Privacy Policy

Last updated: 20 March 2026

1. Introduction

This Privacy Policy describes how AML Simple (“we”, “us”, “our”) collects, uses, stores, and protects personal information through AML Simple (“the Service”).

We are a New Zealand sole trader providing AML/CTF compliance software to Australian businesses. As a New Zealand entity providing services to Australian businesses and collecting personal information from individuals in Australia, we are subject to:

  • Australian Privacy Act 1988 and the Australian Privacy Principles (APPs) — under section 5B (extraterritorial operation), the Privacy Act applies to us because we have an Australian link
  • New Zealand Privacy Act 2020 and the Information Privacy Principles (IPPs) — as a New Zealand entity

2. What Data We Collect

2.1 Account Information (Direct Collection)

Data | Purpose | Basis
--- | --- | ---
Name, email, password | Account creation and authentication | Necessary for service
Organisation name, ABN | Business verification and service configuration | Necessary for service
Billing information | Payment processing (handled by Paddle) | Contractual

2.2 Customer Compliance Data (Entered by You)

You input personal information about your clients as part of your CDD processes:

Data | Purpose
--- | ---
Client full name, DOB, address | Customer due diligence (CDD)
ID document details (type, number, issuer, expiry) | Identity verification records
Risk ratings and assessments | Compliance workflow
Screening results (sanctions, PEP) | Regulatory compliance
SMR/TTR report content | Regulatory reporting assistance

Important: You determine the purposes for which your clients’ personal information is collected and used through the Service. We hold and process this information solely on your instructions and for the purpose of providing the Service. Under the Australian Privacy Act, we are an APP entity with obligations regarding the personal information we hold. Under the NZ Privacy Act, we are an agency with corresponding obligations.

2.3 Automatically Collected Data

Data | Purpose
--- | ---
IP address | Security, fraud prevention
Browser type, device info | Service optimisation
Usage data (pages viewed, features used) | Product improvement
Error logs | Debugging and reliability

2.4 Data We Do NOT Collect

  • Copies of identity documents (we record details only, per AUSTRAC guidance)
  • Financial account numbers
  • Tax file numbers
  • Biometric data

Note on electronic verification: Where you use our electronic identity verification feature (powered by Didit), the verification provider processes document images and performs a biometric liveness check on our behalf to confirm your client’s identity. AML Simple does not store these images or biometric data — only the verification result (approved/declined) and the associated audit record. See Section 6 for details on Didit as a data processor.

3. How We Use Data

Purpose | Legal Basis
--- | ---
Providing the Service | Performance of contract
Sanctions and PEP screening | Your legitimate compliance obligations
AI-assisted report drafting | Performance of contract (you control output)
Sending service notifications | Performance of contract
Product improvement and analytics | Legitimate interest
Security and fraud prevention | Legitimate interest
Compliance with legal obligations | Legal obligation
Advertising attribution (marketing site only) | Reasonably necessary for business functions (measuring advertising effectiveness)

We do NOT:

  • Sell personal information to third parties
  • Use customer compliance data for marketing
  • Use customer data to train AI models
  • Share data with third parties except as described below

4. Data Storage and Security

4.1 Data Residency

All customer compliance data (CDD records, screening results, reports) is stored exclusively in Sydney, Australia (ap-southeast-2) and is not transferred overseas.

Service | Location | Data Stored
--- | --- | ---
Supabase (database) | Sydney, Australia | All customer and compliance data
Cloudflare Pages (hosting) | Global CDN (Sydney edge) | Application only (no PII at rest)
Paddle (payments) | Ireland, EU | Payment information only (see Section 11)

4.2 Security Measures

  • Encryption in transit (TLS 1.2+)
  • Encryption at rest (AES-256)
  • Row Level Security (database access scoped to your organisation)
  • Role-based access control
  • Audit logging of all data access
  • Regular security updates and dependency patching

For a full overview of our security posture, infrastructure certifications, and data protection commitments, see our Security page.

5. Data Retention

Data Type | Retention Period | Reason
--- | --- | ---
Customer compliance data (CDD, screening, reports) | 7 years from the relevant date specified in the AML/CTF Act (e.g., from when the business relationship with the client ends, or from the date of a transaction) | AML/CTF Act record-keeping requirements (sections 107–116)
Audit logs | 7 years | AML/CTF Act requirement
Account information | Duration of account + 90 days | Service provision
Usage analytics | 2 years | Product improvement
Error logs | 90 days | Debugging

After the retention period, data is permanently deleted.

Note: We hold AML/CTF records on your behalf to assist you in meeting your record-keeping obligations under the AML/CTF Act. The 7-year retention period is your legal obligation as a reporting entity. We store these records to support that obligation.

