We respect that your privacy is important and our Privacy Policy reflects the recent changes to Australian privacy laws. Your information is really important to us, so as part of our partnership with you we will always be honest and transparent.

Our commitment

In handling your personal information, Blue NRG Pty Ltd ABN 30 151 014 658 (‘Blue NRG’, ‘us’, ‘we’, ‘our’) is committed to complying with the Privacy Act 1988 (‘Privacy Act’) (as amended by the Privacy and Other Legislation Amendment Act 2024), and the Australian Privacy Principles. We are also bound by Division 3 of Part IIIA of the Privacy Act, which regulates the handling of credit information by credit providers. As an electricity retailer, we provide services to you before you are required to pay us for those services. Therefore, we are classified as a credit provider for the purposes of the Privacy Act.

Blue NRG recognises the importance of your privacy and is committed to protecting all personal information about you that we hold. This Privacy Policy operates in conjunction with our Information Security Policy and Compliance Framework Policy to ensure comprehensive protection of your information (these policies are available on request). Our employees undergo mandatory privacy and security training in accordance with our Information Security Policy, including training on the reformed Privacy Act requirements, data breach notification procedures, and enhanced security standards. This Privacy Policy outlines how we deal with your personal information (including credit-related information), as well as our legal obligations and rights to that information, including:

• What constitutes personal information;
• Why and how we collect, use and disclose personal information;
• How we manage credit related information;
• How we store personal information;
• Data breach notification obligations and procedures;
• How you can access your personal information, and correct personal information if you believe it to be incorrect;
• How to make a complaint if you have a concern regarding our handling of your personal information; and
• How to contact us.

All personal information is managed in accordance with the Privacy Act, Australian Privacy Principles, and our Information Security Policy to ensure appropriate technical and organizational security measures are in place to protect your data. This includes technical measures such as encryption, multi-factor authentication, access controls, and secure data storage, as well as organizational measures such as staff training on privacy and security obligations, access management policies, incident response procedures, and regular security audits.

What is ‘personal information’?

“Personal information”, as defined under the Privacy Act, means information or an opinion about an identified individual, or an individual who is reasonably identifiable whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not.

Generally, information that is only about a business is not considered to be ‘personal information’. This is because the Privacy Act defines an ‘individual’ as a ‘natural person’, and the ordinary meaning of a ‘natural person’ does not include a body politic or corporate entity (including a company).

However, an individual’s personal information may be so interconnected to information about his or her business or company that information about that business or company can constitute personal information about the individual. For instance, where the business is owned and managed by a sole trader, the distinction between business information and personal information might sometimes overlap.

In practice, where information provided in a business capacity is also personal information, the Australian Privacy Principles will apply.

For consistency and transparency, Blue NRG treats all personal and business information it collects, uses and discloses in the same manner.

Data retention

We will retain your personal information for as long as it is required to provide you with our services and comply with our legal obligations.

Specific retention periods vary by information type:

• Billing records and account information: Retained for 7 years in accordance with tax and accounting requirements
• Credit information: Retained in accordance with the Privacy (Credit Reporting) Code 2014
• Complaints and dispute records: Retained for the duration of the complaint/dispute plus 2 years
• Marketing and communications records: Retained for 2 years from last contact unless you request deletion
• Life support customer information: Retained for the period the customer requires life support equipment plus 2 years

Once we no longer require your personal information for any legal, regulatory, or operational purpose, we will securely delete or de-identify it.

Records of AI-assisted processing of customer communications – including triage classifications, routing decisions and draft correspondence – are retained as part of our internal customer service records and complaint files. These records form part of the audit trail that may be required by regulators such as the Australian Energy Regulator and the Essential Services Commission, and are retained in line with the retention periods set out above for billing, complaints and dispute records.

