Privacy Policy
Effective Date: March 1, 2026
1. Introduction
ComplianceLink Pty Ltd ACN 692 550 904 of Suite 805, Level 8, 220 Collins Street, Melbourne Victoria 3000 (ComplianceLink, we, us, our) provides a software-as-a-service workflow and recordkeeping platform (the Services or Platform) that assists accounting and bookkeeping firms to manage their AML/CTF, KYC/KYB, and CDD obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act).
We are an APP entity for the purposes of the Privacy Act 1988 (Cth) (Privacy Act) and are bound by the Australian Privacy Principles (APPs). We also comply with the Privacy and Data Protection Act 2014 (Vic) to the extent applicable to our operations.
This Privacy Policy explains how we collect, hold, use, disclose, and otherwise manage personal information in connection with:
• our business and the Services provided under our Master Services Agreement (MSA) with customers; and
• our website at compliancelink.com.au (Website).
This Privacy Policy should be read together with our MSA, which sets out additional obligations regarding Customer Data handling, cross-border storage, security incidents, and data export.
2. Personal Information We Collect
2.1 Customer personnel and account contacts
When an accounting or bookkeeping firm (Customer) subscribes to the Services, we collect personal information about the firm and its nominated personnel, including:
• Business contact details: firm name, ABN/ACN, registered address, telephone, and email
• Details of the Authorised Officer, Anti-Money Laundering Compliance Officer (AMLCO), and other designated Users
• Billing and payment information (payment card details are processed by our payment provider; we do not store full card numbers)
• Account credentials and login information
• Platform usage and access log data
2.2 Customer Data — third-party individuals input by Customers
The Services are designed to help Customers perform Customer Due Diligence (CDD), KYC/KYB verification, risk tiering, PEP and sanctions screening, and related compliance functions. In operating the Services, Customers input and store personal information about their own underlying clients (Customer Data). This may include:
• Names, dates of birth, residential and business addresses, and contact details
• Identity document details (e.g. passport numbers, driver licence numbers) used for KYC verification
• Business ownership structure, beneficial ownership, and control information (KYB)
• PEP status and sanctions screening results, including match data returned via screening APIs
• Risk tier classifications, risk scores, and ongoing monitoring records
• Transaction records and other compliance documentation uploaded by Customers
Processing role: To the extent we process Customer Data on a Customer's instructions, we act as a service provider/processor and the Customer is responsible as the controller and reporting entity under the AML/CTF Act. This is consistent with clause 5.2 of our MSA. Customers are responsible for collecting Customer Data with appropriate notice and consent under applicable privacy and AML/CTF laws.
2.3 Website visitors
When you visit our Website, we may collect:
• Device and browser information
• IP address and approximate geolocation
• Pages visited, time on site, and referral source (via analytics tools)
• Contact form submissions, including name, email address, firm name, and message content
2.4 Analytical Data
As described in clause 4.5 of our MSA, we may collect logs, usage statistics, and technical telemetry from the Services, which we may aggregate and anonymise in a non-identifying and non-reversible form (Analytical Data). Analytical Data does not identify Customers or any individual and may be used to operate, improve, and develop the Services and for other lawful business purposes.
2.5 Sensitive information
We do not intentionally collect sensitive information (as defined in the Privacy Act) except where it is incidentally included in identity verification materials or compliance documents uploaded to the Platform by Customers. Where this occurs, we apply the same protections as for all other personal information and do not use it for any secondary purpose.
3. How We Collect Personal Information
We collect personal information:
• Directly from individuals — when they contact us, subscribe to the Services, complete onboarding forms, or submit enquiries via the Website
• From Customers — when Customers and their Users upload, input, or import Customer Data into the Platform in connection with their AML/CTF compliance obligations
• Automatically — via cookies, analytics tools, and server logs when individuals interact with our Website or Services
• From third-party screening services — when we perform PEP and sanctions screening via the OpenSanctions API or equivalent services, we may receive match data relating to individuals screened
• From third-party KYC/identity verification providers — where Customers elect to use identity verification features, those services are provided by third-party providers and may be passed through at cost; those providers have their own privacy policies
Where it is lawful and practicable, we will allow individuals to interact with us anonymously or using a pseudonym. However, the nature of the Services and our contractual and regulatory obligations generally require that Customers and their Users are identified.
4. Why We Collect and Use Personal Information
4.1 Primary purposes
We collect and use personal information to:
• Provide, operate, and support the Services under our MSA
• Onboard Customers and manage their accounts, Orders, and Subscription Terms
• Enable AML/CTF compliance workflows including CDD, risk tiering, PEP and sanctions screening, and recordkeeping functions
• Process payments, manage billing, and issue invoices
• Respond to enquiries, provide customer support, and manage complaints
• Fulfil our contractual obligations to Customers under the MSA
• Deliver Technical Services and implementation support as outlined in agreed Statements of Work
4.2 Secondary purposes
We may also use personal information to:
• Improve and develop the Services and related Documentation
• Communicate service updates, regulatory changes relevant to AML/CTF compliance, and Platform enhancements
• Meet our own legal, regulatory, and audit obligations
• Generate Analytical Data (in anonymised, non-identifying form) to support Platform development and benchmarking
We will not use or disclose personal information for a secondary purpose unless the individual would reasonably expect us to do so, we have obtained consent, or another exception under APP 6 applies.
