1. Who This Policy Applies To
This Privacy Policy applies to:
- Visitors to our Website: Individuals who browse our website to learn about InvestStream and our Services.
- Representatives of Financial Institutions: Individuals representing current or prospective client financial institutions who interact with us regarding our Services (e.g., during sales inquiries, product demonstrations, technical support).
- Authorised Users of our Software: Individuals who are authorised by our client financial institutions to access and use our Services.
2. Information We Collect
The types of personal information we collect depend on your interaction with InvestStream and the Services provided.
A. Information Collected from Website Visitors:
Contact Information
(e.g. Name, email address, phone number, company name, and job title
The “Contact Us” form on the website collects this information. InvestStream uses it to respond to enquiries and provide the requested information
Usage Data
(e.g. IP address, browser type, operating system, referring URLs, pages viewed, time spent, access dates)
To analyse website performance and improve user experience
B. Information Collected from Representatives of Financial Institutions:
Business Contact Information
(e.g. Name, job title, company name, business email address, business phone number, and business address)
To manage commercial relationships and provide services
Communication Records
(e.g. Emails, meeting notes, call recordings where permitted)
To maintain records of communications
Account Information
(e.g. Contract details, billing information, service preferences)
To administer and manage client accounts
C. Information Collected from Authorised Users of our Software:
InvestStream primarily processes this information on behalf of our client financial institutions or enterprise clients:
User Credentials
(e.g. Usernames, passwords, authentication details)
To provide secure system access.
Account & Portfolio Data
(e.g. Client identifiers, transaction data, portfolio details, balances, performance data)
To enable platform functionality and reporting.
Communication Data
(e.g. Records of communications processed through our systems)
To facilitate client-user interactions
Technical Data
(e.g. IP addresses, device identifiers, operating system versions, and software usage statistics)
To maintain security and system integrity
D. Information Collected in Connection with SUGAI™ and SuperAnne™ :
Where InvestStream provides SUGAI™ or SuperAnne™ to a superannuation fund or a relevant financial institution, we may process certain personal and financial information relating to authorised users, either:
(a) provided to us by the relevant fund; or
(b) provided directly by the user during the conversational experience, where the fund does not hold that information.
The types of information processed may include:
To personalise the experience and facilitate user interaction
To support cash flow projections
To support cash flow projections
Superannuation Account Balance
To generate retirement projections and scenario modelling
Current investment strategy (growth, balanced etc)
To model projected retirement outcomes
Other financial calculator inputs (e.g. contributions cap balance)
To support modelling and projections
Information about the fund
Information may be uploaded by the fund to support conversations with members
As we enhance our modelling tools, we may request additional information where reasonably necessary to provide functionality. If certain information is not provided, some features of our Services, including modelling tools, may not operate as intended.We seek to limit the collection of personal information to what is reasonably necessary for the relevant modelling and service functionality and may process certain data in de-identified or pseudonymised form.
3. How We Use Your Information
We collect, use and disclose personal information only where it is reasonably necessary for our functions and activities, or as otherwise permitted or required by law.
We use personal information for the purposes described in Section 2 and for the following additional purposes where reasonably necessary to operate and improve our Services:
A. Service Delivery and Operations:
- To provide, maintain, improve, and support our software solutions in accordance with client agreements.
- To perform system administration, maintenance, upgrades and troubleshooting
- To provide technical and customer support
B. Security and Integrity:
- To monitor system activity, detect unauthorised access, prevent fraud, and protect the integrity of our systems
- To investigate and respond to security incidents
C. Legal and Regulatory Compliance
- To comply with applicable laws, regulatory requirements, contractual obligations, and lawful requests from authorities
- To make information available to our clients to fulfill their obligations under their financial services licence and other regulatory obligations
D. Aggregated and De-identified Data
- To generate aggregated or anonymised data for analytics, product improvement, service benchmarking, and research purposes, without identifying individuals
Where we process personal information on behalf of our clients, we do so in accordance with our contractual obligations and the lawful instructions of the relevant client.
4. How We Share Your Information
InvestStream does not sell, rent or lease personal information. We only use or disclose personal information for the primary purpose for which it was collected, for related purposes reasonably expected by you, with your consent, or where required or authorised by law. We may share information in the following circumstances:
- With Service Providers: We may engage trusted third-party service providers to perform functions on our behalf, such as hosting, data analytics, customer support, and IT infrastructure. These service providers are contractually obligated to protect your information and use it only for the purposes for which it was disclosed. Access to personal information by third-party service providers, including where services are performed outside Australia, is subject to contractual confidentiality obligations, appropriate security controls, and oversight measures.
- With Our Client Financial Institutions: For authorised users of our software, information processed within our systems is accessible by the respective client financial institution that has engaged InvestStream for the Services, in accordance with their own privacy policies and agreements with their end-users.
- For Legal Reasons: We may disclose your information if required to do so by law, court order, or governmental regulation, or if we believe such action is necessary to (a) comply with a legal obligation, (b) protect and defend the rights or property of InvestStream, (c) act in urgent circumstances to protect the personal safety of users of the Services or the public, or (d) protect against legal liability.
