Privacy Policy
Effective 13 May 2026 · ABN 49 452 393 782 · Caltury (sole trader, Australia)
1. Who we are
Caltury is a sole-trader business operating in Australia (ABN 49 452 393 782). We provide compliance software to Australian businesses that are reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). This policy explains how we handle personal information as an APP entity under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
2. What we collect
From you (the account holder): name, work email, phone, role at your practice, date of birth and residential address (when you become the AML/CTF Compliance Officer), business details (legal name, ABN, address, practice type).
From your customers (people you onboard through Caltury): name, date of birth, residential address, photographic and document evidence of identity (uploaded via Stripe Identity), and the screening results returned by sanctions / PEP databases. We collect this information at your direction so you can meet your AML/CTF obligations.
Technical: IP address, user-agent, timestamps of actions taken in the app. Used for security and audit purposes only.
3. How we use it
We use personal information solely to:
- provide the Caltury service to you;
- let you discharge your AML/CTF Act obligations (CDD, sanctions screening, SMR drafting, record-keeping);
- verify your identity if you contact us about your account;
- secure the service against fraud and abuse;
- comply with our own legal obligations (tax, breach reporting).
We do not use your information, or your customers' information, for marketing to third parties, profile-building, or sale to data brokers. We do not train any AI model on your data.
4. Where it lives
All customer data is stored in Sydney, Australia (Supabase managed Postgres + storage in the ap-southeast-2 region). Application servers are pinned to AWS Sydney via Vercel.
Some service providers process data outside Australia in defined, documented ways:
- Stripe Identity (USA / Ireland): document verification and DVS check. Stripe receives the customer's name, DOB, address, ID document image, and selfie. Result codes are returned to us; document images are retained by Stripe under their retention policy.
- Anthropic / Claude (USA): when you draft a Suspicious Matter Report, the structured intake (without raw ID documents) is sent to Anthropic to generate the narrative. Anthropic does not retain content for training.
- Resend (USA): sends transactional emails (sign-up confirmations, KYC links). Receives the recipient email address and message body.
- OpenSanctions (Germany / EU): receives a customer name and (optionally) date of birth for screening; returns matches.
These cross-border disclosures are made under APP 8.1 with reasonable steps to ensure overseas recipients handle the information consistently with the APPs.
5. How we secure it
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Row-level security in the database — every record is scoped to your practice (your "org"); no other Caltury customer can see your data.
- Multi-factor authentication available on every Caltury account.
- Stripe Identity uploads stream directly to Stripe — Caltury never stores raw ID documents on its servers.
- Audit log records every action (created, viewed, edited, deleted) against any record.
6. How long we keep it
AML/CTF records — including customer identity records, transaction records, SMRs, training records, the AML/CTF Program — are retained for 7 years after the end of the customer relationship or the date of the record, as required by the AML/CTF Act.
Account data (your user account, login records, audit log) is retained while your account is active and for 12 months after account closure, then deleted unless we are required to retain it for another legal purpose.
Marketing / signup information from prospects who didn't complete signup is deleted after 90 days.
7. Your rights
You may at any time, by emailing privacy@caltury.com.au:
- access the personal information we hold about you;
- correct it if it is wrong;
- complain about how we have handled it (APP 12, APP 13);
- export your data (we'll provide it in a structured format within 30 days);
- ask for deletion (subject to our retention obligations under the AML/CTF Act).
8. Notifiable data breaches
If a data breach involves personal information and is likely to result in serious harm to any individual, we will notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by Part IIIC of the Privacy Act.
9. Cookies and analytics
We use a small number of strictly necessary cookies for authentication. Product analytics (PostHog) run on EU servers and are configured to anonymise IP addresses. We do not use advertising cookies or trackers.
10. Children
Caltury is a business-to-business product. We do not knowingly collect personal information from anyone under 18.
11. Complaints
If you believe we have breached the APPs, please email privacy@caltury.com.au. We will respond within 30 days. If you are unsatisfied with our response, you may contact the Office of the Australian Information Commissioner at oaic.gov.au or 1300 363 992.
12. Changes to this policy
We may update this policy from time to time. The current version is always at caltury.com.au/privacy. Material changes will be communicated by email to account holders at least 14 days before they take effect.