Privacy Policy

Effective Date: 18 August 2025

Introduction

OnboardMe ("we", "our", "us") is committed to protecting the privacy and security of our users and their clients. This Privacy Policy sets out how we collect, use, disclose, store, and safeguard personal data.

As a professional services platform, we recognise the sensitive nature of the information we process — including tax file numbers (TFNs), bank account details, identity documentation, and confidential business information. Protecting this data is a legal obligation and a core part of our mission.

Sensitive Information We Handle

In addition to standard personal data (name, email, phone), OnboardMe may process:

  • Tax File Numbers (TFNs) and tax-related data
  • Bank account and payment details
  • Identity verification documents and compliance records
  • Engagement letters, contracts, and legal agreements
  • Professional service records and onboarding information

These categories of information are subject to enhanced security, encryption, and compliance measures as described in this Policy.

Data Storage, Security, and Retention

All data is stored onshore in Australia in the AWS Sydney region, ensuring compliance with Australian privacy and data sovereignty laws.

  • Encryption: All sensitive data (including TFNs and banking details) is encrypted at rest using AES-256, and in transit using TLS 1.2+.
  • Access Controls: Role-based access control (RBAC), MFA, and strict authentication policies restrict data access to authorised personnel only.
  • Monitoring: All access to sensitive data is logged, monitored, and audited. Alerts are generated for suspicious activity.
  • Backups: Encrypted backups are maintained exclusively in AWS Sydney.
  • Retention: Data is retained only for as long as required by law or business need, then securely deleted or anonymised.

Cookies, Analytics, and Tracking

We use cookies and tracking technologies to operate our platform, enhance user experience, monitor performance, and improve functionality.

Types of Tracking

  • Essential Cookies: Required for login, secure sessions, and core App features.
  • Analytics Cookies: Track how users navigate and use features. Helps us prioritise improvements and understand adoption.
  • Functional Cookies: Remember preferences such as theme or language.
  • Security Cookies: Detect unusual behaviour, prevent fraud, and protect against malicious activity.

Third-Party Analytics

We use trusted providers such as PostHog, Google Analytics, and AWS CloudWatch to collect aggregated usage metrics, monitor system performance, and diagnose issues. These providers do not receive personally identifiable data unless strictly necessary for security or troubleshooting.

User Control

You can adjust cookie preferences via browser settings. Some cookies are essential to the secure operation of the App and cannot be disabled without impairing service.

Monitoring and Logging

OnboardMe employs extensive monitoring and logging for security, compliance, and product enhancement purposes.

  • User Activity: Pages visited, time spent, and feature usage, to improve UX and product design.
  • System Logs: Session data, IP addresses, login attempts, and error logs, to ensure platform stability and detect threats.
  • Performance Metrics: API response times, latency, and reliability statistics.
  • Diagnostic Data: Automatically collected during errors/crashes to improve stability.

Monitoring data is encrypted, stored in AWS Sydney, and subject to the same access controls as personal data. Wherever possible, monitoring data is aggregated or pseudonymised.

Data Breach Response and Notification

In the unlikely event of a data breach, OnboardMe follows a strict incident response plan in line with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth).

  • Breaches are detected through continuous monitoring and alert systems.
  • Incidents are immediately investigated and contained.
  • If the breach is likely to result in serious harm, affected individuals and the Office of the Australian Information Commissioner (OAIC) will be notified without undue delay.
  • Notifications will include the nature of the data affected, likely consequences, and steps individuals can take to mitigate risks.

We regularly test and update our incident response processes to ensure rapid and effective response capability.

Compliance with Australian Law

OnboardMe complies with the Privacy Act 1988 and the Australian Privacy Principles (APPs), as well as the TFN Rule 2015 and relevant financial record-keeping obligations.

We review our data handling practices regularly to ensure compliance with changing laws and industry standards.

Your Rights

You have rights to access, correct, and request deletion of your data, subject to legal obligations. You may also request portability of your data or object to certain processing activities. Requests can be submitted via our contact details below.

International Data Transfers

All personal data is stored in Australia (AWS Sydney). We do not transfer or store data offshore unless explicitly agreed and legally compliant.

Children’s Privacy

Our App is not directed to children under 13 (or the relevant local age). We do not knowingly collect data from children. If discovered, such data will be deleted.

Changes to This Privacy Policy

We may update this policy to reflect legal, regulatory, or operational changes. Updates will be published here with a new effective date.

Contact Us

For privacy enquiries, please contact us:

We respond to all enquiries within 30 days.