Privacy Policy

Last updated: 28 May 2026 · Governed by Australian law (Privacy Act 1988).

Who we are

Vaulco is operated by John Antony, a sole trader registered in Australia (ABN 67 154 348 185), based in Melbourne, Victoria. Throughout this policy “we” and “us” refer to that entity. Contact: hello@vaulco.com.au.

Vaulco is a mobile-first finance and operations app for Australian sole traders and small businesses. Vaulco is an ATO-registered Digital Service Provider (Indirect Connect category) for Single Touch Payroll (STP) Phase 2 lodgement.

Privacy Officer: John Antony, founder. Reach: hello@vaulco.com.au.

What we collect

When you create an account and use Vaulco, we collect:

  • Identity + auth: email, hashed password (or magic-link token), optional MFA token
  • Business profile: business name, ABN, industry, phone, address, logo (if uploaded)
  • Financial data you enter or import: transactions, invoices, quotes, bills, customers, products, mileage, assets, BAS/GST data
  • Staff + payroll data (if you use it): employee names, contact details, pay rates, timesheets, leave records, super fund details
  • Payment data: handled by Stripe — we do not store full card numbers; we keep only the Stripe customer ID and last 4 digits for display
  • Usage data: pages visited, features used, error logs (for debugging and product improvement)

We collect only what we need to deliver the product. We do not buy data about you from third parties.

Tax File Numbers (TFNs) and STP data

When you use STP lodgement in Vaulco, you may enter Tax File Numbers for your employees so we can lodge to the ATO on your behalf. We treat TFNs under the strict requirements of the Privacy (Tax File Number) Rule 2015:

  • TFNs are encrypted at rest using field-level encryption on top of the database's default AES-256
  • TFNs are only retrieved at lodgement time and passed through to our STP transport partner
  • TFNs are not used for any purpose other than STP lodgement
  • You can request deletion of TFN records independently of your full account at any time
  • If you cancel your subscription, TFN records are deleted within 30 days even if you keep your account

Note: TFN values embedded inside an STP pay event that has already been lodged form part of the immutable lodgement record and are retained encrypted for the 7-year ATO record-keeping period. Outside that lodgement record, your TFNs are deleted within 30 days of cancellation or on direct request.

How we use your data

  • To provide the Vaulco service — dashboards, reports, forecasts, AI-assisted insights
  • To lodge to the ATO when you ask us to (BAS pre-fill, STP)
  • To send transactional email (account, invoice notifications, weekly digest if subscribed)
  • To debug and improve the product (aggregated, never tied back to identifiable data in marketing)
  • To meet legal obligations (tax record retention, ATO audit requests for the data you've lodged)

We never sell your data. We never share your financial data with third parties for advertising. We never train AI models on your data. AI features (Aurum) call third-party large-language-model APIs at the moment of request, then discard the prompt; there is no model-training contract.

Where your data is stored

All Vaulco application data is stored on servers located in Sydney, Australia:

  • Database + auth: Supabase (managed PostgreSQL, AWS Sydney region)
  • Hosting + edge: Vercel (Sydney region for Australian users)

All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Daily automated backups are retained for 30 days.

Some operational services — outbound email (Resend, EU / US), inbound email parsing (CloudMailin, UK / EU), and AI inference (Anthropic, US; OpenAI, US) — process specific transient data outside Australia. None of these process STP, TFN, or payroll data; all are bound by Data Processing Agreements that prohibit secondary use of customer data.

Third-party processors

We use the following sub-processors to deliver Vaulco. Each is contractually required to handle your data only as instructed by us.

  • Supabase (managed Postgres + auth) — Sydney, Australia
  • Vercel (hosting + edge functions) — Sydney edge, US control plane
  • Single Touch Pty Ltd (STP Sending Service Provider — transports PAYEVNT.0004 to the ATO) — Australia
  • Stripe (payments) — PCI DSS Level 1 certified, AU-resident processing
  • Twilio (inbound SMS / MMS for snap-quote and smart-router) — AU-resident number +61468007898
  • CloudMailin (inbound email parsing for forward-to-Vaulco features) — UK / EU
  • Resend (transactional email) — for account, invoice, and digest emails
  • Anthropic / OpenAI (AI inference for Aurum) — request-time only, no model training, no data retention beyond the immediate response

A current list of sub-processors is also published at vaulco.com.au/security/subprocessors.

Data retention

While your account is active, we retain your data so the product works. If you delete your account, all associated data is purged within 30 days, with the following exceptions required by law:

  • Records you have lodged with the ATO (BAS, STP) are retained for 7 years per ATO record-keeping requirements
  • Stripe payment records are retained for 7 years per ASIC / tax law
  • Aggregated, anonymised usage statistics may be retained indefinitely (cannot be tied back to you)

Notifiable Data Breaches

If we suffer a security incident that meets the Notifiable Data Breach threshold under Part IIIC of the Privacy Act 1988, we will:

  • Notify affected customers in plain language within 72 hours of detection
  • Notify the Office of the Australian Information Commissioner (OAIC) within the same 72-hour window where required
  • For incidents involving STP or TFN data, notify the ATO via our DSP support channel within 24 hours
  • Publish a post-incident summary to affected customers within 5 business days

Our full incident-response procedure is maintained internally as part of our ATO Operational Security Framework evidence pack and is available to regulators on request.

Your rights

Under the Privacy Act 1988 and the Australian Privacy Principles, you have the right to:

  • Access your personal data — every screen in Vaulco shows you the data we hold; CSV export is available
  • Correct inaccurate data — most fields are editable in-app; for anything else, email hello@vaulco.com.au
  • Request deletion of your data — via Settings → Data → Delete account, or through our deletion request form
  • Export your data — CSV exports of every table are available in the app
  • Opt out of non-essential email — links in every digest email; transactional email cannot be disabled while you have an active account
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you believe we've mishandled your data

We respond to written requests within 30 days as required by APP 12.

Cookies

We use essential cookies only — authentication session, theme preference, and onboarding state. We do not use tracking cookies, advertising cookies, or third-party analytics that track you across sites.

Security

Our security posture, sub-processor list, and incident response process are published at vaulco.com.au/security. Suspected vulnerabilities can be reported to security@vaulco.com.au.

Children

Vaulco is for businesses, not consumers. You must be 18 or older and authorised to act for a business. We do not knowingly collect data from anyone under 18.

Changes to this policy

We may update this policy as our product changes. Material changes (new sub-processors, new data types collected, changes to retention) are notified at least 14 days in advance via email to the address on your account, with the previous version archived and linked from this page.

Contact

Privacy questions, access requests, or complaints:
Email: hello@vaulco.com.au
Security: security@vaulco.com.au
Postal: available on request — email first
Vaulco is operated by John Antony (sole trader) · ABN 67 154 348 185 · Melbourne VIC.