Privacy Policy
Our Privacy Policy.
1. About this Policy
This Privacy Policy explains how MCP Financial Services (Australian Credit Licence 385476) and its associated entities (together, “MCP”, “we”, “our” or “us”) collect, hold, use and disclose your personal information. MCP’s associated entities include any brand or business operating under the MCP Group from time to time.
MCP is bound by the Privacy Act 1988 (Cth) (the Privacy Act) and the 13 Australian Privacy Principles (APPs) set out in Schedule 1 of that Act. As an Australian Credit Licence holder, MCP is also subject to the credit reporting provisions in Part IIIA of the Privacy Act and the Credit Reporting Privacy Code registered by the Office of the Australian Information Commissioner (OAIC).
This Policy also incorporates MCP’s practices in relation to the use of artificial intelligence (AI) tools. Where relevant, the AI provisions of this Policy reflect the guidance issued by the OAIC on the use of commercially available AI products and the automated decision-making transparency requirements that commence on 10 December 2026.
If you have any questions, please contact us using the details set out in Section 14.
2. What is Personal Information?
Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.
Examples of personal information we may collect include your name, address, contact details, date of birth, identification documents, financial information, employment details and photographs.
3. Kinds of Personal Information We Collect
The kinds of personal information we collect and hold will depend on the services we provide to you. They may include:
• identity information — your name, date of birth, address, phone number, email address, identification documents (such as driver’s licence or passport) and signature;
• financial information — your income, expenses, assets, liabilities, bank statements, tax returns, business financial statements, superannuation details and details of existing loans or credit facilities;
• credit information — credit reports, credit scores, repayment history, default information and other information obtained from credit reporting bodies under Part IIIA of the Privacy Act;
• employment information — your employer, occupation, length of employment and employment contracts;
• information about your objectives, requirements and circumstances relevant to the finance broking services we provide; and
• any other information you provide to us or that we are required to collect by law, including for the purpose of verifying your identity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
3.1 Sensitive Information
MCP does not routinely collect sensitive information. However, we may collect health information or other sensitive information where it is directly relevant to the provision of our services and only with your consent or as otherwise permitted by law.
4. How We Collect Personal Information
Where practical, we collect personal information directly from you, including through application forms, correspondence, telephone calls, meetings and our website. We may also collect information about you from third parties where the Privacy Act permits, including:
• credit reporting bodies;
• your legal, financial or other professional advisers;
• your employer or accountant;
• lenders, mortgage insurers and other credit providers;
• referral partners, mortgage aggregators and other intermediaries;
• publicly available sources, including ASIC registers, land title records and court records; and
• identity verification service providers.
The law may also require us to collect personal information. For example, we are required to verify your identity under Australian anti-money laundering legislation before providing certain services.
At or before the time (or as soon as practicable after) we collect your personal information, MCP will take reasonable steps to notify you of:
• our identity and contact details;
• the purpose of collection;
• the consequences if we do not collect the information;
• the third parties to whom we may disclose the information;
• your rights to access and correct your personal information; and
• how to make a complaint about a breach of the Privacy Act.
This notification may be provided through this Privacy Policy, our Credit Guide, application forms or other communications.
5. Why We Collect, Hold, Use and Disclose Your Personal Information
We collect, hold, use and disclose your personal information for the primary purpose of providing you with finance broking, debt advisory and related services. This includes:
• assessing your financial position and objectives;
• preparing and submitting credit applications on your behalf;
• identifying and recommending suitable credit products and lenders;
• preparing credit submissions, finance proposals, scenarios and supporting documentation;
• providing ongoing loan management and review services;
• meeting our obligations under the National Consumer Credit Protection Act 2009 (Cth), including maintaining records and undertaking preliminary credit assessments; and
• administering our business, including training, compliance and dispute resolution.
5.1 Direct Marketing
We may use your personal information to send you information about products, services or opportunities that we believe may be relevant to you, including via email, SMS or telephone. You may opt out of receiving direct marketing communications at any time by:
• using the unsubscribe function included in electronic communications;
• contacting us using the details in Section 14; or
• informing your broker directly.
We will promptly process all opt-out requests. We will not use or disclose your personal information for direct marketing if you have opted out.
6. Who We Disclose Your Personal Information To
We may disclose your personal information to third parties where necessary to provide our services or as required by law. These third parties may include:
• credit providers, banks and other lenders;
• credit reporting bodies (see Section 7 below);
• mortgage insurers and lenders mortgage insurance providers;
• valuers, quantity surveyors and other property professionals;
• mortgage aggregators, dealer groups and licensee networks;
• your legal, financial or other professional advisers;
• identity verification and fraud prevention service providers;
• IT service providers, cloud hosting providers and software platforms that support systems;
• our professional advisers, including lawyers, accountants and auditors;
• regulatory bodies, including ASIC and the OAIC;
• any other person with your consent or as required or authorised by law.
