Compliance

Last updated: April 2026

Redbark operates under Australia's Consumer Data Right. This page explains what that means in practice: how we're registered, how your consent works, how your data is handled, and what rights you have. If you want to verify any of it, every claim below links to a primary source.

1. Who we are

Redbark is the trading name of SKINT AI Pty Ltd (ACN 685 364 729).

We are a CDR Representative of Fiskil Pty Ltd (Accredited Data Recipient, accreditation number ADRBNK000246). Our appointment is listed on the ACCC's public CDR register at cdr.gov.au/find-a-provider under Fiskil's entry, with a CDR Representative Arrangement dated 19 February 2026.

2. What the CDR Representative model means

Under Rule 1.10AA of the Competition and Consumer (Consumer Data Right) Rules 2020, Fiskil (our Principal ADR) has appointed us to provide CDR services under Fiskil's accreditation. Fiskil bears primary liability for our handling of CDR data under Rule 1.16A. We adopt and comply with Fiskil's CDR Policy under Rule 1.10AA(2)(e).

In practical terms, the accredited data path is bank → Fiskil → Redbark → your destination, and data only moves along it with your express consent.

3. How consent works

Where consent is given

When you connect a bank, we redirect you to Fiskil's hosted consent screen. Fiskil, as the Principal ADR, runs the compliant CDR consent UI where you select the bank, authenticate with the bank's own login, and choose which data categories and time period to share.

What we disclose before you start

Before we hand you off to Fiskil, we display a disclosure stating that Redbark is a CDR Representative of Fiskil and that Fiskil will collect and disclose your CDR data to Redbark on your behalf. This satisfies the disclosure obligation under the CDR Representative model.

Consent duration

Consents are time-limited. The maximum duration is 12 months per CDR Rule 4.14. You can view your active consents, expiry dates, and data categories on the Consents page in your Redbark account, and manage your consents at any time through Fiskil's consent dashboard.

Consent expiry notifications

We run a daily scheduled job that sends an advance notice 90 days before a consent expires, so you have time to renew before sync stops.

Withdrawing consent

You can withdraw a consent at any time through Fiskil's consent dashboard. Fiskil, as the accredited data recipient, manages consent withdrawal under the CDR Rules. Withdrawal takes effect immediately: access at the bank is revoked, every sync that depends on that consent is disabled, and deletion of the associated connection data and tokens is queued. Withdrawing consent is as easy as giving it, per CDR Rule 4.16.

4. What data we hold, and what we don't

We do not store your CDR transaction data. Transactions are proxied live from Fiskil at sync time and written directly to the destination you configured. Deletion on our side is instant because no transaction data is ever held; only the metadata and tokens listed below exist to be removed.

We do hold, in our production database:

  • Account metadata (institution name, account type, masked account number) to power the UI
  • Consent metadata (status, purpose, data categories, expiry, audit trail)
  • Encrypted OAuth tokens for your providers and destinations (AES-256-GCM at rest)
  • An audit log of every state-changing action (who, what, when, what entity)

We never store:

  • Transaction amounts, dates, descriptions, merchants, or balances
  • Raw CDR payloads from Fiskil
  • Your banking credentials (you enter those directly at the bank)

5. How destinations work

When you configure a destination such as a Google Sheet, a YNAB plan, a Notion database, or a webhook URL, you are directing Redbark to deliver your transaction data to that destination. Once data arrives at the destination, it sits in your own account with that provider, under that provider's own terms, and outside the CDR framework.

This arrangement is addressed directly by the ACCC's Third-party data sharing use cases guidance (updated 27 January 2026). The guidance treats consumer-configured export to external tools as Scenario 1(b) and states such use cases are “unlikely to raise compliance concerns for the ACCC” provided the consumer makes a clear and informed choice. Our destination setup flow includes a disclosure that makes this choice explicit.

6. Security

  • All OAuth and banking tokens are encrypted at rest using AES-256-GCM with unique random IVs
  • All data is encrypted in transit over HTTPS (TLS)
  • Our error monitoring (Sentry) has a scrubbing layer that redacts CDR transaction fields, PII, and secrets from every event before it leaves the app
  • Our log pipeline (Pino to Axiom) redacts the same fields before log lines leave the runtime
  • Our product analytics (PostHog) has DOM autocapture and session recording disabled, so rendered transaction data cannot be scraped into analytics events
  • Our infrastructure providers hold SOC 2 Type II attestation reports: Vercel (hosting), PlanetScale (database), Clerk (authentication), Stripe (payments), Trigger.dev (background jobs)
  • Fiskil operates as an ACCC-accredited CDR data recipient under its own security assessment program, meeting the information security requirements that accreditation imposes

7. Your rights

Under Australian privacy law and the CDR Rules, you can:

  • Withdraw consent at any time through Fiskil's consent dashboard
  • Delete your account from Settings, which withdraws all active consents at the provider, deletes provider-side end users, cancels your subscription, and removes your data
  • Request access to the personal information we hold about you by emailing privacy@redbark.co. We respond within 30 days
  • Correct inaccurate information by emailing the same address
  • Complain (see the next section)

8. Complaints and external dispute resolution

Start by emailing us at privacy@redbark.co. If you're not satisfied with our response, you can escalate:

  • Privacy complaints: Office of the Australian Information Commissioner at oaic.gov.au
  • CDR-specific complaints: via our CDR Principal Fiskil under Fiskil's CDR Policy. Fiskil's external dispute resolution body is the Australian Financial Complaints Authority (AFCA, member 83521) at afca.org.au

9. Data breach response

If a data breach affects CDR data or other personal information, we follow a documented internal runbook with these steps:

  • Triage, contain, and record the incident within the first hours
  • Notify Fiskil (our CDR Principal) as soon as reasonably practicable, per CDR Rule 1.19
  • Notify affected consumers and the Office of the Australian Information Commissioner in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth)
  • Run a blameless post-incident review and share findings with Fiskil

Security researchers can report vulnerabilities privately to security@redbark.co. We will acknowledge within 2 business days, provide an initial assessment within 5 business days, and will not pursue legal action against good-faith research conducted within the scope described in that mailbox's auto-reply.

10. Primary sources

Everything above is verifiable against public documents.

11. Contact

Privacy and CDR enquiries: privacy@redbark.co
Security reports: security@redbark.co
General support: support@redbark.co