Privacy Policy
How we collect, use, and protect your information.
1. Introduction
WriteOff ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services.
We comply with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) and applicable state and territory privacy legislation.
2. Information We Collect
2.1 Information You Provide
| Data Type | Examples | Purpose |
|---|---|---|
| Account Information | Email address, password (hashed), name | Create and manage your account |
| Profile Information | Industry/occupation, ABN (optional) | Customise deduction categories |
| Transaction Data | Bank transactions (via CSV upload or bank connection) | Identify potential tax deductions |
| Payment Information | Processed by Stripe — we don't store card details | Process payments |
| Communications | Support emails, feedback | Provide customer support |
2.2 Information Collected Automatically
| Data Type | Examples | Purpose |
|---|---|---|
| Device Information | Browser type, operating system, device type | Optimise the service for your device |
| Usage Data | Pages visited, features used, time spent | Improve the service |
| Log Data | IP address, access times, error logs | Security and troubleshooting |
2.3 Information from Third Parties
If you connect your bank account via our Open Banking integration (Basiq), we receive account holder name and details, transaction history (descriptions, amounts, dates), and account balances.
This data is accessed only with your explicit consent, which you can revoke at any time.
3. How We Use Your Information
We use your information to:
- Provide the Service: Analyse transactions, identify deductions, generate reports
- Manage Your Account: Authentication, account settings, preferences
- Process Payments: Handle subscriptions and purchases via Stripe
- Communicate: Send service updates, respond to enquiries, provide support
- Improve the Service: Analyse usage patterns, fix bugs, develop new features
- Security: Detect and prevent fraud, abuse, and security incidents
- Legal Compliance: Comply with legal obligations and respond to lawful requests
4. Data Storage & Security
4.1 Where Your Data is Stored
| Service | Data Stored | Location |
|---|---|---|
| Supabase | User accounts, transactions, deductions, reports | Sydney, Australia (AWS ap-southeast-2) |
| Basiq | Bank connection tokens | Australia |
| Stripe | Payment information | PCI-compliant global infrastructure |
| Netlify | Static website files only (no personal data) | Global CDN |
4.2 Security Measures
- Encryption in Transit: All data transmitted using TLS 1.2+
- Encryption at Rest: Database encrypted with AES-256
- Password Security: Passwords hashed using bcrypt (never stored in plain text)
- Access Controls: Strict role-based access to production systems
- Regular Updates: Systems patched and updated regularly
- Row Level Security: Database policies ensure users can only access their own data
4.3 Data Breach Notification
In the event of a data breach that is likely to result in serious harm, we will notify the Office of the Australian Information Commissioner (OAIC), notify affected individuals as soon as practicable, and provide information about the breach and steps being taken.
5. Third-Party Services
We use the following third-party services to operate WriteOff. Each has its own privacy policy:
Supabase (Database & Authentication)
Stores your account information, transactions, and generated reports. Hosted in Sydney, Australia.
Supabase Privacy Policy
Basiq (Bank Connectivity)
Provides secure Open Banking connections to retrieve your bank transactions with your consent. Accredited Consumer Data Right recipient.
Basiq Privacy Policy
Stripe (Payment Processing)
Processes all payments securely. We never see or store your full credit card number. Stripe is PCI-DSS Level 1 certified.
Stripe Privacy Policy
Netlify (Website Hosting)
Hosts our static landing page. Does not process personal data beyond standard web server logs.
Netlify Privacy Policy
6. Data Sharing
6.1 When We Share Data
- Service Providers: Third parties that help us operate the Service (listed in Section 5), under strict confidentiality agreements
- Legal Requirements: When required by law, court order, or government request
- Safety: To protect the rights, safety, or property of WriteOff, our users, or the public
- Business Transfers: In connection with a merger, acquisition, or sale of assets (you would be notified)
- With Your Consent: When you explicitly authorise us to share information
6.2 What We Never Do
6.3 Aggregated Data
We may use aggregated, anonymised data (that cannot identify you) for research, analytics, or improving our services.
7. Data Retention
7.1 How Long We Keep Your Data
| Data Type | Retention | Reason |
|---|---|---|
| Account Information | Until you delete your account | Provide the service |
| Transaction Data | 7 years from upload | ATO record-keeping requirements |
| Generated Reports | 7 years from creation | ATO record-keeping requirements |
| Payment Records | 7 years | Tax and accounting obligations |
| Support Communications | 3 years | Service improvement |
| Log Data | 90 days | Security and troubleshooting |
7.2 Account Deletion
When you request account deletion:
- Your account is immediately deactivated
- Personal data is permanently deleted within 30 days
- Some data may be retained in anonymised form or as required by law
- Backup copies are purged within 90 days
8. Your Rights
Under Australian privacy law, you have the right to:
8.1 Access Your Data
Request a copy of the personal information we hold about you. We will respond within 30 days.
8.2 Correct Your Data
Request correction of any inaccurate or incomplete information. You can update most information directly in your account settings.
8.3 Delete Your Data
Request deletion of your account and personal data. See Section 7.2 for details on our deletion process.
8.4 Data Portability
Request a copy of your data in a machine-readable format (e.g., CSV or JSON).
8.5 Withdraw Consent
If you've connected your bank account, you can revoke access at any time through your account settings or by contacting us.
8.6 Lodge a Complaint
If you believe we have breached your privacy, contact us first — we take complaints seriously. You can also lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
9. Cookies & Analytics
9.1 Cookies We Use
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, security, basic functionality | Session / 30 days |
| Preferences | Remember your settings and preferences | 1 year |
| Analytics | Understand how you use the service (anonymised) | 2 years |
9.2 Analytics
We may use privacy-focused analytics tools to understand how people use WriteOff. This data is aggregated and cannot identify individual users.
9.3 Managing Cookies
You can control cookies through your browser settings. Note that disabling essential cookies may affect the functionality of the Service.
10. Children's Privacy
WriteOff is not intended for use by anyone under 18 years of age. We do not knowingly collect personal information from children.
If we become aware that we have collected data from someone under 18, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at privacy@writeoff.net.au.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. For material changes, we will notify you by email or through the Service. Your continued use of the Service after changes take effect constitutes acceptance.
12. Contact Us
If you have any questions about this Privacy Policy or our privacy practices, please contact us:
- Email: privacy@writeoff.net.au
- General Support: support@writeoff.net.au
- Website: writeoff.net.au
We aim to respond to all privacy enquiries within 5 business days.