CDR Policy
Consumer Data Right Policy for One Click Switch, RateGuard and our other services
Version 1.0
Last updated: 28th May 2026
This is the CDR Policy of BeMoved Pty Ltd (ABN 37 649 325 940), a wholly owned subsidiary of Housed Group Limited (we, us, our).
We are a CDR Representative of Fiskil Pty Ltd (ABN 89 646 260 728), an Accredited Data Recipient under the Consumer Data Right framework. Our CDR Representative Arrangement with Fiskil has been registered with the Australian Competition and Consumer Commission (ACCC).
This CDR Policy explains how we collect, hold, use and disclose Consumer Data Right (CDR) data through the services we offer, including:
• One Click Switch — energy plan comparison and switching;
• RateGuard — ongoing energy plan monitoring and notifications;
• Savings Campaigns and other features that may use CDR data.
Because we are a CDR Representative, the activities described in this CDR Policy take place under Fiskil’s accreditation and within Fiskil’s CDR Policy framework. Fiskil remains responsible to you for our compliance with the CDR Rules in respect of CDR data we handle as its Representative. Fiskil’s CDR Policy is available at https://www.fiskil.com/legal/cdr-policy.
Our broader handling of personal information that is not CDR data is described in our Privacy Policy, available at https://www.bemoved.com.au/legal/privacy-policy .
1. About this CDR Policy
1.1 This CDR Policy is published under rule 7.2 of the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules) and addresses the matters required by Schedule 1, clause 1.4 of those Rules in respect of our CDR Representative activities.
1.2 We may update this CDR Policy from time to time. The most recent version is always available on our websites and the “last updated” date appears at the top of this document. Where the changes are material, we will take reasonable steps to bring them to your attention.
1.3 Where there is any inconsistency between this CDR Policy and our Privacy Policy in respect of CDR data, this CDR Policy prevails.
1.4 Where there is any inconsistency between this CDR Policy and Fiskil’s CDR Policy in respect of CDR data, Fiskil’s CDR Policy prevails, as Fiskil is the accredited entity ultimately responsible for our CDR Representative activities.
2. Key terms
2.1 In this CDR Policy:
Accredited Data Recipient or ADR means an entity that is accredited under the CDR Rules to collect and use CDR data. Fiskil is our ADR.
CDR means the Consumer Data Right framework established under Part IVD of the Competition and Consumer Act 2010 (Cth).
CDR Data means data that is shared with us (or with Fiskil and made accessible to us) under the CDR framework about your energy services.
CDR Consumer or you means a person whose CDR data we may collect, hold, use or disclose in the course of providing the Services.
CDR Receipt means the notice you receive each time CDR data is collected, used or disclosed, as required by the CDR Rules.
CDR Representative Arrangement means the written arrangement between us and Fiskil that allows us to act as Fiskil’s CDR Representative under the CDR Rules.
Consent means the consent you give for the collection, use, disclosure or de-identification of CDR data.
Data Holder means the entity that holds your CDR data before sharing — typically, your energy retailer.
Derived CDR Data means data wholly or partly derived from CDR data by analysis, calculation or other processing — for example, your personalised savings estimate, plan ranking or RateGuard insight. Derived CDR Data is treated as CDR data under the CDR Rules.
De-identified Data means data that has been altered so that you are no longer reasonably identifiable from it, in accordance with the CDR Rules. Validly de-identified data ceases to be CDR data.
Outsourced Service Provider or OSP means a person engaged by Fiskil or us to provide a service involving the handling of CDR data, under a written contract that imposes obligations consistent with the CDR Privacy Safeguards.
Privacy Safeguards means the thirteen CDR Privacy Safeguards set out in Division 5 of Part IVD of the Competition and Consumer Act 2010 (Cth).
Services means One Click Switch, RateGuard, and any other services we provide that may involve CDR data.
3. Our role under the CDR
3.1 We are a CDR Representative of Fiskil. This means:
(a) Fiskil is the Accredited Data Recipient that collects your CDR data from your Data Holder under the CDR framework;
(b) we access and use that CDR data under our CDR Representative Arrangement with Fiskil, which is registered with the ACCC;
(c) from your perspective, you give CDR Consent to us through our user interface, and that Consent operates as a Consent given to Fiskil as the ADR;
(d) Fiskil remains responsible to you for our handling of your CDR data under the CDR Rules;
(e) you can make a CDR complaint to us or to Fiskil (see clause 13).
