Privacy Policy.
OneHQ App Pty Ltd (ABN 89 695 243 059) — Version 1.1 — Effective 26 February 2026
1. Introduction
OneHQ is operated by OneHQ App Pty Ltd (ABN 89 695 243 059) ("we", "us", "our"). We are an APP entity bound by the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs).
This Privacy Policy explains how we collect, hold, use, disclose, store and otherwise handle personal information through the OneHQ platform — a cloud-based practice management application for Australian accounting firms.
This policy applies to:
- Users — practice owners, administrators, staff and contractors who access OneHQ; and
- End-clients — individuals whose personal information is entered into or managed within OneHQ by a practice.
OneHQ is intended for use by professional accounting firms and their staff. It is not directed to individuals under 18 years of age.
This policy is available at onehq.com.au/privacy free of charge and may be provided in an alternative form on request (APP 1.5 and APP 1.6).
2. Definitions
2.1 Personal information
"Personal information" has the meaning given in section 6 of the Privacy Act 1988: information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not, and whether recorded in material form or not.
2.2 Sensitive information
"Sensitive information" is a subset of personal information defined in section 6 of the Privacy Act (for example health, biometric, racial or ethnic origin and criminal record information) that receives higher protection under the APPs. OneHQ does not routinely collect sensitive information as so defined. Two categories we handle are protected to the same elevated standard:
- Tax File Numbers (TFNs) — regulated as government-related identifiers under the Privacy (Tax File Number) Rule 2015 and APP 9, rather than as sensitive information; and
- Identity verification data — government-issued identity document details collected through optional AML/CTF verification.
We only collect sensitive information where it is reasonably necessary for our functions, and where required, with consent or as authorised or required by law.
2.3 Derived data
"Derived data" means analytical outputs, compliance indicators, risk assessments, and calculated estimates generated from personal information or financial data. Where derived data relates to an identifiable individual, it is treated as personal information under this policy.
3. Our role
OneHQ operates in a dual capacity:
- Data processor (service provider) — for client data entered by accounting practices, OneHQ processes personal information only on the practice's instructions and for the purpose of providing the platform. The practice remains the data controller and is responsible for its obligations under the Privacy Act, including providing notices and obtaining client consents where required.
- Data controller — for OneHQ account data (user accounts, staff profiles, billing and administration records), OneHQ determines the purposes and means of processing and is directly responsible for compliance with the APPs.
We do not independently determine the purposes for which client personal information is processed, and we do not use client data for our own purposes beyond providing contracted services.
Note: the terms "data controller" and "data processor" are used for clarity and correspond to the Privacy Act concepts of collecting entity and contracted service provider respectively. Our obligations as a data processor are set out in our Terms of Service (Section 5.7).
4. Information we collect
4.1 Account and staff information
When you create an account or join a practice, we may collect:
- Name, email address and display name
- Practice name and role within the practice
- Password credentials (stored securely via Supabase Auth using bcrypt — we never access plaintext passwords)
- Multi-factor authentication enrolment data (TOTP secret for authenticator apps; backup codes stored as SHA-256 hashes)
- Session and security data (IP address, user agent, authentication events recorded in our audit log)
- Staff billing rates (hourly rate, cost rate) where timesheet features are enabled
4.2 Client data managed by practices
Practices may store and manage the following categories of client data:
- Identity details — names, dates of birth, ABNs, ACNs, entity types, directors, shareholders, beneficiaries, trust members
- Contact information — email addresses, phone numbers, physical and postal addresses
- Tax File Numbers — see Section 5 for specific TFN handling
- Compliance records — jobs, obligation tracking, statuses, due dates, lodgement history
- Financial records — billing, fee records, engagement terms
- Communications — email metadata, SMS messages, phone call notes, internal notes
- Documents and files — stored via the practice's Dropbox integration
- Accounting data — financial reports, transactions, and payroll data imported via Xero (see Section 8)
- Working papers — BAS reconciliation worksheets, FBT calculations, franking account records, and other structured workpapers
- AML/CTF records — identity verification status, document details, and verification outcomes (where the optional AML module is enabled)
- Time entries — time tracked against client work, including duration, category, and staff member
4.3 Derived and analytical data
OneHQ generates derived data including:
- BAS estimates — seasonal and year-on-year GST estimates from historical lodgement data
- Risk engine results — compliance anomaly flags from our deterministic rule engine (e.g. unusual GST coding, wrong-side entries)
- Tax readiness indicators — traffic-light compliance signals for activity statements and income tax returns
- Tax planning calculations — projected tax liabilities, distribution modelling, and super contribution analysis
- Document analysis — extracted metadata from PDFs (document type, ABN, period, signature field locations)
Derived data is stored within the practice's data and is subject to the same access controls, retention and security measures. Raw Xero report data is not separately persisted (see Section 8.3), noting that some journal and payroll data may be cached where enabled.
