Privacy Policy

Table of Contents

Introduction
Scope and Application
Definitions
Our Role and Your Data Controller
Personal Information We Collect
How We Collect Personal Information
How We Use Personal Information
Legal Bases for Processing (International Users)
How We Share and Disclose Personal Information
International Data Transfers
Aggregated and De-Identified Data
Data Security
Data Retention
Your Privacy Rights
Cookies and Tracking Technologies
Third-Party Links and Services
Children's Privacy
Data Breach Notification
Changes to This Privacy Policy
Jurisdiction-Specific Information

1. Introduction
MoneyMind Profile Pty Ltd ABN 33 672 152 073 ("MoneyMind Profile," "we," "us," or "our") values the privacy of everyone who visits our website and uses our software and services. We are committed to protecting your Personal Information and being transparent about our data practices.

This Privacy Policy explains:

What Personal Information we collect and why
How we use, share, and protect that information
Your rights regarding your Personal Information
How to contact us with privacy questions or concerns

We operate globally, serving customers in Australia, the United Kingdom, and the United States. This Privacy Policy is designed to comply with applicable data protection laws in all jurisdictions where we operate, including:

Australia: Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
United Kingdom: UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018
United States: California Consumer Privacy Act (CCPA/CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), and other applicable state privacy laws

2. Scope and Application

2.1 What This Policy Covers
This Privacy Policy applies to Personal Information we collect, use, and disclose when you:

Visit our websites (including www.moneymindprofile.com and related domains)
Use our MoneyMind Profile software and services ("Services")
Communicate with us via email, phone, chat, or other channels
Attend our events, webinars, or training sessions
Enter into a business relationship with us

2.2 Our Business Model
We provide MoneyMind Profile software and related support services to organizations such as financial advisory firms, wealth management companies, and individual financial advisers ("Customers" or "Subscribing Organizations"). These Customers use our Services to:

Conduct behaviour profiling of their clients
Perform risk profile analysis
Generate financial planning reports
Manage client relationships and advisory workflows

2.3 Important Distinction: Controller vs. Processor

When We Are a Data Processor (Service Provider):
When a Subscribing Organization (Customer) uses our Services to process Personal Information about their clients (End-Users), that organization is the data controller (under GDPR/UK GDPR) or business (under CCPA) of that Personal Information. We act as a data processor (or service provider) on their behalf.
In this capacity:

The Subscribing Organization determines what Personal Information is collected and how it is used
The Subscribing Organization's privacy policy applies to their clients
We process End-User Personal Information only on the Subscribing Organization's documented instructions
End-Users should contact the relevant Subscribing Organization regarding their Personal Information

When We Are a Data Controller (Business):
We act as a data controller (or business) for:

Personal Information of our Customers (Subscribing Organizations and their authorized users)
Website visitors
Newsletter subscribers
Event attendees
Marketing contacts
Prospective customers

2.4 Who This Policy Does NOT Cover
If you are a client (End-User) of a financial advisor, fund provider, or organization that uses our Services, your Personal Information is controlled by that organization, not by us. Their privacy policy governs how they collect, use, and share your Personal Information. We only process your information on their behalf according to their instructions.
Please contact your financial advisor or the relevant organization for questions about how they handle your Personal Information.

3. Definitions
For purposes of this Privacy Policy:

"Applicable Data Protection Laws" means all applicable data protection and privacy laws, including: (i) in Australia, the Privacy Act 1988 (Cth) and the Australian Privacy Principles; (ii) in the United Kingdom, the UK GDPR and the Data Protection Act 2018; (iii) in the United States, the CCPA (as amended by the CPRA), VCDPA, CPA, and other applicable state privacy laws; and (iv) any other applicable data protection or privacy laws.

"Controller" (or "Business" under US laws) means the entity that determines the purposes and means of processing Personal Information.

"Customer" or "Subscribing Organization"** means the financial advisory firm, wealth management company, or individual financial advisor that subscribes to our Services.

"Data Subject" (or "Consumer" under US laws) means an identified or identifiable natural person whose Personal Information is processed.

"End-User" means a client of a Subscribing Organization whose Personal Information may be processed through our Services.
"Personal Information" (or "Personal Data") means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable natural person. This includes information defined as "personal information" under the Privacy Act 1988 (Cth), "personal data" under the UK GDPR, and "personal information" under the CCPA.

"Processing" means any operation performed on Personal Information, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, erasure, or destruction.

"Processor" (or "Service Provider" under US laws) means an entity that processes Personal Information on behalf of a Controller.

"Sensitive Personal Information" includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health information, sex life or sexual orientation, and in some jurisdictions, financial account information, Social Security numbers, precise geolocation, and contents of communications.

"Services" means our MoneyMind Profile software platform, applications, tools, features, and related services.

4. Our Role and Your Data Controller
4.1 When We Control Your Personal Information
We are the data controller (or business) for:
Customer Personnel: If you work for a Subscribing Organization and use our Services in your professional capacity (as a financial advisor, administrator, or other authorized user), we control Personal Information credentials as described in this Privacy Policy.
Direct Contacts: If you interact with us directly (as a website visitor, newsletter subscriber, event attendee, prospective customer, or business contact), we control your Personal Information.

4.2 When We Process on Behalf of Others
When Subscribing Organizations use our Services to process their clients' Personal Information, we act as a processor (or service provider).

In this role:

We process Personal Information only on the Subscribing Organization's documented instructions
We do not use End-User Personal Information for our own purposes
The Subscribing Organization remains responsible for compliance with privacy laws regarding their clients
End-Users should exercise their privacy rights through the Subscribing Organization

4.3 Contact Your Financial Adviser
If you are a client of a financial adviser using our Services: Your financial adviser or the organization they work for is responsible for your Personal Information. Please contact them directly regarding:

What Personal Information they collect about you
How they use your information
Your rights to access, correct, or delete your information
Their privacy practices and policies

We cannot directly respond to privacy requests from End-Users as we process this information only on behalf of the Subscribing Organization.

