Privacy Policy

Firma Foreign Exchange Corporation (ARBN 113 919 869, AFSL #306556) (referred to as ‘Firma’, ‘we’, ‘our’, ‘us’) is committed to safeguarding your personal information in adherence to Australian Privacy Principles (‘APPs’) and the Privacy Act 1988 (‘Privacy Act’).

Firma is owned by OFX Group Limited, listed on the Australian Stock Exchange as OFX. OFX is a global company with offices and employees around the world. To offer our services to you, your information may be shared with other companies in the OFX group and be processed in accordance with the OFX Privacy Policy. When your information is transferred outside of Australia, we will treat your information with the same privacy principles as required under Australian law.

Personal Information means information or an opinion relating to an individual, which can be used to identify that individual, and can include the individual’s name, address, phone number, etc.

Note that only your information as an individual is protected under the APP and Privacy Act. Our privacy policy, however, extends to both individuals and businesses, and other than the individual rights in section 5 of this policy, which do not apply to a business, we protect business information in the same way as information on an individual.

This Privacy Policy describes how we collect information, how we use the information we collect, who we share this information with, and the rights that you as an individual have over this information.

This Policy applies to Firma Foreign Exchange Corporation, Level 19, 60 Margaret St, Sydney NSW 2000 Australia, and covers all of our operations and functions. All Third Parties that have access to or use personal information collected and held by Firma must comply with this Privacy Policy. Firma makes this Policy available free of charge and it can be downloaded from

In this Privacy Policy:

  • Credit information is personal information (other than sensitive information) that relates to an individual’s credit history or credit worthiness, and is further defined in the Privacy Act. Credit information includes information that we have obtained from Third Parties, including individuals, other credit providers and credit reporting bodies (‘CRBs’);
  • Disclosure of Information means providing information to persons outside Firma;
  • Individual means all persons whose personal information we collect, hold, use or disclose;
  • Privacy Officer means the contact person within Firma for questions regarding Firma’s Privacy You can contact the Privacy Officer via email at [email protected] or in writing at Firma Foreign Exchange Corporation, , Level 19, 60 Margaret St, Sydney NSW 2000 Australia;
  • Sensitive Information is personal information that includes information relating to a person’s racial or ethnic origin, political opinions, religion, trade union or other professional or trade association membership, sexual preferences and criminal record, and also includes health information;
  • Third Parties mean clients, suppliers, sub-contractors, agents or other people having a commercial relationship with Firma; and
  • Use of Information means use of information within Firma.
  1. The Information that We Collect About You, and Why
  2. The Security of Your Information
  3. Disclosure of Your Information to Third Parties
  4. How Long We Keep Your Information
  5. Your Individual Rights
  6. Who to Contact
  7. Updates to this Policy

1.  The Information that We Collect About You, and Why?

We collect only the information that we need for the purposes of providing you with superior services. In order to collect your information, we will either ask for your permission, or make you aware that the information is required for legal or contractual reasons before providing you with our services.

Who Do We Collect Personal Information From?

We may collect personal information about the following individuals:

  • clients;
  • potential clients;
  • service providers, suppliers or contractors; and
  • other Third Parties with whom we come into contact.

What Kinds of Personal Information Do We Collect and Hold?

We may collect and hold the following kinds of personal information about individuals:

  • name;
  • date of birth;
  • contact details;
  • employment details;
  • details of the individual’s foreign exchange preferences and aversion or tolerance to risk;
  • driver’s licence, passport and other identification document details; and
  • any other information that is relevant to the services that we provide.

Website Cookies

Our website,, uses cookies, which are small bits of information that are placed on your computer to help you experience our website better. For more information about our use of cookies and how they may affect your privacy, please consult our Cookie Policy.

Information from Our Website, Contact Details and Basic Information

You may choose to provide information about yourself by filling in a form on our website. This can include your name, email address, phone number, and address, as well as other information about you or your business.

We may also collect your business contact information through a third party, a referral, from your website, or directly from a personal meeting with you.

We use your information to determine how you might get the most benefit out of the products and services we have to offer. If we see that our products and services might be a fit for you, we will use your contact details to reach out to you and establish a business relationship.

The information that we initially collect is your business contact information. If, however, you have provided us with your personal contact information, we understand that you have provided us with the information only for the purposes of contacting you, and we will use it only for this purpose. If at any time, you change your mind and no longer want to hear about our products and services, you can ask that your information be removed from our contact list. More information on this can be found in Sections 5 and 6.

Your Preferences and Opinions

We want to understand your preferences and opinions to help serve you better. We may ask how and when you like to be contacted, the information that you would like to receive from us, your opinions on our products and services, and what you would like to see from us in the future. We will collect this information through direct dealings with you, via anonymous surveys, or through online forms. You can manage your preferences through our email preferences page. More information on this can be found in Sections 5 and 6.

Account Opening Information

In order to use our services, we need to collect and verify information about you in order to satisfy our legal obligations under The Anti-Money Laundering and Counter Terrorism Financing Act 2006 (AML/CTF) Act and Regulations. These regulations include provisions to collect information on both organisations and individuals as well as verify this information using reliable sources.

For businesses, the information we collect can include registration documents, ownership information and general knowledge of your business operations.

The information we collect about you as an individual, will include personal information such as your legal name, home address, and date of birth occupation and phone number. We are required to collect your information if you set up an account for yourself, or if you are working on behalf of a business, such as being an owner, director, partner, or contact person for the business.

We may also require documents such as a copy of a valid driving license or passport to verify the information you have provided us.

The information that we collect will be mainly from you, however we will also collect information from other sources, such as from your website and government registries.

As mentioned above, your information is required by us to fulfil a legal obligation. If you want to open an account with us, you will need to supply your information. We will use this information for record keeping purposes and to fulfil our legal requirements under the AML/CTF Act. We will also use this information to contact you about your account, to send you confirmations and contracts, to notify you if there are security concerns on your account, to resolve disputes, and to give you general information about your account.

Most of the information that we send you will be about the operation of your account and is required for legal or contractual purposes. The exception to this is marketing material, which you can opt in or out of at any time.

If we are setting up an account for a business, and you are the contact for that business, we may ask you information about the owners or directors of the business. This information is for legal purposes under the AML/CTF Act. If these people are not otherwise contacts with us, we ask that you provide them with a copy of our privacy policy so that they are aware of how we protect their information. We will not use their information other than to fulfil our legal obligation under the act and regulations.

Banking Information

In order to process transactions for you, we will require general banking information such as the account owner, bank account number, account owner’s address, bank name, and banking Id (i.e. SWIFT code, Sort code).

The banking information that you provide may be your own, however may also be the information of the person you will be paying through us. When providing banking information that is not your own, we require that you share this privacy policy with that person so that they are aware of the privacy standards that we commit to, and can contact us if they have questions or concerns.

When we receive money from you, your bank will include a reference to your name, address, transaction reference and the bank that you used to perform the transaction. We collect this information as confirmation of your payment to us.

As per the AML/CTF Act, we are legally required to keep a record of your transaction information as well as a record of your payment instructions through Firma.

Credit Information

When you apply for certain products and services, such as high volume direct debits or zero deposit forward contracts, we will perform a credit check on you. This credit check ensures that we are not exposed to any financial risk when providing the product or service to you.

We may request financial information about your business, or perform a credit search using a reliable credit bureau. We will use this information to decide if these specific products and services can be offered to you. As this information is specific to these products or services, we will let you know before we collect this information so you are aware of our use of your information for these purposes. At that time, you can decide if you want to go forward with your application for these products or services, or choose to stick with our other products and services that do not require credit information.

Incidental Information, Minors, and Sensitive Information.

We will not ask for information about minors, and we ask that you do not supply information about minors to us. Individuals must be over 18 years of age to do business with Firma.

We will not request information that would not be necessary for you to do business with us, such as information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, , health information or information concerning a person’s sex life or sexual orientation.