7. Credit Reporting
In providing finance broking services, MCP may need to access your credit information from a credit reporting body. By engaging MCP, you authorise us to:
• act as your agent in seeking access to your consumer credit information held by a credit reporting body; and
• obtain a credit report in connection with an application, or proposed application, by you for credit, or in relation to your existing credit arrangements.
The credit reporting bodies we may use include Equifax, Experian and illion. You can contact these bodies directly to request access to your credit reporting information or to request a correction.
Under Part IIIA of the Privacy Act and the Credit Reporting Privacy Code, you also have the right to:
• request access to the credit information and credit eligibility information we hold about you;
• request that we correct any information that is inaccurate, out of date, incomplete, irrelevant or misleading;
• request that a credit reporting body place a ban on your credit reporting information for a specified period if you believe you have been, or are likely to be, a victim of fraud; and
• make a complaint about our handling of your credit information.
8. Storage and Security of Your Personal Information
MCP takes reasonable steps to protect your personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Our security measures include:
• access controls that restrict access to personal information to authorised staff on a need-to-know basis;
• encryption of personal information in transit and at rest where appropriate;
• use of secure, access-controlled premises;
• regular staff training on privacy, data security and cyber risk;
• contractual requirements on third-party service providers to protect personal information; and
• regular review and testing of our information security practices.
We store personal information in electronic systems (including cloud-based platforms), in our customer relationship management systems and, to a limited extent, in physical files. Where personal information is stored electronically, it is primarily hosted in Australia, but may be hosted on third-party systems located overseas to the extent necessary for those providers to deliver services to us (see Section 9 below).
We retain personal information for as long as it is reasonably necessary for the purposes for which it was collected, and to comply with our legal and regulatory obligations. In particular, we are generally required to retain client records for a minimum period of 7 years under the National Consumer Credit Protection Act 2009 (Cth) and related regulatory requirements.
After this period, or when the information is no longer required, we will take reasonable steps to securely destroy or de-identify the information.
9. Overseas Disclosure
Some of the third parties to whom we disclose personal information, or who provide services to us, may be located outside Australia. This includes IT service providers, cloud hosting providers and AI tool vendors based in countries including India, the United States and the European Union.
Where personal information is disclosed to an overseas recipient, MCP takes reasonable steps to ensure that the recipient handles the information consistently with the APPs.
As electronic and cloud-based storage can be accessed from various countries, we may not always know in which country your information is held. If your information is stored in this way, disclosures may occur in countries other than those listed above.
10. Notifiable Data Breaches
MCP is subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. If MCP becomes aware of an eligible data breach — that is, unauthorised access to, unauthorised disclosure of, or loss of, personal information that is likely to result in serious harm to any individual to whom the information relates — we will:
• take reasonable steps to contain the breach and mitigate any resulting harm;
• assess whether the breach is likely to result in serious harm;
• if serious harm is likely, notify the affected individuals and the OAIC as soon as practicable; and
• include in our notification a description of the breach, the kinds of information involved, and recommendations about the steps individuals should take in response.
MCP maintains a data breach response plan and reviews it regularly.
11. Use of Artificial Intelligence (AI)
1.1 What We Mean by AI
In this Policy, “AI” means any software, system or service that uses machine learning, natural language processing, generative models or similar techniques to analyse information, generate content, draw inferences or assist in decisions. This includes:
• general-purpose generative AI tools (for example, enterprise versions of large language model assistants used to draft documents, summarise material or prepare correspondence);
• AI features embedded in business software MCP uses (for example, CRM, lending platform, document automation, meeting transcription, email productivity and cyber-security tools); and
• AI-enabled tools used by third parties that provide services to MCP, such as lenders, valuers, credit assessors and IT service providers.
11.2 How MCP Uses AI
MCP uses AI to support the efficient, accurate and timely delivery of its services. Typical uses include:
• drafting and reviewing correspondence, credit submissions, finance proposals, scenarios and file notes;
• summarising financial statements, tax returns, bank statements and other supporting documentation;
• preparing internal analysis such as serviceability screens, lender shortlisting, product comparisons and market commentary;
• transcribing and summarising meetings and phone calls where participants have been notified;
• enhancing productivity tools such as email, calendars, document search and knowledge management; and
• supporting cyber-security, fraud detection and quality assurance processes.