5. Personal Information We Collect
The Personal Information we collect depends on how you interact with us and the Services you use.
5.1 Information We Collect About Customer Personnel
When you register for an account, use our Services, or interact with us as a representative of a Subscribing Organization, we may collect:

Identity and Contact Information:

Full name
Email address
Phone number
Business address
Job title and role
Professional credentials and licenses
Organization/firm name

Account and Authentication Information:

Username and account ID
Password (stored in encrypted/hashed form)
Security questions and answers
Multi-factor authentication credentials
Professional Information:
Professional licenses and registrations
Areas of specialization
Years of experience
Professional association memberships

Usage and Activity Information:

Login history and session data
Features and services accessed
Content created, uploaded, or modified
Search queries and navigation patterns
Device information (IP address, browser type, operating system, device identifiers)
Time stamps and duration of use

Communications:

Support requests and help desk interactions
Chat messages and correspondence
Feedback and survey responses
Training and webinar participation

Financial and Billing Information:

Billing name and address
Payment method details (processed and stored by our third-party payment processor; we do not store full credit card numbers)
Purchase history and transaction records
Subscription plan details

End-User Information You Input:

When you use our Services to profile your clients, you input information about them (names, dates of birth, financial information, risk tolerance responses, etc.). This information is controlled by you (the Subscribing Organization), and we process it only as your processor. See Section 4.2.

5.2 Information We Collect From Website Visitors
When you visit our website, we may collect:

Automatically Collected Information:

IP address and approximate geolocation
Browser type and version
Operating system
Referring website
Pages visited and time spent
Links clicked
Device identifiers

Information You Provide:

Contact form submissions
Newsletter subscriptions
Demo or trial requests
Event registrations
Cookie preferences

5.3 Information From Third Parties
We may receive Personal Information from:

Service Providers and Integration Partners:

Payment processors (billing information)
Analytics providers (usage data)
Customer relationship management platforms
Marketing and communication platforms
Financial advice platforms
Identity verification services

Publicly Available Sources:

Professional licensing databases
Business directories
LinkedIn and other professional networks
Regulatory registers

Subscribing Organizations:

If your employer or firm subscribes to our Services, they may provide your information to set up your account

5.4 Sensitive Personal Information
Important: Our Services are designed to minimize the collection of Sensitive Personal Information. However, we acknowledge that:

Financial advisors using our Services may input Sensitive Personal Information about their clients (financial information, questionnaire information, information revealing racial or ethnic origin in demographic data, etc.)
When Subscribing Organizations input such information, they remain the controller and are responsible for obtaining appropriate consents and complying with applicable laws
We process this information only as a processor on their behalf

We do not require or request Sensitive Personal Information from Customer personnel. If you choose to provide Sensitive Personal Information to us, you consent to our processing of that information for the purposes described in this Privacy Policy and in accordance with Applicable Data Protection Laws.

6. How We Collect Personal Information
We collect Personal Information through the following methods:

6.1 Direct Collection
When You Provide It to Us:

Registration and account creation
Using our Services and entering data
Completing forms, questionnaires, or surveys
Communicating with our support team
Subscribing to newsletters or marketing
Attending events or webinars
Applying for employment or contractor positions

6.2 Automatic Collection
Through Technologies:

Cookies and similar tracking technologies (see Section 15)
Web server logs
Analytics tools
Session recording for quality assurance and training (with notice)

6.3 Third-Party Sources
From Service Providers:

Payment processors
Analytics and monitoring services
Marketing platforms
CRM systems
Identity verification providers

From Subscribing Organizations:

When they set up user accounts for their personnel
When they provide contact information for billing or support

From Publicly Available Sources:

Professional licensing registers
Business contact databases
Company websites and directories

6.4 Anonymous and Pseudonymous Use
Website: You may visit our website anonymously. However, certain features and interactive elements may not be available without providing some Personal Information.

Services: Due to the nature of our Services (which require secure authentication and personalized functionality), anonymous use is not practical. You may use a pseudonym for certain communications, where lawful and practicable.

7. How We Use Personal Information
We use Personal Information for the purposes described below and only where we have a lawful basis to do so (see Section 8).

7.1 To Provide and Maintain the Services

Creating and managing user accounts
Authenticating users and preventing unauthorized access
Providing access to features and functionality
Processing and storing data you input
Generating reports and outputs
Providing customer support and technical assistance
Troubleshooting and resolving issues
Performing backups and ensuring business continuity

7.2 To Improve and Develop the Services

Understanding how users interact with our Services
Analyzing usage patterns and trends
Identifying areas for improvement
Developing new features and functionality
Conducting research and analytics
Testing new products and beta features
Benchmarking performance and reliability

7.3 For Business Operations

Processing payments and managing subscriptions
Maintaining internal records
Performing accounting, auditing, and financial analysis
Managing vendor and service provider relationships
Conducting due diligence for business transactions
Protecting our business interests and enforcing our rights

7.4 For Communication and Marketing

Sending transactional emails (account notifications, service/feature updates, billing statements)
Providing customer support via email, phone, or chat
Sending newsletters and marketing communications (with consent where required)
Inviting you to events, webinars, and training sessions
Conducting surveys and requesting feedback
Sharing product updates and feature announcements
You may opt out of marketing communications at any time using the unsubscribe link in emails or by contacting us.

7.5 For Security and Fraud Prevention

Detecting and preventing fraud, abuse, and unauthorized access
Investigating security incidents and policy violations
Monitoring for malicious activity and threats
Maintaining the security and integrity of our systems
Enforcing our Terms of Use and Acceptable Use Policy
Protecting against legal liability

7.6 For Compliance and Legal Obligations

Complying with applicable laws, regulations, and legal process
Responding to lawful requests from authorities
Defending legal claims and protecting legal rights
Maintaining records as required by law
Conducting internal audits and compliance reviews
Meeting regulatory reporting obligations

7.7 With Your Consent
Where required by applicable law, we will obtain your consent before using Personal Information for purposes not covered above.

