Group Privacy Policy

1. Our Commitment to Privacy

CobdenHayson is committed to protecting the privacy of every person we work with — buyers, sellers, landlords, tenants, applicants, and the communities we serve across Sydney's Inner West and Lower North Shore.

We handle personal information with care, transparency, and respect. This policy explains how we collect, use, store, disclose and protect personal information across the CobdenHayson Group, and sets out your rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

CobdenHayson Group is operated by Cobden & Hayson Holdings Pty Ltd (ABN 12 601 355 980), together with affiliated franchise offices. Each office operates under this Group policy and maintains a supplementary office-level policy addressing its own systems and practices.

2. What Personal Information We Collect

We collect personal information that is reasonably necessary to provide our services and meet our legal obligations. This may include:

• Names, contact details and identification information
• Buyer, seller, landlord and tenant details
• Inspection, enquiry and appraisal records
• Property transaction and tenancy information
• Rental application information, including employment history, income and referee details
• Communication history and marketing preferences
• Information required to meet legal, regulatory and professional obligations

Sensitive Information

In some circumstances we may handle sensitive information — for example, health information relevant to a tenancy accommodation request, or financial information forming part of a rental application. We collect sensitive information only where it is reasonably necessary and, where required by law, with your consent. Sensitive information is subject to a higher level of protection and is never used for unrelated purposes.

We do not collect personal information unnecessarily.

3. How We Collect Personal Information

We collect personal information directly from individuals wherever possible — in person, in writing, verbally, electronically, or via third-party platforms used in our business operations.

We may also collect personal information from third parties such as referees, employers, previous agents, conveyancers, and publicly available sources.

At the time of collection, or as soon as practicable, we take reasonable steps to ensure individuals are aware of who we are, why we are collecting the information, how it will be used and disclosed, and how they can access or correct it.

Third-Party Platforms and Systems

To deliver our services, we use a range of third-party platforms and systems that may collect, store or process personal information on our behalf. These include software used for property management, customer relationship management, digital communications, document signing, marketing, and inspection management.

Each office-level policy sets out the specific systems used at that location, where data is stored (including any overseas storage), and the privacy protections those providers maintain. We take reasonable steps to ensure all third-party providers handle personal information securely and consistently with Australian privacy requirements.

We do not sell personal information to third parties.

4. Why We Collect Personal Information

We collect and use personal information for purposes including:

• Providing real estate sales, leasing and property management services
• Managing inspections, appraisals, listings and transactions
• Assessing rental applications and managing tenancies
• Communicating with clients, tenants, landlords and other stakeholders
• Sending marketing communications where permitted by law
• Improving our services and client experience
• Meeting our legal, regulatory and professional obligations

If we are unable to collect required personal information, we may be unable to provide certain services or meet our legal obligations.

5. Disclosure of Personal Information

We may disclose personal information where necessary to deliver our services, including to:

• Conveyancers, solicitors, strata managers and contractors
• Technology and platform providers including CRM, property management, inspection, marketing and communications systems
• Related entities and offices within the CobdenHayson Group for operational and administrative purposes
• Government bodies, regulators or law enforcement where required by law

We take reasonable steps to ensure any party to whom we disclose personal information handles it securely and in accordance with applicable privacy obligations.

Overseas Disclosure

Some of the third-party platforms we use may store or process personal information outside Australia, including through cloud-based systems hosted in the United States, Ireland or other countries. Where personal information is disclosed or transferred overseas, we take reasonable steps to ensure it receives protections comparable to those required under Australian law.

Details of overseas storage arrangements specific to each office are set out in the relevant office-level policy.

6. Automated Decision-Making

Automated decision-making (ADM) refers to the use of software or algorithms to assist or replace human judgment in making decisions that may significantly affect an individual's rights or interests — for example, in the assessment of rental applications.

We are committed to being transparent about our use of technology in decisions that affect the people we work with. We are currently reviewing all systems and processes across the CobdenHayson Group to identify where automated decision-making may be in use, the extent to which it influences outcomes, and the measures in place to ensure fairness and accuracy.

We will update this policy and our office-level policies as this review is completed, and no later than the compliance date of 10 December 2026 as required under the Privacy and Other Legislation Amendment Act 2024 (Cth).

In the interim, we confirm that all decisions affecting individuals — including rental application outcomes — remain subject to review and final determination by a qualified member of our team.

7. Marketing Communications

We may use personal information to send marketing communications — including property alerts, market updates and news about our services — where you have provided consent or where permitted by applicable law, including the Spam Act 2003 (Cth).

You can opt out of marketing communications at any time by using the unsubscribe function in any communication or by contacting us directly. Opt-out requests are actioned promptly and at no cost to you. 

