Privacy Policy

Last updated: 19 May 2026

1. About this policy

This Privacy Policy explains how Quixotic Systems Pty Ltd ACN 688 287 747 (ABN 16 688 287 747) ("Quixotic Systems", "we", "us", "our") collects, holds, uses, discloses, secures and otherwise handles personal information in connection with the AutoAML platform at autoaml.com.au (the "Service"). We are an "APP entity" under the Privacy Act 1988 (Cth) (the "Privacy Act") and comply with the Australian Privacy Principles ("APPs"), the Notifiable Data Breaches scheme, and applicable state health and records legislation. This policy forms part of our Terms of Service.

2. Who we are and our role

AutoAML is a business-to-business software tool used by Australian businesses to draft and maintain their own AML/CTF compliance documentation. In respect of information about your personnel and account holders, we act as the APP entity. In respect of personal information about your customers and third parties that you input into the Service to prepare your own compliance records, we handle that information on your behalf in accordance with our Terms of Service and this policy; you remain the APP entity with primary responsibility under the Privacy Act for that information.

3. The personal information we collect

3.1 Information you give us

  • Account information: name, email, phone, role or job title, password (hashed), display preferences, multi-factor-authentication device enrolment, referral code.
  • Organisation information: legal name, trading name, ABN/ACN, industry, business type, registered and trading address, website, contact details, employee count, premises type, risk profile responses, services offered, customer-base statistics, compliance-role appointments, fit-and-proper declarations.
  • Customer and third-party information you input: information you choose to record about your own customers or third parties for your AML/CTF record-keeping purposes, including names, contact details, identification reference numbers, risk ratings, CDD method and outcome notes, and references to evidence held by you. You must have a lawful basis and, where required, the consent of or notice to those individuals before providing this information to us. Politically-exposed-person (PEP) and sanctions screening are not performed by the Service — you conduct those checks using your own procedures and record the outcome here.
  • Identity verification information: where you use the integrated identity verification feature, the individual you nominate submits identity documents and a facial image directly to our verification provider, Stripe, through Stripe Identity. This includes government identification document data and biometric facial-image data, which is "sensitive information" under the Privacy Act. We collect and store the verification result, a verification reference and limited associated metadata; the underlying documents and biometric data are collected and held by Stripe under its own privacy terms. You are responsible for ensuring the individual has consented to the verification and to the collection of their sensitive information before you initiate it. See sections 5 and 7.
  • Payment information: your Stripe customer and subscription identifiers. Card-number, expiry and CVC data are collected directly by Stripe, our payment processor, and never reach our servers.
  • Support and correspondence: the content of emails, support tickets, survey responses and feedback you send us.

3.2 Information we collect automatically

  • Usage data: pages viewed, features used, actions taken, session duration, device and browser type, approximate IP-based location.
  • Technical and security data: IP address, request timestamps, user agent, request correlation IDs, authentication events and, for abuse-prevention purposes, details of failed log-in and API-rate-limit events.
  • Audit trail: a record of actions users take in the Service (for example, creating or editing documents, logging CDD records, changing settings) linked to the user who performed them — this is both a product feature for you and a security control for us.
  • Cookies and similar technologies: see section 10.

3.3 Information from third parties

  • Google (if you choose to sign in with Google): your name, email and profile image from your Google account.
  • Stripe: subscription, invoice and payment-status information.
  • Google Places: address suggestions during onboarding (data flows directly between your browser and Google and is governed by Google's privacy policy).
  • Publicly available sources and referrers: for example, where a partner or referring user directs you to us.

We do not knowingly collect personal information from children under 18. The Service is not directed to children.

4. Why we collect, hold, use and disclose personal information

We use personal information for the following purposes:

  • to create, authenticate and manage accounts and user permissions;
  • to deliver the Service, including generating, storing, exporting and versioning your compliance documentation;
  • to process payments, manage subscriptions, invoicing and collections;
  • to send service communications, including security alerts, transactional messages, compliance-deadline reminders and product updates;
  • to provide customer support and respond to enquiries;
  • to monitor, secure, troubleshoot and improve the Service, including detecting and preventing fraud, abuse and unauthorised access;
  • to conduct internal analytics, research and product development using de-identified or aggregated data;
  • to comply with our legal obligations, including record-keeping, tax, financial-reporting, sanctions-screening and law-enforcement requests properly made; and
  • to enforce our Terms of Service and to establish, exercise or defend legal claims.

