Privacy Policy

Last updated: March 2026

DRAFT — This policy is pending legal review and sign-off.

1. Introduction

SEQURE PTY LTD (ABN pending), trading as Sequre Information Management (“Sequre”, “we”, “our”, or “us”), is an Australian company that provides authentication and identity verification infrastructure. We are committed to protecting your privacy and handling your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This Privacy Policy explains what personal information we collect, how we use it, how we protect it, and your rights in relation to it. It applies to all users of our services, including our websites (seq.im and related subdomains), authentication services, and identity verification services.

We may also have obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) in connection with identity verification services. Where applicable, this policy should be read alongside our AML/CTF compliance program.

2. Information We Collect

2.1 Account Registration

When you create a Sequre account, we collect:

  • Email address
  • Phone number
  • Display name (if provided)

2.2 Authentication Data

When you use our authentication services, we process data necessary to verify your identity and maintain your session. This includes:

  • Passkey and WebAuthn credentials: Public key credentials registered with your account. Your biometric data (such as fingerprint or facial recognition) is processed entirely on your device and is never transmitted to or collected by Sequre.
  • Session and OAuth tokens: Temporary tokens used to maintain authenticated sessions across services.
  • Device information: Device type, operating system, and browser used for authentication, to support security and fraud detection.
  • Federated sign-in: If you sign in via Google or Apple, we receive only the information you authorise those providers to share (typically name and email address).

2.3 Identity Verification (KYC)

When identity verification is required (for example, to meet regulatory obligations or to access services that require a verified identity), we offer two verification paths:

ConnectID (Preferred)

Where available, we use ConnectID — a federated identity verification service supported by major Australian banks (Commonwealth Bank, NAB, ANZ, and Westpac). ConnectID allows you to verify your identity using credentials you have already established with your bank, without sharing your raw identity documents with us.

When you verify via ConnectID, Sequre receives only a verification assertion (confirmation that your identity has been verified to a specified level). We do not receive or store your underlying identity documents, government ID numbers, or other personal information held by your bank.

ConnectID is available to customers who have completed in-branch identity verification with a participating bank within the required timeframe (which varies by bank, typically between 3 and 10 years).

Direct Verification (Fallback)

Where ConnectID is not available, we facilitate identity verification through a third-party identity verification provider. In this case, the following information may be collected and transmitted to the third-party provider for processing:

  • Full legal name
  • Date of birth
  • Residential address (where required by the verification provider)
  • Government-issued document type (e.g., driver’s licence, passport)
  • Government-issued document number
  • Photographic proof of the government-issued document
  • Selfie photograph (optional, for improved verification level with reduced risk)

Important: Sequre does not store your raw identity documents, government ID numbers, selfie photographs, or other identity verification source material. This information is transmitted directly to our third-party verification provider, which processes it and returns a verification result.

What Sequre Retains After Verification

Following identity verification (via either path), Sequre retains only:

  • Verification assertion: A record that your identity has been verified, including the verification level achieved and the date of verification.
  • Document fingerprint: A cryptographic hash derived from the identity document used for verification. This fingerprint cannot be reversed to reveal the original document or its contents.

2.4 Biometric Information

Sequre does not collect, store, or process biometric data.

  • Passkey authentication: Biometric verification (fingerprint, facial recognition) occurs entirely on your device using your device’s built-in security. Sequre receives only a cryptographic confirmation that authentication succeeded — never the biometric data itself.
  • Selfie verification: Where you provide a selfie for identity verification, it is transmitted to and processed by our third-party identity verification provider. The provider may perform facial feature matching as part of the verification process. Sequre does not receive, store, or process the selfie or any biometric data derived from it.

2.5 Usage and Technical Data

When you visit our websites or use our services, we automatically collect:

  • IP address
  • Browser type and version
  • Device type and operating system
  • Pages visited and interactions with our website
  • Referring website or source
  • Date and time of access

3. How We Use Your Information

We use your personal information for the following purposes:

  • Providing authentication services: Verifying your identity and maintaining secure sessions across integrated services.
  • Identity verification: Facilitating KYC checks as required by law or by services you access through our platform.
  • Fraud prevention: Using device information and verification records to support the security of our services.
  • Service improvement: Analysing usage patterns to improve the performance, security, and usability of our services.
  • Communication: Responding to your enquiries and, with your consent, sending you relevant service updates.
  • Legal compliance: Meeting our obligations under the Privacy Act 1988, the AML/CTF Act 2006, and other applicable laws.

4. How We Share Your Information

We do not sell your personal information. We may share your information with the following categories of third parties, only as necessary to provide our services:

4.1 Third-Party Identity Verification Provider

When you verify your identity via the direct verification path, your identity documents and personal information are transmitted to our third-party identity verification provider for processing. This provider is contractually bound to process your information solely for the purpose of performing the verification and in accordance with applicable privacy laws.