8. Data Security

We take reasonable technical and organisational measures to protect personal information from misuse, loss, unauthorised access, modification or disclosure. Our security measures include:

• Secure digital systems with controlled access and authentication
• Password management and role-based access controls
• Secure handling and storage of physical records
• Regular staff training on privacy obligations and data handling practices
• Internal privacy procedures and governance frameworks
• Periodic review of third-party provider security arrangements

Staff training on privacy and data handling is a standard component of induction for all CobdenHayson team members and is refreshed regularly. We recognise that organisational measures are as important as technical ones in protecting the personal information of the people we work with.

While we take privacy seriously and work hard to maintain robust protections, no system can be guaranteed to be completely secure.

9. Data Retention and Destruction

We retain personal information for as long as it is necessary for the purpose for which it was collected, or as required by applicable law or professional obligations.

When personal information is no longer required, we take reasonable steps to destroy it or de-identify it in a secure manner. This includes:

• Unsuccessful rental applications, which are retained for a reasonable period following assessment and then securely deleted
• Transaction records retained in accordance with statutory and professional requirements
• Marketing contact lists, which are updated promptly when individuals opt out

Specific retention periods for different categories of information are set out in our internal data handling procedures. If you have a question about how long we hold information about you, please contact the Group General Manager. 

10. Privacy Breaches

We have procedures in place to identify, assess and respond to privacy breaches in a timely manner. In the event of an eligible data breach under the Notifiable Data Breaches scheme, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by law.

Our response to any breach focuses on containing the breach, minimising harm to affected individuals, and taking steps to prevent recurrence.

11. Your Rights

Access and Correction

You have the right to request access to personal information we hold about you, and to request corrections if information is inaccurate, out of date or incomplete. Requests should be made in writing to the Group General Manager using the contact details below.

We will respond to access and correction requests within 30 days of receipt. We may need to verify your identity before releasing information. In some circumstances, access may be declined where permitted by law — if this occurs, we will explain the reason in writing.

We will not charge a fee for making an access or correction request, though a reasonable fee may apply for the cost of providing access in some circumstances.

Right to Complain

If you believe we have not handled your personal information appropriately, you have the right to make a complaint. You also have the right to bring a civil claim for serious invasions of privacy under the statutory tort introduced by the Privacy and Other Legislation Amendment Act 2024 (Cth), where the conduct was intentional or reckless and a reasonable person would have expected privacy in the circumstances.

12. Privacy Complaints

If you have a concern about how we have handled your personal information, we encourage you to contact us first so we can address it directly.

Complaints should be directed to the Group General Manager in writing. We will acknowledge your complaint within 5 business days and provide a substantive response within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

• Website: www.oaic.gov.au
• Phone: 1300 363 992
• Mail: GPO Box 5218, Sydney NSW 2001

 13. Website and Analytics

When you visit our website at ch.com.au, we may collect non-identifying information including IP address or domain, date and time of access, pages visited, and referring websites. This information is used to improve website performance and user experience and does not identify individuals.

Our website may use analytics tools provided by third parties. Details of any analytics platforms in use are set out in the website terms and conditions.

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those websites and encourage users to review their individual privacy policies before providing personal information. 

14. How to Contact Us

For any privacy-related enquiries, access or correction requests, or complaints, please contact:

Role: Group General Manager

Business: Cobden & Hayson Holdings Pty Ltd

ABN: 12 601 355 980

Contact: Via your local CobdenHayson office — see links below 

15. Office-Level Policies

Each CobdenHayson office maintains a supplementary privacy policy that sets out the specific third-party systems, overseas data storage arrangements, and local contact details relevant to that office. These office-level policies are to be read alongside this Group policy.

Office-Level Privacy Policy

• Annandale: https://www.ch.com.au/privacy-policy-annandale
• Balmain: https://www.ch.com.au/privacy-policy-balmain
• Drummoyne: https://www.ch.com.au/privacy-policy-drummoyne
• Earlwood: https://www.ch.com.au/privacy-policy-earlwood
• Lane Cove: https://www.ch.com.au/privacy-policy-lanecove
• Petersham: https://www.ch.com.au/privacy-policy-petersham

16. Changes to This Policy

This Privacy Policy may be updated from time to time to reflect changes in law, regulation or business practice. The current version will always be available at ch.com.au/privacy-policy. We will update the version number and date at the foot of each page when material changes are made.

Note

• Document type: CobdenHayson Group Privacy Policy — applies across all CobdenHayson offices
• Version: 2.0
• Last updated: 5 June 2026
• Applies to: All CobdenHayson offices and entities
• Policy owner: Group General Manager
• Privacy contact: Group General Manager — contact via your local office
• Regulator: Office of the Australian Information Commissioner (OAIC)