Privacy Policy

Introduction

NextGen AML Pty Ltd is an Australian company providing anti-money laundering (AML) and compliance technology services to regulated businesses. We are committed to protecting your privacy and handling personal information transparently, responsibly, and securely.

This Privacy Policy describes how we collect, use, store, disclose and protect personal information, and sets out your rights in relation to that information. We comply with the Privacy Act 1988 (Cth) (as amended by the Privacy and Other Legislation Amendment Act 2024), the Australian Privacy Principles (APPs), the Privacy and Data Protection Act 2014 (VIC) and the Identity Verification Services Act 2023 (Cth).

Nothing in this policy limits any rights you may have under the Privacy Act 1988, the Spam Act 2003, or any other applicable Australian or international law.

If you have any specific needs or require this notice in an alternative format, or if you need assistance due to any special circumstances, please contact us.

1.  Scope of This Policy

This policy applies to:

  • visitors to our website(s) and digital platforms;
  • customers, prospects and suppliers who deal with us directly;
  • end users and clients whose identity is verified through our platform on behalf of our customers; and
  • any person whose personal information appears in our systems.

Our platform also processes data uploaded by, or on behalf of, our regulated customers (for example, their clients’ identity records). For that data, we act as a data processor under our customer contracts. The relevant customer’s own privacy notice governs that processing. If we receive a request about such data, we will forward it to the relevant customer unless we are required by law to act ourselves.

2.  What Personal Information Do We Collect?

“Personal information” means information or an opinion about an identified, or reasonably identifiable, individual, whether true or not and in any form. This includes sensitive information (such as biometric and identity document data) that attracts heightened protection under the APPs.

The table below summarises the categories of personal information we collect and why:

  • Directly from you (forms, calls, events, account setup)
    • Typical data collected: Name, job title, employer, email, phone, billing details, identity documents, any other information you voluntarily provide
    • Purpose: Account administration, service delivery, communications
  • End Users / Clients (during verification checks)
    • Typical data collected: Full name, date of birth, address, nationality, identity document images and data, biometric data (facial geometry, liveness video), device/IP information, geolocation
    • Purpose: AML/CTF identity verification on behalf of Customers
  • Automatically (cookies, analytics, logs)
    • Typical data collected: IP address, device type, browser, pages visited, time on site, referring URL, usage statistics
    • Purpose: Website improvement, security monitoring
  • Third parties (authorised sources)
    • Typical data collected: Identity database records, AML/CTF watchlist data, credit reference data, mobile carrier verification data, government register data
    • Purpose: Identity verification, fraud prevention, AML/CTF compliance

We collect personal information directly from you, from our customers on your behalf, or from authorised third parties (such as identity databases, government registers, credit reference agencies and mobile carriers) where lawful. Where we collect personal information indirectly, we take reasonable steps to notify you as required by applicable law.

For ID checks within Australia, the information you provide will be sent to the DVS Hub. Refer to Appendix B for further details.

3.  Why We Collect and Use Personal Information

We collect and use personal information for the following purposes:

  • Verification: Identity verification and AML/CTF compliance as required by AUSTRAC
  • Account management: Setting up, securing and administering your account
  • Support: Responding to enquiries, support requests and complaints
  • Communications: Sending service announcements, legal notices and operational updates
  • Marketing: Marketing our products and services (see Section 5)
  • Research & improvement: Conducting anonymised research, analytics and service improvement
  • Fraud & security: Detecting, investigating and preventing fraud, money laundering and security incidents
  • Legal compliance: Complying with legal and regulatory obligations (e.g., AML/CTF record-keeping, responding to lawful requests)
  • Retrieval / re-use: Facilitating the sharing of verified identity information with future providers upon your explicit consent
  • Other: Any other purpose you expressly authorise

We do not use end-user data for our own marketing or analytics. Where processing relies on your consent, you may withdraw that consent at any time, though this will not affect the lawfulness of any processing already carried out.

4.  Legal Basis for Processing

We process personal information only where we have a lawful basis to do so. Our legal bases include:

  • Contractual necessity: Performing a contract with you or taking steps at your request before entering a contract (e.g., providing verification services).
  • Legitimate interests: Pursuing our legitimate interests in operating a secure and effective AML compliance platform, subject to your rights not being overridden.
  • Consent: For the Retrieval Process, biometric processing, or marketing (withdrawable at any time).
  • Legal obligation: To comply with applicable laws, regulations, court orders or lawful regulatory requests.

