Information Handling Statement

Current as of January 2025

caronithvel recognizes that the details you entrust to us form the foundation of our professional relationship. When you work with us on strategic financial planning matters, certain records must change hands—that's unavoidable.

What follows explains how we receive, handle, protect, and eventually dispose of those records. This isn't a cookie statement (that's elsewhere on our site). Instead, we're focusing on the lifecycle of client information once it enters our systems.

What Enters Our Records

Financial consulting requires access to specific details about your circumstances. We're not collecting indiscriminately—everything we gather serves a documented purpose tied to the advice we provide.

Category | What This Includes | Why We Need It
Identity Records | Full legal name, date of birth, government identification numbers, residential address history | Client verification requirements under financial services regulations, contract execution, regulatory compliance reporting
Financial Position | Income sources and amounts, asset holdings, liability details, investment portfolios, superannuation accounts | Foundation for building strategic recommendations, risk assessment, suitability analysis of financial products
Communication Records | Email exchanges, documented phone discussions, written correspondence, meeting notes | Maintaining continuity of advice, regulatory documentation requirements, dispute resolution if needed
Transaction History | Payment records for services, billing details, bank account information for direct debits | Processing fees, maintaining accurate financial records, tax compliance
Professional Background | Employment status, occupation details, business interests, professional qualifications | Understanding income stability, identifying conflicts of interest, assessing risk capacity

Most of this arrives directly from you during consultations, through forms, or via email. Some comes from third parties when you authorize us to liaise with your accountant, solicitor, or existing financial product providers.

How Records Move Through Our Practice

Once details reach us, they follow specific paths depending on what we're doing for you.

Internal Handling

Your records sit in our client management system, accessible only to advisers working on your file and administrative staff who need access to perform their roles. We don't have an "everyone can see everything" approach—access is granted based on actual job requirements.

When building your financial plan, advisers pull relevant sections of your information. They're analyzing your position, modeling scenarios, researching suitable products. During this phase, your details stay within our secure environment. Nobody outside caronithvel sees anything unless there's a specific reason (which we'll get to).

When Information Travels Externally

Strategic financial planning isn't conducted in isolation. Sometimes your details must move beyond our systems:

  • Financial product providers need client information to process applications for investment platforms, insurance policies, or superannuation accounts you've decided to establish
  • Our professional indemnity insurer receives de-identified case details for risk assessment, though they may access full records if a claim arises
  • Technology vendors who maintain our client management software have technical access to systems, though contractual arrangements prohibit them from using client data for their own purposes
  • Legal counsel may review files if disputes occur or if we need guidance on complex regulatory matters
  • Regulatory bodies including ASIC can compel production of client files during investigations or compliance reviews
  • Your other professional advisers (accountant, solicitor, mortgage broker) receive information when you've explicitly authorized us to collaborate on your behalf

We never sell client information to marketing companies, data brokers, or anyone else looking to purchase contact lists. That's not our business model and never will be.

Cross-Border Considerations

Our practice operates exclusively within Australia, and we prefer keeping client data onshore. However, some software systems we rely on use cloud infrastructure with servers in multiple jurisdictions including the United States and Singapore. These arrangements are governed by contracts requiring equivalent security standards regardless of server location.

If you're an Australian resident with offshore assets or international tax considerations, handling your file may require limited disclosure to foreign financial institutions or tax authorities—but only when legally required or explicitly authorized by you.

Legal Foundation for Processing

Australian privacy law requires us to have legitimate grounds for handling personal information. We're not relying on a single justification—different aspects of our work rest on different legal bases.

  • Contractual necessity: When you engage us for financial advice, performing that contract requires processing the financial information you provide—there's no way to deliver strategic planning services without analyzing your position
  • Legal compliance: Financial services regulations impose specific record-keeping obligations, identity verification requirements, and reporting duties that necessitate collecting and retaining certain details
  • Legitimate business interests: Maintaining records of our advice protects both parties if questions arise later about what was recommended and why, though we balance this against your privacy rights
  • Consent: For activities beyond core service delivery (like subscribing to our market insights newsletter), we seek explicit permission before adding you to communication lists

Where we're relying on consent, you can withdraw it. That doesn't retroactively erase processing that already occurred under valid consent, but it stops future use for that purpose.

Protection Measures

Financial records attract attention from those with malicious intent. We've implemented multiple defense layers, though no system is impenetrable.

Technical Safeguards

  • Client management systems require multi-factor authentication—passwords alone don't grant access
  • Data encryption applies both to stored files and information in transit across networks
  • Our office network operates behind firewalls with intrusion detection systems monitoring for suspicious activity
  • Regular security patches are applied to all systems, with critical updates implemented immediately
  • Automated backups run daily, with copies stored in separate geographic locations to enable recovery if primary systems fail

Administrative Controls

Technology alone doesn't secure information—human practices matter equally. Staff receive regular training on handling sensitive client details. We maintain strict policies about not discussing client matters in public spaces, not leaving documents visible on desks, and not accessing client files out of curiosity.

Physical files (we still maintain some paper records for certain historical clients) stay in locked cabinets within our office premises, which have monitored access controls. Only authorized personnel can enter after hours.

What Could Still Go Wrong

Despite precautions, risks persist. Sophisticated cyber attacks could breach defenses. Employees might make mistakes or act maliciously. Third-party systems we rely on might be compromised. Natural disasters could affect backup systems.

If we discover a breach that likely results in serious harm to affected clients, we'll notify those individuals and report to the Office of the Australian Information Commissioner as required by law. "Serious harm" includes financial loss, identity theft, or significant damage to reputation.