Where derived data is aggregated and cannot reasonably identify an individual, it may be used in de-identified statistical form for platform improvement and analytics.
4.4 Technical data
We collect limited technical information necessary to operate and secure the platform:
- Browser type and version, device information
- IP address and user agent (recorded in our audit log for security)
- Authentication session tokens
We do not use advertising cookies, third-party behavioural tracking, or analytics services.
5. Tax File Number handling
TFNs are regulated under the Privacy (Tax File Number) Rule 2015 and receive the highest level of protection within OneHQ.
5.1 Collection
TFNs are collected only where reasonably necessary for authorised tax-related purposes, including supporting a practice's obligations in preparing and lodging returns and statements.
5.2 Use restriction
We use TFNs only for authorised purposes under the TFN Rule. We do not use TFNs for general identification, matching, marketing, analytics unrelated to tax compliance, or any other purpose.
5.3 Security controls
- Encryption — TFNs are encrypted at the application layer using AES-256-GCM before storage. They are never stored in plaintext.
- Access restriction — TFNs are never returned in standard data queries. A dedicated, rate-limited decryption endpoint requires explicit permission and is restricted to authorised staff with assigned entity access.
- Audit logging — all TFN access events are recorded in the audit log.
- PII scrubbing — TFN patterns are automatically detected and redacted from audit log detail fields, error logs, and any data sent to external services.
5.4 Destruction
Where a client entity is deleted, the associated TFN is destroyed as part of the deletion process. Where a practice account is terminated, encrypted TFNs are destroyed within the retention period in Section 13.3. Backup snapshots may persist until they expire under the backup lifecycle described in Section 13.4.
6. How we collect personal information
We collect personal information in accordance with APP 3 where reasonably necessary to provide our services, including through:
- Account creation and use of the platform
- Data entry and uploads by practice users
- Integrations enabled by the practice (e.g. Dropbox, Xero, ClickSend, Gmail/Outlook, identity verification providers)
We do not collect personal information by unlawful or unfair means.
6.1 Collection notice (APP 5)
We take reasonable steps to ensure individuals are notified of required matters under APP 5 — including the purposes of collection, the consequences of non-collection, and the entities to which information may be disclosed. This may occur through this policy, in-app notices, and/or terms and notices provided by the practice to its clients.
Where personal information is provided to us indirectly via a practice, we rely on the practice to have provided any required collection notice to the individual.
6.2 Unsolicited personal information (APP 4)
We may receive unsolicited information through inbound channels (e.g. ClickSend SMS webhooks, Dropbox Sign webhooks, email synchronisation). Where received, we assess whether it could have been collected under APP 3. If not, we destroy or de-identify it as soon as practicable where lawful and reasonable.
6.3 Government-related identifiers (APP 9)
We may store government-related identifiers (including TFNs and ABNs) on behalf of practices. We do not adopt these as our own identifiers — all internal records use system-generated UUIDs. We only use or disclose government identifiers where reasonably necessary for verification, compliance, or the purpose for which they were provided.