8. Legal Bases for Processing (International Users)
For users in jurisdictions requiring a legal basis for processing (such as the UK and EU under GDPR), we rely on the following legal bases:

8.1 Contract Performance

We process Personal Information to perform our contract with you or the Subscribing Organization, including:
Providing access to the Services
Delivering customer support
Processing payments

8.2 Legitimate Interests
We process Personal Information for our legitimate business interests, including:

Improving and developing the Services
Conducting marketing and business development
Preventing fraud and enhancing security
Analyzing usage and performance
Managing business operations
We conduct balancing tests to ensure our legitimate interests do not override your rights and interests.

8.3 Legal Obligations

We process Personal Information to comply with legal and regulatory obligations, including:

Responding to lawful requests
Meeting record-keeping requirements
Complying with tax and financial regulations

8.4 Consent
Where required or appropriate, we process Personal Information based on your consent, including:

Marketing communications (where consent is required)
Certain cookie uses
Processing Sensitive Personal Information (where applicable)

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

8.5 Vital Interests
In rare circumstances, we may process Personal Information to protect vital interests (yours or another person's), such as in emergency situations.

9. How We Share and Disclose Personal Information
We do not sell, rent, or lease Personal Information to third parties. We share Personal Information only as described below.

9.1 Service Providers and Subprocessors
We engage trusted third-party service providers to perform functions on our behalf, including:

Infrastructure and Hosting:

Cloud hosting providers (data centers and servers)
Content delivery networks
Data backup and disaster recovery services
Payment Processing:
Payment gateways and processors
Billing and invoicing platforms

Communication and Support:

Email delivery services
Chat and messaging platforms
Customer relationship management systems
Help desk and ticketing systems

Analytics and Performance:

Website and application analytics
Performance monitoring and error tracking
User behavior analysis

Security and Fraud Prevention:

Identity verification services
Fraud detection and prevention tools
Security monitoring services
Marketing and Outreach:
Email marketing platforms
Event management systems
Webinar and video conferencing tools

All service providers are bound by contractual obligations to:

Use Personal Information only for the specified purposes
Implement appropriate security measures
Comply with Applicable Data Protection Laws
Not use Personal Information for their own purposes

A list of our key subprocessors is available on our website at www.moneymindprofile.com.

9.2 Within the MoneyMind Profile Organization
We may share Personal Information among MoneyMind Profile entities and affiliates for:

Internal administration and reporting
Customer support and service delivery
Business operations and management
Product development and improvement

All internal sharing is subject to appropriate data protection safeguards.

9.3 Business Transfers
If we are involved in a merger, acquisition, asset sale, reorganization, bankruptcy, or similar transaction, Personal Information may be transferred as part of that transaction.

We will:

Provide notice before Personal Information is transferred
Ensure the receiving party maintains protections at least as protective as this Privacy Policy
Provide you with choices regarding the use of your Personal Information

9.4 Legal and Regulatory Requirements
We may disclose Personal Information when required or permitted by law, including:

To Comply with Legal Obligations:

Court orders, subpoenas, or other legal process
Regulatory investigations and examinations
Tax authorities and financial regulators
Law enforcement requests (where lawful)

To Protect Rights and Interests:

Defending legal claims
Enforcing our Terms of Use and policies
Protecting against fraud, abuse, or illegal activity
Safeguarding the security and integrity of our Services
Protecting the safety of individuals

With Your Consent or Direction:

When you authorize us to share your information
When you direct us to integrate with third-party services
When you participate in co-sponsored events or programs
We will notify you of legal requests for your Personal Information unless prohibited by law or where notice would be counterproductive.

9.5 Aggregated and De-Identified Information
We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify a "Customer" or "Subscribing Organization", or "End-User" including:

Questionnaire data
Statistical data and research findings
Industry benchmarks and trends
Usage analytics and performance metrics

Such information is not Personal Information and is not subject to this Privacy Policy.

9.6 No Sale of Personal Information
Important: We do not sell Personal Information. Under California law (CCPA), "sale" has a broad meaning that includes sharing for monetary or other valuable consideration. We do not engage in such activities.

10. International Data Transfers
10.1 Global Operations
MoneyMind Profile operates globally and may transfer Personal Information to countries other than where you are located, including:

Australia (where our primary operations are based)
United States (where our cloud hosting infrastructure is located)
United Kingdom (where we maintain offices)
Other countries where our service providers operate

10.2 Adequacy Decisions
Where possible, we transfer Personal Information to countries recognized as providing adequate protection:

The European Commission has recognized certain countries (including the UK, post-Brexit) as providing adequate protection for personal data
Australia is recognized under the EU-Australia adequacy decision

10.3 Safeguards for International Transfers
When transferring Personal Information to countries not recognized as providing adequate protection, we implement appropriate safeguards, including:

Standard Contractual Clauses (SCCs):
We use the European Commission's Standard Contractual Clauses for transfers from the EU/EEA
We use the UK International Data Transfer Agreement (IDTA) or Addendum for transfers from the UK
These clauses provide contractual protections for your Personal Information

Binding Corporate Rules:

As we expand, we may implement Binding Corporate Rules for intra-group transfers

Supplementary Measures:

Encryption in transit and at rest
Strict access controls and authentication
Regular security assessments
Data minimization practices

10.4 Your Consent
By using our Services or providing Personal Information, you acknowledge and consent (where required by law) to the transfer of your Personal Information to countries that may have different data protection laws than your country of residence.

10.5 Data Localization
For some Subscribing Organizations, particularly those in highly regulated industries or jurisdictions, we may offer options to:

Store data in specific geographic regions
Limit cross-border transfers
Implement additional security and access controls

Please contact us to discuss data localization options.

11. Aggregated and De-Identified Data
11.1 Our Use of Aggregated Data
We create aggregated, anonymized, and de-identified data from "Customer" or "Subscribing Organization", or "End-User" Information to:

Improve the Services and develop new features
Conduct research and analytics
Generate industry insights and benchmarks
Produce statistical reports and trends
Enhance our algorithms and risk assessment models

11.2 De-Identification Process
When we aggregate and de-identify data:

We remove all direct identifiers (names, email addresses, account IDs)
We apply statistical techniques to prevent re-identification
We ensure the data cannot reasonably be linked back to individuals
We combine data from multiple users to prevent identification
We apply our Data Aggregation and De-Identification Policy.

