1. Introduction
Welcome to BookWell (Finnovation Pty Ltd, ABN 67 676 448 552). We provide an AI-powered financial workforce platform (the "Services") designed to automate bookkeeping, payroll, tax optimization, and financial analytics. Protecting your privacy and securing your sensitive financial and employee data is our highest priority. This Privacy Policy outlines how we collect, use, store, and share your Personal Information and Consumer Data Right (CDR) Data in compliance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the CDR Rules.
2. Information We Collect
To provide our AI Services, we collect the following types of information:
Account & Identity Information: Name, email address, phone number, role/title, and business details (e.g., ABN, company name).
Financial & Transaction Data: Bank feeds, transaction histories, invoices, bills, and tax-related information necessary for bookkeeping and compliance.
Payroll & Employee Data (Sensitive Information): If you use our AI Payroller , we collect employee names, addresses, dates of birth, Tax File Numbers (TFNs), salary details, timesheets, and Superannuation fund details to facilitate Single Touch Payroll (STP) Phase 2 and SuperStream compliance.
AI Interaction Data ("Context Graph"): Information regarding how you interact with our AI Agents (e.g., AI Manager, AI Analyst) , including communication preferences, historical prompts, and business context, which helps our AI remember your company history and execute complex workflows.
3. How We Use Your Information
We use your information strictly to deliver and improve our Services, including:
Automating daily bookkeeping, data processing, and compliance risk scanning (e.g., via AI Guardian).
Processing payroll calculations and lodging STP data with the ATO.
Providing business insights, cash flow forecasts, and tax optimization strategies.
Training and refining your localized "Context Graph" to personalize the AI Workforce's collaboration and decision-making for your specific business.
De-identification: We may de-identify and aggregate financial data to improve our machine learning models, monitor system performance, and develop new features, ensuring no individual or company can be re-identified.
4. How We Share Your Information (Authorized Infrastructure Partners)
BookWell operates as a secure platform layer. To execute specialized financial transactions, we embed highly secure, regulated, and Australian-accredited third-party infrastructure. We do not sell your data. We only share data with the following categories of Authorized Infrastructure Partners (Sub-processors):
Accredited Data Recipients (CDR): To aggregate your bank feeds, we partner with infrastructure providers officially accredited under the Australian Consumer Data Right (CDR) regime.
Digital Service Providers (DSP): To process payroll and lodge STP/SuperStream, we share relevant employee data with an ATO-certified and ISO 27001-aligned payroll infrastructure provider .
Service Integrations: Payment gateways, insurance providers, or lending institutions, but only when you explicitly choose to engage with these third-party services via our platform to pay bills or seek financial products.
Note: A complete and current registry of our specific Authorized Infrastructure Partners is available upon request to our Privacy Officer or accessible via your secure customer dashboard. By using our Services, you consent to the processing of your data by these regulated entities.
5. Consumer Data Right (CDR) Compliance
When you connect your bank accounts, you warrant that you are a "CDR Business Consumer." We strictly adhere to the CDR Privacy Safeguards. CDR Data is only retrieved with your explicit, informed consent, used solely for the agreed-upon use cases (e.g., transaction categorization), and is never used for unauthorized direct marketing.
6. Data Storage and Security
We employ enterprise-grade security measures to protect your data:
Data Residency: Your core financial and personal data is hosted securely in Australia (e.g., AWS Sydney Region) using multi-availability zone deployments.
Encryption & Access: Data is encrypted in transit and at rest. We utilize role-based access controls and audit logging.
Breach Notification: In the unlikely event of a data breach that poses a real risk of serious harm, we will notify you and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme.
7. Your Rights and Choices
Under the Privacy Act and CDR Rules, you have the right to:
Access and Correct: Request access to the Personal Information we hold about you and ask for corrections if it is inaccurate.
Withdraw Consent: You may disconnect your bank feeds or revoke payroll processing consent at any time via your dashboard. (Note: Withdrawing consent may limit the AI's ability to perform certain tasks).
Data Deletion: Request the deletion or de-identification of your data upon account termination, subject to our legal data retention obligations (e.g., ATO requirements for financial records).
8. Contact Us & Complaints
If you have any questions, concerns, or wish to file a complaint regarding how we handle your privacy or CDR data, please contact our Privacy Officer:
Email: info@bookwell.ai
Address: Level 17, International Tower Three, 300 Barangaroo Ave, Barangaroo NSW 2000, Australia
We will respond to all privacy complaints within 30 days. If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.