For special-category or sensitive information (such as biometric data), we rely on explicit consent or another applicable lawful basis under the APPs. If you decline to provide certain information, we may be unable to complete the relevant verification process, which may affect your ability to access services provided by our customers.

5.  Direct Marketing & Communications

We only send marketing communications to Australian business contacts where we have inferred or, preferably, express consent. We will always:

  • clearly identify us as the sender;
  • provide a simple, one-click unsubscribe mechanism in each message; and
  • honour opt-out requests promptly, in line with the Spam Act 2003.

To stop receiving marketing communications, click the unsubscribe link in any marketing email or contact us at privacy@nextgenaml.com.au. Note that opting out of marketing does not affect service, operational or legal notices that we are required to send you.

6.  Disclosing Personal Information

We may disclose personal information to the following categories of recipients where necessary and lawful:

  • other entities within the NextGen AML group;
  • trusted service providers and sub-processors (e.g., cloud hosting, CRM, analytics, identity database providers);
  • identity verification platforms and document issuers;
  • credit bureaus, mobile carriers and other authorised data sources used for verification;
  • professional advisers, auditors and insurers;
  • law enforcement agencies, regulators or courts where required or authorised by law; and
  • anyone else with your explicit consent.

We will never sell your personal information. Any third-party recipients are required to handle personal information in accordance with this policy and applicable privacy laws.

7.  International Data Transfers

Our primary production data for Australian customers is hosted in AWS ap-southeast-2 (Sydney), with ap-southeast-4 (Melbourne) for disaster recovery. Some of our support tools and sub-processors operate in other jurisdictions, including:

  • United States
  • United Kingdom
  • Singapore
  • India

This may occur for purposes such as:

  • identity verification services;
  • customer support;
  • platform maintenance and monitoring;
  • software development and testing; and
  • compliance and operational support.

Where personal information is accessed or processed outside Australia, we take reasonable steps to ensure appropriate privacy and security protections are maintained.

We work with trusted service providers and take reasonable measures to help protect personal information in accordance with applicable privacy laws.

8.  Security

We implement robust technical and organisational security measures designed to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure.

Our security measures include:

  1. encryption of sensitive information in transit using TLS and at rest using industry-standard encryption mechanisms;
  2. role-based access controls (RBAC), least privilege principles, and multi-factor authentication (MFA) for administrative and privileged access;
  3. logical tenant isolation controls designed to segregate customer data between organisations within the platform;
  4. continuous security monitoring, vulnerability management, audit logging, and alerting designed to detect suspicious activity and unauthorised access attempts;
  5. regular security reviews, penetration testing, and vendor risk assessments where appropriate;
  6. backup, disaster recovery, and business continuity processes designed to support operational resilience and data recovery;
  7. restricted access to customer information to authorised personnel who require access for legitimate operational, compliance, security, or support purposes;
  8. staff training and internal policies relating to privacy, cybersecurity, information handling, and incident management;
  9. segregation of development, testing, and production environments to reduce operational and security risks;
  10. secure API and integration controls using authentication, authorisation, and encrypted communication protocols; and
  11. oversight of third-party service providers and sub-processors, who are required to maintain appropriate technical and organisational security measures consistent with applicable privacy and security obligations.

Customer production data for Australian customers is primarily hosted within Australia using AWS cloud infrastructure located in the Sydney region, with disaster recovery capabilities configured within Australia where applicable.

Sensitive verification information, including biometric information collected, is subject to heightened security and access controls.

While we take reasonable precautions to protect personal information, no method of transmission over the internet or electronic storage is completely secure. Accordingly, we cannot guarantee absolute security.

If we become aware of an eligible data breach that is likely to result in serious harm, we will respond in accordance with our legal obligations under the Privacy Act 1988 (Cth), including the Notifiable Data Breaches (NDB) scheme and, where required, notification to affected individuals and the Office of the Australian Information Commissioner (OAIC).

9.  Biometric Information

We may collect biometric information (such as facial geometry scans and liveness video) for identity verification purposes only. Biometric data is:

  • collected only with your knowledge and, where required, your explicit consent;
  • used solely to verify your identity and prevent identity fraud;
  • never used for marketing, profiling beyond verification, or any purpose other than identity verification; and
  • subject to the same or higher security standards as other sensitive information.

Sub-processors may process biometric information in jurisdictions with comparable privacy protections, including Australia, New Zealand, the United Kingdom and the United States of America.

10.  Automated Decision-Making

We may use automated processing as part of identity verification (e.g., biometric matching and document authentication). We do not make solely automated decisions that produce legal effects or significantly affect you without human oversight. You have the right to request a human review of any automated decision that affects you.

