Privacy Policy

Updated 2 July 2025 

  1. Introduction 

This Privacy Policy explains how Frollo Australia Pty Ltd ABN 49 613 113 269 (‘Frollo’, ‘we’, ‘us’ or ‘our’) collects, uses, stores and discloses your personal information and Consumer Data Right (CDR) data when you use our services. 

Frollo provides a range of digital services, including but not limited to:  

  • the Frollo App (iOS and Android); 
  • the Frollo platform accessible via frollo.com.au;
  • Frollo services enabling consumers to share CDR data with other parties as permitted by the CDR, including their nominated trusted advisers;  
  • Frollo services for third-party businesses, including as a service provider to other CDR accredited entities; and  
  • data categorisation, enrichment and analysis services that support responsible lending, credit advice, financial advice and lending decisions. 

As part of these services, we may request your consent to access and handle personal or CDR data (such as identity and financial transaction information). We do this in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs) and our obligations as an Accredited Data Recipient under the CDR regime. Our operations also align with recognised security standards, including SOC 2 and APRA Prudential Standard CPS 234. For more on how we protect your information, visit trust.frollo.com.au  

Frollo also provides services to third parties including mortgage brokers, and accredited entities such as banks. All services involving CDR data are governed by contractually binding terms which require recipients to comply with applicable CDR data handling obligations and implement appropriate safeguards. These services involve the handling of personal and CDR data under the CDR regime. Our roles may include: 

  • collecting and managing CDR consents on behalf of other businesses (as a CDR Gateway); 
  • handling CDR data of individuals who have appointed a trusted adviser (e.g. mortgage brokers, accountants, solicitors etc); 
  • categorising, enriching and analysing financial transaction data to assist our customers (e.g. lenders and banks) in understanding their own customers’ financial position. 

By accessing and/or using our services or providing us with personal information or CDR data, you consent to the collection, use and handling of your information in accordance with this Privacy Policy and any applicable agreements or consents you provide.  

  1. Updates to this Privacy Policy 

We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. If we make a material change, we will notify you by email, app or website notice. The most current version is available at frollo.com.au/privacy and we encourage you to review the Policy periodically.  

  1. What information do we collect? 

When you register or create an account with Frollo in connection with any of our Services, we collect certain personal information to identify and communicate with you. This may include: 

  • your first name and last name; 
  • your email address; and 
  • other contact or professional details as required depending on the service. 

This information is necessary to create your account, provide notifications and service updates, verify your identity where required, and deliver relevant features and content. 

  1. Your Consent 

To use certain Frollo Services we will need to access your financial data. Where access is provided to your CDR data under the CDR regime, no banking username or password is required and you will always be asked to provide your explicit consent. You will be presented with a detailed, step-by-step consent flow that clearly identifies the data being requested, the purposes for its use, and the duration of the consent. 

In cases where your financial institution does not support connection via the CDR, this will be clearly indicated to you during the connection process. In such instances, you will be given the option to continue by clicking the “Continue with screen-scraping” button in the Frollo app. 

If you choose to proceed, you will be directed to a secure account aggregation platform provided by Yodlee Inc., a company based in the United States. This platform retrieves your account information using a method known as screen scraping, which involves Yodlee logging into your online banking using your credentials (such as your username and password) and collecting specific account and transaction data. Frollo does not access or store your credentials. 

By proceeding with the screen-scraping service provided by Yodlee, you acknowledge and agree that: 

  • Yodlee acts as your agent, not ours; 
  • you provide your login credentials directly to Yodlee through a secure vault; 
  • Yodlee uses those credentials to access and retrieve account data on your behalf; 
  • your personal information, including transaction data, may be transferred to, stored in or accessed from the United States; 
  • the laws of the United States do not require Yodlee to handle your data in accordance with the APPs under the Privacy Act 1988 (Cth); 
  • we require Yodlee to implement reasonable security measures and limit use of your data to agreed purposes, but we do not control its privacy practices; 
  • you accept that there are certain risks applying to this service as outlined in the Yodlee Fastlink Terms of Use, including that the service is provided “as is” and “as available”; 
  • you may revoke this access at any time using in-app settings or by contacting us. 

Please click on the following link to obtain more information about Yodlee, including its Privacy Policy: http://www.yodlee.com/au

  1. Trusted Adviser Services 

Where you nominate a person (such as your mortgage broker, accountant, financial adviser or financial planner) using our platform as your Trusted Adviser under the CDR regime, we will collect and share your CDR data with them on your behalf. 

  1. Information we collect about Trusted Advisers 

If you are a Trusted Adviser using our Service, we collect your personal information (such as your name, business contact details, professional membership, licence information and eligibility evidence) for the purposes of: 

  • verifying your eligibility under Rule 1.10C of the CDR Rules; 
  • managing and maintaining your account access and credentials; 
  • assisting CDR consumers to nominate you through name-matching or search features; 
  • responding to enquiries or complaints relating to your access; and 
  • monitoring compliance with our service terms and security protocols. 

We may use your personal information as reasonably necessary to provide, support, or enforce your use of the Service. This includes disclosures to professional bodies, regulators, or the relevant CDR consumer, where required by law or contract. 

Your information is handled in accordance with this Privacy Policy and the APPs. You may contact us to access or update your information, or to raise concerns about how your information is being handled. 

Trusted Advisers must be verified members of an eligible class under Rule 1.10C of the CDR Rules. Their access to CDR data is limited to circumstances where you have provided express and informed consent and is for the purpose of assisting you with services you have requested. Trusted Advisers must maintain up-to-date credentials and implement appropriate safeguards to protect your data, including technical and organisational security measures. You may withdraw your consent at any time. 

