Privacy Policy

Introduction 

This Privacy and Credit Reporting Policy (“Policy”) outlines how Bluestone Group Pty Limited, Bluestone Servicing Pty Limited, and related entities (“Bluestone”, “we”, “us”, or “our”) handle your personal information (including credit-related information) in accordance with the Privacy Act 1988 (Cth) (“Privacy Act”), the Australian Privacy Principles (“APPs”), the Privacy (Credit Reporting) Code 2024 (“CR Code”) and other applicable laws.  

We understand how important it is to protect your personal information. It is important to us that you are confident that any personal information we hold about you will be treated in a way which ensures protection of your personal information.   

Any personal information we collect about you will only be used for the purposes indicated in this Policy or as allowed under the law.   

Definition of personal information (including credit-related information)  

When we refer to “personal information”, we mean information or an opinion that can reasonably identify you, whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not.  

The personal information we hold about you may also include credit-related information.     

“Credit-related information” means:  

• “Credit information”, which is information which includes your identity; the type, terms and maximum amount of credit provided to you, including when that credit was provided and when it was repaid; repayment history information, financial hardship information (including information that any repayments are affected by a financial hardship arrangement),  default information (including overdue payments); payment information; new arrangement information; details of any serious credit infringements; court proceedings information; personal insolvency information and publicly available information; and  
• “Credit eligibility information”, which is credit reporting information disclosed to us by a credit reporting body, and any information that we derive from it.  

We collect and use your credit-related information to assess your eligibility to be provided with finance.  Usually, credit-related information is exchanged between credit providers and credit reporting bodies (“CRBs”).   

The types of personal information we may collect about you include your name, date of birth, age, address, details about dependants and cohabitants, account details, employment and income details, contact information, identity document numbers and any other information we may need to identify you.    

How we collect your personal information  

We may collect personal information in a number of different situations, including when you:  

• contact us via email, phone or our website to make an enquiry;  
• apply to be a borrower or guarantor with us;  
• attend an event hosted by us; or  
• apply for accreditation as a broker, aggregator or loan introducer.  

Where it is reasonable and practical, we will only collect your personal information from you directly and in accordance with our legal obligations.   

We may also collect information about you from third parties including CRBs, referrers (e.g. brokers and mortgage originators) and contractors who supply services to us.  As authorised by you, we may also collect personal information that is publicly available, such as public registers or social media, or from third parties.  

Why we collect your personal information  

We may collect, use, hold and disclose personal information (including credit-related information) about you for the following purposes:  

• to arrange or provide credit to you (including to action your instructions, contact you, verify your identity, and to assess your creditworthiness);  
• to manage that credit (including to assess hardship applications and to collect overdue payments);  
• to provide you with industry updates;  
• for direct marketing (unless you opt out) of products and services offered by Bluestone or an organisation Bluestone is affiliated with or represents;  
• securitisation or related purposes;  
• to comply with our legal obligations, including those under the National Consumer Credit Protection Act 2009 (Cth) and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth);   
• establishing and managing a customer loyalty program;  
• to facilitate our operations (including to comply with any legal requirements);  
• to manage our relationship with you (including to invoice you and to deal with any complaints or enquiries); or  
• for statistics and security.  

If you do not want to provide us with your personal information, we may not be able to arrange or provide credit to you or provide other services.   

Disclosing your personal information  

We may disclose your personal information to:  