3.2 We are not separately accredited under the CDR Rules. We do not access CDR data except through our arrangement with Fiskil.
4. What CDR data we collect
4.1 With your Consent, we (through Fiskil) collect the following kinds of CDR data from your Data Holder:
(a) account and meter identifiers, including your National Meter Identifier (NMI) or Metering Installation Registration Number (MIRN), supply address, account identifiers and information needed to identify the relevant electricity account or connection point;
(b) Customer Contact Data, where you have consented to share it, including your name, email address, phone number, mailing address, residential address and other customer details made available by your Data Holder;
(c) plan and product information, including your current Energy Plan, tariff structure, rates, fees, discounts and benefit period;
(d) usage data, including interval or aggregated electricity consumption for periods of up to 12 months;
(e) billing data, including bill history, billing periods, charge categories, amounts, concessions, credits, discounts and other billing information where shared by the Data Holder;
(f) electricity connection and meter information, including meter type, network tariff, distributor information and connection details;
(g) energy generation and storage information, where available, including solar generation, export information, battery or storage information and related data;
4.2 Data minimisation. We only request CDR data that is reasonably needed to provide the Services you have requested. For One Click Switch and RateGuard, this means data needed to compare energy plans using your actual usage, create and manage your Account, activate and manage your free RateGuard monitoring account, monitor your energy plan, send service notifications and alerts, manage your CDR consent, and facilitate a switch where you direct us to do so.
4.3 We do not collect, and under the CDR framework we are not able to collect:
(a) your password or login credentials for your energy account;
(b) your bank account or payment information;
(c) personal information of any other person on your account.
4.4 CDR data for gas accounts is not currently available, and accordingly we do not collect gas information under the CDR. For gas plan comparisons, we rely on a bill you upload to us.
5. How we collect CDR data
5.1 CDR data is collected through the secure CDR data exchange operated between your Data Holder and Fiskil, and then made available to us under our CDR Representative Arrangement.
5.2 Before any CDR data is shared, you go through a CDR consent flow which includes:
(a) confirming the data you agree to share and the purposes you authorise, including the Authorised Uses described in clause 6;
(b) confirming that One Click Switch will use your CDR data to provide a personalised energy plan comparison and activate your free RateGuard monitoring account;
(c) where you consent to share Customer Contact Data, authorising us to use that data to create and manage your Account, create and manage your RateGuard monitoring account, deliver service notifications and alerts, manage your CDR consent, and help verify that you are the relevant account holder;
(d) providing an email address for the management of your Consent and Account. We use this email address for account, consent and service communications. We do not treat this as consent to receive unrelated marketing;
(e) authorising data sharing through Fiskil; and
(f) being redirected to your Data Holder, who will verify your identity and confirm your authorisation.
5.3 You receive a CDR Receipt for each collection of your CDR data, and you can review your active CDR consents through the consent management functionality in our Services and through Fiskil’s consumer dashboard.
5.4 Where Customer Contact Data received through CDR differs from contact details you have provided directly to us, we may ask you to confirm which contact details you wish us to use for your Account, RateGuard alerts and CDR consent communications. Unless you confirm otherwise, we may continue to use the contact details you provided directly to us for account access and service communications.
6. Why we collect, use and disclose CDR data (Authorised Uses)
6.1 We collect, use and disclose your CDR data only for the purposes you have consented to. The Authorised Uses for which we may seek your Consent are:
(a) calculating personalised energy plan comparisons, estimated annual costs and potential savings estimates for you;
(b) ranking available Energy Plans based on your historical usage, current plan, tariffs, meter information, billing information and other relevant CDR data;
(c) creating and managing your Account, including using Customer Contact Data where you have consented to share it;
(d) activating, creating and managing your free RateGuard monitoring account as part of the One Click Switch CDR service;
(e) providing RateGuard ongoing monitoring of your energy plan for the duration of your active CDR consent;
(f) generating, sending and recording service notifications, reminders, alerts and insights about your energy plan, including price changes, expiring discounts, unusual bill changes, CDR consent expiry and potential savings opportunities;
(g) managing your CDR consent, including consent records, CDR receipts, consent expiry reminders, withdrawal requests, deletion elections and support requests;
(h) verifying your eligibility for, and calculating your entitlement under, Savings Campaigns and similar offers;
(i) disclosing CDR data or Derived CDR Data to OSPs listed in clause 11 where permitted under the CDR Rules and our CDR Representative Arrangement, for the purpose of delivering the Services and notifications described in this clause;
(j) disclosing relevant information to an energy retailer where you have directed us to facilitate a switch;
(k) producing De-identified Data, where you have given de-identification consent, for the purposes set out in clause 9.