11.  Data Retention

We retain personal information for as long as reasonably necessary to:

  1. provide our services;
  2. support our customers’ AML/CTF compliance obligations;
  3. comply with legal, regulatory, security, and operational requirements; and
  4. resolve disputes and enforce our agreements.

Retention periods may vary depending on the type of information, the services provided, and applicable legal obligations.

Identity verification records, audit logs, and related compliance information may be retained for periods required under applicable AML/CTF laws and regulatory obligations.

When personal information is no longer required, we take reasonable steps to securely delete, de-identify, or destroy the information.

Customers may request deletion of certain information, subject to our legal, regulatory, security, and contractual obligations.

We do not store copies of your identity documents after the DVS check is completed. This information will be retained for as long as it is required for the purposes outlined above.

12.  Your Privacy Rights

You have the following rights in relation to the personal information we hold about you. Rights under the APPs and (where applicable) the GDPR are summarised below:

  • Access: Request a copy of the personal information we have about you.
  • Correction / Rectification: Ask us to correct personal information that is inaccurate, incomplete, or out of date.
  • Erasure (Right to be Forgotten): Request deletion of your data where there is no compelling reason to retain it, subject to our legal obligations.
  • Restriction of Processing: Ask us to limit how we use your data in certain circumstances (e.g., while accuracy is disputed).
  • Object to Processing: Object to processing based on our legitimate interests, or to direct marketing at any time.
  • Data Portability: Receive your data in a structured, machine-readable format or have it transferred to another provider.
  • Withdraw Consent: Where processing relies on your consent, withdraw it at any time (this does not affect the lawfulness of prior processing).
  • Human Review of Automated Decisions: Request human review if an automated decision has a significant legal or similar effect on you.
  • Anonymity / Pseudonymity: Where lawful and practicable (e.g., browsing our public website), deal with us anonymously or under a pseudonym (APP 2).

To exercise any of these rights, please contact us at privacy@nextgenaml.com.au with sufficient details for us to verify your identity. We will respond within a reasonable time, and in any event within 30 days. Where a request relates to data we hold as a processor on behalf of a customer, we will forward it to that customer.

13.  Cookies & Website Analytics

13.1 Types of Cookies We Use

Our website uses the following categories of cookies:

  • Strictly necessary: Required for core site functionality and cannot be disabled.
  • Performance & Analytics: Collect anonymised data (via Google Analytics) to help us understand how visitors use our site and improve it.
  • Functionality: Remember your preferences (e.g., language, font size) to personalise your experience.
  • Advertising / third-party: May be used by third-party services (e.g., Google AdWords) to deliver relevant advertising.

13.2 Managing Cookies

You can manage or disable cookies through your browser settings. Disabling strictly necessary cookies may affect the functionality of our website or platform. For Google Analytics, you can opt out using Google’s opt-out browser add-on at https://tools.google.com/dlpage/gaoptout.

13.3 Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies independently before providing any personal information.

14.  Notifiable Data Breaches

If we become aware of an eligible data breach that is likely to result in serious harm, we will:

  • notify affected individuals as soon as practicable; and
  • notify the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).

15.  Complaints & Escalation

If you have a complaint or concern about how we handle your personal information, we encourage you to contact us first:

Step 1: Contact Us

Email: privacy@nextgenaml.com.au or raise a support ticket through our portal.

Step 2: Internal Review

If you are not satisfied with our initial response, ask to have your complaint escalated to our Chief Privacy Officer. We will acknowledge complaints within 5 business days and aim to resolve them within 30 days.

Step 3: OAIC

If our response does not resolve your concern, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

  • Website: www.oaic.gov.au
  • Phone: 1300 363 992
  • Post: GPO Box 5218, Sydney NSW 2001

16.  Contact Details

If you have any further enquiries about how we handle your personal information, how you can access and seek correction of the personal information that we hold about you, or how to raise a privacy complaint, you can contact us using the details provided below.

NextGen AML Pty Ltd

ABN: 31 551 154 091

Registered Office: ‘2’, 1 Railway Crescent, Croydon VIC 3136, Australia

Privacy Officer Email: privacy@nextgenaml.com.au

Website: www.nextgenaml.com.au

17.  Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The revised policy will be published on our website with an updated effective date. We encourage you to review this policy periodically. Continued use of our services after publication of a revised policy constitutes your acceptance of the changes.