• other credit providers and financial institutions;  
• to other guarantors or borrowers (if more than one);  
• to borrowers or prospective borrowers, including in relation to any credit you guarantee or propose to guarantee;  
• to prospective funders or other intermediaries (such as finance or mortgage brokers, mortgage originators, mortgage managers) and persons who assist us to provide our products to you;  
• to any person who represents you, such as finance brokers, lawyers, mortgage brokers, guardians, persons holding power of attorney and accountants;  
• any industry body, tribunal, court or otherwise in connection with any complaint regarding the approval or management of your loan (for example, if a complaint is lodged about any mortgage broker or lender who dealt with your loan);  
• to other organisations that are involved in managing or administering your finance, such as third party suppliers, printing and postal services, call centres, lenders, mortgage insurers, trade insurers and CRBs;  
• to companies that provide information and infrastructure systems to us;  
• to our agents, contractors or external service providers to outsource certain functions, for example, statement production, debt recovery and information technology support;   
• any person where we are required by law to do so (for example, pursuant to subpoena or to a government agency such as tax authorities in Australia and overseas);  
• any of our associates, marketing agencies, related entities (in Australia and overseas) or contractors (for example, policy printing houses or mail houses);  
• to our auditors, insurers, re-insurers and health care providers;  
• to claims related providers, such as assessors and investigators who help us with claims;  
• to investors, agents or advisers, trustees, rating agencies or any entity that has an interest in your finance or our business;  
• to your employer, former employer, referees or identity verification services;  
• to associated businesses that may want to market products to you;  
• organisations that provide products or services used or marketed by us; or  
• to anyone where you have provided us with consent.   

Credit-related information  

If you apply for a credit product with us or offer a guarantee, we may exchange credit-related information about you with CRBs.  One of our checks may involve obtaining a credit report about you.  

When we obtain credit eligibility information from a CRB about you, we may also seek publicly available information and information about any serious credit infringement that you may have committed.  

Comprehensive Credit Reporting   

We participate in Comprehensive Credit Reporting (“CCR”).  CCR has transformed the way lenders share credit-related information with CRBs in Australia.  

CCR allows lenders to access not only the negative marks on your credit file but also the positive financial behaviours you’ve built up over time that have been reported to the CRB. This gives a fuller, fairer picture of your credit history.  

Under CCR the way we exchange credit-related information with CRBs include:   

• reporting repayment history information, including whether you have made your repayments on time. This means that over time, your credit report will provide a more accurate assessment of how you manage credit; and  
• reporting financial hardship information – including the fact that you have entered a financial hardship arrangement with us.   

For more information on the types of information reported under CCR, visit CreditSmart’s Guide to CCR: creditsmart.org.au 

If you have any queries about our participation in CCR, and how this impacts you, please contact us. See ‘ENQUIRIES AND COMPLAINTS’ below for further information.  

Notifiable matters  

The law requires us to advise you of “notifiable matters” in relation to how we may use your credit-related information. You may request to have these notifiable matters (and this Policy) provided to you in an alternative form, such as a soft copy.  

We exchange your credit-related information with CRBs. We use the credit-related information that we exchange with the CRBs to confirm your identity, assess your creditworthiness, assess your application for finance, and to manage that finance.   

We are not required to obtain your consent before making a credit enquiry when you apply for finance or request an increase to existing finance. A CRB may record our enquiry on your credit file, disclose it to other credit providers, and use this information to assess your creditworthiness and calculate your credit score or credit rating. A credit enquiry may impact your credit score or credit rating, as CRBs may take into account the number and frequency of such requests when calculating your credit score.  CRBs may disclose your credit file to other credit providers to help them assess your creditworthiness. 

The information we may exchange with CRBs includes your identification details, what type of loans you have, how much you have borrowed, whether or not you have met your loan payment obligations, whether you have entered into a financial hardship arrangement (either with us or some other third party), and if you have committed a serious credit infringement (such as fraud).  

If you fail to meet your payment obligations in relation to any finance that we have provided or arranged, or you have committed a serious credit infringement, we may disclose this information to a CRB.  

You can ask a CRB not to use your credit-related information for the purposes of pre-screening or direct marketing. You can also ask a CRB not to use or disclose your credit-related information if you have reasonable grounds to believe that you have been, or are likely to be, a victim of fraud. 

You have the right to request access to the credit-related information that we hold about you and make a request for us to correct that credit-related information if needed. See ‘ACCESSING AND CORRECTING YOUR PERSONAL INFORMATION (INCLUDING CREDIT-RELATED INFORMATION)’ below for further information.  

