Australian Privacy Act 1988 Compliant

We respect your privacy.

This policy explains clearly what information Clarity Workflows collects, why we collect it, and how it is protected. We believe in transparency — there are no surprises here. If anything is unclear, please reach out and we'll be happy to explain.

Last updated: 18 March 2026

1 Information We Collect

We only collect information that is necessary to provide the service. Here's exactly what that includes:

Account Information

When you are invited to create an account, we collect:

  • Email address
  • Password — stored as a one-way bcrypt hash; we never see or store your plaintext password
  • Your role within the practice (e.g. viewer, user, senior, owner)

Financial Records

Accounting practitioners may upload the following on behalf of their clients:

  • Bank statements (PDF, CSV, OFX, QIF formats)
  • Transaction data including dates, descriptions, and amounts
  • BSB codes and bank account numbers
  • Categorised financial entries

Client Data

  • Client names, addresses, and contact details
  • Custom fields entered by users
  • Workflow and task information
  • Generated documents

Technical Data (Collected Automatically)

To keep the system secure and running properly, we automatically record:

  • IP addresses and browser user-agent strings
  • Login timestamps and session activity
  • Actions performed within the system (audit trail)

2 How We Use Your Information

We use your data only for the following purposes — nothing else:

  • Authentication and access control — to verify your identity and enforce role-based permissions
  • Service delivery — to provide workflow management, document generation, and bank statement analysis
  • Security and audit — to detect unauthorised access, maintain audit trails, and meet regulatory requirements
  • Communication — to send account verification emails, password reset links, and invitations

We do not use your data for marketing, advertising, or profiling. Your information is used solely to operate and secure the service.

3 How We Protect Your Data

Security is built into every layer of the platform:

  • Encryption in transit: All data is transmitted over TLS 1.2+ (HTTPS)
  • Encryption at rest: Client personal information (names, contact details, email addresses, and phone numbers) is encrypted using AES-256-GCM before being stored in the database
  • Password hashing: Passwords are hashed using bcrypt (cost factor 12) — irreversible by design
  • Database security: Production data is stored on Azure SQL with private network endpoints — not exposed to the public internet
  • Backup encryption: Automated backups are encrypted at rest in production environments
  • Secret management: Cryptographic keys and credentials are stored as secure environment variables on the production server — not in application source code or version control
  • Access logging: All significant actions are recorded in an immutable security audit log

4 Who Has Access to Your Data

Access within the platform is tightly controlled through a role-based access control (RBAC) system:

  • Viewers — read-only access to assigned client data
  • Users — can view and manage data for their assigned clients
  • Seniors — can manage users, view audit logs, and configure the system
  • Owners — full system access including user role management

We do not sell, share, or disclose personal information to third parties, except:

  • Where required by law or a valid court order
  • To comply with the Notifiable Data Breaches (NDB) scheme
  • With your explicit written consent

5 Data Retention

We only keep data for as long as necessary or as required by law:

  • Client financial records: Retained for as long as your account is active. Records moved to the trash are permanently and irreversibly deleted after 12 months
  • Account data: Retained for the duration of your account, plus 12 months after deletion
  • Audit logs: Retained for at least 12 months. Records of data deletion events are retained for at least 24 months
  • Session tokens: Your login session is automatically ended after 24 hours of inactivity to protect your account — this does not affect your stored data, which remains intact until you or your firm administrator removes it

6 Your Rights

Under the Australian Privacy Principles (APPs), you have the right to:

  • Access (APP 12): Request a copy of the personal information we hold about you
  • Correction (APP 13): Request correction of any inaccurate or outdated personal information
  • Complaint: Lodge a complaint with us directly, or with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached

To exercise any of these rights, contact us using the details in Section 9. Here is how the process works:

  • Submit your request by email to admin@clarityworkflows.com, clearly describing what information you are requesting access to or wish to correct
  • We will verify your identity before processing the request — typically by confirming the email address and account details associated with your account
  • We will respond within 30 days of receiving your request
  • For access requests, we will provide a copy of the personal information we hold about you in a readable format (such as a PDF summary or data export)
  • For correction requests, we will update the relevant records and confirm the change has been made
  • If we are unable to fulfil a request, we will explain why in writing

7 Data Breach Notification

In the unlikely event of an eligible data breach under the Notifiable Data Breaches (NDB) scheme, we will:

  • Assess the breach as soon as practicable but within 30 days of becoming aware of the incident
  • Notify the Office of the Australian Information Commissioner (OAIC)
  • Contact affected individuals with a clear description of what occurred, what information was involved, and the steps we recommend they take

8 Cookies & Tracking

This application does not use advertising, marketing, or social media tracking cookies. Authentication is managed via JSON Web Tokens (JWT) stored in the browser's local storage. No personal data is shared with advertising or social media platforms.

We use PostHog, a third-party product analytics service, to understand how the application is used and to identify and fix issues. PostHog may collect:

  • Page views and navigation events
  • Button clicks and user interactions
  • Session recordings — all form inputs (including passwords and sensitive fields) are fully masked and are never recorded or transmitted

PostHog data is used solely to improve the reliability and usability of the application. It is not used for advertising or profiling. You can review PostHog's privacy policy at posthog.com/privacy.

9 Contact Us

If you have questions about this Privacy Policy, wish to access your data, or want to make a complaint, please get in touch:

Privacy & General Enquiries

admin@clarityworkflows.com

You may also contact the Office of the Australian Information Commissioner (OAIC) directly:

© 2026 Clarity Workflows. All rights reserved.