Appendix A:  Cookie Policy Summary

The following cookie categories are used on our website. You may manage preferences via your browser settings; however, disabling strictly necessary cookies may impair site functionality.

  • Strictly Necessary
    • Purpose: Required for core site functionality (e.g., login, security).
    • Can you opt out? No. The site may not function correctly without these.
  • Performance / Analytics
    • Purpose: Collect anonymised usage data via Google Analytics.
    • Can you opt out? Yes, via browser settings or the Google opt-out tool.
  • Functionality
    • Purpose: Remember your preferences (e.g., language, region).
    • Can you opt out? Yes, via browser settings.
  • Advertising / Third-Party
    • Purpose: Deliver relevant ads via Google AdWords or similar.
    • Can you opt out? Yes, via browser settings or ad platform opt-outs.

Appendix B:  DVS Hub data handling policy and procedure

For ID checks within Australia, the information you provide will be sent to the DVS Hub, administered by the Attorney-General’s Department, and matched against official records held by the government agency responsible for issuing the identity document (document issuer).

The DVS Hub will advise us of whether the information you provide matches official records.

How will the Attorney-General’s Department handle your personal information?

The DVS Hub facilitates information transfer between Nextgen AML Pty. Ltd. and the document issuer. The DVS Hub itself does not retain any personal information, and the Attorney-General’s Department cannot view or edit any of the personal information transmitted through the DVS Hub.

The Attorney-General’s Department engages a third-party provider as a managed service provider for the DVS, who is required to adhere to the APP requirements and security standards to ensure the use and disclosure of personal information is limited to explicitly defined purposes including:

  1. for the purposes of the contract with the department; and
  2. to comply with any request under section 95C of the Privacy Act.

The Attorney-General’s Department is authorised to operate the DVS Hub for the purpose of verifying individual identities under the IVS Act.

For more information on how the Attorney-General’s Department may handle your personal information, see the Attorney-General’s Department’s ‘Privacy Statement – Identity Verification Services’ at: https://www.idmatch.gov.au/resources/privacy-statement-identity-verification-services.

How will the document issuer handle your personal information?

Your personal information will be shared by the Attorney-General’s Department via the DVS Hub with the government agency that issued your identity document to verify it against their official records. These agencies already hold your personal information as part of their official records, in line with their own privacy policies and legal obligations.

What happens if you don’t provide your personal information?

You do not have to agree to verify your identity documents through the DVS. You can choose instead to use alternative methods of identity verification as provided by your service provider – for example, attending a service provider in person to verify your identity.

However, if you do not provide the personal information we require to verify your identity, we may not be able to provide you with certain products, services or offerings. For example: ‘If you do not provide your personal information, we are unable to verify your identity in accordance with the AML/CTF compliance requirements of AUSTRAC and provide the designated services as required.’

Other disclosures

Where necessary, Nextgen AML may disclose your personal information to third parties, including:

  • the following categories of intermediary service providers involved in the use of the DVS who may receive your identification information to make or receive an information match request:
    • outsourced service providers that connect us to the DVS Hub;
    • identity service providers;
    • customer service providers such as call center operators that respond to customer enquiries and escalate technical support requests; and
  • law enforcement agencies in certain circumstances.

The Attorney-General’s Department’s verification assistance service

There may be circumstances in which we will require assistance to verify your identity. If we request assistance from the Attorney-General’s Department to verify your identity through the DVS, the Attorney-General’s Department will collect your personal information for the purposes of verifying your identity document(s) through the DVS.

The Attorney-General’s Department may also disclose your personal information to the relevant document issuer to assist them with verifying your identity documents. This collection is authorised under APP 5.2(c) and section 27 of the IVS Act which permits the collection of your personal information from someone other than yourself when it is authorised under an Australian law.

The Attorney-General’s Department will handle your personal information in accordance with their obligations under the Privacy Act.

Where the identity document(s) you need to be verified include information regarding other individuals (such as a Medicare card covering multiple individuals), it will be assumed that you have advised those individuals and obtained their consent to the disclosure. This information will only be used for the purposes of verifying your identity document(s) through the DVS. Any personal information of other individuals will otherwise be managed in the same way as your personal information.

There may be overseas disclosure of your personal information to recipients located in New Zealand where New Zealand government agencies or private organisations request verification assistance for your identity document(s).

If you don’t provide your personal information to the Attorney-General’s Department, the Department will be unable to verify your identity document(s).

More information about the verification assistance service is set out in the Attorney-General’s Department’s Identity Verification Services Privacy Statement.