Privacy Policy

Privacy Policy

Version: 1.0
Effective date: 6 March 2026
Next review date: 6 March 2027 (or earlier if a material operational or regulatory change occurs)

Introduction & Purpose of this Policy

The Property Collective (the Agency) provides real estate services including sales, projects and property management in the Australian Capital Territory and New South Wales.

We are bound by the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) which regulate the collection, use and disclosure of personal information.

In providing real estate services in the ACT and NSW, we also operate within the real estate regulatory frameworks applicable to each jurisdiction. Where those frameworks require us to collect, retain or produce records that contain personal information, we handle that information in accordance with this policy and applicable law.

The Agency is committed to maintaining professional standards of confidentiality and responsible information handling. The Agency is a member of the Real Estate Institute of New South Wales (REINSW) and the Real Estate Institute of the ACT (REIACT), and is committed to professional standards including confidentiality and responsible information handling consistent with the Privacy Act, the APPs, and applicable professional standards.

This Privacy Policy explains:

  • the scope of our Privacy Policy;
  • why we collect personal information;
  • what personal information we collect;
  • how we collect and use your personal information;
  • how we disclose your personal information;
  • your right to access your personal information;
  • your right to correct your personal information;
  • how we protect the integrity of your personal information;
  • your right to make a privacy complaint; and
  • how you can contact us regarding privacy concerns.

We reserve the right to review and if necessary, change this Privacy Policy. We will post changes to this Privacy Policy on our website. This Privacy Policy is on our website.

Scope

This Privacy Policy governs all personal information collected by and provided to us and must be adhered to by all persons who access, use, process, control or otherwise deal with personal information on our behalf. This policy applies to independent contractors and job applicants, as well as individuals who provide us with personal information.

This policy applies to personal information handled in connection with our real estate services in both the Australian Capital Territory and New South Wales, including sales, leasing, auctions, inspections, tenancy applications, property management, maintenance coordination, and related communications.

Interpretation

Personal pronouns: except where the context otherwise provides or requires:

  • the terms We, Us or Our refers to the Agency; and
  • the terms You or Your refers to any person who provides us with personal information in any form or by any means.

What is personal information?

Personal information is any information that can be used to identify you. This includes any information or an opinion about you (including information or an opinion forming part of a database), whether true or not, and no matter how the information or opinions are recorded. The information may be collected from you directly or provided to us by another party.

Why do we collect personal information?

We collect personal information from you for the following purposes:

  • to allow us to lawfully carry out our real estate functions and activities;
  • to enable us to deliver the products and services that you requested;
  • to provide you with further information about the products and services you requested;
  • to personalise and customise your experiences with us;
  • to help us review, manage and enhance our services;
  • to communicate more effectively with you;
  • for administration purposes, including charging, billing and collecting debts;
  • to promote and market our products and services which we consider may be of interest to you;
  • when considering making offers to job applicants and prospective employees or for employment purposes;
  • to receive services from you or the organisation which employs you;
  • to notify other stakeholders including valuers and building inspectors so they can contact you to inspect the property as required and solicitors so they may be instructed regarding the matter;
  • to arrange and conduct inspections, open homes and appointments;
  • to verify identity where required for transaction integrity, fraud prevention or compliance;
  • to prepare and administer agency agreements, management authorities, tenancy agreements and related documents;
  • to communicate with parties to a transaction (vendors, purchasers, landlords, tenants, guarantors, co-owners, authorised representatives);
  • to manage keys, access logs and security for properties (including where surveillance cameras are used);
  • to arrange repairs, maintenance and compliance works for managed properties;
  • to liaise with strata managers, building managers and utilities where relevant to the property;
  • to comply with ACT and NSW real estate regulatory requirements;
  • to respond to lawful requests, notices, audits, investigations or proceedings; and
  • to maintain records required by law or reasonably required for risk management and dispute handling.

We may also collect, hold, use and/or disclose personal information if you consent or if required or authorised under law.

What personal information do we collect?

We collect personal information that is reasonably necessary for one or more of our functions or activities.

The type of information that we collect and hold may depend on your relationship with us. For example:

  • Candidate: if you are a candidate seeking employment with us, we may collect and hold information including your name, address, email address, contact telephone number, gender, age, employment history, references, resume, medical history, emergency contact, taxation details, qualifications, payment details.
  • Customer: if you are a customer of the Agency, the Agency may collect and hold information including your name, address, email address, contact telephone number, gender, age, bank account details, credit card or debit card details (including card number, expiry date and cardholder name), and copies of identification documents (including but not limited to driver’s licence, passport or other government-issued photographic identification).
  • Tenant / Applicant: if you are a tenant or prospective tenant, the Agency may collect and hold information including your name, address, email address, contact telephone number, date of birth, identification documents, rental history and references, employment and income information, affordability indicators, emergency contact details, pet ownership details, co-tenant and occupant details, and any information provided in connection with a tenancy application or ongoing tenancy management.
  • Vendor / Landlord: if you are a vendor or landlord, the Agency may collect and hold information including your name, address, email address, contact telephone number, proof of identity and authority to sell or lease, ownership and contact details for co-owners or authorised agents, property access and security details (keys, alarm instructions, access permissions), instructions about marketing preferences and communications, and solicitor or conveyancer contact details for transaction coordination.
  • Supplier: if you are a supplier of the Agency, the Agency may collect and hold information including your name, address, email address, contact telephone number, business records, billing information, information about goods and services supplied by you, insurance details, and licence or qualification details where relevant.
  • Third party service providers: we may also collect and hold personal information about trades and contractors engaged for repairs and maintenance, strata and building managers, valuers and building inspectors, solicitors and conveyancers, IT and cloud service providers, and marketing service providers (photography, copywriting, portal advertising) where they receive or process personal information on our behalf or in connection with our services.

Sensitive information

We will only collect sensitive information where you consent to the collection of the information and the information is reasonably necessary for one or more of the Agency’s functions or activities.

Sensitive information includes, but is not limited to, information or an opinion about racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, membership of a trade union, sexual preferences, criminal record, health information or genetic information.

If you feel that the personal information that we are requesting at any point is not information that you wish to provide, please feel free to raise this with us.

Retention of Credit Card Details and Identification Documents

Credit card details

Where we collect your credit card or debit card details, we do so for the following purposes:

  • to process payments for services rendered by the Agency, including but not limited to property management fees, sales commissions, marketing costs and maintenance charges;
  • to facilitate recurring payment arrangements where you have authorised such arrangements; and
  • to process refunds or adjustments where applicable.

We will retain your credit card details only for the duration of the specific transaction or, where you have authorised recurring payments, for the duration of the recurring payment arrangement. Upon completion of the transaction or termination of the recurring payment arrangement, your credit card details will be securely destroyed within 30 days unless retention is required by law.

Credit card details are processed and stored in our agency agreements which are kept on file in Agentbox. Full credit card numbers are not stored in plain text on any Agency system.

Identification documents

Where we collect copies of your identification documents, we do so for the following purposes:

  • to verify your identity in connection with tenancy applications, lease agreements, property sales or auction registrations;
  • to comply with our obligations where we are required by law to deal with individuals who have identified themselves; and
  • to satisfy identity verification requirements where applicable.

We will retain copies of your identification documents only for the period reasonably necessary to fulfil the purpose for which they were collected. Where the purpose is identity verification at the time of a transaction (e.g., lease signing, auction registration), copies will be securely destroyed within 30 days (unless retention is required by law) of the verification being completed, and a notation of the verification (including document type, partial document number and date of verification) will be retained in place of the copy.

Where retention of identification document copies beyond the verification period is required by law or for a continuing lawful purpose, such copies will be stored in an encrypted, access-controlled system and will be destroyed upon expiry of the required retention period.

Copies of identification documents are protected by multi-factor authentication required for access.

Where you provide a copy of your identification in accordance with this policy, we will retain that copy only for the period and in the manner described in this section unless required by law to keep it for a longer period.

Employee records

This policy does not apply to the collection, holding, use or disclosure of personal information that is an employee record. This exclusion applies only to current employees and only in relation to information directly related to the employment relationship.

An employee record is a record of personal information relating to the employment of an employee. Examples of personal information relating to the employment of the employee include, but are not limited to, health information and information about the engagement, training, disciplining, resignation, termination, terms and conditions of employment of the employee.

How do we collect and hold personal information?

We must collect personal information only by lawful and fair means. We will collect personal information directly from you if it is reasonable or practicable to do so.

We may collect personal information in a number of ways, including without limitation:

  • through application forms;
  • by email or other written mechanisms;
  • over a telephone call;
  • in person;
  • through transactions;
  • business cards;
  • contracts;
  • through our website;
  • through surveillance cameras;
  • by technology that is used to support communications through the use of our online services including cookies, web beacons, log files and analytical tools that record your IP address, browser type, referring pages, pages visited and the date and time of each visit; and
  • from third parties, including through publicly available information sources (which may include telephone directories, the internet and social media sites).

Where we collect credit card or debit card details, we do so through secure, encrypted channels. We do not accept credit card details via unencrypted email, text message or handwritten notation. Credit card details provided over the telephone are processed immediately and are not recorded or stored in written or audio form beyond the duration of the call.

Where we collect copies of identification documents, we do so in person, through secure electronic upload or through a certified digital identity verification service. We do not accept copies of identification documents via unencrypted email or messaging services.

Before engaging service providers who handle personal information on our behalf, we take reasonable steps to ensure they will handle information consistently with the APPs.

Automated decision-making (ADM)

When we collect personal information about you through publicly available information sources, such information will be managed in accordance with the APPs.

We use ADM and profiling technologies to improve the efficiency and accuracy of our services. This involves using computer programs or algorithms to evaluate your personal information and make or assist in making decisions that may affect you.

Specific processes where we utilise ADM include:

  • Tenancy Applications: We may use automated systems to assess your eligibility for a rental property by evaluating your credit history, rental references and affordability.
  • Property Valuations: We use Automated Valuation Models (AVMs) to provide instant estimates of property market values based on historical sales data and market trends.
  • Marketing and Lead Scoring: Our systems may automatically rank your interest in specific properties or services based on your interactions with our website and emails to provide you with more relevant information.

The personal information used in these processes may include your contact details, financial capacity, employment history and digital activity on our platforms.

ADM tools used for tenancy applications, marketing and other decisions are configured and monitored to reduce risk of unfair bias and to support lawful, fair decision-making consistent with applicable anti-discrimination requirements.

Where a decision is made solely by automated means and has a legal or significant effect on you (such as the rejection of a rental application), you have the right to:

  • be informed that an automated decision has been made;
  • request an explanation of the logic involved and the potential consequences;
  • request confirmation that ADM was used and the main factors considered; and
  • request a human review of the decision by contacting our Privacy Officer.

Where professional judgment is required (for example, assessing suitability in a property management context or responding to disputes), the Agency does not rely solely on automated tools and applies professional oversight consistent with its professional standards.

A suitably trained staff member will review contested ADM outcomes and will consider any additional information provided by the individual.

Unsolicited personal information

Unsolicited personal information is personal information that we receive which we did not solicit. Unless we determine that we could have collected the personal information in line with the APPs or the information is contained within a Commonwealth record, we must destroy the information to ensure it is de-identified.

How do we use your personal information?

We will only use and disclose your personal information for purposes which are related to those identified in this policy or if we get your consent to do so and it is in accordance with this Privacy Policy and the Privacy Act.

We will not use your personal information for any purpose for which you would not reasonably expect us to use it for. Additionally, we will not disclose your sensitive information without your consent, unless there is a need to disclose such information in accordance with the Privacy Act or to comply with any other regulatory requirement.

In the context of our ACT and NSW real estate practice, individuals would reasonably expect information to be used for transaction progression, due diligence coordination and property management administration.

Is personal information used for direct marketing?

We may use or disclose personal information (other than sensitive information) about you for the purpose of direct marketing (for example, advising you of new goods and/or services being offered by us).

We may use or disclose sensitive information about you for the purpose of direct marketing if you have consented to the use or disclosure of the information for that purpose.

Our direct marketing practices comply with applicable Australian marketing laws, including opt-out mechanisms and respecting marketing preferences. Marketing communications are conducted professionally and personal information is not used in a way that is misleading, intrusive or inconsistent with reasonable expectations.

You can opt out of receiving direct marketing communications from the Agency by:

  • contacting the Privacy Officer in writing at concierge@thepropertycollective.com.au;
  • where available, accessing the Agency’s website and unsubscribing appropriately;
  • using the unsubscribe link in any marketing email;
  • replying STOP to any marketing SMS (where used); or
  • making a telephone request to the Privacy Officer (identity verification may be required).

We will record opt-out requests and apply them within a reasonable period. Marketing lists are maintained accurately and opt-outs are implemented promptly.

What happens if you do not provide your personal information?

You are not obliged to give us your personal information. If you would like to access any of our services on an anonymous basis or using a pseudonym, we will take reasonable steps to comply with your request. However, we will require you to identify yourself (including providing us a copy of your identification) if:

  • we are required by law to deal with individuals who have identified themselves; or
  • it is impracticable for us to deal with you if you do not identify yourself or elect to use a pseudonym. This might include ensuring the safety of others for whom we have responsibility; or
  • you intend to make a formal offer on a property being sold via private treaty or bid at an auction.

Where you provide a copy of your identification in accordance with the above, we will retain that copy only for the period and in the manner described in the section of this policy titled “Retention of Credit Card Details and Identification Documents”.

Please be aware that your request to be anonymous or to use a pseudonym may affect our ability to provide you with the requested services.

When do we disclose your personal information?

You acknowledge and agree that we may disclose your personal information for any of the purposes for which it was collected, as indicated in this policy, or where we are under a legal duty to do so.

Disclosure will usually be internally and to related entities or to third parties such as contracted service suppliers.

Disclosures are limited to what is reasonably necessary for the purpose of collection and for professional service delivery in a real estate context, and are made in a manner consistent with professional confidentiality expectations.

Where the Agency acts for multiple parties in a transaction (e.g., vendor and prospective purchasers as customers), it manages information in accordance with its professional obligations and only uses or discloses information as authorised, required or reasonably expected in the circumstances.

Before we disclose personal information about you to a third party, we will take steps as are reasonable in the circumstances to ensure that the third party does not breach the APPs in relation to the information.

Disclosure to regulators and authorities

We may disclose personal information to ACT and NSW regulators and authorities where required or authorised, including for compliance, audit, investigation and enforcement activities, and in response to lawful requests and statutory notices.

Disclosure for professional standards processes

Where relevant and lawful, we may disclose information to REINSW or REIACT for handling professional conduct complaints, professional standards monitoring and dispute resolution processes, but only where permitted under the APPs and applicable law and limited to what is reasonably necessary. Where reasonable and lawful, we will limit disclosed information (e.g., redaction or minimisation) to protect third-party privacy and confidentiality.

Do we send information overseas?

We are likely to disclose personal information to overseas recipients.

Before we disclose personal information about you to an overseas recipient, we will take steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the APPs in relation to the information.

The countries in which overseas recipients are likely to be located include:

  • The Philippines

Before disclosing personal information overseas, we take reasonable steps including:

  • assessing the recipient’s security controls;
  • imposing contractual confidentiality and data handling obligations where practicable;
  • limiting disclosure to what is necessary; and
  • maintaining auditability of access where feasible.

Individuals may request further information about overseas disclosures by contacting the Privacy Officer.

Access to your personal information

If we hold personal information about you, you may request access to that information by putting the request in writing and sending it to the Privacy Officer. Your request should include sufficient detail to identify the records sought. We will respond to any request within a reasonable period, and a charge may apply for giving access to the personal information.

We may require reasonable verification of your identity before providing access, to protect privacy and prevent unauthorised disclosure. Access may be provided by inspection, copy (electronic or hard copy) or summary depending on what is reasonable and lawful in the circumstances.

