Privacy Policy

Version 1.0 15/01/2024
Privacy Policy

Version 4.0 – 7/11/2025

About us

Truyu means CBA New Digital Businesses Pty Ltd (NDB), a wholly owned subsidiary of the Commonwealth Bank of Australia (CBA).
You can find information about Truyu on the Truyu website at www.truyu.com.au.

Your privacy is important to us

At Truyu, we understand how important it is to keep any personal information we have, including about visitors browsing the Truyu Website www.truyu.com.au ("Website") or the Truyu app ("App") and registered members, private, protected and safe. We are committed to protecting the personal information of individuals with whom we deal.
Truyu (CBA New Digital Businesses Pty Ltd) is responsible for the collection and handling of your personal information in accordance with the Privacy Act 1988 (Cth). This Privacy Policy outlines how we can collect, use, hold and disclose your personal information.
Some of our service providers are located outside Australia — see ‘Sending Data Overseas’ below for more information.
Please read through this Policy carefully prior to using the Truyu Website or the App. The personal information we seek to collect about you is necessary for the service we provide. If you do not provide us with all of the information we require, we may not be able to deliver our service to you.
We update this Policy when things change. You can always find the most up-to-date version through the Website or the App.

How do we collect your information?

We collect your personal information directly from you most of the time, however on occasion, we may also collect information about you from other people and organisations.

We collect personal information when you:

  • onboard to use our products and services
  • enquire about or use our products or services
  • contact us to make an enquiry or give us feedback
  • visit our website or use our digital services
  • participate in other activities we offer, such as feedback surveys or customer offers in relation to other CBA products and services
  • talk to us or do business with us

What information do we collect?

We usually collect the following types of personal information:

Type Details
Contact Information Personal Information including your email address and phone number.
Identity Information Personal Information apart from Contact Information relating to your identity, including your full name, date of birth, identity documents, such as your driver’s licence or passport details and your address.
Sensitive information Our service provider, GBG, will collect an image of your face and images of your identification documents (such as driver’s licence or passport), for biometric identification purposes. This information will only be used to verify your identity so that we can make sure the ID you are monitoring belongs to you. We do this to protect you against identity fraud. GBG will delete these images after 7 days. We'll always ask you for your permission to collect these images. For more information, view GBG’s Privacy Policy. To use the Scam Checker service, we will collect an image or text message you provide, which may contain personal or sensitive information if you provide it. Our service provider will store this image or text message.
Information required to provide service Any information you or our service providers share with us where required to provide a service. This may include but is not limited to:
- Images or text messages you upload to the Scam Checker Service.
- Email address(es) that you register for monitoring in the Email Leaks Service.
- Card number(s) that you submit to the Card Leaks Service.
- Alert details that are returned from our service provider(s) to provide you with the Truyu Alerts Service.
- Feedback you provide on your experience in the app.
Interaction information We may collect details of your interactions with us, such as when you email us to make an enquiry, provide feedback, or make a complaint.
Usage and Device Information When you access the Website or the App, we collect your location information, IP address, mobile device and network information. The recording of such information enables us to optimise the App for our users, without identifying them. If you access the Website or the App, we will only store your personal information if you input it into the Website or the App through an online form, e.g. when you sign up, or email us.

If you do not create an account with Truyu, we collect Usage and Device Data. If you do not provide us with the information in whole or in part, we may not be able to provide you with our products and services.

How do we use your Personal Information?

We use your Personal Information for various purposes:

Purpose Details
To provide you with products and services We use your information to provide you with our services, including when we are required to verify your identity.
To improve our product We use aggregated insights from your interaction and usage data to improve our services and features.
To communicate important and marketing information with you We communicate important information about changes to our service, to resolve any issues you may have, or to provide our service. We may contact you, for example if we need to tell you something important, request customer feedback, or tell you about products or services we think may be of interest to you.
Managing security, risk, compliance and crime prevention We use your information to:
- Comply with our legal and regulatory obligations and assist government and law enforcement agencies or regulators.
- Support our administrative purposes and any other purposes permitted by law.
- Manage our risks and help identify and investigate any illegal activity, such as fraud.
We may use automated tools to detect fraud and manage our risks.
Generate insights and intelligence regarding scams, fraud and other misconduct We use your information to generate insights about scams and fraud affecting our customers. These insights are aggregate and de-identified. We share these insights with CommBank, CommBank’s intelligence partners and other third parties who identify, investigate and prevent fraud, scams or other misconduct (see ‘Who do we share your information with’ below for further detail).
Identity verification We collect information from your identity documents (e.g. a driver’s licence or passport) to verify your identity. We will disclose this information to credit reporting bodies, Commonwealth and state government departments and other verification partners who match your information with the information held by the issuer or official record holder via third party systems. You can find out more information about the operation and management of these services in the ID Match Privacy Statement.

Do we use information for direct marketing?

We may use personal information we collect about you to provide direct marketing offers for Truyu products and services, which we think may be of interest to you, unless you tell us not to by opting out at any time. Opt-out may be in the form of an email or other electronic means.

How safe and secure is the information we hold about You?

We take great care with the information We hold about You. Our aim is to ensure that any details are securely protected from misuse, interference and loss, and unauthorised access, modification or disclosure. We will take reasonable care to make sure that We keep Your information in an accurate, complete and up-to-date manner.
The Website and the App is professionally hosted and operates in a secure environment. The Website and the App uses encryption techniques to enhance Your privacy and security when using the Website and the App. You should however be aware that there is always an inherent risk in transmitting Your personal information via the internet.

Access Seeker Authorisation

Your personal information and authority for us to act as your access seeker will be retained until the end of your subscription. If your subscription expires, your authority for us to act as your access seeker will continue for 120 days after expiration of your service. This is to enable us to resubscribe you to Credit Activity Alerts if you change your mind. We will retain your personal information for 12 months from the date your subscription expires, or as otherwise required by law.
Where you tell us that you no longer wish for us to hold your personal information, or you wish to withdraw the authority for us to act as your access seeker so you no longer receive Credit Activity Alerts, you may ask us to delete your account and personal information by contacting us at contact@truyu.com.au or by using the app. Truyu will take reasonable steps to destroy or de-identify your personal information unless there is a legal requirement for us to retain it.

Who do we share your information with?

We disclose personal information to third parties for the reasons mentioned in ‘How do we use your Personal Information?’. Where we share information with third-party service providers, we require them to comply with strict privacy and security obligations consistent with this Policy and the Privacy Act 1988 (Cth). The types of third parties are listed below:

  • Our parent company, the Commonwealth Bank of Australia and other members of the CommBank Group;
  • Our service partners who help us deliver our products and services to you, including credit bureaus, identity checking providers and dark web monitoring providers;
  • Our suppliers, agents, associates, contractors and external service providers;
  • Our financial advisers, legal advisers or auditors;
  • Regulatory bodies, government agencies and law enforcement bodies in any jurisdiction; and
  • External dispute resolution schemes; and
  • Scams and fraud intelligence partners. We will share the information contained within any text message uploaded by you to the Scam Checker service with CommBank who will generate insights and provide intelligence to:
    • organisations that assist CommBank to identify, investigate, or prevent fraud, scams or other misconduct; and
    • regulatory bodies, government agencies and law enforcement bodies to prevent, detect and investigate suspicious or fraudulent activities, including the Anti-Scam Intelligence Loop coordinated by the Australian Financial Crimes Exchange and National Anti-Scam Centre.
  • We may also provide personal information about you to external organisations in circumstances where we are required or authorised by law, or with your express consent.
  • We will share aggregate data on the performance of the Website and the App and user behaviour analytics with our parent company, the Commonwealth Bank of Australia Group, this may include subsidiaries located outside Australia.

Sending data overseas

We may send your information to recipients located overseas, including to service providers and other third parties who operate or hold data outside Australia. The purposes for which we may send your data overseas include for identity verification purposes, managing customer service, reporting and analytical purposes, and system development testing purposes.
When we send your information overseas, it is likely to be the United States of America, these service providers include Twilio, SendGrid and Enzoic. If this happens, we require such organisations to have the appropriate data handling and security arrangements in place to ensure compliance with this Policy and the law.

Cookies and analytics

What are cookies?

Cookies are text files that are downloaded to your computer or mobile device when you access a website. As you browse, cookies gather and store some information about the way you use that website.
Cookies allow the website to recognise your device each time you visit, providing you with a better experience because the site learns your preferences as you browse. Some types of cookies also perform essential functions to enhance how the site works.

How we use cookies on the Website and the App

Cookies are used on the Website to track your journey through the Website. The type of cookie we use collects no personal information at all. This simply allows us to see at a glance which pages and information are of most interest to visitors and members. Most browsers can be configured to refuse to accept cookies. You can also delete cookies, however, doing so may hinder your access to valuable areas of information within the Website.
The App uses your device’s information, such as your device ID, and uses local secure storage to remember your login details. To delete your device information, you will need to delete or uninstall the App from your device or clear your local storage.

Google Analytics Advertising Features and the cookies it uses

We use Google Analytics features based on Display Advertising. You can opt-out of Google Analytics Advertising Feature by using the Google Ad Settings within the web-browser. In addition, you can use the Google Analytics Opt-Out Browser Add-on to disable tracking by Google Analytics.
We use Google Analytics Demographics and Interest-Reporting to understand the spread of age ranges, gender, and geographic locations of Our users. This enables Us to tailor the Website, content and Our marketing around Our users’ interests.
We may use “Remarketing” with Google Analytics and other platforms such as Facebook Retargeting to advertise online. This will utilise different cookies. Third-party vendors, including Google, Facebook and media agencies, show Our ads on websites across the internet. These third-party vendors use the cookies on Our Website to inform, optimise and serve ads based on Your past visits to Our Website.
For further information about how Google Analytics collects and processes information, please refer to "How Google uses information from sites or apps that use our services", (located at https://policies.google.com/technologies/partner-sites).

Using data

Improvements in technology enable organisations, like us, to collect and use information to get a more integrated view of users and provide better products and services. We may combine user information with information available from a wide variety of external sources to analyse the data in order to gain useful insights.

Keeping your information safe

We take great care with the information we hold about you. Our aim is to ensure that details are securely protected from misuse, interference, and unauthorised access, modification or disclosure service. We take great care to make sure that we keep your information in an accurate, complete and up-to-date manner.
The Website and the App are professionally hosted and operate in a secure environment. The Website and the App use encryption techniques to enhance your privacy and security when using the Website and the App. You should however be aware that there is always an inherent risk in transmitting your personal information via the internet, including by email.
The period of time we keep your information will depend on the type of information we hold about you. Generally, your information will be retained while we have an ongoing relationship and for a period of time as required under specific legislation relating to the type of information held.

Accessing, updating and correcting your information

Refer to “What information do we collect?” and “How do we use your Personal Information?” for more details on information we collect and store from You. You can contact Us if you have specific questions pertaining to your information. There is no fee to ask Us for Your personal information. We try to respond to Your personal information requests within 30 days after You ask Us for it. Before We give You the information, We will need to confirm Your identity. In some cases, We may refuse access or only give You access to certain information. If We do this, We’ll write to You explaining Our decision.
If You wish to access a copy of Your full free Experian credit report, please visit Experian's website at https://www.experian.com.au/consumer/order-credit-report.
We might contact You periodically or prompt You to update Your personal information when You log into the App. You can find information on how to contact Us under the Contact Us section of this Privacy Policy.
If You wish to update any information We hold about You, please delete your account and create your account using Your updated information.
If You think there is a mistake with Your credit reporting information, then it is important to first check Your credit report which You can obtain from Experian. If any details are wrong, You can ask either Experian or Your credit provider to have them corrected.

Other important information

Changes to the privacy policy

Sometimes we update our Privacy Policy. Any modifications will be effective immediately upon posting the amended Privacy Policy on the Website or the App. We may contact you or notify you when you log into the Website or the App that there have been changes to our Privacy Policy. You can always find the most up-to-date version on the Truyu website at truyu.com.au.

Making a privacy complaint

We try to get things right the first time – but if we don’t, we’ll do what we can to fix it. If you are concerned about your privacy, you can make a complaint by emailing us at complaints@truyu.com.au and we’ll do our best to sort it out.
Once the complaint has been received, we’ll look into the issue and try to resolve it as soon as possible. If we can’t we’ll write to you to let you know how we’ll manage the complaint.
If your complaint is about how we handle your personal information, you can also contact the Office of the Australian Information Commissioner (OAIC):

Office of the Australian Information Commissioner (OAIC)

Website: www.oaic.gov.au

Ph: 1300 363 992

Postal address: Office of the Australian Information Commissioner, GPO Box 5218, Sydney, NSW, 2001

Contact Us

Please contact us if you:

  • Have a concern about the handling, use or disclosure of your personal information;
  • Would like further information about the way we manage the personal information that we hold;
  • Wish to access or update your personal information; or
  • Have any other query or concern

You can contact us via email at contact@truyu.com.au

Our registered business address is:

CBA New Digital Business Pty Ltd

Commonwealth Bank Place South

Level 1

11 Harbour Street

Sydney NSW 2000

ID Verification Privacy Collection Notice

ID Verification Privacy Collection Notice

About this notice

This notice explains how CBA New Digital Businesses Pty Ltd trading as Truyu (“Truyu”, “we”, “our”, “us”) collects, uses and discloses personal information when you verify your identity or enable identity-related features in the Truyu app.

What we collect

When you complete identity verification or activate related features, we collect personal information such as:

  • Identity details, including your name, date of birth, and address
  • Contact details, including your email address and phone number
  • Identity documents and facial images, used only for identity verification. These images are deleted shortly after verification, and we always ask for your consent before collecting them.

