Privacy Policy and Collection Statement

Version 4

Last Updated: Mar 07, 2025

What is the purpose of this Privacy Policy and Collection Statement?

Birchal Pty. Ltd. ACN 616 478 767 and its related bodies corporate (referred to as ‘we’ or ‘our’ or ‘us’ or ‘Birchal’) operate the website birchal.com (including any subdomains) across desktop, mobile, tablet and apps. We provide a variety of products and services via the website.

We are bound by the Privacy Act 1998 (Privacy Act), including the Australian Privacy Principles (APPs) and recognise the importance of ensuring the confidentiality and security of your personal information.

This Privacy Policy and Collection Statement (Privacy Policy) applies to our website, all products and services we provide and your interactions with us. It sets out how we collect, use, disclose and manage personal information.

Please read through it carefully because by accessing our website and using our products and services, you expressly agree to this Privacy Policy. If you do not agree, no hard feelings but we request you close this website and stop using our products and services now.

All third parties (including customers, suppliers and service providers) that have access to or use personal information collected and held by Birchal must also comply with this Privacy Policy.

Please also read our Terms of Service — those terms are important and also apply to you when you use our website and our products and services.

What kind of personal information do we collect and hold?

Personal information is information or an opinion relating to an individual, which can be used to identify that individual.

We may collect and hold a range of personal information about you to provide you with our products and services, including:

  • name
  • address
  • phone number
  • email address
  • details or images of your government issued identification, such as your passport, driver’s licence, or other forms of identification
  • bank account details
  • financial information such as income and net worth
  • IP address, browser and device type and other standard web log information
  • sensitive information (with your consent) such as your criminal record
  • other information relating to you that you have provide to us

Sensitive information is personal information that includes information relating to a person's racial or ethnic origin, political opinions, religion, trade union or other professional or trade association membership, sexual preferences, health and criminal record. Except where noted above, we do not have a need to collect sensitive information so we do not collect this information.

If the information does not disclose your identity or enable your identity to be ascertained, it will in most cases not be classified as "personal information" and will not be subject to this Privacy Policy. This may include where information has been aggregated, anonymised, pseudonymised or de-identified.

How we collect and hold personal information

We generally collect personal information directly from you. For example, personal information will be collected when you create a Birchal account, use our products and services, interact with our website, call us or send us correspondence, when you interact with our advertising, apply for a job, participate in discussion boards, take part in webinars or events or join us on social media.

We may also collect personal information about you from a third party, such as electronic verification services, payment providers, issuers, share registry providers, accountants, advisors, third party data providers, suppliers, social applications, marketing agencies and business partners.

We may collect some information about you when you visit our website, such as your IP address, browser and device type. We may also use third parties to analyse traffic at our website, which may involve the use of cookies and similar tracking technologies - we explain this more below.

We will not collect sensitive information about you without your consent, unless an exemption in the APPs applies. These exceptions include if the collection is required or authorised by law or necessary to take appropriate action in relation to suspected unlawful activity or serious misconduct.

If the personal information we request is not provided by you, we may not be able to provide you with the benefit of our services or meet your needs appropriately.

We may not give you the option of you dealing with us anonymously or under a pseudonym. This is because it is impractical, and, in some circumstances, unlawful for Birchal to deal with individuals who are not identified.

Unsolicited personal information

We may receive unsolicited personal information about you. We take reasonable steps to de-identify or destroy unsolicited personal information we receive, unless it is relevant to our purposes for collecting personal information. We may retain additional information we receive about you if it is combined with other information we are required or entitled to collect. If we do this, we will retain the information in the same way we hold your other personal information.

Who do we collect personal information about?

The personal information we may collect and hold includes (but is not limited to) personal information about:

  • customers and users
  • issuers and their directors, officers and employees
  • investors and shareholders
  • service providers or suppliers
  • prospective and current employees and contractors
  • other third parties who we come into contact with

Website collection, cookies & related technologies

We collect personal information when we receive completed online generated forms from our website www.birchal.com. We, our clients and our third-party partners, such as our advertising and analytics partners, may also use cookies, pixels and other tracking technologies.

