Yodlee | Consumer Data Right

1. About this policy

The Consumer Data Right (CDR), also known as "open banking", gives you the right to consent to organisations accredited by the Australian Competition and Consumer Commission (ACCC) accessing specified data about you (CDR data).

The CDR regime is designed to give Australian consumers greater choice and control over how their data is collected, used, and disclosed. It allows you, with your consent, to share your data for specific purposes with any organisation that is accredited under the CDR regime, and in some cases, with third parties you nominate in accordance with the CDR Rules.

In this policy, references to "you" or "your" mean you as a user of our Services and a CDR consumer.

Marmalade Australia Pty Ltd (ABN 56 637 723 196) (Marmalade, we, us) is an Accredited Data Recipient participating in the government's open banking scheme under the CDR regime. Marmalade provides a business payments platform that enables small and medium-sized businesses to access cash from approved invoices immediately, for a one-time fee, without loans, interest, or personal guarantees. Marmalade provides its services via its website and mobile applications (the Services).

As part of delivering our Services, and in accordance with the consents you provide during the CDR consent process, we may collect, use, and share your CDR data for purposes including assessment of your financial position and invoice data, facilitating early payment of approved invoices, and, where you have provided a de-identification consent, de-identifying certain CDR data and securely retaining it to train and improve our transaction categorisation models and for general research purposes.

This Consumer Data Right (CDR) Policy (CDR Policy) has been created in accordance with the requirements of Division 5 of Part IVD of the Competition and Consumer Act 2010, the Competition and Consumer (Consumer Data Right) Rules 2020 and the CDR Privacy Safeguard Guidelines (CDR Legislation). In this CDR Policy, we explain how we manage your CDR data, how you can access your CDR data, how you can make a complaint, and how we de-identify, retain, and destroy your CDR data in line with your consents and the CDR regime.

2. Consumer Data Right information

The CDR data we collect from you and hold is classified as your "required consumer data" within your banking records which may include:

• your contact details;
• occupation;
• account information;
• transaction records;
• specific information about the financial products you may have with an organisation; or
• CDR data that includes data that may be derived from the original account information and transaction details.

Marmalade as an accredited organisation under the CDR regime:

• allows you to give your consent to share your selected financial data for specific purposes so that we can provide our Services to you; and
• with your consent, is able to de-identify certain CDR data and use the resulting de-identified data for training and improving our transaction categorisation models and related business finance tools, for general research purposes, and disclose the de-identified data in connection with those purposes as outlined in this policy.

We also set out in this CDR Policy how we will treat your data when it becomes redundant.

You control and decide when to share your CDR data, what CDR data you share, with whom, and for how long. As an accredited data recipient, we will only receive your CDR data with your consent.

We will also continue to manage your personal information in line with Marmalade's Privacy Policy and our obligations under the Privacy Act 1988. Please visit our Privacy Policy at www.marmalade.com.au/privacy-policy for further information.

3. How we hold CDR data

Marmalade collects and holds your data that you provide to us as our consumer, which enables and assists us to provide you with our Services. This data may include data classified as "CDR data" upon us receiving it after you have given your consent as an accredited data recipient under the CDR regime. Under the CDR regime:

Data Holder: is the organisation that holds your data and upon your consent shares your data with an accredited data recipient, for example, your financial services provider.

Accredited Data Recipient: is an organisation accredited under the CDR regime that you have provided your consent to receive and use your CDR data from the Data Holder. Marmalade is an Accredited Data Recipient.

In this policy, "Accredited Data Recipient" and "Data Holder" have the meanings given in the Competition and Consumer Act 2010 (Cth).

When you provide your consent to an Accredited Data Recipient to collect and use your CDR data, it is important to know that you are then entering into an agreement with them.

At Marmalade, we will hold your data for the period of time specified in your consent or until you withdraw your consent. Once you withdraw your consent or the period specified has expired, or we can no longer hold it under the CDR regime, we will delete your CDR data, unless it has been de-identified (see Sections 9 and 10).

Marmalade does not accept consumer requests to access additional voluntary products or consumer data that our Services do not already make available.

4. Your privacy and security

We will keep your CDR data in cloud-based, or other types of networked or electronic storage centres. The security of your CDR data is important to us. We will take appropriate technical and organisational precautions to secure your CDR data as required under the CDR regime.

