Privacy Policy
This Privacy Policy ("Policy") describes how WriteOff ABN 30 132 181 813 ("WriteOff", "we", "us", "our") collects, uses, discloses, and protects your personal information when you access or use the WriteOff platform, including all associated websites, applications, and services (the "Service"). This Policy is issued in compliance with the Privacy Act 1988 (Cth) ("Privacy Act") and the Australian Privacy Principles ("APPs") contained in Schedule 1 of the Privacy Act.
This Policy should be read in conjunction with our Terms of Service, which govern your use of the Service. The Terms of Service include important information about the nature of the Service and the fact that WriteOff is not a registered tax agent — see clause 2 of the Terms of Service.
By creating an account or using the Service, you consent to the collection, use, and disclosure of your personal information as described in this Policy. If you do not agree with any part of this Policy, you should not use the Service.
1. Information We Collect
1.1. We collect and process the following categories of personal information:
| Category | Types of Data | Collection Method |
|---|---|---|
| Account Information | Email address, hashed password, account preferences, occupation/industry selection | Provided by you at registration |
| Third-Party Authentication Data | Where you authenticate via a third-party provider (e.g. Google OAuth), we may receive your name, email address, and profile photograph as provided by that provider | Received from authentication provider with your consent |
| Financial Data | Bank transaction records including dates, descriptions, amounts, merchant names, account balances, BSB/account identifiers (where included in CSV exports) | CSV upload (current method); bank connectivity in a future release (see clause 2.3) |
| Categorisation Data | Transaction categories, expense categorisations, work-use percentages, confidence scores, anomaly flags, and user overrides or corrections | Generated by our automated categorisation engine and modified by you |
| Report Data | PDF reports, categorised expense summaries, category breakdowns, financial year totals | Generated by the Service |
| Usage Data | Pages visited, features used, session duration, click events, device type, browser type, operating system, screen resolution, IP address, approximate geolocation (city-level) | Automatically collected via server logs |
| Payment Data | Subscription status, billing history, payment method type (last 4 digits only), billing address | Processed by Stripe, Inc. |
| Communication Data | Support enquiries, feedback, email correspondence, in-app messages | Provided by you |
| Advertising and Conversion Data | Ad click identifiers, conversion events (e.g. signup completed), referral source, campaign identifiers | Collected via Meta Pixel and similar advertising tools (see Section 10) |
1.2. We do not collect sensitive information as defined in the Privacy Act (such as health information, political opinions, religious beliefs, or biometric data) unless you voluntarily provide it in communications with us, in which case it will be handled in accordance with APP 3.3.
1.3. We do not knowingly collect information about persons under the age of 18. If we become aware that we have inadvertently collected personal information from a person under 18, we will take steps to delete such information promptly.
2. How We Collect Information
2.1. Directly from you: When you create an account, upload bank statements as CSV files, adjust categorisations, generate reports, select your occupation or industry, or contact our support team.
2.2. From third-party authentication providers: Where you choose to sign in using a third-party provider such as Google, we receive basic profile information (name, email address, and profile photograph) from that provider. We do not receive your password for the third-party service. The third-party provider's own privacy policy governs its collection and use of your data.
2.3. From third-party data aggregation providers (future release): Direct bank connectivity is not currently available. In a future release of the Service, we intend to offer optional bank connectivity through a third-party data aggregation provider (currently anticipated to be Basiq Pty Ltd, an Accredited Data Recipient under the Consumer Data Right regime). If and when this feature is enabled, transaction data will be transmitted to us via secure, encrypted API connections, we will receive read-only access to transaction data only, and we will never receive, access, or store your bank login credentials. This Policy will be updated before any bank-connectivity feature is enabled to disclose the specific provider, the access model (CDR Affiliate, CDR Representative, or non-CDR pathway), and any additional obligations under Part IVD of the Competition and Consumer Act 2010 (Cth) and the Competition and Consumer (Consumer Data Right) Rules 2020.
2.4. Automatically: When you use the Service, we automatically collect certain technical and usage information through server logs, cookies, pixels, and similar technologies. See Sections 9 and 10 for details.
2.5. From advertising platforms: When you arrive at our website or Service through a paid advertisement, we may receive conversion data from the advertising platform (such as Meta/Facebook) indicating that you clicked on an advertisement and completed a signup. See Section 10 for details on advertising technologies.
3. Purpose of Collection and Use
3.1. We collect and use your personal information for the following purposes:
(a) Service Delivery: To provide, maintain, and improve the Service, including transaction parsing, automated categorisation, anomaly flagging, and report generation. The Service produces a categorised expense summary that you (and your registered tax agent) may use as a record-keeping aid. The Service does not ascertain your tax liability or determine whether any expense is deductible — see clause 2 of the Terms of Service.