We use these technologies to understand how users interact with our website, to compile aggregate data about our website traffic, including where our website visitors are located, and interaction so that we can offer better user experiences.

To use our website, you must consent to our use of cookies. You can also withdraw or modify your consent to our use of cookies at any time. If you no longer wish to receive cookies, you can use your web browser settings to accept, refuse and delete cookies. To do this, follow the instructions provided by your browser. Please note that if you set your browser to refuse cookies, you may not be able to use certain features of our website, products and services.

Cookies do not contain personal information in themselves, but can be used to identify a person when combined with other information. Cookies are small text files which are transferred to your computer’s hard drive through your web browser that enables our website to recognise your browser and capture and remember certain information. This includes facilitating your use of products and services.

We use Google Analytics and Google’s related services. The data collected in this way is anonymous to us and our users, however, the data we collect may be combined with other information which may be identifiable to you. You can read how Google uses the information (and how you can control it) here.

We use Meta/Facebook pixels to collect data, track conversions from Meta ads, optimise ads, build targeted audiences for future ads and remarket in connection with our products and services and users products and services. The data collected in this way is anonymous to us and our users, however, the data we collect may be combined with other information which may be identifiable to you. You can read how Meta uses the information (and how you can control it) here.

You may also encounter cookies (or similar) on certain pages of our website that has been placed by third parties (e.g. if you view a web page created by a user, there may be a cookie placed within that web page). We do not control the use of cookies by third parties.

Why we collect and hold personal information and how we use it

We may use and disclose the information we collect about you for the following purposes:

  • operate our website and business
  • provide you with our products and services
  • verify your identity
  • review and meet your ongoing needs, including support and communication
  • enhance our products and services and develop new ones for you
  • analyse, aggregate and report
  • provide you with information we believe may be relevant or of interest to you
  • market to you and to let you know about our other products or services
  • participate in testing our products and services or conduct surveys, research and feedback about our website, products and services
  • combine your personal information with information that we have collected from our service providers, third parties or cookies in order to provide you with a better or more personalised experience and to enhance the quality of our products and services
  • help issuers attract investment
  • enhance advertising and analytics in connection with our products and services and the products and services of our users
  • consider any concerns or complaints you may have
  • detect and prevent malicious activity
  • consider you for an employment opportunity
  • comply with relevant laws, regulations and other legal obligations
  • help us improve the products and services offered to our users and enhance our overall business

We may use and disclose your personal information for any of these purposes. We may also use and disclose your personal information for secondary purposes which are related to the primary purposes set out above, or in other circumstances authorised by the Privacy Act.

Sensitive information will be used and disclosed only for the purpose for which it was provided (or a directly related secondary purpose), unless you agree otherwise, or an exemption in the Privacy Act applies.

Who might we disclose personal information to?

We may disclose personal information to:

  • other companies in the Birchal group of companies and our directors, employees and shareholders
  • our customers and users in connection with providing our products and services (e.g. if you express interest in investing in a company or begin or complete an application to invest in a company, we will provide your details to that company and vise versa)
  • our and our users' third party service providers, suppliers and partners in connection with providing our products and services to you (e.g. if you make an investment in a company, we may provide your information to our payment processor or to the company’s share registry to manage your investment)
  • third party service providers and suppliers we engage to assist us to carry out or improve our business, such as lawyers, accountants, advisers, marketing partners and other business partners
  • users of our website, products or services, e.g. if you make comments on a discussion board or social applications, express interest in a company
  • third parties engaged in connection with our products and services, such as electronic verification services, share registry providers and advisors
  • organisations involved in managing payments, including payment merchants and other financial institutions, such as banks
  • regulatory bodies, government agencies, law enforcement bodies and courts
  • organisations involved in a transfer or sale of all or part of our assets or business
  • anyone else to whom you authorise us to disclose it or is required by law

If we disclose your personal information to service providers that perform business activities for us, they may only use your personal information for the specific purpose for which we supply it. We will use reasonable endeavours to ensure that our contractual arrangements with third parties adequately address privacy issues and we will make third parties aware of this Privacy Policy.

