Privacy Policy
Last updated: 8 March 2026
1. Introduction
This Privacy Policy describes how AML Simple (“we”, “us”, “our”) collects, uses, stores, and protects personal information through AML Simple (“the Service”).
We are a New Zealand sole trader providing AML/CTF compliance software to Australian businesses. As a New Zealand entity providing services to Australian businesses and collecting personal information from individuals in Australia, we are subject to:
- Australian Privacy Act 1988 and the Australian Privacy Principles (APPs) — under section 5B (extraterritorial operation), the Privacy Act applies to us because we have an Australian link
- New Zealand Privacy Act 2020 and the Information Privacy Principles (IPPs) — as a New Zealand entity
2. What Data We Collect
2.1 Account Information (Direct Collection)
| Data | Purpose | Basis |
|---|---|---|
| Name, email, password | Account creation and authentication | Necessary for service |
| Organisation name, ABN | Business verification and service configuration | Necessary for service |
| Billing information | Payment processing (handled by Paddle) | Contractual |
2.2 Customer Compliance Data (Entered by You)
You input personal information about your clients as part of your CDD processes:
| Data | Purpose |
|---|---|
| Client full name, DOB, address | Customer due diligence (CDD) |
| ID document details (type, number, issuer, expiry) | Identity verification records |
| Risk ratings and assessments | Compliance workflow |
| Screening results (sanctions, PEP) | Regulatory compliance |
| SMR/TTR report content | Regulatory reporting assistance |
Important: You determine the purposes for which your clients’ personal information is collected and used through the Service. We hold and process this information solely on your instructions and for the purpose of providing the Service. Under the Australian Privacy Act, we are an APP entity with obligations regarding the personal information we hold. Under the NZ Privacy Act, we are an agency with corresponding obligations.
2.3 Automatically Collected Data
| Data | Purpose |
|---|---|
| IP address | Security, fraud prevention |
| Browser type, device info | Service optimisation |
| Usage data (pages viewed, features used) | Product improvement |
| Error logs | Debugging and reliability |
2.4 Data We Do NOT Collect
- Copies of identity documents (we record details only, per AUSTRAC guidance)
- Financial account numbers
- Tax file numbers
- Biometric data
3. How We Use Data
| Purpose | Legal Basis |
|---|---|
| Providing the Service | Performance of contract |
| Sanctions and PEP screening | Your legitimate compliance obligations |
| AI-assisted report drafting | Performance of contract (you control output) |
| Sending service notifications | Performance of contract |
| Product improvement and analytics | Legitimate interest |
| Security and fraud prevention | Legitimate interest |
| Compliance with legal obligations | Legal obligation |
We do NOT:
- Sell personal information to third parties
- Use customer compliance data for marketing
- Use customer data to train AI models
- Share data with third parties except as described below
4. Data Storage and Security
4.1 Data Residency
All customer compliance data (CDD records, screening results, reports) is stored exclusively in Sydney, Australia (ap-southeast-2) and is not transferred overseas.
| Service | Location | Data Stored |
|---|---|---|
| Supabase (database) | Sydney, Australia | All customer and compliance data |
| Cloudflare Pages (hosting) | Global CDN (Sydney edge) | Application only (no PII at rest) |
| Paddle (payments) | Ireland, EU | Payment information only (see Section 11) |
4.2 Security Measures
- Encryption in transit (TLS 1.2+)
- Encryption at rest (AES-256)
- Row Level Security (database access scoped to your organisation)
- Role-based access control
- Audit logging of all data access
- Regular security updates and dependency patching
5. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Customer compliance data (CDD, screening, reports) | 7 years from the relevant date specified in the AML/CTF Act (e.g., from when the business relationship with the client ends, or from the date of a transaction) | AML/CTF Act record-keeping requirements (sections 107–116) |
| Audit logs | 7 years | AML/CTF Act requirement |
| Account information | Duration of account + 90 days | Service provision |
| Usage analytics | 2 years | Product improvement |
| Error logs | 90 days | Debugging |
After the retention period, data is permanently deleted.
Note: We hold AML/CTF records on your behalf to assist you in meeting your record-keeping obligations under the AML/CTF Act. The 7-year retention period is your legal obligation as a reporting entity. We store these records to support that obligation.
6. Third-Party Data Processors
We share personal information with these processors solely to provide the Service:
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database hosting | All service data | Sydney, AU |
| Cloudflare Pages | Application hosting | Request logs | Global (Sydney edge) |
| Paddle | Payment processing (Merchant of Record) | Name, email, billing info | Ireland, EU |
| dilisense | Sanctions/PEP screening | Name, DOB (for screening) | EU |
| Resend | Transactional email | Email address, name | US |
| Sentry | Error monitoring | Error context (no customer PII) | US |
All processors are bound by data processing agreements.
7. Your Rights
Under Australian Privacy Act (APPs)
- Access: Request access to your personal information (APP 12)
- Correction: Request correction of inaccurate information (APP 13)
- Complaint: Lodge a complaint with us or the OAIC
Under NZ Privacy Act 2020 (IPPs)
- Access: Request access to your personal information (IPP 6)
- Correction: Request correction (IPP 7)
- Complaint: Lodge a complaint with us or the NZ Privacy Commissioner
Additional Rights We Provide
- Data export: Export all your data at any time (CSV, PDF)
- Data deletion: Request deletion of your account and data (subject to 7-year retention requirements for AML/CTF records)
- Data portability: Download structured data in standard formats
How to Exercise Your Rights
Contact us at [email protected]. We will respond within 30 days.
Note: AML/CTF records subject to the 7-year retention requirement cannot be deleted before the retention period expires, even upon request. This is a legal requirement under the AML/CTF Act.
8. Data Breach Notification
Australian Notifiable Data Breaches Scheme
In the event of a suspected eligible data breach under Part IIIC of the Australian Privacy Act 1988:
- We will assess the breach as quickly as possible and within a maximum of 30 days of becoming aware of grounds to suspect a breach, as required by law
- If we determine the breach is an eligible data breach (where serious harm to affected individuals is likely), we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable
- Our notification will include: a description of the breach, the kinds of information involved, and recommended steps for affected individuals
- We will notify you (as the reporting entity whose client data may be affected) separately so you can meet your own notification obligations
- We will take steps to contain the breach and mitigate harm
New Zealand Privacy Act 2020
Under the NZ Privacy Act 2020 (sections 112–117), if a privacy breach has caused, or is likely to cause, serious harm to affected individuals:
- We will notify the NZ Privacy Commissioner and affected individuals as soon as practicable
- We will take steps to contain the breach and reduce the risk of harm
9. Cookies and Tracking
We use essential cookies only:
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Authentication | Session |
| CSRF token | Security | Session |
We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
10. Children’s Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.
11. International Data Transfers
Customer compliance data (CDD records, screening results, reports) is stored exclusively in Australia (Sydney, ap-southeast-2) and is not transferred overseas.
The following categories of personal information may be disclosed to overseas recipients:
- Ireland/EU: Paddle (name, email, billing information for payment processing); dilisense (name, DOB for sanctions/PEP screening)
- United States: Resend (email address, name for transactional emails); Sentry (error context, which may incidentally include technical identifiers but not customer PII)
Under APP 8, we take reasonable steps to ensure these overseas recipients handle personal information consistently with the APPs, including through binding data processing agreements. We remain accountable for the handling of personal information by these overseas recipients.
Under the NZ Privacy Act, we ensure that overseas recipients are subject to comparable privacy protections before disclosing personal information.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified via email and in-app notice at least 30 days before taking effect.
13. Contact and Complaints
Privacy enquiries: [email protected]
Complaints:
If you are not satisfied with our response, you may contact:
- Australia: Office of the Australian Information Commissioner (OAIC) — www.oaic.gov.au
- New Zealand: Office of the Privacy Commissioner — www.privacy.org.nz