WhipSmart Privacy Policy – Ammending on 1st of May 2026

1. Introduction

WhipSmart Co Pty Ltd (17 662 603 732) (“WhipSmart”, “we”, “us”, “our”) is an Australian novated leasing provider specialising in electric vehicles. We are committed to protecting the personal information of our customers, prospective customers, referral partners, and website visitors in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This Privacy Policy explains what personal information we collect, how we collect it, how we use and disclose it, how we protect it, and what your rights are in relation to it.

By engaging with WhipSmart — including visiting our website, creating an account, generating a quote, or entering into a novated lease — you acknowledge that you have read and understood this Privacy Policy.

If you have any questions about this policy or how we handle your personal information, please contact our Privacy Officer:

Privacy Contact

Email: privacy@whipsmart.au

Phone: +61 (0)7 2100 0123

Website: whipsmart.au

2. Information We Collect

We collect personal information that is reasonably necessary to provide our novated leasing services. The types of information we collect include:

2.1 Personal & Contact Information

  • Full name
  • Residential address
  • Email address
  • Phone number
  • Date of birth

2.2 Financial & Employment Information

  • Employer name
  • Annual gross income
  • Payslips and payroll documents
  • Bank account details (for lease payment and settlement purposes)

2.3 Vehicle & Lease Preferences

  • Preferred vehicle make, model, specification, and colour
  • Lease term, annual kilometres, and residual preferences
  • Fuel type and transmission preferences
  • Accessories or variant notes

2.4 Website & Behavioural Information

  • Pages visited and time spent on our website
  • Return visit data for known contacts
  • Email open and link click data (for contacts already in our CRM)
  • Device type, browser, and general location data via analytics tools

2.5 Referral Information

Where a referral partner (such as an accountant or financial planner) submits an enquiry on behalf of a prospective client, we may collect the client’s name and contact details as provided by the referring party. All such information is handled under the same standards as directly collected data.

3. How We Collect Your Information

We collect personal information through:

  • Our website (whipsmart.au), including account registration and quote generation forms
  • Direct communication with our team via phone, email, or in-person
  • HubSpot CRM, which tracks website visitor behaviour and interactions site-wide
  • Google Analytics, which collects aggregated website usage data
  • Meta (Facebook/Instagram) advertising pixel, which tracks visits to our website for ad targeting purposes
  • Inbound documents submitted by customers (e.g. payslips, employer invoices)
  • Third-party referral partners who submit enquiries on behalf of prospective clients
  • Credit reporting bodies and financial institutions as part of the lease assessment process

3.1 Cookies & Tracking

Our website uses cookies and tracking technologies. The HubSpot tracking code operates site-wide and may collect information about your browsing behaviour before you submit a form or create an account. Google Analytics and the Meta Pixel also collect data about site visits for analytics and advertising purposes.

By continuing to use our website, you consent to our use of cookies. You may disable cookies in your browser settings, however some functionality may be affected.

4. How We Use Your Information

We use the personal information we collect for the following purposes:

  • To assess your eligibility for a novated lease and generate a personalised quote
  • To process and administer your novated lease agreement
  • To communicate with you about your enquiry, quote, or active lease
  • To maintain accurate records of transactions and dealings
  • To comply with our legal and regulatory obligations
  • To send you marketing communications about our products and services (where you have consented or where permitted by law)
  • To improve our website, products, and customer experience using analytics data
  • To manage our relationship with referral partners
  • To conduct internal reporting and business planning

5. Disclosure to Third Parties

We may share your personal information with the following third parties in the course of providing our services:

5.1 Finance & Credit Partners

To arrange and process novated leases, we share relevant personal and financial information with our banking and lending partners, which currently include:

  • Commonwealth Bank of Australia
  • Westpac Banking Corporation

We also engage with credit reporting bodies, including Allied Credit and Metro Finance, to assess creditworthiness as part of the lease application process.

5.2 Your Employer

We receive employment-related documents (such as invoices) from your employer as part of the salary packaging and novated lease administration process. We do not share your personal information with your employer without your consent.

5.3 Technology & Service Providers

We use a number of third-party technology platforms that may process your personal information on our behalf:

  • HubSpot, Inc. — CRM, marketing automation, and website tracking (servers located in the United States)
  • Google LLC — website analytics via Google Analytics (global infrastructure)
  • Meta Platforms, Inc. — advertising pixel for ad targeting and retargeting (servers located in the United States)
  • GoDaddy Inc. — website hosting for whipsmart.au (servers may be located outside Australia)

5.4 What We Do Not Do

We do not sell your personal information to third parties. We do not upload customer lists to advertising platforms for targeting purposes. We do not share your information with referral partners.

6. Overseas Disclosure

Some of the third-party service providers we use store and process data on servers located outside of Australia, including in the United States. These providers include HubSpot, Google, Meta, and GoDaddy.

Before disclosing personal information to overseas recipients, we take reasonable steps to ensure that they handle your information in a manner consistent with the Australian Privacy Principles. By engaging with our services, you consent to the transfer of your personal information to these overseas recipients.

7. Data Security

We take the security of your personal information seriously and implement reasonable technical and organisational measures to protect it from misuse, interference, loss, and unauthorised access, modification, or disclosure. These measures include:

  • Restricted access to personal information — only authorised WhipSmart personnel can access customer data
  • Secure website infrastructure via our hosting provider
  • Cyber insurance to assist in the event of a data breach
  • Secure deletion procedures for sensitive documents once no longer required

Sensitive documents such as payslips and bank account details are deleted as soon as they are no longer required for the completion of your transaction.

8. Data Breach Response

WhipSmart is subject to the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth). In the event of a data breach that is likely to result in serious harm to affected individuals, we will:

  • Immediately engage our web developer and technical team to contain the breach
  • Notify affected customers within 48 hours of confirming the breach
  • Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable
  • Take all reasonable steps to mitigate the impact of the breach

If you suspect that your personal information held by WhipSmart has been compromised, please contact us immediately at privacy@whipsmart.au.

9. Data Retention

We retain personal information only for as long as it is necessary for the purposes for which it was collected, or as required by law. Our approach to retention is as follows:

  • Cold leads and abandoned quotes: deleted when no longer needed for business purposes
  • Sensitive documents (payslips, bank details): deleted immediately upon completion of the relevant transaction
  • Settled lease records: retained for a minimum of 5 years to comply with ATO requirements, and up to 7 years for financial records as required under the Corporations Act 2001 (Cth)
  • All other records: assessed on a case-by-case basis in accordance with applicable legal obligations

Once information is no longer required, we take reasonable steps to destroy or permanently de-identify it.

10. Marketing Communications

WhipSmart complies with the Spam Act 2003 (Cth). We send marketing communications only where you have expressly consented, or where consent can be reasonably inferred from the circumstances (for example, by providing your email address when requesting a quote).

All marketing emails from WhipSmart:

  • Clearly identify WhipSmart as the sender
  • Include our contact details
  • Provide a simple and functional unsubscribe mechanism

If you unsubscribe from marketing communications, we will process your request promptly. Unsubscribing from marketing does not affect transactional or service-related communications.

11.Your Privacy Rights

11.1 Access & Correction

You have the right to request access to the personal information we hold about you, and to request corrections where the information is inaccurate, incomplete, or out of date. To make a request, contact us at privacy@whipsmart.au. We will respond within a reasonable timeframe (typically within 30 days).

11.2 Deletion Requests

Where you have terminated your novated lease contract, you may request the deletion of your personal information. Deletion requests are assessed on a case-by-case basis. We will comply with your request to the extent possible, however we may be required to retain certain information for legal, regulatory, or financial record-keeping purposes. We will notify you of any information we are unable to delete and the reason for retention.

11.3 Complaints

If you believe we have breached the Australian Privacy Principles or mishandled your personal information, please contact our Privacy Officer in the first instance:

Email: privacy@whipsmart.au

We will acknowledge your complaint within 5 business days and work to resolve it within 30 days. If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC):

Website: oaic.gov.au   |   Phone: 1300 363 992

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal obligations. When we make material changes, we will update the effective date at the top of this document and, where appropriate, notify you directly.

We encourage you to review this policy periodically. Continued use of our website or services after any changes constitutes your acceptance of the updated policy.