6. Third-Party Data Processors

We share personal information with these processors solely to provide the Service:

Processor | Purpose | Data Shared | Location | Certifications
--- | --- | --- | --- | ---
Supabase | Database hosting | All service data | Sydney, AU | SOC 2 Type 2
Cloudflare Pages | Application hosting | Request logs | Global (Sydney edge) | ISO 27001, SOC 2 Type II
Paddle | Payment processing (Merchant of Record) | Name, email, billing info | Ireland, EU | PCI DSS Level 1*
dilisense | Sanctions/PEP screening | Name, DOB (for screening) | EU | GDPR compliant*
Didit | Electronic identity verification | Name, DOB, document image, biometric liveness data | EU* | ISO 27001, ISO 27017, ISO 27018, iBeta Level 1
Zoho Mail | Transactional email | Email address, name | Netherlands, EU | ISO 27001, SOC 2 Type 2
Sentry | Error monitoring | Error context (no customer PII) | US | GDPR DPA
Google LLC | Advertising conversion tracking and remarketing (marketing site only) | Cookie IDs, conversion events, IP address, hashed email (Enhanced Conversions) | United States / Ireland | Google Ads DPA

All processors are bound by data processing agreements. Certifications marked * are pending DPA confirmation.

7. Your Rights

Under Australian Privacy Act (APPs)

  • Access: Request access to your personal information (APP 12)
  • Correction: Request correction of inaccurate information (APP 13)
  • Complaint: Lodge a complaint with us or the OAIC

Under NZ Privacy Act 2020 (IPPs)

  • Access: Request access to your personal information (IPP 6)
  • Correction: Request correction (IPP 7)
  • Complaint: Lodge a complaint with us or the NZ Privacy Commissioner

Additional Rights We Provide

  • Data export: Export all your data at any time (CSV, PDF)
  • Data deletion: Request deletion of your account and data (subject to 7-year retention requirements for AML/CTF records)
  • Data portability: Download structured data in standard formats

How to Exercise Your Rights

Contact us at hello@amlsimple.com. We will respond within 30 days.

Note: AML/CTF records subject to the 7-year retention requirement cannot be deleted before the retention period expires, even upon request. This is a legal requirement under the AML/CTF Act.

8. Data Breach Notification

Australian Notifiable Data Breaches Scheme

In the event of a suspected eligible data breach under Part IIIC of the Australian Privacy Act 1988:

  • We will assess the breach as quickly as possible and within a maximum of 30 days of becoming aware of grounds to suspect a breach, as required by law
  • If we determine the breach is an eligible data breach (where serious harm to affected individuals is likely), we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable
  • Our notification will include: a description of the breach, the kinds of information involved, and recommended steps for affected individuals
  • We will notify you (as the reporting entity whose client data may be affected) separately so you can meet your own notification obligations
  • We will take steps to contain the breach and mitigate harm

New Zealand Privacy Act 2020

Under the NZ Privacy Act 2020 (sections 112–117), if a privacy breach has caused, or is likely to cause, serious harm to affected individuals:

  • We will notify the NZ Privacy Commissioner and affected individuals as soon as practicable
  • We will take steps to contain the breach and reduce the risk of harm

9. Cookies and Tracking

9.1 Essential Cookies

The following essential cookies are used in the AML Simple application (app.amlsimple.com):

Cookie | Purpose | Duration
--- | --- | ---
Session cookie | Authentication | Session
CSRF token | Security | Session

9.2 Advertising Cookies (Marketing Site Only)

On our marketing website (amlsimple.com) only, we use Google Ads conversion tracking cookies to measure the effectiveness of our advertising campaigns. These cookies are not used in the AML Simple application (app.amlsimple.com).

Cookie | Provider | Purpose | Duration
--- | --- | --- | ---
_gcl_au | Google LLC | Stores and tracks conversions from Google Ads (conversion linker) | 90 days
_gac | Google LLC | Contains campaign-related information used for conversion tracking | 90 days

These cookies record whether you clicked on one of our ads before visiting our site and track when a conversion event occurs (e.g., completing our readiness quiz or signing up for email updates).

9.3 Enhanced Conversions

On our marketing website (amlsimple.com), where you provide your email address (for example, via our readiness quiz or newsletter sign-up), we may send a hashed version of your email address (produced with a one-way hash function, not stored in plain text) to Google to improve the accuracy of our conversion measurement. This hashed data is used solely for advertising attribution and cannot be reversed to recover your email address. This feature operates on the marketing site only and is not used in the AML Simple application.

9.4 Remarketing (Marketing Site Only)

On our marketing website (amlsimple.com) only, we may use Google Ads remarketing to display our advertisements to previous visitors of amlsimple.com on other websites and apps across the Google Display Network and Google Search. Google uses cookies set during your visit to our site to serve these ads. This feature is not used in the AML Simple application (app.amlsimple.com).

