Australia-only · Privacy Act 1988
Your data is being sold right now. Find out who has it.
NotMeID finds every Australian company holding your personal information and removes it automatically — using your legal rights under the Privacy Act 1988. Free to start.
No credit card · Takes 60 seconds · Free forever
How exposed are you?
Enter your email for an instant check against known data breaches. No account needed. Takes 5 seconds.
Checked against public breach databases · No inbox access at this stage · We never sell your data
0 million
Australian email addresses breached since 2004
0
Accounts compromised every minute since 2004
A third of all Australians in one breach alone (Optus)
The scale of the problem
Australia is one of the most breached countries on earth.
0 million
personal records exposed in Australia since 2004
Source: SurfShark / Corbado, 2024
0 million
unique Australian email addresses breached since 2004
Source: Corbado analysis, 2024
0
breach notifications to OAIC in just the first half of 2024
Source: OAIC Notifiable Data Breaches Report Jan–Jun 2024
0%
increase in compromised accounts Q1 2024 vs Q4 2023
Source: SurfShark / Australian Cyber Security Centre
The Australian Cyber Security Minister said in 2022 that Australia was "a decade behind other developed countries on cybersecurity and data privacy." That was before MediSecure — the largest breach in Australian history — compromised the prescription records of nearly 13 million people in 2024. The company entered administration weeks later.
This is not a future risk. It is the current state of Australian data security. Your personal information has almost certainly already been exposed. The question is whether you know about it, and whether you've exercised your legal right to have it removed.
Major Australian incidents
The breaches that changed Australia.
Sep 2022
Optus
Up to 9.8 million Australians — a third of the country.
Australia's second-largest telco exposed customer names, dates of birth, addresses, phone numbers, passport numbers, driver's licence numbers, and Medicare numbers through an unsecured application interface. Records dated back to 2017. The class action involved 1.2 million customers. State governments paid to replace compromised driver's licences. The Deloitte review Optus commissioned was successfully suppressed for over a year before courts ordered its release.
9.8M records · Passports · Licences · Medicare numbers
Oct–Dec 2022
Medibank
9.7 million customers. Health records. On the dark web.
A Russian ransomware group obtained the medical records, claim histories, and personal details of nearly 9.7 million Medibank customers. When Medibank refused the $10 million ransom, the data was published on the dark web in stages — diagnoses, mental health records, HIV statuses. Home Affairs Minister Clare O'Neil called it "the single most devastating cyberattack we have experienced as a nation." The OAIC later alleged Medibank had no multi-factor authentication and failed to act on its own security software alerts. Civil penalty proceedings were filed in 2024. Over 11,000 cybercrime cases have since been linked to the breach.
9.7M records · Medical records · Mental health data · Prescription history
Mar 2023
Latitude Financial
14 million individuals. Data stored since 2005.
A single stolen employee credential was enough. Latitude Financial — a consumer lender operating across Australia and New Zealand — exposed the personal information of over 14 million people, including driver's licence numbers, passport numbers, and financial records. Much of the compromised data had been held since 2005, prompting questions about why a financial services company retained customer records for nearly two decades beyond any plausible business need. The breach extended Australian government powers to intervene in private sector cyberattacks.
14M records · Driver's licences · Passports · Financial data
May 2024
MediSecure
12.9 million Australians. 6.5 terabytes. Put up for sale for US$50,000.
MediSecure, an electronic prescription delivery service, suffered the largest data breach in Australian history by number of people affected. The stolen data included names, addresses, and health information tied to prescriptions filled before November 2023 — medication histories that could reveal conditions including mental illness, gender transition, and fertility treatment. A Russian hacking forum attempted to sell 6.5 terabytes of patient data for US$50,000. The company, unable to afford the investigation, entered voluntary administration three weeks after the breach became public.
12.9M records · Prescription history · Health conditions · Patient data
2024 (ongoing)
The pattern
527 breaches in six months. A 388% quarterly surge.
The OAIC received 527 data breach notifications in the first half of 2024 alone — the highest number since 2020 and a 9% increase on the previous six months. Australia became the 15th most compromised nation globally in Q1 2024. The Privacy Commissioner noted that "almost every day" her office receives notifications of breaches where Australians face likely serious harm. "Privacy and security measures are not keeping up with the threats facing Australians' personal information," she said.
527 notifications · Jan–Jun 2024 · OAIC report
Your data from one or more of these incidents is almost certainly on the dark web already. Run your free exposure test to find out which.