The CRBs we may exchange your personal and credit-related information with are: 

• Equifax Pty Limited – www.equifax.com.au – contact on 13 83 32; see credit reporting policy at https://www.equifax.com.au/privacy; 

• Illion (Australia) Pty Limited – www.illion.com.au – contact on 13 23 33; see credit reporting policy at https://www.illion.com.au/privacy-policy; and 

• Experian Australia Credit Services Pty Limited – www.experian.com.au – contact on 1300 783 684; see credit reporting policy at https://www.experian.com.au/privacy-policy-terms-conditions. 

Overseas disclosures  

We may disclose your personal information (including your credit-related information) to overseas entities that provide support functions to us.  Recipients may be located in New Zealand, the Philippines, the United Kingdom, Ireland and the United States.   

Before we disclose any of your personal information to another entity, we will take all reasonable steps to satisfy ourselves that the entity has a commitment to protecting your personal information at least equal to our commitment or you have consented to us making the disclosure.   

The personal information we hold about you may be held by us in electronic form on our secure servers and may also be held in paper form. We may use cloud storage to store this credit-related information. The cloud storage and the IT servers may be located outside Australia.    

We will not share any of your credit-related information with a CRB unless it has a business operation in Australia.  We are not likely to share credit eligibility information with any person or organisation unless they have business operations in Australia.  

Digital information and tools   

Cookies  

A “cookie” is a small text file placed on your computer by a web page server that may later be retrieved by web page servers. We use cookies on our website to provide you with a better experience.  

Our use of cookies does not allow us to collect personally identifiable information about you, but is or may be used (for example) to determine if you have previously visited our website or other websites, to personalise your web browsing experience, to track and report on website usage and performance, and for statistical and security purposes.  

We may also use cookies for the purposes of site usage analytics, reporting, auditing, and personalisation of content for advertising and marketing. Any data collected from cookies may be shared with third parties for the purpose of providing you with relevant advertising when you visit other websites.  

You can configure your browser to refuse cookies or delete existing cookies from your hard drive. Rejecting cookies may have the effect of limiting access to or functionality of parts of our website.  

IP addresses  

Your IP address is used to identify your computer whenever you use the internet. We may need to collect your IP address so you can interact with various parts of our websites.  

Remarketing tools  

We may use remarketing tools like Google AdWords. These tools are used to tailor our marketing, for example by only displaying advertisements that are relevant to you or that better suit your needs.  

Advertising and tracking  

Our advertising company uses cookies and in some cases web beacons to collect information when you view our advertisements on other websites you visit. This information may include things like:  

• your computer server details;  
• the type of browser you’re using;  
• the time and date of your visit; and  
• how you interact with our advertisements.  

When you visit our website after seeing one of our advertisements on a third-party site, the advertising company may collect information on how you use our website. This may include whether you start or complete our enquiry form, and which website pages you view.  

Online applications and enquiries  

We keep the information you provide when you send us a completed online enquiry. We will then be able to use that information to provide you with our services as required.  

Anonymity and pseudonymity  

If it is ever practicable to do so, we will offer you the opportunity to deal with us without providing your personal information (for example, if you make general inquiries about interest rates or current promotional offers).   

Sensitive information  

Sensitive information is any information about your racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record or health information.  

We may collect sensitive information about you but only if that sensitive information relates directly to our ability to arrange or provide credit to you or manage the credit provided to you.  

Unsolicited personal information  

Sometimes people share information (including sensitive information) with us that we have not sought out. This could be through using our website, making a general enquiry, requesting us to resolve a dispute, or requesting us to assess a hardship application. We may also receive unsolicited personal information about you (including sensitive information) by mistake. If we receive such information about you, we will determine whether we would have been permitted to collect that information.  

If not and the information is not contained in a Commonwealth record, then we will destroy or de-identify it as soon as practicable, but only if it is lawful and reasonable to do so.  