Why we collect, hold, use and disclose personal information

We need to collect, use and disclose your personal information so that we can perform our functions and duties as your electricity retailer. The information that we request from you (or in some cases, access from third parties) allows us to identify you and communicate with you, and to manage your energy account with us. This may include circumstances such as:

• Providing our products and services to you, or to provide you with a quote or offer for our products and services, including to follow up if we do not hear from you;
• Contacting you about your account, including issuing bills and seeking payment;
• If you want to set up a direct debit facility to pay your bills;
• Responding to any complaint you make to us;
• Answering enquiries and providing any information or documents you ask for;
• For administrative reasons (i.e. compliance reviews, planning, quality control and research);
• Updating our records to ensure your contact details are up to date;
• Using information, we are permitted by law to establish or report on your creditworthiness; and
• Marketing purposes where we have your express consent to contact you using one or more types of personal information that we hold about you or where we are permitted by law to contact you. We no longer rely on inferred consent for marketing communications. Consent is voluntary, informed, specific, and unambiguous, and you may withdraw it at any time by contacting us.
• Using tools and systems, including artificial intelligence (AI) tools, to help us manage and respond to customer enquiries, complaints and other communications more efficiently (for example, by classifying, prioritising and drafting responses to inbound emails), and to support our broader operational functions including quality assurance, internal analytics and service improvement.
• Supporting and improving our customer service processes, quality assurance and training through analysis of customer interactions, including where these processes are assisted by AI tools.

Blue NRG uses AI-assisted tools in some of our customer operations. This includes the automated classification, prioritisation and drafting of responses to customer communications (such as emails), as well as quality assurance, internal reporting and the analysis of customer interactions to improve our services. These tools may process information contained in your correspondence with us or held on your account, including your contact details, account information and the nature of your enquiry. AI-assisted outputs are always reviewed by Blue NRG staff before any action is taken, and we do not make decisions that have a legal or similarly significant effect on you based solely on automated processing.

When accepting services provided by Blue NRG, you consent to us collecting, using and disclosing your information for the core purposes set out in this Privacy Policy that are necessary for the provision of our services. Where we require your consent for other purposes (such as direct marketing or certain disclosures), we will seek that consent separately. If you choose not to provide your personal information to us, we may not be able to answer your query or provide energy and other products and services to you.

What personal information do we collect and hold?

As a customer or prospective customer, we aim to only collect and hold information that is necessary to provide you with any service you have requested, being the sale and supply of electricity or related services. Some common examples of information we collect include:

• Contact information, including your name, business name, phone number, previous and current address, postal address, email address or fax number,
• Identifying information, including your name, date of birth, driver’s licence number, copies of your driver’s licence, (or copies of other identification), Australian Business Number (ABN) and Australian Company Number (ACN),
• Information about your electricity account, including your supply address(es), meter number, national meter identifier (NMI), billing information and usage history, and concession or rebate entitlements,
• Financial information, including your direct debit and bank account details, credit card details, credit history, payment history, payment plan information (where relevant).

We may also collect details of other interactions that you have with us, together with any other information that you choose to give us. If you provide us with personal information about another person, such as an additional account holder, you must tell that person about this Privacy Policy.

From time to time, we may also collect sensitive personal information, for example, health information if you are a customer who requires electricity powered life support equipment. If we collect and hold sensitive information about you, we will only do so with your consent or where collection is required or authorised by law.

When we use AI-assisted tools to process customer communications, we apply data minimisation principles. This means we only provide the AI tools with the information reasonably necessary to triage and respond to your enquiry. When we use AI-assisted tools to process customer communications, we apply data minimisation principles. This means we only provide the AI tools with the information reasonably necessary to triage and respond to your enquiry. We do not permit our AI providers to use your personal information to train or improve their public models, and we select enterprise-grade tools with contractual restrictions on the use of customer data for model training purposes.

AI and sensitive information (including life support)

Where your communications with us indicate that you use electricity-powered life support equipment or that you are experiencing other sensitive circumstances, our systems are designed to flag these matters for immediate human review and escalation in line with our regulatory obligations. We do not rely solely on automated tools to assess or make decisions about life support or similar sensitive matters. , our systems are designed to flag these matters for immediate human review and escalation in line with our regulatory obligations. We do not rely solely on automated tools to assess or make decisions about life support or similar sensitive matters.

Access, correction and complaints

You have the right to access the personal information we hold about you and request its correction if it is inaccurate, out-of-date, incomplete, irrelevant or misleading. To make a request, please contact us at: 1300 599 888

If you have a complaint about how we have handled your personal information, you can contact us using the contact details above. We will respond to your complaint within 5 business days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

If you are concerned that an AI-assisted classification or communication has led to an incorrect or unfair outcome (for example, how your enquiry was triaged or how we responded), you may request that the matter be reviewed by a human. We will investigate and, where appropriate, re-assess your enquiry or complaint without relying on AI-assisted outputs.

