CDR Policy

Consumer Data Right Policy · Last updated: 1 April 2026

Version 2026.04.01

This policy explains how MyPelican handles your Consumer Data Right (CDR) data under Australia's open banking framework, administered by the ACCC.

1. Who We Are

MyPelican is operated by Apoorv Kumar trading as MyPelican (ABN 65 983 953 179). We access your banking data as an Accredited Data Recipient (ADR) under the Consumer Data Right framework via our CDR data provider, Basiq Pty Ltd.

2. What CDR Data We Collect

With your explicit consent, we collect the following CDR data:

  • Account data: account names, types, balances, and available funds.
  • Transaction data: transaction amounts, dates, descriptions, categories, and merchant information.
  • Account details: account numbers, BSB, interest rates, and account features.

We only collect the minimum data necessary to provide our service (data minimisation principle).

3. How We Use CDR Data

We use your CDR data solely to:

  • Display your account balances and transaction history within the MyPelican app.
  • Generate personalised AI financial insights and savings recommendations.
  • Calculate your Savings Score and net worth timeline.
  • Detect bill increases and unusual spending patterns.

We do NOT use your CDR data for advertising, profiling for third parties, or any purpose other than providing the MyPelican service.

4. Your Consent Rights

Under CDR rules, you have the following rights regarding your consent:

  • Give consent: You control which data you share and for how long.
  • Withdraw consent: You can disconnect your bank at any time from Settings → Disconnect bank. This immediately revokes our access and deletes your data.
  • Amend consent: You can update what data you share by disconnecting and reconnecting with new consent settings.
  • View consent: You can see your active consents within the MyPelican app and through your bank's CDR dashboard.

5. Data Retention & Deletion

We retain your CDR data in accordance with CDR rules:

  • While your consent is active, we retain your data to provide the service.
  • When you withdraw consent or disconnect your bank, we delete all CDR data within 24 hours.
  • When you delete your account, all data including CDR data is deleted within 30 days.
  • We do not retain CDR data beyond what is required by law.

6. Data Security

We protect your CDR data using:

  • 256-bit AES encryption at rest.
  • TLS 1.3 encryption in transit.
  • Row-level security — only you can access your own data.
  • Australian-hosted infrastructure (Supabase AU region).
  • Regular security reviews and access controls.

7. Sharing Your CDR Data

We do not sell or share your CDR data with third parties for commercial purposes. We share data only as follows:

  • Basiq Pty Ltd: our CDR data provider who retrieves your banking data from your bank on our behalf.
  • Supabase: our database infrastructure provider, bound by strict data processing agreements.
  • Anthropic: we send anonymised spending summaries (not raw transactions) to generate AI insights. No personally identifiable information is sent.

8. Complaints & Disputes

If you have a complaint about how we handle your CDR data:

  • Contact us first at admin@mypelican.com.au. We will respond within 3-4 business days.
  • If unsatisfied, you may contact the Australian Competition and Consumer Commission (ACCC) at accc.gov.au.
  • You may also contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

9. Contact Us

  • Email: admin@mypelican.com.au
  • Trading as: MyPelican
  • ABN: 65 983 953 179
  • Location: Perth, Western Australia, Australia

For more information about the Consumer Data Right, visit the ACCC at cdr.gov.au or the OAIC at oaic.gov.au.