11.3 Ownership and Use
Aggregated Data created from End-User information (clients of Subscribing Organizations):

We may create aggregated data in accordance with our Data Processing Agreement
Such data is fully de-identified and cannot identify individual End-Users
We may use and license this aggregated data for our business purposes
This use is disclosed to Subscribing Organizations in our Terms of Use

Aggregated Data created from Customer personnel information:

We may create aggregated usage analytics and benchmarks
Such data helps us improve the Services and identify trends
This data is fully anonymized and cannot identify individuals or organizations

11.4 No Re-Identification

We commit to not attempting to re-identify aggregated or de-identified data and to implementing measures to prevent others from doing so.

12. Data Security
12.1 Our Commitment to Security

We take data security seriously and implement comprehensive administrative, technical, and physical safeguards to protect Personal Information against unauthorized access, use, disclosure, alteration, or destruction.

12.2 Technical Safeguards
Encryption:

Data in transit is encrypted using Transport Layer Security (TLS 1.2 or higher)
Data at rest is encrypted using industry-standard encryption algorithms
Database encryption protects stored information
Password storage uses strong cryptographic hashing

Access Controls:

Multi-factor authentication (MFA) for user access
Role-based access controls (RBAC) limiting access to authorized personnel
Least privilege principle (users have only necessary access)
Regular access reviews and revocations
Secure API authentication and authorization

Network Security:

Firewalls and intrusion detection/prevention systems
Network segmentation and isolation
DDoS protection and mitigation
Regular security patching and updates
Vulnerability scanning and penetration testing

Application Security:

Secure software development lifecycle (SDLC)
Code reviews and security testing
Input validation and sanitization
Protection against common vulnerabilities (OWASP Top 10)
Security headers and configurations

12.3 Administrative Safeguards
Policies and Procedures:

Comprehensive information security policies
Data classification and handling procedures
Incident response and disaster recovery plans
Vendor management and due diligence
Regular policy reviews and updates

Personnel:

Background checks for employees with access to Personal Information
Confidentiality and non-disclosure agreements
Security awareness training and education
Clear roles and responsibilities
Separation of duties

Monitoring and Auditing:

Security information and event management (SIEM)
Log monitoring and analysis
Regular security assessments and audits
Third-party security certifications (SOC 2, ISO 27001 in progress)
Continuous compliance monitoring

12.4 Physical Safeguards
Data Centers:

Our infrastructure is hosted in secure, certified data centers
Physical access controls and monitoring
Environmental controls (fire suppression, climate control)
Redundant power and network connectivity
24/7 security monitoring

Office Security:

Secured office facilities with access controls
Visitor management and escort policies
Secure disposal of physical media
Clean desk and screen lock policies

12.5 Your Responsibilities
While we implement robust security measures, security is a shared responsibility. We encourage you to:

Use strong, unique passwords
Enable multi-factor authentication
Keep login credentials confidential
Log out when finished using the Services
Report suspicious activity immediately
Keep your devices and software up to date
Use secure networks when accessing the Services
Be cautious of phishing attempts

12.6 No Absolute Security
Despite our efforts, no security measures are perfect or impenetrable. We cannot guarantee absolute security of Personal Information. Internet transmissions are never completely private or secure, and any information you transmit may be intercepted by others.

12.7 Security Incidents
In the event of a data breach or security incident affecting Personal Information, we will:

Promptly investigate and contain the incident
Notify affected individuals as required by applicable law
Notify relevant regulatory authorities
Take steps to prevent recurrence
Cooperate with investigations

See Section 18 for more details on data breach notification.

13. Data Retention
13.1 Retention Principles
We retain Personal Information only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

13.2 Retention Periods
Customer Account Information:

Active accounts: For the duration of your subscription plus up to 30 days after termination (to allow for reactivation)
Terminated accounts: Deleted or anonymized within 30 days of subscription termination, unless longer retention is required by law
Backup copies: Retained for an additional 90 days in backup systems, then permanently deleted

End-User Information (Processed as Processor):

Controlled by the Subscribing Organization
Retained according to the Subscribing Organization's instructions
Deleted or returned upon subscription termination as directed by the Subscribing Organization
Subscribing Organizations are responsible for their own retention policies and legal obligations

Financial and Transaction Records:

Billing and payment information: Retained for 7 years to comply with tax and accounting requirements
Invoice records: Retained for 7 years

Communications and Support:

Support tickets and correspondence: Retained for 3 years
Chat logs: Retained for 1 year
Marketing communications: Until you unsubscribe, then deleted within 30 days

Website Analytics and Logs:

Server logs: Retained for 90 days
Analytics data: Aggregated and anonymized data may be retained indefinitely

Legal and Compliance:

Records required by law: Retained for the period required by applicable law
Litigation hold: Personal Information relevant to legal proceedings retained until matter resolution

13.3 Secure Deletion
When Personal Information is no longer needed:

We delete it from production systems
We overwrite or degauss physical media
We ensure backups are purged according to retention schedules
We use secure deletion methods to prevent recovery

13.4 Requesting Deletion
You may request deletion of your Personal Information at any time (see Section 14). We will honor such requests subject to:

Legal obligations requiring retention
Legitimate business needs (e.g., fraud prevention)
Technical limitations (e.g., backup retention cycles)

13.5 Exceptions
We may retain Personal Information longer than standard retention periods when:

Required by applicable law or regulation
Necessary for legal claims or disputes
Needed for audit or compliance purposes
Subject to a litigation hold or investigation
Required to protect rights, property, or safety

14. Your Privacy Rights
Depending on your jurisdiction, you may have various rights regarding your Personal Information. We respect these rights and provide mechanisms to exercise them.