Often, it is not possible for us to neatly unbundle this information then destroy or de-identify only certain sections or parts of it, and we may need to store this information for future use, such as to help resolve disputes between us or assess future applications by you.   

We have many security safeguards in place to protect your information from interference, misuse, loss, unauthorised access, modification, or disclosure.  See further information under “SECURITY OF PERSONAL INFORMATION” below.  

Verifying your identity   

We may verify your identity using information held by a CRB.  To do this, we may disclose your personal information such as your name, date of birth, and address to the CRB to obtain an assessment of whether that personal information matches information held by the CRB.  The CRB may give us a report on that assessment, and to do so may use personal information about you and other individuals in their files.  Alternative means of verifying your identity are available on request. If we are unable to verify your identity using information held by a CRB, we will provide you with a notice and give you the opportunity to contact the CRB to update your information held by them.  

Document Verification Service  

To verify your identity, we may collect, use and disclose the information derived from your government issued documents (such as your Australian passport, state or territory driver licence, Medicare card, citizenship certificate or birth certificate) to the relevant government agency via the Document Verification Service (“DVS”), provided we have obtained your express consent to do so.   

Our collection, use and disclosure of your information to the DVS to verify your identity is subject to compliance with our legal obligations under the Privacy Act and APPs and our DVS Business User Participation Agreement.  Our use of the DVS may involve the use of third-party systems and services. The DVS verifies supplied information by checking it against information held by the government agency that originally issued that document.   

Verification of your identity is necessary for us to perform our functions and activities and provide products and services to you. If you do not provide evidence of your identity, or your express consent for us to verify your identity using the DVS, we may be unable to verify your identity and may not be able to arrange or provide credit to you or provide other services.   

If you wish to make a complaint relating to the collection, use and disclosure of your information for the purposes of verifying your identity with the DVS, or withdraw your consent at any time, you may contact us.  See ‘ENQUIRIES AND COMPLAINTS’ below for further information.  

You can find more information about the DVS, including information about the operation and management of the DVS Hub by the Attorney-General’s Department, at www.dvs.gov.au.  

Direct marketing  

We may use or disclose your personal information (other than sensitive information), including direct marketing, but only if you have not made a request not to participate in direct marketing by contacting us to opt out. If direct marketing is by email or SMS, you may also use the unsubscribe function. We will not charge you for making a request to opt out, and we will give effect to your request within a reasonable period.  

Other than by email and SMS, we may also conduct direct marketing activities via telephone, mail, or any other electronic means. We may also market you through third party channels (such as social networking sites).  

We may use or disclose your personal information (other than sensitive information) for direct marketing under circumstances where you would reasonably expect us to use or disclose the personal information for direct marketing.  

We will obtain your consent before using or disclosing sensitive information for the purpose of direct marketing.  

We do not disclose your personal information to any third party for the purpose of allowing them to market their products or services to you.  

Updating your personal information  

We will take reasonable steps to ensure that your personal information is accurate and up to date.   

If you wish to make any changes to your personal information, you may contact us.  We will generally rely on you to ensure that the information we hold about you is accurate or complete.  

You must notify us of any changes to your personal information that are required by any contracts you have with us.   

Security of personal information  

We may store your personal information in paper and electronic form. We have a range of technical, administrative and other security safeguards to protect your personal information from interference, misuse, loss, unauthorised access, modification or disclosure, including:  

• any paper records are accessible to Bluestone Staff only on a “as needed” basis;  
• we have a “clean desk” policy for all Bluestone Staff, and it requires, for example, that all paper records to be held within an office that is locked at night;  
• control of access to our building;  
• our electronic databases are password access only with virus protection software and firewalls installed;  
• our physical storage is protected by security measures such as alarm systems and security patrol; and  
• all Bluestone Staff receive mandatory training relating to this Policy.  

If we store your personal information physically or electronically with third party data storage providers, we will use contractual arrangements to ensure those providers take appropriate measures to protect your information and restrict the uses of that information.  