How Long Records Persist

We don't keep client information indefinitely, but we also can't delete everything immediately when a relationship ends.

Record Type | Minimum Retention Period | Determining Factor
Advice documentation (Statements of Advice, Record of Advice, supporting analysis) | 7 years from date advice provided | Corporations Act requirement for financial services records
Client identification documents | 7 years after relationship ends | Anti-money laundering and counter-terrorism financing obligations
Fee and payment records | 5 years from transaction date | Taxation record-keeping requirements
General correspondence and meeting notes | 7 years from date created | Professional standards and dispute resolution capability
Email communications regarding advice | 7 years from date sent/received | Forms part of advice record for compliance purposes

Once legal retention periods expire, we assess whether continued storage serves any legitimate purpose. If not, records are destroyed—paper documents through secure shredding services, electronic records through data wiping that meets Australian Government standards for media sanitization.

Some historical records might be retained longer for statistical analysis (in de-identified form) or because they're part of our corporate archives. But identifiable client information gets deleted once we no longer have a valid reason to keep it.

Your Control Options

Australian privacy law grants individuals certain rights over their personal information. Here's what you can do regarding records we hold:

Access Your File

You can request a copy of the personal information we hold about you. We'll provide this within 30 days, in a commonly used electronic format where practical.

There are exceptions—we might withhold commercially sensitive information about our internal processes, or information that would reveal details about other individuals, or material covered by legal professional privilege. But those situations are uncommon. In most cases, you'll receive a comprehensive copy of your client file.

Request Corrections

If details in your file are inaccurate, outdated, or incomplete, let us know. We'll update records once we've verified the correct information. This matters particularly for financial records—errors in recorded asset values or liability amounts could affect future advice.

If we disagree about whether information is inaccurate, we'll note your objection in the file even if we don't change the underlying record. That way, anyone reviewing the file later sees there's a dispute about that particular detail.

Object to Processing

You can object to how we're using your information. The success of such objections depends on what we're doing and why.

If we're processing your details to deliver financial advice you've engaged us to provide, objecting essentially means terminating the advisory relationship—we can't perform the service without processing the relevant information.

But if we're using your contact details for marketing our services, or if we're processing information for purposes beyond core service delivery, you can absolutely object and we'll stop that particular use.

Request Deletion

You can ask us to delete your records. Whether we can comply depends on legal obligations.

If we're still within the 7-year retention period for advice records, we can't delete those files—doing so would violate Corporations Act requirements. Same goes for client identification records while anti-money laundering retention periods apply.

But once legal retention periods expire, or for information we were holding based solely on consent, we'll process deletion requests.

Data Portability

In some circumstances, you can request that we transfer your information directly to another financial services provider. This right applies to information you provided to us, where processing is based on consent or contract performance, and where transfer is technically feasible.

Practically speaking, this might involve exporting your financial position summary, documented goals, and strategy recommendations in a format that another adviser's systems can import. We'll work with you and the receiving provider to facilitate such transfers when requested.

How to Exercise Rights

Contact us using the details at the end of this document. We'll respond to your request within 30 days, either fulfilling it or explaining why we can't.

We don't charge fees for routine access or correction requests. If your request is manifestly unfounded or excessive (particularly if repetitive), we might charge a reasonable fee covering administrative costs or refuse to act on the request.

Automated Decision-Making

Some financial planning processes involve automated analysis—software that models different scenarios, calculates projected retirement balances, or assesses insurance needs based on inputs.

These tools assist our advisers but don't replace professional judgment. Every significant recommendation undergoes review by a qualified financial planner who considers factors that algorithms can't capture—your specific circumstances, qualitative aspects of your goals, market conditions, regulatory environment.

We don't use automated systems to make consequential decisions about your financial future without human oversight. You won't be accepted or rejected for services based purely on algorithmic assessment.

Children and Minors

Our services target adults managing their financial affairs. We don't knowingly collect information from individuals under 18 except in specific contexts—for example, when parents or guardians engage us for estate planning that involves minor beneficiaries, or when setting up investment structures for children.

In those situations, we deal with the parent or guardian and process only the minimal information necessary about the minor to fulfill the specific planning objective.

Changes to This Statement

Information handling practices evolve as regulations change, technology advances, or our business operations adapt. When we update this statement, the revised version appears on our website with a new effective date.

For minor clarifications or administrative updates, we might not notify clients individually. But if changes materially affect how we handle information or reduce protections, we'll alert affected clients via email or through written correspondence.

Continued use of our services after changes take effect constitutes acceptance of the revised practices. If you disagree with modifications, your recourse is ending the advisory relationship—though that doesn't retroactively change how we handled information under prior versions of this statement.

Regulatory Oversight

Multiple regulators oversee how we handle client information:

  • The Office of the Australian Information Commissioner (OAIC) enforces the Privacy Act 1988 and investigates complaints about information handling
  • The Australian Securities and Investments Commission (ASIC) regulates financial services and can review our record-keeping practices
  • AUSTRAC monitors compliance with anti-money laundering obligations including client identification procedures

If you believe we've mishandled your information, you can lodge complaints with these agencies. However, we'd appreciate the opportunity to address concerns directly before you escalate to regulators—many issues can be resolved through discussion.

Reaching Us About Information Handling

Questions, requests, or concerns about how we manage your information should be directed to:

Postal: caronithvel, 7a/1267 The Horsley Dr, Wetherill Park NSW 2164, Australia
Phone: +61 468 371 866
Email: contact@caronithvel.com

We aim to respond to all privacy-related inquiries within five business days, with full resolution within 30 days. Complex matters involving legal review or coordination with third parties might take longer, but we'll keep you informed of progress.