While Firma does not seek to collect the information described above, this information may be inadvertently captured through our interactions with you. For example, you may advise that you are feeling ill in the same email that you provide us with transaction instructions. Because we capture the email for recordkeeping purposes as it includes transaction details, we will have also inadvertently captured information about your health.

By agreeing to our privacy policy, you are agreeing that any incidental collection of this information is allowed, and you are aware that Firma will not use this information for any purpose other than store the information as part of our records. You are aware that unless we are legally required to, via a court ordered subpoena, we will not share this information with anyone.

In rare cases, we may inadvertently request personal information that we would otherwise not collect in normal business practices. For example, we may require the purpose of your transaction, or an invoice to support your transaction if it involves money going to a certain parts of the world. Let’s say that the purpose of your transaction is to pay for the medical bills for a child family member. If you provide that information to us, we would have collected information on a minor, information on that child’s health.

If we make a general request for information, we ask that you advise us that your answer could include personal information or information on a minor. We will then assess if we can satisfy our contractual or legal requirements in a different way, or if the information is necessary to facilitate your transaction request with us. If the information happens to be necessary, we will inform you. You can then make a choice to either provide us with the consent to process your information specifically for that transaction request, or you may choose to modify your transaction request with us.

Limitation of our Services and Anonymous Data

If the personal information we request from you is not provided, we may not be able to provide foreign exchange services to you, or meet an your needs appropriately.

Firma does not give individuals the option of dealing with us anonymously, or under a pseudonym. This is because it is impractical, and in some circumstances illegal, for Firma to deal with individuals who are not identified.

Unsolicited Personal Information

Firma may receive unsolicited personal information about individuals. We destroy or de-identify all unsolicited personal information, unless the personal information is relevant to Firma’s purposes for collecting personal information.


We will not use identifiers assigned by the Government, such as a tax file numbers or passport numbers for our own file recording purposes, unless one of the exemptions in the Privacy Act applies. Firma endeavours to avoid data-matching.

2.  The Security of Your Information

The APPs require us to take all reasonable steps to protect the security of personal information. Firma employees must respect the confidentiality of the personal information we collect.

Firma takes reasonable steps to protect personal information held from misuse, loss or interference and unauthorised access, modification or disclosure. All personal information contained in hard copy documents held by Firma is stored in locked cabinets. All personal information stored on Firma’s computer system is backed up regularly, and back-up copies are held in a secure location. In relation to our client database, we apply the following guidelines:

  • data ownership is clearly defined within Firma ;
  • passwords are routinely checked;
  • we change employees’ access capabilities when they are assigned to a new position;
  • employees have restricted access to certain sections of the system;
  • the system automatically logs and reviews all unauthorised access attempts;
  • the system automatically limits the amount of personal information appearing on any one screen;
  • unauthorised employees are barred from updating and editing personal information;
  • all personal computers which contain personal information are secured, physically and electronically;
  • data is encrypted during transmission over the network;
  • print reporting of data containing personal information is limited;

Regular Risk Assessments

We conduct regular risk assessments, which means that we review the risks that your information could be accessed, modified or lost. A risk assessment will include research on new and emerging fraud and security risks, and how they may affect the security of your information.

Using this risk assessment, we then build security controls to ensure the protection of your information, against both current and future fraud and security risks.

Controls and Monitoring

We use up to date firewalls and IT infrastructure to ensure that your information is protected. These systems are monitored on a regular basis to ensure that if malicious activity or risks to your personal information are found, they are stopped before any damage is done.

Regular Testing

Not only are our IT systems tested on a regular basis, but our people are too. Fraud isn’t only about hacking systems. It is also about ‘hacking’ individuals by tricking them into providing access to secure systems.

We regularly test both our systems and people to ensure that the controls that we place to protect your information are sound, and the people that are involved in those controls are well informed and aware of our security measures over your information.

