Privacy Policy
Effective date: 2 May 2026
1. Introduction
Tranche (ABN 80 181 166 415) ("we", "us", or "our"), is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and store personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
This policy applies to our website, web application, and all services operated under the tranchehq.com.au domain.
2. Information We Collect
2.1 Firm account information
When you register an account, we collect: your name, email address, firm name, Australian Business Number (ABN), AUSTRAC Reporting Entity ID, and phone number.
2.2 Billing information
Payment details (card number, expiry, CVV) are collected and processed directly by Stripe, Inc. We do not store raw payment card data. We receive and store a Stripe customer ID and subscription status.
2.3 Client verification data
When you initiate an identity verification for one of your clients, we collect: the client's name, email address, and mobile phone number. The actual identity verification (including biometric data and identity documents) is conducted by Stripe Identity and is subject to Stripe's Privacy Policy. We store only the verification status and a reference ID — we do not store raw biometric data or copies of identity documents.
2.4 Bank statement data
When you upload a bank statement for Source of Wealth analysis, we store the PDF file and the extracted transaction data (dates, amounts, descriptions, running balances). This data is used solely to generate a compliance analysis report for your file. Uploaded PDFs and extracted data are encrypted at rest.
2.5 Usage data
We collect technical and usage data including IP address, browser type, pages visited, and error events via Sentry (error monitoring) and Vercel Analytics. This data is used to maintain and improve the Service.
3. How We Use Your Information
We use personal information to:
- Provide, maintain, and improve the Service;
- Process subscription payments and manage your account;
- Send transactional communications (e.g., verification invites, receipts, account notices);
- Respond to your support enquiries;
- Meet our legal and regulatory obligations; and
- Monitor the Service for security incidents and errors.
We do not use your data for advertising or marketing to third parties, and we do not sell personal information.
4. Disclosure of Personal Information
We may disclose personal information to the following categories of third parties, solely to provide the Service:
| Service Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, and file storage | USA / Australia |
| Stripe, Inc. | Payment processing and identity verification | USA |
| Amazon Web Services | Bank statement OCR via AWS Textract (ap-southeast-2) | Australia |
| Resend | Transactional email delivery | USA |
| Twilio | SMS delivery for verification invites | USA |
| Vercel | Application hosting and analytics | USA |
| Sentry | Error monitoring | USA |
Where personal information is disclosed to overseas recipients (including service providers in the USA), we take reasonable steps to ensure those recipients handle information in a manner consistent with the APPs, including by relying on contractual obligations (such as Data Processing Agreements). By using the Service, you consent to this cross-border disclosure.
We may also disclose information where required by law, court order, or regulatory authority (including AUSTRAC).
5. Data Retention
We retain personal information for as long as necessary to provide the Service and meet our legal obligations. Specifically:
- Client verification records and SoW reports are retained for seven (7) years from creation, as required by the AML/CTF Act.
- Account and billing information is retained for seven (7) years for tax and accounting purposes.
- Usage and error logs are retained for up to ninety (90) days.
After the applicable retention period, data is securely deleted or de-identified.
6. Security
We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access. These measures include:
- Encryption of data at rest (AES-256) and in transit (TLS 1.2+);
- Row-level security policies on the database ensuring each firm can only access its own data;
- Access controls limiting staff access to personal information on a need-to-know basis;
- Short-lived signed URLs for file access; and
- Regular dependency and security audits.
No method of transmission or storage is 100% secure. If you become aware of a security incident affecting your account, please contact us immediately at privacy@tranchehq.com.au.
7. Your Rights
Under the Australian Privacy Principles, you have the right to:
- Access the personal information we hold about you;
- Correct inaccurate or out-of-date information;
- Request deletion of your information (subject to legal retention obligations); and
- Complain about how we have handled your information.
To exercise any of these rights, contact us at privacy@tranchehq.com.au. We will respond within 30 days.
8. Cookies
We use session cookies to maintain your authenticated session. These are essential for the Service to function and cannot be disabled. We do not use third-party advertising cookies or tracking pixels.
9. Complaints
If you believe we have mishandled your personal information, please contact us first at privacy@tranchehq.com.au. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice within the Service. The effective date at the top of this page indicates when the policy was last revised.
11. Contact Us
For any privacy-related enquiries, please contact:
Tranche
ABN 80 181 166 415
Email: privacy@tranchehq.com.au
Tranche is operated by Tranche (ABN 80 181 166 415). © 2026 Tranche. All rights reserved.