5. Disclosure of Personal Information
We may disclose personal information to:
5.1 Platform infrastructure and sub-processors
We use a number of third-party platforms to deliver the Services. Customer Data may be processed by or stored within these systems:
• Cloud workflow automation (Make.com / Integromat) — used for backend automation of compliance workflows
• Database platform (Airtable) — used for structured data storage across our two-base governance and CDD architecture
• Form and intake tools (JotForm) — used for client onboarding intake flows
• Third-party KYC/identity verification providers — engaged on a pass-through basis where Customers elect to use identity verification features
• Sanctions and PEP screening API (OpenSanctions or equivalent)
• Payment processors — for billing and subscription management
• Cloud infrastructure and hosting providers
5.2 Professional advisers
We may share personal information with our legal, accounting, and other professional advisers on a confidential basis where necessary.
5.3 Regulatory and law enforcement bodies
We may disclose personal information to AUSTRAC, the OAIC, the Office of the Victorian Information Commissioner, law enforcement, or other regulatory bodies where required by law, a court order, or where we reasonably believe disclosure is necessary to prevent or respond to unlawful activity.
5.4 Business succession
In the event of a merger, acquisition, or sale of all or substantially all of ComplianceLink's business or assets, personal information may be disclosed to prospective or actual purchasers or their advisers, subject to appropriate confidentiality obligations consistent with clause 17 of the MSA.
5.5 Cross-border disclosure and storage
Some of our sub-processors and third-party platforms operate in, or store data in, jurisdictions outside Australia (including the United States and the European Union). Cross-border data storage is addressed in clause 5.3 of our MSA: unless a Customer has expressly requested Australian-only data residency in their Order, Customer Data may be stored and/or accessed in jurisdictions where ComplianceLink or its subcontractors operate.
Where we disclose personal information to overseas recipients, we take reasonable steps to ensure that recipients comply with the APPs or a comparable privacy regime, consistent with APP 8.
6. Storage and Security
We hold personal information in electronic form using cloud-based systems including Airtable and associated infrastructure. In accordance with clause 4.3 of our MSA, we maintain technical and organisational security measures designed to protect Customer Data and the Services. These include:
• Access controls limiting Platform access to authorised Users
• Encrypted data transmission (HTTPS/TLS) for all data in transit
• A two-base architecture separating governance (Part A) and CDD/client data (Part B)
• Role-based access management within the Platform
• Regular review of sub-processor and third-party platform security practices
We do not guarantee that information transmitted over the internet is completely secure. Customers are responsible for maintaining the security and confidentiality of their Users' login credentials.
6.1 Security incident notification
Consistent with clause 5.4 of our MSA, if we become aware of a confirmed security incident affecting Customer Data, we will notify the affected Customer within 48 hours (or such shorter period as required by law) and provide reasonable cooperation to support their incident response obligations.
6.2 Retention and deletion
We retain personal information for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Under the AML/CTF Act, Customers are required to retain certain records for a minimum of seven (7) years. We retain Platform data accordingly unless a Customer requests earlier deletion, subject to applicable legal requirements.
Following termination or expiry of a Customer's Subscription Term, Customer Data will remain accessible for export for 90 days (as set out in clause 4.4 of our MSA), after which it will be deleted. When personal information we hold is no longer required, we take reasonable steps to destroy or de-identify it.
7. Access to and Correction of Personal Information
Under APP 12, you have the right to request access to personal information we hold about you. Under APP 13, you may request correction of personal information that is inaccurate, out of date, incomplete, or misleading.
To make a request, contact us using the details in Section 11. We will respond within 30 days. We may decline an access request on grounds permitted by the Privacy Act and will provide written reasons if we do so.
Where a request relates to Customer Data about an underlying individual that was input by a Customer, we will refer the request to the relevant Customer as the responsible controller.
8. Cookies and Online Tracking
Our Website uses cookies and similar tracking technologies to analyse site usage and improve user experience. You may configure your browser to refuse cookies, but this may affect Website functionality.
We currently use Google Analytics to understand how visitors interact with our Website. Google Analytics collects data such as pages visited, time on site, and device information. For information on how Google handles this data, see Google’s Privacy Policy at policies.google.com/privacy. We do not sell personal information collected through analytics to third parties.
9. Direct Marketing
We may use contact details provided by Customers and enquirers to send relevant communications, including service updates, regulatory alerts relevant to AML/CTF compliance, and Platform announcements. Recipients may opt out of marketing communications at any time by contacting us or using the unsubscribe mechanism in any email.
We comply with the Spam Act 2003 (Cth) and Do Not Call Register Act 2006 (Cth).
10. Privacy Complaints
If you have a complaint about how we have handled your personal information, please contact our Privacy Contact (see Section 11). We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
• Website: www.oaic.gov.au
• Phone: 1300 363 992
• Post: GPO Box 5218, Sydney NSW 2001
11. Contact Us
For privacy-related enquiries, access or correction requests, or complaints:
ComplianceLink Pty Ltd (ACN 692 550 904)
Address: Suite 805, Level 8, 220 Collins Street, Melbourne VIC 3000
Email: support@compliancelink.com.au
Website: compliancelink.com.au
12. Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we do, we will update the Effective Date above and, where changes are material, notify Customers via email or in-Platform notification in accordance with our MSA.
The current version of this Privacy Policy is available at compliancelink.com.au/privacy and is referenced in clause 5.1 of our MSA.
ComplianceLink Pty Ltd ACN 692 550 904 | Suite 805, Level 8, 220 Collins Street, Melbourne VIC 3000 | compliancelink.com.au
This policy provides structured APP-compliant disclosure and does not constitute legal advice.
