Privacy Policy

Effective 1 July 2025 · Last updated 1 July 2025

UHH Management Services Pty Ltd trading as TaxMate, ABN 62 671 067 235 ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, hold and disclose your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

1. What information we collect

We collect the following categories of personal information:

• Account information — name, email address, password (hashed), phone number, authentication provider (Google/Apple/email).
• Profile information — occupation, work-from-home hours and percentage, phone work-use percentage, annual income range, whether you have a HELP/HECS debt, whether you hold private hospital cover, and whether you have a dedicated home workspace.
• Financial transaction data — where you connect a bank or upload a bank statement, we collect individual transaction records: date, description, amount, direction (money in / money out), merchant name and basic ATO-style category. We do not collect or store your bank account number, BSB, card number or balance.
• AI analysis output — categorisations, confidence scores and short justifications produced by our AI provider for each transaction.
• Subscription information — your Stripe customer identifier and subscription status. We do not store your full card number.
• Technical information — IP address, browser type, basic session timestamps required for security, abuse prevention, and operating the Service.

2. How we collect information

We collect information directly from you (when you sign up, fill in onboarding questions, connect a bank, upload a statement or contact us), from our service providers (Stripe, Basiq, Supabase, Resend, Anthropic) and via cookies and similar technologies.

3. How we use your information

We use your personal information only for the purposes for which it was collected, including to:

• operate and improve the Service;
• identify potential tax deductions and produce reports for you;
• communicate with you about your account, payment, support requests, and product changes;
• detect, prevent and respond to fraud, abuse, security incidents and legal claims;
• comply with our legal obligations.

4. How your bank data is handled

If you choose to connect a bank, our Australian open-banking partner Basiq retrieves read-only transaction data on your behalf. We cannot move money, change account details or initiate any transaction.

If you choose to upload a bank statement (PDF or CSV), the original file is processed in memory on our servers and is deleted immediately after we extract the transactions. The original file is never saved to disk, database, cloud storage or logs. Only the extracted transactions are retained in your account.

5. AI processing

To classify transactions as potential deductions, we send transaction descriptions and amounts to our AI provider, Anthropic. We never send your name, account number, card number or other directly-identifying information for this purpose. Anthropic processes these requests under their own privacy and security commitments and does not use API inputs to train their models.

6. Service providers

We use the following service providers to operate the Service:

• Supabase — database and authentication (data stored in their EU/US infrastructure subject to standard contractual clauses).
• Vercel — application hosting.
• Stripe — payment processing (PCI-DSS compliant).
• Basiq — Australian open-banking provider (CDR-accredited).
• Anthropic — AI processing for transaction classification.
• Resend — transactional email delivery from noreply@taxmateai.com.au.
• Cloudflare — DNS and traffic protection.

7. Data storage and security

Personal information is stored in encrypted databases. Access is restricted to authorised personnel on a need-to-know basis. All communications between your browser and our servers use HTTPS. We apply row-level security so users can only access their own data. Subscription and bank-connection identifiers are stored separately to identity data.

Despite reasonable measures, no online system is perfectly secure. You acknowledge this residual risk when using the Service.

8. Disclosure of personal information

We do not sell your personal information. We may disclose it:

• to the service providers listed above to the extent needed for them to perform their function;
• to law enforcement or regulators if compelled by a valid Australian court order or statute;
• to professional advisors (auditors, lawyers, accountants) bound by confidentiality obligations;
• with your express consent.

9. Cross-border disclosures

Some of our service providers operate from outside Australia (for example, Anthropic and certain Supabase regions in the United States and European Union). By using the Service you consent to your personal information being transferred to and processed in these jurisdictions under appropriate contractual safeguards.

10. Cookies

We use cookies necessary for authentication (session cookies), for security (CSRF protection) and to remember referral codes. We do not use advertising or cross-site tracking cookies.

11. Your rights

Under the Privacy Act you have the right to access the personal information we hold about you and to request correction of any inaccuracies. You may exercise these rights by emailing privacy@taxmateai.com.au. We will respond within 30 days.

You may delete your account at any time, which will permanently remove your profile, transactions and deduction analysis from our active systems within 30 days. Backup copies may persist for up to 90 days as required for disaster recovery and audit.

12. Data retention

We retain transaction and deduction data for as long as your account is active so that you can prepare tax returns from prior years. After account deletion, we retain only the minimum records required for legal and tax compliance under Australian law.

13. Children

The Service is not intended for users under 18. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.

14. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified by email or in-app at least 14 days before they take effect.

15. Complaints and contact

If you have a privacy concern, contact us at privacy@taxmateai.com.au. If you are unsatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au.