Privacy Policy
Last updated: 14 March 2026
1. Overview
AML Mate Pty Ltd (ABN pending) (“we”, “us”, “our”) is committed to protecting your privacy. This policy explains how we collect, use, disclose, and safeguard your information when you use our platform at amlmate.com.au (“the Service”).
We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).
2. Information We Collect
2.1 Information you provide
- Account information: Name, email address, password (hashed).
- Business information: Business name, ABN, industry, designated services, compliance officer details.
- Client data: Client names, identification details, risk assessments, and KYC/CDD records you enter into the Service.
- Documents: Files you upload (ID documents, financial records).
- Contact form submissions: Name, email, and message content.
2.2 Information collected automatically
- Usage data: Pages visited, features used, activity logs.
- Device information: Browser type, operating system, IP address.
- Cookies: Session cookies for authentication. We do not use third-party tracking cookies.
3. How We Use Your Information
We use your information to:
- Provide and maintain the Service.
- Generate compliance plans, risk assessments, and reports based on your inputs.
- Screen clients against PEP and sanctions lists (DFAT, OpenSanctions) as part of the Service's compliance features.
- Send transactional emails (account verification, password reset, compliance alerts).
- Process payments via Stripe.
- Respond to support requests.
- Improve the Service based on usage patterns (aggregated, anonymised).
4. AI Features
The Service includes an AI compliance assistant powered by Google Gemini. When you use this feature:
- Your questions and relevant page context are sent to Google's API to generate responses.
- We do not send your client PII (names, ID numbers) to the AI model. Only business context (industry type, risk factors) is shared.
- AI conversations are stored in our database for your reference and are subject to the same data protection as all other data.
5. Data Sharing
We do not sell your data. We share information only with:
- Stripe: Payment processing. Stripe's privacy policy applies to payment data.
- Supabase: Database hosting (PostgreSQL). Data is stored in Australia or the nearest available region.
- Resend: Email delivery service for transactional emails.
- Vercel: Application hosting.
- Google (Gemini API): AI assistant queries only (see Section 4).
- OpenSanctions / DFAT: Client names are checked against public sanctions and PEP databases as part of the compliance screening feature.
- Law enforcement: If required by law, court order, or regulatory obligation.
6. Data Security
- Passwords are hashed using bcrypt.
- All data is transmitted over HTTPS (TLS 1.2+).
- Session tokens are signed JWTs delivered in cookies with the httpOnly, secure, and sameSite attributes set.
- Database access is restricted to authenticated application queries only.
- Uploaded documents are stored in the database with access controls scoped to your team.
7. Data Retention
- Account data is retained while your account is active and for 30 days after a deletion request.
- Client KYC/CDD records are retained per AUSTRAC requirements (7 years from when the record was created or the relationship ended, whichever is later). You are responsible for your own retention obligations under the AML/CTF Act.
- AI conversation history is retained for 12 months, then automatically deleted.
- Payment records are retained as required by Australian tax law.
8. Your Rights
Under the Australian Privacy Principles, you have the right to:
- Access: Request a copy of personal information we hold about you.
- Correction: Request correction of inaccurate information.
- Deletion: Request deletion of your account and associated data (subject to legal retention requirements).
- Export: Export your client data in CSV format at any time via the dashboard.
- Complaint: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs.
9. Children
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app notice at least 14 days before they take effect.
11. Contact Us
For privacy-related inquiries or to exercise your rights, contact us at: