App first
Live consent should be reviewed, updated or withdrawn inside Brolly where possible.
CDR consent
Brolly Consent Management
Manage how your Consumer Data Right data is shared, used, retained, deleted or de-identified. The app is the preferred place to manage live consent; support can help if you need it.
Consent system
Control should feel obvious before the legal document starts.
This page bridges product trust and formal CDR wording. The summary cards below keep the key controls visible before the detailed consent information starts.
Support fallback
If the app path is not available, support needs a visible route for consent help.
Deletion and retention
Deletion, de-identification and retention language should stay close to the consent story.
Introduction to the Consumer Data Right (CDR)
The Consumer Data Right (CDR) regulates the collection and handling of CDR data in line with privacy safeguards and rules that:
- Ensure your data is managed securely
- Provide you with control over how your data is shared and used
Accredited Data Recipients (ADRs)
An Accredited Data Recipient (ADR) is an organisation approved under the CDR framework to receive and manage consumer data securely. ADRs are required to follow strict privacy and security rules, ensuring consumer data is used only with consent. ADRs and ADR representatives or partners are expected to:
- Transparently disclose how data is used
- Ensure secure storage and transfer of consumer data
- Implement privacy safeguards to protect user consent
Key benefits for users
- Choice and control: You decide what data to share, how it is used, and who can access it.
- Manage consent: You can view, modify, or revoke consents at any time.
- Data deletion requests: You can request data deletion or de-identification.
Data usage under CDR
Data collected under the CDR framework can be used for:
- Personalised services: Tailoring recommendations to your activities.
- Operational purposes: Preventing fraud, detecting abuse, and generating analytical insights using de-identified data.
- Communication: Sending updates and notifications aligned with your preferences.
Brolly transparently discloses the specific purposes for which we will use the data we collect from you and only requests the minimum data necessary to fulfil those purposes.
Data security requirements
Data security is a core element of CDR compliance. Data must be managed securely through strict protocols, including:
- Storage: Data must be securely stored in Australia only.
- Encryption: Encryption of data in transit and at rest.
- Access control: Access restricted to authorised personnel only.
- Audits: Regular audits to verify adherence to security practices.
Check your current consent status
Use the Brolly app or contact support to review whether consent is active, expired or withdrawn.
Methods of managing consent
When you give consent, you remain in control. You can easily manage your consent at any time — whether that means reviewing, updating, or withdrawing it — using any of the following methods:
- Directly through the Brolly app. This is the easiest and preferred method.
- By contacting our support team via email at [email protected].
- By calling our support team during business hours.
Data retention and de-identification
Data deletion process
You have the right to request data deletion at any time. Upon withdrawal of consent:
- Data will be securely deleted or de-identified by Brolly
- Redundant data will be destroyed, except where Brolly is required by law to retain data for a longer period
- Brolly will take steps so third-party processors securely erase any shared data where required
De-identification process
De-identification involves removing identifiable information while retaining anonymised data for operational purposes, such as analytics and fraud prevention. Steps include:
- Removing user IDs from transactions
- Stripping timestamps and descriptions that reveal specific details
- Aggregating data to support anonymity
De-identified data can be used for improving services, creating insights, and operational analysis. You may also request deletion of de-identified data if it is no longer necessary.
Retention policy
Brolly follows these guidelines for managing your data:
- Ensure your data is deleted promptly when it is no longer required, upon data sharing consent expiry, or within 24 hours of receiving a consent revocation request
- Comply with retention toggle settings for automatic deletion, ensuring configurations align with privacy and security requirements
Contact Support to Manage Consent
For assistance with managing your consent, please contact us at [email protected]. Our team will be happy to help.