Privacy Policy | Greenlane Group

Purpose

Greenlane Group Pty Ltd and its subsidiaries and related bodies corporate (collectively Greenlane, we, our or us) are committed to protecting the privacy and security of personal information.

This Privacy Policy explains how Greenlane collects, uses, holds, discloses and manages personal information in accordance with the:

The types of personal information we collect depend on the nature of our relationship with you and the services we provide.

Australian Privacy Principles contained in the Privacy Act 1988 (Australia)
the Privacy (Credit Reporting) Code 2014
the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and associated Rules.

This policy applies to personal information collected in connection with the provision of financial services including:

lending and finance activities
investment into the Greenlane Contributory Mortgage Fund
administration of investor and borrower relationships.

We recognise that any personal information we collect about you will only be used for the purposes we have collected it for or as allowed under the law. It is important to us that you are confident that any personal information we hold about you will be treated in a way which ensures protection of your personal information.

Our commitment in respect of personal information is to abide by the Australian Privacy Principles (APPs) and Part IIIA of the Privacy Act, the Privacy (Credit Reporting) Code 2014 and any other relevant law.

What is Personal Information?

When used in this Privacy Policy, the term “personal information” has the meaning given to it in the Privacy Act. In general terms, it is any information about a person which identifies them. This information may include information or an opinion about you.

The types of personal information we collect depend on the nature of our relationship with you and the services we provide.

Types of Personal Information we Collect?

The types of personal information we collect depend on the nature of our relationship with you and the services we provide.

This may include:

Identification Information

full name
date ofbirth
residential address
contact details including email and telephone number
occupation and employment information

Identity Verification Information

To comply with AML/CTF legislation we may collect identity verification information including:

document type (e.g. passport or driver licence)
document number
issuing country or state
expiry date
verification method
verification outcome
records of identity verification checks.

Financial and Account Information

bank account details
tax file number (where permitted by law)
investment details
transaction records
loan and repayment information.

Beneficial Ownership Information

Where Greenlane provides services to companies, trusts, partnerships or other entities, we may collect information about individuals who ultimately own or control those entities (beneficial owners).

This information may include identity and verification information relating to directors, trustees, partners, shareholders and other controlling persons.

Additional Information for Lending

Where you apply for finance or provide a guarantee we may also collect:

employment details
income and financial position
proof of earnings and expenses
details of dependents and living arrangements.

Additional Information for Investors

investment instructions
investor contribution details
authorised signatories
accountant certificates confirming wholesale investor status
trust deeds, partnership agreements or constitutions where applicable.
including information relating to powers of attorney or for probate and estate administration.

Credit-related information

The personal information we hold about you may also include credit-related information. Greenlane may collect and exchange credit-related information in accordance with the Privacy Act. Credit-related information may include:

credit history information
repayment history information
default information
publicly available insolvency or court information
credit reports obtained from credit reporting bodies.

This information is used to assess applications for finance, manage lending relationships and meet regulatory obligations. Greenlane will only collect what is ‘reasonably necessary’ to carry out our AML/CTF obligations or other matters.

Greenlane may exchange credit-related information with credit reporting bodies including Equifax Pty Ltd and other credit reporting bodies where permitted by law.

Why we collect your personal information?

Greenlane collects personal information for purposes including:

assessing applications for finance or investment
verifying identity
establishing and administering accounts
managing lending and investment relationships
communicating with clients and investors
managing risk and preventing fraud
complying with legal and regulatory obligations
maintaining records and reporting obligations
improving our services and systems.

We may also use personal information to inform you about products or services that may be of interest to you, unless you request that we do not do so.

How do we Collect and Hold Personal Information?

We may collect personal information through various methods including:

application forms
telephone or face-to-face communications
email and written correspondence
our website
financial advisers or brokers
professional advisers such as accountants or lawyers
credit reporting bodies
identity verification providers
publicly available sources.

Where possible, we collect personal information directly from the individual concerned.

Electronic Identity Verification

Greenlane may verify identity using electronic verification systems and third-party identity verification providers. These systems compare information you provide against independent data sources and generate a verification record confirming the outcome of the verification process.

Storage and Security

Your personal information may be held in physical or electronic form on our systems. In order to assist with the prevention of unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information and protect it from misuse, interference, loss and unauthorised access, modification and disclosure. Our employees, contractors, service providers and authorised agents are obliged to respect the confidentiality of personal information held by us.

Website Information and Cookies

When you access our website, certain technical information may be collected automatically, including:

IP address
device information
website usage statistics
browsing patterns

This information is generally collected in aggregated or anonymised form and is used to improve website performance and user experience.

Our website may also use cookies to personalise content and analyse website traffic.

You can control cookie preferences through your browser settings.

