Privacy Policy
1. Who we are
Caltury is a sole-trader business operating in Australia (ABN 49 452 393 782). We provide compliance software to Australian businesses that are reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). This policy explains how we handle personal information as an APP entity under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
2. What we collect
From you (the account holder): name, work email, phone, role at your practice, date of birth and residential address (when you become the AML/CTF Compliance Officer), business details (legal name, ABN, address, practice type).
From other people at your agency that you add to Caltury: name, work email, role, and (for directors, officers and beneficial owners listed in your AUSTRAC enrolment package) date of birth and residential address. You upload this information in your capacity as account holder. You are responsible for giving each such person any APP 5 collection notice required and for confirming you have authority to upload their information.
From your customers (people you onboard through Caltury): name, date of birth, residential address, photographic and document evidence of identity (uploaded via Stripe Identity), and the screening results returned by sanctions / PEP databases. We collect this information at your direction so you can meet your AML/CTF obligations.
You are the reporting entity for your customers. You are responsible for giving each customer any collection notice or obtaining any consent required under APP 5 before their personal information is uploaded to Caltury, including making them aware that some information will be disclosed to the overseas providers listed in section 4 for verification and screening purposes.
Technical: IP address, user-agent, timestamps of actions taken in the app. Used for security and audit purposes only.
Prospect contact details (B2B outreach). We may collect business contact information (typically work email, name, role, business name, public ABN) from publicly available sources such as agency websites, the Australian Business Register, professional directories, and LinkedIn. We use this information solely to contact Australian businesses that are likely to fall within the AML/CTF Act Tranche 2 reforms about Caltury's software. Recipients can opt out of further contact at any time using the unsubscribe link in our outreach emails or by writing to support@caltury.com.au. We do not sell or disclose prospect contact information to third parties.
3. How we use it
We use personal information solely to:
- provide the Caltury service to you;
- let you discharge your AML/CTF Act obligations (CDD, sanctions screening, SMR drafting, record-keeping);
- verify your identity if you contact us about your account;
- secure the service against fraud and abuse;
- comply with our own legal obligations (tax, breach reporting).
We do not use your information, or your customers' information, for marketing to third parties, profile-building, or sale to data brokers. We do not train any AI model on your data.
4. Where it lives
All customer data is stored in Sydney, Australia (Supabase managed Postgres + storage in the ap-southeast-2 region). Application servers are pinned to AWS Sydney via Vercel.
Some service providers process data outside Australia in defined, documented ways:
- Stripe Identity (USA / Ireland): document verification and DVS check. Stripe receives the customer's name, DOB, address, ID document image, and selfie. Result codes are returned to us; document images are retained by Stripe under their retention policy.
- Anthropic / Claude (USA): when you draft a Suspicious Matter Report, the structured intake (without raw ID documents) is sent to Anthropic to generate the narrative. Anthropic does not retain content for training.
- Resend (USA): sends transactional emails (sign-up confirmations, KYC links). Receives the recipient email address and message body.
- OpenSanctions (Germany / EU): receives a customer name and (optionally) date of birth for screening; returns matches.
Account holder data, APP 8.2(b) consent. At sign-up you are required to tick a separate consent box that names the overseas recipients above and the purposes of disclosure. By ticking that box you give consent under APP 8.2(b) to the disclosure of your own personal information to those overseas recipients for the purposes set out in section 3. You acknowledge that, where consent applies, APP 8.1 and section 16C of the Privacy Act do not apply to those disclosures.
Other agency personnel data, account holder warranty. Where you upload personal information about a director, officer, beneficial owner or other staff member of your agency in your capacity as account holder, you warrant that you have authority to upload that information and that you have either given that person any APP 5 collection notice required and obtained their consent for overseas disclosure to the recipients listed above, or that another exception under APP 8.2 applies to that disclosure. Caltury does not purport to obtain consent on behalf of those individuals through your sign-up tick-box.
Customer data, agency direction. Personal information about your agency's own customers is uploaded to Caltury at your direction so you can meet your AML/CTF obligations. As described in section 2, you (as the reporting entity) are responsible for giving each customer the APP 5 collection notice and, where required, obtaining APP 8.2(b) consent for overseas disclosure before their information is uploaded. Caltury processes that information on your instructions for the purposes you direct.
Contractual safeguards, APP 8.2(a). Caltury also enters into data-processing terms with each overseas recipient that bind them to handle personal information consistently with the APPs, relying on APP 8.2(a) as a further safeguard for both data classes above.
Stripe Identity custody. Raw identity document images and selfies are held by Stripe Identity on Stripe's own infrastructure. Stripe's handling, retention and deletion of those documents is governed by Stripe's privacy notice, not by this policy. Caltury never receives or stores those images, although Caltury designs the collection flow and selects Stripe as the verification provider.
5. How we secure it
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Row-level security in the database. Every record is scoped to your practice (your "org"), so no other Caltury customer can see your data.
- Multi-factor authentication available on every Caltury account.
- Stripe Identity uploads stream directly to Stripe. Caltury never stores raw ID documents on its servers.
- Audit log records every action (created, viewed, edited, deleted) against any record.
6. How long we keep it
AML/CTF records (including customer identity records, transaction records, SMRs, training records, and the AML/CTF Program) are retained for 7 years after the end of the customer relationship or the date of the record, as required by the AML/CTF Act.
Account data (your user account, login records, audit log) is retained while your account is active and for 12 months after account closure, then deleted unless we are required to retain it for another legal purpose.
Marketing / signup information from prospects who didn't complete signup is deleted after 90 days.
7. Your rights
You may at any time, by emailing support@caltury.com.au:
- access the personal information we hold about you;
- correct it if it is wrong;
- complain about how we have handled it (APP 12, APP 13);
- export your data (we'll provide it in a structured format within 30 days);
- ask for deletion. Where the information does not fall within our 7-year retention obligation under the AML/CTF Act (see section 6 for the data classes), we will delete it within 30 days. Where retention is required, we will restrict the information so that it is used only for AML/CTF compliance, audit, legal or regulatory obligations, the establishment, exercise or defence of legal claims, and complaint or breach investigation, for the remainder of the retention period, then delete it.
8. Notifiable data breaches
If a data breach involves personal information and is likely to result in serious harm to any individual, we will notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by Part IIIC of the Privacy Act.
9. Cookies and analytics
We use a small number of strictly necessary cookies for authentication. For traffic measurement we use Vercel Web Analytics, which does not use cookies, does not track individual users, and does not collect personally identifiable information.
On our marketing pages only (public pages, sign-up and sign-in), we also run Microsoft Clarity session replay and heatmaps so we can diagnose drop-off in the sign-up funnel. Input field values are masked at collection (passwords, emails, ABNs, etc. are never recorded). Clarity is not loaded on any authenticated route inside /dashboard, /onboarding or on the tokenised customer / reviewer links at /c/ and /r/. Microsoft Clarity is disclosed as a sub-processor at /sub-processors.
We do not use advertising cookies or cross-site behavioural-tracking third parties beyond the Google Ads conversion pixel on marketing pages, which fires only on completed conversion events (sign-up completion) and contains no personally identifiable information.
10. Children
Caltury is a business-to-business product. We do not knowingly collect personal information from anyone under 18.
11. Complaints
If you believe we have breached the APPs, please email support@caltury.com.au. We will respond within 30 days. If you are unsatisfied with our response, you may contact the Office of the Australian Information Commissioner at oaic.gov.au or 1300 363 992.
12. Changes to this policy
We may update this policy from time to time. The current version is always at caltury.com.au/privacy. Material changes will be communicated by email to account holders at least 14 days before they take effect.