Where practicable, we will destroy the personal information we hold seven years after our relationship with you ends (unless that information is contained in a Commonwealth record, or we have to retain it by or under an Australian law or a court/tribunal order).   

Sometimes it is impossible or impractical to isolate certain parts of your information and then destroy or de-identify that information, and we may need to store your information for future use, such as to help resolve disputes between us or assess future applications by you. The same security safeguards will be in place to protect your information.  

Accessing and correcting your personal information (including credit-related information)  

Accessing your personal information  

You may request access to the personal information (including credit-related information) we hold about you. We will need to verify your identity before allowing access.  

We will give access in the manner you have requested if it is reasonable to do so. We may charge you a fee for our cost of retrieving and supplying the information. If we do, the fee will not be excessive and will not apply to the making of the request.  

We will respond to your request within a reasonable period. Depending on the type of request that you make, we may respond to your request immediately, otherwise we usually respond to you within seven days of receiving your request. We may need to contact other entities to properly investigate your request.  

There may be situations where we are not required to provide you with access to your personal information, for example, if the information relates to existing or anticipated legal proceedings, if your request is vexatious, or if the information is commercially sensitive.  

If we decide not to give you access, we will provide reasons for the refusal and further information on how you can complain about the refusal.  

If we refuse to give access or we cannot give access in the manner you have requested, access may be given using a mutually agreed intermediary.  

Correcting your information  

If any of the personal information we hold about you is incorrect, inaccurate or out-of-date, you may request that we correct the information by contacting us.  

If appropriate, we will correct the personal information at the time of your request.  Otherwise, we will provide an initial response to you within seven days of receiving your request.  Where reasonable, and after our investigation, we will provide you with details about whether we have corrected your personal information within 30 days.  

We may need to consult with other finance providers or credit reporting bodies or entities as part of our investigation.  

If we refuse to correct your personal information, we will, within a reasonable timeframe, provide reasons for the refusal and further information on how you can complain about the refusal.   

Enquiries and complaints  

Enquiries  

If you have any queries about this Policy or if you would like to opt out of direct marketing or access or correct your personal information, please contact us on one of the options below:  

(02) 8115 5000 or 13 25 83  
customerservice@bluestone.com.au  
PO Box 1136, QVB Post Shop, NSW, 1230.  

Complaints  

If you are not satisfied with how we have dealt with your personal information (including credit-related information), or you have a complaint about our compliance with the Privacy Act and the CR Code, you may contact our complaints officer via the options below:  

(02) 8115 5000 or 13 25 83  
complaints@bluestone.com.au  
PO Box 1136, QVB Post Shop, NSW, 1230.  

We will acknowledge your complaint within 24 hours and aim to resolve the complaint as quickly as possible.  We will provide you with a decision on your complaint within 30 days after receiving your complaint.  

We have Internal Dispute Resolution (“IDR”) procedures in place. We will follow this procedure in handling your complaint. We will provide our customers with a copy of our IDR procedures free of charge if one is requested.  

If you are not satisfied with the outcome, you may lodge a complaint with the Australian Financial Complaints Authority (“AFCA”). AFCA provides fair and independent financial services complaint resolution that is free to consumers.  

• Website: www.afca.org.au   
• Email: info@afca.org.au   
• Phone: 1800 931 678 (free call)  
• Mail: Australian Financial Complaints Authority GPO Box 3, Melbourne VIC 3001  

If you are still not satisfied, you can complain to the OAIC using the details provided above.  

If you would like further advice regarding your privacy rights, you can contact the OAIC by email at enquiries@oaic.gov.au or by phone on 1300 363 992.  

Changes to this policy  

We will review this Policy periodically. We will amend this Policy as the need arises, such as reflecting emerging legislative and technological developments, industry practice, and market expectations.  

If we do so, we will notify you by posting an updated version on our website.  

This Policy was last updated in October 2025.