Welcome to the word of CTZN.

Privacy Policy


This is the privacy policy of Australian Vintage Limited ABN 78 052 179 932 and our related entities. The purpose of this policy is to clearly express an up-to-date policy about our company’s management of personal information.

We are committed to protecting your personal information. By submitting your personal information to us, or by using our services, you acknowledge and consent to us using your personal information in accordance with this policy.

This policy is intended to enhance the transparency of our company’s operations, notify you of your rights and our obligations and provide information regarding:

  1. the kinds of personal information which we will collect and hold;
  2. how we will collect, hold, use and disclose personal information;
  3. the purpose for which we collect, hold, use and disclose personal information;
  4. how you may access personal information that is held by us and seek correction of such information;
  5. how you may complain about a breach of the Australian Privacy Principles (APP) or registered APP code (if any) that binds us and how we will deal with such complaint;
  6. whether we are likely to disclose personal information to overseas recipients;
  7. if we are likely to disclose personal information to overseas recipients, the countries in which such recipients are likely to be located and if practical specify the countries in the policy.


This privacy policy sets out how we comply with its obligations under the Privacy Act 1988 (as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012) (the Act) and the General Data Protection Regulation (GDPR).



We acknowledge that we must take reasonable steps when handling personal information.

Whilst we cannot warrant that this policy will be followed in every instance, we will endeavour to follow this policy on each occasion. Similarly, while we cannot warrant that loss, misuse or alteration of information will never occur, we will take all reasonable steps to prevent these things from occurring. 

Our company has taken reasonable steps to endeavour to comply with the APPs and the Act, some examples are noted below.  

  1. Implementation of the privacy policy.
  2. Staff training and education (including a handbook for our staff).
  3. Use of checklists to ensure that all APPs are complied with.
  4. Clear and transparent procedures regarding handling of complaints and disclosure of information.


Our policy is available on our website however should you require a hardcopy please contact us and we will provide you with a copy.




It is our usual practice to collect personal information directly from the subject individual or their authorised representative(s).   

Personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether or not recorded in a material form, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Some examples of some personal information we might collect are:

  1. name;
  2. address;
  3. contact details (such as telephone numbers, addresses, email addresses);
  4. date of birth; and
  5. payment details/credit card information.


Sensitive information is a type of personal information and includes information about your health, race, ethnic origin, and religious and political beliefs, among other things. 


We may collect health information about you but will not generally otherwise collect sensitive information. An example of health information we may collect is information about a health service provided, or to be provided, to you, and in particular information about your COVID-19 vaccination status (including number of doses received) or why you cannot receive a COVID-19 vaccination. However, you may wish to provide us with other sensitive information about you from time-to-time. 


If we do collect sensitive information about you we will only do so with your consent or where the collection is required or authorised by law (for example, any relevant public health directions or other laws in the jurisdiction of the request for your COVID-19 vaccination status). 

We also use different types of technology to collect your personal information, including tracking technologies such as cookies. Please refer below and to our Terms of Use for more information regarding how we use cookies. 


You may choose to interact with us using a pseudonym and/or not identify yourself.  

In circumstances where we are required to do so, or are authorised by law, a court or tribunal to ask for your identification, we will request your personal information. 

Further, it is likely that it will be impractical for us to interact with you without some form of identification, and therefore we will request identification details from you at the beginning of each transaction.  

For example, we will not be able to open a commercial credit trading account or process a commercial credit application for you without obtaining identification details.  

If you do not consent to the collection or your personal information, in accordance with this privacy policy, we may not be able to assist you with the provision of certain services. 



We only collect and hold personal information by lawful and fair means.

In some circumstances, we may collect and hold personal information that has been collected from a third party or publicly available source. This will likely occur in instances where:

  1. you have provided personal information directly to us in the course of business dealings or through use of our mobile application;
  2. you have consented for this collection (which would usually be via our privacy policy and/or credit application form);
  3. you would reasonably expect us to collect your personal information in this way and it is necessary for us to collect this information for a specific purpose (such as investigation of a complaint); or
  4. the collection is authorised or required by law.