6.2 We will not use your CDR data outside the Authorised Uses you have consented to. In particular, we will not:
(a) use your CDR data to market products or services unrelated to the comparison, switching or monitoring of your energy services;
(b) sell your CDR data;
(c) access your energy account on your behalf (CDR access is read-only);
(d) make any change to your energy services without your separate and explicit instruction;
(e) use your CDR data in any way not permitted by the CDR Rules.
6.3 We may send operational service communications using CDR data, Derived CDR Data or Customer Contact Data where this is necessary to provide the Services you have requested, such as RateGuard alerts, CDR consent reminders, account notices and security notices. These operational communications are separate from marketing communications. We will only send unrelated marketing where you have opted in.
7. Your CDR Consents
7.1 Kinds of Consent. Depending on the Services you use, we may seek the following kinds of Consent from you:
(a) Collection consent — to collect specified kinds of CDR data from your Data Holder for a specified period;
(b) Use consent — to use the CDR data we have collected for specified Authorised Uses;
(c) Disclosure consent — to disclose CDR data or Derived CDR Data to specified categories of recipients;
(d) De-identification consent — to produce De-identified Data from your CDR data for the purposes set out in clause 9.
7.2 Consent durations. The standard durations for which we may seek Consent are:
(a) for plan comparisons through One Click Switch and ongoing monitoring through RateGuard: up to 12 months. You will be invited to renew your Consent before it expires;
(b) for Savings Campaign eligibility and fulfilment: for the period required to verify your eligibility and complete fulfilment of the campaign, including any campaign-specific verification window, up to a maximum of 12 months.
7.3 Maximum duration. The CDR Rules cap consent durations at 12 months. To continue receiving services that depend on CDR data beyond 12 months, you will be asked to renew your Consent.
7.4 How to withdraw your Consent. You can withdraw your Consent at any time, free of charge. To do so, you can:
(a) use the consent management functionality within our Services;
(b) use Fiskil’s consumer dashboard at https://consents.fiskil.app/consents ;
(c) contact your Data Holder directly to revoke data sharing; or
(d) contact us using the details in clause 14.
7.5 Deletion or de-identification. When your Consent ends (by withdrawal or expiry), our default action is to de-identify your CDR data. Validly de-identified data ceases to be CDR data and may then be used by us in accordance with clause 9. You can get in touch with us to delete your CDR data where possible (if it has not been fully de-identified yet).
7.6 Effect of withdrawal. Withdrawing your Consent ends our right to continue collecting or using your CDR data, but does not affect:
(a) anything we have lawfully done with your CDR data before withdrawal;
(b) disclosures already made to OSPs, Data Holders or other parties before withdrawal;
(c) any record of switches you have completed, or obligations that have already arisen under a Savings Campaign.
7.7 Joint accounts. Where your energy account is a joint account, CDR sharing is governed by the joint-account rules of your Data Holder and the CDR Rules. By giving Consent in respect of a joint account, you confirm that you have the authority of the other joint account holder(s) to do so. We may decline to act on a Consent where we have reason to believe joint-account requirements have not been met.
7.8 CDR Receipts. You will receive a CDR Receipt each time we collect, use or disclose your CDR data in a way that requires one under the CDR Rules. CDR Receipts are made available through our Services and through Fiskil’s dashboard. We retain CDR Receipts for the period required by the CDR Rules.
8. How we hold CDR data and keep it secure
8.1 We hold CDR data and Derived CDR Data in systems hosted by Amazon Web Services within Australian-region data centres.
8.2 We apply security measures to protect CDR data from misuse, interference, loss, unauthorised access, modification or disclosure. These include:
(a) encryption of CDR data in transit and at rest using current industry standards;
(b) logical separation of CDR data from non-CDR data;
(c) access controls based on the principle of least privilege, with multi-factor authentication for systems holding CDR data;
(d) logging, monitoring and alerting on access to systems holding CDR data;
(e) regular security review and testing of our systems and OSPs;
(f) staff training on CDR obligations and information security;
(g) a documented data breach response and notification process.