Australia's new law
The Digital ID Act 2024 created a new category of data most Australians don't know they're sharing.
Australia's Digital ID Act commenced on 1 December 2024. It established a nationally consistent framework for verifying identity online — linking myGovID, state government services, and eventually the private sector into a single accreditation system.
The goal was to reduce the number of copies of your identity documents floating around government and corporate systems. It largely achieved this.
What most Australians don't fully understand is what happens to the identity attributes — verified data points about you — that are created when you use the system. Accredited Digital ID providers hold data including your name, date of birth, biometric templates, and government document references. Under the Act, they can retain these attributes even after a transaction is complete.
Under APP 12 and APP 13 of the Privacy Act 1988, and under the Digital ID Act's own data destruction obligations, you have legal rights to access and request deletion of these attributes. Almost no Australian consumer has ever exercised these rights.
NotMeID is the only consumer service that specifically tracks, requests access to, and removes data held by Digital ID providers under this framework.
When you use a Digital ID, providers may hold:
- Your verified full legal name
- Date of birth
- Biometric template (if used)
- Document reference numbers (passport, driver's licence, Medicare)
- Transaction history (services accessed)
- IP address and device identifiers
- Liveness check images (photos)
Source: Digital ID Act 2024 (Cth), Privacy Impact Assessments, Maddocks, Oct–Nov 2024
"The Digital ID system is a novel technological innovation that seeks to limit the amount of information retained across the economy in the inevitable event of a data breach."
The industry you haven't heard of
Hundreds of companies are selling your personal information right now. None of them asked you.
The global data broker market is projected to reach US$345 billion by 2026. A significant portion of that value is Australian consumer data — scraped from public records, purchased from loyalty programs, harvested from real estate searches, extracted from breach data, and compiled into profiles sold to insurers, employers, marketers, private investigators, and anyone else who pays.
Data brokers operating in Australia are not a US problem that has drifted here. They are Australian companies registered in Australia, processing Australian consumer data, and subject to Australian law. Under the Privacy Act 1988, you have a legal right to demand they delete it. Most don't advertise an opt-out. None make it easy.
Credit & financial
Experian, Equifax, Illion (Dun & Bradstreet) hold credit files, income estimates, and financial profiles sold to lenders, insurers, and employers.
Experian AU · Equifax · Illion · Dun & Bradstreet
Property & real estate
CoreLogic, RP Data, realestate.com.au, Domain compile property search intent and ownership data sold to insurers and financial institutions.
CoreLogic · RP Data · REA · Domain
Loyalty & retail
Flybuys, Woolworths Rewards, Myer One, Everyday Rewards compile purchase histories and sell profiles to insurers and marketing platforms.
Flybuys · Woolworths Rewards · Myer One · Everyday Rewards
People finders
WhitePages AU, people-search sites aggregate names, addresses, phone numbers, relatives, and workplace data into public-facing profiles anyone can purchase.
WhitePages AU · people-search networks
Marketing & behavioural
Advertising data platforms compile browsing history, purchase intent, and demographic profiles from hundreds of Australian apps.
Ad networks · data management platforms
Digital ID
myGovID, ConnectID, Australia Post Digital iD hold verified identity attributes under the Digital ID Act 2024. Only NotMeID covers this category.
myGovID · ConnectID · AusPost Digital iD
NotMeID covers all six categories. 847 Australian providers. Continuously updated by the community.
The coverage gap
American privacy tools cover American databases. Your data is in Australian ones.
Incogni and DeleteMe are real products that do real work. For Americans covered by the California Consumer Privacy Act, or Europeans covered by GDPR, they provide meaningful protection. They have processed hundreds of millions of removal requests and they work as described.
They do not work for Australian consumers because they are not built for Australian consumers.
Incogni covers over 420 data brokers — nearly all of them operating under CCPA or GDPR jurisdiction. DeleteMe covers a similar universe. Neither service covers the Australian Privacy Principles under the Privacy Act 1988. Neither covers the Digital ID Act 2024. Neither has a database of Australian data brokers, Australian loyalty programs, Australian property data companies, or Australian credit reporting agencies. Neither can send a legally valid APP 13 deletion request. Neither can file an OAIC complaint.
An Australian who subscribes to Incogni and sees 420 requests sent gets a status dashboard that looks like protection. Experian Australia, Equifax Australia, Illion, CoreLogic, REA Group, Flybuys, and hundreds of other Australian entities holding their data are unaffected. The Australian consumer has spent $115 a year and their data footprint in Australia has not changed.
