Australian Privacy Principles Compliance

Effective Date: 3 May 2026

Last Updated: 3 May 2026

This page sets out how TidyBooks meets the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). It supplements our Privacy Policy and should be read alongside it.

TidyBooks voluntarily commits to handling personal information in accordance with the APPs, including for periods during which we are not legally required to do so as a small business.


APP 1 — Open and transparent management

We maintain our Privacy Policy as a clearly expressed, up-to-date description of how we manage personal information. It covers:

  • The kinds of personal information we collect
  • How we hold and use it
  • Purposes of collection, holding, use, and disclosure
  • How to access or correct your information
  • How to make a privacy complaint (see "Privacy Complaints" below)
  • Whether we are likely to disclose information overseas, and to which countries (see APP 8 below)

Privacy Officer: Privacy questions and complaints can be directed to our Privacy Officer at privacy@tidybooks.tax.


APP 2 — Anonymity and pseudonymity

Because TidyBooks is an account-based service that requires identifiable account ownership, billing, and accountability for documents processed on your behalf, dealing with us anonymously or under a pseudonym is not practicable. Identification is required to operate the Service.


APP 3 — Collection of solicited personal information

We only collect personal information that is reasonably necessary for our functions or activities. Collection is by lawful and fair means, and only with your knowledge or consent (typically through your direct provision, OAuth authorisation, or document forwarding to your unique TidyBooks address).


APP 4 — Unsolicited personal information

If we receive personal information about a third party that we did not solicit (for example, contained within a forwarded email or document), we treat it under the same APPs and security measures as solicited information. If we determine that we could not have collected such information under APP 3, we will take reasonable steps to destroy or de-identify it as soon as practicable, unless that information is contained in a Commonwealth record or required by law to be retained.


APP 5 — Notification of collection

Before or at the time of collection, we notify you (through our Privacy Policy, signup flows, OAuth consent screens, and connection prompts) of: our identity and contact details; the fact and circumstances of collection; the purposes for which we collect; the consequences of not providing information; other parties we usually disclose to; and whether we are likely to disclose overseas and to which countries.


APP 6 — Use or disclosure

We use personal information only for the primary purposes for which it was collected, for related secondary purposes you would reasonably expect, or with your consent. See "How We Use Your Information" and "Information Sharing" in our Privacy Policy.


APP 7 — Direct marketing

We send marketing communications only with your consent. Every marketing email contains a clear unsubscribe link, and you can opt out at any time. Service-related communications (security alerts, billing notices) are not marketing and continue while your account is active.


APP 8 — Cross-border disclosure

Some service providers we rely on are located outside Australia. Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient handles the information in a way that is consistent with the APPs — typically through contractual safeguards, Data Processing Agreements, and reliance on the recipient's own published privacy and security certifications.

Cross-border disclosures:

| Service Provider | Purpose | Country |
|---|---|---|
| Amazon Web Services (AWS) | Storage and infrastructure | Australia (primary), United States |
| OpenAI | AI/OCR document processing | United States |
| LemonSqueezy | Payment processing | United States |
| Mixpanel | Anonymised analytics | United States |
| Google Analytics | Anonymised analytics | United States |
| Email delivery providers | Transactional and notification email | United States |


APP 9 — Government-related identifiers

We do not adopt, use, or disclose government-related identifiers (such as Tax File Numbers or Medicare numbers) as our identifiers for any individual. If a forwarded document happens to contain a TFN or similar identifier, we treat it as sensitive information and do not use it for identification or matching purposes. Australian Business Numbers (ABNs) and similar publicly registered business identifiers may be extracted from documents to populate vendor records, as ABNs are public information.


APP 10 — Quality of personal information

We take reasonable steps to ensure that personal information we collect, use, and disclose is accurate, up-to-date, and complete. You can review and update your account information and extracted document data at any time within the platform.


APP 11 — Security and retention

See "Data Storage and Security" and "Data Retention" in our Privacy Policy for the reasonable steps we take to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. When personal information is no longer needed for any purpose for which it may be used or disclosed under the APPs, we take reasonable steps to destroy it or de-identify it (subject to backup retention windows and any legal retention obligations).


APP 12 — Access to personal information

You have the right to request access to the personal information we hold about you. See "Your Rights and Choices" in our Privacy Policy for how to do this. We aim to respond within 30 days of a request. Where access cannot be provided in full (for example, where it would unreasonably affect another individual's privacy), we will explain why and offer alternative means where appropriate.


APP 13 — Correction of personal information

You may request correction of any personal information we hold about you that you believe is inaccurate, out-of-date, incomplete, irrelevant, or misleading. We take reasonable steps to make the correction. If we do not agree that correction is required, you may request that we associate a statement with the information noting that you consider it should be corrected.


Notifiable Data Breaches

If we become aware of a data breach that is likely to result in serious harm to any individual whose personal information is involved, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth).

We maintain an internal data breach response procedure covering prompt assessment, containment, notification, and remediation.


Privacy Complaints

If you believe we have breached the Australian Privacy Principles or otherwise mishandled your personal information, please contact our Privacy Officer at privacy@tidybooks.tax. We will acknowledge your complaint within 5 business days and aim to provide a substantive response within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

  • Website: oaic.gov.au
  • Phone: 1300 363 992
  • Mail: GPO Box 5288, Sydney NSW 2001

Contact Us

For privacy-related questions: