(08) 6325 5761
Merion

Privacy

How Merion handles personal information — collected from creditor clients and debtors — under the Australian Privacy Principles and the Privacy Act 1988 (Cth).

Regulatory framework

Merion Pty Limited (ACN 684 211 390) is bound by the Australian Privacy Principles (APPs) set out in Schedule 1 of the Privacy Act 1988 (Cth). The APPs govern how Australian Privacy Act-regulated entities collect, use, disclose, and store personal information.

The Office of the Australian Information Commissioner (OAIC) is the federal regulator for privacy matters. Complaints that cannot be resolved directly with Merion may be referred to the OAIC.

Merion's full Privacy Policy is published at merion.com.au/privacy-policy/. The summary below covers the key data flows; the full policy governs.

What personal information is collected

From creditor clients

When a business engages Merion to recover a debt, we collect:

  • Business name, ACN/ABN, registered address.
  • Contact person name, role, email address, and phone number.
  • Banking details for disbursement of recovered funds (held securely; used only for payment).
  • Details of referred accounts: debtor name, amount, invoice history, correspondence, and supporting documents.

From debtors

When Merion is engaged to recover a debt owed by an individual or business, we collect:

  • Full name and trading name (where applicable).
  • Phone number(s) and email address(es) — encrypted at rest using AES-256-GCM.
  • Residential or registered business address — encrypted at rest using AES-256-GCM.
  • Account and dispute correspondence.
  • Payment information (processed by Stripe; card/bank data is not stored by Merion).
  • Hardship or dispute information, where voluntarily provided.

Purpose of collection

Personal information is collected for the primary purpose of recovering or managing the specific debt account. Secondary uses are limited to:

  • Legal proceedings relating to the account, where escalation is required.
  • Compliance with regulatory obligations (including responding to OAIC or court inquiries).
  • Fraud detection and platform security.

Merion does not use debtor personal information for marketing purposes. Creditor contact information may be used to send account-management communications directly related to the engagement.

Data separation

Creditors and debtors operate in separate, isolated data environments. A creditor can view their own referred accounts and the associated debtor communications. Debtors can view their own account status and communicate with Merion. Neither party has access to the other party's private profile or account data, nor to any other creditor's or debtor's records.

Retention

Personal information is retained for as long as necessary to fulfil the purposes for which it was collected, and for a minimum of seven years after account closure to satisfy:

  • Potential re-engagement (statute of limitations periods for debt vary by state: 6 years in most jurisdictions).
  • Regulatory inquiry and audit trail requirements under the Privacy Act and debt collection framework.

Following the expiry of the retention period, personal information is deleted or de-identified in accordance with APP 11.2.

Disclosure to third parties

Merion discloses personal information to third parties only where:

  • The individual has consented.
  • It is required by law (court order, regulatory direction).
  • It is necessary to engage a sub-processor to provide the service (e.g., Stripe for payment processing).

Merion does not sell personal information to third parties. Debtor information is not shared with credit reporting bodies unless the engagement specifically involves credit reporting (this is disclosed at the time of any such engagement).

Overseas disclosure

Some sub-processors are located overseas. Refer to the Sub-Processors page for a current list. Where personal information is disclosed to overseas recipients, Merion takes reasonable steps to ensure those recipients handle the information in accordance with Australian Privacy Principles (APP 8).

Debtor rights — access and correction

Under APP 12 (access) and APP 13 (correction), individuals have the right to:

  • Request access to the personal information Merion holds about them.
  • Request correction of inaccurate, incomplete, or out-of-date information.

Requests are responded to within 30 days. We may decline access in limited circumstances permitted by the Privacy Act (e.g., where providing access would unreasonably affect another person's privacy). If we decline, we will provide reasons and information about complaint pathways.

How to make a privacy request

Email [email protected] with the subject line "Privacy Request". Include:

  • Your full name.
  • The account or case reference number (if known).
  • A description of the information you wish to access or correct.
  • A copy of identification sufficient to verify your identity.

We will acknowledge your request within five business days and provide a substantive response within 30 days.

Complaints

If you believe Merion has mishandled your personal information, please contact us first. If your complaint is not resolved to your satisfaction, you may refer the matter to the OAIC at oaic.gov.au. See also Merion's complaints page for the full complaints process.

Get started

Ready to talk to Merion?

Whether you have accounts to recover or a question about a notice, the first conversation is always obligation-free.

Contact us Explore our services