Data Retention Policy
Version 1.0 — Effective 22 April 2026 | Owner: Anum Pty Ltd (ABN 80 697 129 525) | Linked from Privacy Policy § 7 — Data retention
Summary
- Summed retains tax records for 5 years, in line with ATO and ASIC minimum requirements for small business records.
- Personal information no longer needed for that purpose is destroyed or de-identified under Privacy Act APP 11.2.
- You can export the data Summed holds about you at any time. Under APP 12, access requests are answered within 30 days.
- Before a record reaches the end of its retention window, Summed sends reminder emails at 90, 30, 14, 7 and 1 day(s) out.
- When an account is closed, personal profile fields are anonymised on a 30-day grace period. Tax records stay under retention holds for the remainder of their statutory window, then are destroyed automatically.
Retention matrix
| Data class | Retention period | Legal basis |
|---|---|---|
| Income-tax records — transactions, invoices, expense records, receipts, BAS working papers | 5 years from record creation or transaction completion, whichever is later | ITAA 1936 s 262A(4)(a) |
| GST / indirect-tax records — tax invoices, GST components of transactions | 5 years from transaction completion | TAA 1953 Sch 1 s 382-5 |
| Books of a Pty Ltd customer, where Summed is the books of record | 7 years from transaction completion | Corporations Act 2001 s 286(2) |
| Account profile (name, email, business details) while linked to records still inside their retention window | Retained as long as the longest-linked record | Privacy Act APP 11.2(d) |
| Account profile after all linked records have expired | Destroyed or anonymised | Privacy Act APP 11.2 |
| Audit / security logs | 13 months | Privacy Act APP 11.1 (reasonableness) |
| Marketing consent records (after opt-out) | 2 years, as evidence of prior authorisation | Spam Act 2003 s 16(4) |
| Personal information no longer needed for any stated purpose | Destroyed or anonymised promptly | Privacy Act APP 11.2 |
Legal holds that pause the retention clock
Retention clocks pause while any of the following apply to your records:
- An active ATO audit, amendment, or extended review period under ITAA s 170.
- An ASIC investigation or regulatory inquiry.
- A Fair Work Ombudsman inspection.
- Current or anticipated litigation involving the records.
- A court or tribunal order to preserve records.
You will be notified in-app and by email if a legal hold is placed on your data.
Access and export
Go to Settings → Your Data → Export. Available scopes:
- Full export — transactions, invoices, receipts (PDF and original images), staff records, settings, reports. Delivered as a ZIP with CSVs, PDFs and original files.
- Tax only — transactions, receipts, BAS working papers.
- Profile only — your account details.
Exports are generated asynchronously (usually under 10 minutes; up to 24 hours for very large accounts) and delivered by email with a secure download link. Links expire after 7 days; a new one can be requested at any time.
Under Privacy Act APP 12, Summed provides access to personal information within a reasonable period (OAIC benchmark: 30 days). The self-serve export satisfies this for most requests; email support if you need something more specific.
Retention preferences
- Non-statutory data (marketing preferences, saved filters, dashboard customisations) can be reset or destroyed on request.
- Statutory tax records are destroyed automatically once the retention window closes. You are notified before it happens.
- On account closure, the profile is anonymised after a 30-day grace period. Only the minimum identifiers required to keep linked tax records meaningful are retained, and only for as long as those tax records remain inside their retention window.
Closing an account
Go to Settings → Account → Close Account. You will see exactly what will happen:
- Anonymised after 30-day grace period — your profile details (beyond the minimum needed to link tax records), marketing preferences, saved settings, session data. During the grace period you can email support to restore the account.
- Retained until each record's retention window closes — tax records, under retention hold. You cannot be re-contacted; these records cannot be used for any other purpose.
- Destroyed when each record's retention window closes — every destruction is logged. Proof of destruction is available on request, including after closure.
Pre-destruction reminders
Reminder emails fire at T-90, T-30, T-14, T-7 and T-1 days before any record reaches its retention cutoff. Each reminder identifies what is about to be destroyed and includes a one-click export link.
These reminders can be muted in Settings → Notifications. Once a record is destroyed, it cannot be recovered.
Data breaches
Under the Notifiable Data Breaches scheme (Privacy Act Part IIIC), Summed will:
- Assess any suspected breach within 30 days (target: 14).
- Notify the OAIC and affected individuals as soon as practicable after forming a reasonable belief of an eligible breach.
The incident response runbook is rehearsed quarterly.
Complaints
If you believe Summed has mishandled your personal information:
- Email support@summed.com.au.
- Escalate to the Privacy Officer at privacy@summed.com.au. 30-day response commitment.
- Complain to the OAIC at oaic.gov.au/privacy/privacy-complaints.
Changelog
| Version | Date | Change |
|---|---|---|
| 1.0 | 22 April 2026 | Initial publication |
Questions: privacy@summed.com.au