8.3 As a CDR Representative, our information security controls are subject to the oversight of Fiskil under our CDR Representative Arrangement. Fiskil, as the accredited entity, holds the primary CDR information security accreditation.
9. Derived CDR Data and De-identified Data
9.1 Derived CDR Data. The savings estimates, plan comparisons, RateGuard insights and notification triggers we create from your CDR data are Derived CDR Data. Under the CDR Rules, Derived CDR Data is treated as CDR data and is subject to this CDR Policy.
9.2 De-identified Data. Where you give de-identification consent, we may convert CDR data and Derived CDR Data into De-identified Data in accordance with the CDR Rules. Once data is validly de-identified, it is no longer CDR data and is no longer subject to the Privacy Safeguards or this CDR Policy.
9.3 We may use De-identified Data for:
(a) improving the Services, including the accuracy of our savings calculations and notification logic;
(b) research, benchmarking and product development;
(c) product analytics, including sending de-identified event data to our analytics provider Mixpanel, Inc. (United States) for the purpose of understanding how the Services are used;
(d) internal reporting, and aggregated reporting to Affiliates and other partners;
(e) publishing market insights, provided that no individual is identifiable.
9.4 We follow the de-identification standards expected under the CDR Rules, including assessing the risk of re-identification, applying technical and organisational controls, and reviewing our approach over time.
10. Disclosure of CDR data
10.1 We may disclose your CDR data or Derived CDR Data only:
(a) to Fiskil, in its capacity as our CDR Representative Principal and ADR;
(b)to OSPs listed in clause 11, where permitted under the CDR Rules and our CDR Representative Arrangement, for the purpose of providing the Services and Authorised Uses described in this CDR Policy.;
(c) to an energy retailer, where you have directed us to facilitate a switch — once disclosed to your chosen retailer, the disclosed information becomes subject to that retailer’s privacy policy and ceases to be CDR data in the hands of the retailer;
(d) to any other party with your express prior Consent;
(e) where we are required or permitted by law to make the disclosure (for example, in response to a lawful request from law enforcement or a regulator).
10.2 We do not sell CDR data. We do not disclose CDR data for the unrelated marketing purposes of any third party.
10.3 Overseas disclosure. While CDR data is stored in Australia where reasonably possible, some of our OSPs are headquartered overseas or process operational metadata about CDR data overseas. The countries to which CDR data, Derived CDR Data or operational metadata about that data may be disclosed include:
(a) the United States (Twilio, SendGrid, Mailgun, Clerk, and some Amazon Web Services support functions);
(b) any other countries listed at clause 11 below.
10.4 Before CDR data is disclosed to an overseas OSP, we and Fiskil take reasonable steps to ensure the recipient is bound by obligations consistent with the Privacy Safeguards, including through contractual arrangements.
11. Outsourced Service Providers
11.1 The OSPs that may handle CDR data or Derived CDR Data on our behalf are listed below. This list is current as at the “last updated” date and is reviewed regularly. We may add, remove or change OSPs over time. The current version is always published in this CDR Policy.
Fiskil Pty Ltd
Role: Our CDR Representative Principal and Accredited Data Recipient.
CDR data handled: All categories of CDR data we use — Fiskil is the entity that technically collects and holds CDR data on accreditation, with us as Representative.
Location of processing: Australia.
Reference: See Fiskil’s CDR Policy and Privacy Policy.
Amazon Web Services, Inc. (AWS)
Role: Cloud infrastructure and hosting provider for our application, databases and backups.
CDR data handled: All CDR data and Derived CDR Data we hold.
Location of processing: Australia (Sydney region) for primary storage. Some AWS support, monitoring and management functions may be performed by AWS personnel located outside Australia, subject to contractual safeguards.
Twilio, Inc.
Role: SMS notification and alert delivery.
CDR data handled: Your mobile phone number and the content of SMS notifications, which may include Derived CDR Data (for example, a savings opportunity message or a discount expiry alert).
Location of processing: United States.
MessageMedia (Sinch Group)
Role: SMS notification and alert delivery (alternate provider).
CDR data handled: Your mobile phone number and the content of SMS notifications, which may include Derived CDR Data.
Location of processing: Australia and United States.
SendGrid (Twilio SendGrid)
Role: Email notification and alert delivery.
