Comms.ID Privacy Policy

Welcome to Comms.ID. Our mission is to build a more trustworthy digital world by combating fraud and misinformation. We do this by providing a secure, high-assurance digital identity platform that replaces insecure, anonymous interactions with a verified and consent-driven ecosystem.

Your privacy is not an afterthought; it is fundamental to our design and our mission. This Privacy Policy outlines our core privacy commitments and explains how we handle your personal information.

Our Legal Framework

The Australian Government Digital ID System (AGDIS) is a voluntary accreditation scheme. While Comms.ID is on the journey to achieve formal accreditation, we have built our platform from the ground up to adopt and conform to all relevant aspects of this framework and its governing legislation. We are bound by and committed to upholding our responsibilities under the:

• Privacy Act 1988 (Cth);
• Digital ID Act 2024 (Cth); and
• Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act).

At all times, we aim to meet and exceed the best practices and legal requirements of this framework.

2. Our Roles Explained: An Interoperable System

Comms.ID performs several distinct roles within the AGDIS framework. This separation of roles is a fundamental requirement of the system's design to enhance your privacy and security. It also ensures our services are interoperable, meaning in the future they can work with other accredited providers in the digital identity network.

Our roles include:

• Identity Service Provider (ISP): Verifying your identity against official documents to create your secure Digital ID.
• Attribute Service Provider (ASP): Verifying specific claims about you, such as your authority to act for a business.
• Identity Exchange (IXP): Acting as the secure, consent-driven "switchboard" that manages information flow between you and the services you access ("Relying Parties").

You can find detailed information on how we handle data in these specific roles in our dedicated notices:

• Identity Services Privacy Notice
• Identity Exchange Privacy Notice

3. Our Legal Obligations and Data Minimisation

We are subject to strict legal obligations that govern how we operate. The AML/CTF Act, in particular, requires both us and many of the Relying Parties that use our services (e.g., banks) to verify your identity to a high standard and keep records of those verifications. This may require us to collect specific information and retain verification records for a minimum of 7 years, even after you close your account. These are mandatory legal duties designed to prevent serious crime.

At the same time, we are deeply committed to data minimisation. We believe your data should not be duplicated unnecessarily across the internet. Our "Access vs. Access and Duplicate" consent model, which is explained in our Identity Exchange Privacy Notice, is designed specifically to limit the spread of your personal information, giving you greater control and security than traditional online services.

4. Your Privacy Rights

You are in control of your personal information. You have the right to:

• Access: Review your personal information at any time through the Comms.ID mobile or web applications.
• Correction: Request to have incorrect information corrected.
• Deletion: Close your Comms.ID account at any time. Upon your request, we will delete your personal information, subject to any legal obligations to retain it (such as under the AML/CTF Act).
• Withdraw Consent: View and revoke your consent for sharing information with a specific Relying Party at any time.

5. Data Security and Storage

Protecting your information is our highest priority. We store all personal information on secure servers located within Australia and will not transfer your personal information overseas. We use industry-leading security measures, including end-to-end encryption, and undergo regular independent security assessments to ensure our systems are robust.

6. Information for Minors

The Comms.ID service is available to individuals aged 15 years and older. We do not knowingly collect personal information from individuals under the age of 15.

7. How to Contact Us and Make a Complaint

To protect you from fraud, we will never use standard email, SMS, or unsecure phone calls for authentication or to request sensitive personal information.

To get support from a real person at Comms.ID, please use our secure, end-to-end encrypted channels:

• Use the secure chat widget on our public website at https://comms.id/.
• Use the in-app communication features (chat messages, voice or video calls) at https://auth.comms.id/, https://companion.comms.id/, or within our iOS and Android apps.

If you have a privacy concern or wish to make a complaint, please contact us first using these secure methods. If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

8. Governing Law

This Privacy Policy and our handling of your personal information are governed by the laws of Queensland, Australia.