MoneyMoves

Privacy Policy

Last updated 1 June 2026

MoneyMoves ("we", "us", "our") operates the MoneyMoves personal finance web app for Australian users. This policy explains how we collect, use, store, and disclose personal information under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

1. What we collect

  • Identity & account: email address, password (hashed), display name, age, pay frequency.
  • Financial profile you enter: annual gross income, monthly savings pool, HECS/super settings, super projection preferences, tax deductions, other income, goals, property details, manual account balances, and investment holdings.
  • Bank data (with your consent): account names, types, and balances, plus transaction descriptions, amounts, and dates, retrieved via Basiq Open Banking / Consumer Data Right (CDR).
  • Bank feed data you create: transaction categories, manual transactions, vendor mappings, and property links on transactions.
  • Subscription data: Stripe customer ID and subscription status (payments are processed by Stripe — we do not store full card numbers).
  • Uploaded documents: PDF invoices you attach to tax deductions or property records (stored in your account data).
  • Technical data: session/authentication cookies, IP address and browser type in server logs, and app usage needed to run the service.
  • AI features (optional): if you use the Simulator chat or finance Q&A, a summary of your dashboard figures may be sent to our AI provider to generate a response — not your full raw bank feed.

2. How we collect information

  • Directly from you when you sign up, complete Profile fields, categorise transactions, or upload documents.
  • From Basiq when you click Link bank and complete bank consent in the Basiq consent flow.
  • From Stripe when you subscribe to Premium.
  • Automatically through Supabase authentication sessions and essential cookies required to keep you signed in.
  • From third-party market data (e.g. Yahoo Finance) when displaying share prices — we send ticker symbols, not your identity.

3. Why we collect and use information

  • To provide dashboards, spending insights, cash-flow views, tax estimates, goals tracking, and account aggregation.
  • To sync and display bank balances and transactions you authorise.
  • To manage Premium subscriptions and access to paid features.
  • To save your preferences and keep your data in sync across sessions.
  • To maintain security, prevent abuse, and improve the app.
  • We do not sell your personal information.

4. Who we disclose information to

We share personal information only as needed to run MoneyMoves:

  • Basiq Pty Ltd — to connect your bank accounts and retrieve CDR data you consent to. Basiq acts under the CDR regime. See basiq.io/privacy.
  • Stripe, Inc. — to process subscription payments and manage billing. Stripe handles card data under its own privacy policy.
  • Supabase (hosted infrastructure) — to authenticate you and store your account data in a secured database with row-level security.
  • OpenAI (if enabled) — anonymised/summarised financial context when you use in-app chat features.
  • Infrastructure and hosting providers that process data on our behalf under confidentiality obligations.
  • Regulators, courts, or law enforcement if required by Australian law.

5. Overseas disclosure

Some service providers (including Supabase, Stripe, Basiq, and OpenAI) may store or process data outside Australia (commonly the United States or European Union). Where we disclose personal information overseas, we take reasonable steps to ensure recipients handle it in line with APP 8, including contractual protections where appropriate.

6. Data retention

  • We keep your information while your account is active and as needed to provide the service.
  • If you delete manual accounts or disconnect a bank, related synced data is removed or stops updating.
  • After account closure, we delete or de-identify personal information within 30 days, except where longer retention is required by law (e.g. tax or payment records).
  • Server logs are retained for up to 90 days for security and troubleshooting.

7. Security

We use industry-standard measures including encrypted connections (HTTPS), hashed passwords, database row-level security, authenticated API routes, and restricted access to production systems. No method of transmission or storage is 100% secure; you are responsible for keeping your login credentials safe.

8. Your rights

Contact privacy@moneymoves.com.au to exercise these rights. We will respond within a reasonable time (usually 30 days).

  • Access — request a copy of personal information we hold about you.
  • Correction — update most information in Profile, Bank Feed, and related tabs; contact us for anything you cannot edit.
  • Deletion — remove data in-app or email us to close your account.
  • Withdraw bank consent — disconnect via your bank or stop using Link bank; we will stop fetching new CDR data.
  • Opt out of marketing — we do not send marketing without consent; unsubscribe from any optional emails.

9. Notifiable Data Breaches

If a data breach is likely to cause serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches (NDB) scheme.

10. Complaints

Email privacy@moneymoves.com.au with details of your concern. We will acknowledge and investigate promptly. If you are not satisfied, you may contact the OAIC at oaic.gov.au or 1300 363 992.

11. Changes

We may update this policy from time to time. When we do, the "Last updated" date will change, and continued use after notice constitutes acceptance of material changes.