We use personal information for direct marketing only where the law allows. You can opt out of marketing at any time using the unsubscribe link in emails or by contacting us.

5. Artificial intelligence, identity verification and automated processing

The Service uses Anthropic's Claude large-language models, accessed through Google Cloud Vertex AI, to generate draft compliance documentation. Inputs sent to these models consist of your organisation's profile information and the prompts your users enter. Anthropic contractually undertakes not to use Customer Data to train its foundational models, and we do not use your content to train our own models.

The Service does not make automated decisions that produce legal or similarly significant effects for individuals. All compliance decisions about your business and your customers are made by you. Where future law requires specific disclosure of automated decision-making (for example, under the new APP 1.7 transparency obligation commencing on 10 December 2026), we will update this policy in advance.

Where you use the identity verification feature, identity document images and a facial image are collected directly from the individual by Stripe through Stripe Identity, which uses automated techniques (including biometric facial comparison and document authentication) to produce a verification result. We record that result for your AML/CTF customer-due-diligence purposes. The result is information only: you remain the decision-maker for whether to accept, reject or further investigate any customer, and the Service does not make that decision automatically.

You control what you input into free-text AI fields. We recommend against inputting personal information about your customers into AI features unless necessary, and you must have a lawful basis for doing so.

6. Disclosure to third parties

We disclose personal information only as described in this policy. The principal categories are:

  • Sub-processors that operate parts of the Service on our instructions (see section 7);
  • Professional advisers (lawyers, accountants, auditors, insurers) under duties of confidence;
  • Government, regulators and law-enforcement agencies where we are required or authorised by law to do so, or to protect our rights, property or safety, or those of others;
  • A successor entity in connection with a merger, acquisition, financing, insolvency or sale of business, subject to confidentiality obligations; and
  • Another party with your consent, or at your direction (for example, if you choose to share documents).

We do not sell personal information, and we do not share it with advertising networks for behavioural advertising.

7. Sub-processors and cross-border disclosure

We rely on the following sub-processors to provide the Service. We take reasonable steps to ensure each sub-processor handles personal information in a manner consistent with the APPs, including through written agreements addressing purpose limitation, security, sub-contracting, data-breach notification and deletion. Under section 16C of the Privacy Act, we remain accountable for acts and practices of an overseas recipient that would breach the APPs if done by us.

| Provider | Function | Location of processing |
| --- | --- | --- |
| Google Cloud Platform / Firebase (Google LLC / Google Australia Pty Ltd) | Hosting, database (Firestore), storage, authentication, logging, serverless compute | Australia (australia-southeast1, Sydney) for primary data stores; certain control-plane and support functions may be accessed from other regions |
| Anthropic PBC (Claude via Google Cloud Vertex AI) | Large-language-model inference for document generation | Global (Vertex AI routes to available regions, which may include the United States) |
| Stripe, Inc. / Stripe Payments Australia Pty Ltd | Payment processing and subscription billing | Australia and United States |
| Stripe, Inc. (Stripe Identity) | Document and biometric identity verification of individuals you nominate | United States |
| OpenSanctions Datenbank GmbH | Politically-exposed-person (PEP) and sanctions-list screening of customers you record. Each screening call transmits the customer’s name and, where available, date of birth and nationality to the OpenSanctions Hosted API. OpenSanctions confirms in its DPA that query data is not retained beyond the time required to generate the response. | European Union (Frankfurt, Germany) |
| Resend, Inc. | Transactional email delivery | United States |
| Cloudflare, Inc. | Content delivery, DDoS protection, web application firewall | Global network; edge processing near the requesting user |
| Google LLC (Google Analytics) | Product and marketing analytics | United States and global |

In particular, identity verification information (including identity document images and biometric facial-image data) is processed and stored outside Australia, principally in the United States. It is not processed within Australia, and no Australian data-residency option is currently available for this provider.

Customer screening against politically-exposed-person (PEP) and sanctions lists is performed by transmitting the customer’s name and, where available, date of birth and nationality to the OpenSanctions Hosted API in Frankfurt, Germany. OpenSanctions has confirmed in its Data Processing Agreement that query data is processed only for the duration of the request and is not retained or logged thereafter, used to train models, or shared with other parties. Screening results returned to us are stored in our Australian Firestore database.

