Privacy Policy
Last updated: 3 April 2026
Redrock Systems Pty Ltd (ABN 53 696 760 433) ("we", "us", "our") is committed to protecting the privacy of individuals whose personal information we collect and handle. This Privacy Policy explains how we collect, use, disclose, and protect personal information in accordance with the Australian Privacy Principles ("APPs") under the Privacy Act 1988 (Cth).
1. Information We Collect
We collect the following categories of personal information:
- Account information: Name, email address, phone number, job title, organisation details
- Authentication data: Password hashes, multi-factor authentication secrets (TOTP), session tokens
- Client data: Information you enter about your clients, including names, addresses, tax file numbers, financial records, and compliance documentation
- Usage data: Login timestamps, feature usage, browser type, IP address
- Payment information: Billing details processed through Stripe (we do not store card numbers)
2. How We Collect Information
We collect personal information directly from you when you register, use the Platform, or communicate with us. We may also collect information automatically through cookies and server logs when you access the Platform.
3. Purpose of Collection
We collect and use personal information to:
- Provide, maintain, and improve the Platform
- Authenticate users and enforce access controls
- Process payments and manage subscriptions
- Send transactional emails (e.g. document requests, engagement letters, notifications)
- Comply with legal obligations, including AML/CTF record-keeping requirements
- Respond to support requests and enquiries
4. Data Hosting and Storage
All data is hosted in Sydney, Australia (ap-southeast-2) on infrastructure provided by Supabase (backed by AWS). Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Database backups are retained in the same region.
5. Third-Party Service Providers
We use the following third-party services to operate the Platform. Each is engaged under appropriate data processing agreements:
- Supabase (Sydney) — Database hosting, authentication, file storage
- Vercel (Sydney) — Application hosting, edge functions
- Stripe — Payment processing (PCI DSS Level 1 certified)
- Resend — Transactional email delivery (fallback)
- Microsoft 365 — Primary email delivery via Graph API
- Annature — Electronic signature services
6. Disclosure of Personal Information
We do not sell personal information. We may disclose personal information to:
- Third-party service providers listed above, solely for the purpose of operating the Platform
- Law enforcement or regulatory bodies where required by Australian law
- Your organisation's administrators, who manage user accounts and access permissions
7. Cross-Border Disclosure
Some of our third-party providers (Stripe, Resend) may process data outside Australia. Where this occurs, we take reasonable steps to ensure compliance with the APPs and that the overseas recipient handles information in a manner consistent with Australian privacy law.
8. Data Retention
We retain personal information for as long as your account is active or as needed to provide the Platform. AML/CTF compliance records are retained for a minimum of 7 years as required by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). Upon account termination, personal information that is not subject to AML/CTF retention requirements is deleted within 90 days.
9. Data Security
We implement technical and organisational measures to protect personal information, including:
- Encryption at rest and in transit
- Row-level security (RLS) ensuring tenant data isolation
- Multi-factor authentication enforcement
- Role-based access control (8 roles with granular permissions)
- HMAC-signed session tokens and hashed access credentials
- Regular security audits and vulnerability assessments
10. Your Rights
Under the APPs, you have the right to:
- Access the personal information we hold about you
- Correct any inaccurate or out-of-date information
- Request deletion of your personal information (subject to legal retention requirements)
- Withdraw consent for marketing communications at any time
To exercise these rights, contact us at privacy@redrocksystems.com.au. We will respond within 30 days.
11. Complaints
If you believe we have breached the APPs, you may lodge a complaint with us at the email address above. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the Platform. The "last updated" date at the top of this page reflects the most recent revision.
13. Contact
For privacy enquiries, contact our Privacy Officer at: privacy@redrocksystems.com.au
Redrock Systems Pty Ltd
ABN 53 696 760 433
Perth, Western Australia