Privacy Policy

Purpose

This Policy explains how Client Core collects, uses, discloses and secures personal information under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), including the Notifiable Data-Breach scheme.

What We Collect

• Profile & Account

  Names, contact details, firm information.

• Identity Data

  Government IDs, selfies (processed by Stripe Identity).

• Client & Compliance Data

  ABNs, ASIC numbers, ATO agent links.

• Bank & Accounting Data

  Bank feeds, statements, transactional and ledger data imported from Xero, MYOB, QuickBooks or any third-party app you authorise (including Zapier integrations).

• Usage & Technical

  IP address, log files, cookies, analytics.

How We Collect

Directly from you, through authorised integrations and via cookies or similar technologies.

Why We Use Your Data

We use personal information solely to deliver, maintain and secure the Service you request, provide support you initiate, verify identity to meet ATO/TPB obligations and meet legal obligations. We do not sell personal information and we do not use your prompts, files or outputs to train foundation or product models, whether ours or third parties'. Where we use AI providers, we use enterprise configurations with data- retention disabled and human review prohibited. For bank and accounting data imported from Xero, MYOB, QuickBooks or authorised integrations, we act as your processor, using that data only to provide the Service you configure and not for independent analytics, marketing, or product development.

Disclosure to Service Providers

Subject to the terms set out in this policy, we may disclose personal information to:

• Hosting

  AWS (Sydney/Melbourne)

• AI Sub-processors

  OpenAI, Anthropic, Google Gemini and other similar LLM providers – API tiers that contractually prohibit using your inputs/outputs to train their models.

• Workflow & Integration

  Third party apps that you authorise

• Identity Verification

  For identity verification we will obtain express consent to collect and disclose biometric information (selfies/templates) to to our third-party identity verification providers solely for verification. Biometric data is retained only for the verification window and then deleted per their data retention policy; we do not use it for any other purpose.

• Professional Advisers & Regulators

  Where legally required

Cross-border Processing

While primary storage remains in Australia, limited processing may occur in the United States or other countries where our AI sub-processors operate. We take reasonable steps to ensure overseas recipients handle data in compliance with APP 8 (e.g., enterprise contracts, standard contractual clauses).

Security

Our infrastructure is built on AWS using Terraform for IaC. We run a Django (Python) application on ECS Fargate with Gunicorn supported by Celery workers for async tasks. The stack includes PostgreSQL RDS, Redis for caching, and S3 for static/media storage. The architecture features a secure VPC with public/private subnets, ALB for HTTPS traffic, and WireGuard VPN for secure access. All components are monitored via CloudWatch with comprehensive logging and alerting.

Notifiable Data Breaches

We assess suspected breaches promptly and, where serious harm is likely, notify affected individuals and the OAIC in accordance with Part IIIC of the Privacy Act.

Cookies & Analytics

Used for authentication, performance and product improvement. Browser settings can disable cookies but the Service may not function correctly.

Direct Marketing

Optional product updates; unsubscribe anytime.

Access & Correction

E-mail privacy@nagaris.com to request access or correction. We respond within 30 days.

Retention & Destruction

Personal information is kept only as long as necessary or as required by law, then securely deleted or de-identified.

Complaints

Contact our Privacy Officer first; unresolved complaints may be lodged with the OAIC.

Updates to this Policy

Material changes will be posted on our site and e-mailed 30 days before taking effect.

Contact

Privacy Officer, Client Core Pty Ltd, Level 9, 189 Kent St, Sydney 2000; privacy@nagaris.com