This privacy policy explains how Jydeon Pty Ltd (ACN 696 671 771, ABN 52 696 671 771) collects, uses, stores and shares your personal information when you use PayDay, our earned wage access service available at payday.jydeon.com.
We are committed to protecting your privacy and handling your data in accordance with the Australian Privacy Act 1988, the Consumer Data Right (CDR) framework, and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act).
1. What data we collect
We collect the following categories of personal information:
Account information -- your email address and password (hashed, never stored in plain text).
Identity documents -- a copy of your driver's licence or passport, plus a selfie, used for Know Your Customer (KYC) verification.
Bank and transaction data -- when you connect your bank account via Open Banking, we receive up to 90 days of transaction history including account balances, transaction descriptions and amounts.
Income and salary information -- we analyse your transaction data to detect salary patterns, verify your employer, and determine your advance eligibility.
Payment information -- bank account details needed to send you advance payouts and collect repayments.
Device and usage data -- minimal technical data such as IP address and browser type for security purposes.
2. Why we collect your data
We only collect data that is necessary to provide and improve our service:
Identity verification -- to confirm you are who you say you are, as required by law.
Income verification -- to identify your salary deposits and determine how much you can safely access early.
Advance eligibility -- to assess whether and how much we can advance to you.
Payment processing -- to send advances to your account and collect repayments on payday.
Fraud prevention -- to protect you and us from fraudulent activity.
Legal compliance -- to meet our obligations under AML/CTF, CDR and other Australian laws.
3. Consumer Data Right (CDR) data
Your bank data is accessed through Basiq, an Accredited Data Recipient under the Consumer Data Right framework. When you consent to share your banking data:
We only access the data you explicitly consent to share.
We use your CDR data solely for income verification and advance eligibility -- never for marketing or on-selling.
Your CDR data is handled in accordance with the CDR Rules and Privacy Safeguards set by the ACCC and OAIC.
You can withdraw your consent and request deletion of your CDR data at any time by contacting us.
We do not share your CDR data with any third party except as required to provide the PayDay service or as required by law.
4. How we store and protect your data
All data is stored on Google Cloud Platform servers located in Australia.
Data is encrypted in transit (TLS) and at rest.
KYC documents (ID and selfie) are stored in Google Cloud Storage in the Australia region with restricted access controls.
Passwords are cryptographically hashed -- we never store or see your plain-text password.
We use TOTP-based two-factor authentication (authenticator app) -- we do not use SMS-based 2FA and do not store biometric data.
Access to production systems is restricted to authorised personnel only.
5. Third parties we share data with
We share your data only with the following service providers, and only to the extent necessary to deliver our service:
Provider
Purpose
Data shared
Basiq
Open Banking data access (CDR)
Bank connection consent, transaction data retrieval
Zepto
Payment processing (NPP payouts, direct debit)
Name, bank account details, payment amounts
Refundid
Fraud risk assessment
Limited identity and transaction information
Google Cloud Platform
Infrastructure and storage
All data (hosted on Australian servers)
We do not sell your personal information. We do not share your data with advertisers or data brokers.
6. How long we keep your data
Active accounts -- we retain your data for the duration of your account.
After account closure -- we are required by the AML/CTF Act to retain identity verification records and transaction records for 7 years after the end of our relationship with you. This is an AUSTRAC requirement and we cannot delete this data earlier.
CDR data -- if you withdraw your Open Banking consent, we delete your CDR data promptly unless retention is required by law.
Other data -- any data not subject to legal retention requirements is deleted within 90 days of account closure.
7. Your rights
Under the Australian Privacy Act, you have the right to:
Access your personal information that we hold.
Correct any inaccurate or out-of-date information.
Request deletion of your data -- noting that we must retain certain records for 7 years under AML/CTF obligations.
Withdraw consent for Open Banking data access at any time.
Lodge a complaint if you believe we have mishandled your data.
To exercise any of these rights, contact us at gidon@jydeon.com.
8. Cookies and local storage
PayDay uses minimal browser storage. We store your authentication token (JWT) in your browser's local storage to keep you logged in. We do not use third-party tracking cookies, advertising cookies, or analytics cookies. We do not use Google Analytics or similar tracking services.
9. AUSTRAC reporting obligations
As a reporting entity under the AML/CTF Act, we are required to report certain matters to AUSTRAC (the Australian Transaction Reports and Analysis Centre). This may include suspicious matter reports, threshold transaction reports, and international funds transfer instructions. We are prohibited by law from informing you if a report has been made about your transactions.
10. Changes to this policy
We may update this privacy policy from time to time. If we make significant changes, we will notify you via email or through the app before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
11. Contact us
If you have questions about this privacy policy, want to exercise your rights, or wish to make a complaint about how we handle your data, please contact us:
If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au. For complaints related to CDR data, you can also contact the ACCC.