Privacy Policy
1. Introduction
SnapMyTax Co. (“SnapMyTax”, “we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, disclose, and protect your personal and financial information when you use the SnapMyTax mobile application (iOS and Android) and related services (the “Platform”).
This Privacy Policy applies in conjunction with our Terms and Conditions. By using the Platform, you consent to the collection and use of your information as described in this Policy.
2. Compliance Framework
This Privacy Policy is drafted in strict accordance with:
- the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs);
- the Privacy Safeguards embedded within Part IVD of the Competition and Consumer Act 2010 (Cth) governing the Consumer Data Right (CDR);
- the Consumer Data Rules 2020 and associated ACCC guidance;
- Apple App Store Review Guidelines (Section 5.1 — Privacy); and
- Google Play Developer Programme Policies (User Data).
3. Information We Collect
We collect only the minimum data necessary to deliver the Platform's core functionality. We apply strict data minimisation principles across all data collection channels.
3.1 Profile Information
When you create an account, we collect: your name, email address, profile photo (from Google or Apple authentication), occupation, income type (e.g. PAYG, ABN holder, mixed), annual income band, work-from-home parameters (days per week), vehicle use for work, and investment details (shares, property).
3.2 CDR Service Data (Open Banking)
If you link your bank account, we receive transaction data from your bank via our CDR Principal, Basiq (an Accredited Data Recipient accredited by the ACCC). This data includes: merchant names, transaction amounts, dates, descriptions, and Merchant Category Codes (MCC). SnapMyTax requests read-only transaction data only (bank:transactions:read scope). We never receive or store your bank login credentials.
3.3 Email-Extracted Data (Gmail)
If you authorise Gmail integration (gmail.readonly scope), we apply a 3-layer smart pre-filter before accessing any email content. Only emails identified as financial receipts or invoices are processed. We extract and store: merchant name, date, amount, line items, and receipt attachments (PDF or image). Raw email bodies are never retained or stored. Non-financial emails are never accessed, read, or processed.
3.4 User Uploads (Manual Receipts)
We collect receipts and invoices you photograph or upload via the Platform. We process these using Optical Character Recognition (OCR) via Google Cloud Vision to extract structured data (merchant, date, amount, items).
3.5 Device and Technical Data
We collect limited technical data to ensure security and Platform functionality: device model (hashed for session binding), operating system version, app version, biometric enrolment status (enrolled/not enrolled — we never collect biometric data itself), and push notification tokens (Firebase Cloud Messaging). We do not collect advertising identifiers (IDFA/GAID), and we do not track you across other apps or websites.
3.6 Analytics Data
We use PostHog (configured for Australian data residency or self-hosted) for product analytics. Analytics data is aggregated and anonymised. We use Sentry for error monitoring with PII scrubbing rules configured. No names, email addresses, financial amounts, or transaction details appear in our logs.
4. How We Use Your Information
Your information is used exclusively for the following purposes:
- analysing your transactions against ATO guidelines to assign a deductibility confidence assessment;
- processing receipts via OCR using Google Cloud Vision to extract structured financial data;
- refining deduction categorisations via internal processing using Gemini AI;
- providing your personalised deduction dashboard, SnapScore, and estimated tax savings;
- sending you real-time notifications when potentially deductible transactions are detected;
- providing aggregated, anonymised benchmark comparisons (e.g. claim rates by occupation);
- maintaining Platform security, fraud prevention, and session management; and
- complying with our legal obligations, including responding to valid court orders.
Important: Data processed by Google Cloud Vision and Gemini AI is processed strictly under enterprise agreements that explicitly prohibit the use of your personal financial data to train public or foundational AI models. Your data is never sold to, shared with, or used by these providers for any purpose other than delivering the specific service to you.
5. Data Storage, Security, and Sovereignty
5.1 Data Sovereignty
All personal information, transaction databases, encrypted receipt files, and backups are hosted exclusively on servers physically located within Australia (AWS ap-southeast-2, Sydney region). Your data never leaves Australian jurisdiction.
5.2 Encryption
All data in transit is protected by TLS 1.3 encryption. All sensitive data at rest is encrypted using AES-256-GCM, including database fields (via application-level encryption) and receipt images (via AWS S3 server-side encryption with KMS-managed keys). OAuth tokens are encrypted and stored in AWS KMS. On your device, sensitive credentials are stored in hardware-backed secure enclaves (iOS Keychain / Android Keystore).
5.3 Session Security
Sessions are managed via signed JWTs (RS256) with 15-minute access token expiry and 30-day refresh token rotation. Refresh token family tracking detects and blocks replay attacks. Only one active session per user is permitted.
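The session scheme described above (short-lived access tokens, rotating refresh tokens, family tracking that revokes a whole session when a refresh token is replayed, and one active session per user) is illustrated by the following added example. It is not SnapMyTax's own code: it uses an in-memory store and opaque random refresh tokens in place of RS256-signed JWTs, and every class and function name in it (SessionStore, rotate, replay_scenario) is hypothetical.

```python
"""Refresh-token rotation with family tracking (added illustration, not SnapMyTax code)."""
import secrets
from dataclasses import dataclass, field

ACCESS_TOKEN_TTL = 15 * 60           # seconds; the 15-minute access token expiry from the policy
REFRESH_TOKEN_TTL = 30 * 24 * 3600   # seconds; the 30-day refresh token lifetime from the policy


@dataclass
class RefreshToken:
    family_id: str   # all tokens descended from one login share a family
    user_id: str
    issued_at: int   # unix seconds
    used: bool = False


@dataclass
class SessionStore:
    """Hypothetical in-memory store; a deployment would back this with a database."""
    tokens: dict = field(default_factory=dict)          # refresh token value -> RefreshToken
    revoked_families: set = field(default_factory=set)
    active_family: dict = field(default_factory=dict)   # user_id -> family_id (one session per user)

    def login(self, user_id: str, now: int) -> dict:
        """Start a new session family; any earlier session for the same user is revoked."""
        previous = self.active_family.get(user_id)
        if previous is not None:
            self.revoked_families.add(previous)
        family_id = secrets.token_urlsafe(16)
        self.active_family[user_id] = family_id
        return self._issue(user_id, family_id, now)

    def _issue(self, user_id: str, family_id: str, now: int) -> dict:
        refresh = secrets.token_urlsafe(32)
        self.tokens[refresh] = RefreshToken(family_id, user_id, now)
        # Placeholder access token claims; a real platform would sign these as a JWT.
        access = {"sub": user_id, "exp": now + ACCESS_TOKEN_TTL}
        return {"access": access, "refresh": refresh}

    def rotate(self, refresh: str, now: int) -> dict:
        """Exchange a refresh token for a new pair; raise on unknown, expired, revoked or replayed tokens."""
        rec = self.tokens.get(refresh)
        if rec is None:
            raise PermissionError("unknown refresh token")
        if rec.family_id in self.revoked_families:
            raise PermissionError("session revoked")
        if now - rec.issued_at > REFRESH_TOKEN_TTL:
            self.revoked_families.add(rec.family_id)
            raise PermissionError("refresh token expired")
        if rec.used:
            # The same token presented twice means two parties hold a copy (the client and
            # whoever captured it). Revoking the whole family stops both, which is the
            # "family tracking detects and blocks replay" behaviour.
            self.revoked_families.add(rec.family_id)
            raise PermissionError("refresh token reuse detected; session family revoked")
        rec.used = True
        return self._issue(rec.user_id, rec.family_id, now)

    def is_active(self, refresh: str) -> bool:
        rec = self.tokens.get(refresh)
        return rec is not None and not rec.used and rec.family_id not in self.revoked_families


def replay_scenario() -> dict:
    """Constructed walk-through: login, a legitimate rotation, then replay of the old token."""
    store = SessionStore()
    t0 = 1_700_000_000
    first = store.login("user-1", t0)
    second = store.rotate(first["refresh"], t0 + 60)   # legitimate client rotates
    try:
        store.rotate(first["refresh"], t0 + 120)       # the already-used token is presented again
        replay_blocked = False
    except PermissionError:
        replay_blocked = True
    try:
        store.rotate(second["refresh"], t0 + 180)      # newest token is dead too: family revoked
        family_revoked = False
    except PermissionError:
        family_revoked = True
    return {"replay_blocked": replay_blocked, "family_revoked": family_revoked}


if __name__ == "__main__":
    print(replay_scenario())
```

The design point is that detection happens at the server without needing to know which party is the attacker: a used refresh token reappearing is enough evidence to end the whole family, after which the legitimate client simply logs in again.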
5.4 Mobile Security
The Platform implements jailbreak/root detection, screenshot prevention on financial screens, clipboard protection for sensitive values, automatic screen blur when backgrounded, and auto-lock with biometric re-authentication after 5 minutes of inactivity.
6. Data Retention and Destruction
6.1 Default Retention Period
To assist you with the ATO's record-keeping requirements, we retain your classified transaction data and receipt images for up to five (5) years from the end of the relevant financial year. This aligns with the ATO's requirement to keep records for 5 years from the date of lodgement.
6.2 CDR Data Deletion
If you disconnect your bank account (revoke CDR consent), all raw bank transaction data is permanently deleted from our systems within 24 hours. Derived deduction records (which do not contain raw transaction data) may be retained to support ATO record-keeping obligations. You will be informed in plain language of exactly what is retained and why.
6.3 Email Data Deletion
If you disconnect your Gmail integration, your Gmail OAuth tokens are immediately revoked via Google's token revocation endpoint. Local tokens are deleted, and any pending email processing is cancelled.
6.4 Right to Erasure (Hard Delete)
You have the absolute right to delete your account and all associated data at any time via the Platform's Settings menu. When you trigger account deletion, we initiate an immediate “hard delete” protocol that permanently removes your profile, transaction history, receipt images, and all stored data from our active databases and storage within 24 hours. We do not retain anonymised shadow profiles.
Before deletion is executed, you will be informed of any ATO-mandated record retention obligations that may apply to your data. You may choose to proceed with full deletion regardless, understanding that you assume responsibility for maintaining your own tax records.
7. Disclosure of Information
We do not sell, rent, or trade your personal data. We will never share your data for marketing or advertising purposes.
Disclosures are strictly limited to authorised infrastructure and service partners, each of whom processes your data solely to deliver the Platform's functionality. Each partner is contractually bound to provide equivalent or greater protection of your data as described in this Policy.
We will only disclose your data to law enforcement or government agencies (such as the ATO) if compelled by a valid Australian court order, statutory notice, or as required under the Notifiable Data Breaches scheme.
8. Consumer Data Right (CDR) Notices
As a CDR Representative, SnapMyTax handles your bank data (“service data”) under a formal contractual arrangement with our CDR Principal, Basiq. Under the CDR framework, you have the right to:
- view your active CDR consents, including scope, duration, and expiry, via the “My Connections” screen in the app;
- withdraw your CDR consent at any time, which will instantly cease the data feed from your bank;
- request the destruction of collected CDR service data in accordance with CDR Privacy Safeguard 12; and
- lodge a complaint about our CDR data handling directly with the OAIC.
CDR consent is time-limited to a maximum of 12 months per consent period. We will notify you 30 days before your consent expires and provide an easy in-app renewal process.
9. Your Rights
9.1 Access and Correction
You may access and update your profile information at any time within the Platform. You may manually override any transaction categorisation made by the Classification Engine.
9.2 Data Portability
You may request an export of your data in a machine-readable format by contacting our Privacy Officer.
9.3 Consent Withdrawal
You may withdraw consent for bank data sharing or email scanning at any time via the “My Connections” screen. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
9.4 Account Deletion
You may delete your account and all associated data at any time via the Settings menu. See Section 6.4 for details of our hard delete protocol.
10. Children's Privacy
The Platform is designed for Australian tax filers aged 18 years and older. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected data from a child under 18, we will promptly delete that data.
11. Cookies and Tracking Technologies
The SnapMyTax mobile application does not use cookies, web beacons, or browser-based tracking technologies. We do not collect or use advertising identifiers (Apple IDFA or Google GAID). We do not engage in cross-app or cross-site tracking. We do not participate in any advertising networks.
12. Data Breach Notification
In the event of an eligible data breach (as defined under the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act 1988), we will notify the Office of the Australian Information Commissioner (OAIC) and all affected users as soon as practicable, and in any event within 30 days of becoming aware of the breach. Our notification will include the nature of the breach, the types of data involved, and the steps we are taking in response.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Platform features. Material changes will be notified to you via the Platform and/or email at least 30 days before taking effect. The updated Policy will be accessible within the Platform at all times. Your continued use of the Platform after the updated Policy takes effect constitutes your acceptance of the changes.
14. Complaints
If you believe we have breached the APPs, CDR Privacy Safeguards, or any other applicable privacy obligation, you may lodge a complaint by contacting our Privacy Officer:
Email: Hello@snapmytax.com.au
We will acknowledge your complaint within 7 days and provide a substantive response within 30 days. If you are unsatisfied with our resolution, you may escalate the matter to:
Office of the Australian Information Commissioner (OAIC)
Phone: 1300 363 992
15. Contact Information
If you have any questions about this Privacy Policy or our data practices, please contact us at:
SnapMyTax Co.
Email: Hello@snapmytax.com.au
Website: snapmytax.com.au
© 2026 SnapMyTax Co. All rights reserved.