5. Consent to receiving your CDR data

5.1 Sharing your CDR data

You can choose to share your CDR data with Marmalade so we can provide you with our Services. You will need to give your consent to Marmalade as an accredited data recipient to receive your CDR data from your nominated financial institution or financial services provider (Data Holder).

Prior to actioning your request to share your CDR data with Marmalade, we will:

• identify you first using our authentication methods;
• obtain your consent to sharing your CDR data from your nominated financial institution or financial services provider with Marmalade;
• ask you to choose which accounts and information you would like to share with Marmalade; and
• ask you for what period of time you want to share your CDR data with Marmalade.

5.2 Manage your CDR data sharing with your Data Holder

You can log in with your Data Holder and manage your data sharing to view, manage, and stop your data sharing. Please note that managing or stopping your CDR data sharing with your Data Holder does not affect CDR data already collected by Marmalade prior to that action. To withdraw your consent with Marmalade, please refer to Section 13.

6. CDR data sharing and third-party access

Marmalade uses the entities listed below as its outsourced service providers (OSP) to provide the following services:

• Yodlee Inc. (Yodlee), Accredited Data Recipient: Manages the consent process with respect to accessing CDR data as an accredited data recipient, and provides additional insights by enhancing merchant and payer identification and category details around your transactions.
• Tata Consultancy Services Limited, Based in India (TCS): Provides customer servicing support, technology and infrastructure, and data processing services to Yodlee Inc. Yodlee service provider, covered in Yodlee's CDR policy.

Marmalade does not disclose your CDR data to any third parties other than to Yodlee Inc. as its outsourced service provider, as described above, which is necessary to facilitate access to and processing of your CDR data for the delivery of our Services. The website www.cdr.gov.au gives you more information regarding the accreditation process.

6.1 Use of your CDR data within the Marmalade platform

Marmalade uses your CDR data in the backend to facilitate the identification of payments for invoices and the facilitation of early payment of invoices. Marmalade does not share your CDR data with any third parties within the Marmalade platform. The only information visible to you within the Marmalade app in relation to your CDR data is which of your bank accounts are currently connected to our Services. You can disconnect a bank account at any time through the Settings section of the Marmalade app.

6.2 Third-party disclosure

Marmalade does not disclose your CDR data to third parties at your direction. Your CDR data is used solely for the purposes described in this policy, being the identification of payments for invoices and the facilitation of early payment of invoices, and is only shared with Yodlee Inc. as our outsourced service provider as required to deliver these Services.

7. How we use your CDR data

Marmalade offers its Services online, which enables businesses to access early payment on approved invoices, manage cash flow, and improve their financial position. Marmalade uses your CDR data to deliver its Services to you and to improve the overall service quality. This includes using CDR data to assess and verify your business's financial position and invoice data, evaluate your eligibility for Payments on Demand, and facilitate early payment of approved invoices.

As part of delivering our Services, and in accordance with the de-identification consent you provided during the CDR consent process, certain transaction data is de-identified and processed using our categorisation algorithms. These de-identified datasets may be securely retained and used to train and improve our models that support the identification of payments for invoices and the facilitation of early payment of invoices.

We will only collect and use the CDR data that is reasonably needed to provide our Services to you, including the de-identification and retention of selected transaction data for these purposes.

We may also use your data that has been de-identified or become redundant as set out in Section 9 (De-identified or Redundant Data).

8. Data enhancement

Marmalade enhances your CDR data to provide more meaningful and accurate financial insights. This involves identifying the parties to your transactions (such as customers and payers) and assigning categories to your income and expenditure. Enrichment helps us deliver features including the identification of payments for invoices and the facilitation of early payment of invoices.

Marmalade performs data enrichment directly. Enrichment is applied only to CDR data that Marmalade has collected in accordance with your consent and the CDR regime.

Where enrichment results in de-identified datasets being created, and you have provided de-identification consent in the CDR consent process, those de-identified datasets may be securely retained and used in accordance with Sections 9 and 10 of this policy.

9. De-identified or redundant data

This section describes how Marmalade handles your CDR data when it becomes redundant or is de-identified in the course of providing our Services.