Our website may contain links to the websites of third party providers of goods and services (Third Party websites). If you have accessed Third Party websites through our website, and if those third parties collect information about you, we may also collect or have access to that information as part of our arrangements with those third parties

Where you access a Third Party website from our website, cookie information, information about your preferences or other information you have provided about yourself may be shared between us and the third party.

Compliance with AML/CTF Laws

Greenlane is a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing regime administered by AUSTRAC.

In order to provide designated financial services, we are required to;

identify and verify the identity of customers
undertake customer due diligence
monitor transactions
assess and manage money laundering and terrorism financing risk.

We may also be required to provide certain information or reports to Australian Transaction Reports and Analysis Centre.

Sanctions and Politically Exposed Person Screening

To comply with our legal and regulatory obligations, Greenlane may screen customers, beneficial owners and related parties against sanctions lists, politically exposed person (PEP) databases and other regulatory watchlists.

These checks assist Greenlane in assessing money laundering and terrorism financing risks and may be conducted at onboarding and periodically during the course of the business relationship.

Ongoing Transaction Monitoring and Customer Due Diligence

Greenlane may undertake ongoing monitoring of customer relationships in order to manage money laundering and terrorism financing risks.

This may include periodic review of identification information, screening against sanctions and regulatory databases, and monitoring of transactions or investment activity.

Where necessary, Greenlane may request updated information or documentation during the course of the business relationship.

Greenlane is required under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 to retain certain records relating to customer identification procedures, customer due diligence and transactions for seven years after the business relationship has ended.

Personal information that is no longer required will be securely destroyed or de-identified using methods appropriate to the format of the information (for example secure digital deletion or physical destruction of paper records).

Reporting to AUSTRAC and Confidentiality Obligations

Greenlane may be required to submit reports to the Australian Transaction Reports and Analysis Centre (AUSTRAC), including suspicious matter reports, threshold transaction reports and other regulatory reports.

In accordance with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, Greenlane is prohibited from disclosing to any person (including the individual concerned) that such a report has been made or that a suspicion has been formed.

This restriction is commonly referred to as “tipping off”.

Data Retention and Destruction (AML/CTF Act)

AML Data Retention and Destruction

From 1 April 2026, the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and the Privacy Act 1988 will require an entity to minimize data held and lenders must only retain sufficient information to demonstrate compliance but must not retain unnecessary personal information (especially full copies of ID documents).

Records relating to customer identification procedures, due diligence and transactions may be retained for seven years after the end of the business relationship.

To comply with privacy obligations, Greenlane adopts a data minimisation approach consistent with the Privacy Act 1988, while retaining sufficient information to comply with obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.

Identity Document Handling

Where identity documents such as passports, driver licences or other government-issued identification are provided to Greenlane for verification purposes, those documents may be temporarily collected or viewed in order to complete identity verification.

Where full copies of identity documents have been obtained, Greenlane will securely delete or destroy those copies once they are no longer reasonably required for verification or compliance purposes.

Destruction methods may include secure deletion of electronic files or physical destruction of paper records.

Third-Party Verification and Settlement Platforms (ARNECC)

In some circumstances, identity verification may be conducted by third parties involved in property transactions, including legal representatives, conveyancers or electronic settlement platforms operating under the Australian Registrars’ National Electronic Conveyancing Council (ARNECC) framework.

These parties may be subject to separate legal and regulatory obligations, including requirements to collect and retain copies of identity documents.

Greenlane does not control the retention practices of these third parties. However, Greenlane will take reasonable steps to ensure that such parties are appropriately regulated and handle personal information in accordance with applicable privacy and security obligations.

Designated Services

Where the designated service is the provision of a financial service to a borrower (via loans and other financing products), the types of records that will be retained can include;

Information obtained in the course of carrying out the applicable customer identification procedures.
A record of the applicable identification procedure (customer due diligence) carried out in respect of a customer.
A record made by us of information relating the provision of a designated service to the customer.
Transaction records.

Where the designated service is an investment offered via the Contributory Mortgage Fund (via AFSL Licence), the types of records that will be retained can include;

Information obtained in the course of carrying out the applicable customer identification procedures.
A record of the applicable identification procedure (customer due diligence) carried out in respect of a customer.
A record made by us of information relating the provision of a designated service to the customer.
Transaction records.

