Privacy Policy

Effective Date: January 2026

Introduction

OnboardMe ("we", "our", "us") is committed to protecting the privacy and security of our users and their clients. This Privacy Policy explains how we collect, use, disclose, store, and safeguard personal information and personal data (together, "personal information" in this Policy).

As a professional services platform, we recognise the sensitive nature of the information we process — including Australian tax file numbers (TFNs), New Zealand IRD numbers, bank account details, identity documentation, and confidential business information. Protecting this data is a legal obligation and a core part of our mission.

Your use of the Service is also governed by our Terms of Service. Where we process personal information on behalf of your organisation, additional terms (such as a data processing agreement) may apply as agreed with that organisation.

Who we are

The operator of the OnboardMe platform is OnboardMe Pty Ltd (Australian company), trading as OnboardMe. For the purposes of applicable privacy law, OnboardMe Pty Ltd is generally the organisation responsible for decisions about how we use personal information collected through this website and the App in our own business capacity (for example, account administration, billing, security, and product improvement).

When your firm uses OnboardMe to onboard or manage its clients or staff, your firm is usually responsible for that client or employee data as the "controller" or equivalent under local law, and we act as a "processor" or service provider only for that processing — following your firm's instructions and our agreement with them. This Policy still describes how the platform works and our security practices; your firm's privacy notice may also apply to you.

Sensitive information we handle

In addition to ordinary personal information (such as name, email, and phone), OnboardMe may process:

  • Australian tax file numbers (TFNs), New Zealand IRD numbers
  • Bank account and payment details
  • Identity verification documents and compliance records
  • Engagement letters, contracts, and legal agreements
  • Professional service records and onboarding information

These categories are subject to enhanced security, encryption, and access controls as described in this Policy.

Categories of personal information

Depending on how you use the Service, we may process:

  • Identity and contact: name, email, phone, job title, employer, practice or entity identifiers.
  • Account and technical: login identifiers, session and device data, IP address, audit logs, integration identifiers (where you connect third-party systems).
  • Service content: information you or your organisation enters into forms, proposals, engagements, ethical letters, ID verification flows, and related workflows.
  • Financial: billing details, subscription records, and transaction-related data processed by our payment partners where you pay us.
  • Usage and diagnostics: feature usage, performance metrics, error reports, and aggregated analytics.

Why we use personal information

We collect and use personal information only for lawful purposes connected to providing and improving the Service, meeting legal obligations, and keeping the platform secure. Typical purposes include: operating accounts and authentication; delivering onboarding, engagement, and compliance features; billing and support; security monitoring and fraud prevention; product analytics in aggregated or pseudonymous form where possible; and meeting tax, financial, and record-keeping obligations.

Data storage, security, and retention

Production data for this deployment is stored in the AWS Sydney region, consistent with Australian privacy and data sovereignty expectations.

  • Encryption: Sensitive data (including TFN or IRD number where collected) is encrypted at rest (for example AES-256) and in transit using TLS 1.2+.
  • Access controls: Role-based access control (RBAC), multi-factor authentication (MFA), and authentication policies limit access to authorised personnel and subprocessors bound by confidentiality and security obligations.
  • Monitoring: Access and security events are logged and monitored. Alerts may be sent to our security team at security@onboardme.app.
  • Backups: Encrypted backups are maintained within Australia (Sydney region).
  • Retention: We retain personal information only as long as needed for the purposes above, including to perform our contract, meet legal, tax, and regulatory record-keeping duties, resolve disputes, and enforce agreements. Retention periods vary by data type; when no longer required, we delete or anonymise it using secure methods.

Who we share information with

We do not sell your personal information. We share it only as needed to run the Service, comply with law, or with your direction, including with:

  • Infrastructure and security: cloud hosting, backup, logging, and monitoring providers (for this deployment, including AWS and related services).
  • Analytics and diagnostics: providers such as PostHog for product analytics, configured to minimise identifiable data where feasible, and AWS CloudWatch for operational metrics.
  • Communications: email or messaging delivery providers used to send transactional or service-related messages.
  • Payments: payment processors that handle card or wallet transactions on our behalf.
  • Professional advisers: lawyers, accountants, or insurers where required and subject to confidentiality.
  • Authorities: regulators, courts, or law enforcement when we are legally required or permitted to respond.