(b) Account Management: To create and manage your account, authenticate your identity, and maintain your preferences.
(c) Payment Processing: To process subscription payments, issue invoices, and manage billing.
(d) Communications: To send you service-related notifications, including account confirmations, security alerts, billing reminders, product updates, and responses to your enquiries. We will not send you marketing communications without your express consent.
(e) Service Improvement: To analyse usage patterns, identify bugs, improve our categorisation engine, and develop new features. Where possible, we use aggregated and de-identified data for this purpose.
(f) Advertising Measurement: To measure the effectiveness of our advertising campaigns, including tracking whether users who click on advertisements subsequently create accounts. See Section 10 for details.
(g) Security: To detect, prevent, and investigate fraud, security breaches, and other harmful or unauthorised activities.
(h) Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
3.2. We will not use your personal information for any purpose other than those listed above without obtaining your prior consent, except where permitted or required by law (APP 6).
4. Disclosure of Personal Information
4.1. We may disclose your personal information to the following categories of recipients:
(a) Hosting and Infrastructure Providers: Our Service is hosted on cloud infrastructure provided by Supabase, Inc. (database, authentication, and file storage) and Render Services, Inc. (application hosting and runtime processing). These providers process data on our behalf under data processing agreements that require them to maintain appropriate security measures. Our application hosting provider (Render) may collect additional technical data such as server logs and performance metrics in accordance with its own privacy policy.
(b) Payment Processor: Subscription payments are processed by Stripe, Inc. We transmit your email address and subscription details to Stripe. Stripe's handling of payment information is governed by Stripe's own privacy policy and PCI-DSS compliance standards. We do not receive or store your full credit card number, CVV, or expiry date.
(c) Banking Partner (future release): Direct bank connectivity is not currently enabled. If and when bank connectivity is enabled in a future release, your authorisation and transaction data may be handled by a third-party data aggregation provider (currently anticipated to be Basiq Pty Ltd), regulated under applicable Australian financial services and Consumer Data Right legislation. See clause 2.3.
(d) Advertising Platforms: We use Meta Pixel (Facebook/Instagram) on our marketing website to measure advertising effectiveness. Meta Pixel transmits conversion events (such as page visits and signup completions), your IP address, browser information, and click identifiers to Meta Platforms, Inc. This data is used to measure ad performance and may be used by Meta for its own advertising purposes in accordance with Meta's Data Policy. See Section 10 for details and your opt-out rights.
(e) Email Service Provider: Service-related communications (such as account confirmations, password resets, and billing notifications) may be sent via third-party email delivery providers. These providers receive your email address and the content of the communication solely for the purpose of delivery.
(f) Professional Advisers: We may disclose information to our lawyers, accountants, auditors, or insurers where reasonably necessary for the purpose of obtaining professional advice or managing legal proceedings.
(g) Law Enforcement and Regulators: We may disclose information where required by law, court order, subpoena, or regulatory request, or where we reasonably believe disclosure is necessary to protect the rights, property, or safety of WriteOff, our users, or the public.
(h) Business Transfers: In the event of a merger, acquisition, reorganisation, asset sale, or insolvency, your personal information may be transferred to the acquiring entity. We will notify you of any such transfer and any choices you may have regarding your information.
5. Overseas Disclosure
5.1. Your personal information is stored and processed in the following locations:
| Provider | Service | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | Australia — Sydney region (ap-southeast-2) |
| Render Services, Inc. | Application hosting and runtime processing | Singapore |
| Stripe, Inc. | Payment processing | United States |
| Meta Platforms, Inc. | Advertising measurement (Meta Pixel on marketing website only) | United States |
5.2. Your Financial Data and account data are stored at rest in Australia (Supabase Sydney region). However, application logic and runtime processing occur on our application hosting provider's Singapore-based infrastructure (Render), which means your data is transmitted to and processed in Singapore in the ordinary course of using the Service. Payment data is processed in the United States by Stripe. Advertising and conversion data is processed in the United States by Meta.
5.3. Where personal information is disclosed to an overseas recipient, we take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to that information, as required by APP 8.1. Our reasonable steps include contractual data processing agreements with our providers, reliance on their independently audited certifications (such as SOC 2 Type II for Supabase and Render, and PCI-DSS for Stripe), and ongoing monitoring of provider compliance. You acknowledge that an overseas recipient may not be subject to the Privacy Act or the APPs, that the laws of the recipient's country may differ from Australian privacy law, and that you may have limited ability to seek redress under the Privacy Act in respect of an act or practice of an overseas recipient.