7. How we use personal information
We use personal information to:
- Provide and operate the OneHQ platform
- Authenticate users, enforce MFA and manage access controls
- Send SMS on behalf of practices (via ClickSend)
- Send emails on behalf of practices via their connected accounts (Google/Microsoft)
- Synchronise email metadata for communication tracking (where enabled)
- Facilitate document signing (via Dropbox Sign)
- Import, analyse and display accounting data (via Xero) for readiness and compliance workflows
- Generate derived compliance analytics and calculations
- Perform identity verification (where AML/CTF module is enabled)
- Record time entries for billing and workflow purposes
- Maintain audit logs for security and compliance
- Provide support and resolve incidents
We do not sell personal information and do not use personal information for advertising, profiling, or marketing to end clients. We do not disclose personal information to third parties except as described in this policy or where required or authorised by law.
We may disclose personal information where required or authorised by Australian law, including in response to court orders, subpoenas, or lawful requests from regulatory bodies such as the ATO or ASIC.
8. Xero integration & data handling
8.1 Data access
When you connect Xero, OneHQ accesses data in read-only mode. We do not create, modify or delete data in Xero. Depending on permissions granted, Xero data may include:
- Organisation details (legal name, ABN, tax number)
- Chart of accounts and tax rate configurations
- Bank transactions (for BAS readiness analysis and GST review)
- Manual journal entries (for comprehensive GST analysis)
- Financial reports — Profit & Loss, Balance Sheet, Trial Balance
- Payroll pay run summaries and payslip details (wages, tax, superannuation amounts)
- Contact names and ABNs (for matching Xero organisations to practice entities)
- Invoice summaries (for practice billing analysis)
- Bank statement data (for reconciliation status)
8.2 Purpose of access
We use Xero data for features such as: BAS/activity statement readiness checks, deterministic compliance risk flags, financial health and readiness indicators, tax planning worksheets, payroll reconciliation, practice billing workflows, and entity matching via ABN.
8.3 Storage approach
- OAuth tokens — encrypted with AES-256-GCM and stored for connection management. Encryption keys are managed with key rotation support. Tokens are never logged or exposed to the frontend.
- Cached data — where enabled, journal line items and payroll run summaries are cached to support compliance analysis and reduce repeated API calls. Cached data includes account names, contact names, amounts, and transaction descriptions. All cached data remains practice-scoped and subject to standard access controls and retention policies.
- Reports (P&L, Balance Sheet, Trial Balance, bank transactions) — fetched on-demand from Xero's API and returned directly to the authenticated user's browser. Report data is not persisted to our database.
- Tenant metadata (organisation name, ABN, tenant ID) — stored alongside encrypted OAuth tokens for connection management.
8.4 Disconnecting Xero
Practices may disconnect Xero at any time via Settings → Connections. When disconnected:
- All Xero API connections are revoked at Xero's end
- Encrypted OAuth tokens are immediately deleted from our database
- Cached journal and payroll data is purged
- All entity-to-Xero-organisation mappings are removed
8.5 Sharing
Xero data is not shared with third parties and is not used for marketing or advertising. For our position on AI, see Section 9. Access is restricted to authenticated users within the practice, enforced through Row Level Security at the database level.
9. Artificial intelligence & automated processing
OneHQ does not use artificial intelligence, machine learning, or large language models to process client data. We do not send client data to any AI service provider, and we do not use client data to train, fine-tune, or improve any AI or machine learning models.
All compliance analysis — including the risk engine, BAS estimator, and tax planning calculator — is performed by deterministic, rule-based systems that run entirely within our own infrastructure.
10. Third-party services and subprocessors
10.1 Service providers
We use third-party service providers to deliver features that practices enable. These providers operate under their own policies and terms:
- Supabase — cloud database and authentication (hosted on AWS in the Sydney, Australia region)
- Dropbox — file storage and management
- Dropbox Sign (HelloSign) — electronic document signing
- Xero — accounting data (see Section 8)
- ClickSend — SMS sending and receiving (Australian company, servers in Australia)
- Google — email sending and inbox synchronisation via Gmail API (where connected by the practice)
- Microsoft — email sending via Microsoft Graph API (where connected by the practice)
- FrankieOne — identity verification for AML/CTF compliance (optional, only where enabled by the practice)
10.2 Data shared with each service
We share information with providers only to the extent necessary to deliver enabled features:
- Dropbox — document files uploaded by the practice to their own Dropbox account. We read and write files on the practice's behalf; no entity PII is shared with Dropbox beyond what is embedded in documents.