This is not a criticism of those products. It is a description of their scope. They were not built for this country and they do not claim to be.
| Coverage | NotMeID | Incogni | DeleteMe |
|---|---|---|---|
| Australian data brokers | ✓ 847+ providers | ✗ Not covered | ✗ Not covered |
| Privacy Act 1988 (APP 12, APP 13) | ✓ Native | ✗ | ✗ |
| Digital ID Act 2024 | ✓ Only service | ✗ | ✗ |
| OAIC complaint drafting | ✓ Automated | ✗ | ✗ |
| Requests from your own email | ✓ Legal standing | ✗ Platform sends | ✗ Platform sends |
| Free discovery tier | ✓ Always free | ✗ Paid only | ✗ Paid only |
| Jurisdiction | Australia | US / EU (CCPA/GDPR) | US primarily |
| Annual price (AUD equiv.) | A$79/yr | ~A$115/yr | ~A$160/yr |
"Australia could benefit from a similar company providing similar services operating within its jurisdiction."
What the law gives you
You have legal rights most Australian companies hope you don't know about.
APP 12 — Right of access
Under Australian Privacy Principle 12, you have the right to request access to the personal information any APP entity holds about you. They must respond within 30 days. They cannot charge you for the access. They cannot simply ignore the request.
APP 13 — Right to deletion
Under Australian Privacy Principle 13, you have the right to request correction or deletion of personal information an APP entity holds that is inaccurate, out of date, incomplete, irrelevant, or no longer needed. They must respond. A failure to respond is itself a breach of the Act.
The Office of the Australian Information Commissioner
If a company ignores a valid request, you can file a complaint with the OAIC. The OAIC has enforcement powers, can investigate, and can take civil penalty action. Penalties for serious or repeated breaches can reach $50 million for corporations. These are not theoretical powers — the OAIC filed civil penalty proceedings against Medibank in 2024 and against Australian Clinical Labs for their 2022 breach.
NotMeID automates the entire chain — request, follow-up, OAIC complaint — using your legal standing as the individual data subject, from your own email address.
Your rights as a data subject
Summary
Right to access personal information held about you by any APP entity. Response required within 30 days.
Right to request deletion of inaccurate, irrelevant, or outdated personal information.
Additional data destruction rights for accredited Digital ID providers.
Non-compliance may be escalated to the Information Commissioner. Civil penalties up to $50 million.
How it works
Set it up once. It runs forever.
Step 01 · Discover
We scan for every Australian company that may hold your data — across breach databases, your inbox history, and our catalogue of 847 providers.
Free
Step 02 · Confirm
You review what we found with supporting evidence. Tick what you want removed. We never act without your instruction.
Step 03 · Remove
Deletion requests go from your own email address with your legal name and your standing under the Privacy Act 1988. Providers can't dismiss it as automated bulk mail.
Step 04 · Escalate
If a provider doesn't respond within 30 days, that's a statutory violation. We prepare an OAIC complaint — you review and file with one click.
What we cover
847 Australian providers. Updated continuously by the community.
Full provider list, legal obligation class, and deletion status require a free account.
See all 847 providers →
Pricing
Less than a coffee a month to disappear from hundreds of databases.
Free
A$0 — forever free
Discover who has your data before paying a cent.
- ✓ HIBP breach scan
- ✓ 847-provider catalogue browse
- ✓ Submit new providers
- — Deletion requests (Standard)
- — Response tracking (Standard)
- — OAIC escalation (Pro)
Standard
A$79/yr or A$9/month
Full deletion sweep for one identity.
- ✓ Everything in Free
- ✓ Deletion requests sent from your email
- ✓ Inbox scan for account discovery
- ✓ Response tracking and follow-ups
- ✓ Batched assisted deletion
- ✓ PDF certificate export
- — Unlimited identities (Pro)
- — APP 12 access requests (Pro)
- — OAIC complaint drafting (Pro)
Pro
A$159/yr or A$19/month
Full legal automation. Unlimited identities.
- ✓ Everything in Standard
- ★ Unlimited identities
- ★ APP 12 access request automation
- ★ OAIC complaint drafting
- ★ Overdue escalation (auto)
- ★ Priority processing
All prices in AUD incl. GST · 14-day money-back guarantee · Cancel anytime · No annual lock-in required
Find out who has your data. Today.
Free scan. No credit card. Takes 60 seconds. Every Australian should know their exposure.
Checked against public breach databases · notmeid.com.au · Published by SOCii · Australian Privacy Act compliant