- In Connection with Business Transfers: In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.
- With Your Consent: We may share your information with third parties when we have your explicit consent to do so.
InvestStream implements robust technical, administrative, and physical security measures to protect personal information from unauthorised access, use, disclosure, alteration, or destruction. We treat personal information as highly sensitive and apply enhanced protection controls, including strict access restrictions and encryption safeguards.
6. Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies (e.g., web beacons, pixels) to enhance your browser experience, analyse website traffic, and personalise content.
- Cookies: Small data files stored on your device that help us remember your preferences and understand how you interact with our website.
- Types of Cookies We May Use:
- Strictly Necessary Cookies: Essential for the website to function correctly (e.g., navigating pages, accessing secure areas).
- Analytical Cookies: Help us understand how visitors use our website, which pages are most popular, and identify any errors.
We retain personal information only for as long as it is reasonably necessary for the purposes for which it was collected, or as required by law or contractual obligation.
Retention periods may vary depending on the type of data, the nature of our contractual arrangements, regulatory obligations, and legitimate business requirements, including audit, security monitoring, and dispute resolution purposes.
- For Representatives of Financial Institutions: We retain your information for as long as you maintain an active relationship with us or as necessary to provide you with services and fulfil our legitimate business purposes.
- For Authorised Users of our Software: We retain personal information processed on behalf of our client financial institutions according to the terms of our agreements with them and in compliance with applicable laws and regulations. Our clients are responsible for determining the retention periods for their end-users' data. Upon termination of a client agreement, client data is deleted or returned in accordance with our contractual commitments and documented internal retention procedures.
Upon expiration of the applicable retention period, we will securely dispose of or anonymise your personal information. In certain circumstances, including where subject to legal hold, litigation, or regulatory investigation, we may be required to retain information beyond standard retention periods.
8. ACCESS, CORRECTION AND OTHER RIGHTS
Depending on your jurisdiction, you may have certain rights regarding your personal information, including:
- Right to Access: The right to request a copy of the personal information we hold about you.
- Right to Rectification: The right to request that we correct any inaccurate or incomplete personal information.
- Right to Erasure (Right to be Forgotten): The right to request the deletion of your personal information, under certain circumstances.
- Right to Restriction of Processing: The right to request that we restrict the processing of your personal information, under certain circumstances.
- Right to Data Portability: The right to receive your personal information in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where technically feasible.
- Right to Object: The right to object to the processing of your personal information, under certain circumstances (e.g., for direct marketing purposes).
- Right to Withdraw Consent: Where we rely on your consent to process your personal information, you have the right to withdraw that consent at any time.
To exercise any of these rights, please contact us using the contact details provided in Section 12. We will respond to your request in accordance with applicable laws.
For individuals in Australia, we will respond to access and correction requests within a reasonable period, may require verification of identity, and may refuse requests in circumstances permitted by law, in which case we will provide written reasons where required.
Please Note for Authorised Users of our Software: If you are an authorised user of our software and wish to exercise your rights regarding data processed by InvestStream on behalf of your financial institution, please direct your request to your financial institution. As the data controller, they are primarily responsible for responding to such requests, and we will cooperate with them as required by our contractual agreements and applicable law.
9. International Data Transfers
InvestStream operates globally and may store and process your personal information in various locations outside Australia. Based on the location of our current service providers and infrastructure, personal information may be transferred to or accessed from countries where our third-party service providers operate from time to time. We will update this policy if the countries to which we disclose personal information materially change.
We take appropriate steps to ensure that personal information transferred overseas remains protected in accordance with this Privacy Policy and the applicable privacy laws, including by implementing contractual, technical, and organisational safeguards with overseas recipients. These safeguards may include:
- Transferring data to countries recognised as providing an adequate level of data protection;
- Implementing Standard Contractual Clauses or equivalent contractual protections; and
- Obtaining your explicit consent where required.
Our website may contain links to third-party websites that are not operated by us. This Privacy Policy does not apply to such third-party websites. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policies of any third-party websites you visit.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated Privacy Policy on our website with a revised "Last Updated" date. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of our website or Services after any modifications to this Privacy Policy will constitute your acknowledgment of the modifications and your consent to abide and be bound by the updated Privacy Policy.
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at
enquiries@investstream.ioIf you have a concern or complaint about how we have handled your personal information, we encourage you to contact us in the first instance using the contact details in Section 12. Please include your full name, contact details, a clear description of your concern, and any relevant dates or reference numbers.
We will acknowledge your complaint promptly and aim to respond in writing within 30 days. We will investigate your complaint and advise you of the outcome and any steps we intend to take to address it. If we are unable to resolve your complaint within that timeframe, we will keep you informed of our progress.
If you are not satisfied with our response, you may escalate your complaint to the relevant privacy or data protection authority in your jurisdiction. For individuals located in Australia, this is the Office of the Australian Information Commissioner (OAIC):
Phone: 1300 363 992
Website:
www.oaic.gov.auPost: GPO Box 5218, Sydney NSW 2001
Last Updated: 17 April 2026
