Privacy Policy

This Privacy Policy contains information about how Your Future Strategy Holdings Pty Ltd (ABN 31 642 238 828) and its subsidiaries and related parties (‘Your Future Strategy, us, we or our’) collect, protect, use and share your personal information.

Following is a listing of those Your Future Strategy entities that you are most likely to engage with:

  • YOUR LOAN BROKER PTY LTD ABN 18 150 213 077
  • YOUR FINANCIAL ADVISOR PTY LTD ABN 59 608 700 456
  • YOUR TAX ADVISOR PTY LTD PTY LTD ABN 32 613 412 909
  • SCENE FINANCE PTY LTD ABN 43 149 529 215
  • LEGACY BUYERS AGENCY PTY LTD ABN 61 105 822 716
  • LEGACY PROPERTY MANAGEMENT PTY LTD ABN 42 149 071 992
  • LIGHTHOUSE PROPERTY NO. 1 PTY LTD ABN 37 148 189 075
  • LIGHTHOUSE PROPERTY NO. 2 PTY LTD ABN 31 148 189 048
  • CROY LEGAL PTY LTD ABN 11 651 833 199

Your Future Strategy abides by the Australian Privacy Principles (APPs), which are part of the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which amends the Privacy Act 1988.

1. Information we collect

As a financial services organisation we are subject to certain legislative and regulatory requirements which necessitate us obtaining and holding detailed information which personally identifies you and/or contains information or an opinion about you (“personal information”). In addition, our ability to provide you with comprehensive financial and lending advice is dependent on us obtaining certain personal information about you, including:

  • employment details and employment history
  • details of your financial needs and objectives
  • details of your current financial circumstances, including your assets and liabilities (both actual and potential), income, expenditure, insurance cover, estate planning and superannuation
  • details of your investment preferences and aversion or tolerance to risk
  • information about your circumstances, family commitments and social security eligibility.

2. Consequences of not providing information

Failure to provide the personal information referred to above may expose you to higher risks in respect of the recommendations made to you and may affect the adequacy or appropriateness of advice we give to you. We are required pursuant to the Corporations Act to collect sufficient information to ensure appropriate advice can be given in respect of recommendations made to our clients. If you elect not to provide us with the personal information referred to above, we may elect to withdraw our services if we believe we are unable to provide you with a complete service.

3. Open & transparent management of personal information

We are committed to being open and transparent about how we use personal information. Where our documents ask for personal information, we will generally state the purposes for its use and to whom it may be disclosed. If any of our documents do not clearly state the purposes for which we will use your personal information, please ask us and we will clearly explain them to you.

Information collected may be shared between the other necessary entities within Your Future Strategy Holdings, for the purposes of fulfilling your advice.

We will not use your personal information for any purpose other than that for which it was originally collected, unless you have given us your consent to do so, or unless it is reasonably expected that we will use the information for another purpose (a secondary purpose). An example of a secondary purpose is providing information in a court of law or dispute resolution.

Should we receive personal information that we have not asked for, we will establish whether the information could have been assessable and contained in a Commonwealth record and if the collection of this personal information was reasonably necessary or directly related to our service. Should the above not apply, we will as soon as practicable destroy the information.

While we may send you marketing material from time to time that we think will be useful to you, we are conscious of the need to respect your privacy.

Unless you are informed otherwise, the personal information we hold is used for establishing and managing your financial and lending products or services, reviewing your ongoing needs, enhancing customer service and product options and giving you ongoing information or opportunities that we believe may be relevant to your financial needs and other circumstances.

If, at any time, you do not wish to receive this information, you may contact us with this request. We will endeavour to meet your request within 2 weeks.

We maintain a register for those individuals not wanting direct marketing material. Please refer to the end of this document for our contact details.

Your Future Strategy takes its obligations to protect your information seriously; this includes when we operate throughout Australia and overseas. We share personal information outside of Australia with regulatory agencies, service and investment providers. We take reasonable steps to ensure that any overseas recipient will deal with such personal information in a way that is consistent with the Australian Privacy Principles.

4. Information collection policy

We will not collect any personal information about you except when you have knowingly provided that information to us or authorised a third party to provide that information to us. Generally, collection of your personal information will be effected either in a face-to-face interview, over the telephone or by way of an online client engagement form.

From time to time additional and/or updated personal information may be collected through one or more of these methods. We will only collect, maintain and use personal information about you if it is necessary for us to adequately provide to you the services you have requested including:

  • the preparation of your financial plan
  • the provision of financial planning advice to you
  • making securities and investment recommendations
  • reviewing your financial plan
  • reviewing securities and investment recommendations
  • lodging or redeeming investments
  • credit applications.

