Privacy Policy
How we collect, use, store, secure and disclose personal information when you use ReconLink. Written to align with the Australian Privacy Principles in Schedule 1 of the Privacy Act 1988 (Cth).
Effective 20 May 2026 · Innovious Group Pty Ltd · ABN 59 637 038 754
Innovious Group Pty Ltd (ABN 59 637 038 754) (“ReconLink”, “we”, “us”, “our”) operates a bank reconciliation and statement-coding platform for Australian accounting practices (the “Service”). This policy explains how we handle personal information when you, your colleagues or your clients interact with the Service or our website at reconlink.com.au.
We treat compliance with the Privacy Act 1988 (Cth) (the Privacy Act) and the thirteen Australian Privacy Principles (APPs) as the floor, not the ceiling. Where we serve users in jurisdictions with stricter requirements (e.g. the European Union under the GDPR, or the United Kingdom under the UK GDPR), we apply those higher standards in addition.
1 What this policy covers
This policy applies to all personal information we collect through:
- Our public marketing site at reconlink.com.au;
- The ReconLink application (the practice dashboard, client portal, admin console);
- Email and other support channels (info@reconlink.com.au);
- Inbound channels including the per-client email inbox feature, CSV/Excel/PDF uploads and Basiq Consumer Data Right (CDR) bank feeds, where personal information may be embedded in the source documents.
This policy does not cover handling of personal information by your accounting practice or by your clients, who remain independent controllers of the data they enter into the Service. It also does not cover third-party sites we link to.
2 The kinds of personal information we collect
2.1 Account information
Names, work email addresses, business phone numbers, role within the practice, password hashes (we never store cleartext passwords), and authentication metadata such as session timestamps and IP addresses.
2.2 Practice and client information
Business names, ABNs, GST registration status, accounting software identifiers, and details of the bookkeeping and BAS engagements between the practice and its clients.
2.3 Bank transaction and financial information
Bank transactions retrieved through Basiq under the Consumer Data Right framework, or uploaded as CSV, Excel or PDF statements. This may include account identifiers (which we store in masked form where possible), transaction descriptions, counterparties, amounts, balances and source documents.
We classify bank transaction and statement data as sensitive financial information and apply heightened controls (see our Security page).
2.4 Email and forwarded content
Where you forward statements to the per-client email inbox, we ingest the message envelope (sender, recipient, message ID, timestamp) and the attachment payload. We do not parse forwarded message bodies for content beyond what is necessary to validate the sender and ingest the attachments.
2.5 Usage, device and analytics information
Page views, feature interactions, browser type, screen size, approximate location derived from IP address, and application logs. We use this data to operate, secure and improve the Service. We do not run third-party advertising trackers on logged-in product surfaces.
2.6 Sensitive information
We do not solicit sensitive information (as defined in section 6 of the Privacy Act, including health information and information about racial or ethnic origin). If sensitive information appears incidentally in a transaction description or attachment, we treat it as confidential and do not use it for any secondary purpose.
3 How we collect personal information
We collect personal information directly from you when you register, sign in, configure your practice, upload statements, contact support or fill in our contact form. We also collect personal information indirectly when:
- Your practice colleagues invite you to a workspace and populate fields about you;
- Your clients are added by your practice and bank transactions are imported on their behalf;
- Basiq, on instruction from a customer authorising a CDR data-sharing arrangement, transmits bank transaction data to ReconLink;
- An allowlisted sender forwards a statement to a client’s unique email inbox address.
4 Why we collect and use personal information
We use personal information to:
- Provide, authenticate and personalise the Service;
- Reconcile, code and report on bank transactions on behalf of the practice;
- Generate BAS, P&L and cash-flow exports in the format requested by the practice;
- Bill subscriptions, manage trials and process refunds;
- Respond to support requests and security or compliance enquiries;
- Detect, investigate and prevent fraud, misuse and security incidents;
- Comply with our legal and regulatory obligations, including under the Privacy Act, the Australian Consumer Law (Schedule 2 of the Competition and Consumer Act 2010 (Cth)) and tax and corporations law;
- Conduct quality and performance research on aggregated, de-identified data sets to improve the Service.
5 To whom we disclose personal information
We disclose personal information only to the categories of recipients listed below, and only to the extent required for the purposes set out in section 4:
- Service providers and sub-processors — our infrastructure, communications and analytics vendors, each engaged under written contracts requiring them to protect personal information consistently with the APPs. Our current sub-processor list is set out in section 6.
- Your practice administrators — where you are a practice user, administrators of the same practice workspace can see your account profile and audit-log entries.
- Your clients — where you make information visible through the client portal.
- Professional advisers — lawyers, accountants, auditors and insurers, bound by confidentiality.