The typical life cycle of the following documents is noted below:

Swipe to view full table

Typical Borrower Record Lifecycle
Financial services to borrowers (via loans and other financing products)
Stage	Retain	Destroy
Loan Origination/Loan Settlement	Identity data, verification record, risk assessment, AML/CTF screening results	None⁽¹⁾
Post-onboarding (7 years post settlement of loan)	ID data, verification record	passport scan driver licence image selfie verification image screenshots of ID
Loan Extension	OCDD review record, any new screening results or verification records	Unnecessary ID images
End of loan relationship (7 years past final repayment date on a loan)	Retain AML records for 7 years: KYC structured data verification records ML/TF risk rating and risk assessment Financial data Transaction monitoring notes and documents/contracts OCDD reviews (e.g., loan extension review)	destroy unnecessary personal data

(1) ARNECC (Australian Registrars’ National Electronic Conveyancing Council), retention of ID documents is required by the ARNECC verification standard

Typical Investor Record Lifecycle
Designated services offered via the Contributory Mortgage Fund (via AFSL Licence)
Stage	Retain	Destroy
Onboarding to CMF “Fund” Membership	Identity data, verification records, AML/CTF screening results Accountant certificate (Wholesale Investor Proof)	None
Post-onboarding to the CMF verified and onboarded successfully		Identity data (passport scan, licence scan, verification images, screenshots of ID)
Investment in a CMF Sub- scheme	Identity data, Verification records, Ongoing customer due diligence records AML/CTF screening results Accountant certificate (Wholesale Investor Proof)	None
End of investor relationship 7 years post registering as a member which did not proceed to invest in a CMF Subscheme. 7 years post the end date of the last investment in CMF Subscheme.	Retain AML records for 7 years: KYC structured data verification records ML/TF risk rating and risk assessment Accountant certificate (Wholesale Investor Proof) OCDD reviews (if multiple investments have been undertaken over the years, re-verification will be undertaken)	destroy unnecessary personal data

Disclosure of Personal Information

Generally, we only use and disclose information for the purpose for which it was disclosed or for related purposes which would reasonably be expected. Those purposes include:

to establish and administer your investment or account and your relationship with us;
for communication purposes;
to comply with our record-keeping, reporting, and tax obligations;
to protect legal rights and comply with legal obligations;
to prevent fraud and abuse;
for quality assurance and training purposes;
to our agents, contractors, external service providers to outsource certain functions, for example, statement production, debt recovery and information technology support;
to anyone, where you have provided us consent;
to external service providers including IT providers and cloud service providers;
to auditors, lawyers, consultants and professional advisers;
to trustees, custodians or fund administrators;
to other guarantors or borrowers, financial advisors or brokers (if more than one);
to borrowers or prospective borrowers including in relation to any credit you guarantee or propose to guarantee;
any investors or prospective investors looking to assess the potential of an investment in a loan or product offered by Greenlane;
to other financial institutions, for example to process a claim for mistaken payment;
organisations that provide products or services used or marketed by us
to enable us to provide information about new and existing products and services that will enhance our relationship with you. However, we do respect the right of individuals to ask us not to do this;
to handle any relevant enquiries or complaints; and
where we are authorised to do so by law, such as under the Anti-Money Laundering and Counter Terrorism Financing Act 2006 (Cth), government and law enforcement agencies or regulators.

In order to meet our investors’ needs and provide some investor services, such as administration of accounts and mailing of investor distribution statements, it may be necessary to release information or provide access to external service providers, for instance:

to prospective funders or other intermediaries in relation to your finance requirements;
to any organisations involved in providing, managing or administering our products systems or services such as custodians, registries, administrators, mail houses and software and information technology providers;
to investors, agents or advisers, trustees, rating agencies or any entity that has an interest in your finance or our business;
to auditors, consultants and other professional advisers;
to your financial adviser or broker;
to a legal personal representative, attorney or any other person who may be entitled to receive the proceeds from your investment or account with us;
to other financial institutions who hold an account in an investor’s name, for example, where amounts have been transferred to or from that account; and
to authorities investigating (or who could potentially investigate) alleged fraudulent or suspicious transactions in relation to an investment or account.

Prior to disclosing any of your personal information to another person or organisation, we will take all reasonable steps to satisfy ourselves that:

the person or organisation has a commitment to protecting your personal information at least equal to our commitment, or
you have consented to us making the disclosure.

Information about you or your dealings with us is not and will not be sold to any other company, individual, or group.

Greenlane does not sell personal information.

Credit-related information

We exchange credit-related information for the purposes of assessing your application for finance and managing that finance. If you propose to be a guarantor, one of our checks may involve obtaining a credit report about you.

This credit-related information may be held by us in electronic form and may also be held in paper form. We may use cloud storage to store the credit-related information we hold about you.

When we obtain credit eligibility information from a credit reporting body about you, we may also seek publicly available information and information about any serious credit infringement that you may have committed.

Notifiable matters

The law requires us to advise you of ‘notifiable matters’ in relation to how we may use your credit-related information. You may request to have these notifiable matters (and this policy) provided to you in an alternative form.

We exchange your credit-related information with credit reporting bodies. We use the credit-related information that we exchange with the credit reporting body to confirm your identity, assess your creditworthiness, assess your application for finance or your capacity to be a guarantor and manage your finance.

The information we can exchange includes information such as; your identification details, what type of loans you have, how much you have borrowed, whether or not you have met your loan payment obligations and if you have committed a serious credit infringement (such as fraud).

