Nagaris

Privacy Policy

Last updated 10 June 2025

Purpose

This Policy explains how Client Core collects, uses, discloses and secures personal information under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), including the Notifiable Data-Breach scheme.

What We Collect

  • Profile & Account

    Names, contact details, firm information.

  • Identity Data

    Government IDs, selfies (processed by Stripe Identity).

  • Entity & Compliance Data

    ABNs, ASIC numbers, ATO agent links.

  • Bank & Accounting Data

    Bank feeds, statements, transactional and ledger data imported from Xero, MYOB, QuickBooks or any third-party app you authorise (including Zapier integrations).

  • Usage & Technical

    IP address, log files, cookies, analytics.

How We Collect

Directly from you, through authorised integrations and via cookies or similar technologies.

Why We Use Your Data

  • Deliver and improve the Service
  • Verify identity to meet ATO/TPB obligations
  • Provide support and invoicing
  • Comply with law (e.g., anti-money-laundering, tax)

Disclosure to Service Providers

We may disclose personal information to:

  • Hosting

    AWS (Sydney/Melbourne)

  • AI Sub-processors

    OpenAI, Anthropic, Google Gemini and other similar LLM providers – API tiers that contractually prohibit using your inputs/outputs to train their models.

  • Workflow & Integration

    Third-party apps that you authorise

  • Identity Verification

    Stripe Identity

  • Professional Advisers & Regulators

    Where legally required

Cross-border Processing

While primary storage remains in Australia, limited processing may occur in the United States or other countries where our AI sub-processors operate. We take reasonable steps to ensure overseas recipients handle data in compliance with APP 8 (e.g., enterprise contracts, standard contractual clauses).

Security

Our infrastructure is built on AWS using Terraform for IaC. We run a Django (Python) application on ECS Fargate with Gunicorn, supported by Celery workers for async tasks. The stack includes PostgreSQL RDS, Redis for caching, and S3 for static/media storage. The architecture features a secure VPC with public/private subnets, an ALB for HTTPS traffic, and a WireGuard VPN for secure access. All components are monitored via CloudWatch with comprehensive logging and alerting.

Notifiable Data Breaches

We assess suspected breaches promptly and, where serious harm is likely, notify affected individuals and the OAIC in accordance with Part IIIC of the Privacy Act.

Cookies & Analytics

Used for authentication, performance and product improvement. Browser settings can disable cookies, but the Service may not function correctly.

Direct Marketing

Optional product updates; unsubscribe anytime.

Access & Correction

E-mail privacy@nagaris.com to request access or correction. We respond within 30 days.

Retention & Destruction

Personal information is kept only as long as necessary or as required by law, then securely deleted or de-identified.

Complaints

Contact our Privacy Officer first; unresolved complaints may be lodged with the OAIC.

Updates to this Policy

Material changes will be posted on our site and e-mailed 30 days before taking effect.

Contact

Privacy Officer, Client Core Pty Ltd, Level 9, 189 Kent St, Sydney 2000; privacy@nagaris.com

© 2025 Nagaris. Inspired by 'Nagare' (流れ), the Japanese concept of natural flow.