Privacy Policy

BeMoved Pty Ltd (ABN 37 649 325 940), a wholly owned subsidiary of Housed Group Limited (we, us, our) values your privacy and is committed to protecting your personal information.

This Privacy Policy explains how we collect, hold, use and disclose personal information when you interact with our services, including:

• BeMoved — our energy and telecommunications connection, disconnection and switching service (bemoved.com.au);

• One Click Switch — our energy plan comparison and switching service (oneclickswitch.com.au and associated partner portals);

• RateGuard — our ongoing energy plan monitoring and notification service (rateguard.com.au);

• any other websites, applications, products and services we operate from time to time (together, the Services).

We comply with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and (in respect of Consumer Data Right data) the Competition and Consumer Act 2010 (Cth) and the Consumer Data Right Rules.

Information about Consumer Data Right (CDR) data is set out at a high level in clause 6 below. The detailed rules for our handling of CDR data are set out in our separate CDR Policy, which is available at https://www.bemoved.com.au/legal/cdr-policy. CDR data is only used by One Click Switch and RateGuard — BeMoved does not use CDR data.

1. About this Privacy Policy

1.1 This Privacy Policy applies to personal information collected by us or on our behalf in connection with the Services.

1.2 It applies to the following kinds of people:

(a) Consumers — individuals who use the Services to connect, disconnect, compare, switch or monitor their energy or telecommunications plans;

(b) Service Providers — energy retailers, telecommunications providers and other businesses we work with to deliver the Services;

(c) Affiliates — businesses that use our platform on a white-label or referral basis to offer comparison, switching or connection services to their own customers, including real estate agents (particularly for BeMoved);

(d) Others — visitors to our websites, recipients of our communications, and anyone else whose personal information we hold.

1.3 This Privacy Policy does not apply to:

(a) our employees, contractors and job applicants (separate privacy arrangements apply);

(b) personal information collected by third party services that we link to but do not operate (each such third party has its own privacy policy);

1.4 We may update this Privacy Policy from time to time. The current version is always available on our websites. If we make material changes, we will take reasonable steps to notify you (for example, by email or in-platform notice). Continued use of the Services after the changes take effect constitutes your acceptance of the updated Privacy Policy. Where the changes require your specific consent under law, we will seek that consent separately.

2. What is personal information

2.1 Personal information has the meaning given to it in the Privacy Act. In general terms, it means information or an opinion about an identified or reasonably identifiable individual, whether or not the information or opinion is true and whether or not it is recorded in a material form.

2.2 Sensitive information is a subset of personal information defined in the Privacy Act. It includes health information, information about racial or ethnic origin, political opinions, religious beliefs, sexual orientation and biometric information. We handle sensitive information in accordance with clause 7.

2.3 Information that does not identify you and cannot be linked back to you is not personal information for the purposes of this Privacy Policy. We may use de-identified, anonymous or aggregated information for any purpose.

3. The personal information we collect

3.1 We collect different categories of personal information depending on who you are and how you interact with us.

3.2 Consumers. If you are a consumer, the personal information we may collect about you includes:

identity and contact details: your full name, date of birth or age, residential address, previous address (relevant for BeMoved moves), email address, mobile number and other phone numbers. These details may be provided directly by you or, where you have given the relevant CDR consent, received from your energy retailer or other CDR participant as customer profile or customer contact data;
account information: your username, password (which we store in hashed form only), account preferences, communication preferences, consent records, account status and whether you have an active Account, an active RateGuard Account or a Dormant Profile;
energy supply details: your current energy retailer, supply address, NMI or MIRN, meter and tariff details, usage information, billing information, current plan information, rates, fees, discounts, benefit periods and other information relevant to comparing, switching or monitoring your energy plan. Some of this information may be collected as CDR Data via One Click Switch or RateGuard — see clause 6 and our CDR Policy;
CDR customer detail data: where you have given the relevant CDR consent, customer profile and contact information made available under the Consumer Data Right, which may include your name, email address, phone number, mailing address, residential address and other customer details made available by your energy retailer or another CDR participant. We use this information only for the purposes you have authorised, including creating or managing your Account, creating or managing an active RateGuard Account where RateGuard monitoring is activated, delivering operational communications, managing CDR consents and providing the Services;
telecommunications service details (for BeMoved): your current or new telecommunications provider, service address, account or service identifiers, products selected, and other information needed to connect, disconnect or transfer a telco service;
verification information: information used to verify your identity or your status as the account holder, including identification document details where required by an energy retailer or telco provider to complete a connection, disconnection or switch;
medical devices and life support: information you provide about life support equipment at your supply address (this is sensitive information — see clause 7);
interaction and communications data: records of your interactions with the Services, support enquiries, surveys, alerts and notifications sent to you, and your engagement with those communications (for example, whether you opened an email or clicked an SMS link);
payment-related information: where relevant to a Savings Campaign payment, the details required to deliver that payment (for example, the email address linked to a digital gift card). We do not store full credit card or bank account details — these are handled by our payment providers;
device and online information: your IP address, device type, browser information, approximate location (derived from IP), and information about how you use our websites and applications (see clause 9 on cookies and analytics).

