PRIVACY POLICY
VerifyAU Pty Ltd | ABN 90 695 310 224
217–219 Flinders St, Adelaide SA 5000
Effective date: 25 May 2026
1. About This Policy
VerifyAU Pty Ltd (ABN 90 695 310 224) (“VerifyAU”, “we”, “us”, or “our”) is committed to protecting personal information in accordance with the Privacy Act 1988 (Cth) (“Privacy Act”) and the thirteen Australian Privacy Principles (“APPs”) set out in Schedule 1 of that Act.
This Privacy Policy explains how we collect, use, hold, disclose, and protect personal information in connection with our platform at app.verifyau.com.au and our website at verifyau.com.au (together, the “Platform”).
By using the Platform, you consent to the collection, use, and disclosure of personal information as described in this Policy. If you do not agree, you should not use the Platform.
2. Who We Are and What We Do
VerifyAU provides a cloud-based compliance software platform to Australian businesses that are reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). Our Platform helps these businesses manage their AUSTRAC compliance obligations, including customer due diligence, identity verification, AML/CTF program management, and suspicious matter reporting.
In providing the Platform, we process two categories of personal information:
Information about our Customers – the firms and their staff members who subscribe to and use the Platform; and
Information about End Clients – the individual clients of those firms whose personal information is entered into the Platform for identity verification and compliance record-keeping purposes.
3. Personal Information We Collect
3.1 Information about Customers and their staff
When a firm registers for and uses the Platform, we collect:
Business details: firm name, ABN, business address, industry type, and designated services
Account credentials: email address, hashed password, and authentication tokens
Staff member details: name, email address, assigned role within the Platform (Admin / Senior Manager, Compliance Officer, AML Staff, or Read Only)
Compliance officer information: designation date, fit and proper declaration records
Training records: completed training tiers, dates, and renewal status
Personnel due diligence (PDD) records: check type, date, and expiry
AUSTRAC enrolment details: AUSTRAC Account Number (AAN) and enrolment status
Communication data: support requests, feedback submissions, and emails you send us
Payment and billing information: credit purchase history and Stripe transaction references (we do not store full card numbers)
3.2 Information about End Clients
When a Customer’s firm uses the Platform to conduct customer due diligence on its own clients, the following categories of personal information about those individuals may be entered into or generated within the Platform:
Identity information: full name, date of birth, residential address, email address, phone number
Identity document details: Australian driver’s licence number and state, passport number, Medicare card number
Biometric data: liveness check data (a short facial scan) captured via our third-party provider One Click Services (OCS) for the purpose of verifying that the person presenting identity documents is the same person in the document photo
Politically Exposed Person (PEP) and sanctions screening results
Beneficial ownership information: where a client is a company or trust, details of its beneficial owners (including name, DOB, address, and identity documents for each)
Client risk rating: Low, Medium, or High, as assessed using the Platform’s risk assessment tools
Suspicious Matter Report (SMR) and Unusual Activity Report (UAR) content where it relates to a specific individual
The collection of End Client information is performed by the Customer (the firm) using our Platform. Customers who enter End Client data into the Platform represent that they have obtained all necessary consents and authorities from those individuals to do so.
4. How We Collect Personal Information
We collect personal information in the following ways:
Directly from you: when you register an account, enter information into the Platform, or contact us
From your staff: when staff members are invited to and use the Platform
From third parties: limited information may be received from Google when you use Google OAuth to sign in
Automatically: technical data such as IP addresses, browser type, device type, and session activity may be collected via Supabase and Vercel infrastructure for security and service delivery purposes
We do not collect personal information from you unless it is reasonably necessary for the provision of the Platform or as otherwise permitted by the Privacy Act.
5. Why We Collect and Use Personal Information
We collect and use personal information for the following purposes:
To create and manage your account and provide you with access to the Platform
To enable identity verification checks (DVS, liveness, and PEP screening) on your firm’s clients via One Click Services
To generate, store, and manage your firm’s AML/CTF compliance documentation, including AML programs, risk assessments, SMR and UAR records, training records, and audit logs
To process credit purchases and manage your account billing via Stripe
To send you transactional emails, including account notifications, compliance deadline reminders, training renewal reminders, and AUSTRAC reporting reminders, via Resend
To provide customer support and respond to your enquiries
To detect, investigate, and prevent fraud, security incidents, or misuse of the Platform
To comply with our own legal obligations, including any lawful request from a regulatory authority
To improve and develop the Platform
We will not use your personal information for direct marketing purposes without your consent. Where we send you information about Platform features, updates, or compliance news, this is a service communication about the Platform you subscribe to, not direct marketing.