4.2 ConnectID and Participating Banks

When you verify via ConnectID, the verification is facilitated by the ConnectID network and your participating bank. Sequre receives only the verification assertion — not your underlying bank or identity records.

4.3 Infrastructure Providers

Our services are hosted on Cloudflare infrastructure. Cloudflare may process technical data (such as IP addresses) as part of delivering and securing our services. Cloudflare’s processing is governed by their own privacy policy and our data processing agreement with them.

4.4 Integrated Services

When you use your Sequre identity to access a third-party service (such as a merchant or application), we share only the information necessary for authentication and any identity assertions you have authorised. We do not share your raw identity documents, government ID numbers, or other verification source material with integrated services.

4.5 Law Enforcement and Regulatory Bodies

We may disclose personal information where required by law, regulation, or court order, or where necessary to comply with our obligations under the AML/CTF Act 2006 or other applicable legislation.

5. Cross-Border Data Transfers

Some of our third-party service providers (including our identity verification provider and infrastructure providers) may process your information in countries other than Australia. Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the recipient complies with the Australian Privacy Principles or is subject to a substantially similar privacy regime, in accordance with APP 8.

Where we cannot ensure equivalent protections, we will obtain your consent before transferring your personal information overseas, or ensure other lawful safeguards are in place.

6. Data Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit and at rest
  • Use of cryptographic hashing for document fingerprints (which cannot be reversed to reveal the original document)
  • Access controls and authentication for internal systems
  • Regular security assessments and monitoring
  • Minimisation of stored personal information (we do not retain identity documents or other verification source material)

No method of transmission or storage is completely secure. While we strive to protect your personal information, we cannot guarantee its absolute security.

7. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes described in this policy or as required by law.

  • Account information (email, phone, display name) is retained for the life of your account and deleted upon account termination, subject to any legal retention obligations.
  • Authentication data (session tokens, OAuth tokens) is temporary and expires automatically.
  • Identity verification source material (documents, selfies, government ID numbers) are not retained by Sequre. They are processed by our third-party provider and not stored in our systems.
  • Verification assertions (the record that verification occurred and the level achieved) may be retained after account termination where required for regulatory compliance.
  • Document fingerprints (cryptographic hashes) are retained indefinitely, including after account termination. These are not personal information — they are irreversible cryptographic values that cannot be used to identify an individual or reconstruct the original document.
  • Usage and technical data is retained in aggregate or anonymised form for service improvement.

8. Your Rights

Under the Australian Privacy Principles, you have the following rights in relation to your personal information:

8.1 Access (APP 12)

You have the right to request access to the personal information we hold about you. We will respond to your request within a reasonable period (and in any event within 30 days). We may charge a reasonable fee to cover the cost of providing access.

8.2 Correction (APP 13)

You have the right to request correction of any personal information we hold about you that is inaccurate, out of date, incomplete, irrelevant, or misleading.

8.3 Account Termination and Deletion

You may request termination of your Sequre account at any time. Upon account termination, we will delete your personal information, including:

  • Account registration details (email, phone number, display name)
  • Authentication credentials and session data
  • Any other personal information associated with your account

The following are not deleted upon account termination:

  • Document fingerprints: As described in Section 7, these are irreversible cryptographic hashes that do not constitute personal information.
  • Verification assertions: Where retention is required for regulatory compliance (including obligations under the AML/CTF Act 2006).

8.4 Complaints

If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with us using the contact details in Section 11. We will acknowledge your complaint within 7 days and aim to resolve it within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

8.5 Marketing Communications

You may opt out of marketing communications at any time by using the unsubscribe link in any marketing email, or by contacting us directly. This does not affect service-related communications (such as security alerts or account notifications).

9. Cookies and Similar Technologies

Our websites use cookies and similar technologies to maintain your session, remember your preferences (such as theme and language), and collect usage data.

  • Essential cookies: Required for authentication and core functionality. These cannot be disabled.
  • Preference cookies: Used to remember your settings (such as light or dark mode). These can be managed through your browser settings.
  • Analytics cookies: Used to understand how visitors use our website. These can be managed through your browser settings.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our services, legal requirements, or business practices. Where changes are material, we will notify you by email or through a prominent notice on our website. The “Last updated” date at the top of this policy indicates when it was most recently revised.

11. Contact Us

If you have questions about this Privacy Policy, wish to exercise any of your rights, or want to make a complaint, please contact us:

SEQURE PTY LTD
Trading as Sequre Information Management
Email: privacy@seqim.com.au
General enquiries: contact@seqim.com.au

12. Regulatory Framework

This Privacy Policy is governed by and should be read in conjunction with:

  • Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs)
  • Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), to the extent applicable to our identity verification services
  • Any applicable state or territory privacy legislation

In the event of any conflict between this policy and our legal obligations under the above legislation, our legal obligations will prevail.