Privacy Policy

Effective Date: 14 August 2025

This Privacy Policy explains how aicpa.coma.u ("we", "us", "our") collects, uses, discloses, and protects personal information in connection with our accounting and related professional services. This document is provided as a template and does not constitute legal advice.

1. Introduction

We are committed to maintaining the confidentiality, integrity, and security of the personal information entrusted to us. Given the sensitivity of financial and tax information, we apply strict governance, role-based access, encryption standards, and continuous monitoring to reduce risk and meet applicable professional and statutory obligations.

2. Scope

This Policy applies to personal information we process about (i) clients, (ii) prospective clients, (iii) users of our platform and tools, (iv) vendors, and (v) other individuals whose data we handle in the course of providing accounting, advisory, bookkeeping, compliance, reporting, and related professional services. It covers online and offline collection channels unless stated otherwise.

3. Data We Collect

  • Identification & contact: name, address, email, phone, government identifiers where legally required (e.g., tax file / ABN equivalents, business registration numbers).
  • Account & authentication: usernames, role assignments, audit trails, session metadata, access logs.
  • Financial & transactional: invoices, receipts, bank feed data (where expressly authorized), general ledger details, payroll inputs, expense records, payment confirmations.
  • Compliance & regulatory: documents required for KYC/AML (to the extent legally permissible), risk assessments, declarations, attestations.
  • Communication records: emails, messages, support tickets, meeting notes.
  • Technical (limited): device/browser information, IP address, time zone, usage analytics (aggregated / pseudonymized where possible), security events.
  • Optional submissions: feedback, survey responses, uploaded supporting documents.

We minimise collection to what is necessary for stated purposes. Where we act on behalf of a client regarding third-party personal information (e.g., employees in payroll), the client warrants lawful collection and transfer.

4. How We Use Personal Information

  • Deliver and administer accounting and advisory services.
  • Prepare, review, and file financial, tax, and compliance reports.
  • Maintain accurate internal records and audit logs.
  • Provide secure platform access, authentication, and authorization.
  • Detect, prevent, and investigate fraud, errors, or abuse.
  • Meet legal, regulatory, professional, and contractual obligations.
  • Improve quality, security, automation, and user experience.
  • Respond to inquiries and provide client support.
  • Conduct anonymised or aggregated analytics (non-identifying).
  • Send service-related notices (system changes, incidents, compliance reminders).

We do not sell personal information, nor do we permit third parties to use client data for their independent marketing without explicit, informed consent.

6. Cookies & Tracking Technologies

We use only essential and strictly limited functional cookies necessary to operate secure login, session continuity, locale preferences, and anti-CSRF protections. Analytics, advertising, or profiling cookies are either not used or require clear opt-in where introduced. Browser settings may be adjusted to block cookies, but essential features may be impaired.

7. Data Retention

We retain personal information only as long as necessary for service delivery, contractual obligations, statutory limitation periods, professional recordkeeping standards, or regulatory retention requirements (e.g., tax documentation requirements). Upon expiry of retention criteria, data is securely deleted, anonymised, or archived with restricted access.

8. Security Measures

We implement layered safeguards aligned with industry and professional expectations, including: encryption in transit (TLS) and at rest, strict role-based access control (RBAC), principle of least privilege, multi-factor authentication options, network segmentation, secure development lifecycle practices, vulnerability management, intrusion and anomaly detection, logging & immutable audit trails, regular access reviews, incident response procedures, and background checks for staff with elevated privileges.

No system is fully immune from risk. In the event of a data incident meeting legal notification thresholds, we will follow applicable breach notification laws.

9. Sharing & Disclosures

We may disclose personal information to:

  • Authorized personnel and subcontracted professional staff under confidentiality obligations.
  • Technology and infrastructure providers (hosting, secure storage, email delivery) bound by data processing / service agreements.
  • Regulators, tax authorities, or law enforcement where legally compelled or to assert legal rights.
  • Professional advisers (legal, audit, insurance) under confidentiality.
  • Successors in a merger, acquisition, or restructuring (subject to safeguards and notice where required).

We prohibit downstream recipients from using data for unrelated purposes and require appropriate security controls.

10. International Data Transfers

Where cross-border transfers occur, we rely on applicable adequacy decisions, contractual safeguards (such as standard contractual clauses), or other lawful transfer mechanisms, and we assess jurisdictional risk and implement supplementary controls as needed.

11. Your Rights

Subject to applicable law, you may have rights to access, rectify, update, restrict, object to processing, port, or erase personal information. Requests should: (i) provide sufficient detail to identify the data; (ii) include proof of identity; and (iii) specify the right invoked. We will respond within statutory timelines. Certain records (e.g., tax filings, mandatory ledgers) may be exempt from erasure while legal obligations persist.

Where consent is relied upon, you may withdraw it at any time without affecting prior lawful processing.

12. Children’s Privacy

Our services are not directed to children. We do not knowingly collect personal information from individuals below the minimum legal working or consent age in relevant jurisdictions. If you believe we have inadvertently collected such information, contact us for prompt remediation.

13. Changes to This Policy

We may update this Privacy Policy to reflect regulatory, technical, or operational changes. Material updates will be posted with a revised Effective Date and, where required, additional notice or consent will be sought.

14. Contact Us

For questions, requests, complaints, or to exercise rights, contact our privacy team at: privacy@aicpa.coma.u. If unresolved, you may have the right to lodge a complaint with a relevant data protection or privacy regulator in your jurisdiction.

Disclaimer: This template is provided for general informational purposes only and does not constitute legal advice. You should obtain independent legal counsel to tailor this policy to your specific obligations and jurisdictional requirements.