3.3 Dormant Profiles. Where you create an account for one Service, we may create a Dormant Profile for you in respect of our other Services to enable easy activation later (see our Terms and Conditions, Part C). A Dormant Profile holds only the personal information you have already provided to us, or that we are otherwise entitled to hold under these Terms. We do not collect new personal information under a Dormant Profile (in particular, we do not collect CDR Data under a Dormant Profile — CDR collection requires your express Consent at the point you activate the relevant Service). You can delete a Dormant Profile at any time.

3.4 Service Providers. If you are a representative of an energy retailer, telecommunications provider or other Service Provider, the personal information we may collect includes your name, business contact details, role, and the business and contractual information necessary to operate our commercial relationship.

3.5 Affiliates. If you are a representative of an Affiliate (including a real estate agent, financial institution or referral partner), the personal information we may collect includes your name, business contact details, role, bank account details for payments owing to your business, and the business and contractual information necessary to operate our commercial relationship.

3.6 Others. If you visit our websites, contact us, or engage with our marketing without becoming a Consumer, we may still collect limited information about you, such as your IP address, the contact details you provide, the content of your enquiry, and your engagement with our communications.

3.7 If you do not provide us with the personal information we request, we may not be able to provide some or all of the Services to you, or we may only be able to provide them in a limited form.

4. How we collect personal information

4.1 We generally collect personal information directly from you, including when you:

(a) create an account, fill out a form, or submit an application on our websites;

(b) upload a bill or enter information for a plan comparison (One Click Switch);

(d) submit an application to connect, disconnect or switch an energy or telecommunications service (BeMoved);

(e) contact us by phone, email, web chat, in-app messaging or social media;

(f) complete a survey, respond to a campaign, or interact with marketing material;

(g) access our websites or applications (we collect technical information automatically — see clause 9).

4.2 We may also collect personal information about you from third parties, including:

your energy retailer or telecommunications provider, where you have authorised us to obtain information from them, including via CDR for energy;
CDR participants, including our CDR Representative Principal and Accredited Data Recipient, Fiskil Pty Ltd, and your energy retailer as Data Holder, where you have given CDR consent for us to collect CDR Data. This may include customer profile and contact details, account and meter identifiers, plan information, usage information and billing information, depending on the data categories and purposes you have authorised;
identity verification providers we use to confirm your identity;
Affiliates and referral partners (including real estate agents, financial institutions and comparison sites) who refer you to us;
publicly available sources;
our service providers (for example, analytics providers, authentication providers, customer support providers and messaging providers who report on the delivery and engagement of communications);
law enforcement, regulators and government agencies, where permitted or required by law.

4.3 Where it is unreasonable or impracticable to collect personal information directly from you, we may collect it from a third party. Where we do, we will take reasonable steps to ensure that you are or have been made aware of the matters required by the APPs.

5. Why we collect, hold, use and disclose personal information

5.1 We collect, hold, use and disclose personal information for the purposes set out in this clause and for any other purpose disclosed to you at or before the time of collection.