- Dropbox Sign — document files (PDF), signer name, signer email address, and a cover message. Documents may contain client PII embedded in the PDF content.
- ClickSend — SMS message body and recipient phone number. Phone numbers are decrypted in-memory immediately before the API call and are not logged.
- Google / Microsoft — email content (HTML with resolved merge fields including client and practice names), sender and recipient addresses. For Gmail sync, email metadata (subject, snippet, from/to addresses) is stored; raw email bodies are not stored.
- Xero — only OAuth credentials are sent. ABNs are compared against Xero organisation data for entity matching. Financial data flows from Xero to OneHQ, not the reverse.
- FrankieOne — full name, date of birth, email, phone, and residential address for identity verification purposes. This data is only transmitted when a practice user explicitly initiates a verification check.
10.3 Subprocessor management
We maintain a vendor register and review subprocessors periodically. We apply controls including encryption of tokens and sensitive fields, least-privilege access, and practice-scoped isolation.
We may update our subprocessors from time to time. We will keep this policy up to date with current subprocessors. Where a change materially increases privacy risk, we will take reasonable steps to notify practices via the platform or email.
11. Cross-border disclosure
In accordance with APP 8, we disclose the following regarding overseas handling of personal information.
11.1 Primary data storage
All primary business data is stored in Supabase (PostgreSQL) hosted on AWS infrastructure in the Sydney, Australia (ap-southeast-2) region. Your data at rest remains in Australia.
11.2 Third-party services with overseas components
Some integrated third-party services may process data outside Australia:
- Dropbox / Dropbox Sign — headquartered in the United States. Documents and signing requests may be processed via US-based infrastructure.
- Google (Gmail API) — headquartered in the United States. Emails sent and synced via Gmail may be processed via global Google infrastructure.
- Microsoft (Graph API) — headquartered in the United States. Emails sent via Outlook may be processed via global Microsoft infrastructure.
- Xero — headquartered in New Zealand with global infrastructure. OAuth API calls may transit via international servers.
- ClickSend — Australian company with Australian servers. SMS data is processed within Australia.
- FrankieOne — Australian company; identity verification data may be checked against international watchlists and databases.
We may engage additional service providers from time to time. Any material overseas disclosures will be reflected in this policy.
Even where a service provider's primary infrastructure is in Australia, data may transit internationally in the ordinary course of internet routing.
11.3 Our obligations
Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient does not breach the APPs in relation to the information (APP 8.1). We achieve this through:
- Selecting service providers with published privacy and security commitments
- Protecting data in transit with TLS, and holding OAuth tokens and sensitive fields encrypted (AES-256-GCM) at rest so they are never stored in plaintext. Information a provider must act on (for example a signer's name and email address sent to Dropbox Sign) is necessarily readable by that provider once received.
- Minimising personal information shared with each service to only what is necessary
- Contractual obligations where available
12. Data storage and security
We use a layered security model including:
12.1 Encryption
- Application-layer encryption (AES-256-GCM) — TFNs, ABNs, ACNs, dates of birth, email addresses, phone numbers, physical addresses, director/shareholder/beneficiary details, and all OAuth tokens are encrypted at the application layer before storage, so these values are never written to the database in plaintext. Each ciphertext carries the identifier of the key that encrypted it, which lets us rotate keys and re-encrypt records under the new key while records still encrypted under an earlier key remain readable, and lets key usage be traced in audits.
- Transparent data encryption (TDE) — all data at rest is additionally protected by Supabase's storage-layer encryption.
- Transport encryption — all data in transit is encrypted via HTTPS with TLS 1.2 or later. HTTP Strict Transport Security (HSTS) is enforced so browsers refuse plain-HTTP connections, reducing the risk of protocol downgrade or interception attacks.