  1. Frollo Business Services 

In addition to our obligations under the CDR Rules and Privacy Safeguards, Frollo may handle CDR data in the course of services we provide to other businesses who are accredited entities within the CDR regime. This includes handling and transmitting CDR data under consent frameworks managed by those entities, and providing those entities services such as financial data categorisation, enrichment and analysis to support responsible lending, credit advice, financial advice and lending decisions. While these activities are subject to the CDR regime, they are also governed by the Privacy Act and this Privacy Policy, where applicable. 

  1. Other Information that we may collect 

In addition to information collected during account setup and service use, we may collect other information depending on how you interact with our services. 

This may include: 

  • technical data about your use of our services, including website, app, dashboards or APIs; 
  • browser or device metadata; 
  • aggregated performance and diagnostic data; and 
  • user-submitted inputs during support requests or usage feedback. 

This information helps us improve the reliability, functionality, and security of all Frollo services. 

  1. Why do we collect this information? 

We collect personal and CDR data for a range of purposes across our service offerings, including to: 

  • provide, operate, maintain and improve our services (including personal finance management tools, Trusted Adviser services, business services and data categorisation, enrichment and analysis services); 
  • provide support and feedback arrangements to users of our service; 
  • comply with our legal and regulatory obligations (e.g. CDR Rules and Privacy Act); 
  • verify your identity or professional credentials where applicable; 
  • communicate with you about your account, features, or service updates; 
  • personalise your experience and develop new products or enhancements; and 
  • protect against fraud, misuse, or unauthorised access. 

  1. How do we collect this information? 

We collect your information directly from you when you: 

  • register for or use any Frollo service; 
  • provide consent to retrieve CDR data or nominate a Trusted Adviser;  
  • engage with our digital interfaces such as our websites, Apps, portals, dashboards or APIs; 
  • contact our support teams; or 
  • respond to surveys or communications, or otherwise provide us with feedback. 

We may also collect data automatically (e.g. usage data, log files) when you interact with our services, subject to applicable legal and consent requirements. 

  1. How do we protect your information? 

Frollo is SOC 2 Type 2 certified and implements information security controls in line with industry standards and APRA Prudential Standard CPS 234. We are committed to taking reasonable steps to protect your personal information from misuse, interference, loss and unauthorised access, in accordance with APP 11. 

  1. Who do we disclose your data to? 

We may disclose your information for the purposes described in this Privacy Policy to: 

  • employees, secondees and our related bodies corporate; 
  • third parties who supply us with services (for example providers for the operation of our website, or for sending emails to our users) and specific third parties authorised by you to receive information from us; and 
  • other persons, including government agencies, regulatory bodies and law enforcement agencies, or as required, authorised or permitted by law. 

We may disclose information (or facilitate such disclosure) outside Australia only in limited circumstances, such as when you consent to the use of services that require offshore processing (e.g. data retrieval via Yodlee Inc. in the United States), or where we are otherwise authorised or required by law. 

  1. Consumer Data Right 

As an Accredited Data Recipient under the CDR regime, Frollo collects and handles your CDR data in accordance with the CDR Rules and Privacy Safeguards. 

You have the right to: 

  • access and correct your CDR data; 
  • withdraw your consent at any time via our app or by contacting us; and 
  • make a complaint about how your CDR data is handled. 

For more information, refer to our CDR Policy

  1. How to access, update or delete your information 

You also have the right under the CDR and the Privacy Act to access your data in a usable and readable format, and to request corrections to any incomplete or inaccurate information. 

Sometimes, we may not be able to provide you with access to all of your personal information and, where this is the case, we will tell you why (for example, we may refuse to give you access to your information if giving access would have an unreasonable impact on the privacy of other individuals, if your request for access is frivolous or vexatious, or if the information relates to existing or anticipated legal proceedings). 

We may also need to verify your identity when you request your personal information. 

If you think that any personal information we hold about you is inaccurate, please contact us and we will take reasonable steps to ensure that it is corrected. 

You may opt-out of receiving marketing materials from us by contacting us by email ([email protected]) or by using the opt-out facilities provided in any communication (e.g. the unsubscribe link). 

You may cancel your account at any time by contacting us via help.frollo.com.au 

Once you have requested us to cancel your account, to the extent reasonably possible, all information and credentials will be deleted from our systems, and nothing will be retained other than as required by law. However, portions of your information, consisting of aggregate data derived from your account information, may remain on our production servers indefinitely. 

Your data may also remain on a backup server or secure backup media. We keep these backups to ensure our continued ability to provide the services to you in the event of malfunction or damage to our primary production servers and it is not technically feasible for us to remove data which has been stored on a backup. These backups are securely maintained then destroyed in accordance with our retention practices.  

Please note that simply deleting the app will not give effect to termination and deletion of your information.  

  1. Complaints 

If you think we have breached the Privacy Act, or you wish to make a complaint about the way we have handled your personal information, you can contact us via email ([email protected]). Please include your name, email address and/or telephone number and clearly describe your complaint. We will acknowledge your complaint and respond to you regarding your complaint within a reasonable period of time. 

It is our intention to resolve your complaint to your satisfaction. However, if you feel that your complaint has not been satisfactorily addressed or that it is taking too long to resolve your complaint, you are entitled to contact the Office of the Australian Information Commissioner (OAIC), on 1300 363 992 or the other contact details on the OAIC’s website (http://www.oaic.gov.au), who may investigate your complaint further.