5.2 The primary purposes for which we collect, hold, use and disclose personal information include:

providing the Services to you, including facilitating energy and telecommunications connections, disconnections and switches (BeMoved), running plan comparisons (One Click Switch), facilitating switches with energy retailers (One Click Switch), providing ongoing monitoring (RateGuard), and delivering notifications;
creating and managing your Account, including using contact details you provide directly to us or, where you have given the relevant CDR consent, contact details received through CDR customer detail data;
creating and managing an active RateGuard Account where you activate RateGuard directly, or where RateGuard monitoring is included in the One Click Switch service you select and you complete the relevant CDR consent flow. An active RateGuard Account allows us to monitor your energy plan, generate alerts and send operational monitoring communications for the duration of your active CDR consent;
creating and managing Dormant Profiles for Services you have not yet activated. A Dormant Profile is not an active service. In particular, for RateGuard, a Dormant Profile does not involve CDR collection, plan monitoring, savings calculations, RateGuard alerts or switching activity unless and until you activate RateGuard and provide the required consents;
verifying your identity, your status as the account holder and your eligibility for Savings Campaigns and other offers;
communicating with you about the Services, including operational communications, support, account notices, security notices, CDR consent notices, CDR consent expiry reminders, RateGuard alerts where you have activated RateGuard, and invitations to activate a Dormant Profile;
sending marketing communications, but only where you have given express opt-in consent. We do not treat your use of the Services, your creation of an Account, your creation of a Dormant Profile, or your CDR consent as consent to receive unrelated marketing;
calculating, storing and providing savings estimates, plan comparisons, alerts, eligibility outcomes and personalised insights;
disclosing information to energy retailers, telecommunications providers, CDR participants, service providers, outsourced service providers, Affiliates and referral partners where reasonably necessary to provide the Services or as otherwise described in this Privacy Policy and our CDR Policy;
managing our commercial relationships with Service Providers and Affiliates, including calculating and paying referral fees and commissions;
improving the Services, including through analytics, research, product development, testing, troubleshooting and security monitoring;
investigating complaints, suspected breaches of our terms, suspected fraud, data quality issues, security incidents and other unlawful or harmful conduct;
complying with our legal, regulatory and contractual obligations;
any other purpose that is reasonably necessary to operate our business or that you would reasonably expect, provided that where CDR Data is involved, we will only use or disclose it in accordance with your CDR consent, the CDR Rules and our CDR Policy.

5.3 We will only use personal information for a secondary purpose that is related to the primary purpose of collection, where you would reasonably expect such use, or where you have consented to it or it is otherwise permitted by law.

6. CDR Data — relationship to this Privacy Policy

6.1 CDR data is only used by One Click Switch and RateGuard. BeMoved does not collect or use CDR data.

6.2 Some of the personal information we hold about you may also be CDR Data — that is, data shared with us under the Consumer Data Right framework with your express CDR consent.

6.3 While we hold CDR Data, it is regulated under the CDR Privacy Safeguards in the Competition and Consumer Act 2010 (Cth) and the CDR Rules, rather than under the Australian Privacy Principles. Our handling of CDR Data is governed by our CDR Policy, not by this Privacy Policy.

6.4 When CDR Data is validly de-identified in accordance with the CDR Rules, it is no longer CDR Data and ceases to be regulated under the CDR Privacy Safeguards. When CDR Data is disclosed to a third party (such as an energy retailer to facilitate a switch) with your consent, it may also cease to be CDR Data in the hands of that third party.

6.5 In summary:

(a) for our handling of CDR Data, see our CDR Policy;

(b) for our handling of other personal information about you (including personal information that derives from but is no longer CDR Data), this Privacy Policy applies;

(c) your rights, the consents you give and how to withdraw them, and how to make a CDR-related complaint, are described in detail in our CDR Policy.

6.6 Where there is any inconsistency between this Privacy Policy and our CDR Policy in respect of CDR Data, the CDR Policy prevails.

7. Sensitive information

7.1 We generally do not seek to collect sensitive information about you. The most common circumstance in which we may collect sensitive information is where you provide information about life support equipment at your supply address (which is health information for the purposes of the Privacy Act). We may need this information to complete a connection, disconnection or switch with an energy retailer, who is subject to specific regulatory requirements concerning life support customers.