We may update the list of material subprocessors from time to time; material changes are communicated in line with your agreement with us (for example, via product notices or email to organisation administrators).

Cookies, analytics, and tracking

We use cookies and similar technologies to operate the platform, maintain secure sessions, remember preferences, measure performance, and improve the product.

Types of tracking

  • Essential cookies: Required for login, secure sessions, and core App features.
  • Analytics cookies / technologies: Help us understand how features are used so we can improve reliability and design.
  • Functional cookies: Remember preferences such as theme or language.
  • Security cookies: Support detection of unusual behaviour and protection against abuse.

Third-party analytics

We use trusted providers such as PostHog and AWS CloudWatch for aggregated usage metrics, performance monitoring, and troubleshooting. These tools are configured so that personally identifiable information is limited to what is necessary for security or support.

Your choices

You can manage cookies through your browser. Essential cookies are required for secure login and core features. Where non-essential analytics or preference cookies are used, you should align your choices with your organisation’s policies and applicable law.

Monitoring and logging

We use monitoring and logging for security, compliance, reliability, and product improvement.

  • User activity: pages visited, time spent, and feature usage, to improve user experience and product design.
  • System logs: session metadata, IP addresses, authentication events, and error logs, to maintain stability and detect threats.
  • Performance metrics: API response times, latency, and availability statistics.
  • Diagnostic data: collected when errors occur to improve stability.

Monitoring data is protected with appropriate access controls and is stored in Australia (Sydney region) for this deployment, subject to the same security standards as other service data. Where practicable, we aggregate or pseudonymise analytics.

Automated decision-making

We do not use solely automated decision-making that produces legal or similarly significant effects on individuals in relation to the Service.

Data breach response and notification

We maintain an incident response plan aligned with serious harm notification expectations under Australian law and notifiable privacy breach requirements under New Zealand law, as applicable.

  • Australia: where a breach is likely to result in serious harm to individuals whose information is involved, we assess and notify under the Notifiable Data Breaches (NDB) scheme and may notify the Office of the Australian Information Commissioner (OAIC).
  • New Zealand: where a notifiable privacy breach occurs, we assess and notify in line with the Privacy Act 2020 and may notify the Office of the Privacy Commissioner (Te Mana Mātāpono Matatapu).
  • Affected individuals are notified when the law requires it or when we reasonably consider notification appropriate, without undue delay where feasible.
  • We review and test our incident response processes on an ongoing basis.

Compliance with Australian and New Zealand law

We handle personal information in line with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) where Australian law applies, and the Privacy Act 2020 and the Information Privacy Principles (IPPs) under that Act where New Zealand law applies.

We review our data handling practices regularly to reflect changes in law, technology, and industry practice.

Your rights

Subject to applicable law, you may request access to and correction of personal information we hold about you. You may also have rights to object to certain uses, to withdraw consent where processing is consent-based, and to make a complaint to a regulator as described below.

To exercise your rights, email info@onboardme.app with the subject line "Privacy request" and enough detail for us to verify your identity and locate the relevant information. If your organisation subscribes to OnboardMe, we may need to coordinate with your organisation's administrator where data is held on their behalf.

We aim to respond within 30 days, or sooner if required by applicable law. There is no fee for a legitimate request unless the law allows a reasonable charge for manifestly unfounded or excessive requests.

You may complain to the OAIC (Australia) or the Office of the Privacy Commissioner (New Zealand), depending on which law applies to your situation. We encourage you to contact us first so we can try to resolve your concern.

International data transfers

Primary infrastructure and stored customer data for this deployment are located in Australia (AWS Sydney). We do not routinely transfer personal information offshore unless you or your organisation agree, or the law requires it, and any transfer is handled in line with applicable Australian and New Zealand privacy laws.

Children's privacy

The Service is designed for businesses and professionals, not for children. We do not knowingly collect personal information from anyone under 16. If we learn that we have collected such information, we will take steps to delete it.

Changes to this Privacy Policy

We may update this Policy to reflect legal, regulatory, or operational changes. The updated version will be published on this page with a revised effective date. Where changes are material and we have your contact details, we may also notify you by email or through the App.

Contact us

For privacy questions or requests:

  • Email: info@onboardme.app
  • Security: security@onboardme.app

Postal or registered company details can be provided on request to the same address.

© 2026 OnboardMe. All Rights Reserved.