Our People

Our employees go through vigorous security checks in order to work for us. We ensure that they do not have any criminal history and can be trusted with your information. As an additional measure, your information can only be viewed by employees who specifically require access to your information in order to provide services to you, or by employees who are in security or regulatory reporting roles.

A few of the ways we control access to your information is through measures such as swipe cards to access our offices, passwords to open our computers, further passwords to open applications on those computers, and limits on access according to job function.

All new employees are provided with timely and appropriate access to Firma’s Privacy Policy. Employees must read and understand this Policy and ensure that they understand the privacy issues that relate to Firma’s business activities.

Notifiable Data Breach Scheme

Firma is obligated to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of eligible data breaches.

A data breach is defined as personal information held by Firma that is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference, and where serious harm would result based on the breach.

Firma actively takes measures to ensure the security of personal information. In the unlikely event that there is a data breach, we will notify the OAIC and individuals affected when the following criteria are satisfied;

  1. there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that Firma holds,
  2. this is likely to result in serious harm to one or more individuals, and
  3. Firma has not been able to prevent the likely risk of serious harm with remedial action.

3.  Disclosure of Your Information to Third Parties

Firma may use and disclose personal information for the primary purposes for which it is collected, for reasonably expected secondary purposes which are related to the primary purpose and in other circumstances authorised by the Privacy Act. Sensitive information will be used and disclosed only for the purpose for which it was collected or a directly related secondary purpose, unless the individual agrees otherwise, or where certain other limited circumstances apply (e.g. where required by law).

In relation to sensitive information held by us, wherever possible, Firma will attempt to destroy or de-identify the information. We also undertake to destroy or de-identify all personal information about an individual when it is no longer needed or relevant.

We will not share your information with any third party, other than what is necessary to perform a service that you have requested or for our own internal business needs. In these situations, we prohibit that person from using personal information about the individual except for the specific purpose for which we supply it. We prohibit that person from using the individual’s information for the purposes of direct marketing their products or services. We will share your information in the following circumstances:

To Communicate With You

When we reach out to you for surveys, e-newsletters, or similar emails, we may use a third party provider (software or other service) to facilitate that service. The third parties that we use are under contract so that they do not use your information for their own purposes and do not share your information further. We also do regular checks to make sure that the third party adheres to security protocols designed to protect your information.

To Keep Your Information Up to Date

We may use a third party service to provide us with updates about your business, for example if you have changed addresses, your website, or other business information. In order to do so, we need to provide the third party with your basic details, and they will update our records accordingly, based on public information about your business. When we do so, we ensure that the third party is under contract, and not able to use your information for any other reason.

To Facilitate Your Transactions

If you request a payment through us, we will need to share your information with our banking partners in order to facilitate your request.

When we process your information, we may also use third party software programs to do so. This includes software used for business operations, fraud prevention, client management, customer service, security, and other important functions to make your transactions safe, secure, and timely.

Similar to the services we use to communicate with you, the third parties that we use to facilitate your transactions are also under contract so that they do not use your information for their own purposes, do not share your information further, and hold your information securely.

To Offer Other Services

Some of the products and services that we offer to you, may be provided by one of Firma’s partners as opposed to being provided by Firma directly. If this occurs, we will notify you of this relationship and you will have the option of accepting or declining this offer. If you accept the offer, the personal information that you provide to Firma’s partner will be the responsibility of the partner, and bound by their privacy policy.

To Verify Your Identity

We verify the information you provide to us on our set up forms for fraud prevention purposes. We don’t want to open up an account for someone pretending to be you, and relying on false information. We are also obligated to verify your identity by the AML/CTF Act.

In order to verify your information as an individual, we will provide your information to a third party credit reporting agency who will use your credit records to tell us if the information we supplied to them is correct or not.

We verify the information about your business by reviewing your business filings and other registry documents. This does not include any sharing of your information with these registries.

Anti-Money Laundering, Sanctions Screening, and Risk Management

Australian economic sanctions require that business do not facilitate business with countries, businesses, or individuals listed on Australian sanctions lists. We screen all clients and parties to a transaction against known sanctioned individuals, and consider other areas of risk and compliance when processing transactions. In order to fulfil this requirement, we may share your name, date of birth and address information with a third party provider, who specialises in these services.

