Privacy Policy

Last updated: May 2026

1. Who we are

Deduct AU (ABN 30 454 172 063) is a sole trader business based in Australia.

For any privacy-related enquiries, contact us at contact@deductau.com.

2. What information we collect

We collect only the information necessary to provide the expense analysis service. This includes:

  • Expense analysis inputs: Your selected occupation, employment type, work-from-home status, and expense descriptions and amounts you enter into the tool.
  • Payment information: Payment is processed entirely by Stripe. We do not receive or store your credit card number. We receive a payment confirmation, transaction ID, the amount paid, and the email address you entered at checkout.
  • Account information (optional): If you choose to create an account to save your reports, we store your email address and, if you sign in with Google, your name and profile image. Accounts are not required to use the service.
  • Waitlist sign-up: If you join our waitlist, we store your email address so we can notify you when the service launches. You can request removal at any time by emailing us.
  • Technical data: Standard server logs including IP address, browser type, and request timestamps. These are used for security and debugging purposes only.

We do not collect your tax file number, bank details, or any government-issued identifiers. You can use the full analysis service without creating an account.

3. How we collect information

  • Directly from you: When you enter your occupation, employment details, and expenses into the analysis form.
  • From Stripe: When you complete a payment, we receive a payment confirmation via webhook.
  • Automatically: Standard technical data collected by our hosting infrastructure (Cloudflare).

4. Why we collect information

We collect and use your information for the following purposes:

  • To provide the expense analysis service — your inputs are required to generate an analysis against ATO guidelines.
  • To process your payment and verify access to the full report.
  • To maintain payment records for financial and legal reporting obligations.
  • To detect, prevent, and address technical issues or misuse of the service.

5. How we use artificial intelligence

Your expense data is processed by an AI language model (hosted on Microsoft Azure OpenAI) to generate the deduction analysis. When you submit your expenses:

  • Your occupation, employment type, and expense descriptions are sent to the AI model as part of an analysis prompt.
  • The AI model processes your data and returns a structured analysis, which is then validated by our system before being shown to you.
  • Microsoft Azure OpenAI does not use your data to train or improve its models. Your data is processed for the sole purpose of generating your analysis and is not retained by Microsoft after the API request is complete.
  • The AI output is general information based on publicly available ATO guidelines — it is not financial or taxation advice.

6. Overseas disclosure

In providing the service, your information may be disclosed to overseas recipients. Specifically, data may be processed by services located in the United States:

  • Microsoft (Azure OpenAI): Processes your expense data to generate the analysis. Subject to Microsoft's Privacy Statement.
  • Stripe: Processes your payment. Subject to Stripe's Privacy Policy.
  • Cloudflare: Hosts the application, temporarily stores analysis results, and sends transactional emails (sign-in codes and waitlist confirmations). Subject to Cloudflare's Privacy Policy.
  • PostHog: Collects anonymised usage analytics (page views, interactions) to help us improve the service. Does not receive your expense data or payment details. Subject to PostHog's Privacy Policy.
  • Google (OAuth sign-in, optional): If you choose to sign in with Google, Google receives a request from our sign-in flow. Subject to Google's Privacy Policy.

We take reasonable steps to ensure these providers protect your information in accordance with their published privacy policies and contractual obligations.

7. Data retention

  • Analysis results without an account: Stored in our temporary edge cache (Cloudflare KV) for 30 days to allow you to revisit your report after payment. After 30 days, these results are automatically and permanently deleted.
  • Analysis results saved to an account: If you sign in after payment to save your report, the result is moved from the temporary cache into your account and kept indefinitely, so you can refer back to it for ATO record-keeping purposes. You can request deletion at any time (see "Your rights" below).
  • Account data: Your email address (and Google profile details, if you signed in with Google) are retained while your account is active. If you request account deletion, all of your account data and saved reports are removed.
  • Payment records: Transaction ID, amount, and timestamp are retained for financial and legal reporting purposes as required by Australian taxation law. These are retained separately from your analysis data.
  • Expense data: Your expense descriptions and amounts are never written to any log. They exist only in the temporary result store (and in your account, if you save the report).
  • Waitlist email: Your email address is retained until we send you a launch invitation. After launch, waitlist records are deleted. You can request removal at any time by emailing us.

8. Data security

We take reasonable steps to protect your information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security measures include:

  • All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
  • Session and payment-access cookies are HTTP-only and Secure — they cannot be read by JavaScript on the page.
  • Accounts use passwordless sign-in: a 6-digit code sent to your email (expires in 5 minutes) or Google OAuth. We never ask for or store a password.
  • Payment card data is handled entirely by Stripe, which is PCI DSS Level 1 certified. We never see or store your card details.
  • Expense data is never written to any log.

9. Your rights

Although Deduct AU falls below the $3 million annual turnover threshold under the Privacy Act 1988 (Cth) and is not technically required to comply with the Australian Privacy Principles, we voluntarily follow the APPs as best practice. You have the right to:

  • Access: Request access to any personal information we hold about you.
  • Correction: Request correction of any personal information that is inaccurate, out of date, or incomplete.
  • Complaint: Lodge a complaint if you believe your privacy has been breached.

If you have not created an account, the only personal information we may hold is payment transaction records (retained for legal reporting) and any live analysis results still within the 30-day retention window. If you have created an account, you can also request deletion of your account and all saved reports. To exercise any of these rights, contact us at contact@deductau.com.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by calling 1300 363 992.

10. Cookies

We use the following cookies and tracking technologies:

  • Payment-access cookie — set after payment to grant you access to your full report. HTTP-only, signed, and scoped to a single report. Expires after 30 days.
  • Session cookie — set when you sign in to save reports to an account. HTTP-only, managed by our authentication library (Better Auth), and used only to identify your session.
  • Analytics (PostHog) — we use PostHog, a product analytics tool, to understand how visitors interact with the site (e.g. page views, button clicks). PostHog may set a cookie or use local storage to distinguish returning visitors. We use this data to improve the service. PostHog does not receive your expense data, payment details, or any information you enter into the analysis form.

We do not use advertising or social media tracking cookies.

11. Third-party services

The following third-party services are used to deliver and support Deduct AU. Each has its own privacy policy governing how they handle your data:

12. Children

Deduct AU is not directed at children under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at contact@deductau.com and we will take steps to delete it.

13. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices, the service, or legal requirements. When we do, we will update the "Last updated" date at the top of this page. Where we hold your email address (e.g. waitlist sign-up or account creation), we may notify you of material changes. Otherwise, we encourage you to review this page periodically.

14. Contact and complaints

If you have any questions about this privacy policy or wish to make a complaint about how we handle your information, please contact us:

Deduct AU

ABN 30 454 172 063

Email: contact@deductau.com

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC):

Office of the Australian Information Commissioner

Website: oaic.gov.au

Phone: 1300 363 992

This privacy policy has been prepared with reference to the Privacy Act 1988 (Cth), the Australian Privacy Principles, and the Privacy and Other Legislation Amendment Act 2024 (Cth). Deduct AU voluntarily complies with the Australian Privacy Principles as a matter of best practice.