There are certain circumstances in which we may refuse to grant you access to the personal information. In such situations we will give you written notice that sets out:

  • the reasons for the refusal; and
  • the mechanisms available to you to make a complaint.

Correction of your personal information

If we hold personal information that is inaccurate, out-of-date, incomplete, irrelevant or misleading, we must take steps as are reasonable to correct the information.

If we hold personal information and you make a request in writing addressed to the Privacy Officer to correct the information, we must take steps as are reasonable to correct the information and we will respond to any request within a reasonable period.

There are certain circumstances in which we may refuse to correct the personal information. In such situations we will give you written notice that sets out:

  • the reasons for the refusal; and
  • the mechanisms available to you to make a complaint.

If we correct personal information that we have previously supplied to a third party and you request us to notify the third party of the correction, we will take such steps as are reasonable to give that notification unless impracticable or unlawful to do so.

Integrity and security of your personal information

We will take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that we:

  • collect is accurate, up-to-date and complete; and
  • use or disclose is, having regard to the purpose of the use or disclosure, accurate, up-to-date and complete.

We will take steps as are reasonable in the circumstances to protect the personal information from misuse, interference, loss and from unauthorised access, modification or disclosure. This includes the following measures:

  • our employees only having access to information on approved devices;
  • a ‘strong password’ policy;
  • software used to prevent security breaches;
  • multi-factor authentication;
  • credit card details are processed and stored in compliance with the Payment Card Industry Data Security Standard (PCI-DSS) and are tokenised or encrypted at all times;
  • copies of identification documents are stored in encrypted form with access restricted to authorised personnel on a need-to-know basis;
  • automated deletion protocols are applied to credit card details and identification document copies to ensure destruction upon expiry of the applicable retention period;
  • access to credit card details and identification document copies is logged and auditable;
  • regular security reviews are conducted to assess the adequacy of protections for high-risk personal information, including credit card details and identification documents;
  • secure storage of paper files;
  • secure disposal (shredding or secure bins) of physical documents containing personal information;
  • visitor controls for office areas where files are stored;
  • encryption in transit where available;
  • secure backups and recovery testing;
  • endpoint security and patch management; and
  • appropriate governance over technology used in real estate operations, including property management platforms, CRM systems, marketing automation tools and document storage systems, to ensure personal information is handled securely and consistently with this policy.

Notifiable Data Breaches

In the unlikely event there is a security breach, the Agency will comply with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth) by:

  • promptly investigating any suspected data breach to determine whether an eligible data breach has occurred;
  • preparing a statement that includes the prescribed information for the Office of the Australian Information Commissioner (OAIC) and the affected individuals;
  • providing the statement to the OAIC and, as soon as practicable, notifying the affected individuals using the method required by the Privacy Act; and
  • keeping a register of all data breaches, whether or not they are notifiable, and reviewing security practices after each incident to mitigate future risk.

The Agency recognises that a data breach involving credit card details or copies of identification documents is likely to result in serious harm to affected individuals and will be treated as a priority incident requiring immediate investigation and, where applicable, notification to the OAIC and affected individuals.

In addition to the Notifiable Data Breaches scheme, the Agency will consider whether any notification to ACT or NSW regulators, REINSW or REIACT is required or appropriate in the circumstances, and will make such notifications where required by law or professional obligations.

Where notification to affected individuals is required, the Agency’s notification will include:

  • what happened (general description);
  • what information was involved (categories);
  • what steps the Agency has taken;
  • what steps individuals can take; and
  • how to contact the Privacy Officer.

Notification may occur by email, telephone, post, website notice or other method permitted or required, depending on the circumstances.

The Agency will also consider whether a privacy incident triggers notification to its insurer(s) under relevant policies, and will manage that process confidentially.

Staff and contractors are required to promptly report suspected privacy incidents to the Privacy Officer (and, if applicable, the principal or licensee in charge).

Incident response

The Agency maintains an internal incident response process comprising:

  • identification and containment;
  • assessment of whether an eligible data breach has occurred;
  • OAIC notification and affected individuals notification (where required);
  • remediation and prevention;
  • record keeping; and
  • preservation of relevant logs, emails and system records to support investigation and reporting.

Destruction and de-identification

If we hold personal information and we no longer need the information for any purpose for which the information may be used or disclosed, the information is not contained in any Commonwealth record and we are not required by law to retain the information, we will take such steps as are reasonable in the circumstances to destroy the information or to ensure it is de-identified.

Record keeping and retention

Regulatory retention requirements

The Agency retains records (including those containing personal information) for as long as required by law and for legitimate business purposes such as dispute resolution and compliance.

Where ACT or NSW real estate regulatory frameworks require retention of transaction, trust account, agency or tenancy records, the Agency will retain those records accordingly. The destruction and de-identification obligation set out above is subject to these legal retention requirements.

Digital record management

Digital records are stored in secure, access-controlled systems with role-based access. Access to files is restricted to staff and contractors with a need to know. Digital records are securely deleted or de-identified when no longer required, subject to retention obligations.

Complaints

You have a right to complain about our handling of your personal information if you believe we have breached the APPs.

If you wish to make such a complaint to us, you should first contact the Privacy Officer in writing. Your complaint will be dealt with in accordance with our complaints procedure and we will provide a response within a reasonable period.

Our complaint handling process involves the following steps: acknowledgment, investigation and review, proposed resolution and any corrective actions and recording the outcome.

If you are unhappy with our response to your complaint, you may:

  • refer your privacy complaint to the Office of the Australian Information Commissioner (OAIC);
  • contact NSW Fair Trading for consumer-related complaints regarding our NSW real estate operations; or
  • contact REINSW or REIACT regarding professional conduct concerns, as applicable.

ACT-Specific Provisions

ACT real estate regulatory context

The Agency’s ACT real estate services are provided in accordance with the ACT real estate regulatory framework. Where that framework requires the Agency to collect, hold, retain or produce records containing personal information, the Agency will do so in accordance with those requirements and this policy.

ACT complaints pathway

Individuals dealing with the Agency’s ACT operations may also direct complaints to the relevant ACT regulatory body.

NSW-Specific Provisions

NSW real estate regulatory context

The Agency’s NSW real estate services are provided in accordance with the Property and Stock Agents Act 2002 (NSW) and the Property and Stock Agents Regulation 2022 (NSW). Where those requirements require the Agency to collect, hold, retain or produce records containing personal information, the Agency will do so in accordance with those requirements and this policy. This may affect whether the Agency can deal anonymously or by pseudonym and the Agency’s retention and destruction practices.

NSW-specific collection categories

In addition to the general collection categories set out above, the Agency’s NSW operations may collect and hold the following categories of personal information:

  • tenancy application information including rental history, references, employment and income details, and affordability indicators;
  • pet ownership details (relevant to NSW tenancy requirements);
  • co-tenant and occupant details;
  • emergency contact details for tenants;
  • strata information relevant to managed properties;
  • property inspection records; and
  • any other information reasonably necessary for the Agency’s NSW real estate functions.

NSW trust account information handling

Personal information collected in connection with trust account operations in NSW (including bank details, identification and transaction records) is handled in accordance with NSW trust account requirements and this policy.

NSW tenancy application data handling

Tenancy application data collected for NSW properties is used to assess suitability for the tenancy and is shared with landlords for the purpose of making a tenancy decision. Where an application is unsuccessful, the application data will be securely destroyed within 30 days of the decision unless the applicant consents to the Agency retaining it for future opportunities or retention is required by law.

NSW complaints pathway

Individuals dealing with the Agency’s NSW operations may also direct consumer-related complaints to NSW Fair Trading.

Privacy Officer contact details

Our Privacy Officer is the primary point of contact for any matters relating to this Privacy Policy, including requests to access or correct your personal information, opt-out requests, requests for human review of automated decisions, and privacy complaints.

Our Privacy Officer can be contacted in the following ways:

Telephone number: 6234 3800
Email address: concierge@thepropertycollective.com.au
Postal address: 47 Wentworth Avenue, Kingston ACT 2604