Privacy Policy
Taxy Pty Ltd (ABN 33 666 815 890) (“Taxy”, “we”, “us”, “our”) provides a cloud-based tax workflow platform at app.taxy.au. This policy explains how we handle personal information, in line with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Last updated: 10 June 2026.
1. Who we are, and the two ways we handle data
Taxy is used by Australian accounting practices (“Firms”) to collect information and documents from their clients and manage tax workflows. We handle personal information in two distinct roles:
- As the entity responsible (controller) — for information about Firm staff who hold Taxy accounts (name, email, login and usage data), people who contact us, and visitors to our website.
- On a Firm’s behalf (service provider / processor) — for the client information a Firm and its clients put into Taxy (“Customer Content”), which can include identity details, contact details, financial information, tax file numbers, and supporting documents. The Firm decides what is collected and why; we handle it under our agreement with the Firm and only to provide the service. If you are a client of a Firm, contact that Firm first about your information — they control it, and our agreement with them governs how we process it (see our Data Processing Agreement).
2. What this notice covers — and doesn’t
It covers personal information we handle through our website and the Taxy platform. It does not cover a Firm’s own privacy practices, or third-party sites we link to — those have their own policies.
3. Personal information we collect, and how
| Category | Examples | Source |
|---|---|---|
| Account & identity | Name, email, role, password (hashed) | Firm / user at sign-up |
| Usage & device | Log-in events, in-app activity, IP, browser | Automatically, in use |
| Customer Content | Client identity, contact, financial data, tax file numbers, documents | Entered by the Firm and its clients |
| Support & comms | Messages you send us, support-access logs, call recordings | You / our systems |
| Website | Enquiry-form details, cookies | You / your browser |
We collect tax file numbers only as part of the Customer Content a Firm chooses to collect. We collect, use, store and disclose them only as necessary to provide the platform to the Firm, never use them to establish or confirm an individual’s identity, and otherwise handle them in accordance with the Privacy (Tax File Number) Rule 2015.
4. How we use personal information
To provide, secure, support and improve the platform; to communicate with account holders; to bill; and to meet our legal obligations. We use aggregated, de-identified usage data to improve the product. We do not sell personal information, and we do not use Customer Content for advertising.
Artificial intelligence
We use AI tools to build, operate and support the platform, and in the course of that work personal information — including Customer Content — may be processed by our AI sub-processor (Anthropic), for example where a working session reads from our systems. Anthropic operates on a business tier under which content is not retained after the session and is not used to train AI models, and is listed on our Sub-processor list.
Where Taxy offers in-product AI features, those features use large language models provided by Google Cloud Platform, run in our Australian Google Cloud environment, and personal information is not used to train models.
Meetings and calls
We may record and transcribe meetings and phone calls — for example sales, onboarding and support calls with prospective and existing Firms — to capture notes and follow-ups and to improve our service. We use Fireflies to transcribe video meetings and Aircall for business telephony (which captures phone numbers and call recordings). Participants are told at the start of each call that it is being recorded and may decline; if you ask us not to record, we won’t. These recordings sometimes include discussion of client information; we handle them as our own confidential records (Taxy as controller), keep access least-privilege, and do not use them to train AI models.
5. Cookies and website analytics
We use essential cookies to run taxy.au and Google Analytics 4 to understand website usage. Google Analytics is used for visitor analytics on our marketing site only — it does not receive Customer Content. You can control or disable cookies through your browser settings; disabling non-essential cookies will not affect your use of the Taxy platform.
6. How we share personal information
- Service providers (sub-processors) who help us run the platform — see our Sub-processor list. They may handle data only to provide their service to us, under terms at least as protective as our DPA.
- The Firm whose account the Customer Content belongs to.
- Legal / safety — where required by law, or to protect rights and safety.
- On a business transfer (merger or sale), under confidentiality.
7. Retention
We keep personal information while an account is active and as needed for the purposes above or to meet legal obligations. On a Firm’s request we delete Customer Content within 60 days, except where we must retain it by law or in routine backups (which then expire on their normal cycle). This matches Section 10 of our DPA.
8. Security
Customer data is stored in Australia and encrypted in transit and at rest. For disaster-recovery resilience we replicate encrypted backups to the United States (see §9). We run a zero-trust model with multi-factor authentication and logged, least-privilege access. See our Security page for detail. If a data breach is likely to cause serious harm, we will notify affected individuals and the OAIC without undue delay, consistent with the Notifiable Data Breaches scheme.
9. International transfers
Our primary storage is in Australia. For disaster-recovery resilience we replicate encrypted backups to a location in the United States, and some of our sub-processors — our AI provider (Anthropic) and our email and analytics provider (Twilio — SendGrid and Segment) — are located in the United States (APP 8). The current list is in our Sub-processor list. We take reasonable steps to ensure overseas recipients handle the information consistently with the APPs.
10. Your rights
You may request access to, or correction of, your personal information, and may complain about how we have handled it. Contact us (below). If unresolved, you may complain to the Office of the Australian Information Commissioner (OAIC), oaic.gov.au. Clients of a Firm should contact the Firm first.
11. Updates
We may update this policy; material changes will be notified by email to account holders and/or a notice in the app. The “last updated” date shows the current version.
12. Contact
privacy@taxy.au · Taxy Pty Ltd, Level 7, 88 Phillip Street, Sydney NSW 2000.