To Give you Credit

Some of our products and services require us to assess your credit risk to us. If you apply for any of these products or services, we will pull a credit report on your business, which involves us sharing your business and contact details to do so.

You may make a request for us not to pull a credit report on your business, however this may impact the transaction limits that we can supply you with.

For Legal Reasons

We must provide information to law enforcement or regulatory authorities where we are required to do so. We may also share your information with our own lawyers if it is necessary to solve a dispute.


You may have been referred to us by an affiliate. An affiliate is someone who has an agreement with us, where they let us know about companies that would likely benefit from our products and services. In exchange, we may provide them with an incentive for doing so.

If you were referred to us by an affiliate, and they are promised an incentive in return by us, they will get a breakdown of the number of clients that they have referred to us, as well a total number of transactions they have done. This breakdown is not client specific and will not include your name or identifiable details, however if the affiliate only has one referral, they could infer your transaction amounts and frequency through us.

For Our Own Statistics

We may share your information with a third party service provider in order to get statistical data on our client base. We do this to understand what kind of clients appreciate our services, and to determine if we are serving you in the way we intend to. When we do this, we ensure that the service provider is under contract and is not allowed to use your information for other purposes.

Mergers and Acquisitions

It is possible that Firma could buy, merge with, or be bought by another company. Prior to a merger or acquisition, we may need to share your information with the interested party and their advisors. This is done to determine the value of our assets prior to the merger or acquisition.

If the merger or acquisition is successful, your information will be transferred to the new owner/company. Your information will continue to be bound by this privacy agreement until it is updated or amended.

Sending Information Overseas

We are likely to store personal information on data servers that are located in Canada and the United Kingdom. We will not send personal information to recipients outside of Australia unless:

  • we have taken reasonable steps to ensure the recipient does not breach the Privacy Act and the APPs;
  • the recipient is subject to an information privacy scheme similar to the Privacy Act; or
  • the individual has consented to the disclosure.

Direct Marketing

Firma does not use your personal information for the purposes of direct marketing, unless:

  • the personal information does not include sensitive information; and
  • you would reasonably expect us to use or disclose the information for the purpose of direct marketing or you have provided consent; and
  • we provide a simple way of opting out of direct marketing; and
  • you have not requested to opt out of receiving direct marketing from us.

In relation to sensitive information, Firma may only use or disclose sensitive information about you for the purpose of direct marketing if the you have consented to the use or disclosure of the information for that purpose.

You can opt out of direct marketing by contacting us, and we must give effect to the request within a reasonable period of time. You may also request that Firma provides you with the source of their information. If such a request is made, Firma must notify you of the source of the information free of charge within a reasonable period of time.

Contractual Arrangements with Third Parties

Firma must ensure that all contractual arrangements with third parties adequately address privacy issues. Firma will make third parties aware of this Privacy Policy. Third parties will be required to implement policies to ensure they comply with the Privacy Act, including:

  • regulating the collection, use and disclosure of personal and sensitive information;
  • de-identifying personal information wherever possible;
  • ensuring that personal information is kept securely, with access to it only by authorised employees or agents of the third parties; and
  • ensuring that the personal information is only disclosed to organisations which are approved by Firma.

4.  How Long We Keep Your Information

If you are our client, we are legally required to retain your information for 7 years from the date of your last transaction with us. If you set up an account but did not conduct a transaction, we keep your information for 7 years from the date your account was set up. In some instances, for example due to a dispute, law enforcement request, or to protect our interests, we may hold your information for longer than 7 years.

If you are not our client, you will have provided us with your information for contact and marketing purposes. You may remove your consent at any time, and we will remove your information from our systems.

You may want to request that we do not use your information for our marketing to you, instead of requesting us to remove your information completely. That way, we can have a record of your contact details, along with a record of your request for no contact. If you ask us to delete your information completely, then we will not have either record and may accidentally contact you in the future if we come across your contact information on the internet or elsewhere.