14.1 Rights Under Australian Privacy Law
If you are in Australia, you have the right to:

Access: Request access to the Personal Information we hold about you. We will provide access unless an exception applies under the Privacy Act.
Correction: Request correction of inaccurate, outdated, incomplete, or misleading Personal Information.
Complaints: Lodge a complaint with us about our handling of your Personal Information. We will investigate and respond to complaints in accordance with the APPs.

14.2 Rights Under UK GDPR
If you are in the UK or EU, you have the right to:

Access: Request a copy of the Personal Data we process about you (subject access request).
Rectification: Request correction of inaccurate or incomplete Personal Data.
Erasure: Request deletion of your Personal Data in certain circumstances (right to be forgotten).
Restriction: Request that we restrict processing of your Personal Data in certain circumstances.
Portability: Request to receive your Personal Data in a structured, commonly used, machine-readable format and transmit it to another controller.
Object: Object to processing based on legitimate interests or for direct marketing purposes.
Automated Decision-Making: Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects (our Services do not make fully automated decisions with such effects).
Withdraw Consent: Where processing is based on consent, withdraw that consent at any time.
Complain: Lodge a complaint with a supervisory authority (Information Commissioner's Office in the UK).

14.3 Rights Under US Privacy Laws (CCPA, VCDPA, CPA, etc.)
If you are in California, Virginia, Colorado, or another state with consumer privacy rights, you have the right to:

Know: Request information about the categories and specific pieces of Personal Information we collect, use, disclose, and sell (if applicable) about you.
Delete: Request deletion of your Personal Information, subject to certain exceptions.
Correct: Request correction of inaccurate Personal Information (in some states).
Opt-Out: Opt out of the "sale" or "sharing" of Personal Information (note: we do not sell or share Personal Information as defined by these laws).
Limit Use of Sensitive Personal Information: Limit the use of Sensitive Personal Information to certain permitted purposes (in some states).
Non-Discrimination: Not receive discriminatory treatment for exercising your privacy rights.
Authorized Agent: Designate an authorized agent to make requests on your behalf.
Appeal: Appeal our decision regarding your privacy request (in some states).

14.4 How to Exercise Your Rights
To exercise any of these rights, please contact us using:

Email: support@moneymindprofile.com

15. Cookies and Tracking Technologies

15.1 What Are Cookies?
Cookies are small text files placed on your device when you visit a website. They help websites remember information about your visit, such as your preferences and login status.

15.2 Types of Cookies We Use

Essential Cookies: These cookies are necessary for the Services to function properly and cannot be disabled.

Authentication cookies (to keep you logged in)
Security cookies (to detect authentication abuse and fraud)
Session cookies (to maintain your session state)
Load balancing cookies (to distribute traffic efficiently)

Performance and Analytics Cookies: These cookies help us understand how visitors interact with our Services by collecting and reporting information anonymously.

Google Analytics (website traffic and usage patterns)
Application performance monitoring
Error tracking and debugging
Heat mapping and session recording (with notice)

Functionality Cookies: These cookies enable enhanced functionality and personalization.

User preference settings
Language and region preferences
Feature toggles and A/B testing
Customized interface settings

Marketing and Advertising Cookies: These cookies track your activity across websites to deliver relevant marketing content.

Marketing campaign tracking
Conversion tracking
Retargeting and remarketing
Social media integration

15.3 Third-Party Cookies
We use cookies from trusted third-party service providers, including:

Google Analytics (analytics and performance)
HubSpot (marketing automation)
Intercom (customer communication)
LinkedIn Insights (marketing analytics)
Stripe (payment processing)

These third parties may use cookies to collect information about your online activities over time and across different websites.

15.4 Other Tracking Technologies

Web Beacons (Pixels): Small graphic images embedded in emails or web pages to track opens, clicks, and conversions.

Local Storage: HTML5 local storage and session storage to store preferences and application state.

Device Fingerprinting: Collection of device and browser characteristics for fraud prevention and security purposes.

15.5 Managing Cookies and Tracking

You have control over cookies and tracking technologies:

Browser Settings: Most browsers allow you to:

Block all cookies
Block third-party cookies only
Delete cookies after each session
Receive notifications before cookies are stored

Please note that blocking essential cookies may prevent you from using certain features of our Services.

Cookie Preference Center: When you first visit our website, you can manage your cookie preferences through our cookie banner. You can update your preferences at any time by clicking the "Cookie Settings" link in the website footer.

Opt-Out Tools:

Google Analytics Opt-Out: https://tools.google.com/dlpage/gaoptout
Network Advertising Initiative: https://optout.networkadvertising.org/
Digital Advertising Alliance: https://optout.aboutads.info/

Do Not Track (DNT): Our Services do not currently respond to Do Not Track signals because there is no industry standard for compliance. We will continue to monitor developments in DNT technology.

Mobile App Tracking: For mobile applications, you can control tracking through your device settings:

iOS: Settings > Privacy > Tracking
Android: Settings > Google > Ads > Opt out of Ads Personalization

15.6 Cookie Retention

Cookies remain on your device for different periods:

Session cookies: Deleted when you close your browser
Persistent cookies: Remain until expiration date or manual deletion
Our cookies typically expire between 30 days and 2 years

15.7 Updates to Cookie Practices We may update our use of cookies and tracking technologies. We will update this section and our cookie notice accordingly.