We will take steps to hold personal information in a manner which is secure and protected from unauthorised access.

Your information may be held in either a physical form or in electronic form on our IT system.

Where stored in electronic form on our IT system, we will take steps to protect the information against modification, disclosure or misuse by including such things as physical restrictions, password protections, internal and external firewalls, and anti-virus software.

We will also endeavour to ensure that our service providers have protection for electronic IT systems and other necessary restrictions.

We will endeavour to ensure our staff are trained with respect to the security of the personal information we hold, and we will restrict any access where necessary.

While we retain information for as long as necessary in relation to the purposes for which it is collected, we will endeavour to destroy and de-identify the personal information once it is no longer required, except as required for business record purposes.

In the event we hold personal information that is unsolicited, and we were not permitted to collect it, the personal information will be destroyed as soon as practicable.

If we collect personal information about you from someone else, we will advise you as soon as practicable that this information has been collected and the circumstances which surround the collection.



When you visit our website, or use our mobile application, we may collect information about the session between your computer or mobile device and our website and/or mobile application through the use of cookies.

Cookies are text files which are stored on your computer or mobile device (by your web browser) that record specific information, such as which pages you visit, the information you have searched for, or the device you are using to access our website or mobile application.

We use cookies for the purposes of managing and improving our website and mobile application, improving our business functions, and gathering demographic information about the persons who visit our website and use our mobile application, among other things.

You may elect to disable or turn off cookies in your web browser, however, this may impact upon the services we are able to offer you on our website and may impact upon your ability to access certain features of our website.

We also use Google Analytics (provided by Google LLC), which enables us:

  1. to perform statistical analyses of the demographics and interests of those who visit our website (e.g. number of visitors, information on gender, age, location, interests and the like) to learn about our visitors; and
  2. to improve the website friendliness and usability (e.g. on the basis of website traffic measurements).


Google Analytics collects demographics and interests data from the following sources:

  1. third-party DoubleClick cookie;
  2. Android Advertising ID; and
  3. IOS Identifier for Advertisers (IDFA).


The above information will be available to Google Analytics when the user is logged into Google services, which include, but are not necessarily limited to: 

  1. Google Chrome browser
  2. YouTube;
  3. Gmail;
  4. Chromebook laptop devices;
  5. Android mobile devices.


Our server will also automatically record your Internet Protocol address (IP address).

An IP address is a numerical designation assigned to each device connected to a computer network by your internet service provider. While IP addresses can be used to identify the general physical location of a computer, they are otherwise anonymous, and we will not use your IP address to identify you. 



Personal information of children

Our mobile application does not address any person under the age of 18. 
We do not knowingly collect personal information from persons under the age of 18 years. In the event we have collected personal information from a person under 18 without parental consent, we will take steps to ensure that the personal information is destroyed.  

Consent and usage

You consent to the use of your personal information to the extent set out above upon downloading our mobile application. Should you not wish for us to collect and store your personal information, you must immediately inform us that you do not consent.  

You may at any time after downloading our mobile application withdraw your consent for us collecting and using your personal information.  

When using our mobile application, we will provide you with a prompt as to whether you want to provide access to your microphone, camera and/or location services (or any other service that may collect personal information) and any data that may be collected from those mobile phone functions. 

Our mobile application may contain links to other sites that are not operated by us. If you click a third-party link, you will be directed to that third party’s site. We strongly recommend that upon being re-directed to a third party’s site, that you review the Privacy Policy of each site you may visit. 

We have no control over and assume no responsibility for the contact, privacy policies or practices of any third-party sites or services.  

We will take all reasonable steps to ensure that your personal information is kept secure. We cannot however guarantee its absolute security given that no method of electronic transmission or storage is 100% secure.  