If you fail to meet your payment obligations in relation to any finance that we have provided or arranged or you have committed a serious credit infringement then we may disclose this information to a credit reporting body.

You have the right to request access to the credit-related information that we hold about you and make a request for us to correct that credit-related information if needed. Please see the heading ‘Can you access and amend your personal information?’ below.

Sometimes your credit information will be used by credit reporting bodies for the purposes of ‘pre- screening’ credit offers on the request of other credit providers. You can contact the credit reporting body at any time to request that your credit information is not used in this way.

You may contact the credit reporting body to advise them that you believe that you may have been a victim of fraud. For a period of 21 days after the credit reporting body receives your notification the credit reporting body must not use or disclose that credit information. You can contact any of the following credit reporting bodies for more information:

Equifax Pty Ltd – www.equifax.com.au,

Can you access and amend your personal information?

In most cases, you can have access to your personal information collected and held by us however there are some exceptions to this as specified in APP 12 (Australian Privacy Principles) where access may be denied.

We will only grant access to personal information of an individual where appropriate identification verification has been provided, which may be required in writing. We reserve the right to impose reasonable charges for providing such access to information.

Depending on the type of request that you make we may respond to your request immediately, otherwise we usually respond to you within seven days of receiving your request. We may need to contact other entities to properly investigate your request.

There may be situations where we are not required to provide you with access to your personal or credit- related information, for example, if the information relates to existing or anticipated legal proceedings, if your request is vexatious or if the information is commercially sensitive.

An explanation will be provided to you, if we deny you access to the personal or credit-related information we hold about you.

If any of the personal or credit-related information we hold about you is incorrect, inaccurate or out of date you may request that we correct the information by telephoning us on (08) 6444 1739 or by writing to us at 320 Rokeby Road, Subiaco, WA 6008 or email to admin@greenlanegroup.com.au.

If appropriate we will correct the personal information at the time of the request, otherwise, we will provide an initial response to you within seven days of receiving your request. Where reasonable, and after our investigation, we will provide you with details about whether we have corrected the personal or credit-related information within 30 days.

We may need to consult with other finance providers or credit reporting bodies or entities as part of our investigation.

If we refuse to correct personal or credit-related information we will provide you with our reasons for not correcting the information.

How safe and secure is your personal information?

Greenlane takes reasonable steps to protect personal information from:

misuse
interference
loss
unauthorised access
modification
disclosure.

Security measures include:

secure IT infrastructure
access controls
secure document management systems
staff confidentiality obligations.

Can you complain?

Yes. If you have a complaint about a breach of this Privacy Policy including the manner in which we have collected, held, used, disclosed, kept, or given people access to your personal information, then you may make a complaint to us using the contact details set out below. You will need to provide us with sufficient details regarding your complaint and any supporting evidence.

Your complaint will be referred to our Privacy Officer/Finance and Compliance Officer who will investigate the issue and determine the steps we will take to resolve your complaint. We may ask you to provide additional information.

We will acknowledge your complaint within seven days and aim to resolve the complaint as quickly as possible. We will provide you with a decision on your complaint within 30 days.

If you are dissatisfied with the response of our Privacy Officer/Finance and Compliance Officer you may make a complaint to the Privacy Commissioner which can be contacted on either www.oaic.gov.au or 1300 363 992.

Notifiable Data Breaches

You can email us at admin@greenlanegroup.com.au;
You can write to us and request a copy be mailed or emailed to you.
Our postal address is: 320 Rokeby Road, Subiaco WA 6008;
You can call us on 08 6444 1739.

If there is a suspected or actual data breach which may compromise personal information, we will promptly undertake an assessment of the incident. Where relevant, immediate steps will be taken to contain the breach. These steps may include limiting any further access or distribution of the affected personal information, or the possible compromise of other personal information.

A copy of our current Privacy Policy (this document) is available from us free of charge as follows:

If the unauthorised access, disclosure or loss of personal information is likely to cause serious harm to one or more individuals and the likely risk of serious harm has not been prevented by remedial action, we will notify all of the affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable. The notification will include our identity and contact details, a description of the incident, the kind/s of information concerned and any recommended steps for affected individuals.

Are copies of this Privacy Policy available?

Following any data breach incident, we will undertake a review process to help prevent future breaches in accordance with our Data Breach Response Plan and Breach Reporting Template.

Where this occurs, Greenlane takes reasonable steps to ensure that such providers maintain privacy protections consistent with Australian privacy laws.

Will your information be sent overseas?

However, some service providers (including cloud technology providers) may store or process information in overseas jurisdictions.

Greenlane generally stores personal information in Australia.

Changes to this Policy

Greenlane may update this Privacy Policy from time to time to reflect changes in law, regulatory requirements or business practices.