Data Processing Addendum
This Data Processing Addendum (DPA) governs how ReconLink processes personal information on behalf of your accounting practice. It forms part of the ReconLink Terms of Service and is compliant with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles.
Effective 6 June 2026 · Innovious Group Pty Ltd · ABN 59 637 038 754
This Data Processing Addendum (“DPA”) is entered into between Innovious Group Pty Ltd (ABN 59 637 038 754) (“ReconLink”, “Processor”) and the Customer identified in the ReconLink account registration or Order Form (“Customer”, “Controller”). This DPA is incorporated into, and forms part of, the ReconLink Terms of Service.
A signed, PDF version of this DPA for enterprise agreements is available on request at info@reconlink.com.au.
1 Definitions
In this DPA, the following terms have the meanings given below. Other capitalised terms have the meanings in the Terms of Service.
- APPs means the thirteen Australian Privacy Principles in Schedule 1 of the Privacy Act 1988 (Cth).
- Customer Data means all Personal Information provided by or on behalf of the Customer to ReconLink in connection with the Service, including bank transactions, source documents, coded entries, BAS worksheets, and Personal Information of the Customer’s staff and end-clients.
- Data Subject means an individual whose Personal Information is included in Customer Data.
- Notifiable Data Breach has the meaning given by Part IIIC of the Privacy Act.
- Personal Information has the meaning given by section 6 of the Privacy Act.
- Security Incident means any confirmed or reasonably suspected unauthorised access to, disclosure, alteration, loss, or destruction of Customer Data.
- Sub-processor means any third-party processor engaged by ReconLink to process Customer Data on ReconLink’s behalf.
2 Details of processing
2.1 Subject matter
ReconLink processes Customer Data to deliver the bank reconciliation, transaction-coding, BAS generation, reporting, and related features described in the Terms of Service.
2.2 Nature of processing
ReconLink performs: ingestion of bank transactions (Basiq CDR feeds, CSV/Excel/PDF imports); normalisation and storage; application of deterministic and ML-based coding rules; LLM inference on normalised transaction descriptions only (no full statements or contact details are sent to OpenAI); BAS, P&L and reconciliation report generation; practice-to-client portal access; transactional email; error monitoring (scrubbed of PII); and subscription billing.
2.3 Purposes of processing
ReconLink processes Customer Data solely on the Customer’s instructions: (a) to provide the Service; (b) to comply with legal obligations; and (c) to investigate Security Incidents. ReconLink will not process Customer Data for any other purpose, including AI model training, without the Customer’s express written consent.
2.4 Categories of personal information
Customer Data may include:
- Practitioner identity — name, work email, phone, role, account credentials;
- Business information — business name, ABN, GST registration, ACN;
- End-client identity — business name, ABN, contact details;
- Financial records — bank account identifiers (masked), transaction descriptions, amounts, balances, counterparty names;
- Source documents — original PDF, CSV, or Excel bank statements;
- BAS and compliance data — G1–G19 values, 1A, 1B, quarterly filing periods;
- System metadata — IP addresses, session timestamps, audit log entries.
3 Processor obligations
ReconLink will:
- Process Customer Data only on the Customer’s documented instructions;
- Ensure authorised personnel are subject to confidentiality obligations;
- Implement the technical and organisational security measures described in section 6;
- Notify the Customer of Sub-processor engagements in accordance with section 4;
- Assist the Customer in meeting its obligations to respond to Data Subject access and correction requests (APPs 12 and 13);
- Notify the Customer of Security Incidents within 48 hours of confirmation (see section 5);
- At termination, delete or return Customer Data in accordance with section 7.
4 Sub-processors
4.1 Authorised sub-processors
The Customer authorises ReconLink to engage the following Sub-processors:
- Supabase Inc. — Primary PostgreSQL database and file storage. Hosted on AWS ap-southeast-2 (Sydney, Australia) from the Effective Date of this DPA. Data encrypted at rest with AES-256.
- Railway Corporation — Application hosting and background workers.
- Basiq Pty Ltd — CDR bank feed data retrieval (Accredited Data Recipient under the Consumer Data Right). Australian entity; CDR compliant.
- Postmark / ActiveCampaign Inc. — Transactional email delivery and inbound email parsing for the per-client email inbox feature.
- OpenAI, L.L.C. — LLM inference for transaction auto-coding (Layer 3 only). Only normalised transaction descriptions are transmitted — no account numbers, contact details, or full statements. Zero-data-retention API agreement in place; OpenAI is contractually prohibited from training on submitted data.
- Stripe Payments Australia Pty Ltd — Subscription billing and payment processing.
- Sentry (Functional Software, Inc.) — Error tracking and performance monitoring. PII is stripped from error payloads before transmission.
4.2 Changes to sub-processors
ReconLink will give the Customer at least 14 days’ prior written notice before engaging a new Sub-processor or making a material change to an existing one. If the Customer objects on reasonable grounds within 7 days, the Parties will work in good faith to resolve the objection.
4.3 Overseas sub-processors
Supabase, Railway, Postmark/ActiveCampaign, OpenAI, and Sentry are overseas recipients. ReconLink has taken reasonable steps under APP 8 to ensure each overseas recipient handles Personal Information in a manner consistent with the APPs, including through contractual data processing agreements.
5 Security incident notification
Where ReconLink confirms a Security Incident affecting Customer Data, it will notify the Customer’s practice administrator by email within 48 hours of confirmation, and in any event no later than 72 hours after discovery. The notification will describe the nature of the incident, categories and approximate volume of Personal Information affected, and measures taken or proposed. ReconLink will cooperate with the Customer’s assessment of whether notification to the OAIC and/or affected individuals is required under the Notifiable Data Breaches scheme.
6 Security measures
ReconLink implements the following controls (full detail at reconlink.com.au/security):
- Encryption in transit: TLS 1.2 minimum on all external connections;
- Encryption at rest: AES-256 on database and file storage;
- Multi-tenant isolation: PostgreSQL Row-Level Security (RLS) enforced per-practice;
- Access control: Role-based access, least privilege, JWT authentication (15-minute token expiry);
- Audit logging: Immutable log for all data access and mutation events;
- Incident response plan: Aligned with the Notifiable Data Breaches scheme;
- Backups: Automated database backups, 30-day retention;
- Dependency scanning: Automated vulnerability scanning.
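The following is an added illustration of how the per-practice Row-Level Security control listed above is typically enforced in PostgreSQL; it is an example for this page, not ReconLink's schema or code. The table name, the `practice_id` column, the `practice_id` JWT claim and the `request.jwt.claims` setting (the way PostgREST/Supabase expose claims to SQL) are assumptions.

```sql
-- Added example: per-practice tenant isolation with PostgreSQL Row-Level Security.
-- Schema, column names and the claim path are assumptions, not ReconLink's own.
-- Run as a non-superuser role (superusers always bypass RLS).
CREATE TABLE transactions (
    id            bigserial PRIMARY KEY,
    practice_id   uuid   NOT NULL,
    description   text   NOT NULL,
    amount_cents  bigint NOT NULL
);

-- Reads the tenant id from the JWT claims exposed via the request.jwt.claims
-- setting. Returns NULL when the claim is absent, so every policy below
-- denies by default rather than falling open.
CREATE FUNCTION current_practice_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
  SELECT NULLIF(current_setting('request.jwt.claims', true)::jsonb ->> 'practice_id', '')::uuid
$$;

ALTER TABLE transactions ENABLE ROW LEVEL SECURITY;
-- Without FORCE the table owner is exempt from its own policies.
ALTER TABLE transactions FORCE ROW LEVEL SECURITY;

-- USING filters what a caller can SELECT/UPDATE/DELETE; WITH CHECK stops a
-- caller from INSERTing, or re-homing via UPDATE, a row into another practice.
CREATE POLICY practice_isolation ON transactions
  FOR ALL
  USING      (practice_id = current_practice_id())
  WITH CHECK (practice_id = current_practice_id());

-- Check with two constructed tenants in one session (session-scoped setting).
SELECT set_config('request.jwt.claims',
  '{"practice_id":"11111111-1111-1111-1111-111111111111"}', false);
INSERT INTO transactions (practice_id, description, amount_cents)
  VALUES ('11111111-1111-1111-1111-111111111111', 'EFTPOS SALE', 12500);

SELECT set_config('request.jwt.claims',
  '{"practice_id":"22222222-2222-2222-2222-222222222222"}', false);
-- Tenant B must not see tenant A's row.
SELECT count(*) FROM transactions;
-- Tenant B must not be able to write a row tagged with tenant A's id;
-- the WITH CHECK clause rejects this INSERT.
INSERT INTO transactions (practice_id, description, amount_cents)
  VALUES ('11111111-1111-1111-1111-111111111111', 'SPOOF', 1);
```

Two points a reviewer would check against any RLS deployment: that policies carry a WITH CHECK clause as well as USING (USING alone lets a tenant insert rows under another tenant's id), and that the application connects as a role that is neither a superuser nor exempt via BYPASSRLS, since those roles ignore the policies entirely.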
7 Data retention and return
7.1 Retention periods
ReconLink retains Customer Data for:
- Bank transactions, BAS worksheets, and reconciliation records: minimum 5 years from the end of the relevant financial year (s. 262A, Income Tax Assessment Act 1936 (Cth)); 7-year retention is available as a practice-configurable option to satisfy ATO record-keeping guidance;
- Source PDF/CSV/Excel files: the period selected by the practice (default 12 months after commit), subject to the minimum above;
- Account information and audit logs: life of account plus 12 months after closure.
7.2 Return and deletion on termination
Within 30 days of subscription termination, ReconLink will, at the Customer’s election, either (a) provide a machine-readable export (CSV and JSON) of all Customer Data, or (b) destroy all Customer Data, except where retention is required by law. ReconLink will confirm deletion in writing within 30 days of completion.
8 Audit rights
The Customer may, no more than once per calendar year and on at least 30 days’ written notice, request an audit of ReconLink’s processing activities and security controls. Audits are at the Customer’s cost unless they reveal a material breach of this DPA. ReconLink will cooperate with any audit or investigation by the OAIC or another competent Australian authority.
9 Australian data residency
From the Effective Date of this DPA, Customer Data is stored in Supabase PostgreSQL on AWS ap-southeast-2 (Sydney, Australia). Where Customer Data is processed by an overseas Sub-processor (see section 4), ReconLink has taken reasonable steps under APP 8 to ensure the overseas recipient applies equivalent privacy protections.
10 General
10.1 Governing law
This DPA is governed by the laws of Victoria, Australia. The Parties submit to the exclusive jurisdiction of the courts of Victoria.
10.2 Amendments
ReconLink may amend this DPA from time to time. Material amendments will be notified to practice administrators at least 14 days before they take effect. Continued use of the Service after that date constitutes acceptance.
10.3 Execution
By creating a ReconLink account and accepting the Terms of Service, the Customer agrees to this DPA. For enterprise agreements requiring wet or electronic signatures, a standalone PDF is available on request at info@reconlink.com.au.
10.4 Contacting us
Privacy Officer: Innovious Group Pty Ltd · Attention: Privacy Officer
Email: info@reconlink.com.au