7.2 We will only collect sensitive information about you where:

(a) you have given your express consent;

(b) the collection is necessary for the Service you have requested; and

7.3 Sensitive information is held, used and disclosed only for the purposes for which it was collected and as otherwise required or permitted by law.

8. Minors

8.1 The Services are intended for adults aged 18 years or over. We do not knowingly collect personal information from individuals under 18.

8.2 If you believe we have inadvertently collected personal information from a person under 18, please contact us using the details in clause 20 and we will take reasonable steps to delete that information.

9. Cookies, analytics and tracking

9.1 When you visit our websites or use our applications, we and our service providers may collect information using cookies, pixels, software development kits (SDKs), tags and similar tracking technologies.

9.2 We use these technologies for purposes such as:

(a) operating and securing the Services (these are strictly necessary and cannot be turned off);

(b) remembering your preferences and login state;

(d) measuring the effectiveness of our marketing, including campaigns run in partnership with Affiliates and other partners (only with your consent where required).

9.3 The third party analytics and tracking providers we use include

Google Analytics 4 and Google Tag Manager, to measure website and application usage, traffic sources, conversion events and service performance;
Meta Pixel and Meta Business Tools, to measure the effectiveness of Meta advertising campaigns and related conversion events;
HubSpot tracking code, forms and related analytics, to manage forms, customer journeys, communications and campaign performance;
Mixpanel, to measure product usage, funnels, feature engagement and service performance. Where Mixpanel receives data derived from CDR activity, we configure it to receive only De-identified Data as described in our CDR Policy;
Hotjar, Microsoft Clarity or similar session analytics tools, where enabled, to understand how users interact with our websites and improve user experience;
other analytics, attribution or consent-management tools identified in our cookie banner or Service Provider Register from time to time.

We do not intentionally send CDR Data to advertising pixels, session replay tools or third party marketing platforms. 9.4 You can manage cookies through your browser settings. Some browsers offer a “Do Not Track” signal; we currently do not respond to Do Not Track signals because there is no industry-wide standard for how to interpret them.9.5 Information collected via these technologies may be combined with other personal information we hold about you.

10. Marketing communications — express opt-in

10.1 We only send marketing communications to people who have given express opt-in consent. We do not assume marketing consent from your use of the Services.

10.2 Marketing consent is sought separately from any operational consent (such as consent to receive RateGuard alerts, transactional messages about a switch you are completing through One Click Switch, or invitations to activate a Dormant Profile). You can give marketing consent at sign-up, in your account settings, or in response to specific offers.

10.3 Marketing communications may include news, offers, promotions, surveys, and information about our products and services or those of our Affiliates and partners. We will only send you marketing for products or services that are related to the categories you have consented to.

10.4 CDR Data limitation. We will not use CDR Data to market products or services that are unrelated to the comparison, switching or monitoring of your energy services. This is a commitment under our CDR Policy and we apply it strictly.

10.5 Withdrawing marketing consent. You can withdraw your marketing consent at any time by:

(a) using the unsubscribe link in any electronic marketing message;

(b) replying STOP (or the equivalent) to any SMS marketing message;

(d) contacting our Privacy Officer (clause 20).

10.6 Withdrawing marketing consent does not stop operational communications (such as account, security, switching-process, Dormant Profile and CDR-consent expiry messages), which are necessary for us to deliver the Services and to comply with our legal obligations.

10.7 All electronic marketing is sent in accordance with the Spam Act 2003 (Cth). Telemarketing is conducted in accordance with the Do Not Call Register Act 2006 (Cth).

10.8 Third party marketing. We do not provide your personal information to third parties for them to use for their own unsolicited marketing without your express consent.

11. Automated decision-making and analytics

11.1 We use automated processes, including statistical models and machine learning techniques, to:

(a) calculate personalised savings estimates and rank plans for you (One Click Switch);

(b) monitor your energy plan and decide when to send a notification (RateGuard);

(d) detect possible fraud, misuse or anomalies in how the Services are being used;

(e) improve the Services through analytics and product research.

11.2 These processes do not generally produce decisions with significant legal effect on you. Where an automated outcome materially affects you (for example, a determination that you are not eligible for a Savings Campaign payment), you can request that we explain our decision and (where appropriate) review the outcome. You can do so by contacting our Privacy Officer (clause 20).

