Terms of Service.

1. Agreement

These Terms of Service ("Terms") are a binding legal agreement between you and OneHQ App Pty Ltd (ABN 89 695 243 059) ("OneHQ", "we", "us", "our") governing your access to and use of the OneHQ platform ("Service").

By creating an account, accepting an invitation to join a practice, or otherwise using the Service, you agree to be bound by these Terms. If you do not agree, you must not use the Service.

If you are using the Service on behalf of an accounting practice or other organisation ("Practice"), you represent and warrant that you have the authority to bind that organisation to these Terms. In that case, "you" refers to both you individually and the Practice.

2. Definitions

In these Terms:

• "Your Data" means all data, content, and information that you or your Authorised Users upload, create, store, or transmit through the Service, including client records, documents, communications, financial data, and any other practice data.
• "Practice" means the accounting firm or organisation that has subscribed to the Service.
• "Authorised Users" means individuals who have been granted access to the Service by a Practice administrator.
• "Subscription Period" means the period during which you have a current, paid subscription to the Service (or are using the Service under a free trial or demo).
• "Intellectual Property Rights" means all patents, copyrights, trade marks, trade secrets, database rights, design rights, and all other intellectual property rights, whether registered or unregistered.
• "Subprocessor" means a third-party service provider that processes personal information on our behalf in order to deliver the Service (listed in Section 6.1 and in our Privacy Policy).

3. The Service

3.1 Description

OneHQ is a cloud-based practice management platform designed for Australian accounting firms. The Service provides tools for client and entity management, job and compliance tracking, BAS and tax return readiness analysis, tax planning, billing, document management, electronic signing, email and SMS communications, time tracking, AML/CTF compliance, and reporting.

3.2 Service modifications

We may modify, update, or enhance the Service from time to time. We will provide at least 14 days' notice of material changes that reduce core functionality. Bug fixes, security patches, and feature additions may be deployed without notice.

3.3 Service availability

We will use commercially reasonable efforts to maintain the availability of the Service. However, the Service may be temporarily unavailable due to scheduled maintenance (with reasonable notice), emergency security patches, or circumstances beyond our reasonable control. We do not guarantee uninterrupted or error-free access to the Service.

3.4 Australian context

The Service is designed for use by Australian accounting practices and incorporates Australian tax, compliance, and regulatory frameworks (including ATO, ASIC, BAS, STP, SMSF, FBT, and payroll tax). The Service is not designed or warranted for use outside Australia.

3.5 Nature of the Service — not tax, accounting, or legal advice

OneHQ is a software platform, not a tax agent, accountant, auditor, financial adviser, or legal practitioner. We do not provide tax advice, accounting services, financial advice, auditing services, or legal advice. We are not registered as a tax agent or BAS agent under the Tax Agent Services Act 2009 (Cth). We do not prepare or lodge tax returns, activity statements, or any other documents with the ATO or any other government body. The Service is not a Standard Business Reporting (SBR) enabled product and does not communicate directly with the ATO.

The Service provides software tools that assist registered tax practitioners in performing their own professional work. All analytical outputs, compliance indicators, risk flags, BAS readiness assessments, tax planning calculations, and other features within the Service are decision-support tools only. They are provided for informational purposes to support — not replace — the professional judgement of qualified practitioners.

You acknowledge that:

• You (the Practice) are solely responsible for all tax compliance decisions, ATO lodgements, client advice, and regulatory obligations
• All outputs from the Service must be independently reviewed and verified by a qualified practitioner before being relied upon or communicated to clients
• The Service does not create any professional relationship between OneHQ and your clients
• We bear no responsibility for the accuracy of compliance advice, lodgement decisions, or tax planning strategies derived from or informed by the Service

3.6 Risk engine and analytical tools

The Service includes a compliance risk engine, BAS estimator, tax readiness indicators, tax planning calculator, and other analytical features. These tools use deterministic, rule-based algorithms — not artificial intelligence or machine learning. You acknowledge that:

• These tools are not infallible and may not identify all compliance risks or anomalies
• The risk engine parameters (materiality thresholds, sensitivity presets, rule configuration) are configurable by you. You are responsible for selecting appropriate settings for each client's circumstances
• Risk flags, traffic-light indicators, and anomaly alerts are guidance only — a "green" indicator does not guarantee compliance, and a "red" indicator does not necessarily indicate a breach
• BAS estimates are calculated from historical data and seasonal patterns — they are projections, not binding figures, and must be verified against actual Xero data
• Tax planning calculations use standard tax tables and rates but may not account for every individual circumstance, private ruling, or legislative change effective after the last rate update
• We may update tax tables, rates, and rule logic from time to time. You remain responsible for verifying outputs against current legislation and the client's circumstances before relying on them

4. Accounts and access

4.1 Registration

You must provide accurate and complete information when creating an account. Each individual must have their own account — sharing login credentials is prohibited.

4.2 Practice administration

The user who creates a Practice is the initial administrator. Administrators can invite Authorised Users, assign roles (Admin, Partner, Accountant, Senior, Staff, Bookkeeper), configure permissions, and manage Practice settings. Administrators are responsible for managing access and ensuring that Authorised Users comply with these Terms.

4.3 Account security

You are responsible for:

• Maintaining the confidentiality of your account credentials
• Enrolling in mandatory multi-factor authentication (MFA) within the required timeframe
• All activities that occur under your account, whether or not authorised by you
• Notifying us immediately at security@onehq.com.au if you suspect unauthorised access to your account

We may apply security controls such as authentication challenges, temporary lockouts, or session resets where we reasonably suspect suspicious activity.

4.4 Staff roles and permissions

Access within the Service is controlled by role-based permissions configured by Practice administrators. We are not responsible for the permissions you assign. You should configure access according to the principle of least privilege and review permissions regularly.

5. Your data

5.1 Ownership

You retain all ownership and Intellectual Property Rights in Your Data. We do not claim any ownership of Your Data. Nothing in these Terms transfers any ownership rights in Your Data to us.

5.2 Licence to us

You grant us a limited, non-exclusive, non-transferable licence to store, process, transmit, and display Your Data solely for the purpose of providing the Service to you and your Authorised Users. This licence is limited to what is reasonably necessary to operate the Service and terminates when you delete Your Data or close your account (subject to the retention periods in Section 12).

5.3 Data handling

We handle Your Data in accordance with our Privacy Policy, which forms part of these Terms. Your Data is isolated at the database level using Row Level Security — no other Practice can access your data.

5.4 Data accuracy

You are responsible for the accuracy, completeness, and legality of Your Data. The Service provides tools and analytics to assist your compliance work, but it is not a substitute for professional judgement. You remain solely responsible for all compliance decisions, lodgement obligations, and advice given to your clients.

5.5 Sensitive data

The Service is designed to handle sensitive financial and tax data, including Tax File Numbers (TFNs), ABNs, and client personal information. By entering such data, you confirm that you have the lawful authority to collect and process it, and that your collection complies with the Privacy Act 1988, the Privacy (Tax File Number) Rule 2015, and any other applicable law.

5.6 Export and portability

You may export Your Data at any time through the features available in the Service. Upon request, we will provide reasonable assistance for data portability, including making Your Data available in a structured, commonly used, and machine-readable format.

5.7 Data processing

For client data stored in the Service, you remain responsible for meeting your obligations as the collecting entity under the Privacy Act 1988. We act as your contracted service provider, processing personal information on your behalf to provide the Service. In particular:

• We process Your Data only to provide, secure, and support the Service. We do not sell Your Data or use it for advertising.
• We maintain reasonable technical and organisational safeguards appropriate to the nature of the data processed (see Section 11).
• We use third-party Subprocessors to deliver features of the Service. Our current Subprocessors are listed in Section 6.1 and in our Privacy Policy, which we keep up to date.
• If we become aware of a confirmed eligible data breach involving Your Data, we will notify you as soon as practicable and comply with our obligations under the Notifiable Data Breaches scheme (see Section 11.2).
• On termination, we make Your Data available for export for 90 days, then delete it from active systems in accordance with Section 12.5.

