Skip to main content

Privacy Policy

Last updated: 19/03/2026

1. Who we are

PEXA AML Pty. Ltd. ACN 648 626 699 (“we”, “us”, or “our”) provides software and services that help real estate sector participants assess and manage anti‑money laundering and counter‑terrorism financing (AML/CTF) risk (the Platform). We are committed to protecting privacy and managing personal information in an open and transparent way.

This Privacy Policy explains how we collect, use, disclose and protect personal information in Australia in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where we support customers that are, or will become, AML/CTF reporting entities, we also handle information to assist them to meet obligations under the Anti‑Money Laundering and Counter‑Terrorism Financing Act 2006 (Cth) and the AML/CTF Rules.

Note on AML/CTF reforms: From 1 July 2026, AML/CTF obligations will extend to certain real estate services (often referred to as “Tranche 2” reforms). This Policy is designed to support both current requirements and those reforms as they commence. If the law changes, we will update this Policy.

2. How this Policy applies to you

We act in different roles depending on context:

  • Platform end users and website visitors – we are responsible for the personal information we collect directly from you (for example, when you create an account, use the Platform, or contact support).
  • Individuals whose information is uploaded to the Platform by our customers (for example, buyers, sellers, beneficial owners, directors, agents, referees) – we handle your information to provide services to a customer (such as a real estate agency, developer, conveyancer, or lawyer). In these cases, our customer primarily decides why and how your information is processed. We also implement our own privacy and security obligations under the APPs and our contracts.

If you are providing us with information about someone else, you must ensure you have authority to do so and have provided any required notices to that person.

3. The personal information we collect

The kinds of personal information we collect and generate include: 

  • Identity and contact: names, aliases, date and place of birth, residential and postal addresses, email, phone number, nationality/citizenship, gender (optional), and similar.
  • Government‑related identifiers and identity documents: driver licence, passport, Medicare card, birth/marriage certificates, visa/immigration details, and identification numbers shown on those documents. We do not adopt government identifiers as our own identifiers, but we may collect and use them to verify identity or as required or authorised by law.
  • Customer due diligence (CDD/KYC) information: beneficial ownership details, occupation, source of funds/wealth information provided by you or our customer, information about the purpose and intended nature of the business relationship or transaction, and risk ratings produced by our systems.
  • AML/CTF screening results: matches against sanctions, watchlists and law enforcement lists (as supplied by reputable data providers), politically exposed person (PEP) status, adverse media results, and screening metadata (for example, confidence scores and decision logs).
  • Biometric and liveness data (if enabled): face images, video selfies and derived templates used by third‑party identity verification providers to compare with your ID document photo. We do not retain biometric templates longer than necessary for verification and fraud prevention.
  • Transaction and property information: details about a property, contracts, settlement dates, valuation and trust account details, funds flow information, counterparties and referrers, and other information relevant to assessing ML/TF risk.
  • Device and usage data: IP address, device identifiers, browser type, access times, pages viewed, clickstream data, cookies and similar technologies used for security (including fraud detection) and to operate the Platform.
  • Support and communications: enquiries, feedback, call recordings/chats with our team, and content of forms you submit.

Where we collect sensitive information (for example, biometric data or criminal history information contained in official records), we will do so with your consent where required or where authorised by law.

4. How we collect personal information

We collect information: 

  • Directly from you via online forms, onboarding workflows, document uploads, web chat and support interactions.
  • From our customers when they onboard you to the Platform or share information to complete CDD or risk assessments.
  • From third‑party data sources such as identity service providers (including access to the Commonwealth Document Verification Service via approved intermediaries), sanctions/PEP/adverse media data providers, corporate registries, credit reference sources (where permitted e.g. ID Match), property data services, and public records.
  • Automatically through your browser or device when you access the Platform or our websites (see Cookies below).

If you do not provide requested information, we or our customer may be unable to verify your identity, assess AML/CTF risk, or proceed with a transaction.

5. Why we collect, use and disclose personal information

We collect, use and disclose personal information where it is reasonably necessary for our functions and activities, including to:

  1. Provide and improve the Platform – set up and manage accounts, deliver features, provide support, respond to enquiries, and improve user experience.
  2. Enable AML/CTF customer due diligence for our customers – verify identity; identify and verify beneficial owners; determine PEP/sanctions exposure; conduct ongoing due diligence and transaction monitoring; maintain records; and generate reports, logs and audit trails.
  3. Manage ML/TF risk – create risk profiles and scores, apply rules and models, and support our customers’ compliance programs.
  4. Prevent, detect and investigate fraud, financial crime and abuse of our services.
  5. Comply with laws – including the AML/CTF Act and Rules (once applicable), sanctions laws, law enforcement requests, court/tribunal orders, and regulatory notices.
  6. Operate our business – billing, account management, training, quality assurance, analytics (including use of de‑identified data), security and governance.
  7. Marketing and communications – send service communications, and (separately) send you marketing about our services where permitted by law and your communication preferences. We will not use personal information collected for AML/CTF checks for unrelated direct marketing.

We may combine information we hold about you with information from other sources for the above purposes, subject to the APPs.

6. Disclosures of personal information

We disclose personal information to:

  • Our customers (for example, real estate agencies, developers, conveyancers) and their advisers so they can meet their AML/CTF obligations and manage risk.
  • Service providers that help us deliver the Platform, including cloud hosting, identity verification (including DVS access via an approved gateway), sanctions/PEP/adverse media screening, analytics, security, communications and support tools. These providers are bound by confidentiality and security requirements.
  • Regulators and law enforcement where required or authorised by law (for example, to AUSTRAC or a State/Territory police service following a lawful demand), or to respond to subpoenas, warrants or court orders.
  • Professional advisers and insurers (lawyers, auditors, accountants) for the purposes of obtaining advice and managing disputes or claims.
  • Related corporate entities (if any) for operational purposes consistent with this Policy.
  • Other third parties with your consent.

We do not sell personal information.

7. Overseas disclosures

Our service providers and data centres may be located in Australia and other countries. Likely overseas recipients include Singapore. Where we disclose personal information overseas, we will take reasonable steps to ensure the recipient does not breach the APPs in relation to that information (for example, by using contractual protections, due diligence and technical controls). In some cases, an exception under APP 8 may apply (for example, where the disclosure is required or authorised by Australian law, or you expressly consent after being informed that APP 8.1 will not apply).

8. Data security

We implement administrative, technical and physical safeguards appropriate to the nature of the information we hold, including:

  • access controls and role‑based permissions;
  • encryption in transit and at rest for key data sets;
  • network security, logging and monitoring;
  • secure software development practices and vulnerability management;
  • personnel vetting, confidentiality obligations and security awareness training; and
  • vendor risk management and data processing agreements.

We only retain personal information for as long as needed for the purposes described in this Policy or to comply with legal obligations. Where we handle AML/CTF records for or on behalf of customers, we retain those records for at least 7 years from the relevant date (for example, from the end of the business relationship or completion of an occasional transaction), unless a longer period is required by law or contract. When information is no longer required, we take reasonable steps to de‑identify or securely destroy it.

9. Your choices

  • Anonymity and pseudonymity (APP 2): Where lawful and practicable, you may interact with us without identifying yourself. However, AML/CTF laws and our customers’ CDD obligations usually require verified identity before a transaction can proceed.
  • Communication preferences: You can opt out of marketing communications at any time by using the unsubscribe link in our emails or contacting us. Service and transactional communications are essential and you cannot opt out of them.
  • Cookies: You can control cookies through your browser settings. Some cookies are necessary for security and core Platform functions and cannot be disabled.

10. Access and correction (APPs 12 and 13)

You may request access to personal information that we hold about you and ask us to correct any that is inaccurate, out‑of‑date, incomplete, irrelevant or misleading. We may ask you to verify your identity before fulfilling a request.

Where we process your information on behalf of a customer, we may refer your request to that customer (who will usually be the primary contact point). We will cooperate with our customer to respond to your request within a reasonable period.

We may refuse access in circumstances permitted by the APPs (for example, where giving access would unreasonably impact the privacy of others or is unlawful). If we refuse access or correction, we will tell you why and how you can complain.

11. Data breaches

If a data breach involving personal information is likely to result in serious harm, we will comply with the Notifiable Data Breaches (NDB) scheme, including assessing the breach and notifying affected individuals and the Office of the Australian Information Commissioner (OAIC), as required. Where a breach involves information we handle for a customer, we will also notify and coordinate with that customer.

12. Children’s privacy

Our services are intended for use by businesses and their adult customers. We do not knowingly collect personal information of children under 16, except where a minor is involved in a property transaction and information is provided by a parent/guardian or our customer in accordance with law.

13. Third‑party services and links

The Platform may contain links to third‑party websites or services. Those services are not governed by this Policy, and we are not responsible for their privacy practices. We encourage you to review their privacy policies.

14. Changes to this Policy

We may update this Policy from time to time. The updated Policy will be posted on our website with a new “Last updated” date. Significant changes will be notified via the Platform or by email where appropriate.

15. Contact us

If you have questions, want to request access or correction, or wish to make a complaint, please contact us:
Privacy Officer
PEXA AML Pty. Ltd. 648 626 699
Tower 4, Level 16, 727 Collins Street, Victoria, 3008
Email: support@pexaclear.com.au
We aim to respond within a reasonable period. If you are not satisfied with our response to a privacy complaint, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992.

16. Additional information for AML/CTF contexts

To support customers’ AML/CTF programs, we also:

  • maintain auditable logs of CDD decisions, rule outcomes and overrides;
  • allow customers to configure risk models and review screening matches;
  • provide workflows to assist with ongoing customer due diligence and event‑driven KYC reviews; and
  • support export of records to assist customers to meet 7‑year retention and regulatory audits.

Where we assist a customer to prepare or file reports required by law (for example, suspicious matter reporting), we do so under the customer’s instructions and subject to applicable secrecy and confidentiality requirements.

17. Definitions

  • Personal information has the meaning given in the Privacy Act: information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in material form or not.
  • Sensitive information includes information about an individual’s biometric identifiers or templates, health, racial or ethnic origin, religious beliefs, sexual orientation, union membership and criminal record.
  • Reporting entity means a person or organisation that provides a designated service under the AML/CTF Act.