Third Party service providers

We may from time to time utilise third party service providers (such as Google Analytics) in order to:

  1.  facilitate the use of our mobile application;
  2. provide our mobile application services on our behalf; or
  3. assist us in analysing how our mobile application is used (including tracking and reporting website traffic).


These third-party service providers will have access to your personal information only for the functions listed above. They are under an obligation not to disclose or use your personal information for any other purpose.  



If you apply for a position with us, we may also collect information about your experience, character, qualifications, and screening checks (including information concerning a candidate’s background, health (including vaccination status), references, financial probity, eligibility to work status, vocational suitability, and criminal record). Sensitive information will only be collected with your consent, unless the collection of the information is required or authorised by law. 



We will endeavour to only collect and hold personal information which is relevant to the operation of our company.     

Our purpose for collecting or holding personal information about you is so that it may be used directly for our functions or activities.    

We may use your personal information for the functions or activities of our company, which include, among other things:  

  1.  assessing credit applications;
  2.  reviewing existing credit terms;
  3.  assessing credit worthiness;
  4.  collecting overdue payments;
  5.  assessing credit guarantees (current and prospective);
  6.  internal management purposes;
  7.  complying with legal and regulatory requirements (or as otherwise required or authorised by law);
  8.  administering accounts;
  9.  facilitating product and service reviews;
  10.  business development purposes and direct marketing;
  11.  sales and billing;
  12.  training;
  13.  allowing you to participate in interactive features of our mobile application (if you choose to do so);
  14.  gathering analysis or valuable information in order to improve our mobile application;
  15.  monitoring the use of our mobile application (including addressing and preventing technical issues); and
  16.  providing customer support.


We may also collect personal information (including sensitive information) for both the primary purposes specified herein and purposes other than the primary purposes, including the purpose of direct marketing.

We may also collect personal information from other credit providers, Credit Reporting Body (CRB) and any other third parties for the purposes of our functions and activities including, but not limited to, credit, sales, marketing and administration.  



We will endeavour to only use and disclose personal information for the primary purposes noted above in relation to the functions or activities of our company.   

In addition, we may also use and disclose personal information (including sensitive information) for both the primary purposes specified herein and purposes other than the primary purposes, including the purpose of direct marketing.  

Unless one or more of the below scenarios has occurred, we will take necessary steps to prevent personal information from being given to government agencies or other organisations.    

  1.  You have provided your consent.
  2.  You would reasonably expect that your information would be so disclosed.
  3.  We have informed you that that your personal information will be provided to a third party.
  4.  We are required by law to provide your personal information (including sensitive information) to a government agency or other organisation.
  5.  The disclosure of the information will prevent a serious threat to somebody’s life or health.
  6.  The disclosure of the information reasonably necessary for the enforcement of criminal law.

Further, we will endeavour to only disclose personal information for the purpose in which it was collected, unless disclosure is reasonably necessary to:

  1.   assist in locating a missing person;
  2.   lessen or prevent a serious threat to life, health or safety;
  3.   take appropriate action with suspected unlawful activity or serious misconduct;
  4.  facilitate or assist with diplomatic or consular functions or activities;
  5.  assist certain defence force activities outside Australia;
  6.  establish or exercise a defined legal or equitable claim; or
  7.  facilitate or assist confidential alternative dispute resolution activities.



We will take steps not to disclose personal information for direct marketing purposes unless consent has been provided.

In any event you will be provided with an opt out option with respect to direct marketing should you wish to be excluded from direct marketing.

If you do not elect to ‘opt out’ to receiving direct marketing material from us, you consent to us using personal information (other than sensitive information) provided to us for direct marketing purposes.

We may however use sensitive information for direct marketing purposes if you provide your consent to do so.

You may at any point in time, request to no longer receive direct marketing material from us by opting out.

We will record this information on our opt out register.


Direct Marketing and Third Parties

We may also from time to time, if we have received your consent, provide your personal information to a third party for the purposes of direct marketing.

