Get started

Privacy Policy

Cirralto Limited

(ACN 099 084 143) 

(“Cirralto”)

  1. General

    1. This Privacy Policy (Policy) should be read in conjunction with Cirralto’s User Terms and Conditions (Terms and Conditions).

    2. Unless otherwise specified, capitalised terms used in this Policy have the same meaning as in the Terms and Conditions.

    3. In this Policy:

      1. Claim means any claim in law or equity, or under statute, for a remedy of any nature whatsoever, whether contingent, prospective, actual or otherwise and including any and all claims, actions, sums of money, arbitrations, suits, counterclaims, demands, causes of action, debts due, verdicts, judgments, Losses, User Account reckonings, proceedings and charges;

      2. Law means any law or legal requirement, including at common law, in equity, under any statute, regulation or by-law and any decision, directive, guidance, order, decree, guideline or requirements of any authority;

      3. Loss means any damage, loss, expense and cost whatsoever including any cost or expense regarding any Claim and any legal costs and expenses of any nature; and

      4. User, you or your means any person who accesses and uses Cirralto’s Platform.

    4. This Policy forms part of and is incorporated into the Terms and Conditions.

    5. This Policy has been prepared in accordance with: 

  1. applicable Australian privacy and data protection laws, including the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles contained therein; and


  1. the General Data Protection Regulation (EU) 2016/679 (GDPR),

as applicable.

  1. This Policy applies to Cirralto’s collection and disclosure of your Personal Information (as defined in clause 2.2) when you use the Platform or register a User Account.

  2. This Policy is intended to describe what information Cirralto collects and/or processes; how Cirralto uses it; and under what circumstances, if any, Cirralto discloses any Personal Information. Please read this Policy before using the Platform or before submitting any Personal Information to Cirralto. By using the Platform or otherwise providing or submitting any Personal Information to Cirralto, you are agreeing to, accepting the practices described, in this Policy.

  3. Cirralto may in its absolute discretion elect to amend or replace this Policy by uploading a revised Policy on the Platform from time to time. A copy of the most up to date version of this Policy will be made available to view on the Platform. Any changes made to this Policy will apply immediately from the date Cirralto uploads the revised Policy onto the Platform. In addition, Cirralto may, but is not obliged to, notify you by email of any updates to this Policy.  Cirralto strongly encourages you to refer to this Policy on an ongoing basis to understand your rights under this Policy. Unless otherwise stated, the most current version of the Policy will apply to all information Cirralto has about you. If you do not agree with the practices outlined in this Policy, you must immediately stop accessing  or using the Platform and take steps to cancel your User Account. 

  1. Types of Information Collected

    1. When you register for a User Account or use the Platform, Cirralto may collect Personal Information, Sensitive Information and Statistical Information which relate to you. Those terms are defined in clauses 2.2, 2.3 and 2.4 below, respectively.

    2. Personal Information includes information which identifies a natural person, or by which the person’s identity may be reasonably determined. It may include a person’s full name, mailing or residential address, date of birth, bank account details, signature, credit card details, phone number and email address, credit information, employee record information, tax file number information as well as “personal data” (for the purposes of the GDPR) or Sensitive Information. For the purpose of this Policy, the term Personal Information also includes:

      1. information we collect through your interactions with Cirralto or other interactions with Content and/or User Generated Content on the Platform; and 

      2. personal information obtained from a third party which, under and in accordance with the Privacy Act, may lawfully be exchanged.

    3. Sensitive Information includes information (or an opinion) about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices or criminal record, as well as information about an individual’s health, genetic information or biometric information.

    4. Statistical Information includes the internet protocol (IP) address of your device used to connect to the Platform created by Cirralto, time zone setting, language preferences, location data, information about your browser, phone, hardware and software (including your hardware model, operating system version, device memory, advertising or unique application or device identifiers and (potentially) information about your applications installed, battery level,) as well as other information which does not identify you personally, but which tracks your usage of the Platform.

    5. Cirralto also collects information automatically (through the use of cookies) on the Platform, as discussed in this Policy further below.

  2. Personal Information about third parties

    1. If at any time you supply Cirralto with Personal Information or Sensitive Information about another person, you must ensure that you have written consent from that person to do so, and you must agree to inform that person about Cirralto, this Policy and the fact that Cirralto may use and disclose their Personal Information in accordance with and for the purposes outlined in this Policy.

  3. How Cirralto collects Personal Information

    1. Cirralto will not ordinarily collect any Personal Information about you except where you provide it to Cirralto (either directly, or through posting or interacting with Content and/or User Generated Content on the Platform), or where it is provided to Cirralto with your authority.

    2. Cirralto collects Personal Information when you:

  1. take steps to register a User Account, enquire about or sign up for and use the Platform;

  2. interact with Content and/or User Generated Content on the Platform; 

  3. provide Cirralto with feedback, make an enquiry or request of Cirralto or make a complaint; and/or

  4. do business with Cirralto or other Users via the Platform.

  1. In the event Cirralto receives unsolicited Personal Information about you (ie. where Cirralto has taken no active steps to collect the Personal Information), it will only be collected where:

    1. such collection is reasonably necessary for one or more of Cirralto’s functions or activities or that of the Platform; and

    2. Cirralto either:

      1. obtains your consent; or

      2. is authorised or required to do so by Law.

  2. Where clause 4.3 does not apply, Cirralto will (as soon as practicable) destroy or de-identify any unsolicited Personal Information that Cirralto receives.

  3. In addition, Cirralto may come into contact with or process your Personal Information in the course of providing the Services to other Users with whom you transact or do business with via the Platform. Whilst this Policy governs how Cirralto will process Personal Information Cirralto may receive from Users, Cirralto makes no representations or warranties regarding how Personal Information is collected or used by other Users. Cirralto encourages you to familiarise yourself with the privacy policy of those Users’ websites you visit or the privacy policies of other Users with whom you transact or do business with via the Platform for an understanding of your rights.

  4. Where clause 4.3 applies, Cirralto will treat the Personal Information in accordance with the Privacy Act and this Policy.

  1. How Cirralto uses Personal Information

    1. Cirralto may use Personal Information for the purposes set out in clauses 5.2 to 5.4. Cirralto will make every reasonable effort to advise you of the specific purposes for which Cirralto is required to collect your Personal Information before that Personal Information is to be collected.

    2. To provide, develop and improve the Services

You authorise Cirralto to use your Personal Information to:

  1. contact you in relation to your use of the Platform or your interaction with Cirralto, including (without limitation) to notify you of any modifications to Cirralto’s Terms and Conditions or this Policy;

  2. provide the Services, including (without limitation) to facilitate payments for transactions effected between Users via the Platform and to create corresponding records of these transactions between Users;

  3. notify you about promotions or other communications related to other Users whose User Generated Content you have consented to receive;

  4. make improvements to the Platform. For example, Cirralto may track any troubleshooting issues and compatibility issues with various operating platforms and devices to ensure Users have proper and stable access to the Platform, and to implement updates where necessary; and

  5. measure the performance of Cirralto’s Services and to understand how the Services are used. For example, Cirralto may analyse Users’ interactions with the Platform so Cirralto can optimise the experience of its Users.

  1. To ensure compliance 

Additionally, the purposes for which Cirralto will generally collect and use your Personal Information (to which you authorise Cirralto to do so) will include:

  1. to comply with all Laws (including but not limited to, where considered necessary by Cirralto, verifying your identity to prevent fraud or other unauthorised or illegal activity);

  2. to co-operate with authorities in relation to any investigation into any User of the Platform;

  3. to perform Cirralto’s administrative operations, including accounting, risk management, payment processing, record keeping, archiving, and development and testing; and

  4. to manage Cirralto’s rights and obligations under the Terms or Conditions or this Policy.

  1. Marketing and other Communications

Cirralto may send you email marketing and SMS notification and other communications to (variably):

  1. provide you with information about the Platform, products or Services;

  2. invite you to participate in promotions or ask you for feedback; 

  3. provide you with User Generated Content that you have consented to receive from other Users; and/or

  4. communicate with you for other marketing purposes. 

Cirralto will always provide you with the option to unsubscribe from Cirralto’s marketing communications. If you do not want to receive marketing communications from Cirralto, please contact Cirralto through the Platform or by email.

  1. Disclosure of Personal Information

    1. By accessing the Platform, you consent to the disclosure of your Personal Information in accordance with this Policy. You acknowledge that in using the Platform you are consenting to the disclosure of Personal Information, which you provide in the course of using and interacting with the Platform, to other Users with whom you transact or do business from time to time via the Platform.

    2. Cirralto takes the protection of your Personal Information very seriously. Cirralto will only disclose your Personal Information to its employees, officers, insurers, professional advisers, agents or contractors (including potentially where these parties are based overseas) insofar as such disclosure is necessary to enable Cirralto to perform its obligations and to act in accordance with this Policy. Such Personal Information will not be disclosed or used other than as specified in this Policy without your express consent, which will be stored in Cirralto’s records.

    3. Cirralto will not use or disclose your Personal Information for any purpose other than as disclosed in this Policy unless:

      1. Cirralto has obtained your consent to its use or disclosure; or

      2. the purpose is related to the purposes disclosed in this Policy and an individual would reasonably expect Cirralto to use or disclose that Personal Information in that manner.

    4. Cirralto may also disclose your Personal Information to other third parties from time to time. Subject to what is permitted by Law, the types of third parties to whom Cirralto may disclose your Personal Information may include:

      1. Cirralto’s agents, contractors and external advisors (such as legal and financial advisors) whom Cirralto engages from time to time to carry out, or advise on, Cirralto’s functions and activities;

      2. business partners; and/or

      3. regulatory bodies, government agencies, law enforcement agencies and courts.

    5. Unless otherwise specified in this Policy or as required by Law, you authorise Cirralto to disclose your Personal Information and Statistical Information to third parties:

      1. where Cirralto assigns, transfers, sells or otherwise licenses its rights under the Terms and Conditions to a third party. Where this occurs, Cirralto will notify you using the Personal Information linked to your User Account;

      2. where Cirralto reasonably believes (acting in good faith) that such disclosure is necessary in order to investigate, prevent or take action regarding illegal activities (including without limitation actual or suspected fraud), situations involving potential threats to the physical safety of any person, violations of the Terms and Conditions or this Policy, or as otherwise required by Law;

      3. in a business transaction including (but not limited to) a merger with or acquisition by another company, or the sale of all or a substantial portion of Cirralto’s assets, of which your Personal Information and Statistical Information may be among the assets transferred. Where this occurs, Cirralto will (if possible) notify you using the Personal Information linked to your User Account; and

      4. where such disclosure is required by Law, or where Cirralto reasonably believes in good faith that such disclosure is necessary to protect Cirralto’s rights.

    6. You consent to Cirralto disclosing Statistical Information to third parties including, without limitation, to analytics companies and Cirralto’s business partners, to help Cirralto understand usage patterns, to assist in the Platform and product development and for advertising purposes (subject to what is permitted by Law).

    7. Cirralto may from time to time disclose your Personal Information to overseas entities who may not be bound by Australian Law. Where Cirralto discloses your Personal Information to overseas recipients, Cirralto will make every reasonable effort in the circumstances to ensure that the overseas recipients comply with this Policy and any applicable Australian Law concerning the protection of Personal Information, unless:

      1. Cirralto reasonably believes, or no less onerous than, that the overseas recipient is bound by privacy Laws that are substantially similar to the Privacy Act which can be enforced against the overseas recipient; or 

      2. you give Cirralto an informed consent to the disclosure of your Personal Information to an overseas recipient who may not be bound by Australian Law; or

      3. the disclosure to an overseas recipient is authorised or required by Australian Law (including the Privacy Act).

  2. How Cirralto Uses Cookies

    1. If you register a User Account or continue to access the Platform, you agree to Cirralto’s use of tracking technologies, referred to as cookies, to track and record your usage. Cookies are text files placed on your computer or Compatible Device to collect standard internet log information and visitor behaviour information.

    2. When you access or use the Platform, Cirralto will automatically use cookies to collect technical information including: 

  1. Statistical Information; and


  1. information about your interaction with the Platform, activity on third party websites which are linked to the Platform, and views and interactions with Content and/or User Generated Content.

  1. You may control the technical information Cirralto collects, including through your browser or device settings. In doing so, you:

    1. acknowledge some of the Services may not function properly if you choose to disable cookies; and

    2. release Cirralto and any of its related bodies corporate from any and all Claims, liability and Losses which may arise out of, result from, or relate in any way to your decision to disable cookies (including any limitation on your ability to use the Services). 

  1. GDPR

    1. Cirralto will comply with the principles of data protection (including as set out in the GDPR) for the purpose of fairness, transparency and lawful data collection and use.

    2. Cirralto will process Personal Information as a processor and/or, to the extent relevant, as a controller (as those terms are defined in the GDPR).

    3. Cirralto must have a legal basis to process Personal Information which it collects. Cirralto relies on several legal bases to process Personal Information in accordance with this Policy, including:

  1. where the person has consented to the processing of Personal Information by Cirralto (which consent may be withdrawn at any time);


  1. for Cirralto’s legitimate interests to operate, provide or improve the Platform or its products and Services;


  1. where necessary to provide access to, and use of, the Platform; and/or


  1. where Cirralto is authorised or required by Law to do so.

  1. Cirralto will only process any Personal Information that is considered Sensitive Information if the person expressly consents to it being provided to Cirralto.

  2. Where a person has (directly or indirectly) provided consent to Cirralto processing their Personal Information, the consent may be withdrawn at any time with future effect – i.e. the withdrawal of consent does not affect the lawfulness of processing based on the consent before its withdrawal. If consent is withdrawn, Cirralto will only continue processing the person’s Personal Information where Cirralto is permitted or obliged to do so by Law (including under the GDPR).

  1. Your Rights Under this Policy 

    1. This clause 9 sets out the rights you have in relation to how your Personal Information is obtained and used.

    2. Except as otherwise provided by Law, you have the following rights in connection with your Personal Information we have collected:

  1. the right to be informed how your Personal Information is being used;


  1. the right to access your Personal Information (and Cirralto will provide you with a free copy of it);


  1. the right to correct your Personal Information if it is inaccurate or incomplete;


  1. the right to delete your Personal Information (which is also known as “the right to be forgotten”);


  1. the right to restrict processing of your Personal Information;


  1. the right to retain and reuse your Personal Information for your own purposes;


  1. the right to object to your Personal Information being used; and


  1. the right to object against automated decision making and profiling.

  1. You are encouraged to contact Cirralto at any time if you wish to exercise your rights in relation to this Policy. Cirralto reserves the right to request you verify your identity before Cirralto acts on any request made by you.

  1. Storage of Personal Information

    1. Cirralto implements a variety of security measures to maintain the safety of your Personal Information. Your Personal Information is held on our company servers located in Australia (as determined by Cirralto from time to time) in a controlled, secure environment where it is protected from unauthorised access, use or disclosure.

    2. Cirralto ‘s servers may at times in future be located overseas in countries which are not bound by the Privacy Act, including, without limitation, the United States of America, and you hereby expressly consent to the disclosure of your Personal Information to overseas recipients. In doing so, you agree that Cirralto is not obliged to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to that information. 

  2. Security of Personal Information

    1. Cirralto will use all reasonable efforts to keep secure your Personal Information, Statistical Information and all other information that you transmit to Cirralto through your use of the Platform, your interaction with Cirralto or otherwise. Cirralto will take all reasonable care to protect and prevent unauthorised access to, or modification and disclosure of, your Personal Information.

    2. Notwithstanding clause 11.1 above, you acknowledge the internet is inherently insecure and no data transmission online can be guaranteed as fully secure. Accordingly, Cirralto cannot guarantee or warrant the security of any information (including Personal Information) you provide through your use of the Platform. You understand that any Personal Information you send online or otherwise provide to us is done so at your own risk.

    3. If Cirralto becomes aware of a breach of security in relation to your Personal Information, Cirralto will immediately use all reasonable endeavours to take action to remedy the security breach, in order to limit the risk caused by unauthorised access to, or unauthorised disclosure of, your Personal Information before any serious harm is suffered as a result of the breach.

    4. If Cirralto becomes aware of a breach of security, and a third party has, without authorisation:

      1. accessed your Personal Information; or

      2. disclosed your Personal Information to another third party,

(Data Breach),

and a reasonable person would conclude that such unauthorised access or disclosure is likely to result in serious harm to you, then Cirralto will (as required by Law) notify you and the Office of the Australian Information Commissioner (OAIC) with details of the Data Breach, including details of how Cirralto believes the Data Breach has occurred and to what Personal Information such Data Breach relates, and the steps that you can take in response to the Data Breach.

  1. If Cirralto becomes aware of a Data Breach in which your Personal Information is lost, and Cirralto has reasonable grounds to believe that:

    1. unauthorised access to, or unauthorised disclosure of, your Personal Information is likely to occur; and

    2. if unauthorised access to, or unauthorised disclosure of, your Personal Information occurs, a reasonable person would conclude that such unauthorised access or disclosure is likely to result in serious harm to you,

then Cirralto will notify you and the OAIC with the details of the Data Breach, including details of how Cirralto believes the Data Breach has occurred and to what Personal Information such Data Breach relates, and the steps that you can take in response to the Data Breach.

  1. You acknowledge and understand that if you access the Platform from outside Australia, other entities including, potentially, foreign governments, may collect, use and disclose your Personal Information in ways which differ from this Policy and the Laws of Australia, and that Cirralto will in such circumstances have no control over such collection, use and disclosure of your Personal Information (and is not liable in relation to such collection).

  1. How long your Personal Information is stored

    1. You consent to Cirralto retaining your Personal Information for as long as necessary to fulfil the purposes for which Cirralto has collected it, including in order to satisfy any Law.

    2. To determine the appropriate retention period for Personal Information, Cirralto will consider the amount, nature and sensitivity of the Personal Information collected from you, the potential risk of unauthorised use or disclosure of your Personal Information, the purposes for which Cirralto processes the Personal Information and whether Cirralto can achieve those purposes through other means. Cirralto will also at all times have regard to the applicable legal requirements under the GDPR and/or the Privacy Act (as applicable).

  2. Third parties

    1. Where Cirralto provides your Personal Information to third parties in accordance with this Policy, you acknowledge and agree that:

      1. the use of your Personal Information by third parties is not in Cirralto’s reasonable control;

      2. third party websites may place their own cookies or other files on your computer or telephone, solicit Personal Information from you and may or may not use your Personal Information in accordance with their own privacy policies which may differ from this Policy; and

      3. it is your responsibility to familiarise yourself with the privacy policy of any third party website you visit, which collects Personal Information about you and to use your discretion when providing such Personal Information.

    2. If Cirralto discloses Personal Information to a third party, Cirralto will always act to protect it in accordance with this Policy. However, you agree that Cirralto will not be liable for any Loss or liability which may be incurred as a result of, or in connection with, or in relation to any use of your Personal Information by a third party to whom Cirralto validly disclosed the Personal Information (and you agree to make no claim against Cirralto in that regard).

  3. How to Contact Cirralto

    1. If you believe that the privacy of your Personal Information has been compromised or that your Personal Information has not been used in accordance with this Policy, you should contact Cirralto as soon as possible using the means on the Platform or at:

Email: privacy@spenda.co  

Telephone: 1300 682 521; or

Mail: Attention: Privacy Compliance Officer [Justyn Stedwell]
Cirralto Limited, Suite 103
Level 1, 2 Queen Street
Melbourne, VIC, 3000

  1. Your complaint will be taken seriously and addressed in accordance with clause 16 of the Terms and Conditions in relation to Dispute Resolution.

  1. How to Contact the Office of the Australian Information Commissioner

If you do not receive a satisfactory response from Cirralto, or you believe that Cirralto has not handled your complaint satisfactorily, you may wish to refer your complaint to the Office of the Australian Information Commissioner at:

Address: GPO Box 5218, Sydney NSW 2001

Email: enquiries@oaic.gov.au

Phone: 1300 363 992


Apply for payments

Please fill out the form and one of our team members will be in touch to discuss your requirements.