12. How we share and disclose personal information

12.1 We may disclose your personal information to the following categories of recipients, where it is necessary for the purposes set out in clause 5:

(a) Energy Retailers — where you direct us to facilitate a connection, disconnection or switch (BeMoved or One Click Switch), we disclose to your chosen Energy Retailer the information necessary to complete the application (your name, contact details, supply address, NMI or MIRN, identification information, medical devices declaration and, where authorised, usage information);

(b) Telecommunications Providers — where you direct us to facilitate a telecommunications connection, disconnection or transfer (BeMoved), we disclose to your chosen provider the information necessary to complete the application (your name, contact details, service address, account or service identifiers, identification information, and product selections);

(c) Affiliates and referral partners — where you accessed the Services through an Affiliate (for example, a real estate agent, financial institution or comparison site), we may share with that Affiliate information necessary to administer the referral arrangement, including whether you completed a connection, disconnection or switch and (in aggregated or de-identified form) campaign performance;

(d) CDR partners — our CDR Representative Principal and Accredited Data Recipient (Fiskil Pty Ltd) and other CDR participants, in accordance with the CDR Policy;

(e) Service providers and outsourced service providers — third parties who help us deliver the Services, including cloud hosting and infrastructure providers (such as Amazon Web Services), messaging and communications providers (such as Twilio, MessageMedia, SendGrid and Mailgun), identity verification providers, authentication providers (Clerk), product analytics providers (Mixpanel, which only receives de-identified events), payment and gift card providers (such as Prezzee), customer support tooling, and professional advisers;

(f) Related bodies corporate — our parent and related entities (including Housed Group Limited and other entities within our corporate group) for the purposes described in clause 5;

(g) Authorised parties — any third party you authorise us to disclose your information to;

(h) Legal and regulatory recipients — law enforcement, regulators, courts and tribunals, where we are required or permitted by law, including in connection with the detection or investigation of unlawful activity, suspected fraud, or threats to safety;

(i) Business transition recipients — in connection with a sale, merger, reorganisation or insolvency event affecting our business, subject to confidentiality obligations and your rights under law.

12.2 We do not sell your personal information. We do not disclose your personal information to other organisations for them to use for their own unrelated marketing purposes without your express consent.

12.3 A current list of our key service providers, including those that handle data outside Australia, is available on request. The list of OSPs handling CDR data is published in our CDR Policy.

13. Overseas disclosure

13.1 Some of our service providers may store or process personal information outside Australia. The countries to which we are likely to disclose personal information include:

(a) the United States — our messaging providers (Twilio, SendGrid, Mailgun), authentication provider (Clerk), product analytics provider (Mixpanel — de-identified events only), and certain Amazon Web Services support and management functions;

13.2 Before disclosing personal information overseas, we take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to that information. This typically includes binding the recipient under contract to standards that are consistent with the APPs and assessing the recipient’s information security practices.

13.3 Where you have given consent to the overseas disclosure (for example, by accepting a service from a clearly named overseas provider), APP 8.1 may not apply. Where we rely on this exception, we will make the disclosure transparent to you at or before collection.

14. How we store personal information and keep it secure

14.1 We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure. These steps include:

(a) encryption of data in transit and at rest using current industry-standard methods;

(b) access controls based on the principle of least privilege, with multi-factor authentication for systems containing personal information;

(d) logging, monitoring and alerting on access to systems containing personal information;

(e) regular security testing and review of our systems and our service providers;

(f) staff training on privacy and information security.

14.2 No method of electronic transmission or storage is perfectly secure, and we cannot guarantee absolute security.

14.3 If you suspect that your Account has been accessed without authorisation, or that your personal information has been compromised in any way, please contact our Privacy Officer immediately using the details in clause 20.

15. How long we keep personal information

15.1 We retain personal information only for as long as is reasonably necessary for the purposes for which it was collected, including:

(a) while you have an active Account or an active Dormant Profile;

(b) while you have active CDR consent (for One Click Switch and RateGuard);

(d) for the period required to comply with our legal, regulatory, tax and accounting obligations (typically up to seven years for financial records);

(e) for the period required to defend or pursue legal claims;

(f) for the period required to investigate or address suspected fraud, misuse or breach of our terms.