5. Information disclosure

We will not use or disclose personal information collected by us for any purpose other than:

  • the purposes for which it was provided or secondary related purposes in circumstances where you would reasonably expect such use or disclosure
  • where you have consented to such disclosure
  • where the National Privacy Principles authorise use or disclosure where required or authorised under law, in circumstances relating to public health and safety and in connection with certain operations by or on behalf of an enforcement body

This may involve the disclosure of your personal information. We are also obliged pursuant to the Corporations Act to maintain certain transaction records and make those records available for inspection by the Australian Securities and Investments Commission.

We may use the personal information collected from you for the purpose of providing you with direct marketing material, however you may, by contacting us by any of the methods detailed below, request not to receive such information and we will give effect to that request. Please allow two weeks for your request to be actioned.

We may disclose your personal information to superannuation fund trustees, insurance providers, lenders, and product issuers for the purpose of giving effect to your financial plan and the recommendations made by us.

In order to ensure that you receive a personal and tailored service, your personal information will be made available to other advisors or employees of Your Future Strategy.

It is a condition of our agreement with each of our advisors that they adopt and adhere to this privacy policy. You can be assured that your information will be maintained by any advisor or employee of Your Future Strategy in accordance with this policy. If you have any concerns in this regard, you should contact us by any of the methods detailed below.

We may disclose your personal information to external contractors for the following purposes:

  • storing information
  • audit of company accounts
  • compliance framework review

It is a condition of our agreement with each of our external contractors that they adopt and adhere to this privacy policy. We will confirm with external contractors that they have systems and procedures for handling personal information in accordance with this policy.

If you have any concerns in this regard, you should contact us by any of the methods detailed below. We will advise you of any change in business circumstances that may affect the handling of your personal information.

6. Storage of personal information

Your personal information is generally held in your client file. Information may also be held in a computer database. We will at all times seek to ensure that the personal information collected and held by us is protected from misuse, loss, unauthorised access, modification or disclosure. At all times your personal information is treated as confidential and any sensitive information is treated as highly confidential.

All record movements off premises are recorded in a central register. After-hours access to our premises is controlled by allowing only personnel with security passes to access the premises. All computer-based information is protected through the use of access passwords on each computer.

Data is backed up each evening and stored securely off site. In the event you cease to be a client of this organisation, any personal information which we hold about you will be maintained in a secure off-site storage facility, and destroyed after an appropriate period of time that complies with legislative and professional requirements (usually 7-10 years).

7. Access to your personal information

You may at any time, by contacting us by any of the methods detailed below, request access to your personal information and we will (subject to the following exceptions) provide you with access to that information either by providing you with copies of the information requested, allowing you to inspect the information requested or providing you with an accurate summary of the information held.

We will, prior to providing access in accordance with this policy, require you to provide evidence of your identity. We will not provide you access to personal information which would reveal any confidential formulae or the detail of any in-house evaluative decision-making process, but may instead provide you with the result of the formulae or process or an explanation of that result.

We will not provide you with access to your personal information if:

  • providing access would pose a serious threat to the life or health of a person
  • providing access would have an unreasonable impact on the privacy of others
  • the request for access is frivolous or vexatious
  • the information relates to existing or anticipated legal proceedings between us, and would not be discoverable in those proceedings
  • providing access would reveal our intentions in relation to negotiations with you in such a way as to prejudice those negotiations
  • providing access would be unlawful
  • denying access is required, or authorised by or under law
  • providing access would be likely to prejudice certain operations by, or on behalf of an enforcement body, or an enforcement body requests that access not be provided on the grounds of national security.

We will endeavour to respond to any request for access within 14 to 30 days depending on the complexity of the information and/or the request. If your request is urgent please indicate this clearly. In the event we refuse you access to your personal information, we will provide you with an explanation for that refusal.

8. Correction of personal information

We will endeavour to ensure that, at all times, the personal information about you which we hold is up to date and accurate. In the event that you become aware, or believe, that any personal information which we hold about you is inaccurate, incomplete or outdated, you may contact us by any of the methods detailed below and provide to us evidence of the inaccuracy, incompleteness or outdatedness and we will, if we agree that the information requires correcting, take all reasonable steps to correct the information.

9. WEBSITE

We collect personal information about you when you use and access our website. We may record certain information about your use of our website, such as which pages you visit, the time and date of your visit and the internet protocol address assigned to your computer. We may also use ‘cookies’ or other similar tracking technologies on our website that help us track your website usage and remember your preferences. Cookies are small files that store information on your computer, TV, mobile phone or other device. They enable the entity that put the cookie on your device to recognise you across different websites, services, devices and/or browsing sessions. You can disable cookies through your internet browser but our websites may not work as intended for you if you do so.

Our website may contain links to websites operated by other people. Those links are provided for convenience and may not remain current or be maintained. We are not responsible for the privacy practices of, or any content on, those linked websites, and have no control over or rights in any linked websites. The privacy policies that apply to those other websites may differ substantially from our Privacy Policy, so please read them before using those websites.