5.  Your Individual Rights

To Update or Correct Your Information

We want to make sure that we have correct information about you. If you see that something is inaccurate, reach out to us through your contact with Firma and let us know. We will then update our records to make sure that your information is corrected.

We may ask for additional documents to verify the information you are supplying. This is part of our obligations under the AML/CTF Act to verify the information that you provide to us. If you are unable to provide the documents we request, we may need to delay the update of your information until you are able to provide us with them.

To Request a Copy of Your Information

We will let you know if we have any of your information and we will provide you with a copy of the information that we have collected about you. You can request all of your information, or you can be specific with your request. You can request this by reaching out to your contact with us, or by sending us an email to [email protected]. If you use our email, we will then reach out to you to explain our process for sending your information.

In short, though, we will first need to verify that the person making the request is you. We don’t want to provide your information to anyone that requests it. We will verify that it is you, by either requesting a copy of an identification document or asking you a series of questions that only you would know.

Once we have verified that it is you, we will need time to process your request. It may take up to 30 days to process your request. If we are having unforeseen issues, and need more time, we will let you know and provide you with the timeframe for completing your request. If we refuse to provide access, we will provide reasons for the refusal.

Limitations on Requesting Your Information

We have no problem with facilitating most requests to provide you with your information, however we reserve the right to charge a reasonable fee for repeated, or excessive requests. For example, if you request for all of your information to be provided once a month, each month, even though your information will not have changed, we will calculate the cost of doing so for the second and subsequent requests and ask that you provide a payment for this service.

To Withdraw Consent and Delete Your Information

You may withdraw your consent for us to use your information at any time. This means that you do not want your information used by us in any way. With that said, we will need to retain records of your information as part of our obligations under the AML/CTF Act where applicable.

Withdrawing consent to use your information will mean that we can no longer offer our products and services to you, as your information is contractually and legally required to be able to offer our services.

Where we do not have a legal reason to hold your information, we will then make efforts to remove your information from our records. If we cannot do so for legal reasons, we will let you know, as well as provide you with the date in the future when your information can be deleted.

To Opt Out

As opposed to removing your consent altogether, you have the option of removing your consent from specific products and services that we have to offer. For example, if you no longer want us to email you our newsletter, you can opt out at any time, while continuing to benefit from our other products and services.

To ask about this option, talk to your contact with us, and we will make the effort to provide you with exactly the products and services that you want.

Your Right to Lodge a Complaint

Firma has an effective complaints handling process in place to manage privacy risks and issues, which involves:

  • identifying (and addressing) any systemic compliance problems; and
  • handling individual complaints about privacy quickly and effectively.

Individuals can make a complaint to Firma about the handling of their personal information by lodging a complaint with the Privacy Officer. If you have any questions about our privacy procedures, or if you wish to make a complaint about how we have handled your personal information you may lodge a complaint with us in any of the following ways:

  • by telephoning – 1300 456 239
  • by writing to – Firma Privacy Officer, Level 19, 60 Margaret St, Sydney NSW 2000 Australia
  • by emailing – [email protected]

If you are not satisfied with the result of your complaint to Firma you can also refer your complaint to the Office of the Australian Information Commissioner. You can contact the Office of the Australian Information Commissioner:

  • by telephoning – 1300 363 992
  • by writing to – Director of Complaints, Office of the Australian Information Commissioner, GPO Box 5218, SYDNEY NSW 2001
  • by emailing – [email protected]

6.  Who to Contact

If you have any questions or would like to contact us to make a request about your information, we ask that your first contact be with your regular contact with Firma. Otherwise, you can contact us via the information below:

Email: [email protected]


Attn: Privacy Officer FIRMA

Level 19, 60 Margaret St Sydney NSW 2000 Australia

7.  Updates to this Policy

This Policy will be reviewed from time to time to take account of new laws and technology, changes to our operations and the business environment.