9.1 De-identified data

During the consent process, we may also seek your consent to de-identify certain CDR data and use the resulting de-identified data for:

• our general research purposes;
• training and improving our transaction categorisation models and related business finance tools; and
• disclosing the de-identified data in connection with our general research purposes.

Once the data has been de-identified and used for the purposes outlined above, it cannot be deleted once it becomes redundant data. However, this de-identified data cannot be used to identify you as an individual and will continue to be held in de-identified form.

For the purposes of this section, "general research purposes" includes providing feedback to the ACCC and participants of various data standard workgroups regarding Marmalade's CDR connection statistics, using high-level de-identified data for statistics about CDR connections in Marmalade press releases, and identifying opportunities for improvement in how we collect, handle and use CDR data to deliver better Services to you.

9.2 Redundant data

Any CDR data that we no longer need for the purposes disclosed in this policy and for which we have no other lawful basis under the CDR regime to retain will be treated as redundant data.

Redundant CDR data will be deleted. Note however that where you have provided de-identification consent in the CDR consent process and your CDR data has been de-identified in accordance with that consent, it may be retained in accordance with Sections 9 and 10.

During the consent process, you may choose to have your redundant CDR data deleted. If you do not make a deletion choice, we may either delete or de-identify it at our discretion. Please note that once your CDR data has been de-identified, it can no longer be deleted upon expiry or revocation of your consent, as it will no longer be able to be used to identify you as an individual. In such cases, the data will continue to be retained in its de-identified form.

10. Handling of de-identified data by third parties

Marmalade does not provide your CDR data to any outsourced service providers (OSPs) beyond what is strictly necessary to facilitate access to and processing of your CDR data through Yodlee Inc. as described in Section 6. This section describes how Yodlee, as our OSP, may handle de-identified data.

Where you have provided de-identification consent in the CDR consent process, Yodlee may, in accordance with that consent and the CDR regime, securely retain de-identified datasets for the purposes specified in your consent, including training and improving transaction categorisation models and related business finance tools, and for general research purposes.

Before retention, the data is de-identified so that it can no longer be used to identify you. This involves removing all personal information and any transaction attributes that could reasonably be used, alone or in combination with other information, to re-identify you.

Marmalade requires that where our OSPs retain any de-identified datasets, they are permitted to do so only in accordance with the following restrictions:

• De-identified datasets are not permitted to be re-identified; and
• De-identified datasets are retained solely for the purposes permitted by your consent.

11. Overseas storage practices

Marmalade holds and stores CDR data in SOC 2 compliant data centres in Australia. We will keep your CDR data stored securely and encrypted in electronic form in accordance with this policy, the CDR regime, and Marmalade's Privacy Policy.

Where your CDR data is accessed or processed from overseas, for example by Tata Consultancy Services Limited (TCS) based in India in its capacity as a service provider to Yodlee, such access will occur only in accordance with the CDR regime (including the Privacy Safeguards). All overseas access is subject to contractual and technical safeguards to ensure that your CDR data is protected to the same standards required in Australia.

12. How we notify consumers

On several occasions, you will receive notifications via the Services. Such notifications will include:

• relevant lifecycle events regarding your CDR data (including when you set up, amend, or stop sharing, and where your CDR data sharing arrangement expires);
• requesting your consent to use your CDR data;
• the withdrawal of your consent;
• the collection of your CDR data;
• if you request information about your CDR data;
• if our CDR accreditation is surrendered, suspended or revoked; and
• consent receipts confirming the scope and duration of your CDR consent arrangements.

13. Consequences of withdrawing consent

You can withdraw your consent authorisation to share your CDR data with or by Marmalade at any time via the Services or by letting us know by email. Please note that if you withdraw your consent, Marmalade will no longer be able to provide its Services to you, as access to your CDR data is necessary for the identification of payments for invoices and the facilitation of early payment of invoices. Additionally, Marmalade will not be able to delete your CDR data while you have funded invoices that remain unpaid, as retention of that data is necessary to manage those obligations. Our email address to withdraw consent is support@withmarmalade.com.

You may also withdraw your consent by:

• disconnecting an individual bank account within the Services or by withdrawing your consent remotely via your financial institution; or
• deactivating your Marmalade account altogether.