16. Third-Party Links and Services

16.1 Links to External Websites

Our Services and website may contain links to third-party websites, applications, and services that are not operated or controlled by MoneyMind Profile, including:

Financial institutions and regulatory bodies
Professional associations and industry organizations
Educational resources and research publications
News articles and blog posts
Social media platforms
Partner and integration services

16.2 No Responsibility for Third-Party Practices

We are not responsible for:

The privacy practices of third-party websites
The content, accuracy, or opinions expressed on external sites
The security of information you provide to third parties
Third-party terms of use or privacy policies
Products or services offered by third parties

16.3 Third-Party Privacy Policies Apply

When you click on a link to a third-party website or use a third-party service:

You leave our Services and their privacy policy applies
We encourage you to read their privacy policy before providing Personal Information
Third parties may collect different information and use it differently than we do
Third-party data practices are beyond our control

16.4 Third-Party Integrations

Our Services may integrate with third-party applications and platforms, such as:

Financial Planning Software:

Financial planning software
CRM platforms

Data Providers:

Market data feeds
Research databases
Regulatory information services

Communication Tools:

Email platforms
Video conferencing
Document sharing services

When You Enable Integrations:

You may need to authorize access to your account
The third party may access certain information from our Services
The third party's privacy policy governs their use of your information
You can revoke integration access at any time through your account settings

16.5 Social Media Features

Our Services may include social media features and widgets (e.g., LinkedIn share button, Twitter feed). These features may:

Collect your IP address and which page you're visiting
Set cookies to enable proper functionality
Be hosted by the social media platform or directly on our Services

Your interactions with social media features are governed by the privacy policy of the company providing them.

16.6 Embedded Content

We may embed content from third-party services (e.g., YouTube videos, Presentations or Questionnaires). Embedded content may:

Place cookies on your device
Track your interaction with the content
Collect analytics data
Be subject to the third party's privacy policy

16.7 No Endorsement

Links to third-party sites do not imply endorsement of those sites, their content, products, or services. We provide links for convenience and informational purposes only.

16.8 User-Generated Links

If Subscribing Organizations or users share links within our Services, we are not responsible for the content or privacy practices of those linked sites.

16.9 Your Responsibility

You are responsible for:

Reviewing third-party privacy policies before providing information
Understanding how third parties use your information
Making informed decisions about sharing information with third parties
Protecting your information when using external services

17. Children's Privacy

17.1 Age Restrictions

Our Services are not directed to, and we do not knowingly collect Personal Information from, children under the age of 18 (or the applicable age of majority in their jurisdiction).

Services Are for Adults: MoneyMind Profile Services are designed for use by:

Financial advisors and professionals
Subscribing Organization personnel
Adult clients of financial advisors

17.2 No Intentional Collection from Children

We do not:

Knowingly collect Personal Information from children under 18
Market our Services to children
Allow children to create accounts
Knowingly allow children to use our Services

17.3 Parental Rights

If we become aware that we have collected Personal Information from a child under 18 without parental consent, we will:

Delete the information as soon as possible
Terminate any associated account
Prevent future collection from that individual
Notify the parent or guardian if contact information is available

17.4 Parent or Guardian Notice

If you are a parent or guardian and believe your child has provided Personal Information to us, please contact us immediately at: Email: support@moneymindprofile.com Subject: Children's Privacy Concern

Please provide:

Your name and contact information
Your child's name and age
Description of the information provided
Any relevant account details

We will promptly investigate and take appropriate action.

17.5 Age Verification

While we do not specifically verify the age of users, we:

Require users to represent that they are at least 18 years old
Include age restrictions in our Terms of Use
Reserve the right to request age verification
Will terminate accounts if we learn the user is under 18

17.6 Educational Use

If an educational institution wishes to use our Services for training purposes involving students:

The institution must ensure all participants are at least 18 years old
The institution acts as the data controller for student information
Appropriate parental consents must be obtained if required
The institution is responsible for compliance with applicable laws (e.g., FERPA in the US)

17.7 Compliance with Children's Privacy Laws

We comply with applicable children's privacy laws, including:

Children's Online Privacy Protection Act (COPPA) in the United States
Age-appropriate design code in the United Kingdom
Similar laws in other jurisdictions where we operate

17.8 Information About Minors as End-Users

Important Note: While we do not collect information from children directly, we acknowledge that:

Financial advisors may use our Services to manage information about minor clients (e.g., children's investment accounts, college savings plans, trust beneficiaries)

In such cases:

The Subscribing Organization (financial advisor) is the data controller
The Subscribing Organization is responsible for obtaining appropriate parental consents
We process this information only as a processor on the Subscribing Organization's instructions
Parents/guardians should contact the Subscribing Organization regarding their child's information

18. Data Breach Notification

18.1 Our Commitment to Security

While we implement comprehensive security measures (see Section 12), we recognize that no system is completely secure. In the event of a data breach affecting Personal Information, we are committed to transparency and prompt action.

18.2 What Constitutes a Data Breach

A data breach includes:

Unauthorized access to Personal Information
Accidental or unlawful destruction of Personal Information
Loss, alteration, or disclosure of Personal Information
Any compromise of security leading to Personal Information exposure
Ransomware or malware incidents affecting Personal Information
Insider threats or unauthorized employee access

18.3 Our Incident Response Process

Detection and Verification:

Continuous monitoring for security incidents
Rapid investigation of potential breaches
Verification of incident scope and impact
Documentation of all findings

Containment and Mitigation:

Immediate steps to stop the breach
Isolation of affected systems
Prevention of further unauthorized access
Preservation of evidence for investigation

Assessment:

Determination of affected individuals
Identification of compromised Personal Information
Evaluation of potential harm
Assessment of legal notification obligations

Notification:

Notification of affected individuals as required by law
Reporting to relevant regulatory authorities
Communication with Subscribing Organizations if their data is affected
Public disclosure if required

Remediation:

Steps to prevent recurrence
Security improvements and updates
Enhanced monitoring and controls
Review and update of security policies

18.4 Notification to Individuals

If a data breach is likely to result in a risk to your rights and freedoms, we will notify you without undue delay.

Our notification will include:

Description of the nature of the breach
Categories and approximate number of individuals affected
Categories and approximate number of records affected
Likely consequences of the breach
Measures we have taken or propose to take to address the breach
Contact information for questions and further information
Recommended steps you should take to protect yourself

Method of Notification:

Email to the address on file
Prominent notice on our website
Direct communication through the Services
Postal mail if email is not available
Other appropriate means based on the circumstances

Timing:

Without undue delay after discovery
Within 72 hours where required by law (UK GDPR)
As soon as practicable (Australian Privacy Act)
Without unreasonable delay (US state laws)
Specific timelines may vary by jurisdiction

18.5 Notification to Regulatory Authorities

UK and EU (GDPR):

Information Commissioner's Office (ICO) in the UK within 72 hours of becoming aware
Other EU supervisory authorities if applicable
Documentation of breaches regardless of notification requirement

Australia:

Office of the Australian Information Commissioner (OAIC) if an eligible data breach
As soon as practicable after becoming aware
Notification required if serious harm is likely

United States:

State attorneys general as required by state breach notification laws
Federal Trade Commission for certain breaches
Other regulatory bodies based on industry and data type
Timelines vary by state (typically 30-90 days)

18.6 Notification to Subscribing Organizations

If a breach affects End-User information processed on behalf of Subscribing Organizations:

We will notify the affected Subscribing Organization promptly
We will provide details needed for them to meet their own notification obligations
We will cooperate with their incident response efforts
The Subscribing Organization is responsible for notifying their clients (End-Users)

18.7 Exceptions to Notification

We may delay or not provide notification if:

Law enforcement requests delay for investigation purposes
Notification would impede a criminal investigation
A competent authority determines notification is not necessary
The breach is unlikely to result in risk to individuals (after risk assessment)
Appropriate technical and organizational measures render data unintelligible (e.g., strong encryption)

We will document the reasoning for any decision not to notify.

18.8 Your Responsibilities After a Breach

If we notify you of a data breach, we recommend:

Change your password immediately
Enable multi-factor authentication if not already enabled
Monitor your accounts for suspicious activity
Review account statements and transaction history
Be alert for phishing attempts exploiting the breach
Consider placing fraud alerts or credit freezes (if applicable)
Contact us if you notice any suspicious activity

18.9 Our Commitment to Improvement

Following any data breach:

We conduct a thorough post-incident review
We identify root causes and contributing factors
We implement corrective actions to prevent recurrence
We update our security practices and incident response plans
We may engage third-party security experts for assessment
We learn from the incident to strengthen our overall security posture

18.10 Reporting a Security Concern

If you discover or suspect a security vulnerability or data breach:

Subject: Security Incident Report

Please include:

Description of the issue or incident
Steps to reproduce (if applicable)
Potential impact
Any evidence or supporting information

Do not:

Publicly disclose the vulnerability before we have addressed it
Access or modify data beyond what is necessary to demonstrate the issue
Disrupt our Services or other users

We appreciate responsible disclosure and will work with security researchers to address reported vulnerabilities.

19. Changes to This Privacy Policy

19.1 Right to Modify We reserve the right to modify, update, or change this Privacy Policy at any time to reflect:

Changes in our Services or business practices
New legal or regulatory requirements
Feedback from users and stakeholders
Industry best practices and standards
Technological developments
Organizational changes

19.2 Types of Changes

Material Changes: Material changes are those that significantly affect your rights or how we handle Personal Information, including:

New categories of Personal Information collected
New purposes for processing Personal Information
New categories of third parties with whom we share information
Significant changes to retention periods
Changes to your rights or how to exercise them
Transfers to new countries or regions

Non-Material Changes: Non-material changes include:

Clarifications or corrections
Updates to contact information
Formatting or organizational improvements
Addition of examples or explanations
Updates to reflect current practices without substantive change

19.3 How We Notify You of Changes

For Material Changes: We will provide prominent notice of material changes through:

Email notification to registered users (at least 30 days before effective date)
Prominent banner on our website and in the Services
In-app notification upon next login
Update to the "Last Updated" date at the top of this Policy
Summary of key changes in the notification

For Non-Material Changes:

Update to the "Last Updated" date at the top of this Policy
Changes reflected in the posted Privacy Policy
No separate notification required

19.4 Advance Notice Period

For material changes:

We will provide at least 30 days' notice before the changes take effect
This allows you time to review the changes and make decisions about continued use
You may object to material changes or terminate your account during this period

19.5 Version Control

We maintain version control of this Privacy Policy:

Current version number and effective date at the top
Previous versions archived and available upon request
Change log documenting significant updates
History of material changes accessible on our website

19.6 Your Acceptance of Changes

By continuing to use our Services after changes become effective, you accept the updated Privacy Policy.

If You Disagree with Changes:

You may stop using the Services
You may close your account (Subscribing Organizations should contact us)
You may exercise your privacy rights (deletion, data portability, etc.)
You will not be penalized for objecting to changes

For Subscribing Organizations:

Material changes may require agreement to updated Terms
We will work with you to address concerns about changes
You may terminate your subscription if you object to material changes

19.7 Legal Requirements

Some changes may be required by law or regulatory mandate. In such cases:

We will implement changes as required by applicable law
We may have limited ability to provide advance notice
We will explain the legal basis for the change
Your continued use may be subject to the updated terms

19.8 Consulting Previous Versions

To request a copy of a previous version of this Privacy Policy:

Include:

Version number or effective date requested
Reason for the request (optional)

We will provide the requested version within 14 days.

19.9 Questions About Changes

If you have questions about changes to this Privacy Policy:

Review the change summary we provide with material updates
Contact us using the information in Section 21 (Contact Us)
We will explain the changes and their implications
We are committed to transparency about our practices

19.10 Governance and Approval

Changes to this Privacy Policy are:

Reviewed by our legal and privacy teams
Approved by senior management
Assessed for compliance with applicable laws
Documented in our privacy governance records

20. Jurisdiction-Specific Information

This section provides additional information for individuals in specific jurisdictions. These provisions supplement the rest of this Privacy Policy.

20.1 Australia

Governing Law: This Privacy Policy and our data practices comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Australian Privacy Commissioner: Office of the Australian Information Commissioner (OAIC) Website: https://www.oaic.gov.au Phone: 1300 363 992 Email: enquiries@oaic.gov.au

Your Rights:

Right to access your Personal Information (APP 12)
Right to correct your Personal Information (APP 13)
Right to make a privacy complaint (APP 1)

Overseas Disclosure: We may disclose Personal Information to overseas recipients, including:

Cloud service providers in the United States
Service providers in various jurisdictions
See Section 10 for safeguards we implement

You acknowledge and consent to such overseas disclosure. We take reasonable steps to ensure overseas recipients comply with the APPs.