6. Third-party integrations

6.1 Available integrations

The Service connects to third-party services that act as Subprocessors where they process Your Data:

• Supabase — cloud database and authentication (hosted on AWS in Sydney, Australia)
• Dropbox — file storage and management
• Dropbox Sign (HelloSign) — electronic document signing
• Xero — accounting data (read-only access)
• ClickSend — SMS sending and receiving (Australian company, Australian servers)
• Google — email sending and inbox synchronisation via Gmail API (where connected by the Practice)
• Microsoft — email sending via Microsoft Graph API (where connected by the Practice)
• FrankieOne — identity verification for AML/CTF compliance (optional, only where enabled by the Practice)

6.2 Your authorisation

By enabling an integration, you:

• Authorise OneHQ to access and exchange data with that service on your behalf, within the scope of the permissions you grant
• Agree to comply with the respective third party's terms of service and acceptable use policies
• Acknowledge that the availability, performance, and data handling of third-party services are outside our control
• Accept responsibility for ensuring your use of integrated services complies with applicable law (including any client consents required for data sharing)

6.3 Token management

OAuth tokens for all integrations are encrypted at rest (AES-256-GCM) and scoped to your Practice. You can revoke any integration at any time through Settings → Connections. Revocation immediately deletes stored tokens and, where applicable, removes cached data from that integration.

6.4 Third-party terms

We are not a party to your agreement with any third-party service. If a third-party service changes its terms, pricing, or availability in a way that affects the Service, we will use reasonable efforts to notify you and adapt, but we are not liable for any resulting disruption.

6.5 Subprocessor changes

We may update our Subprocessors from time to time. We will keep our Privacy Policy up to date with current Subprocessors. Where a change materially increases privacy risk, we will take reasonable steps to notify Practices via the Service or email.

7. Acceptable use

You agree not to:

• Use the Service for any unlawful purpose or in violation of any applicable Australian or international law
• Attempt to gain unauthorised access to the Service, other users' accounts, or other Practices' data
• Reverse engineer, decompile, disassemble, or attempt to extract the source code of the Service
• Interfere with or disrupt the integrity, security, or performance of the Service or its infrastructure
• Use the Service to store or transmit malicious code, viruses, or any material that infringes third-party rights
• Use automated scripts, bots, or scrapers to access the Service except through our published APIs
• Resell, sublicence, or redistribute access to the Service without our prior written consent
• Upload or process data that you are not lawfully authorised to hold (including TFNs collected without authorisation under the TFN Rule)
• Circumvent or attempt to circumvent any security measures, access controls, rate limits, or usage restrictions
• Use the bulk SMS or email campaign features to send unsolicited commercial messages in violation of the Spam Act 2003

7.1 Campaign tool responsibilities

Where you use the Service's bulk email or SMS campaign features, you are responsible for:

• Maintaining your own records of recipient consent as required by the Spam Act 2003
• Ensuring each campaign includes accurate sender identification and a functional unsubscribe mechanism (the Service provides these by default, but you must not disable or circumvent them)
• Ensuring campaign content does not breach any applicable law, including defamation, misleading or deceptive conduct, or privacy law

We reserve the right to suspend or terminate your account immediately if we reasonably believe you are in material breach of these terms, with or without notice depending on the severity of the breach.

8. Fees and payment

8.1 Pricing

Pricing for the Service is as published on our website or as agreed in a separate order form or subscription agreement. All fees are in Australian dollars (AUD).

8.2 GST

All fees are exclusive of GST unless stated otherwise. GST will be added where applicable in accordance with the A New Tax System (Goods and Services Tax) Act 1999. We will issue tax invoices that comply with GST law.

8.3 Payment terms

Fees are payable in advance for each billing period. If payment fails or is overdue by more than 14 days, we may restrict access to the Service until payment is received. We will provide at least 7 days' notice before restricting access for non-payment.

8.4 Price changes

We will provide at least 30 days' notice of any price changes. Price changes take effect at the start of your next billing period after the notice period. If you do not agree to a price change, you may cancel your subscription before the change takes effect.

8.5 Refunds

Fees are generally non-refundable except where required by Australian Consumer Law. If you cancel mid-period, you retain access to the Service until the end of your current billing period.

8.6 Free trials and demo accounts

We may offer free trials or demo accounts. Free trials are subject to these Terms. We may modify or discontinue free trial offerings at any time. Demo accounts may have restricted functionality (including read-only access and blocked external API calls).