9.5 Opt-Out

You can opt out of Google advertising cookies and personalised ads at any time:

  • Google Ad Centre: Visit myadcenter.google.com to manage your ad personalisation preferences
  • Browser cookie controls: Delete or block cookies through your browser settings (note: blocking essential cookies may affect service functionality)
  • Network Advertising Initiative (NAI) Opt-Out: Visit optout.networkadvertising.org to opt out from participating ad networks

Opting out will not prevent you from seeing ads, but ads shown to you will be less personalised.

10. Children’s Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

11. International Data Transfers

Customer compliance data (CDD records, screening results, reports) is stored exclusively in Australia (Sydney, ap-southeast-2) and is not transferred overseas.

The following categories of personal information may be disclosed to overseas recipients:

  • Ireland/EU: Paddle (name, email, billing information for payment processing); dilisense (name, DOB for sanctions/PEP screening); Didit (name, DOB, document image, biometric liveness data for electronic identity verification — EU processing, specific country pending DPA confirmation)
  • Netherlands, EU: Zoho Mail (email address, name for transactional emails)
  • United States: Sentry (error context, which may incidentally include technical identifiers but not customer PII)
  • United States / Ireland: Google LLC (cookie IDs, conversion events, IP address, and hashed email for Enhanced Conversions — marketing site only, for advertising attribution and remarketing)

Under APP 8, we take reasonable steps to ensure these overseas recipients handle personal information consistently with the APPs, including through binding data processing agreements. We remain accountable for the handling of personal information by these overseas recipients.

Under the NZ Privacy Act, we ensure that overseas recipients are subject to comparable privacy protections before disclosing personal information.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email and in-app notice at least 30 days before taking effect.

14. Marketing and Business Contact Information

14.1 What We Collect

In addition to data collected through the Service, we collect business contact information for marketing and outreach purposes:

Data | Purpose
--- | ---
Name, business email, phone number | Contacting businesses about our AML/CTF compliance tools
Company name, role/title | Personalising outreach and understanding business context
LinkedIn profile URL, website URL | Professional context and verification
Australian state/territory | Regional relevance

14.2 How We Source This Information

We collect business contact information from:

  • Agency websites: “About Us” and “Contact” pages where business contact details are conspicuously published
  • Professional directories: REIV member directory, RateMyAgent, Google Maps business listings
  • Referrals: Where another business professional introduces us
  • Inbound enquiries: Where you contact us, complete our readiness quiz, or sign up for our service

We do not scrape email addresses from LinkedIn profiles or other platforms where addresses are not conspicuously published for the purpose of receiving business communications.

14.3 Legal Basis

Under the Australian Privacy Act 1988 (APP 3), we collect this information because it is reasonably necessary for one of our functions or activities: providing relevant, targeted information about AML/CTF compliance tools to businesses with a legal obligation to implement AML programs by 1 July 2026.

Under the Spam Act 2003, our commercial electronic messages rely on:

  • Inferred consent via conspicuous publication (Schedule 2, clause 4): where a business email address is (a) published to enable public contact in a business capacity, (b) conspicuously published, (c) published with apparent agreement, and (d) not accompanied by a statement that the person does not wish to receive unsolicited commercial messages — and our message is relevant to the recipient’s business role
  • Express consent: where you have directly opted in to receive communications from us (e.g., by completing our readiness quiz, subscribing to our newsletter, or contacting us)

For contacts introduced via referral, we send a single introductory message only. Ongoing communication requires express opt-in from the recipient.

All commercial electronic messages comply with ss 17–18 of the Spam Act: they include accurate sender identification and a functional unsubscribe mechanism.

When we first contact you using information collected from a public source, our message will include a link to this privacy policy, in accordance with APP 5 (notification of collection of personal information).

14.4 Unsubscribe and Opt-Out

Every commercial message we send includes a free, functional unsubscribe mechanism. You can also email hello@amlsimple.com to opt out at any time. We honour unsubscribe requests within 5 business days as required by the Spam Act.

14.5 Retention and Deletion

Scenario | Retention
--- | ---
Active outreach contact | Retained while we have a reasonable basis for contact
No engagement for 24 months | Deleted (email retained on suppression list only)
Unsubscribe request | All data deleted within 30 days; email retained on suppression list to prevent re-contact
Deletion request | All data deleted within 30 days; email retained on suppression list

14.6 Your Rights

You have the same rights over your marketing contact data as described in Section 7, including access (APP 12), correction (APP 13), and complaint rights. Contact hello@amlsimple.com.

14.7 Overseas Disclosure

Marketing contact data may be processed through Zoho Mail (Netherlands, EU) for email delivery. See Section 11 for our approach to international data transfers and overseas recipient accountability.

15. Contact and Complaints

Privacy enquiries: hello@amlsimple.com

Complaints:
If you are not satisfied with our response, you may contact:
