Data Aggregation &
De-Identification Policy

Table of Contents

1. Introduction and Purpose

2. Scope and Application

3. Definitions

4. Our Commitment to Privacy

5. Types of Data Processing

6. De-Identification Standards and Techniques

7. Aggregation Methodologies

8. Use Cases for Aggregated Data

9. Governance and Oversight

10. Technical and Organizational Safeguards

11. Data Quality and Validation

12. Transparency and Disclosure

13. Third-Party Sharing and Commercial Use

14. Rights and Limitations

15. Compliance and Legal Framework

16. Review and Updates

17. Contact Information

Contact Information

1. Introduction and Purpose
1.1 Purpose of This Policy
This Data Aggregation and De-Identification Policy ("Policy") establishes the standards, processes, and safeguards MoneyMind Profile Pty Ltd ABN 33 672 152 073 ("MoneyMind Profile," "we," "us," or "our") employs when creating, using, and sharing aggregated and de-identified data derived from our Services.

​

1.2 Our Commitment
MoneyMind Profile is committed to:

• Privacy by Design: Building privacy protections into our data aggregation processes from the outset

• Data Minimization: Collecting and processing only the data necessary for legitimate purposes

• Transparency: Being clear about what data we aggregate, how we use it, and with whom we share it

• Strong De-Identification: Applying rigorous technical measures to prevent re-identification

• Continuous Improvement: Regularly reviewing and enhancing our practices to reflect evolving privacy standards

1.3 Strategic Value
Aggregated and de-identified data provides significant value to:

• Our Business: Enabling product improvements, research, and innovation

• The Industry: Contributing to better understanding of financial behaviour and risk profiling

• Society: Advancing financial literacy and evidence-based policy development

• Our Customers: Providing benchmarking insights and industry comparisons

• This value must be balanced against the fundamental right to privacy, which this Policy is designed to protect.

​

2. Scope and Application
2.1 What This Policy Covers
This Policy applies to all aggregated and de-identified data created from:

• End-User Data: Personal information about clients of Subscribing Organizations (financial advisers' clients) that is processed through our Services

• Customer Data: Information about our Subscribing Organizations and their authorized users

• Usage Data: Information about how the Services are used

• Generated Data: Outputs, analyses, and insights created through our Services

2.2 What This Policy Does NOT Cover
This Policy does not govern:

• Personal Information in Identifiable Form: Governed by our Privacy Policy and Data Processing Agreement

• Confidential Business Information: Governed by confidentiality agreements

• Internal Operations Data: Not intended for external use or commercialization

2.3 Relationship to Other Policies
This Policy should be read in conjunction with:

• MoneyMind Profile Privacy Policy

• Terms of Use (Section 12: Data Aggregation)

• Data Processing Agreement

• Information Security Policy

• Acceptable Use Policy

In the event of any conflict, the Terms of Use and Data Processing Agreement shall prevail, except where this Policy imposes more stringent privacy protections.

​

2.4 Geographic Scope
This Policy applies to data aggregation activities in all jurisdictions where we operate:

Australia: Complies with the Privacy Act 1988 (Cth) and Australian Privacy Principles
United Kingdom: Complies with UK GDPR and Data Protection Act 2018
United States: Complies with CCPA/CPRA and applicable state privacy laws

3. Definitions
"Aggregated Data" means data that has been combined from multiple sources or individuals and presented in summary form such that individual data subjects cannot be identified. Aggregated Data is considered non-personal information under applicable privacy laws.

​

"Anonymization" means the process of irreversibly transforming Personal Information such that individuals can no longer be identified, directly or indirectly, by any means reasonably likely to be used.

"Data Controller" (or "Business") means an entity that determines the purposes and means of processing Personal Information.

"Data Minimization" means the principle of collecting and processing only the Personal Information that is adequate, relevant, and limited to what is necessary for specified purposes.

"De-Identified Data" means data from which all direct identifiers have been removed and to which technical safeguards have been applied to prevent re-identification. De-identified data may include pseudonymized data.

"Direct Identifier" means any data element that directly identifies an individual, including but not limited to: full name, email address, phone number, physical address, Social Security number, driver's license number, account number, IP address (in some contexts), device identifiers linked to personal information.

"End-User" means a client of a Subscribing Organization whose Personal Information is processed through our Services.

"Indirect Identifier" (or "Quasi-Identifier") means data that, when combined with other data, could potentially identify an individual, such as: age, gender, occupation, geographic region, dates (birth, transaction, activity), demographic characteristics.

"Personal Information" (or "Personal Data") means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable natural person.

"Pseudonymization" means the processing of Personal Information such that it can no longer be attributed to a specific individual without the use of additional information (the "key"), which is kept separately and subject to technical and organizational measures to prevent re-identification.

"Re-Identification" means the process of matching de-identified or pseudonymized data back to the specific individual to whom it relates.

"Sensitive Personal Information" includes Personal Information revealing: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health information, sex life or sexual orientation, and in some jurisdictions, financial account information, Social Security numbers, and precise geolocation.

"Services" means MoneyMind Profile software, applications, tools, and related services.

"Statistical Disclosure Control" means techniques applied to data to prevent the disclosure of information about individuals while preserving data utility.

"Subscribing Organization" means a financial advisory firm, wealth management company, or individual financial adviser that uses our Services to profile and serve their clients.

4. Our Commitment to Privacy
4.1 Privacy-First Approach
We design our data aggregation processes with privacy as a foundational principle, following the framework of "Privacy by Design and by Default":

Privacy by Design:

• Privacy protections are embedded into our systems and processes from the outset

• We anticipate privacy risks and build safeguards proactively

• Privacy is a core business requirement, not an afterthought

Privacy by Default:

• The strictest privacy settings apply automatically

• No action is required by individuals to protect their privacy

• Only necessary data is processed for each specific purpose

4.2 Data Minimization Principle
We adhere strictly to data minimization:

• We collect only the minimum data necessary for aggregation purposes

• We retain source data only as long as necessary for de-identification and aggregation

• We delete source Personal Information promptly after aggregation is complete

• We limit the granularity of aggregated data to what is necessary for its intended purpose

4.3 Purpose Limitation
Aggregated data is used only for the purposes disclosed in:

• This Policy

• Our Privacy Policy

• Our Terms of Use (Section 12)

• Specific disclosures to Subscribing Organizations

We do not use aggregated data for purposes incompatible with these disclosures without obtaining appropriate consent or providing additional notice.

​

4.4 Accountability and Responsibility
We take full responsibility for:

• Ensuring de-identification techniques are effective

• Preventing re-identification of individuals

• Maintaining the security of aggregation processes

• Training personnel on privacy requirements

• Conducting regular audits and assessments

5. Types of Data Processing
5.1 When We Act as Data Controller
We are the data controller (business) for aggregated data created from:

• Customer usage and activity data (how Subscribing Organizations use our Services)

• Aggregate industry research conducted with explicit participant consent

In these scenarios, we determine the purposes and means of aggregation and are responsible for compliance with applicable privacy laws.

​

5.2 When We Act as Data Processor
When Subscribing Organizations use our Services to profile their clients, we act as a data processor (service provider) for End-User Personal Information. In this role:

Limited Aggregation Rights:

• We may aggregate End-User data only as permitted by our Data Processing Agreement

• Subscribing Organizations retain primary control over their clients' data

• We may create aggregated insights only after applying rigorous de-identification

• Aggregation is conducted in accordance with Section 12 of our Terms of Use

Contractual Authorization: Our Terms of Use (Section 12.1–12.3) provide contractual authorization from Subscribing Organizations to:

• Aggregate End-User data across multiple Subscribing Organizations

• Use de-identified aggregated data for service improvement, research, and product development

• Share aggregated data with third parties (subject to this Policy's protections)

5.3 Source Data Categories
We aggregate data from the following categories:

​

Behaviour Profile Data:

• Responses to behaviour profiling questionnaires

• Financial personality assessments

• Behavioral traits and tendencies

• Decision-making patterns

Risk Profile Data:

• Risk capacity assessments

• Risk tolerance scores

• Financial goals and risk need

Demographic Data:

• Age ranges

• Geographic regions (country, state, metropolitan area)

• Occupation categories

• Income bands

• Expense bands

• Asset ranges

• Liability ranges

• Life stage indicators

Financial Data:

• Portfolio asset allocation data (aggregated)

• Asset class preferences

Usage and Interaction Data:

• Feature utilization patterns

• Questionnaire completion rates

• Report generation frequency

• Time spent on assessments

• User interaction patterns

Important: We do NOT include in aggregated data:

• Full names, email addresses, or contact information

• Specific account numbers or financial account identifiers

• Social Security numbers or government identifiers

• Precise geolocation data

• Health information (unless appropriately de-identified under HIPAA standards for research)

• Any data that would allow individual identification

​

In the Software we do NOT capture social security numbers, tax file numbers, national insurance numbers, driver's license numbers and passport numbers, financial account numbers (bank account, investment account, or credit card numbers), vehicle identification numbers (VINs).

6. De-Identification Standards and Techniques
6.1 De-Identification Framework
We employ a multi-layered de-identification framework based on industry best practices from organizations like Apple, Salesforce, and leading privacy research institutions.

Our approach follows the "De-Identification Triangle" principle:

• Remove Direct Identifiers: Strip all data elements that directly identify individuals

• Generalize Indirect Identifiers: Transform quasi-identifiers to reduce specificity

6.2 Removal of Direct Identifiers
Before any aggregation, we remove all direct identifiers, including:

• Full names (first, middle, last)

• Email addresses

• Phone numbers (mobile, landline)

• Physical addresses (street, unit number)

• Account identifiers and user IDs

• IP addresses (full or partial)

• Device identifiers (MAC addresses, IMEI, advertising IDs)

• Biometric data (fingerprints, facial recognition data)

• Web cookies or persistent identifiers linked to personal information

• Any other unique identifiers that could directly identify individuals

Technical Implementation:​

• Mandatory deletion before data enters aggregation processes

• Audit logs to verify complete removal

6.3 Generalization of Indirect Identifiers
Indirect identifiers (quasi-identifiers) are generalized to prevent re-identification through combination:

Age:

• Specific ages → Age ranges (e.g., 25-34, 35-44, 45-54)

• Ranges selected to ensure k-anonymity thresholds

Geographic Data:

• Specific addresses → Metropolitan area, state, or region

• Postal codes → Partial postal codes (first 3 digits) or geographic regions

• City-level data only for cities with population > 100,000

• Country-level aggregation as default for international data

Dates:

• Specific dates of birth → Month and year, or year only

• Transaction dates → Week, month, or quarter

• Temporal rounding to obscure precise timing

Income and Asset Data:

• Specific values → Broad bands (e.g., $50,000-$100,000, $100,000-$200,000)

• Band widths selected to ensure sufficient population in each band

• Top-coding applied to highest values to prevent identification of high-net-worth individuals

Financial Data:

• Portfolio asset allocation → allocations or value ranges

• Specific product names → Product categories

6.4 Advanced De-Identification Techniques

The below techniques may be used depending on the use case and data sets being aggregated.
Noise Addition (Differential Privacy):

• Random statistical noise added to datasets to prevent inference attacks

• Calibrated to maintain data utility while protecting privacy

• Ensures that inclusion or exclusion of any single individual does not significantly affect results

Data Suppression:

• Rare or unique combinations of attributes are suppressed entirely

• Outliers removed to prevent identification of exceptional cases

Data Swapping:

• Values of sensitive attributes swapped between records to break linkages

• Applied selectively to maintain overall statistical properties

Rounding and Binning:

• Continuous variables rounded to reduce precision

• Values grouped into bins or categories

• Applied consistently across all records

Pseudonymization vs. Anonymization
Pseudonymization:

• Used when we need to track entities over time without identifying them

• Random identifiers replace direct identifiers

• Keys kept separately under strict security controls

• Pseudonymized data is still considered Personal Information under GDPR/UK GDPR

• Used only for intermediate processing; final aggregated outputs are fully anonymized

Anonymization:

• Irreversible process; no key exists to re-identify individuals

• Aggregated data in its final form is anonymized

• No longer considered Personal Information under applicable laws

• Cannot be reversed using any reasonable means

7. Aggregation Methodologies
7.1 Aggregation Process Overview
Our aggregation process follows a rigorous multi-stage workflow:

Stage 1: Data Extraction

• Source data identified based on aggregation purpose

• Minimal necessary data extracted from production systems

• Extraction logged and audited

Stage 2: Pre-Processing

• Direct identifiers removed immediately upon extraction

• Data quality checks performed

• Missing or invalid data flagged

Stage 3: De-Identification

• Techniques from Section 6 applied systematically

• Automated and manual checks for residual identifiers

Stage 4: Aggregation

• Statistical aggregation performed (counts, means, medians, distributions)

• Thresholds applied (see Section 8)

Stage 5: Validation

• Re-identification risk assessment

• Data utility verified

• Compliance checks performed

Stage 6: Approval and Release

• Privacy Officer, Chief Technical Officer, or designated reviewer approves

• Aggregated data moved to approved repository

• Source Personal Information deleted (unless required for legal retention)

7.2 Statistical Aggregation Methods
Descriptive Statistics:

• Counts and frequencies

• Means, medians, and modes

• Standard deviations and variances

• Percentiles and quartiles

• Confidence intervals

Trend Analysis:

• Time-series aggregates (monthly, quarterly, annually)

Benchmarking:

• Industry averages and percentiles

• Peer group comparisons

• Normalized scores and indices

Segmentation:

• Cluster analysis to identify groups with similar characteristics

• Segment profiles based on aggregated attributes

Modeling and Inference:

• Models using aggregated data

• Predictive models trained on de-identified datasets

• Model outputs validated to ensure no individual identification

7.3 Geographic Aggregation

• Regions/States/Postal/ZIP Codes: Default geographic unit for most purposes

• Countries: Used for international comparisons

7.4 Cohort Analysis
We may create cohorts (groups) for analysis

• Cohorts defined by shared characteristics (e.g., "self-control or optimism behavioral characteristics")

• Tracking at cohort level only; no individual tracking

• Cohort definitions broad enough to prevent identification

8. Use Cases for Aggregated Data
8.1 Internal Business Uses
Product Development and Improvement:

• Identifying features that are most/least used

• Understanding user needs and pain points

• Developing new tools, features, and functionalities

• Optimizing user experience and workflows

Research and Innovation:

• Conducting research into financial behavior and decision-making

• Developing improved risk profiling

• Creating industry insights and thought leadership

• Contributing to academic and practitioner research

Quality Assurance and Performance Monitoring:

• Monitoring system performance and reliability

• Identifying and resolving technical issues

• Benchmarking service delivery

• Ensuring compliance with service level agreements

Business Analytics and Reporting:

• Internal reporting on product usage and engagement

• Board and investor reporting

• Financial planning and forecasting

• Strategic decision-making

8.2 Customer-Facing Uses
Benchmarking and Insights:

• Providing Subscribing Organizations with industry benchmarks

• Showing how their clients compare to peer groups

• Delivering insights to improve business practices

• Offering context for individual client profiles and cohorts

Training and Education:

• Educating financial advisers on behavior profiling best practices

• Providing case studies and examples (fully anonymized)

• Supporting professional development

Marketing and Thought Leadership:

• Publishing industry reports and white papers

• Presenting at conferences and webinars

• Demonstrating product value through aggregated results

• Building brand authority

8.3 Third-Party Commercial Uses
Subject to the safeguards in Section 13, we may commercialize aggregated data through:

Licensing to Research Institutions:

• Academic researchers studying financial behaviour

• Industry research organizations

• Think tanks and policy institutes

Licensing to Financial Services Firms:

• Financial advisory providers

• Investment managers seeking market insights

• Financial product providers

Licensing to Data Analytics Companies:

• Firms providing market intelligence

• Business intelligence platforms

• Consulting firms advising financial services clients

Media and Publishers:

• Providing data for news articles and industry publications

• Supporting journalism and public discourse

• Educational and non-profit uses

Important: All third-party licenses include contractual prohibitions on:

• Attempting to re-identify individuals

• Combining data with other sources to identify individuals

• Using data in ways inconsistent with this Policy

• Further distribution without approval

8.4 Prohibited Uses
We do NOT use aggregated data for:

• Discriminatory Purposes: Making decisions that discriminate based on protected characteristics

• Targeting Individuals: Creating profiles of or marketing to specific individuals

• Employment Decisions: Hiring, firing, or promoting based on aggregated data

• Surveillance: Monitoring or tracking specific individuals

• Harmful Purposes: Any purpose that could harm individuals or groups

9. Governance and Oversight
9.1 Privacy Officer Responsibility
Our Privacy Officer has overall responsibility for:

• Implementing and maintaining this Policy

• Approving aggregation projects and methodologies

• Conducting or overseeing re-identification risk assessments

• Reviewing third-party data sharing agreements

• Investigating privacy incidents related to aggregated data

• Reporting to senior management on compliance

9.2 Data Aggregation Review Committee
For significant aggregation projects, we may convene a Data Aggregation Review Committee comprising:

• Privacy Officer (Chair)

• Chief Technology Officer or delegate

• Data Scientist or Analytics Lead

• Legal Counsel or Compliance Officer

Committee Responsibilities:

• Reviewing proposed aggregation projects

• Assessing privacy risks and benefits

• Approving methodologies and techniques

• Monitoring ongoing aggregation activities

• Recommending policy updates

9.3 Approval Process
Standard Aggregation (Internal Use, Low Risk):

• Documented by Data Analyst or Data Scientist

• Reviewed and approved by Chief Technology Officer and Privacy Officer

• Quarterly reporting to management

Enhanced Aggregation (Commercial Use, Third-Party Sharing):

• Formal proposal submitted to Data Aggregation Review Committee

• Risk assessment conducted and documented

• Committee approval required before proceeding

• Annual review of ongoing commercial uses

High-Risk or Sensitive Data:

• Senior management approval required

• External privacy expert consultation may be required

• Enhanced monitoring and auditing

9.4 Documentation Requirements
All aggregation activities must be documented, including:

• Purpose: Why the aggregation is being conducted

• Data Sources: What Personal Information is being aggregated

• Methodology: De-identification and aggregation techniques used

• Risk Assessment: Re-identification risk evaluation

• Approval: Evidence of appropriate approval

• Safeguards: Technical and organizational measures applied

• Retention: How long source data and aggregated data will be retained

• Distribution: How aggregated data will be used or shared

• Documentation retained for audit and compliance purposes for at least 7 years.

​

9.5 Training and Awareness
Personnel involved in data aggregation must complete:

• Privacy Awareness Training: Annual training on privacy principles and legal requirements

• De-Identification Training: Specific training on de-identification techniques

• Role-Based Training: Specialized training for data scientists, analysts, and engineers

• Policy Training: Training on this Policy and related procedures

• Training records maintained and reviewed annually.

​

10. Technical and Organizational Safeguards
10.1 Access Controls
Principle of Least Privilege:

• Access to source Personal Information limited to personnel with legitimate need

• Role-based access controls enforced

• Regular access reviews and revocations

Segregation of Duties:

• Personnel conducting aggregation do not have direct access to identifiable data in production systems

• Extraction, de-identification, and approval performed by different individuals

• Peer review required for complex aggregations

Audit Logging:​

• All aggregation activities logged and monitored

• Logs reviewed regularly for anomalies

• Logs retained for at least 3 years

10.2 Secure Environments
Encryption:

• Data encrypted in transit (TLS 1.2+) and at rest

• Encryption keys managed according to industry best practices

• Regular key rotation

Secure Data Disposal:

• Source Personal Information securely deleted after aggregation (subject to legal retention)

• Multiple overwrite passes to prevent recovery

• Certificate of destruction for physical media

10.3 Technical Safeguards in Software
Automated De-Identification:

• Software tools to automatically detect and remove direct identifiers

• Algorithms to apply generalization, suppression, and noise addition

Query Controls:​

• Query logging and monitoring for suspicious patterns

Data Masking:

• Dynamic data masking for development and testing environments