12.2 Access control
- Role-based access controls and practice-scoped data isolation
- Row Level Security (RLS) ensuring each practice can only access its own data
- Mandatory multi-factor authentication (TOTP) for all users
- Separation of privilege between client-facing and backend system components
- Account lockout controls on failed authentication attempts
- Active session tracking with forced session revocation capability
12.3 Audit and monitoring
- Append-only audit logging covering data mutations, authentication events and security-relevant actions; audit entries cannot be edited or deleted through the application, and database-level controls restrict modification of the log table
- PII scrubbing — TFNs, bank numbers, and other sensitive patterns are automatically redacted from audit log entries
- Rate limiting on all API endpoints
- Industry-standard HTTP security headers and session protections
We maintain internal records of our processing activities and security controls to support compliance with the APPs and applicable regulatory requirements.
No method of transmission or storage is completely secure; however, we take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure.
13. Data retention
13.1 Active accounts
We retain personal information for as long as an account is active and for as long as required to provide the platform and meet legal obligations. Practices may configure retention for certain categories (default values shown):
- Audit logs — 84 months (7 years), aligned with ATO record-keeping requirements
- Communications history — 84 months (7 years)
- SMS messages — 84 months (7 years)
- Notifications — 6 months
- Job activity history — 84 months (7 years)
Retention periods are configurable by practice administrators within compliance-aligned limits. Retention cleanup supports dry-run previews before execution.
We may de-identify personal information where it is no longer required for an identifiable purpose. Once de-identified, such data is no longer treated as personal information under this policy.
13.2 Individual account closure
If you close your user account (or request deletion via privacy@onehq.com.au), we delete your personal information within 30 days. Specifically:
- Deleted — your user profile, authentication credentials (password hash, MFA enrolment), active sessions, push notification tokens, and personal notifications.
- Deactivated — your staff record is deactivated and anonymised (name replaced, email removed), but the record is retained as a reference for audit log entries.
- Retained — audit log entries that reference your actions are retained for a minimum of 7 years for regulatory compliance. These entries become pseudonymised once your user record is deleted.
13.3 Practice subscription cancellation
If a practice subscription is cancelled, we retain practice data for up to 90 days to allow reactivation. During this period, practice administrators retain read-only access to view data and request exports. After the 90-day window:
- Permanently deleted — all client data (entities, contacts, encrypted fields including TFNs and ABNs), jobs, communications, SMS messages, billing records, working papers, documents, Xero cached data, signing records, time entries, templates, campaign data, and OAuth tokens.
- Anonymised and retained — audit log entries (retained for 7 years from creation for ATO record-keeping compliance). The practice record is anonymised (all configuration, credentials, and identifying information removed) but retained as a foreign key anchor for the audit log.
- Retained where required by law — where the AML/CTF module is enabled, identity verification records required by law to be retained are stored on behalf of the practice for the statutory retention period (7 years after the business relationship ends, per the Anti-Money Laundering and Counter-Terrorism Financing Act 2006). Records are anonymised where possible while maintaining compliance.
13.4 Backups and logs
- Database backups — managed by Supabase with point-in-time recovery. Backups are retained according to Supabase's standard lifecycle (up to 7 days). Backup data is encrypted at rest.
- Application logs — retained for up to 30 days and designed to avoid containing sensitive personal information through scrubbing and redaction controls.
- OAuth tokens — when a third-party integration is disconnected, encrypted tokens are immediately deleted from primary storage. Tokens in backups expire naturally as backup snapshots age out.
14. Email campaign tracking
Where practices use OneHQ to send bulk email campaigns, OneHQ may provide campaign analytics that can include:
- Open tracking — a 1×1 transparent image embedded in campaign emails. When loaded, this records the time of open, recipient IP address and user agent.
- Click tracking — links in campaign emails are routed through our tracking service, which records the time of click, link destination, IP address and user agent before redirecting to the original URL.
Tracking data is stored in our database, scoped to the sending practice, and subject to standard retention policies and access controls. Tracking is used solely to provide campaign analytics to the sending practice and is not used by OneHQ for advertising or marketing.
Practices are responsible for ensuring compliance with the Spam Act 2003 (Cth) when using campaign features, including obtaining consent and providing functional unsubscribe mechanisms.