Sending information overseas

We may disclose personal information to our related entities, employees, contractors, service providers and suppliers, including data hosting and cloud-based IT service providers, located outside of Australia. For example, we transfer data outside of Australia to our service providers in order to obtain secure storage, back-up and data retrieval services.

While it is not practical to list all of the countries in which personal information is likely to be disclosed, the key countries include The Philippines, India, Japan, Singapore, Taiwan, Germany and the USA.

We will not send personal information to recipients outside of Australia unless we have taken reasonable steps to ensure that the recipient does not breach the Act and the APP, the recipient is subject to an information privacy scheme similar to the Privacy Act or the individual has consented to the disclosure.

If you consent to your personal information being disclosed to an overseas recipient and the recipient breaches the APPs, we will not be accountable for that breach under the Privacy Act, and you will not be able to seek redress under the Privacy Act.

Management of personal information

We recognise the importance of securing personal information. We take reasonable steps to protect your personal information from misuse, interference or loss and unauthorised access, modification or disclosure.

Your personal information is generally stored in digital format on our computer database and on secure servers. Any paper files are stored in secure areas.

We apply the following guidelines:

  • multi-factor authentication is enabled
  • email addresses are verified
  • passwords are required to access the system and password complexity is enforced
  • employees have restricted access to certain sections of the system
  • the system automatically logs and reviews all unauthorised access attempts
  • security procedures are reviewed periodically to consider appropriate new technology and updated methods

Payment information is transmitted securely using Secure Sockets Layer (SSL) encryption technology and processed through our payment processor’s secure payment gateway (which is PCI-DSS compliant). We do not store your payment information (such as bank account details, credit card or debit card information) on our websites’ servers or databases. You will see some of your bank account information in your profile, this is a masked version of the information which is necessary for the payment validation process.

Even after these measures and despite our reasonable efforts, no security measure is ever perfect or impenetrable. If you suspect any misuse or loss of, or unauthorised access to, your personal information, please contact us as soon as you can using our contact details below.

How long do we keep your personal information

The length of time we keep your personal information (whether or not your Birchal account is deactivated) depends on what it is and whether we have an ongoing business need to retain it (e.g., to provide our services or to comply with our legal, tax, accounting or other regulatory obligations).

We’ll retain your personal information for as long as we have a relationship with you and for a period of time afterwards where we have an ongoing business need to retain it, or as otherwise required by law. Following that period, we’ll take reasonable steps to delete or de-identify it. Most of your personal information is or will be stored by us for a minimum of 7 years.

If you would like us to do so, we will deactivate your Birchal account on your request. After your Birchal account is deactivated, it will be removed from our websites and you will no longer be able to login, however, we may retain your personal information as described in this Privacy Policy. To make a deactivation request, please send an email using the contact details below.

Direct marketing

By agreeing to this Privacy Policy, you confirm that we (or our business partners on our behalf) may send you direct marketing communications and information about your Birchal account, our products and services and other offers, promotions, goods or services which we believe may be of interest to you.

Otherwise, we may only use personal information we collect from you for the purposes of direct marketing without your consent if:

  • the personal information does not include sensitive information; and
  • you would reasonably expect us to use or disclose the information for the purpose of direct marketing; and
  • we provide a simple way of opting out of direct marketing; and
  • you have not requested to opt out of receiving direct marketing from us.

If we collect personal information about you from a third party, we will only use that information for the purposes of direct marketing if you have consented (or it is impracticable to obtain your consent), and we will provide a simple means by which you can easily request not to receive direct marketing communications from us. We will draw your attention to the fact you may make such a request in our direct marketing communications.