Once Marmalade receives your consent withdrawal in any form, we will, in accordance with the CDR regime, permanently delete your CDR data from our systems as soon as practicable and in any event no later than 30 days of receiving your request, unless it has been de-identified in accordance with your de-identification consent and is retained as described in Sections 9 and 10 of this policy, or unless you have funded invoices that remain unpaid.

Once your CDR data is permanently deleted you will not be able to access it unless you provide a new consent for us to receive your CDR data.

You may manage your CDR consent arrangements through the Settings section of the Marmalade app. Withdrawal of consent takes effect immediately for future access.

14. Contacting us or making a complaint

14.1 Contacting us

Marmalade is here to help. If you want to know how we hold and manage your CDR data or you want to request information about your CDR data, please contact us via our Services, call us on 03 9917 8567, email us at support@withmarmalade.com, or write to us at Marmalade Australia Pty Ltd, L5/447 Collins St, Melbourne VIC 3000, Australia.

14.2 Making a complaint to us

If you are concerned about how we have handled your CDR data or you want to make a complaint or provide us with any feedback, you can contact us on the details outlined in Section 14.1 above. We will attempt to the best of our abilities to resolve any issue that you may have.

In order for us to assist you, please include your full name, email and contact details, as well as a preferred contact method. We may ask for additional information to identify and verify you. Please note a Marmalade representative will never ask you for your log-in account information such as your password via phone or email.

We will do our best to:

• try and resolve your complaint immediately, if possible;
• resolve your complaint within 5 business days. If this is not possible, we will confirm the outcome with you in writing. We will aim to resolve your complaint within 30 days. If we cannot meet these timeframes, we will explain why and provide an expected date for the outcome. We will keep you informed of progress; and
• explain our decision with respect to your complaint and notify you in writing for all complaints not resolved within 5 business days.

If you are not satisfied with the final outcome, you may lodge a complaint with the Australian Financial Complaints Authority (AFCA). AFCA provides a free and independent dispute resolution service for individuals and small business consumers who are unable to resolve their complaints directly with Marmalade.

Australian Financial Complaints Authority

Online: www.afca.org.au

Email: info@afca.org.au

Phone: 1800 931 678

Mail: GPO Box 3, Melbourne VIC 3001

You may also raise any CDR concerns directly with the Office of the Australian Information Commissioner (OAIC). OAIC acts as an impartial third party when investigating and resolving a complaint in relation to the handling of your CDR data.

Office of Australian Information Commissioner

Mail: GPO Box 5218, Sydney NSW 2001

Phone: 1300 363 992

Online: www.oaic.gov.au

Email: enquiries@oaic.gov.au

15. Notifiable data breaches

From February 2018, the Privacy Act includes a Notifiable Data Breaches scheme (NDB) which requires us to notify you and the Office of the Australian Information Commissioner (OAIC) of certain data breaches and recommend steps you can take to limit the impacts of a breach (for example, a password change). The NDB scheme requires us to notify you about a data breach that is likely to result in serious harm to affected individuals. There are exceptions where notification is not required, for example where we have already taken appropriate remedial action that removes the risk of serious harm to any individuals.

If we believe there has been a data breach that impacts your CDR data and creates a likely risk of serious harm, we will notify you and the OAIC as soon as possible and keep in close contact with you about the nature of the breach, the steps we are taking and what you can do to reduce the impacts to your privacy. If we believe there has been an information security incident, we will notify the Australian Cyber Security Centre (ACSC) as soon as practicable and in any case no later than 30 days after becoming aware of the security incident.

If you believe that your CDR data has been the subject of a data breach, you can contact us using the contact details outlined in Section 14.1 above.

16. Availability

This CDR Policy is available electronically by selecting "Settings", then "CDR Policy" within our Services. It is also available on the Marmalade website at [www.marmalade.com.au/cdrpolicy, URL to be confirmed], and on request by contacting us at support@withmarmalade.com.

We reserve the right to change this CDR Policy at any time. When we do, we will post the current version on our website and it will be available in "Settings", then "CDR Policy" within our Services. The revised CDR Policy shall apply from the date of publication on our website. Any subsequent access to, or use by you, of the Marmalade website or any of our Services will constitute acceptance of any varied or modified CDR Policy.

This CDR Policy is Version 1.0 dated 25/3/26.

We will not file a copy of the CDR Policy specifically in relation to each user or consumer. We recommend that you consider saving a copy of this CDR Policy for future reference.