15. Cookies and local storage
OneHQ uses only essential cookies and local storage for authentication sessions and user preferences. We do not use advertising cookies, tracking cookies, or third-party analytics services (no Google Analytics, Mixpanel, or similar).
16. Marketing communications
We may send:
- Service communications — security notices, operational emails and account notices. These are necessary and cannot be unsubscribed from.
- Product updates — occasional updates about OneHQ features. Every product update includes an unsubscribe mechanism. You can opt out at any time via the unsubscribe link or by contacting team@onehq.com.au. We will action opt-out requests within 5 business days in accordance with APP 7 and the Spam Act 2003.
We do not market to end clients of practices. Campaign tools are operated by practices — we provide the tools; the practice controls content and recipient lists.
17. Access, correction and deletion
Under APP 12 and APP 13, individuals may request access to, and correction of, personal information we hold. Individuals may also request deletion of their account data (see Section 17.3); independently of any request, we destroy or de-identify personal information we no longer need for a permitted purpose (APP 11.2).
17.1 Requesting access
- Submit a request to privacy@onehq.com.au specifying the information you wish to access.
- We will verify your identity before actioning any request. For practice users, this may include confirming your registered email address and multi-factor authentication. For end-clients, we may request your name, date of birth, and one additional identifier.
- We aim to respond within 30 calendar days.
- We do not charge for standard requests, but may charge a reasonable fee for manifestly excessive or repetitive requests and will advise any fee in advance.
Practice administrators can access, correct and delete client data directly within OneHQ, subject to their permissions. Tax File Numbers are never included in bulk data exports — TFN access is restricted to individual, audited lookups within the platform (see Section 5).
17.2 Requesting correction
- If you believe personal information we hold about you is inaccurate, incomplete, out of date, or misleading, contact privacy@onehq.com.au.
- We will respond within 30 calendar days.
- If we refuse a correction request, we will provide written reasons and advise you of available complaint mechanisms.
Note: for end-client data managed by a practice, we may refer your request to the practice in the first instance, as the practice is the data controller for that information.
17.3 Requesting deletion
You may request deletion of your account and associated personal information by contacting privacy@onehq.com.au. Deletion requests are subject to identity verification and a confirmation step to prevent accidental data loss.
We will action verified deletion requests within 30 days. For details on what is deleted, what is anonymised, and what is retained for legal compliance, see Section 13.2 (individual accounts) and Section 13.3 (practice subscriptions).
Deletion does not extend to: (a) anonymised audit log entries required for regulatory compliance; (b) AML/CTF records within their mandatory retention period; or (c) data already included in time-limited backup snapshots, which expire naturally (see Section 13.4).
18. Complaints
If you believe we have breached the APPs or mishandled personal information, you may lodge a complaint:
- Email: privacy@onehq.com.au
- Post: Privacy Officer, OneHQ App Pty Ltd, 98 Wills St, Bendigo VIC 3550, Australia
We will acknowledge complaints within 5 business days and aim to provide a substantive response within 30 calendar days. If we need more time, we will inform you of the reason and expected timeframe.
If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au/privacy/privacy-complaints
- Phone: 1300 363 992
- Post: GPO Box 5288, Sydney NSW 2001
19. Data breach notification
If we confirm a data breach involving personal information, we will:
- Notify affected practices as soon as practicable and provide information reasonably required to help them meet their own notification obligations
- Where the breach is an eligible data breach under the Privacy Act 1988, comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC, including notifying the OAIC and affected individuals as required
- Where a breach involves data from a third-party integration, notify the relevant provider as required by their applicable standards or contractual obligations
- Take immediate steps to contain the breach and mitigate any resulting harm
20. Changes to this policy
We may update this policy from time to time. We will notify users of material changes via email and/or within the platform at least 30 days before the changes take effect. Non-material changes (typographical corrections, formatting) may be made without notice. The version number and effective date at the top indicate the latest revision. Previous versions are available on request.
21. Contact
Privacy, access requests and complaints: privacy@onehq.com.au
General enquiries: team@onehq.com.au
Security & incident reporting: security@onehq.com.au
OneHQ App Pty Ltd
ABN 89 695 243 059
98 Wills St, Bendigo VIC 3550, Australia