Finance Frank Pty Ltd ACN [to be inserted] (ABN 20 530 863 914) (“we”, “us”, “our”) operates the Finance Frank platform at financefrank.ai and app.financefrank.ai. This Privacy Policy explains how we collect, use, disclose, and protect your personal information in accordance with the Australian Privacy Act 1988 (Cth) (as amended by the Privacy and Other Legislation Amendment Act 2024), the Australian Privacy Principles (APPs), the Privacy (Tax File Number) Rule 2015, and the Notifiable Data Breaches scheme.
Information we collect
We collect the following types of personal information:
Account information
Name, email, mobile number, date of birth, state of residence. We store a one-way bcrypt hash of your password — never the password itself.
Financial information
Assets, liabilities, income sources, transactions, budgets, goals, insurance, super, tax info, ABN/ACN. Tax File Numbers are handled separately under the dedicated TFN paragraph below.
Entity information
Companies, trusts, SMSFs, and partnerships you manage.
Usage data
Pages visited, features used, API requests, IP address, browser type, device info.
AI conversations
Messages you send to Frank and the responses generated.
Payment information
Processed by Stripe. We store your Stripe customer ID and subscription status, never your card.
Documents
Files you upload (loan agreements, policy schedules, valuations).
AML/CTF customer due diligence (practice tier)
Where your accountant or tax agent uses Finance Frank to perform AML/CTF customer due diligence on you (from 1 July 2026 under the Tranche 2 reforms): government ID document, address verification, source-of-funds declaration, occupation, FATCA/CRS responses, beneficial-ownership data for company / trust / SMSF clients, and PEP/sanctions screening results. Held under AUSTRAC 7-year retention.
Tax File Numbers (TFNs) — Privacy (Tax File Number) Rule 2015 collection notice
TFNs are protected information under section 17 of the Privacy Act 1988 (Cth) and the binding Privacy (Tax File Number) Rule 2015. The Rule requires us to give you the following notice at or before the time we collect your TFN:
- You are not required to provide your TFN. It is voluntary. Declining will not prevent you from opening an account.
- The lawful purpose of collection is (a) populating your PAYG and tax-checklist calculators within Frank, and (b) for practice-tier subscribers, providing the data to your registered tax agent (who is authorised under the Tax Agent Services Act 2009 (Cth) to collect TFNs).
- Consequences of not providing it: the PAYG and tax-checklist calculators will run on placeholder values; some practice-tier features that require a TFN (e.g. SMSF compliance) may be unavailable.
- We do not use TFNs for identification, and we do not require a TFN to log in or use other features of the platform.
- We do not disclose TFNs to any third-party service provider in chat content, structured payloads, or stored extracted fields — including our AI providers Anthropic and OpenAI, payment processor Stripe, or email provider Resend. A redaction layer at the AI-API boundary substitutes TFN values with placeholders before any text-based inference request, and the same redaction pass is re-applied to data extracted from document image uploads before that data is written to our database. The only path by which a TFN can transit to an AI provider is if you upload an image (e.g. a payslip PDF or photo) that visibly contains your TFN — Anthropic’s vision endpoint then sees the image bytes, but under Anthropic’s Commercial Terms it does not retain or train on those bytes, and we strip TFN values out of the resulting extracted text before storage. See Section 5 for the full text on AI redaction.
- Storage: TFNs are encrypted at rest using application-level symmetric encryption (see Section 6) on top of the database's at-rest encryption.
- Deletion: you can delete a stored TFN at any time from Settings, or by emailing privacy@financefrank.ai.
- Where to complain: if you believe we have handled your TFN in breach of the Rule, you can complain to the OAIC at oaic.gov.au — see Section 14.
If you don't provide certain information (APP 5)
You can use Finance Frank without providing some of the information above, but certain features may be unavailable or degraded. Examples: without a date of birth, age-related calculations (super contribution caps, preservation age, peer benchmarks) are turned off; without a state of residence, state-specific rates (stamp duty, payroll tax) cannot be calculated; without an entity ABN, business and SMSF entity features are disabled; without a TFN, PAYG and tax-checklist calculators run on placeholder values. We will not refuse to create your account if you decline any of the above (other than name and email, which are required to operate the account).
Sensitive information (APP 3.3)
We do not collect “sensitive information” (as defined in section 6(1) of the Privacy Act 1988 (Cth) — including health information, biometric information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record and similar categories) by default. Some documents you may upload to Finance Frank — for example, an income-protection insurance schedule containing health declarations, a payslip with union-dues categorisations, or a medical-bill receipt for a deduction claim — could contain sensitive information. By uploading such a document, you consent under APP 3.3(a) to our collection and processing of any sensitive information it contains, solely for the purposes described in this Privacy Policy (storage, indexing, AI-assisted summarisation, and surfacing back to you in-product). You can delete any uploaded document at any time from Settings → Documents, which removes the underlying sensitive information from active production within the timelines in Section 7. Where the AI redaction layer described in Section 5 cannot reliably detect the sensitive information for redaction (for example, free-form health text in a scanned PDF), the document text may be sent to our AI sub-processors for the inference call you initiated; we recommend you do not upload sensitive-information documents that you would not want sent to our AI sub-processors for inference.
What we don't collect
Finance Frank does not integrate with the Consumer Data Right (CDR / Open Banking) regime, nor with any third-party transaction aggregator (e.g. Basiq, Yodlee, Plaid). We do not store your bank login credentials. Financial data enters Frank only via:
- Direct manual entry by you
- CSV export from your bank, uploaded by you
- Document OCR (payslips, statements, receipts) on files you upload
- Market data APIs for asset valuations (no personal info sent outbound)
How we collect information
- Directly from you when you create an account, enter financial data, upload documents, or chat with Frank.
- Automatically through server logs and usage analytics when you use the platform.
- From third-party services: Stripe (payment processing), Supabase (authentication), market data providers.
Why we collect and use your information
- To provide and improve the Finance Frank platform.
- To generate personalised insights, health scores, and AI-assisted observations.
- To process subscription payments and manage your account.
- To send service-related notifications (bill reminders, compliance alerts).
- To maintain audit logs for security and compliance.
- To comply with our legal obligations under Australian law.
We will not use your personal information for purposes unrelated to the above without your consent.
Third-party service providers
We share personal information with the following third parties, solely to provide our services. Sub-processor list last reviewed: 9 May 2026. We commit to reviewing this list at least quarterly, and to giving 30 days' written notice (per DPA cl 9 / MSA cl 16) before adding any new sub-processor that processes Personal Information.
| Provider | Purpose | Data shared | Recipient location | Data hosting region | Contractual safeguards |
|---|---|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage | All user data (encrypted at rest) | United States | Sydney (ap-southeast-2) | Supabase DPA + Standard Contractual Clauses; SOC 2 Type II |
| Stripe Payments Australia Pty Ltd | Payment processing | Email, subscription status (card data tokenised by Stripe — never stored by us) | Australia (parent in United States) | United States (PCI-DSS Level 1) | Stripe DPA; PCI-DSS Level 1; SOC 2 Type II |
| Anthropic, PBC | AI assistant (Frank), narrative reports (Executive Summary, Practice digest) | Conversation messages, financial context, snapshot stats | United States | United States | Anthropic Commercial Terms (no-training commitment); SOC 2 Type II |
| OpenAI, L.L.C. (embeddings only) | Document semantic search — chunks of uploaded docs are embedded so Frank can answer questions about their content | Document text chunks (for canonical financial doc types you upload) | United States | United States | OpenAI Business Terms (no-training commitment); SOC 2 Type II |
| Render Services, Inc. | Backend API hosting | All API requests (in-memory, not persisted) | United States | Oregon, United States | Render DPA; SOC 2 Type II; ISO 27001 |
| Vercel Inc. | Website hosting (static content) | IP address, usage data | United States | Sydney edge cache for AU visitors; origin US | Vercel DPA; SOC 2 Type II |
| Resend Inc. | Transactional email (sign-up confirmations, password resets, practice invitations, notifications, practice messaging) and marketing email (broadcasts to opted-in users, audience contact list management, engagement event reporting) | Recipient email address, sender name, email body content, delivery / engagement events (opens, clicks, bounces, complaints, unsubscribes) | United States | United States | Resend DPA; SOC 2 Type II |
| ipapi.co (Kloudend, Inc.) | Country lookup at sign-up only — IP address checked against ISO country code so we can enforce the Australia-only signup geo-block referenced in DPA cl 1 | IP address (header, not yet associated with a user account at the point of lookup); no other personal information | United States | United States | ipapi.co terms (no-store on free-tier lookups); used signup-only, fail-open on lookup error so a degraded service does not block legitimate AU sign-ups |
| Functional Software, Inc. (Sentry) | Error monitoring and performance tracing — captures unhandled exceptions, traces, and a tag with the authenticated user's Supabase user_id so multi-tenant errors can be filtered. send_default_pii is disabled so email / name / financial figures / chat content are NOT sent. | Stack traces, breadcrumbs (URL paths, HTTP status codes), user_id (UUID only) | United States | United States | Sentry DPA; SOC 2 Type II; ISO 27001 |
Recipient location vs. data hosting region. Several providers are US-incorporated companies even where the underlying data is hosted in Australia (e.g. Supabase Inc. is US-incorporated but our database tenancy is in Sydney; Stripe Australia is the contracting entity but its parent is US). Under APP 8, the disclosure to the corporate entity itself is treated as a cross-border disclosure regardless of the data hosting region. See Section 5 for our APP 8 reasonable-steps statement.
No data sales. We do not sell, rent, or share your personal information or any de-identified data with third parties for their own marketing or commercial purposes. We disclose data to the sub-processors listed above strictly to operate the Service on your behalf, on the contractual safeguards described in Section 5.
Cross-border data transfer (APP 8)
Overseas disclosure
In accordance with Australian Privacy Principle 8, we inform you that some of your personal and financial information is disclosed to overseas recipients as part of providing our services. The recipients are listed in Section 4 above (with location and contractual safeguards).
Our reasonable-steps statement (APP 8.1)
Before disclosing personal information to an overseas recipient, we take steps that are reasonable in the circumstances to ensure the recipient handles the information consistently with the Australian Privacy Principles. Specifically, for each provider in Section 4 we have entered into a written agreement (a Data Processing Agreement, Data Processing Addendum, Standard Contractual Clauses or equivalent) that imposes confidentiality, security, breach-notification and use-limitation obligations substantively equivalent to the APPs. We do not rely on bundled or implied consent under APP 8.2(b) to authorise these disclosures.
What is sent to which provider
- Anthropic — your conversation messages with Frank, a contextual summary of your financial data (asset values, liability balances, income amounts, budget categories, goals, transactions), and your profile information (name, age, state, household type) for context.
- OpenAI (embeddings only) — text chunks from canonical financial document types you upload (trust deeds, building contracts, wills, leases, etc.). Receipts and ad-hoc statements are not embedded.
- Stripe — name, email, billing address (collected by Stripe Checkout), and your Stripe customer + subscription identifiers. Payment-card details are tokenised by Stripe and never reach our infrastructure.
- Supabase — all your stored data (encrypted at rest within the Sydney region tenancy).
- Render — all API request payloads pass through Render-hosted backend instances at request-time but are not persisted on Render disk.
- Vercel — IP address, request headers, and usage telemetry for the marketing and web-app frontends.
- Resend — recipient email address, sender name and the body of any transactional email we send you.
Additional safeguards
- Under our current commercial agreements with Anthropic and OpenAI, your data is not used to train their base AI models. We will update this policy if those arrangements change.
- Data in transit between our servers and any third-party API is encrypted using TLS 1.2 or higher.
- AI redaction — text content. For Frank chat and other text-based AI features, an automated redaction layer runs over every outbound message before it leaves our servers. The layer substitutes Tax File Numbers, BSB + account-number pairs, payment-card numbers (Luhn-validated), Medicare numbers, Australian passport numbers and driver’s licence numbers with neutral placeholders (e.g. [REDACTED:TFN]) so the AI provider never receives raw identifiers in chat content. Card details additionally go to Stripe directly via Stripe Checkout and never reach our backend at all.
- AI redaction — document image uploads. Where you upload a document image (e.g. a payslip, bank statement or insurance certificate) for parsing, the image file is sent to Anthropic’s vision endpoint so it can extract the structured fields you asked us to capture (amounts, dates, line items). Image content cannot be redacted before transmission with current technology. However, before we store the extracted result in your account, we re-apply the same redaction pass to the extracted text — so the data-at-rest copy in our database does not retain raw TFNs, account numbers, Medicare numbers or other sensitive identifiers. Anthropic’s Commercial Terms of Service prohibit retention or training on customer inputs by default.
- Where a provider has an Australian legal entity (e.g. Stripe Payments Australia Pty Ltd), we contract with the Australian entity, while still treating the disclosure as cross-border for APP 8 purposes given the parent-company structure.
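The text-redaction pass described in the two AI redaction bullets above (and referenced in the TFN collection notice), as an added example that is not Finance Frank's code: identifiers are matched by shape, confirmed against their public check digit where one exists (TFN mod-11, Luhn for cards, Medicare mod-10), and replaced with the policy's placeholder format, then the same pass is re-applied to fields extracted from a document image before storage. The regex shapes, the rule labels, the `redact_extracted_fields` helper and all sample values are constructed assumptions; passport and driver's licence numbers, which vary by state, are left out.

```python
import re

# Placeholder format used in the policy text, e.g. "[REDACTED:TFN]".
PLACEHOLDER = "[REDACTED:{}]"


def _digits(s: str) -> str:
    """Strip spaces and hyphens so validators see only the digit string."""
    return re.sub(r"\D", "", s)


def is_valid_tfn(candidate: str) -> bool:
    """9-digit TFN check digit: weights 1,4,3,7,5,8,6,9,10; weighted sum mod 11 == 0."""
    d = _digits(candidate)
    if len(d) != 9:
        return False
    weights = (1, 4, 3, 7, 5, 8, 6, 9, 10)
    return sum(int(c) * w for c, w in zip(d, weights)) % 11 == 0


def is_valid_luhn(candidate: str) -> bool:
    """Luhn mod-10 check for a 13-19 digit payment-card number."""
    d = _digits(candidate)
    if not 13 <= len(d) <= 19:
        return False
    total = 0
    for i, c in enumerate(reversed(d)):
        n = int(c)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def is_valid_medicare(candidate: str) -> bool:
    """Medicare card check: first digit 2-6; weights 1,3,7,9,1,3,7,9 on digits 1-8; sum mod 10 == digit 9."""
    d = _digits(candidate)
    if len(d) not in (10, 11) or d[0] not in "23456":
        return False
    weights = (1, 3, 7, 9, 1, 3, 7, 9)
    return sum(int(c) * w for c, w in zip(d[:8], weights)) % 10 == int(d[8])


# Rules run in this order: the most specific shape first (BSB-account pair), then
# longer identifiers before shorter ones, so a 16-digit card number is never
# partially consumed by the 9-digit TFN pattern. A validator of None means the
# shape alone triggers redaction (BSB and account numbers carry no check digit).
RULES = (
    ("BSB_ACCOUNT", re.compile(r"\b\d{3}-\d{3}\s+\d{6,10}\b"), None),
    ("CARD", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), is_valid_luhn),
    ("MEDICARE", re.compile(r"\b\d{4}[ -]?\d{5}[ -]?\d{1,2}\b"), is_valid_medicare),
    ("TFN", re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), is_valid_tfn),
)


def redact(text: str) -> str:
    """Replace validated identifiers with placeholders; runs that fail their check digit are left untouched."""
    for label, pattern, validator in RULES:
        def _replace(match: re.Match, label=label, validator=validator) -> str:
            token = match.group(0)
            if validator is None or validator(token):
                return PLACEHOLDER.format(label)
            return token
        text = pattern.sub(_replace, text)
    return text


def redact_extracted_fields(fields: dict) -> dict:
    """Second application of the same pass, on text extracted from a document image, before the database write."""
    return {k: redact(v) if isinstance(v, str) else v for k, v in fields.items()}


# Constructed sample chat message: the first four identifiers pass their check digits,
# the phone number and the two deliberately invalid values must survive untouched.
SAMPLE_MESSAGE = (
    "Hi Frank, my TFN is 123 456 782 and my card is 4111 1111 1111 1111. "
    "Pay goes to 012-345 12345678 and my Medicare number is 2123 45670 1. "
    "Call me on 0412 345 678. Not a TFN: 123 456 789. Not a card: 4111 1111 1111 1112."
)

# Constructed sample of fields OCR'd from a payslip image.
SAMPLE_EXTRACTED = {
    "employer": "Example Employer Pty Ltd",
    "gross_pay": 4200.0,
    "notes": "Employee TFN 123 456 782",
}

if __name__ == "__main__":
    print(redact(SAMPLE_MESSAGE))
    print(redact_extracted_fields(SAMPLE_EXTRACTED))
```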
Note on liability under section 16C. If an overseas recipient mishandles your personal information in breach of the APPs, we may be treated under section 16C of the Privacy Act as having engaged in that conduct. The reasonable-steps approach above is intended to manage that risk but does not eliminate it; you retain all rights and remedies you have under the Privacy Act.
Practice tier — sharing with your accountant or planner
If you accept an invitation from a practice (an accountant, planner, broker or adviser firm using Finance Frank's practice tier), members of that practice can read certain data from your account on a scoped, opt-in basis. The legal basis for this disclosure under APP 6.1(a) is your express consent, given via the in-app invitation acceptance flow and the per-permission toggles in your settings.
- Per-tier permissions (tax / income / planning) determine what tables a practice member can read — see the per-role grid on /advisers.
- Documents are NOT readable by your practice unless you explicitly toggle "share with practice" on the document. The exception is documents you upload under the canonical tax_document category — these are shared-with-practice by default because that's their purpose. The upload form makes this explicit and gives you an opt-out toggle if you change your mind before saving.
- You can revoke a practice's access at any time from your settings; this immediately ends all reads.
- Every read by a practice member is auditable.
- Engagement letters and BAS sign-offs you accept from a practice are stored on your account and on the practice's record (with timestamp and IP address) — required by the TPB for tax agent record keeping (5-year retention).
- Messages a practice sends you are stored against your account and are visible to staff at that practice; we don't send them to anyone else.
The practice is a separate APP entity
Once a practice receives data from your account through the practice tier, that practice handles the data as an independent APP entity (or as a recipient subject to its own professional standards if it falls below the APP entity threshold under section 6D of the Privacy Act). The practice is responsible for its own privacy obligations, retention, breach notification and complaint handling in respect of the data it has received. We remain responsible for our part of the data flow up to and including the disclosure under APP 6.1(a). Where you are unsure who the relevant entity is for a given concern, contact us first and we will direct you.
Practices may use white-label custom domains (e.g. frank.your-firm.com.au) to serve Finance Frank to their clients. Your data is still hosted by us under this Privacy Policy regardless of the domain you access it from.
Data security
We take reasonable steps to protect your personal information, including:
- Encryption in transit using TLS 1.2 or higher and at rest using the database provider's standard at-rest encryption.
- Application-level symmetric encryption of sensitive fields including Tax File Number, date of birth and MFA secrets. New writes use AES-256-GCM with a 96-bit nonce per write (NIST SP 800-38D). Pre-existing legacy ciphertexts (AES-128-CBC with HMAC-SHA256, via the cryptography library's Fernet construction) continue to decrypt and are migrated to AES-256-GCM on next write or via a one-shot migration script.
- Row-level security (RLS) policies in the database ensuring users only access their own data.
- JWT-based authentication with token expiry and verification, and optional TOTP two-factor authentication.
- Rate limiting and input sanitisation at the API layer.
- Audit logging of mutating API operations for security and compliance investigations.
- Standard security headers (X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, etc.) to mitigate common web attacks.
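The dual-read, migrate-on-next-write behaviour described in the application-level encryption item above, as an added example that is not Finance Frank's code: new writes use AES-256-GCM with a fresh 96-bit nonce, legacy Fernet (AES-128-CBC + HMAC-SHA256) ciphertexts still decrypt, and a legacy value is re-encrypted the next time it is read for write. The `v2:` version prefix, the binding of each ciphertext to its user id and field name via GCM additional authenticated data, and the `FieldCipher` / `run_migration_demo` names are assumptions not stated in the policy; it uses the `cryptography` library the policy names.

```python
from __future__ import annotations

import os

from cryptography.exceptions import InvalidTag
from cryptography.fernet import Fernet
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Hypothetical version tag marking AES-256-GCM ciphertexts. Fernet tokens are
# URL-safe base64 beginning with "gAAAAA" (version byte 0x80), so the two
# on-disk formats cannot be confused with each other.
GCM_PREFIX = b"v2:"
NONCE_LEN = 12  # 96-bit nonce, freshly generated per write (NIST SP 800-38D)


class FieldCipher:
    """Encrypts individual sensitive fields; reads both formats, writes only AES-256-GCM."""

    def __init__(self, gcm_key: bytes, legacy_fernet_key: bytes | None = None):
        if len(gcm_key) != 32:
            raise ValueError("AES-256-GCM requires a 32-byte key")
        self._gcm = AESGCM(gcm_key)
        self._legacy = Fernet(legacy_fernet_key) if legacy_fernet_key else None

    def encrypt(self, plaintext: str, aad: bytes) -> bytes:
        """Fresh random nonce every write; the AAD is authenticated but not stored in the blob."""
        nonce = os.urandom(NONCE_LEN)
        ciphertext = self._gcm.encrypt(nonce, plaintext.encode("utf-8"), aad)
        return GCM_PREFIX + nonce + ciphertext

    def decrypt(self, blob: bytes, aad: bytes) -> tuple[str, bool]:
        """Return (plaintext, is_legacy). is_legacy=True tells the caller to re-encrypt on write."""
        if blob.startswith(GCM_PREFIX):
            body = blob[len(GCM_PREFIX):]
            nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
            # Raises InvalidTag if the ciphertext was altered or the AAD does not match.
            return self._gcm.decrypt(nonce, ciphertext, aad).decode("utf-8"), False
        if self._legacy is None:
            raise ValueError("legacy Fernet ciphertext found but no legacy key configured")
        # Fernet verifies its HMAC-SHA256 before AES-128-CBC decryption (InvalidToken on tamper).
        return self._legacy.decrypt(blob).decode("utf-8"), True

    def migrate(self, blob: bytes, aad: bytes) -> bytes:
        """Migrate-on-write: legacy blobs are re-encrypted under GCM, GCM blobs are returned unchanged."""
        plaintext, is_legacy = self.decrypt(blob, aad)
        return self.encrypt(plaintext, aad) if is_legacy else blob


def field_aad(user_id: str, field: str) -> bytes:
    """Bind a ciphertext to its row and column so it cannot be copied into another user's record."""
    return f"{user_id}:{field}".encode("utf-8")


def run_migration_demo() -> dict:
    """Constructed end-to-end walk-through with throwaway random keys; returns the checks as booleans."""
    legacy_key = Fernet.generate_key()
    cipher = FieldCipher(os.urandom(32), legacy_key)
    aad = field_aad("user-0000", "tfn")  # constructed identifier
    tfn = "123 456 782"  # constructed value, not a real TFN

    # Simulate a pre-existing row written by the legacy Fernet code path.
    legacy_blob = Fernet(legacy_key).encrypt(tfn.encode("utf-8"))

    read_plain, was_legacy = cipher.decrypt(legacy_blob, aad)
    migrated = cipher.migrate(legacy_blob, aad)
    reread_plain, still_legacy = cipher.decrypt(migrated, aad)

    # A GCM blob read back under a different field's AAD must fail authentication.
    try:
        cipher.decrypt(migrated, field_aad("user-0000", "dob"))
        aad_rejected = False
    except InvalidTag:
        aad_rejected = True

    return {
        "legacy_read_ok": read_plain == tfn and was_legacy,
        "migrated_is_gcm": migrated.startswith(GCM_PREFIX),
        "gcm_read_ok": reread_plain == tfn and not still_legacy,
        "aad_mismatch_rejected": aad_rejected,
        "fresh_nonce_per_write": cipher.encrypt(tfn, aad) != cipher.encrypt(tfn, aad),
    }


if __name__ == "__main__":
    for check, ok in run_migration_demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```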
Organisational measures (APP 11 — “technical and organisational measures”)
The 2024 amendments to the Privacy Act clarified APP 11 to require both technical and organisational measures. Alongside the technical controls listed above, we maintain:
- A documented information security policy reviewed at least annually.
- Least-privilege access policy with named owners for production credentials, periodic review and offboarding playbook.
- Vendor due-diligence procedure for any new sub-processor — including a documented review of their DPA, security posture and breach-notification commitments before integration, and a 30-day customer notice clock per DPA cl 9.
- Documented incident-response plan covering containment, assessment under s 26WH, OAIC and individual notification under the NDB scheme, and post-incident review.
- Periodic security risk assessment, with findings tracked through to remediation.
- Director-level oversight of privacy and security posture — at this stage of the company, by the founder; from the appointment of a board, by a designated board member.
No security control is absolute. We follow the “reasonable steps” standard required by APP 11 and review our controls regularly. If a breach occurs, we will follow the procedure in Section 9 (Data breach notification).
Data retention & deletion
APP 11.2 requires us to destroy or de-identify personal information once it is no longer needed for any purpose for which we may use or disclose it under the APPs. Each retention period below has a stated lawful basis:
Active accounts
Retained for as long as your account is active. Lawful basis: necessary to provide the service you have signed up for.
Account deletion (consumer tier — user-initiated)
When you confirm account deletion in Settings, your account enters a 30-day soft-delete state: you cannot sign in, but the data is recoverable on request to privacy@financefrank.ai during that window. After 30 days the data is removed from the active production database. We strongly recommend exporting your data first via Settings → Account → Export. Lawful basis: necessary to perform your contract with us up to deletion; legitimate interests in providing a "recover from accidental deletion" window during the 30-day period.
Account deletion (practice tier — Controller-initiated)
For practice-tier customers acting as a data Controller, deletion is performed without undue delay (and in any event within 5 business days) of the Controller confirming in writing that export is complete. There is no soft-delete window for Controller-initiated deletion. See DPA cl 11.
Data export before deletion
You can export your full data set at any time before deletion via Settings → Account → Export. Consumer-tier users can also request restore during the 30-day soft-delete window; practice-tier deletion (above) is immediate-on-confirmation and cannot be undone.
Backup expiry
Database backups are retained on a rolling 30-day schedule via the database provider's point-in-time recovery. Personal data removed from production expires from backups within 30 days. Lawful basis: APP 11.1 reasonable steps to protect data integrity.
AI conversations
Retained while your account is active; deleted on account deletion. Lawful basis: necessary to provide conversation history within your account.
Security audit logs
Application and API audit logs retained for 2 years for compliance and security investigations, then de-identified. Distinct from the TASA practitioner sign-off audit trails listed below. Lawful basis: APP 11.1 reasonable steps to maintain integrity of the service and detect fraud / unauthorised access.
Payment records
Retained for 7 years as required by section 262A of the Income Tax Assessment Act 1936 and the GST Act. Lawful basis: legal obligation.
TASA sign-off audit trails
Practice tier only — engagement letter and BAS sign-off events retained for at least 5 years per section 30 of the Tax Agent Services (Code of Professional Conduct) Determination 2024 and TPB(I) 47/2024 (the practice notice on record-keeping, finalising the earlier draft TPB(I) D59/2024). Lawful basis: legal obligation.
NDB / breach response records
Records of any data breach assessment and notification retained for 7 years to evidence compliance with Part IIIC of the Privacy Act. Lawful basis: legal obligation.
AML/CTF records (practice tier, from 1 July 2026)
Customer due diligence records (KYC documents, beneficial ownership, screening results, risk rating, Evidence Pack generation metadata, TTR drafts) retained for 7 years per the AML/CTF Act 2006 (Cth) as amended. SMR text is not stored in Frank — it lives in AUSTRAC Online and in the Evidence Pack PDF the practice downloads and files. Lawful basis: legal obligation of the Tranche 2 reporting entity (your accountant / tax agent).
De-identification for analytics & benchmarks
The peer benchmarks shown in-product today are sourced from published external datasets (ABS, ATO, APRA, RBA) and are not computed from our own user base. See /benchmarks for sources.
Where we generate aggregated, de-identified statistics from our own user data (for product analytics, peer comparisons we may introduce in future, error-rate telemetry, or research), we apply the following safeguards:
- We strip all direct identifiers (name, email, user ID, entity ID, ABN, TFN, IP address) before aggregation.
- We enforce a minimum cohort size: any aggregate broken down by attributes (e.g. state × age band × plan tier) is only reported where the cohort contains at least 25 users. Smaller cohorts are suppressed.
- We assess re-identification risk on an ongoing basis, not just at the point of de-identification, and we do not publish aggregates that could be triangulated using publicly available information.
- We do not sell, license or share de-identified data with third-party marketers, brokers or data aggregators.
Your rights
Under the Australian Privacy Principles, you have the following rights:
Access (APP 12)
Request a copy of the personal information we hold about you. You can self-serve via Settings → Account → Export, or email us.
Correction (APP 13)
Request correction of inaccurate, out-of-date, incomplete, irrelevant or misleading information.
Deletion
Request deletion of your account and personal data, subject to retention exceptions in Section 7.
Anonymity & pseudonymity (APP 2)
Where lawful and practicable, you may interact with us anonymously or under a pseudonym. Some features (e.g. tax calculations, practice-tier sign-offs, payment) require identification because the underlying purpose cannot be served otherwise.
Opt out of direct marketing (APP 7)
You have the right to opt out of marketing communications at any time. See Section 10 for the unsubscribe procedure.
Withdraw consent
Where we rely on your consent — for example, practice-tier sharing under Section 5a (APP 6.1(a)) or marketing opt-in under Section 10 (Spam Act) — you may withdraw it at any time. Withdrawal may mean some features become unavailable. Cross-border disclosure to overseas sub-processors is governed by APP 8.1 reasonable steps (see Section 5), not consent — we do not rely on bundled consent for those flows.
Data portability
Export your data in a structured, commonly used format (JSON, CSV) at any time via Settings → Account → Export.
Complaint
Lodge a complaint if you believe we have breached the Privacy Act. See Section 14 for our complaint procedure.
To exercise any of these rights, contact us at the details below. We respond to access requests within 30 days (APP 12.6) and do not charge a fee for access (APP 12.4) or correction. If we have disclosed information to a third party and you ask us to, we will notify them of any correction we make (APP 13.2). The Australian privacy reform program also contemplates further individual rights (including a statutory right to erasure) — we will update this Policy as those come into force.
Automated decision-making (APP 1.4(b))
The Privacy and Other Legislation Amendment Act 2024 (which received Royal Assent on 10 December 2024) introduced a new transparency obligation in APP 1.4(b) requiring entities to disclose in their privacy policy any use of personal information in automated decisions that have a legal or similarly significant effect on individuals. The obligation has a 24-month grace period and commences on 10 December 2026. Even ahead of commencement, we are providing the following disclosure so the position is clear from today.
What automated processing we do
- Frank (AI assistant) generates conversational responses, narrative summaries, and educational suggestions using a combination of your financial data and a third-party large language model.
- Health-score calculations, peer-comparison percentiles, savings-rate trends and similar metrics are computed automatically from your data using deterministic formulas (not AI). The component breakdown of the health score is published at /benchmarks.
- EOFY readiness checks, super-cap headroom, deduction-tracker matches and SMSF compliance checks are deterministic rule-based assessments against published ATO / SIS Act rules.
- Categorisation of imported transactions uses rule-based matching with optional AI-assisted suggestions you can accept or reject.
- AI-redaction of sensitive identifiers (Tax File Numbers, BSB + account-number pairs, payment-card numbers (Luhn-validated), Medicare numbers, Australian passport numbers, driver’s licence numbers) before any text is sent to our AI sub-processors, and again on the data extracted from document image uploads before that data is written to our database. This is automated processing of your information but produces no decision about you — it removes data, it does not classify or score you.
- Marketing-email engagement scoring (whether to keep emailing you based on opens / clicks) is automated but does not affect your access to the platform; you can opt out of marketing entirely (see Section 10).
Are these “substantially automated decisions with a legal or similarly significant effect”?
Currently, none of these outputs constitute a substantially automated decision that has a legal or similarly significant effect on you within the meaning of the new APP 1.4(b). They are advisory and educational only — Frank does not lend money, set premiums, decide tax positions, lodge returns, underwrite an insurance application, set a credit limit, or otherwise determine an outcome that binds you or a third party. You remain the decision-maker, as set out in our Practitioner Posture and Our Approach pages.
If that ever changes
If we ever introduce a feature that does involve a substantially automated decision with a legal or similarly significant effect on you (for example, an automated underwriting or credit-assessment feature), we will, before that feature goes live: (a) update this Policy with the kinds of personal information used, the kinds of decisions made, and (in plain English) the logic involved; (b) provide a mechanism for you to request human review of any such decision; and (c) where the obligation requires consent, obtain it explicitly rather than relying on continued use of the platform.
We do not currently meet the “significant effect” threshold, but we treat the spirit of the obligation as already in force — meaning we will not introduce a binding-decision feature without surfacing it through the process above.
Privacy Act 2024 reforms — what's already live and what's coming
The 2024 amendment package is being implemented in stages. This section is a transparency snapshot of how we're tracking each piece — both what already affects you today and what's on our calendar for future revisions of this Policy.
OAIC mid-tier penalty regime (live)
A tiered penalty structure now applies to "interferences with privacy" that fall short of "serious or repeated" but still warrant enforcement. This raises our cost-of-error and is reflected in the heightened internal incident-response posture described in Section 9.
Statutory tort of serious invasion of privacy (live 10 Jun 2025)
See Section 9. Companies cannot be plaintiffs but can be defendants. We design our practices to manage this exposure and review our cyber / PI insurance position against it.
Doxxing offence (live)
Criminal offence for menacing or harassing release of personal data. Not directly applicable to ordinary product behaviour but informs how we draft public-facing content and staff training.
Children's Online Privacy Code (TBD, by 10 Dec 2026)
See Section 12. We will update onboarding controls and Section 12 when the OAIC publishes the binding Code.
Automated decision-making transparency (commences 10 Dec 2026)
See Section 8a. We have a draft disclosure in place ahead of commencement and will refine it as the OAIC publishes implementation guidance.
OAIC determination, infringement-notice and direction-making powers (live)
OAIC can now issue determinations, infringement notices, and directions for compliance, including in respect of an APP code or registered Code of Practice. Our complaint-handling and remediation processes (Section 14) are designed to satisfy a determination promptly if one is issued.
Statutory privacy impact assessments for "high privacy risk" activities (in development)
The OAIC will publish guidelines. Our internal vendor due-diligence procedure (Section 6) and incident runbook already contemplate PIA-style review for new sub-processors and for material new processing activities; we will formalise the process when the guidelines are issued.
We refresh this section whenever a tracked item commences, on the OAIC's publication of new guidance, or on a material change to the Policy.
Data breach notification
In the event of a data breach likely to result in serious harm, we will comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988:
- Carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe a notifiable breach has occurred — as soon as reasonably practicable, and in any event within 30 days, after becoming aware that there are reasonable grounds to suspect such a breach (s 26WH of the Privacy Act). We target assessment completion within 72 hours where the facts permit.
- Notify our practice-tier customers (where their data is involved) without undue delay and in any event within 72 hours of our confirmation that there are reasonable grounds to believe a notifiable breach has occurred. The 72-hour window is the contractual commitment to the customer; the s 26WH window above is the statutory upper bound for completing the assessment.
- Notify the OAIC and affected individuals as soon as practicable after the assessment concludes that there are reasonable grounds to believe a notifiable breach has occurred, by preparing and giving the statement required under s 26WL — describing the breach, the types of information involved, the steps we are taking and recommended steps for the individual.
- Take reasonable steps to contain the breach and mitigate harm, in line with our internal incident runbook.
The 2024 amendments to the Privacy Act increased the penalties available to the OAIC (now tiered, including mid-tier penalties for “interferences with privacy” that are not “serious”) and introduced a criminal offence of doxxing; both are tracked in the reforms section above. Our internal breach-response playbook reflects the heightened risk and is reviewed on each material change to the platform. For clarity on the deadlines: the 30-day outer limit applies to completing the assessment under s 26WH; once we conclude a notifiable breach has occurred, s 26WL requires us to prepare a statement and give it to the OAIC as soon as practicable, not within a further fixed period, and we treat that as meaning immediately once the statement is ready.
Statutory tort of serious invasion of privacy (commenced 10 June 2025)
Schedule 2 of the Privacy Act creates a statutory tort for serious invasions of privacy. The tort is actionable where the conduct is intentional or reckless, the plaintiff had a reasonable expectation of privacy, the invasion is “serious”, and the public interest in privacy outweighs any countervailing public interest. We acknowledge this cause of action and design our practices accordingly. Where we become aware of conduct that may constitute a serious invasion of your privacy, we will notify you and take steps to mitigate.
Direct marketing & the Spam Act 2003
We may send you marketing communications (product updates, EOFY tips, new feature announcements) by email if you have provided us with your email address and we have a relevant relationship with you. All such communications comply with the Spam Act 2003 (Cth) and Australian Privacy Principle 7.
Your right to opt out
- Every marketing email we send includes a clear unsubscribe link in the footer. One click removes you from all future marketing communications.
- You can also opt out at any time by emailing privacy@financefrank.ai with the subject "Unsubscribe".
- Opting out of marketing does NOT opt you out of transactional / service emails (sign-up confirmation, password reset, payment receipts, security notifications, EOFY deadline alerts you have explicitly enabled, BAS / engagement letter sign-off requests). Those are necessary for the service to function and are sent regardless of marketing preferences.
- We action unsubscribe requests within 2 business days. The Spam Act 2003 (Cth) requires functional unsubscribe within 5 business days under section 18; we aim to be materially faster.
We do not sell, rent, or share your email address with third-party marketers. We do not send marketing communications on behalf of any third party.
Engagement tracking in marketing emails
To measure whether our marketing communications are useful (and to remove inactive recipients from our list rather than continuing to email them), we use two industry-standard tracking techniques in marketing emails only. These are not applied to transactional / service emails.
- Open tracking — a 1×1 pixel hosted by our email provider Resend is included in marketing emails. Loading the pixel records that the email was opened, the approximate time, and your IP address. Most email clients prevent the pixel from loading unless you explicitly load images, so open tracking is best-effort and frequently undercounts.
- Click tracking — links inside marketing emails are rewritten to pass through Resend's redirector before forwarding to the destination. This records that you clicked, the time, and the destination URL. The destination page receives no additional tracking data from us.
- We collect and store the resulting per-recipient counts (delivered, opened, clicked, bounced, complained, unsubscribed) so we can review aggregate engagement per broadcast.
- You can opt out of all marketing emails — including the open and click tracking that comes with them — at any time using the unsubscribe link in any marketing email or via the marketing toggle in your account settings.
- Engagement data older than 24 months is deleted on a rolling basis.
Open and click tracking is treated as personal information under the Privacy Act and is subject to the same access, correction, and deletion rights described in Section 8.
Cookies, local storage and tracking
We use a small set of cookies and browser local-storage entries — all first-party and operational. We do not use third-party advertising cookies, ad-tech pixels, or cross-site tracking.
Cookies and storage we use
- Session / authentication tokens — stored in browser local storage; required to keep you signed in. Expire on logout or token expiry.
- CSRF protection cookie — first-party, session-scoped; required to prevent cross-site request forgery on state-changing requests.
- User preference local-storage entries — theme, notification settings, last-active practice tenancy, dismissed-notice flags. First-party; not transmitted to our servers.
- Analytics session ID — a randomly generated identifier stored in local storage and sent with first-party product-analytics events to our own backend (see below).
Product analytics
We run a first-party analytics pipeline only — events (e.g. “signup completed”, “feature opened”) are sent from your browser directly to our own backend at /api/analytics/track and stored in our Supabase database (Sydney region). We do not use Google Analytics, Plausible, Vercel Analytics, Mixpanel, PostHog, Amplitude, Segment, or any third-party analytics SDK on the marketing site or web app. We do not load advertising or marketing-tech pixels (Meta, LinkedIn, TikTok, Google Ads).
Do Not Track
We honour the browser-level Do Not Track (DNT) signal where your browser sends one: when DNT is on, we suppress first-party analytics events from being recorded. Operational cookies (authentication, CSRF) remain because they are required to provide the service.
Cookie identifiers as personal information
The OAIC has signalled that cookie identifiers and similar online identifiers can be “personal information” under the Privacy Act in many cases. We treat the analytics session ID and any cookies linked to your account as personal information for the purposes of this Policy — they are subject to the same access, correction, and deletion rights described in Section 8.
Children
Finance Frank is intended for adults (18+) managing real financial information. We do not knowingly collect personal information from children. Sign-up requires you to confirm you are at least 18 (Terms of Service clause 3) and we collect a date of birth in onboarding to enable age-related calculations (super preservation age, peer benchmarks).
If we become aware that we hold personal information about an individual under 18 (for example, through the date-of-birth field, a parent / guardian notification, or an internal audit), we will close the account and delete the data within 30 days, unless retention is required by law. If you believe we hold information about a child, please contact privacy@financefrank.ai.
The OAIC must develop a binding Children's Online Privacy Code by 10 December 2026 under the 2024 amendments to the Privacy Act. We will update this Section and our onboarding controls when the Code is published.
Practice-mediated minor data. Where a practice tier subscriber (e.g. a family-group SMSF accountant) invites a minor into the platform — for instance because a child is a nominated beneficiary or trustee-in-waiting — additional safeguards apply, and the inviting practice is responsible for any consents required under Australian law for minors. Frank does not knowingly process the personal information of minors except via this practice-mediated pathway, and the inviting practice retains primary responsibility under APP 6 / APP 11 for any data of a minor it surfaces into the platform.
Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notification at least 30 days before they take effect. Non-material changes (typo fixes, clarifications that do not affect your rights) take effect immediately when published. The “Last updated” date at the top reflects the most recent revision; a summary of recent changes is available on request.
Contact us & formal complaints
If you have questions about this Privacy Policy or wish to exercise any of your privacy rights, contact our Privacy Officer:
privacy@financefrank.ai
How to lodge a formal privacy complaint
If you believe we have breached the Australian Privacy Act 1988 (Cth) or the Australian Privacy Principles, you can lodge a formal complaint with us by emailing privacy@financefrank.ai with the subject line “Privacy Complaint”.
Please include:
- Your name and contact email
- A description of the conduct you believe breached the Privacy Act, including approximate dates and the type of personal information involved
- How the conduct affected you
- What outcome or remedy you are seeking
Our complaint-handling timeline
- We acknowledge receipt of your complaint within 7 calendar days.
- We provide a substantive response within 30 calendar days, including the outcome of our investigation and any remedial action taken.
- If your complaint is complex and we need longer, we will tell you within the 30-day window with an estimated extended timeline.
If you are not satisfied with our response
You may escalate to the Office of the Australian Information Commissioner (OAIC). The OAIC generally requires you to attempt resolution with us first before they will investigate, so the steps above are typically a prerequisite to OAIC escalation.