By using the Service you acknowledge the above cross-border disclosures. We maintain an up-to-date internal sub-processor register; material changes to this list will be reflected in this policy and, where the law requires, notified to account owners in advance.

8. Data security

We implement administrative, technical and physical safeguards appropriate to the nature of the personal information we hold. These include:

  • encryption in transit using TLS and encryption at rest using provider-managed keys;
  • identity and access management with role-based access control, least-privilege service accounts, and optional multi-factor authentication for end users;
  • tenant isolation: every record is scoped to an organisation and enforced at both the database security-rule layer and the application middleware layer;
  • network protection through a managed WAF, rate-limiting and DDoS mitigation;
  • secure development practices, input validation, audit logging, and monitoring of security-relevant events; and
  • automated daily database backups with defined retention, and storage object versioning for compliance-document buckets.

No system is perfectly secure. You are responsible for keeping your credentials confidential, using strong passwords, enabling multi-factor authentication, and promptly notifying us of any suspected unauthorised access by emailing support@autoaml.com.au.

9. Data retention

  • Active accounts: personal information is retained for the duration of your subscription and while needed for the purposes described in section 4.
  • After cancellation: you have a 90-day read-only period to export Customer Data. After that period, active-system data is deleted, subject to the next bullets.
  • Compliance documentation: AML/CTF documents stored in our document buckets are subject to a seven-year retention policy at the storage layer to align with the minimum record-keeping periods under section 113 of the AML/CTF Act and AUSTRAC guidance. You remain responsible for your own statutory record-keeping; we are not a statutory record-keeper for you.
  • Identity verification data: we retain the verification result, reference and limited metadata as part of your AML/CTF records (subject to the seven-year period above). The underlying identity documents and biometric data are retained and deleted by Stripe under its own retention practices, not by us.
  • Backups and logs: encrypted backups and security/audit logs are retained for defined periods and rotated out of storage in the ordinary course.
  • Legal holds: we may retain information longer where required by law, where necessary to establish, exercise or defend legal claims, or where subject to a regulator or law-enforcement request.
  • Aggregated and de-identified data: may be retained indefinitely where it can no longer reasonably be used to identify you or any individual.

10. Cookies and similar technologies

We use strictly-necessary cookies for authentication, session management, load balancing and security (these cannot be turned off without breaking the Service). We use analytics cookies (including Google Analytics) to understand usage and improve the product; you can opt out via your browser settings or by using the Google Analytics opt-out browser add-on. We do not use third-party advertising cookies.

11. Your rights

Under the Privacy Act and the APPs you have the right to:

  • request access to personal information we hold about you;
  • request correction of inaccurate, out-of-date, incomplete, irrelevant or misleading personal information;
  • request that we delete personal information where no longer needed for the purpose collected and we are not required by law to retain it;
  • opt out of receiving direct marketing;
  • request information about our handling of your personal information, including overseas disclosures; and
  • make a complaint about a breach of the APPs.

To exercise any of these rights, contact our Privacy Officer at support@autoaml.com.au. We will respond within a reasonable time (and in any case within 30 days for access requests, consistent with OAIC guidance). We may ask you to verify your identity before actioning a request. There is no fee for making a request, though a reasonable cost-recovery charge may apply to access in unusual cases.

If you input personal information about a third party (for example, a customer of your business), requests from that individual are generally directed to you as the APP entity responsible for that information; we will reasonably assist.

12. Data breaches

If we become aware of a data breach that we assess (or are required to assess) as likely to result in serious harm to any individual, we will notify the Office of the Australian Information Commissioner and affected individuals as required by Part IIIC of the Privacy Act. Where you are the APP entity for the affected information, we will promptly notify you and cooperate with your own assessment and notification obligations under the Notifiable Data Breaches scheme.

13. How to complain

If you believe we have breached the APPs, contact our Privacy Officer at support@autoaml.com.au with details of the complaint. We will acknowledge receipt within 5 business days and provide a substantive response within 30 days. If you are not satisfied with our response, you may escalate to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or 1300 363 992.

14. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top shows when the policy was last revised. We will notify account owners of material changes by email or in-app notice a reasonable period before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

15. Contact us

Privacy Officer, Quixotic Systems Pty Ltd — email support@autoaml.com.au. Postal address: Canberra, Australian Capital Territory, Australia (full registered address available on request).