10. Notifiable Data Breaches

Entities subject to the Privacy Act 1988 (Cth) must comply with the Notifiable Data Breaches (NDB) scheme. The NDB scheme introduces an obligation to notify any individual whose personal information is involved in a data breach, where the data breach is likely to result in serious harm to an individual/s.

There is also an obligation to notify the Office of the Australian Information Commissioner (AOIC) of the data breach (if the breach is unable to be sufficiently remediated). The steps are detailed in the Cyber Incident Response Plan.

What breaches are notifiable?

An eligible data breach arises when the following three criteria are satisfied:

1. there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds

2. this is likely to result in serious harm to one or more individuals, and

3. the entity has not been able to prevent the likely risk of serious harm with remedial action.

How to assess if the information is likely to result in serious harm

An assessment needs to be undertaken to determine whether (from the perspective of a reasonable person) the data breach would be likely to result in serious harm to an individual whose personal information was part of the data breach.

“Likely to occur” means the risk of serious harm to an individual is more probable than not (rather than possible).

“Serious harm” may include serious physical, psychological, emotional, financial or reputational harm.

AOIC provides a set of examples to help assess whether a data breach is likely to result in serious harm.

The type and the sensitivity of the information should be carefully considered. For example, the AOIC acknowledges that the following types of information may increase the risk of serious harm:

  • ‘sensitive information’, such as information about an individual’s health;
  • documents commonly used for identity fraud (including Medicare card, driver licence, and passport details)
  • financial information; or
  • a combination of personal information (rather than a single piece of personal information).

How to prevent serious harm with remedial action

The NDB scheme provides the opportunity to take positive steps to address a data breach in a timely manner, and avoid the need to notify. If an entity takes remedial action that prevents the likelihood of serious harm occurring for any individuals whose personal information is involved in the data breach, then the breach is not an eligible data breach and does not need to be notified to the AOIC.

Assessing a data breach and response time required

If there are grounds to believe that Your Future Strategy has experienced an eligible data breach, it must promptly notify individuals and the Commissioner about the breach, unless an exception applies. In contrast, if Your Future Strategy suspects that it may have experienced an eligible data breach, it must quickly assess the situation to decide whether or not there has been an eligible breach. An assessment must be reasonable and expeditious, and organisations may develop their own procedures for assessing a suspected breach.

Your Future Strategy must take all reasonable steps to complete the assessment within 30 calendar days after the day the entity became aware of the grounds (or information) that caused it to suspect an eligible data breach.

How and who to notify?

If Your Future Strategy experiences an eligible data breach, it must provide a statement to the Commissioner, and notify individuals at risk of serious harm. The statement to the Commissioner must include:

Your Future Strategy’s contact details; a description of the breach; the type of information involved in the breach; and Your Financial Advisor’s recommended steps for individuals. An online form is required to be completed.


There are three options for notifying individuals at risk of serious harm, depending on what is ‘practicable’ for Your Future Strategy:

  1. Notify all individuals whose personal information was part of the data breach. This option may be appropriate, and the simplest method, if Your Future Strategy cannot reasonably assess which particular individuals are at risk of serious harm from an eligible data breach that involves personal information about many people, but where Your Future Strategy has formed the view that serious harm is likely for one or more of the individuals.
  2. Notify only those individuals at risk of serious harm as a result of the data breach. If Your Future Strategy identifies that only a particular individual, or a specific subset of individuals, involved in an eligible data breach is at risk of serious harm, and can specifically identify those individuals, only those individuals need to be notified.
  3. Publish notification: if neither option above is practicable, Your Future Strategy must publish a copy of the statement on the website and take reasonable steps to publicise the contents of the statements.

11. CYBER INCIDENT RESPONSE PLAN

12. COMPLAINTS

If you wish to complain about any breach or potential breach of this privacy policy or the National Privacy Principles, you should contact us by any of the methods detailed below and request that your complaint be directed to the Privacy Officer.

Your complaint will be considered within 7 days and responded to. It is our intention to use our best endeavours to resolve any complaint to your satisfaction; however, if you are unhappy with our response, you are entitled to contact the Office of the Privacy Commissioner who may investigate your complaint further.

13. POLICY UPDATES

This policy is subject to change from time to time. The most current version of our Privacy Policy can be obtained from the footer of our website (www.yourfuturestrategy.com.au) or by contacting us.

14. ADDITIONAL PRIVACY INFORMATION

Further information on privacy in Australia may be obtained by visiting the web site of the Office of the Federal Privacy Commissioner at www.privacy.gov.au.

15. CONTACT DETAILS

If you have a query relating to our privacy practices, please contact us at:

Compliance Coordinator
Your Future Strategy
PO Box 5104
Gold Coast Mail Centre
QLD 9726

Last update: May 2024