CDR data handled: Your email address and the content of email notifications, which may include Derived CDR Data.
Location of processing: United States.
Mailgun (Sinch Email)
Role: Email delivery (transactional and/or alternate provider).
CDR data handled: Your email address and the content of email notifications, which may include Derived CDR Data.
Location of processing: United States.
Clerk, Inc.
Role: Identity, authentication and session management for our Services.
CDR data handled: Authentication identifiers and metadata associated with your account. Clerk does not receive substantive CDR data such as usage data or plan information, but it controls access to systems holding CDR data and is therefore listed as an OSP.
Location of processing: United States.
11.2 We require each OSP to be bound by contractual obligations consistent with the CDR Privacy Safeguards, including obligations relating to use, disclosure, security, retention and breach notification.
11.3 Note: our product analytics provider Mixpanel, Inc. (United States) is not listed above because Mixpanel only receives De-identified Data, which is not CDR data. See clause 9.3(c).
12. Retention and deletion of CDR data
12.1 We retain CDR data only for as long as is required for the Authorised Uses for which it was collected, plus any period required by law.
12.2 Specific retention rules:
(a) for plan comparisons and for RateGuard (up to 12 months of Consent): CDR data is held for the duration of the active Consent, after which it is deleted or de-identified within a reasonable time after the Consent ends.
(b) for Savings Campaign eligibility and fulfilment: CDR data is held for the duration required to verify eligibility and complete fulfilment, including any campaign-specific verification window, after which it is deleted or de-identified;
(c) CDR Receipts are retained for the period required by the CDR Rules.
12.3 Where you have given de-identification consent, validly de-identified data may be retained by us indefinitely, as De-identified Data is no longer CDR data.
12.4 We may retain some Derived CDR Data or related records for longer than the above periods where we are required to do so by law (for example, to comply with financial record-keeping obligations) or to defend or pursue legal claims.
13. Your rights and how to complain
13.1 Your CDR rights. You have the right to:
(a) give, manage and withdraw your CDR Consents at any time;
(b) ask us for information about how your CDR data has been collected, used and disclosed;
(c) ask us to correct your CDR data where you believe it is inaccurate, out of date, incomplete, irrelevant or misleading. Where the inaccuracy is in data we received from your Data Holder, we may need to refer the correction request to the Data Holder;
(e) complain about our handling of your CDR data.
13.2 Making a complaint. If you have a complaint about our handling of your CDR data, please contact our Privacy Officer using the details in clause 14. We will:
(a) acknowledge your complaint within 5 business days;
(b) investigate the complaint and aim to provide a substantive response within 30 days, or let you know if more time is reasonably required for a complex complaint;
(c) keep you informed of the progress and outcome of the complaint;
(d) where appropriate, work with Fiskil to resolve the complaint, given Fiskil’s status as our CDR Representative Principal.
13.3 Escalation. If you are not satisfied with our response, you can escalate your complaint to:
(a) Fiskil as our CDR Representative Principal, at https://www.fiskil.com/contact;
(b) the Office of the Australian Information Commissioner (OAIC) — phone 1300 363 992, web www.oaic.gov.au;
(c) the Australian Competition and Consumer Commission (ACCC) — web www.accc.gov.au.
13.4 Both the OAIC and the ACCC have jurisdiction over CDR matters. The OAIC is generally the primary regulator for privacy-related aspects of CDR conduct.
14. Contact us
14.1 For CDR-related questions, requests or complaints, please contact our Privacy Officer:
Privacy Officer (CDR)
BeMoved Pty Ltd
ABN 37 649 325 940
Level 8, 2 Bligh St, Sydney NSW 2000
Phone: 1300 661 464
Email: privacy@oneclickswitch.com.au
14.2 You can also contact our CDR Representative Principal, Fiskil Pty Ltd, at https://www.fiskil.com/contact.
15. Changes to this CDR Policy
15.1 We may update this CDR Policy from time to time. The most recent version is always available on our websites and the “last updated” date appears at the top.
15.2 Where the changes are material (for example, the addition of an OSP that will handle CDR data, a change to our CDR Representative status, or a change to the categories of CDR data we collect), we will take reasonable steps to notify affected CDR Consumers in advance.
Document version: 1.0
Last updated: 28th May 2026
Related documents: Terms and Conditions; Privacy Policy; Fiskil CDR Policy.