Privacy Policy
Effective 2026-05-07.
1. Who we are
This Privacy Policy explains how [Your Business Pty Ltd] (ABN [ABN pending]) ("we", "us", "our") collects, uses, discloses, and protects your personal information when you use the AI Taxagent Pro platform (the "Service").
We are bound by the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and — because the Service handles Tax File Numbers — the Privacy (Tax File Number) Rule 2015.
2. Summary
- You enter tax data; we prepare ATO-ready figures with citations.
- Tax File Numbers are encrypted at rest with a separate key. They never appear in our logs, emails, SMS, or AI prompts.
- We use a small set of third-party processors (Stripe for payments, Anthropic for the AI advisor, optionally Mindee for receipt OCR and Basiq for bank feeds). They each receive only what they need.
- Personal information you give the AI advisor is redacted at the boundary before any text leaves our servers — TFN, ABN, BSB, mobile, and email become [REDACTED-XXX-N] tokens.
- You can ask us to access, correct, or delete your data at any time. You can complain to the Office of the Australian Information Commissioner (OAIC) if we get it wrong.
3. What information we collect
3.1 Information you give us
- Account information — name, email address, password (stored as a bcrypt hash, never in plaintext).
- Entity information — business name, entity type, ABN, ACN, GST registration status, BAS frequency, financial year, residency-policy preference.
- Tax File Number (TFN) — only if you choose to enter one for ITR preparation. Stored encrypted at rest with a dedicated KMS key (see §5).
- Bank-transaction data — either uploaded as CSV or fetched via Basiq if you connect a live feed.
- Receipts — images or PDFs you upload, plus the vendor / date / total / GST that OCR extracts.
- Tax-form figures — what we compute from your inputs (BAS, ITR, CTR, IAS) plus citations to the rule version that produced each number.
- Conversation history with the AI advisor — your questions and our (cited) answers, retained per your conversation thread.
3.2 Information we collect automatically
- Session cookies — first-party only, used to keep you logged in.
- Server logs — IP address, user agent, request paths, error stack traces. PII is scrubbed before logs are written (same redactor as the AI advisor).
- Audit-trail entries — every lodgement-relevant action (prepare, review, mark-as-lodged) is recorded with timestamp, user ID, and the rule version cited. The audit log is append-only and immutable from the database side (UPDATE / DELETE / TRUNCATE on those rows is blocked at the trigger level).
3.3 Information we do not collect
- We do not see your bank login or password — when you connect a live feed, Basiq (a CDR-accredited Outsourced Service Provider) handles that boundary.
- We do not use third-party advertising or marketing trackers. There is no Google Analytics, no Facebook pixel, no LinkedIn Insight tag.
4. How we use your information
- To provide the Service — prepare your BAS, ITR, CTR, IAS figures, generate Audit Defence Packs, send compliance reminders, surface AI-advisor answers.
- To operate your account — process payments via Stripe, send transactional emails (e.g. reminders, lodgement confirmations, invoices).
- To improve the Service — anonymous, aggregated metrics on which features are used. We do not use the contents of your tax data to train AI models.
- To meet our legal obligations — including record-keeping requirements that apply to financial software providers.
5. Tax File Numbers — special protections
TFNs receive heightened protection under the Privacy (Tax File Number) Rule 2015. We comply by:
- Encrypting at rest with a dedicated key separate from the rest of the database.
- Never including TFNs in emails, SMS, push notifications, log files, error reports, or AI-advisor prompts. The PII redactor strips TFN-shaped strings (with ATO checksum validation) before any text leaves our servers.
- Restricting access to TFN fields to the minimum number of people necessary — currently, only the operator of [Your Business Pty Ltd].
- Supplying TFNs only for tax-related purposes the user has authorised — never to advertisers, analytics, or marketing third parties.
- Allowing you to refuse to provide a TFN; if you do, ITR preparation is unavailable but the rest of the Service remains usable.
If you believe your TFN has been mishandled, you may complain to us (see §12) or directly to the OAIC.
