Viable logo
Resources
Blog Demo Key documents API access
About
Our Team What are projections? What are different pathways? Scenario analysis explained AASB Compliance
Get started

Consumer Data Right (CDR) Policy

Effective Date: 07/11/2025

Viable Pathway Pty Ltd (ABN 15687421772)

1. Introduction

Viable Pathway Pty Ltd ("we", "us", "our") is committed to handling consumer data in line with the Australian Consumer Data Right (CDR) framework where that framework applies to our activities.

This CDR Policy explains how we approach CDR-related information when you use our web application, API services, or website (collectively, the "Services"). It should be read together with our Privacy Policy, which covers personal information more broadly.

The CDR is established under Part IVD of the Competition and Consumer Act 2010 (Cth) and the Competition and Consumer (Consumer Data Right) Rules 2020 (Cth) ("CDR Rules"), and is jointly regulated by the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC). Official guidance is published on cdr.gov.au.

2. What is the Consumer Data Right?

The CDR gives consumers and certain small businesses the right to access particular data held about them by businesses that must share it (data holders), and to authorise accredited third parties (accredited data recipients) to receive and use that data in approved ways. Different "sectors" (for example, banking or energy) are brought into the CDR over time, each with its own data standards and safeguards.

The CDR includes legally binding privacy safeguards that apply to CDR data. Those obligations operate alongside the Privacy Act 1988 (Cth) and the Australian Privacy Principles where both apply.

3. How this relates to Viable Pathway

Our Services are designed to help organisations model greenhouse gas (GHG) emissions, scenarios, and transition planning. Depending on the features we make available, you may choose to provide data that was originally obtained or exported under the CDR (for example, usage or account-related information from an authorised connection or file you control).

Where a feature involves the formal CDR disclosure pathway (for example, an authorisation presented through a data holder or accredited data recipient), we will identify that at the point of use and provide any additional information required by law or by your authorisation (including who is accredited, what data categories are requested, and retention periods where specified).

If you are unsure whether a particular workflow involves CDR data, you can check your dashboard or authorisation history with your data holder or the accredited party named in your consent, or contact us using the details at the end of this policy.

4. Consent and authorisation

CDR data must only be collected and used in line with valid consumer authorisations and the CDR Rules. We do not seek to bypass or replace the consent and authorisation mechanisms required by the CDR.

You may withdraw or manage authorisations through the channels your data holder or accredited recipient provides. Withdrawing consent may limit our ability to continue certain features that depend on refreshed CDR data.

5. Use, disclosure, and minimisation

We use CDR-related information only for the purposes described to you at collection, in your agreement with us, and as permitted by law—including to operate, secure, and improve the Services, and to provide support.

We apply data minimisation: we collect and retain only what is reasonably needed for those purposes. We do not sell CDR data. We disclose CDR-related information only as permitted by the CDR framework, by law, with your clear agreement, or as described in our Privacy Policy (for example, to confidentiality-bound service providers who help us host or secure the platform).

6. Redundant Data (Deletion and De-identification)

When CDR data is no longer needed for the purposes for which it was collected, and we are no longer required by law or a court/tribunal order to retain it, the data becomes "redundant."

Our Default Practice: We will permanently and irretrievably delete redundant CDR data by purging it from our production databases.

Consumer Election: You may elect for your redundant CDR data to be deleted at any time by contacting us. If you make this election, we will delete the data (and any de-identified versions of it) unless an exception under the CDR Rules applies.

De-identification: In specific cases where we de-identify redundant data rather than deleting it, we use aggregation techniques to ensure the data can no longer be linked to an identifiable individual. We do this for the purpose of general research and service performance analysis.

7. Joint Accounts

If you hold a joint account with another person, the CDR allows either account holder to manage data sharing.

Disclosure Options: By default, a "disclosure option" applies to joint accounts. This means either account holder can authorize the disclosure of CDR data to an accredited recipient without needing the other holder's approval for each request.

Management: You can change your disclosure options or withdraw sharing permissions for joint accounts at any time through your Account Settings.

Notifications: If one account holder authorizes or withdraws a data-sharing arrangement, we will notify the other joint account holder(s) through their nominated contact method.

8. Accuracy and Correction of CDR Data

We take reasonable steps to ensure the CDR data we hold is accurate, up-to-date, and complete. If you believe your data is incorrect:

Request: Contact us at info@viablepathway.net to request a correction.

Acknowledgment: We will acknowledge your request within five business days.

Action: Within 10 business days, we will either correct the data or provide you with a notice explaining why a correction is not necessary or appropriate.

No Fee: There is no charge for making a correction request or for the correction itself.

Refusal: If we refuse to correct the data, we will explain our reasons and how you can complain if you are dissatisfied with our decision. If the data originated from a third-party Data Holder, we may direct you to contact them to fix the error at the source.

9. Security

We protect CDR-related information using appropriate administrative, technical, and organisational measures, including encrypted transmission (HTTPS / TLS), access controls, monitoring, and secure cloud infrastructure. We review our practices as the CDR standards and threat landscape evolve.

You are responsible for safeguarding your account credentials and for any authorisations you grant to third parties.

10. Complaints and Dispute Resolution

If you have a concern about how we have handled your CDR data, you can lodge a formal complaint by emailing info@viablepathway.net.

Acknowledgment: We will acknowledge your complaint within one business day.

Resolution: We aim to investigate and resolve most complaints within 30 days. We will provide you with a written response explaining the outcome.

External Dispute Resolution (EDR): If you are not satisfied with our response, you have the right to take your complaint to an independent EDR scheme. Viable Pathway is a member of the Australian Financial Complaints Authority (AFCA):

  • Website: www.afca.org.au
  • Phone: 1800 931 678
  • Address: GPO Box 3, Melbourne VIC 3001

You may also contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

11. Updates to this policy

We may update this CDR Policy from time to time to reflect changes in our Services, the CDR sectors we support, or legal requirements.

Changes will be posted on this page with an updated effective date. Continued use of the Services after updates constitutes your acceptance of the revised policy, to the extent permitted by law.

12. Contact us

Questions about this CDR Policy or CDR-related information we handle:

info@viablepathway.net