Privacy Policy

ATO Tax Optimizer is operated by Disaster Recovery Qld (ABN 42 633 062 307), a Queensland-based Australian company. We are committed to protecting the privacy and security of your personal and financial information.

This Privacy Policy explains how we collect, use, store, and disclose your information when you use our AI-powered tax analysis platform. By accessing or using ATO Tax Optimizer, you acknowledge that you have read and understood this policy.

We comply with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) and applicable state and territory legislation.

Account Data — When you register, we collect your name, email address, and authentication credentials (managed via Supabase Auth). If you sign in via Google OAuth, we receive your name and email from your Google account.

Financial Data — When you connect your accounting software (Xero, MYOB, or QuickBooks) via OAuth, we access your transaction data, chart of accounts, invoices, and related financial records in read-only mode. We do not modify your accounting data.

Payment Data — Payment processing is handled entirely by Stripe. We do not store your credit card number, CVV, or full card details on our servers. Stripe provides us with a transaction reference and payment confirmation only.

Usage Data — We collect information about how you interact with our platform, including pages visited, features used, and analysis reports generated.

Tax Analysis — Your financial data is processed by our AI engine (powered by Google Gemini) to identify potential R&D tax offsets, unclaimed deductions, Division 7A compliance gaps, and other tax optimisation opportunities under Australian, New Zealand, and United Kingdom tax law.

Anomaly Detection — We analyse transaction patterns to flag potential misclassifications, unusual entries, and compliance risks that may warrant professional review.

Report Generation — We generate detailed PDF and Excel reports containing findings, confidence scores, and legislative references for review by your registered tax agent or financial adviser.

Service Improvement — Aggregated, de-identified data may be used to improve our AI models and the accuracy of our analysis. Individual financial data is never shared or sold.

Database — Your data is stored in Supabase PostgreSQL databases located in Sydney, Australia (ap-southeast-2 / syd1). All data remains within Australian data centres.

Encryption — OAuth tokens from Xero, MYOB, and QuickBooks are encrypted at rest using AES-256-GCM. All data in transit is encrypted via TLS 1.2+.

Access Control — Row Level Security (RLS) is enforced on all database tables containing user data. Each tenant can only access their own records. Administrative access is restricted and audited.

HTTPS — All connections to our platform are encrypted via HTTPS. Unencrypted HTTP connections are automatically redirected.

Google Gemini AI — Your financial data is processed by Google Gemini for AI-powered tax analysis. Data is transmitted securely and is subject to Google’s data processing terms.

Stripe — Payment processing is handled by Stripe, Inc. Stripe is PCI DSS Level 1 certified. Your payment information is subject to Stripe’s privacy policy.

SendGrid — Transactional emails (account verification, report delivery, notifications) are sent via SendGrid. Only your email address and message content are shared.

Xero / MYOB / QuickBooks — We connect to your accounting platform via OAuth 2.0 with read-only access. We do not store your accounting platform credentials.

Financial Data — Your imported financial data is retained for as long as your account is active. Upon account deletion or written request, all financial data is permanently deleted within 30 days.

AI Analysis Results — Tax analysis reports and findings are retained for 12 months from the date of generation to allow you to revisit and download your reports.

Account Data — Basic account information (name, email) is retained until you request deletion. We may retain minimal records as required by Australian tax and corporate law.

Backups — Encrypted database backups may retain deleted data for up to 90 days before automatic purging.

Under the Australian Privacy Act 1988 (Cth), you have the right to:

Access — Request a copy of the personal information we hold about you.

Correction — Request correction of any inaccurate or incomplete personal information.

Deletion — Request deletion of your personal information and all associated financial data. We will comply within 30 days unless we are legally required to retain certain records.

Complaint — Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached.

To exercise any of these rights, contact us at support@ato-ai.app with the subject line "Privacy Request".

Essential Cookies — We use essential cookies to maintain your authentication session and ensure the platform functions correctly. These cookies cannot be disabled without breaking core functionality.

Analytics Cookies — With your consent, we may use analytics cookies to understand how users interact with our platform. You can accept or decline analytics cookies via our cookie consent banner.

No Third-Party Tracking — We do not use third-party advertising cookies or cross-site tracking technologies.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated via email to registered users and posted on this page.

Last updated: 26 March 2026.

If you have questions about this Privacy Policy or how we handle your data, please contact us:

Email: support@ato-ai.app

Operator: Disaster Recovery Qld (ABN 42 633 062 307)

Location: Queensland, Australia