MCP staff remain responsible for reviewing AI-generated outputs and for all advice, recommendations and decisions provided to clients and referral partners.
11.3 AI and Decisions That Affect You
MCP does not use AI to make final credit decisions. Credit decisions are made by lenders in accordance with their own credit policies. Where AI is used by MCP to assist in assessing suitability, preparing a recommendation or shortlisting lenders, the ultimate recommendation and the exercise of professional judgement rests with an MCP finance broker or credit representative.
Where MCP uses a computer program to make, or to assist in making substantially and directly, a decision that could reasonably be expected to significantly affect your rights or interests, MCP will disclose this to you.
11.4 How We Protect Your Information When Using AI
• Vendor due diligence — AI tools used by MCP are selected through a due diligence process that considers privacy, security, data location and vendor commitments.
• No training on your data — Where practical, MCP uses enterprise or business-tier AI products that contractually prohibit the use of MCP data for training the underlying model.
• Staff training — Staff are trained on what information can and cannot be entered into AI tools and are required to follow MCP’s internal AI Use Policy.
• Human oversight — Outputs generated by AI are reviewed by an MCP staff member before being relied on or sent to you.
• Access controls — Access to AI tools is restricted to authorised staff and is subject to the same information security controls that apply to MCP’s other systems.
• Privacy impact assessments — MCP’s privacy impact assessments are updated when new AI tools or materially different uses are introduced.
11.5 Overseas Disclosure in Relation to AI
Some AI tools used by MCP are provided by overseas vendors, including vendors based in the United States and the European Union. This may involve personal information being stored or processed outside Australia. Where this is the case, MCP takes reasonable steps to ensure the vendor’s handling of personal information is consistent with the APPs, including through contractual protections and by selecting vendors that maintain recognised information security certifications.
11.6 Purpose of Use
MCP uses AI only for purposes that are the same as, or directly related to, the primary purposes for which your personal information was collected, being the provision of finance broking, debt advisory and related services and the administration of MCP’s business. MCP does not use your personal information to train third-party AI models and does not disclose your personal information to AI vendors for that purpose.
12. Your Rights Under the Privacy Act
You have a number of rights in relation to the personal information MCP holds about you, including the right to:
• request access to the personal information we hold about you (APP 12);
• request correction of personal information that is inaccurate, out of date, incomplete, irrelevant or misleading (APP 13);
• ask whether AI has been used in connection with your file and, in general terms, how;
• make a complaint about our handling of your personal information; and
• withdraw consent to a particular use or disclosure of your personal information where consent is the basis on which we rely, noting this may affect our ability to provide services to you.
To request access to, or correction of, your personal information, please contact us using the details in Section 14. We will respond to your request within a reasonable period and generally within 30 days. We may charge a reasonable fee for providing access where permitted by APP 12, but we will not charge you for making a request.
12.1 Statutory Tort for Serious Invasions of Privacy
Since 10 June 2025, individuals have had the right to take legal action for a serious invasion of their privacy under Schedule 2 of the Privacy Act. This is a separate right that does not depend on a complaint to MCP or the OAIC. If you believe your privacy has been seriously invaded, you may wish to seek independent legal advice about your options.
13. Complaints & Dispute Resolution
MCP takes all privacy complaints seriously. If you believe we have breached the APPs or mishandled your personal information, please contact our Customer Experience team:
Elizabeth Douglas
A – Level 2, 72 River Street, South Yarra, Vic 3141
E – e.douglas@mcpfinancial.com.au
T – 1300 510 816
We will acknowledge your complaint promptly and aim to resolve it within 30 days. We will keep you informed of the progress and outcome of your complaint.
If you are not satisfied with our response, you may contact:
Office of the Australian Information Commissioner (OAIC)
Phone: 1300 363 992
Website: www.oaic.gov.au
The OAIC can investigate complaints about the handling of personal information by organisations bound by the Privacy Act.
14. How to Contact Us
If you have any questions about this Privacy Policy, wish to request access to or correction of your personal information, or would like to make a complaint, please contact us:
MCP Financial Services Pty Ltd
Mail: Level 2, 72 River Street, South Yarra, VIC 3141
Email: e.douglas@mcpfinancial.com.au
Phone: 1300 510 816
15. Changes to This Policy
MCP may update this Privacy Policy from time to time to reflect changes in our practices, applicable law or regulatory guidance. The current version will always be available on our website or on request. We encourage you to review this Policy periodically.
Thank you for your time in reviewing our Privacy Policy.