15.2 When personal information is no longer required and we are not required by law to retain it, we will destroy it or de-identify it.

15.3 Specific retention rules apply to CDR Data and are set out in our CDR Policy.

15.4 Where your Account or Dormant Profile has been inactive (no activity across any Service) for a continuous period of 12 months, we may close your Account and delete the associated information in accordance with our Terms and Conditions.

16. Data breach notification

16.1 We have a documented data breach response process. If we suspect or become aware of unauthorised access to, unauthorised disclosure of, or loss of personal information that we hold, we will:

(a) promptly assess whether the incident is likely to result in serious harm to any affected individual;

(b) take reasonable steps to contain the incident and remediate the cause;

(c) where the incident is an eligible data breach under the Notifiable Data Breaches scheme, notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by the Privacy Act;

(d) where the incident involves CDR Data, comply with the additional notification obligations in the CDR Rules.

17. Your rights and choices

17.1 Access. You can request access to the personal information we hold about you at any time by contacting our Privacy Officer (clause 20). We will respond within a reasonable period (generally within 30 days). We may need to verify your identity before providing access. We will not charge you for making a request, but we may charge a reasonable cost for providing access in particular forms. We may refuse access in the limited circumstances permitted by the Privacy Act, in which case we will provide written reasons.

17.2 Correction. If you believe personal information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, you can request that we correct it. We will correct the information or, where we disagree, attach a note to the record stating that you consider the information should be corrected.

17.3 Deletion. You can request that we delete the personal information we hold about you (including deleting a Dormant Profile or closing your Account). We will give effect to that request to the extent we are able, subject to our legal, regulatory and contractual obligations to retain certain information (for example, transactional records that we are required to keep).

17.4 Withdrawing consent. Where we rely on your consent to collect, use or disclose personal information, you can withdraw that consent at any time. Withdrawal does not affect any collection, use or disclosure we have already made in reliance on the consent.

17.5 Opting out of marketing. See clause 10.

17.6 Anonymity and pseudonymity. Where it is lawful and practicable, you can interact with us anonymously or by using a pseudonym (for example, when making a general enquiry). For most of the Services it is not practicable to interact anonymously — we cannot, for example, complete a connection or switch on your behalf without your identity.

17.7 Specific rights in respect of CDR Data are set out in our CDR Policy.

18. Government related identifiers

18.1 We do not adopt a government related identifier (such as a tax file number or Medicare number) as our own identifier for you. We do not use or disclose government related identifiers except where permitted by the Privacy Act.

19. Changes to this Privacy Policy

19.1 We may update this Privacy Policy from time to time. The most recent version is always available on our websites and the “last updated” date appears at the top.

19.2 Where the changes are material, we will take reasonable steps to notify you in advance, such as by email or in-platform notice. Where the changes require your specific consent under law, we will obtain that consent separately.

20. Contact us and how to make a complaint

20.1 If you have a question about this Privacy Policy, want to exercise any of your rights, or want to make a complaint about how we have handled your personal information, please contact our Privacy Officer:

Privacy Officer

BeMoved Pty Ltd

ABN 37 649 325 940

Level 8, 2 Bligh St, Sydney NSW 2000

Phone: 1300 661 464

Email: privacy@bemoved.com.au

20.2 We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. If your complaint is complex, we will let you know if we need longer.

20.3 If you are not satisfied with our response, you can refer your complaint to the Office of the Australian Information Commissioner (OAIC):

Phone: 1300 363 992

Website: www.oaic.gov.au

20.4 Complaints about our handling of CDR Data may also be referred to the OAIC and to the Australian Competition and Consumer Commission (ACCC), as described in our CDR Policy.

20.5 If your complaint relates to the conduct of an energy retailer or to the supply of energy, the relevant energy ombudsman in your jurisdiction may also be able to help.

20.6 If your complaint relates to the conduct of a telecommunications provider or to the supply of telecommunications services, you may also be able to contact the Telecommunications Industry Ombudsman (TIO).

Document version: 2.0

Last updated: 28th May 2026

Related documents: Terms and Conditions; CDR Policy.