You may at any time request the source of the personal information that has been disclosed.



We will endeavour not to use or disclose a government related identifier unless:

  1. the use or disclosure of the identifier is reasonably necessary for us to verify your identity for the purposes of our activities or functions; or
  2. the use or disclosure of the identifier is reasonably necessary for us to fulfil our obligations to an agency or a State or Territory authority; or
  3. the use or disclosure of the identifier is required or authorised by or under an Australian law or a court/tribunal order; or
  4. a permitted general situation (as that term is defined in the Act) exists in relation to the use or disclosure of the identifier; or
  5. we reasonably believe that the use or disclosure of the identifier is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.


Disclosure to CRB’s

We may disclose personal information to a CRB in accordance with the permitted disclosures as defined under the Act.

We may disclose your Credit Information to the following CRB’s listed below.

Level 15,
100 Arthur Street
NSW 2060
Tel: 1300 921 621

Level 2,
165 Grenfell St
Tel: 1800 882 820

Level 2,
143 Coronation Drive
Tel: 07 3360 0600

Creditor Watch
Level 13,
109 Pitt Street
Tel: 1300 501 312

Level 6,
549 St Kilda Road
Tel: 03 9699 0100


A copy of the credit reporting policy for the CRB’s listed above will be available on their website or will be provided in hard copy upon request.



You are entitled to access your personal information held in our possession. 

We will endeavour to respond to your request for personal information within a reasonable time period or as soon as practicable in a manner as requested by you. We will normally respond within 30 days.  

You can make a request for access by sending an email or letter addressed to our Privacy Officer, details specified below.  

The Privacy Officer  
Australian Vintage Limited 
275 Sir Donald Bradman Drive COWANDILLA  SA  5033 
Phone:  08 8172 8301 
Fax:  08 8172 8399 
Email:  privacy@australianvintage.com.au


With any request that is made we will need to authenticate your identity to ensure the correct person is requesting the information.   

We will not charge you for making the request, however if reasonable we may charge you with the costs associated with your request.   

You will only be granted access to your personal information where we are permitted or required by law to grant access. We are unable to provide you with access that is unlawful.  

Further we are not required to and will not, give access to personal information to the extent that:

  1. we reasonably believe that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety; or
  2. giving access would have an unreasonable impact on the privacy of other individuals; or
  3. the request for access is frivolous or vexatious; or
  4. The information relates to existing or anticipated legal proceedings and the information would not be accessible in normal discovery procedures; or
  5. giving access would reveal the intentions of us in relation to negotiations and this disclosure would prejudice those negotiations; or
  6. denying access is required or authorised by or under an Australian law or a court/tribunal order; or
  7. we have reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to our functions or activities has been, or may be engaged in;
  8. giving access would be likely to prejudice the taking of appropriate action in relation to the matter; or
  9. giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
  10. giving access would reveal evaluative information generated within us in connection with a commercially sensitive decision-making process.
  11. If we refuse access to the information, written notice will be provided to you setting out:
  12. the reasons for the refusal (except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so); and
  13. the mechanisms available to complain about the refusal; and
  14. any other matter prescribed by the regulations.



Should we hold personal information and it is inaccurate, out of date, incomplete, irrelevant or misleading, or incorrect you have the right to make us aware of this fact and request that it be corrected.  

If you would like to make a request to correct your information, please contact our Privacy Officer on the details above.   

In assessing your request, we need to be satisfied that the information is inaccurate, out of date, incomplete, irrelevant or misleading.  We will then take all reasonable steps to ensure that it is accurate, up to date, complete and not misleading.  

It is our normal policy to resolve any correction requests within 30 days. If we require further time, we will notify you in writing and seek your consent.  

Should we refuse to correct your personal information, written notice will be provided to you setting out:  

  1. the reasons for the refusal (except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so); and
  2. the mechanisms available to complain about the refusal; and
  3. any other matter prescribed by the regulations.