5.4. By using the Service, you acknowledge and consent to the transfer of your personal information to these overseas jurisdictions as described in this section.
6. Consumer Data Right
6.1. The Consumer Data Right ("CDR") regime under Part IVD of the Competition and Consumer Act 2010 (Cth) and the Competition and Consumer (Consumer Data Right) Rules 2020 establishes a framework for consumers to share certain data (including banking transaction data) with accredited recipients.
6.2. As at the effective date of this Policy, WriteOff is not an accredited data recipient under the CDR regime, and the Service does not currently access or process data under the CDR framework. CSV uploads provided by you are not CDR data.
6.3. If, in a future release, the Service offers bank connectivity that involves the CDR regime (for example, via a CDR Affiliate or CDR Representative arrangement with an Accredited Data Recipient such as Basiq Pty Ltd), this Policy will be updated before that feature is enabled to disclose the applicable access model, the CDR Privacy Safeguards that apply, and any additional consent and data-handling obligations.
7. Data Security
7.1. We implement a range of technical and organisational security measures to protect your personal information from unauthorised access, modification, disclosure, or destruction, including:
(a) Encryption in transit: All data transmitted between your device and our servers is encrypted using Transport Layer Security (TLS) version 1.2 or higher.
(b) Encryption at rest: All stored data, including Financial Data and account information, is encrypted using AES-256 encryption as provided by our hosting infrastructure.
(c) Access controls: Access to personal information is restricted to authorised personnel on a need-to-know basis. Access is authenticated and logged.
(d) Infrastructure security: Our hosting providers (Supabase, Render) maintain SOC 2 Type II certification, regular security audits, and industry-standard physical and network security controls. Stripe maintains PCI-DSS certification for payment processing.
(e) Password security: User passwords are hashed using bcrypt and are never stored in plaintext. We do not have access to your password.
7.2. While we take reasonable steps to protect your information in accordance with APP 11, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security and accept no liability for any unauthorised access to or loss of personal information beyond our reasonable control.
7.3. Data Breach Notification. In the event of a data breach that is likely to result in serious harm to you, we will notify affected individuals and the Office of the Australian Information Commissioner ("OAIC") as soon as practicable, and in any event within 30 days of becoming aware of the eligible data breach, in accordance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act.
7.4. If you believe your account or data has been compromised, contact us immediately at privacy@writeoff.net.au.
8. Data Retention
8.1. We retain your personal information only for as long as reasonably necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.
8.2. Specific retention periods:
| Data Category | Retention Period |
|---|---|
| Account information | Duration of account plus 30 days after closure |
| Financial Data (transactions) | Current and two preceding financial years, or duration of account, whichever is shorter |
| Reports | Duration of account |
| Payment records | 7 years (as required by Australian tax law) |
| Usage/analytics data | 24 months (aggregated and de-identified) |
| Advertising conversion data | 12 months |
| Support correspondence | 24 months after resolution |
8.3. Upon account closure or upon your request, we will delete or de-identify your personal information within 30 days, except where retention is required by law or for the establishment, exercise, or defence of legal claims. Upon completion of a deletion request, we will provide written confirmation to you via email.
8.4. Backup Systems. Deleted data may persist in encrypted backup systems for up to 90 days before being permanently purged. During this period, backup data is not actively used, is not accessible through the Service, and is subject to the same security protections as active data.
9. Cookies and Tracking Technologies
9.1. We use the following types of cookies and similar technologies:
| Type | Purpose | Duration |
|---|---|---|
| Essential / Session | Authentication, session management, security, CSRF protection | Session / 30 days |
| Functional | Remember your preferences, display settings, and selected options | 12 months |
| Analytics | Understand aggregate usage patterns and Service performance (see Section 10) | 24 months |
| Advertising / Marketing | Meta Pixel for conversion tracking on marketing website only (see Section 10) | 90 days |
9.2. Where required by applicable law, we will obtain your consent before placing non-essential cookies. You may control cookies through your browser settings, though disabling essential cookies may affect the functionality of the Service.
10. Advertising and Analytics Technologies
10.1. Meta Pixel (Facebook/Instagram). We use the Meta Pixel on our marketing website (writeoff.net.au) to: (a) measure the effectiveness of our advertising campaigns on Facebook and Instagram; (b) track conversion events such as page visits, signup form submissions, and account creation; (c) create custom audiences for advertising purposes. The Meta Pixel transmits data including your IP address, browser information, page URL, referral source, and conversion events to Meta Platforms, Inc. in the United States. Meta may use this data in accordance with its own Data Policy, including for ad targeting across Meta's platforms.