9. Intellectual property

9.1 Our IP

The Service, including its design, code, features, documentation, branding, and all related Intellectual Property Rights, is owned by OneHQ App Pty Ltd. Nothing in these Terms grants you any rights in our Intellectual Property except the limited licence to use the Service during your Subscription Period.

9.2 Your IP

We do not acquire any Intellectual Property Rights in Your Data or in any materials you provide to us, except for the limited processing licence described in Section 5.2.

9.3 Feedback

If you provide us with feedback, suggestions, or feature requests, you grant us a perpetual, irrevocable, non-exclusive, royalty-free licence to use that feedback for any purpose, including improving the Service. This does not apply to Your Data.

10. Confidentiality

10.1 Our obligations

We treat all data you store in OneHQ as confidential ("Confidential Information"). We will not access, use, or disclose Your Data except:

• As necessary to provide the Service (including processing by our Subprocessors listed in Section 6.1 and our Privacy Policy)
• To comply with applicable law, regulation, or a valid legal process (such as a court order or lawfully issued subpoena)
• To investigate or prevent fraud, security incidents, or violations of these Terms
• With your prior written consent

10.2 Accounting practice data

We acknowledge the highly sensitive nature of accounting practice data, which may include client TFNs, ABNs, financial records, and personal information. We maintain strict access controls, and our staff may only access Your Data where there is a legitimate operational reason (such as resolving a support request you have raised). All such access is logged in our audit trail.

10.3 Legal process

If we receive a legally binding request for Your Data from a law enforcement agency or court, we will, unless prohibited by law from doing so:

• Notify you promptly so that you may seek a protective order or other remedy
• Limit our disclosure to only the data specifically required by the request
• Use reasonable efforts to challenge overly broad requests

10.4 Your obligations

You agree to maintain the confidentiality of any non-public information about the Service (such as security mechanisms, API architecture, or pricing terms) disclosed to you in the course of using the Service.

11. Security

11.1 Our security measures

We implement and maintain reasonable security measures appropriate to the sensitivity of the data processed, including:

• Encryption of sensitive fields at rest and all data in transit
• Mandatory multi-factor authentication for all user accounts
• Practice-scoped data isolation at the database level
• Append-only audit logging with restricted access and monitoring
• Access controls, rate limiting, and session management

Our full security posture is described in our Privacy Policy.

11.2 Data breach notification

If we confirm a data breach involving Your Data, we will:

• Notify affected Practices as soon as practicable and provide information reasonably required to help you meet your own notification obligations
• Where the breach is an eligible data breach under the Privacy Act 1988, comply with the Notifiable Data Breaches (NDB) scheme, including notifying the OAIC and affected individuals as required
• Take immediate steps to contain the breach and mitigate any resulting harm

11.3 Your security responsibilities

You are responsible for:

• Ensuring all Authorised Users complete MFA enrolment within the required timeframe
• Configuring appropriate role-based permissions for your staff according to the principle of least privilege
• Managing integration connections and revoking access when staff depart or access is no longer needed
• Reviewing user access and permissions regularly (we recommend quarterly)
• Promptly reporting any suspected security incidents to security@onehq.com.au

12. Suspension, termination, and data retention

12.1 Suspension

We may suspend your access to the Service (temporarily restrict access while preserving Your Data) if:

• You fail to pay applicable fees after 14 days' overdue and 7 days' written notice
• We reasonably believe your account has been compromised or poses a security risk
• We need to perform emergency maintenance or respond to a security incident
• We are required to do so by law, regulation, or a valid legal process

During suspension, Your Data is preserved and access controls remain in place. We will notify you of the reason for suspension and the steps required to restore access. Suspension does not trigger the data retention countdown described in Section 12.5. We will lift the suspension promptly once the underlying cause is resolved.

12.2 Termination by you

You may close your account at any time by contacting us at team@onehq.com.au. If you cancel mid-billing period, you retain access until the end of your current billing period.