- Acquirers — in the event of a sale, merger or asset transfer involving ReconLink, subject to equivalent privacy commitments.
- Law enforcement and regulators — where disclosure is required or authorised by Australian law, including under a warrant, court order or notice from a regulator such as the OAIC, the ATO or ASIC.
We do not sell, rent or trade personal information.
6 Sub-processors and overseas transfers
The following sub-processors host or process personal information on our behalf. We are currently completing a migration of our primary database to AWS Sydney (ap-southeast-2) to achieve full AU data residency. Contact security@reconlink.com.au for current migration status.
- Supabase Inc. (PostgreSQL database + storage) — primary data store, hosted in the AWS Asia-Pacific region. Migration to AWS Sydney (ap-southeast-2) is in progress (target: 30 May 2026). Data at rest is encrypted with AES-256.
- Railway Corporation (application hosting) — runs the FastAPI application and background workers.
- Basiq Pty Ltd — Accredited Data Recipient under the Consumer Data Right; provides bank transaction data on customer consent.
- Postmark / ActiveCampaign Inc. — transactional email delivery and inbound email parsing for the per-client email inbox feature.
- OpenAI, L.L.C. — large-language-model inference for Layer 3 of our auto-coding stack. Calls to OpenAI are made with content limited to the transaction description and minimal contextual signals; no full statements, contact details or account numbers are transmitted, and OpenAI is contractually prohibited from training on the data we submit.
- Stripe Payments Australia Pty Ltd — payment processing for subscription billing.
- Sentry / observability vendor — error tracking and performance monitoring; we scrub IP addresses and personal identifiers from event payloads before transmission.
When we engage a new sub-processor that materially changes where or how personal information is processed, we will update this list and notify practice administrators by email at least 14 days before the change takes effect.
7 Data retention and source-document handling
We retain personal information only for so long as is necessary for the purposes set out in this policy or as required by law. Specifically:
- Bank transactions, BAS worksheets and source documents are retained for the period required by Australian tax law (currently five years from the end of the relevant financial year under section 262A of the Income Tax Assessment Act 1936 and equivalent obligations) or for the length of your subscription, whichever is longer.
- Original PDF, CSV and Excel source files retained in Supabase Storage are purged on a schedule set by the practice (default 12 months after the linked statement is committed), subject to the minimum retention period above.
- Account information is retained for the life of the account and for 12 months after closure, after which it is destroyed or irreversibly de-identified.
- Marketing contact submissions and newsletter records are retained for 24 months from last interaction unless you ask us to delete them sooner.
8 How we protect personal information
We take reasonable steps under APP 11 to protect personal information from misuse, interference, loss and unauthorised access, modification or disclosure. Our controls are described in detail in our Security policy and include transport encryption (TLS 1.2 minimum), at-rest encryption, multi-tenant row-level isolation, least-privilege access, audit logging, secret management, dependency scanning and an incident response plan.
9 Cookies and tracking technologies
We use a small number of strictly necessary cookies to keep you signed in and to remember workspace selections. Analytics and feature-flag cookies are first-party only and can be disabled in your browser without breaking the core Service. We do not deploy third-party advertising trackers on authenticated product pages.
10 Your rights — access, correction and complaints
Under the Privacy Act you may:
- Request access to the personal information we hold about you (APP 12);
- Request correction of personal information that is inaccurate, out of date, incomplete, irrelevant or misleading (APP 13);
- Request deletion of personal information where we are not required to retain it for a legal, tax or security purpose;
- Lodge a complaint about how we have handled your personal information.
Most of these requests can be self-served from your ReconLink account settings. For anything that cannot, write to info@reconlink.com.au and we will respond within 30 days. If you are not satisfied with our response you may refer the complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or on 1300 363 992.
11 Notifiable data breach response
We maintain an incident response plan aligned with the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act. Where a data breach is likely to result in serious harm to individuals and we cannot remediate that risk, we will notify affected individuals and the OAIC as soon as practicable, and in any event within the timeframes required by law.
12 Children
The Service is intended for use by accounting practices and their staff in a professional context. We do not knowingly collect personal information from individuals under the age of 16. If you believe we have done so, contact us and we will delete it.
13 Changes to this policy
We may amend this policy from time to time. Material changes will be communicated by email to practice administrators at least 14 days before they take effect. The current version is always available at reconlink.com.au/privacy and the effective date is stated at the top of this page.
14 Contacting us
Our Privacy Officer can be reached at:
Innovious Group Pty Ltd · Attention: Privacy Officer
Email: info@reconlink.com.au
Postal: a current postal address will be added once our office is established. In the interim, please use the email address above.
