1. Introduction

Sun Card Pty Ltd (ABN 33 079 249 595), trading as Flagship AML (referred to as we, us or our), is committed to handling personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Privacy Policy explains how we collect, use, disclose, store and otherwise handle personal information in connection with the Flagship AML platform and our AML/CTF compliance services.

2. Scope

This Privacy Policy applies to personal information collected through the Flagship AML platform, our website and related services. It is intended to provide transparency regarding our data handling practices. This Policy does not limit or modify any obligations imposed on users under applicable AML/CTF legislation, and users remain responsible for complying with their own legal obligations in relation to customer due diligence.

3. Personal Information

“Personal information” has the meaning given in the Privacy Act 1988 (Cth) and includes information or an opinion about an identified individual or an individual who is reasonably identifiable. In the context of our platform, this may include identification details such as name, date of birth and contact information, as well as information relating to customer due diligence, beneficial ownership, control structures and risk assessments. Sensitive information may include information used for identity verification and government-related identifiers. We do not collect or store biometric information or other sensitive information unless required for AML/CTF compliance purposes.

4. Information We Collect

We collect personal information that is reasonably necessary to operate the platform and provide AML/CTF compliance services. This includes account and user information, client and engagement information, compliance records such as KYC data, risk assessments and monitoring records, as well as technical and usage data required for system functionality and security.

In some cases, information derived from identity documents (such as name, date of birth and document reference details) is temporarily processed for the purpose of electronic identity verification where required for customer due diligence.

Flagship AML does not store copies of identity documents, biometric information or raw government verification responses. Following completion of the electronic identity verification process, personal information that is no longer required is securely removed from the verification record. The platform retains only the information reasonably necessary to demonstrate consent, verification outcomes, audit history and compliance with applicable AML/CTF obligations.

We collect and retain only the personal information reasonably necessary for the performance of our functions and activities as an AML/CTF compliance service provider.

5. Collection of Personal Information

We collect personal information directly from users of the platform, from authorised representatives acting on behalf of clients, and through the operation of the platform itself, including system-generated logs and technical data. Users are responsible for ensuring that they are authorised to provide personal information to us and that they have obtained all necessary consents from individuals whose information is submitted to the platform.

6. Use of Personal Information

We use personal information for the purpose of providing AML/CTF compliance services, including facilitating customer due diligence processes such as identity verification and risk assessment. Personal information is also used to operate, maintain and improve the platform and to comply with applicable legal and regulatory obligations.

6A. Purpose Limitation

Personal information collected through the platform, including information used for identity verification, is used solely for the purposes of providing AML/CTF compliance services, facilitating customer due diligence and risk assessment, and meeting legal and regulatory obligations. Flagship AML does not use personal information obtained through identity verification processes for profiling, marketing, advertising or market research purposes.

7. Disclosure

We may disclose personal information to third-party service providers, including identity verification providers and gateway service providers, for the purposes described in this Policy. We do not sell personal information.

8. Overseas Storage and Processing

Personal information collected and processed through the Flagship AML platform is stored using secure cloud infrastructure located outside Australia, including in Singapore. Core platform data is hosted in Singapore, while documents and compliance records may be stored using globally distributed storage infrastructure.

As a result, personal information may be transferred to, stored and processed in multiple jurisdictions, including Singapore, the United States, the European Union and other locations in which our service providers operate. By using the platform, users acknowledge and consent to the transfer of personal information outside Australia.

We take reasonable steps to ensure that any overseas recipient of personal information does not breach the Australian Privacy Principles in relation to that information. This includes implementing contractual, technical and organisational safeguards designed to protect personal information in accordance with Australian privacy law. Where it is not practicable to ensure such compliance, we will not disclose personal information to the overseas recipient.

9. Use of Third-Party Infrastructure Providers

Flagship AML uses third-party service providers to host, store, secure and deliver the platform. These providers include cloud infrastructure providers such as DigitalOcean and web infrastructure and security providers such as Cloudflare.

These providers may have access to personal information solely to the extent necessary to provide hosting, infrastructure, storage and security services. They do not use personal information for their own independent purposes. Flagship AML takes reasonable steps to ensure that such providers handle personal information in accordance with applicable privacy and security standards.

10. Electronic Identity Verification and DVS

Flagship AML may facilitate electronic identity verification as part of customer due diligence under applicable AML/CTF legislation. Where electronic identity verification is used, personal information may be provided to a third-party identity verification provider, including gateway service providers, for the purpose of verifying an individual’s identity using reliable and independent data sources.

Electronic identity verification is conducted only after the individual has provided express consent through the provider’s verification process.

Following completion of the verification process, Flagship AML retains only the information reasonably necessary to demonstrate that the verification occurred, the identity opinion reached, the audit trail and the individual’s consent. This includes the person’s display name on the identity verification record, which links the verification to the relevant engagement and KYC file. Personal information that is no longer required for these purposes is securely removed from the verification record in accordance with our data minimisation practices.

Flagship AML processes verification responses received from its identity verification provider solely for the purpose of generating an identity verification outcome. The platform does not retain raw government verification data or personal information beyond what is reasonably necessary to support the verification outcome, audit trail and applicable legal obligations. Instead, the platform records and presents a limited verification outcome or identity opinion for use as part of the customer due diligence process.

Electronic identity verification forms only one component of customer due diligence and does not replace the obligation to identify, verify and assess clients in accordance with applicable AML/CTF laws. Flagship AML does not represent that electronic identity verification constitutes confirmation of identity, and users must rely on their own assessment in accordance with AML/CTF obligations.

11. Sanctions, PEP and Watchlist Screening

Flagship AML may facilitate sanctions, politically exposed person (PEP) and other watchlist screening as part of a subscriber's customer due diligence and ongoing monitoring obligations under applicable AML/CTF legislation.

Where screening is undertaken through the platform, personal information may be provided to third-party screening providers for the purpose of identifying potential sanctions, PEP or other watchlist matches. Screening is conducted solely to assist subscribers in meeting their AML/CTF compliance obligations and does not constitute a legal determination that an individual is or is not subject to sanctions or other regulatory restrictions.

Flagship AML records sufficient information to demonstrate that screening was undertaken, including the individual screened, the screening performed, the date and time of the search, and the screening outcome. This information forms part of the subscriber's compliance audit trail.

Consistent with our Privacy by Design principles, information used solely for sanctions, PEP and watchlist screening is retained only to the extent reasonably necessary to demonstrate that screening occurred, the search performed and the outcome returned. Personal information that is no longer required for these purposes is securely removed where appropriate in accordance with our data minimisation practices.

Flagship AML does not use information obtained through sanctions, PEP or watchlist screening for profiling, marketing, advertising or market research purposes.

12. Security

We implement appropriate technical and organisational safeguards to protect personal information from misuse, interference, loss and unauthorised access, modification or disclosure. These measures include encryption of data in transit and at rest, access controls, authentication mechanisms and secure cloud infrastructure.

13. Retention of Personal Information

We retain personal information only for as long as reasonably necessary to provide our services and to comply with applicable legal and regulatory obligations, including record-keeping requirements under AML/CTF legislation.

Where personal information has been collected solely for the purpose of electronic identity verification, Flagship AML applies data minimisation principles. Once the verification process has been completed and the necessary audit records have been created, personal information that is no longer required is securely removed from the verification record.

Audit information, consent records, verification outcomes and other compliance records are retained for evidentiary, regulatory and audit purposes.

14. Access and Correction

Individuals may request access to, or correction of, their personal information held by us. We will respond to such requests in accordance with applicable privacy laws.

15. Complaints

If you have a complaint about how we handle personal information, you may contact us using the details below. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner.

16. Consent and Acknowledgement

By using the platform and submitting personal information, users acknowledge that personal information may be disclosed to third-party service providers and identity verification providers for the purposes described in this Policy, and that such information may be transferred to, stored and processed outside Australia.

Users are responsible for ensuring that they have obtained all necessary consents from individuals whose personal information is submitted to the platform, including any consent required for electronic identity verification.

17. Contact

Privacy Officer

Sun Card Pty Ltd trading as Flagship AML

Email: info@flagshipaml.com.au