12.3 Termination by us

We may terminate your account if:

• You materially breach these Terms and fail to remedy the breach within 14 days of written notice specifying the breach
• You fail to pay applicable fees after suspension and a further 30-day cure period
• We are required to do so by law or regulation
• Your account has been suspended for more than 60 consecutive days without resolution

12.4 Service discontinuation

We may discontinue the Service entirely with at least 90 days' written notice. If we discontinue the Service:

• We will make data export tools available for the full 90-day notice period
• We will provide reasonable assistance for data migration upon request
• We will refund any prepaid fees for the period after the discontinuation date

12.5 Effect of termination

Upon termination (but not suspension):

• Your right to access the Service ceases immediately (or at the end of the current billing period for voluntary cancellation)
• We will retain Your Data for 90 days to allow for data export or reactivation. During this period, Practice administrators retain read-only access to view data and request exports
• After 90 days, Your Data is permanently deleted including all client data, encrypted fields, cached integration data, and associated OAuth tokens
• Audit log entries are anonymised and retained for 7 years from creation for ATO record-keeping compliance
• AML/CTF identity verification records (where applicable) are retained in anonymised form for 7 years as required by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006
• Individual user account data is deleted within 30 days of account closure (see our Privacy Policy Section 13.2 for details)

12.6 Survival

The following sections survive termination: 2 (Definitions), 3.5 (Nature of the Service), 5 (Your Data — ownership and processing provisions), 8 (Fees — for any outstanding amounts), 9 (Intellectual Property), 10 (Confidentiality), 13 (Limitation of Liability), 14 (Indemnification), 17 (Governing Law), and 18 (Dispute Resolution).

13. Limitation of liability

13.1 Exclusion of certain damages

To the maximum extent permitted by law, including the Australian Consumer Law (Schedule 2 of the Competition and Consumer Act 2010):

• We are not liable for any indirect, incidental, special, consequential, or punitive damages arising from or related to your use of the Service
• We are not liable for loss of revenue, loss of profits, loss of business, loss of data (except as caused by our breach of these Terms), or business interruption
• We are not liable for the acts or omissions of third-party service providers (Dropbox, Xero, ClickSend, Google, Microsoft, or others)

13.2 Liability cap

Subject to Section 13.3, the total aggregate liability of each party for all claims arising from or related to these Terms or the Service is limited to the total fees paid by you to us in the 12 months immediately preceding the event giving rise to the claim.

13.3 Consumer guarantees

Nothing in these Terms excludes, restricts, or modifies any consumer guarantee, right, or remedy conferred by the Australian Consumer Law or any other law that cannot be excluded, restricted, or modified by agreement. If our liability cannot be excluded but can be limited, our liability is limited to (at our option): re-supply of the Service or payment of the cost of re-supply.

13.4 Compliance tool disclaimer

The Service provides compliance monitoring, risk analysis, BAS readiness assessments, tax planning tools, and other analytical features to assist your professional work. Without limiting the generality of Section 3.5:

• These features are decision-support tools only and are not a substitute for professional judgement, independent verification, or advice from a qualified professional
• We do not warrant that the Service will identify all compliance risks or that any analysis is error-free
• The risk engine uses configurable rules and thresholds that you set — the outputs are only as reliable as the parameters you configure and the data quality in your Xero and practice records
• BAS estimates, tax planning projections, and readiness assessments are based on historical data and standard tax tables that may not reflect your client's specific circumstances
• A "green" or "clear" status indicator does not guarantee compliance and must not be treated as confirmation that a lodgement is correct
• You remain solely responsible for all lodgements, compliance decisions, and advice to your clients

14. Indemnification

14.1 Your indemnity to us

You agree to indemnify, defend, and hold harmless OneHQ, its directors, officers, employees, and agents from and against any claims, liabilities, losses, damages, costs, and expenses (including reasonable legal fees) arising from:

• Your breach of these Terms
• Your violation of any applicable law or regulation
• Your infringement of any third party's rights (including privacy rights)
• Your Data or the use of Your Data within the Service
• Any claim by a third party (including your clients) arising from advice, lodgements, or decisions you made using or based on the Service

This indemnity does not apply to the extent that a claim arises from our negligence, wilful misconduct, or breach of these Terms. Your indemnity obligation is subject to the liability cap in Section 13.2.

