Privacy Policy
Version 1.4 — Last updated: 22 April 2026 | Jurisdiction: Victoria, Australia
This document has been drafted using current Australian legal standards and is intended as a starting point. It does not constitute legal advice. You should seek independent legal advice from a qualified Australian legal practitioner before relying on this document.
1. Introduction (APP 1 — Open and Transparent Management)
Anum Pty Ltd (ABN 80 697 129 525, ACN 697 129 525) ("Summed", "we", "us", "our") is committed to protecting your personal information in accordance with the Privacy Act 1988 (Cth) ("Privacy Act") and the thirteen Australian Privacy Principles ("APPs"). This Privacy Policy explains how we collect, use, disclose, and store your personal information when you use our cloud-based bookkeeping platform at summed.com.au ("Service").
Summed is an APP entity for the purposes of the Privacy Act because the Service handles financial information. This Privacy Policy is maintained in accordance with APP 1, which requires us to manage personal information in an open and transparent way. We make this policy freely available and will update it whenever our information handling practices change.
Important — Financial Data: Because Summed handles financial records, business transaction data, staff wage information, and government-related identifiers (such as ABNs), we are subject to heightened privacy obligations. We treat all financial data entered into the Service as sensitive business information and apply additional safeguards accordingly.
2. Anonymity and Pseudonymity (APP 2)
Where practicable, we will give you the option of not identifying yourself, or of using a pseudonym, when dealing with us. However, due to the nature of the Service (financial record-keeping requiring accurate business and identity information), it is generally not practicable to use the Service anonymously or under a pseudonym. We require your real identity for account registration, payment processing, and to comply with our legal obligations, including those under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
You may contact us with general enquiries without identifying yourself.
3. Information We Collect (APP 3 — Collection of Solicited Personal Information)
We only collect personal information that is reasonably necessary for, or directly related to, one or more of our functions or activities — namely, providing the Service to you. We collect personal information by lawful and fair means, and directly from you wherever possible.
3.1 Information You Provide
| Data Type | Examples | Purpose |
|---|---|---|
| Account information | Name, email address, password | Account creation and authentication |
| Business information | Business name, ABN, GST registration status | Configuring your bookkeeping environment and reports |
| Financial records | Transactions, categories, amounts, dates | Core bookkeeping functionality |
| Staff information | Staff names, hourly rates, shift records | Wage management and reporting |
| Payment information | Subscription plan selection (card details processed by Stripe) | Billing and subscription management |
| Uploaded files | Receipt and invoice images | Record-keeping, transaction documentation, and optional AI-assisted data extraction (see Section 8) |
| Bank transaction data | Transaction dates, descriptions, amounts, and account references imported from bank-exported CSV files | Transaction import and bookkeeping — see Section 3.3 |
3.2 Information Collected Automatically
- Usage data: Pages visited, features used, and actions taken within the Service
- Technical data: IP address, browser type, device type, operating system
- Cookies: Authentication cookies (see Section 13)
3.3 Bank Transaction Data (CSV Import)
You may voluntarily upload bank transaction data in CSV format that you have exported from your own banking institution (such as CBA, ANZ, Westpac, NAB, Bendigo Bank, St George, ING, or Macquarie). When you use this feature, we collect transaction dates, descriptions, amounts, and account references contained in the uploaded CSV file.
Important — What we do NOT do:
- Summed does not connect to, or retrieve data from, any banking institution, financial data aggregator, or payment system in order to obtain your bank transactions (our use of Stripe for subscription billing, and any optional third-party integrations you choose to enable, are described separately in Section 8)
- Summed does not use Open Banking, the Consumer Data Right (CDR) under the Competition and Consumer (Consumer Data Right) Rules 2020, or any screen-scraping, credential-sharing, or automated data retrieval technology
- Summed does not request, store, or process your bank login credentials at any time
- The upload is initiated entirely by you, using a file you have already downloaded from your banking institution
How bank CSV data is processed: Uploaded CSV files are parsed in memory during the upload process for the purpose of extracting transaction records. The raw CSV files are not retained on our systems after processing is complete. Only the extracted transaction records (dates, descriptions, amounts, and account references) are stored, encrypted at rest using AES-256-GCM encryption, and associated with your account.
Bank transaction data is collected and used solely for the primary purpose of providing the Service to you — specifically, to populate your transaction ledger and assist with bookkeeping and financial record-keeping. This data is not used for any secondary purpose, is not disclosed to any third party, and is not used for profiling, marketing, or credit assessment purposes.
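The processing described above, shown as an added illustration that is not Summed's own code: the upload is read as a stream and never written to disk, only the four retained fields are kept, and each stored record is sealed with AES-256-GCM using a fresh random nonce and the owning account ID as additional authenticated data, so a record moved between accounts fails to decrypt. The CSV column layout, the account ID, and the 32-byte data key (standing in for an AWS KMS data key) are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/csv"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Transaction holds the only four fields retained from an uploaded bank CSV
// (Amount stays a decimal string here; a real ledger would use integer cents).
type Transaction struct {
	Date, Description, Amount, AccountRef string
}

// sampleCSV is a constructed upload in an assumed header layout (real bank exports differ).
const sampleCSV = `Date,Description,Amount,Account
2026-03-02,COLES 0412 MELBOURNE,-54.20,XXXX-1234
2026-03-03,DIRECT CREDIT PAYROLL,"1,250.00",XXXX-1234
`

// ParseBankCSV streams the upload and keeps only the retained fields; nothing
// is written to disk, and each raw row is dropped once its Transaction exists.
func ParseBankCSV(r io.Reader) ([]Transaction, error) {
	cr := csv.NewReader(r) // enforces a consistent field count per row
	header, err := cr.Read()
	if err != nil {
		return nil, err
	}
	idx := map[string]int{}
	for i, h := range header {
		idx[strings.ToLower(strings.TrimSpace(h))] = i
	}
	for _, col := range []string{"date", "description", "amount", "account"} {
		if _, ok := idx[col]; !ok {
			return nil, fmt.Errorf("missing column %q", col)
		}
	}
	var out []Transaction
	for {
		rec, err := cr.Read()
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return nil, err
		}
		out = append(out, Transaction{rec[idx["date"]], rec[idx["description"]], rec[idx["amount"]], rec[idx["account"]]})
	}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals one transaction with AES-256-GCM under a data key (a
// stand-in for a KMS-generated data key), with a fresh random 96-bit nonce per
// record and the owning account ID as additional authenticated data.
// Output layout: nonce || ciphertext || tag.
func EncryptRecord(key []byte, accountID string, t Transaction) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	plain, err := json.Marshal(t)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, []byte(accountID)), nil
}

// DecryptRecord reverses EncryptRecord; a record re-attached to another
// account fails the tag check before anything is parsed.
func DecryptRecord(key []byte, accountID string, blob []byte) (Transaction, error) {
	var t Transaction
	gcm, err := newGCM(key)
	if err != nil {
		return t, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return t, fmt.Errorf("ciphertext too short")
	}
	plain, err := gcm.Open(nil, blob[:n], blob[n:], []byte(accountID))
	if err != nil {
		return t, err
	}
	return t, json.Unmarshal(plain, &t)
}
```

Two things to check when reviewing an implementation of this kind: the parser takes an io.Reader rather than a file path, so there is no temporary copy of the upload to clean up, and the account ID travels as authenticated data rather than inside the plaintext, so the database cannot be made to hand one customer's ledger to another by re-pointing a row. In production the data key would itself be wrapped by KMS (envelope encryption) rather than held raw in process memory.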
4. Unsolicited Personal Information (APP 4)
If we receive personal information that we did not solicit, we will determine within a reasonable period whether we could have collected the information under APP 3. If we determine that we could not have collected the information, and the information is not contained in a Commonwealth record, we will destroy or de-identify the information as soon as practicable, provided it is lawful and reasonable to do so.
5. Notification of Collection (APP 5)
At or before the time we collect your personal information (or as soon as practicable afterwards), we will take reasonable steps to notify you of the matters required under APP 5, including: the identity and contact details of the organisation collecting the information; the purposes of collection; the consequences if information is not collected; the entities to which we usually disclose information; and information about this Privacy Policy.
6. How We Use Your Information (APP 6 — Use or Disclosure)
We use your personal information only for the primary purpose for which it was collected, or for a secondary purpose that is directly related to the primary purpose and which you would reasonably expect. We use your information for the following purposes:
- Providing and maintaining the Service
- Processing your subscription payments via Stripe
- Generating financial reports and data exports
- Sending transactional emails (account confirmation, password resets, subscription notices)
- Improving the Service and developing new features (using aggregated, de-identified data where possible)
- Complying with legal obligations, including taxation record-keeping requirements
- Protecting the security of the Service and our users
- Responding to lawful requests from regulatory authorities, courts, or law enforcement
7. Direct Marketing (APP 7)
We will not use your personal information for direct marketing unless you have provided explicit opt-in consent. If you do consent to receiving marketing communications, every communication will include a simple and free unsubscribe mechanism in accordance with the Spam Act 2003 (Cth). You may opt out of direct marketing at any time by clicking the unsubscribe link in any marketing email or by contacting us at support@summed.com.au.
We will not use or disclose your financial records or business transaction data for any marketing purpose.
8. Disclosure of Information (APP 6)
We may disclose your personal information to the following service providers ("data processors") who help us operate the Service:
- Amazon Web Services (Amazon Web Services Australia Pty Ltd — AWS Sydney region, ap-southeast-2): Cloud hosting, database, and object-storage infrastructure. Your personal information, business data, and uploaded receipts and invoices are stored on AWS infrastructure physically located in Australia (Sydney region), with Multi-Availability-Zone redundancy and encryption at rest managed via AWS Key Management Service. As this data remains onshore in Australia, disclosure to AWS for hosting purposes is not a cross-border disclosure under APP 8. AWS is engaged under contractual terms that require it to handle personal information consistently with the Australian Privacy Principles.
- Stripe (Stripe Inc, USA): For payment processing, subscription billing, and card data handling. We do not store full card numbers on our servers — payment data is handled directly by Stripe. Stripe's privacy policy applies to payment data they process.
- OpenAI (OpenAI Inc, USA): When you use the AI receipt or invoice scanning feature, uploaded images are sent to OpenAI's GPT-4o API for automated data extraction (amounts, dates, vendor names, line items). OpenAI processes this data in the United States. We send only the image data necessary for extraction; no other account information is transmitted. OpenAI's data usage policies apply to this processing — see openai.com/policies/privacy-policy.
- Resend (Resend Inc, USA): For sending transactional and notification emails (welcome emails, password resets, trial reminders, invoice deliveries, support ticket acknowledgements). Only the recipient email address, sender details, and email content are transmitted to Resend.
- Third-party integrations: If you connect third-party services (e.g., Square POS), data is shared as necessary to provide the integration.
- Legal authorities: Where required by law, court order, or regulatory request.
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
9. Cross-Border Disclosure (APP 8)
Your core account, business, and uploaded file data is hosted within Australia on AWS Sydney infrastructure (see Section 8) and is not disclosed overseas for hosting purposes. However, a small number of third-party processors we rely on for specific functions — payments, AI-assisted receipt extraction, and transactional email delivery — process limited personal information outside of Australia, including in the United States. Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information (as required by APP 8.1). The overseas recipients currently engaged by Summed, and the countries where they process personal information, are:
- Stripe Inc (United States): Payment processing and subscription billing.
- OpenAI Inc (United States): AI receipt and invoice scanning via GPT-4o API.
- Resend Inc (United States): Transactional and notification email delivery.
Under APP 8, if we disclose your personal information to an overseas recipient and the recipient breaches the APPs, we may be accountable for that breach. We mitigate this risk through contractual arrangements with our service providers that require them to handle personal information in accordance with Australian privacy standards.
10. Government Related Identifiers (APP 9)
We collect government-related identifiers such as Australian Business Numbers (ABNs) only where it is reasonably necessary for our functions (configuring your bookkeeping environment and generating accurate business reports). We will not use or disclose government-related identifiers as our own identifier for you, and we will only use or disclose them in the circumstances permitted by APP 9 — including where required by law, or where reasonably necessary to verify your identity for the purposes of the Service.
We do not collect Tax File Numbers (TFNs). If a TFN is inadvertently entered into the Service, we strongly recommend it be removed immediately.
11. Quality of Personal Information (APP 10)
We take reasonable steps to ensure that the personal information we collect, use, and disclose is accurate, up-to-date, complete, and relevant. As a bookkeeping platform, the accuracy of financial data depends primarily on user input. We encourage you to review and update your account and business information regularly, and to contact us if any information we hold about you is inaccurate or out of date.
12. Data Security (APP 11)
We implement reasonable security measures to protect your personal information, including:
- Encrypted connections (HTTPS/TLS) for all data transmission
- Password hashing with bcrypt (a per-password salt and a configurable cost factor)
- JWT-based authentication using short-lived access tokens (15 minutes) and longer-lived refresh tokens (30 days), delivered in HttpOnly cookies (see Section 13)
- Rate limiting on authentication endpoints
- Regular database backups
- Audit logging of data modifications
- Imported bank transaction data encrypted at rest using AES-256-GCM encryption on AWS KMS-protected infrastructure
- Bank CSV files processed in memory only — raw files are not retained after transaction extraction
No method of electronic storage or transmission is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
13. Cookies and Tracking Technologies
We use the following cookies:
- bc_access: Short-lived access token (expires after 15 minutes). Set with the HttpOnly attribute, and with the Secure attribute in production.
- bc_refresh: Long-lived refresh token (expires after 30 days), used to obtain a new access token. Set with the HttpOnly attribute, and with the Secure attribute in production.
These cookies are essential for the Service to function and cannot be disabled while using the platform. We do not use tracking or advertising cookies.
14. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. After account termination:
- Your data is retained for 90 days to allow for data export
- After 90 days, your data may be permanently deleted
- Certain records may be retained longer where required by law (e.g., for tax or audit purposes)
Bank transaction data: Imported bank transaction data is retained for as long as your account is active or as needed to provide the Service. You may delete individual imported bank transactions or all imported bank data at any time through the application. When your account is deleted at the end of the retention period described above, all associated bank transaction data is permanently removed (subject to any legal retention obligations). We recommend that you maintain your own independent records of bank transactions in accordance with ATO record-keeping requirements (generally 5 years from the date a return is lodged, per s 382-5 of Schedule 1 of the Taxation Administration Act 1953 (Cth)).
15. Access to Personal Information (APP 12)
You have the right to request access to the personal information we hold about you. Upon receiving a request, we will respond within 30 days. We will provide access in the manner you request (where reasonable and practicable), such as by email or through the Service's data export features.
We may refuse access in limited circumstances permitted by APP 12.3, such as where access would be unlawful, where it would have an unreasonable impact on the privacy of others, or where the request is frivolous or vexatious. If we refuse access, we will provide written reasons and inform you of the mechanisms available to complain about the refusal.
16. Correction of Personal Information (APP 13)
You have the right to request correction of any personal information we hold about you that is inaccurate, out-of-date, incomplete, irrelevant, or misleading. We will respond to correction requests within 30 days. If we correct information that has previously been disclosed to a third party, we will take reasonable steps to notify the third party of the correction (unless it is impracticable or unlawful to do so).
For imported bank transaction data, you may directly edit, re-categorise, or delete individual transaction records through the application interface at any time without needing to submit a formal correction request.
If we refuse to correct information, we will provide written reasons and inform you of the mechanisms available to complain. You may also request that we associate a statement with the information that you believe is inaccurate, out-of-date, incomplete, irrelevant, or misleading.
17. Your Additional Rights
In addition to access and correction rights under APPs 12 and 13, you may also:
- Export your data: Download your financial records via the CSV export feature at any time
- Delete imported bank data: Delete individual imported bank transactions or all imported bank transaction data at any time through the application interface
- Delete your account: Request deletion of your account and all associated data — including imported bank transactions — by contacting support (subject to any legal retention obligations)
To exercise any of these rights, contact us at support@summed.com.au.
18. Third-Party Personal Information (Staff Data)
If you use the Service to record information about your employees, contractors, or other third parties (such as staff names, hourly rates, and shift records), you are responsible for ensuring that those individuals are aware that their personal information is being stored in Summed. You should notify affected individuals of:
- The fact that their personal information is being recorded in the Service
- The types of information stored (e.g., name, pay rate, hours worked)
- How their information is used (internal record-keeping and reporting)
- How they can request access to or correction of their information (by contacting you, the account holder)
Summed does not have a direct relationship with the individuals whose information you enter. We rely on you, the account holder, to comply with your notification obligations under the APPs in respect of any third-party personal information you input into the Service.
19. Notifiable Data Breaches
In accordance with Part IIIC of the Privacy Act 1988 (Cth) (the Notifiable Data Breaches scheme), if we become aware of reasonable grounds to suspect that an eligible data breach may have occurred (unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to any of the individuals to whom it relates), we will:
- Carry out a reasonable and expeditious assessment of the suspected breach within 30 days of becoming aware of those grounds (as required by s 26WH of the Privacy Act)
- If the assessment gives us reasonable grounds to believe that an eligible data breach has occurred, prepare a statement (s 26WK) setting out our identity and contact details, a description of the breach, the kinds of information involved, and recommendations about the steps individuals should take, and give that statement to the OAIC as soon as practicable
- Notify affected individuals as soon as practicable after completing our assessment (s 26WL), providing the contents of that statement together with our contact details and the contact details of the OAIC
Financial data heightened risk: Given that Summed handles financial records, business transaction data, and government-related identifiers (ABNs), we recognise that breaches involving this data carry a higher risk of serious harm. We apply the serious harm factors set out in s 26WG of the Privacy Act, including the kind and sensitivity of the information, whether the information is protected by security measures, and the nature of the harm that could result. Financial data breaches are assessed on an expedited basis.
20. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a person under 18 without appropriate consent, we will take steps to delete that information as soon as practicable.
21. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "Last updated" date at the top of this page indicates when the policy was last revised.
22. Complaints
If you believe we have breached the APPs or otherwise mishandled your personal information, you may lodge a complaint with us using the contact details below. Our complaint handling process is as follows:
- Lodge your complaint by emailing support@summed.com.au with the subject line "Privacy Complaint". Please include details of the breach you believe has occurred.
- Acknowledgement: We will acknowledge receipt of your complaint within 5 business days.
- Investigation: We will investigate and provide a written response within 30 days of receiving your complaint.
- Escalation: If you are not satisfied with our response, or if we do not respond within 30 days, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
OAIC Contact Details:
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au
- Post: Office of the Australian Information Commissioner, GPO Box 5218, Sydney NSW 2001
23. Contact
For any questions about this Privacy Policy, or to exercise your rights under the APPs, please contact us:
Anum Pty Ltd (ABN 80 697 129 525, ACN 697 129 525)
Privacy Officer
Email: support@summed.com.au
Jurisdiction: Victoria, Australia