We may also collect information from our trusted partners to support certain features, including the Identity Protection Scan which includes a one-off historic scan of:

  • Identity Checks: details of where your verified identity has been used, such as telcos or banks.
  • Dark Web Leaks: information on whether your identity details have been found in data breaches.

Why we collect this information

We collect this information to confirm your identity and to provide features that depend on verified identity information — for example, showing where your ID has been used or alerting you if your details have appeared in data breaches.

Who we share it with

We share this information with our service providers who help deliver these features (such as identity checking and dark web monitoring providers). Some of our service providers may store or process data outside of Australia, including in the United States.

Privacy Policy

For more information, read our Privacy Policy. It tells you:

  • How to access your information and correct it if it's wrong
  • How to make a privacy-related complaint (including about our compliance with the Australian Privacy Principles) and how we'll deal with it
Card Leaks Privacy Collection Notice

Card Leaks Privacy Collection Notice

About this notice

This notice explains how CBA New Digital Businesses Pty Ltd trading as Truyu (“Truyu”, “we”, “our”, “us”) collects, uses and discloses personal information when you use the Card Leaks feature or related dark web checking services in the Truyu app. Read this together with our Privacy Policy, which explains your rights and how to contact us.

What we collect

When you use Card Leaks, we collect your card number so we can check whether it has appeared in certain dark web or data breach sources.

Why we collect this information

We collect this information to provide card checking and monitoring services, and to notify you if your card information is found in potential data breaches.

Who we share it with

We share your card information only with our dark web monitoring third-party service provider, which performs these searches securely on our behalf. This provider is located in the United States and uses the information only to deliver this service. You can learn more about how to access or correct your information, or make a complaint, in our Privacy Policy.

Subscription Services Privacy Collection Notice

Subscription Services Privacy Collection Notice

About this notice

This notice explains how CBA New Digital Businesses Pty Ltd trading as Truyu (“Truyu”, “we”, “our”, “us”) collects, uses and discloses personal information when you subscribe to Truyu’s ongoing monitoring and alert services.

What we collect

When you subscribe, we use and disclose personal information needed to register and deliver your monitoring services. This includes your verified name, date of birth, address, email and phone.

We may also collect information from our third-party service providers to support certain features. While you are subscribed and as our service monitors, we may continue to receive information including:

  • Credit File Checks: information about accesses to your credit file
  • Dark Web Leaks: information on whether your details have been found in data breaches and additional information that appears alongside your identity details (e.g. passwords)
  • Card Leaks: information on whether your card number has been found in sources such as the dark web
  • Identity Checks: details of where your verified identity has been used, such as telcos or banks

Why we collect this information

We collect and use this information to register you for and provide the Truyu alert and monitoring services.

Who we share it with

We share this information with our third-party partners who help deliver these features. These include identity checking and dark web monitoring providers, as well as credit bureaus who hold your credit file. If you don’t already have a credit file, the credit bureau may create one when we begin monitoring, and we’ll then monitor that file. Some of our service providers may store or process data outside of Australia, including in the United States.

Privacy Policy

For more information, read our Privacy Policy. It tells you:

  • How to access your information and correct it if it's wrong
  • How to make a privacy-related complaint (including about our compliance with the Australian Privacy Principles) and how we'll deal with it
Truyu Logo
Get the app
Privacy PolicyTerms & ConditionsContact Us

Truyu is a brand of CBA New Digital Businesses Pty Ltd ABN 38 633 072 830 trading as Truyu.

CBA New Digital Businesses Pty Ltd is a wholly owned but non-guaranteed subsidiary of the Commonwealth Bank of Australia ABN 48 123 123 124. CBA New Digital Businesses Pty Ltd is not an Authorised Deposit-taking Institution for the purposes of the Banking Act 1959 and its obligations do not represent deposits or other liabilities of Commonwealth Bank of Australia.

To access detailed terms and conditions about Truyu please click here. For information on how we collect and handle personal information, see our Privacy Policy.

*The Identity Check Alert Service is not comprehensive. Importantly, you will only receive a notification if GBG has informed us that your first name, last name and date of birth have been used at an Australian merchant that is onboarded by GBG as part of our Identity Check Alert Service. As at 5 February 2025, GBG handles over 60% of online identity checks run by Australian merchants. 

**There is an initial three-month trial, for all new customers. A monthly subscription fee of $4.99 will be debited from your Apple App Store or Google Play Store payment method once the trial is completed, unless you cancel your subscription before the end of the trial.

Apple and the Apple Logo are trademarks of Apple Inc. Google Play and the Google Play logo are trademarks of Google LLC.

Truyu 2024. All rights reserved.