Direct Marketing: We may use your Personal Information for direct marketing purposes where:

You would reasonably expect us to do so
We provide a simple opt-out mechanism
You have consented (for sensitive information)

Complaints Process: If you have a privacy complaint:

Contact us using the details in Section 21
We will acknowledge your complaint within 7 days
We will investigate and respond within 30 days
If you are not satisfied, you may contact the OAIC

Notifiable Data Breaches: We comply with the Notifiable Data Breaches (NDB) scheme:

We will assess data breaches for likelihood of serious harm
We will notify you and the OAIC of eligible data breaches
Notification will be as soon as practicable

Australian Consumer Law: Nothing in this Privacy Policy excludes, restricts, or modifies any rights you have under the Australian Consumer Law or other Australian consumer protection laws.

20.2 United Kingdom

Governing Law: Our data practices comply with the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR).

Supervisory Authority: United Kingdom: Information Commissioner's Office (ICO) Website: https://ico.org.uk Phone: 0303 123 1113 Email: casework@ico.org.uk

European Economic Area: Your local Data Protection Authority Website: https://edpb.europa.eu/about-edpb/about-edpb/members_en

Your Rights: You have the rights described in Section 14.2, including:

Right to access (Article 15)
Right to rectification (Article 16)
Right to erasure (Article 17)
Right to restriction of processing (Article 18)
Right to data portability (Article 20)
Right to object (Article 21)
Rights related to automated decision-making (Article 22)

Legal Bases: We process your Personal Data based on:

Performance of contract (Article 6(1)(b))
Legitimate interests (Article 6(1)(f))
Legal obligations (Article 6(1)(c))
Consent (Article 6(1)(a))
Vital interests (Article 6(1)(d))

See Section 8 for detailed information.

International Transfers: When we transfer Personal Data outside the UK/EEA:

We use Standard Contractual Clauses (SCCs)
We implement supplementary measures as needed
We conduct transfer impact assessments

See Section 10 for more information.

Data Protection Officer: While we are not currently required to appoint a Data Protection Officer, you may contact our privacy team: Email: support@moneymindprofile.com

Complaints: You have the right to lodge a complaint with the ICO or your local supervisory authority at any time.

Automated Decision-Making: Our Services do not make solely automated decisions that produce legal or similarly significant effects about you.

20.3 United States

State-Specific Privacy Laws: We comply with applicable state privacy laws, including:

California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA)
Virginia Consumer Data Protection Act (VCDPA)
Colorado Privacy Act (CPA)
Connecticut Data Privacy Act (CTDPA)
Utah Consumer Privacy Act (UCPA)
Other state privacy laws

Your Rights: Depending on your state, you may have the rights described in Section 14.3, including:

Right to know what Personal Information we collect
Right to delete Personal Information
Right to correct inaccurate Personal Information
Right to opt out of sale/sharing
Right to limit use of Sensitive Personal Information
Right to non-discrimination

California-Specific Information:

California Privacy Rights: Under the CCPA/CPRA, California residents have specific rights regarding their Personal Information.

Categories of Personal Information Collected: We collect the categories described in Section 5, which may include:

Identifiers (name, email, IP address)
Commercial information (purchase history, subscription details)
Internet/network activity (usage data, browsing history)
Professional information (job title, credentials)
Inferences (preferences, characteristics)

Business/Commercial Purpose: We use Personal Information for the purposes described in Section 7.

Sources of Personal Information: We collect Personal Information from sources described in Section 6.

Categories of Third Parties: We share Personal Information with the categories of third parties described in Section 9.

Sale/Sharing of Personal Information: We do not sell or share Personal Information as defined by the CCPA/CPRA.

Retention Period: See Section 13 for retention periods.

Sensitive Personal Information: We do not use or disclose Sensitive Personal Information for purposes other than those permitted under CCPA Section 1798.121.

Shine the Light Law: California Civil Code Section 1798.83 permits California residents to request information about our disclosure of Personal Information to third parties for their direct marketing purposes. We do not disclose Personal Information to third parties for their direct marketing purposes.

California Minor Rights: If you are under 18 and a registered user, you may request removal of content you posted publicly. Contact us using the information in Section 21.

Virginia, Colorado, Connecticut, Utah: Residents of these states have similar rights under their respective state privacy laws. You may exercise these rights using the methods described in Section 14.4.

Do Not Sell My Personal Information: We do not sell Personal Information. If our practices change, we will update this Privacy Policy and provide an opt-out mechanism.

Financial Incentives: We do not offer financial incentives in exchange for Personal Information.

Third-Party Marketing: We do not share Personal Information with third parties for their own marketing purposes.

Authorized Agents: You may designate an authorized agent to make privacy requests on your behalf. The agent must provide proof of authorization.

Appeal Rights: If we deny your privacy request, you may appeal by contacting us at privacy@moneymindprofile.com. We will respond to appeals within the timeframe required by applicable law.

20.4 Other Jurisdictions

Canada: We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws.

New Zealand: We comply with the Privacy Act 2020.

Other Countries: If you are located in a jurisdiction not specifically mentioned, we will comply with applicable local data protection laws. Contact us for jurisdiction-specific information.

20.5 Updates to Jurisdiction-Specific Information

As privacy laws evolve and we expand to new jurisdictions, we will update this section accordingly. Check the "Last Updated" date at the top of this Privacy Policy for the most current information.

20.6 Conflicts

If there is a conflict between the general provisions of this Privacy Policy and the jurisdiction-specific provisions:

The jurisdiction-specific provisions control for individuals in that jurisdiction
The more protective provision applies if ambiguity exists
We interpret this Privacy Policy in accordance with applicable law

20.7 Translation

This Privacy Policy is provided in English. If we provide translations:

The English version is the authoritative version
Translations are provided for convenience only
In case of discrepancies, the English version prevails
You acknowledge acceptance of the English version

Document Version: 2.0

Effective Date: 20 January 2026