14.2 Our indemnity to you

We will indemnify, defend, and hold harmless you and your Practice from and against any third-party claim that the Service infringes Australian intellectual property rights, subject to the liability cap in Section 13.2, provided that you:

• Promptly notify us in writing of the claim
• Give us sole control of the defence and any settlement
• Provide reasonable cooperation at our expense

This indemnity does not apply to the extent that a claim arises from your modification of the Service, your combination of the Service with other products, or your use of the Service in breach of these Terms.

15. Warranties and disclaimers

15.1 Our warranties

We warrant that:

• The Service will perform substantially in accordance with its documentation during your Subscription Period
• We will provide the Service with reasonable skill and care
• We will comply with all applicable laws in providing the Service, including the Privacy Act 1988

15.2 Disclaimers

Except for the express warranties in Section 15.1 and any consumer guarantees that cannot be excluded by law:

• The Service is provided "as is" and "as available"
• We disclaim all implied warranties, including warranties of merchantability, fitness for a particular purpose, and non-infringement
• We do not warrant that the Service will be uninterrupted, error-free, or free of vulnerabilities
• We do not warrant the accuracy, completeness, or timeliness of any data imported from third-party services (including Xero financial data)

16. Changes to these Terms

We may update these Terms from time to time. We will notify you of material changes by email or through the Service at least 30 days before they take effect.

Continued use of the Service after changes take effect constitutes acceptance of the updated Terms. If you do not agree to the updated Terms, you may terminate your account before the changes take effect, and we will refund any prepaid fees for the unused portion of your Subscription Period.

Non-material changes (typographical corrections, clarifications that do not affect your rights) may be made without notice. The effective date and version number at the top of this page indicate the most recent revision. Previous versions are available on request.

17. Governing law

These Terms are governed by the laws of Victoria, Australia. Each party irrevocably submits to the exclusive jurisdiction of the courts of Victoria and the courts of appeal from them for the resolution of any dispute arising under or in connection with these Terms.

18. Dispute resolution

Before commencing any court proceedings (other than urgent injunctive relief), the parties agree to attempt to resolve any dispute in good faith through the following process:

• Step 1 — Notice: The party raising the dispute must give written notice to the other party, setting out the nature of the dispute and the relief sought.
• Step 2 — Negotiation: The parties will negotiate in good faith for a period of 21 days from the date of the notice.
• Step 3 — Mediation: If the dispute is not resolved within 21 days, either party may refer the dispute to mediation administered by the Resolution Institute (or a successor body) in Melbourne, Victoria. The costs of mediation will be shared equally.
• Step 4 — Litigation: If mediation does not resolve the dispute within 30 days of referral, either party may commence court proceedings in accordance with Section 17.

19. General provisions

19.1 Entire agreement

These Terms, together with our Privacy Policy and any order form or subscription agreement, constitute the entire agreement between you and OneHQ regarding the Service and supersede all prior agreements, representations, and understandings.

19.2 Severability

If any provision of these Terms is found to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions continue in full force and effect. The invalid provision will be modified to the minimum extent necessary to make it valid and enforceable.

19.3 Waiver

A failure or delay by either party to exercise any right or remedy under these Terms does not constitute a waiver of that right or remedy.

19.4 Assignment

You may not assign or transfer these Terms or your rights under them without our prior written consent. We may assign these Terms in connection with a merger, acquisition, reorganisation, or sale of all or substantially all of our assets, provided the assignee agrees to be bound by these Terms.

19.5 Force majeure

Neither party is liable for any delay or failure to perform its obligations (other than payment obligations) where the delay or failure results from circumstances beyond its reasonable control, including natural disasters, pandemic, war, terrorism, government action, power failure, internet disruption, or failure of third-party services.

19.6 Notices

Notices under these Terms must be in writing and sent to the email addresses on file. Notices to us should be sent to legal@onehq.com.au. Notices to you will be sent to the email address associated with your account or your Practice administrator's account.

20. Contact

For questions about these Terms, contact us at:

General enquiries: team@onehq.com.au

Legal notices: legal@onehq.com.au

Security: security@onehq.com.au

OneHQ App Pty Ltd
ABN 89 695 243 059
98 Wills St, Bendigo VIC 3550, Australia