CDR Data Policy

Effective date: 19 March 2026


1. Introduction

1.1 ForeFlow Pty Ltd (ABN 41 693 400 029) (“ForeFlow”, “we”, “us”, “our”) is committed to protecting the privacy and security of data accessed through Australia’s Consumer Data Right (CDR) framework.

1.2 ForeFlow operates as an accredited representative under Cuscal Limited (via Basiq), a Principal Accredited Data Recipient under the CDR regime. This means we are authorised to access your banking data through secure, regulated open banking channels.

1.3 This CDR Data Policy explains how we collect, use, store and delete CDR data — specifically, the banking data we access when you connect your bank account to ForeFlow. This policy applies only to CDR data. For information about how we handle other personal information, please see our Privacy Policy.

1.4 We may update this policy from time to time. The updated version will be published at this URL and will take effect from the date of publication.


2. What CDR data we collect

2.1 When you connect your bank account to ForeFlow, we access the following data from your financial institution through the CDR framework:

Account information: Account names, account numbers (masked), account types (e.g. transaction, savings, loan), account balances and available funds.

Transaction data: Transaction dates, amounts, descriptions, merchant names, payment channels and transaction categories for the current financial year.

2.2 We only request data that is necessary to provide ForeFlow’s financial intelligence features. We do not request data beyond what is required for the purposes described in this policy.


3. Why we collect CDR data

3.1 We use your CDR data solely to provide the following ForeFlow features:

Bank balance tracking: Displaying your current and historical bank balances across connected accounts on the CashDash dashboard.

Cashflow forecasting: Using your real bank balance as the starting point for forward-looking cashflow projections.

Spending analysis: Categorising and summarising your business transactions to identify spending patterns and trends (available on Pro and Enterprise plans).

3.2 We do not use your CDR data for marketing, advertising, credit scoring, or any purpose other than delivering the ForeFlow features described above.


4. Who we share CDR data with

4.1 We do not share your CDR data with any third party. Your banking data is only accessible to you (and any team members you have authorised within your ForeFlow business account).

4.2 Your CDR data is stored securely in ForeFlow’s database infrastructure (hosted by Supabase on AWS). It is not sent to any other service, platform or third party.

4.3 ForeFlow’s AI features (FlowPilot and FlowLab) use aggregated business summaries and key performance indicators to generate insights. Individual bank transactions are not sent to AI service providers.


5. How we protect CDR data

5.1 We take the security of your CDR data seriously and implement the following protections:

  • All CDR data is accessed through Basiq’s secure, CDR-compliant API infrastructure.
  • Data is encrypted in transit using TLS and at rest within our database.
  • Row-level security policies ensure your banking data is isolated from all other users on our platform.
  • API keys used to access banking data are scoped to minimum required permissions and rotated every 90 days.
  • Access to CDR data within ForeFlow is restricted to authenticated users with appropriate roles within your business account.

6. How long we retain CDR data

6.1 We retain your CDR data for as long as your bank feed connection is active and your ForeFlow account remains open.

6.2 When your consent is revoked, expires, or your bank feed is disconnected, we permanently delete all CDR data associated with that connection. This includes all stored bank transactions, account balances, daily balance summaries and account details. This deletion is automated and occurs immediately upon consent revocation or expiry.

6.3 If your ForeFlow subscription is downgraded to a plan that does not include bank feed access, your bank feed connection is automatically disconnected and all CDR data is deleted as described above.


7. How to manage or revoke your consent

7.1 You are in control of your CDR data at all times. You can manage or revoke your consent using either of the following methods:

Method 1 — Within ForeFlow: Navigate to Settings > Bank Feeds and click “Disconnect”. This will immediately revoke your consent at your bank and delete all CDR data from ForeFlow.

Method 2 — Contact us: Email [email protected] and request that your bank feed consent be revoked. We will process your request within 2 business days.

7.2 Revoking your consent will not affect any other data in your ForeFlow account (such as data from Xero, Simpro or ServiceM8). Only CDR data from your bank feed will be deleted.

7.3 You may reconnect your bank feed at any time by initiating a new consent through ForeFlow. A new consent period will begin from the date of reconnection.


8. Your rights

8.1 Under the CDR framework, you have the right to:

  • Know what CDR data we hold about you;
  • Revoke your consent at any time (see section 7);
  • Request deletion of your CDR data; and
  • Lodge a complaint if you believe your CDR data has been mishandled.

8.2 To exercise any of these rights, contact us at [email protected].


9. About the Consumer Data Right

9.1 The Consumer Data Right (CDR) is an Australian Government initiative that gives consumers and businesses greater control over their data. In the banking sector, CDR is known as “Open Banking” and allows you to securely share your banking data with accredited and authorised services like ForeFlow.

9.2 The CDR is administered by the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC). For more information about the CDR, visit cdr.gov.au.


10. Contact us and complaints

10.1 If you have any questions about how we handle your CDR data, or if you wish to make a complaint, please contact us at:

Email: [email protected]

10.2 We will investigate your query or complaint and aim to respond within 30 days.

10.3 If you are not satisfied with our response, you may contact:

  • Office of the Australian Information Commissioner (OAIC): oaic.gov.au | 1300 363 992
  • Australian Competition and Consumer Commission (ACCC): accc.gov.au | 1300 302 502

Copyright 2026 | ForeFlow Pty Ltd | ABN: 41 693 400 029