6. Who we share your information with
We disclose personal information only to the third-party processors below, and only what each one needs to perform its function. None of them sell, share, or re-purpose your data.
| Processor | Purpose | Data shared | Region |
|---|---|---|---|
| Stripe | Subscription billing | Email, plan code, payment method (card data goes directly to Stripe — we never see it) | USA / global |
| Anthropic | AI advisor LLM | Your question + tool-call results, with all PII (TFN, ABN, BSB, mobile, email) replaced by redaction tokens before sending | USA |
| Mindee (optional) | Receipt OCR | The receipt image / PDF you upload | France (EU) |
| Basiq (optional) | Live bank feed | Your consent + the bank you select; Basiq returns transaction data only | Australia (CDR-accredited OSP) |
| Email provider (SMTP / AWS SES) | Transactional email | Your email + email body (never contains TFN) | Australia / USA depending on provider |
| Hosting provider | Server + database hosting | All your data (encrypted at rest where supported) | Australia |
We may also disclose information if we are legally compelled to do so (e.g. ATO notice, court order), or if it is necessary to protect our or another user's safety. We will notify you wherever permitted.
7. Cross-border data disclosures (APP 8)
Some of the processors above are located outside Australia (Stripe — USA; Anthropic — USA; Mindee — France). By using the Service, you consent to your personal information being disclosed to those processors in those countries for the purposes listed in the table above. They each have their own privacy and data-protection commitments which we have reviewed.
If you require strict Australian-only data residency, contact us before signing up — we offer an upgrade tier that routes receipt and document storage to AWS S3 Sydney with no offshore replication.
8. Where your data is stored
Your account data and tax-form figures live on our hosting provider's Australian servers. Receipt files and bank-statement uploads are stored on the same server's local disk by default, or on Cloudflare R2 (Sydney edge, with global replicas for durability) if configured. Tenants on the au_only residency policy use AWS S3 Sydney instead. The provider + region that handled each document is recorded on the audit-trail entry, so you can prove which jurisdiction held a file at any given time.
9. How long we keep your information
- Tax records — retained for at least 5 years from the date the relevant return is lodged, in accordance with ATO record-keeping requirements.
- Account information — retained while your account is active, and for up to 90 days after deletion to allow reversal of accidental deletion.
- Audit-log entries — retained for the life of the relevant tax record (immutable from the database side).
- Server logs — typically rotated within 30–90 days.
- Stripe billing records — retained by Stripe under their own retention policy, typically 7 years for financial-services compliance.
On request, we will delete information that is not subject to a legal retention obligation. Tax-record retention typically prevails until the 5-year ATO window has elapsed.
10. Security
- Encryption in transit — TLS on every connection (HTTPS, public web; encrypted database driver, internal).
- Encryption at rest — TFNs encrypted with a dedicated key; database-level encryption where the hosting provider supports it; receipt-storage encryption when stored in Cloudflare R2 / AWS S3.
- Tenant isolation — Postgres Row-Level Security enforces that one tenant cannot see another tenant's data, even via a SQL injection bug.
- Audit-log immutability — UPDATE, DELETE, and TRUNCATE are blocked on audit-log rows at the database trigger level.
- Password storage — bcrypt with a high work factor; we never see plaintext passwords.
- Secrets management — credentials are stored in environment variables, never committed to source control.
No system is ever 100% secure. If we suffer an eligible data breach, we will notify affected users and the OAIC under the Notifiable Data Breaches scheme as required.
11. Cookies
We use only first-party cookies, all strictly necessary for the Service to work:
- Session cookie — keeps you logged in. Cleared when you log out or after the session-lifetime expires.
- CSRF cookie — protects forms from cross-site request forgery.
We do not use advertising cookies, analytics cookies, or third-party tracking technologies. Because none of our cookies are non-essential, we do not show a cookie consent banner.
12. Your rights
Under the Privacy Act and APPs, you have the right to:
- Access — request a copy of the personal information we hold about you.
- Correct — ask us to fix anything that is inaccurate or out of date.
- Delete — ask us to delete your data, subject to the ATO 5-year retention obligation.
- Export — receive your tax data in a machine-readable format (CSV / JSON).
- Withdraw consent — disconnect Basiq, opt out of the AI advisor, or delete your TFN at any time.
- Complain — to us first; if unresolved, to the OAIC at oaic.gov.au.
To exercise any of these rights, email privacy@example.com. We will respond within 30 days.
13. Children
The Service is not intended for anyone under the age of 18. We do not knowingly collect personal information from minors. If you believe a child has used the Service, contact us and we will delete the relevant account.
14. Changes to this policy
We will update this policy as the Service changes or as the law evolves. Material changes will be notified to active users by email at least 14 days before they take effect. The effective date at the top of this page reflects the most recent revision.
15. Contact us
For privacy questions, complaints, or to exercise any right above:
[Your Business Pty Ltd]
Privacy team:
privacy@example.com
Postal: [Postal address]
ABN: [ABN pending]