2026

This Privacy Policy explains how Cowry Pty Ltd ("Cowry", "we", "us", "our") collects, uses, stores, and protects personal information when you use our platform. We are committed to protecting your privacy in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

1. What Information We Collect

We collect the following categories of personal and financial information:

  • Account information — your name, email address, and authentication credentials (managed securely through Clerk; we never see your password).
  • Financial data — bank account details, transaction histories, balances, budget figures, income, and savings goal progress that you enter manually or that is imported via Open Banking.
  • Open Banking data — if you connect your bank via the Australian Consumer Data Right (CDR) framework, we receive read-only access to your account and transaction data through our accredited CDR provider. Your bank login credentials are never shared with us.
  • Usage data — pages visited, features used, session length, and interaction patterns, collected to improve the platform and personalise your experience.
  • Device & technical data — IP address, browser type, operating system, and device identifiers used for security, fraud prevention, and platform optimisation.
  • AI interaction data — prompts and content you submit to AI-powered features (such as Cowry Chat or financial insights), which are processed by our AI provider to generate your responses.
  • Consent records — a timestamped record of when you agreed to our Terms & Conditions and this Privacy Policy, retained for legal compliance purposes.

2. How We Collect Your Information

We collect information in the following ways:

  • Directly from you when you register, enter data, or contact us.
  • Via Open Banking APIs through our CDR-accredited provider when you authorise a bank connection.
  • Automatically through cookies, server logs, and analytics tools as you use the platform.
  • From third-party authentication providers (Clerk) when you sign up or log in.

3. Why We Collect Your Information (Purposes)

We collect and use your information for the following purposes:

  • Providing the platform — to operate, maintain, and personalise your Cowry account, including budgets, transaction categorisation, savings goals, financial score, and insights.
  • Open Banking sync — to retrieve and display your bank transactions and balances according to your chosen sync schedule.
  • AI-powered features — to generate personalised financial insights, chat responses, and recommendations based on your data.
  • Security & fraud prevention — to detect unauthorised access, protect your account, and ensure platform integrity.
  • Legal compliance — to meet our obligations under Australian law, including the Privacy Act, CDR Rules, and financial record-keeping requirements.
  • Platform improvement — to analyse usage patterns, diagnose issues, and develop new features. This is done using aggregated, de-identified data wherever possible.
  • Communication — to send you account notices, security alerts, and (where you have opted in) product updates.

We do not sell your personal information to third parties. We do not use your data for advertising or share it with advertisers.

4. How We Protect Your Information

Protecting your financial data is one of our highest priorities. We apply industry-standard security practices including:

  • Encryption in transit and at rest — all data transmitted between your browser and our servers is encrypted via TLS. Data stored in our databases is encrypted at rest.
  • Zero bank-credential storage — Cowry never stores your bank username or password. Open Banking access is facilitated via CDR-compliant APIs; you authenticate directly with your bank.
  • Access controls — employee access to customer data is restricted to authorised personnel on a need-to-know basis and is logged and audited.
  • Secure infrastructure — our platform is hosted on Google Cloud, leveraging enterprise-grade security and redundancy.
  • Authentication security — user authentication is handled by Clerk, which provides multi-factor authentication, brute-force protection, and secure session management.
  • Incident response — we maintain a data-breach response plan and will notify you and the Office of the Australian Information Commissioner (OAIC) if a notifiable breach occurs.

5. Who We Share Your Information With

We share your information only where necessary to provide the platform or comply with the law:

  • CDR data-access provider — to facilitate Open Banking connections under the CDR framework.
  • AI service provider (Groq) — transaction descriptions, categories, amounts, and your prompt text are sent to Groq solely to generate AI responses. We do not share your name, email, or bank credentials with Groq.
  • Authentication provider (Clerk) — your email and session data are managed by Clerk for sign-in and security purposes.
  • Infrastructure providers — Google Cloud (hosting and database) and other sub-processors who have agreed to process data only on our behalf and under confidentiality obligations.
  • Legal obligations — we may disclose information where required by law, court order, or to protect the rights, property, or safety of Cowry, our users, or the public.

6. Data Retention

We retain your personal and financial data for as long as your account is active or as required by law (e.g. financial record-keeping obligations). When you delete your account, your data is removed from live systems within 30 days and from backup systems within 90 days, except where we are required by law to retain it longer.

Consent records are retained indefinitely for legal compliance purposes.

7. Your Rights

Under the Australian Privacy Principles you have the right to:

  • access the personal information we hold about you;
  • request correction of inaccurate or out-of-date information;
  • request deletion of your account and data (subject to legal retention obligations);
  • withdraw Open Banking consent at any time through your bank or via Cowry Settings;
  • opt out of non-essential communications at any time.

To exercise these rights, contact us at privacy@cowry.com.au.

8. Cookies & Tracking

We use cookies and similar technologies to maintain your session, remember your preferences, and analyse platform usage. You can disable cookies in your browser settings; however, some features of the platform may not function correctly without them.

9. Overseas Data Transfers

Your data may be processed by our service providers in countries outside Australia, including the United States (Google Cloud, Clerk, Groq). We ensure these providers maintain data-protection standards substantially similar to the Australian Privacy Principles.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material we will notify you via email or an in-app notice and, where required by law, seek your renewed consent. The version number and date at the top of this page always reflect the current policy.

11. Contact Us

For privacy-related queries, access requests, or complaints, contact our Privacy Officer at privacy@cowry.com.au. If you are not satisfied with our response you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).