You may opt-out of receiving marketing materials from us by using the “unsubscribe” link at the bottom of our emails or via your Birchal account. You have the right to request us not to use or disclose your personal information for the purposes of direct marketing or for the purposes of facilitating direct marketing by other organisations. We must give effect to the request within a reasonable period of time. You may also request that we provide you with the source of their information. If such a request is made, we must notify you of the source of the information free of charge within a reasonable period of time.

A company you follow, express an interest in or begin or complete an application to invest in, may also send you direct marketing communications and information. If you do not wish to receive marketing information from that company we encourage you to contact the company or use that company’s unsubscribe facilities. As you can appreciate, we are not responsible for the activities of a third party.

Identifiers

We do not adopt identifiers assigned by the Government (such as drivers’ licence numbers) for our own file recording purposes, unless one of the exemptions in the Privacy Act applies.

How do we keep personal information accurate and up-to-date?

We are committed to ensuring that the personal information we collect, use and disclose is relevant, accurate, complete and up-to-date.

Once you have created a Birchal account, you can review and change your personal information, including your name, company, address, phone number, bank account details and your password. You must update your personal information as soon as you can after it changes.

We also encourage you to contact us to update any personal information we hold about you. If we correct information that has previously been disclosed to another entity, we take reasonable steps to notify the other entity within a reasonable period of the correction. Where we are satisfied that the information is inaccurate, we will take reasonable steps to correct the information within 30 days, unless you agree otherwise. We do not charge you for correcting the information.

Accessing your personal information

Subject to the exceptions set out in the Privacy Act, you may gain access to the personal information that we hold about you by contacting our Privacy Officer. We will provide access within 30 days of your request. If we refuse to provide the information, we will provide reasons for the refusal.

We will require identity verification and specification of what information is required. An administrative fee for search and photocopying costs may be charged for providing access.

External links

Our website may contain links to, and interfaces with, websites, services and widgets operated by third parties, such as social media buttons and features (e.g. “likes” and “shares”), search engines, companies seeking investment through our websites or other partners. Third parties are responsible for informing you about their own privacy practices so if you use these businesses, we encourage you to check out their privacy policies.

As you can appreciate, we make no representations or warranties in relation to the privacy practices of any third party website and we are not responsible for the privacy policies or the content of any third party website.

Your rights

You have rights. This Privacy Policy contains information about how:

  • you may access the personal information we hold about you
  • you may seek the correction of your personal information
  • you may complain about a breach of the Privacy Act, including the APPs
  • we will deal with a privacy complaint

You have the right to request deletion of your personal information collected through our website or via social media platforms such as Facebook. To request deletion of your data, please Contact Us, and include your Facebook user ID if applicable. We will verify your identity and aim to process your request within 7 days.

Contact us or make a complaint

If you have any questions about this Privacy Policy or if you wish to make a complaint about how we have handled your personal information, you can lodge a complaint with us by:

  • Email: support@birchal.com
  • Writing: Birchal Financial Services, Level 2, Podium East, Rialto, 525 Collins Street, Melbourne VIC 3000
  • Website: Contact Us

We have an effective complaints handling process in place to manage privacy risks and issues. The complaints handling process involves:

  • identifying (and addressing) any systemic or ongoing compliance problems
  • increasing consumer confidence in our privacy procedures
  • helping to build and preserve our reputation and business

If you are not satisfied with our response to your complaint, you can also refer your complaint to the Office of the Australian Information Commissioner by:

  • Online submission: via the OAIC’s Privacy complaint form
  • Telephone: 1300 363 992
  • Writing: Director of Complaints, Office of the Australian Information Commissioner, GPO Box 5218, SYDNEY NSW 2001

Updates to this Privacy Policy

We may update this Privacy Policy from time to time. We encourage you to check our website periodically to ensure that you are aware of our current Privacy Policy.