6. Disclosure to Third Parties
We disclose personal information to third parties only where necessary to deliver the Platform or as otherwise permitted by the Privacy Act. The third parties we share information with are set out below.
6.1 Sub-processors
The following third-party service providers process personal information on our behalf as part of the Platform’s operation:
One Click Services (OCS) – Receives identity document details and biometric (liveness) data for the purpose of performing Document Verification Service (DVS), liveness detection, and PEP/sanctions screening on behalf of our Customers. OCS is an Australian provider accredited to access the federal government’s DVS Hub.
Stripe, Inc. – Receives payment information for the purpose of processing credit purchases. Stripe operates under its own PCI-DSS certified infrastructure. We do not store full payment card numbers.
Anthropic, PBC – Receives AML/CTF program content inputs (firm details and designated service information) for the purpose of generating AML policy drafts and SMR narrative text using artificial intelligence. Personal information about End Clients is not transmitted to Anthropic.
Supabase, Inc. – Provides database and authentication infrastructure. All data is stored in the ap-southeast-2 (Sydney, Australia) region.
Vercel, Inc. – Provides application hosting and content delivery. Application code runs on Vercel’s infrastructure, which may be located outside Australia (see clause 7), so personal information passing through the application may be processed there in transit.
Resend, Inc. – Provides transactional email delivery services. Receives email addresses and email content necessary to send compliance notifications and service emails.
Google LLC – Provides OAuth authentication (Google sign-in) and address lookup functionality. Where you use Google OAuth, Google receives your email address and name.
6.2 Regulatory authorities
We may disclose personal information to AUSTRAC, the Office of the Australian Information Commissioner (OAIC), law enforcement, or another government authority where required or authorised by law.
6.3 Business transfers
In the event of a merger, acquisition, sale of assets, or restructure of our business, personal information held by us may be transferred to the acquiring entity, subject to confidentiality obligations consistent with this Policy.
6.4 No sale of personal information
We do not sell, rent, or trade personal information to any third party for commercial purposes.
7. Cross-Border Disclosure
Some of our third-party sub-processors are located or operate infrastructure outside Australia, including in the United States of America. These include Anthropic, Vercel, Stripe, Resend, and Google.
Where we disclose personal information to overseas recipients, we take reasonable steps to ensure that those recipients handle that information in a manner consistent with the Australian Privacy Principles, including by:
Relying on contractual data processing agreements that impose APP-equivalent obligations
Selecting providers with recognised international privacy and security certifications (such as ISO 27001, SOC 2 Type II, and PCI-DSS)
By using the Platform, you acknowledge and consent to the disclosure of personal information to overseas recipients in the manner described above. We expressly inform you that, where such a disclosure is made with your consent under APP 8.2(b), APP 8.1 (the requirement that we take reasonable steps to ensure the overseas recipient does not breach the APPs) will not apply to that disclosure, and we may not be accountable under section 16C of the Privacy Act for acts of the overseas recipient that are inconsistent with the APPs. We nonetheless take the steps described above in respect of every overseas disclosure.
8. Storage and Security
We take reasonable steps to protect personal information from misuse, interference, loss, and from unauthorised access, modification, or disclosure. Our security measures include:
All data at rest is stored in Supabase’s Sydney (ap-southeast-2) region, within Australian jurisdiction
Row-level security (RLS) enforced at the database layer: each firm can only access its own data
Multi-factor authentication (TOTP 2FA) available on all accounts
Role-based access controls: staff can only access features and data appropriate to their assigned role
Encrypted transmission: all data in transit is encrypted using TLS
All third-party sub-processors are engaged under contractual security obligations
Append-only audit logging of all material actions within the Platform
Despite these measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of personal information.
9. Retention of Personal Information
9.1 Active accounts
Personal information is retained for as long as your account is active and for as long as necessary to fulfil the purposes described in this Policy.
9.2 After account termination
Following termination of a Customer account, all Customer Data (including compliance records, client records, verification histories, SMR and UAR logs, training records, and audit logs) is retained for a period of seven (7) years from the date of the last compliance activity recorded in the account, consistent with the record-keeping obligations imposed by the AML/CTF Act.
During this retention period, the data is held securely and is not used for any commercial purpose. It is retained solely to fulfil legal obligations and to respond to lawful regulatory requests.
Following the expiry of the seven-year retention period, data is securely and permanently deleted in accordance with our data destruction procedures.