We will endeavour to notify any relevant third parties of the correct personal information where necessary and required.   



In the event that you wish to make a complaint about a failure of us to comply with our obligations in relation to the Act or the APP’s please raise this with our Privacy Officer on the contact details above.   

We will provide you with a receipt of acknowledgment as soon as practicable. 

We will then endeavour to respond to your complaint and attempt to resolve the issues within 30 days.  

In dealing with your complaint, we may need to consult another credit provider or third party. 

If we fail to deal with your complaint in a manner that you feel is appropriate, you may choose to report your complaint to an external dispute resolution scheme (EDR Scheme).  

We note that we are currently not a member of any EDR Scheme, and we are exempt from any requirement to be a member of any EDR Scheme. 

If you are not satisfied with the process of making a complaint to our Privacy Officer, you may make a complaint to the Information Commissioner, details of which are below.  

Office of the Australian Information Commissioner
GPO Box 5218 Sydney NSW 2001
Email: enquiries@oaic.gov.au
Telephone: 1300 363 992
Facsimile: 02 9284 9666


The Information Commissioner can decline to investigate a complaint on a number of grounds including: 

  1. where the complaint wasn’t made at first to us;
  2. if the Information Commissioner considers the complaint has already been dealt with by a recognised EDR scheme; or
  3. if the complaint would be more effectively or appropriately dealt with by a recognised EDR scheme of which we are a member.



We may choose to, if permitted by law, share and/or disclose your personal information with recipients outside of Australia.   

We are required to notify you with a list of any countries which personal information may be transmitted to or disclosed, where it is practical for us to do so.   

At this point in time, we may share and/or disclose personal information to overseas entities in countries including the UK, the USA and Japan. 

If you have any queries regarding our credit reporting policy or wish to find out more regarding any of privacy policies, please contact our Privacy Officer on the details listed above. 



We are bound by the GDPR when dealing with the personal information of EU residents. 

For EU residents, set out below is a list of additional rights in relation to the handling of your personal information by us. 

These rights are subject to restrictions under the GDPR, including exemptions. These rights may only apply to certain types of information and processing.  

We note that we may not be able to fulfil a request made by you regarding your personal information due to our legal requirements or where the request would compromise the privacy of others. 

For the avoidance of doubt, in the event of an inconsistency between this section of the privacy policy and the remainder of the policy, the former will prevail to the extent of the inconsistency in relation to EU residents. 

  1. Consent: We are required to obtain your consent for some of the ways we use your personal information. You may withdraw your consent at any time.
  2. Access: You may request confirmation from us regarding whether your personal information is being processed and, if so, for what purpose.
  3. Erasure: You may request that all records of your personal information be deleted.
  4. Object to processing: You may object to the processing of your personal information.
  5. Restriction to processing: ou may request a restriction to the processing of your personal information.
  6. Automated processing: ou may request that we be restricted from making decisions about you based solely on automated processing.
  7. Data portability: ou may request that your personal information be transferred to you in a structured, commonly used and machine-readable format. You are entitled to transmit the personal information to another entity, or request that we do this for you.
  8. Data breach notification:  a data breach occurs, we will, where feasible, notify the supervisory authority within 72 hours after becoming aware of the breach, unless it is unlikely to result in a risk to the rights and freedoms of individuals. We will also notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms.
  9. Overseas transfer: our personal information may be transferred to countries or international organisations outside the EU, provided that:

(a) the EU Commission has decided that the country or organisation ensures an adequate level of data protection; or

(b) appropriate safeguards have been implemented and enforceable rights and remedies are available for individuals.


Any requests to us in accordance with the GDPR can be made by contacting the Privacy Officer on the details above. 



We will update this privacy policy from time to time. We therefore recommend that you read it each time you visit our website. If you do not agree with the privacy policy at any time, please do not continue to use or website. If you do continue to use our website, you are deemed to have accepted the terms of the privacy policy as they appear at the time of use.