10.2. Opt-Out. You may opt out of Meta Pixel tracking by: (a) adjusting your ad preferences in your Facebook/Instagram account settings; (b) using browser-based ad blockers or privacy extensions; (c) enabling "Do Not Track" or equivalent privacy settings in your browser (note: not all services honour these signals; see clause 10.4).
10.3. Analytics. We may use privacy-respecting analytics tools to understand aggregate usage patterns of the Service. As at the date of this Policy, we rely primarily on our hosting provider's built-in server metrics and do not use third-party analytics services such as Google Analytics within the application itself.
10.4. Do Not Track. Some browsers transmit "Do Not Track" (DNT) signals to websites. There is currently no industry-standard method for responding to DNT signals. We do not currently alter our data collection or tracking practices in response to DNT signals, except where required by applicable law. You may use the opt-out methods described in clause 10.2 to limit tracking.
11. Your Rights
11.1. Under the Privacy Act and the APPs, you have the following rights in relation to your personal information:
(a) Right of Access (APP 12): You may request access to the personal information we hold about you. We will respond to your request within 30 days. We may charge a reasonable fee for providing access where permitted by law.
(b) Right of Correction (APP 13): You may request that we correct any personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. You can update most account information directly through the Service.
(c) Right of Deletion: You may request that we delete your personal information. We will comply with such requests except where we are required or permitted by law to retain the information. See Section 8 for details on retention periods and backup persistence.
(d) Right to Withdraw Consent: Where we process your personal information based on your consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
(e) Right to Data Portability: You may request a copy of your data in a structured, commonly used, machine-readable format (CSV). You can export your transaction data and reports at any time through the Service.
11.2. To exercise any of these rights, contact us at privacy@writeoff.net.au. We may require you to verify your identity before processing your request. We will respond to all valid requests within 30 days.
11.3. Automated processing. WriteOff uses an automated categorisation engine to suggest expense categories based on transaction patterns and occupation-specific rules. These suggestions are categorisation candidates for your review — they are not decisions about your tax position, your entitlement to claim any deduction, or any other matter that significantly affects your rights or interests. You can review, override, or remove every category before generating a report. From 10 December 2026, additional disclosure obligations relating to automated decision-making will apply to APP entities under APP 1.7–1.9 of the Privacy Act (introduced by the Privacy and Other Legislation Amendment Act 2024 (Cth)). We will update this Policy before that date to reflect those obligations.
12. Direct Marketing
12.1. We will not use your personal information for direct marketing purposes unless you have provided your express consent (opt-in). You may withdraw your consent at any time by clicking the "unsubscribe" link in any marketing email or by contacting us.
12.2. Service-related communications (such as account notifications, security alerts, password resets, and billing reminders) are not considered direct marketing and may be sent without separate consent as they are necessary for the provision of the Service.
13. Third-Party Links and Services
13.1. The Service may contain links to third-party websites, services, or resources that are not operated or controlled by us. This Policy does not apply to any third-party services, and we are not responsible for their privacy practices.
13.2. We encourage you to review the privacy policies of any third-party services you access through or in connection with the Service.
14. Changes to This Policy
14.1. We may update this Policy from time to time to reflect changes in our practices, the Service, applicable law, or our third-party service providers. Material changes will be notified to you via email to the address associated with your account, or through a prominent notice within the Service, at least fourteen (14) days before they take effect.
14.2. The "Last updated" date at the top of this Policy indicates when it was last revised. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Policy.
14.3. We recommend that you review this Policy periodically to stay informed about how we protect your information.
15. Complaints
15.1. If you believe that we have breached the APPs or handled your personal information inappropriately, you may lodge a complaint with us by contacting privacy@writeoff.net.au. We will acknowledge your complaint within 5 business days and endeavour to resolve it within 30 days.
15.2. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner:
Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
GPO Box 5218, Sydney NSW 2001
16. Contact Information
For questions, concerns, access requests, or complaints relating to this Policy or our handling of your personal information:
WriteOff ABN 30 132 181 813 — Privacy Officer
Email: privacy@writeoff.net.au
General Support: support@writeoff.net.au
Website: writeoff.net.au
17. Relationship to the Terms of Service
17.1. This Privacy Policy addresses how we handle your personal information. It does not address the substantive nature of the Service, the limits of what the Service does, or your responsibilities as a user. Those matters are addressed in our Terms of Service.
17.2. In particular, you should be aware that WriteOff is a software tool — not a registered tax agent. WriteOff does not provide tax advice and does not lodge tax returns. The categorisations and totals produced by the Service are estimates intended as a record-keeping aid for review by your registered tax agent. See clause 2 of the Terms of Service for the full position.
© 2026 WriteOff. All rights reserved. This document was last reviewed on 28 May 2026.