9.3 Personal information no longer needed
Where personal information is no longer needed for any purpose, including our legal obligations, we will take reasonable steps to destroy or de-identify it securely.
10. Sensitive Information
The Privacy Act affords additional protection to “sensitive information”, and separately regulates “government related identifiers” under APP 9. The Platform processes the following categories of such information in relation to End Clients:
Biometric information (sensitive information): facial scan / liveness check data collected via One Click Services for identity verification purposes
Government related identifiers: Australian driver’s licence numbers, passport numbers, and Medicare card numbers used for Document Verification Service checks. These are not “sensitive information” as defined in the Privacy Act, but we handle them under the same restrictions described in this clause.
Health information (limited): Medicare card numbers, to the extent they constitute health information
If an individual declines to consent to the collection and verification of their identity information for DVS purposes, the identity verification process cannot be completed and the relevant firm will be unable to onboard that individual as a client.
The information listed above is:
Collected for the primary purpose of identity verification as required under the AML/CTF Act
Disclosed only to One Click Services for the purpose of conducting verification checks, and to regulatory authorities where required or authorised by law (clause 6.2)
Not used for any secondary purpose without express consent
Retained only for the period described in clause 9 above
Customers are responsible for ensuring that the End Clients whose sensitive information is entered into the Platform have provided appropriate consent for collection and use as described in this Policy, and for the purposes required under the AML/CTF Act.
11. Access to and Correction of Personal Information
11.1 Your right to access
You have the right to request access to personal information we hold about you. To make an access request, contact us at support@verifyau.com.au. We will respond within 30 days.
We may charge a reasonable fee for providing access where the request is complex or requires substantial effort. We will advise you of any applicable fee before processing your request.
We may decline an access request in limited circumstances permitted by the Privacy Act, including where providing access would be unlawful or would unreasonably impact the privacy of another individual. Where we decline, we will explain why in writing.
11.2 Your right to correction
If you believe that personal information we hold about you is inaccurate, incomplete, out of date, or misleading, you may request correction. Submit correction requests to support@verifyau.com.au. We will respond within 30 days.
Note: compliance records (including SMR logs and audit trail entries) are append-only and cannot be deleted or amended, as required by the AML/CTF Act. Corrections to such records are made by way of an addendum, not by deletion.
12. Cookies and Tracking
The Platform uses cookies and similar technologies for the following purposes:
Session management: authentication tokens and session cookies are used to maintain your logged-in state
Security: cookies help detect and prevent unauthorised access
Performance: limited technical data is collected to monitor Platform performance
We do not use advertising cookies, tracking pixels, or third-party analytics services that profile your behaviour for commercial purposes. We do not share cookie data with advertisers.
Most browsers allow you to control or disable cookies through browser settings. Disabling authentication cookies will prevent you from using the Platform.
13. Links to Other Websites
The Platform contains links to third-party websites, including AUSTRAC, DFAT, FATF, and AUSTRAC’s e-learning portal. These links are provided for your convenience. We are not responsible for the privacy practices or content of those websites and encourage you to review their privacy policies separately.
14. Children
The Platform is intended for use by businesses and their professional staff. It is not directed at individuals under the age of 18. We do not knowingly collect personal information from individuals under 18 other than in the context of End Client identity verification records entered by a Customer firm.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other reasons. We will notify you of material changes by email or by a prominent notice on the Platform at least 14 days before the change takes effect.
The current version of this Policy is always available at verifyau.com.au/privacy-policy. The “Effective date” at the top of this Policy indicates when it was last updated.
16. Complaints
If you believe we have breached the Australian Privacy Principles or the Privacy Act, you may lodge a complaint with us by writing to support@verifyau.com.au. Please provide sufficient detail about the nature of your complaint so we can investigate and respond effectively.
We will acknowledge receipt of your complaint within 5 business days and aim to resolve it within 30 days. If we are unable to resolve your complaint to your satisfaction, or if you prefer, you may also lodge a complaint directly with the Office of the Australian Information Commissioner (OAIC):
Office of the Australian Information Commissioner
Website: www.oaic.gov.au
Phone: 1300 363 992
Post: GPO Box 5218, Sydney NSW 2001
17. Contact Us
For privacy-related enquiries, access or correction requests, or complaints, please contact our Privacy Officer:
VerifyAU Pty Ltd – Privacy Officer
217–219 Flinders St, Adelaide SA 5000
ABN 90 695 310 224
Email: support@verifyau.com.au
Website: verifyau.com.au
We aim to respond to all privacy enquiries within 5 business days.