For further information about how we handle sensitive information, including health information for life support customers, please see the “What Personal Information Do We Collect and Hold?” section above.

How we collect your personal information

Generally, we collect personal information directly from you, our customer, unless it is unreasonable or impracticable to do so. We also collect personal information via third parties, including:

• Our agents or third parties with whom we have business relationships;
• Third party brokers and sales agents who have contacted you about our products and services or have identified you as someone who may wish to receive offers about our products and services;
• Your agent or representative, where you have authorised them to act on your behalf in providing us with your personal information;
• Other energy retailers, for example, if you switch to us from another authorised retailer;
• Electricity distribution network businesses to access information about your energy supply;
• Energy ombudsman schemes;
• Through our website and social media accounts on Facebook and LinkedIn;
• Credit reporting agencies (see credit related information below);
• Additional account holders on your account; and
• Publicly available sources of information, such as telephone directories.

When we collect information from you, we may do so over the phone, in writing, in person, online (for example, through our website, or via email).

Some information that we collect from you is then used to formulate internal information about you, for example, billing history, payment information and account information. This information is collected by us and stored in Blue NRG’s internal systems.

How we use your personal information

We will use personal information only for the purpose it was collected, and/or for one of the reasons stipulated below.

We use your personal information to:

• Understand your energy needs and provide you with the right electricity product for you;
• Set up an electricity account for you, and manage that account over time;
• Assess your creditworthiness;
• Provide you with flexible payment options and other payment assistance where necessary;
• Contact you about your electricity account, and news, events and other services and products we offer;
• Improve our products and services from feedback provided by you via mail, phone, email or our social media accounts;
• Comply with legal and regulatory obligations to various government bodies;
• Conduct internal research and analysis;
• Manage complaints and disputes raised by you; and
• Keep you informed of any new products, services or offers through promotional marketing.

Disclosure of personal information

From time to time, we may also disclose your personal information. We will only disclose your personal information for a purpose that is:

• Set out in this Privacy Policy (i.e. required for the primary purpose of performing our functions and duties as an electricity retailer);
• A circumstance you would reasonably expect and have consented to; or
• As required by or permitted by law.

We may disclose your personal information to third parties in the conduct of our business and for the purpose of their work. Third parties may include:

• Additional account holders or your authorised representative;
• Other energy retailers (if you decide to move to another retailer);
• Companies that manage the distribution of your energy;
• Financial institutions (for payment processing);
• The Australian Energy Market Operator (AEMO) which manages energy supply, demand and capacity in accordance with applicable regulation;
• Government and regulatory authorities where required or authorised by law;
• Credit reporting bodies;
• Any companies related to us;
• External advisors such as lawyers, accountants and auditors; and
• Our service providers such as information technology suppliers, external sales partners and energy comparison services, mailing and logistics providers, meter reading and maintenance contractors, metering coordinator, data analysts, debt collection agencies, and marketing and advertising agencies and contractors.
• We may disclose personal information to overseas recipients for the purposes of data storage, processing, or other administrative functions. This includes third-party AI processing services that assist us to manage customer communications. For example, we use Anthropic, Inc. (Anthropic), a provider of AI tools based in the United States, under an enterprise Data Processing Addendum and commercial terms that include contractual data protection commitments. Information submitted to these services may be processed on servers located outside Australia.
• Where we disclose your personal information to overseas recipients, we take reasonable steps to ensure they handle your information in accordance with the Australian Privacy Principles, including by putting in place appropriate contractual safeguards.

Policy updates

We may update this Privacy Policy from time to time. The current version will always be available on our website. Where appropriate, we will notify you of significant changes.

Contact us

Phone: 1300 599 888 (9am to 5pm (AEST/AEDT) Mon – Fri)
Email: [email protected]
Website: www.bluenrg.com.au
Fax: 1300 881 903
Post: Blue NRG Pty Ltd. PO Box 24390, Melbourne VIC 3001