Privacy Policy

Last updated: 1 May 2026 · Effective: 1 May 2026

This Privacy Policy explains how Auravest Pty Ltd (ACN [insert]) (Auravest, we, us, our) collects, holds, uses, and discloses your personal information in connection with the Auravest website, applications, and services (the Service).

Auravest is committed to handling personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Privacy Policy is incorporated into our Terms of Service.

1. Introduction

Auravest provides software that helps Australian users track their personal financial position — including bank accounts, property, superannuation, equities, crypto, liabilities, transactions, income sources, and financial goals. We act strictly as a technology provider. We do not give financial advice, and we cannot move, transmit, or transact your money. Bank integrations are read-only.

2. Who we are

Auravest is operated by Auravest Pty Ltd, an Australian proprietary company with its registered office at 61 Lavender Street, Milsons Point, NSW 2061, Australia. We are an APP entity for the purposes of the Privacy Act and are responsible for the personal information we handle in connection with the Service.

3. Personal information we collect

The kinds of personal information we collect depend on how you use the Service. We generally collect:

  • Identity and contact details — your name, email address, profile image (if uploaded), and information you choose to provide about your country of tax residency.
  • Account credentials — hashed passwords, OAuth identifiers (e.g. Google sign-in), session tokens, and login metadata such as IP address, timestamp, and user-agent string.
  • Financial information — asset records (including property, equities, crypto, super, cash, and other holdings), liabilities (mortgages, loans, credit cards), purchase price, stamp duty, LMI, renovation spend, asset values, weekly rent, transaction history, income sources, budgets, financial goals, and any free-text notes you add.
  • Bank-connection data — when you connect Up Bank or a similar provider, we receive read-only access tokens or data extracts (account names, balances, transaction history, account identifiers).
  • Payment metadata — subscription tier, plan, billing status, Stripe customer/subscription identifiers, and limited payment-card metadata (last four digits, brand, expiry). We do not store full card numbers or CVCs; these are handled directly by Stripe.
  • Family and business profile data — if you use shared family or business features, the relationships and member information you enter.
  • AI chat content — your prompts, AI responses, and a summary of your financial context used to produce responses.
  • Technical and usage information — device type, browser, operating system, pages visited, features used, error logs, and similar telemetry. We collect this through cookies, server logs, and analytics tags (see section 9).
  • Support and communication records — emails, support tickets, and any feedback you send us.

Most of this information is not "sensitive information" as strictly defined in the Privacy Act. We do not request or knowingly collect health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, or criminal records.

4. How we collect it

We collect personal information:

  • Directly from you, when you sign up, enter data into the Service, contact support, or respond to surveys;
  • From devices you use to access the Service (cookies, browser headers, server logs);
  • From third-party services you authorise us to connect to (e.g. Up Bank, Google for sign-in, Stripe for billing); and
  • From publicly available sources only where you have made the information public and provided it to us.

Where it is reasonable and practicable to do so, we collect personal information directly from you. If we receive personal information about you that we did not solicit, we will deal with it in accordance with APP 4.

5. Why we collect, hold, use and disclose

We use personal information for the following purposes:

  • To create and administer your account, including authentication and access control;
  • To provide the Service — including aggregating, analysing, simulating, and displaying your data;
  • To process payments and manage your subscription via Stripe;
  • To deliver transactional emails (e.g. welcome, password reset, magic-link sign-in, receipts, security notices);
  • To respond to questions, troubleshoot issues, and provide customer support;
  • To detect, investigate, and prevent fraud, abuse, and security incidents;
  • To comply with our legal and regulatory obligations, including those under the Privacy Act, AML/CTF rules where applicable, and tax legislation;
  • To improve the Service — including measuring usage, fixing bugs, and developing new features. Where we use information for analytics we use it in anonymised or aggregated form where reasonably practical;
  • With your consent, to send you marketing communications about the Service (see section 13).

6. Sub-processors and disclosures

We disclose personal information to a limited set of trusted service providers (sub-processors) who help us operate the Service. Each sub-processor is bound by contractual confidentiality and security obligations and may only use your information to provide services to us:

  • Stripe, Inc. (USA) — payment processing, subscription billing, payment-method storage.
  • Google LLC (USA / EU) — AI inference via the Gemini API (see section 7), and OAuth sign-in.
  • Resend, Inc. (USA) — transactional email delivery.
  • Cloudflare, Inc. (USA / global edge) — DNS, CDN, edge tunnels, and DDoS protection.
  • Up Bank (Bendigo and Adelaide Bank Ltd, Australia) — where you authorise us to read your Up Bank account data.
  • [insert primary hosting provider — e.g. AWS Sydney / Vercel] — cloud infrastructure, compute, database hosting.
  • [insert any other sub-processor — e.g. Sentry, error monitoring] — error and performance monitoring.

We do not sell your personal information for monetary consideration, and we do not share it with data brokers or trade it to third parties for their independent marketing use. However, we use the analytics services described in section 9 (Google Tag Manager and Google Analytics). Depending on configuration, the use of these services may meet the broad definitions of "sale" or "sharing" under the California Consumer Privacy Act (CCPA/CPRA) because they involve disclosing identifiers, device data, and usage information to Google for cross-context analytics. California residents can exercise their right to opt out — see section 18.

We may also disclose information where compelled by law (e.g. a valid subpoena, court order, AUSTRAC request, or regulatory notice) or where necessary to investigate or respond to a serious security incident.

7. AI-assisted features

Some features (including the AI Adviser chat) use third-party large language models — currently Google Gemini. When you use these features:

  • Your prompt and a summary of relevant financial context (e.g. asset class totals, liabilities, income sources, recent transactions, goal progress) may be sent to the AI provider in order to generate a response.
  • Where possible we minimise personal information sent to AI providers (e.g. we do not send raw bank account numbers, your full name, or sensitive personal identifiers). We cannot guarantee that AI providers will not retain prompts under their own terms — we recommend you do not include information you wish to keep entirely private.
  • Google's handling of Gemini API requests is governed by their terms and privacy policy.

8. Overseas disclosure

Several of our sub-processors (in particular Stripe, Google, Resend, and Cloudflare) are located outside Australia and may store or process your information in the United States, the European Union, and other countries where they operate global infrastructure. By using the Service you consent to this overseas disclosure on the basis described in APP 8.2(b).

We take reasonable steps to ensure overseas recipients handle your information consistently with the APPs, including via contractual commitments and selection of providers with established privacy and security programs.

9. Cookies and analytics

We use cookies, local storage, and similar technologies to keep you signed in, remember preferences, understand how the Service is used, and improve it. The main categories are:

  • Strictly necessary — required for authentication, session management, and core platform functionality. These are always on.
  • Functional — remember preferences such as your dashboard layout, theme, and active tab.
  • Analytics — measure traffic, feature usage, page performance, and conversion paths. We use Google Tag Manager (container ID GTM-NN9TL29P) and Google Analytics 4 (measurement ID G-B7JT9Z8DRX), both operated by Google LLC. These services receive identifiers (including cookie IDs and IP address), device and browser data, pages viewed, events triggered, and approximate location derived from IP. Google may use this data both to provide analytics to us and, depending on your and our account-level settings, for its own purposes. Google's handling is governed by the Google Privacy Policy.

Your choices. When you first visit the Service from the EU/UK we ask for your consent before loading analytics cookies, and analytics are blocked unless you accept. From anywhere else you can withdraw consent at any time by clearing the Auravest cookie-consent preference (clear site data in your browser), installing the Google Analytics Opt-out Browser Add-on, or, if you are a California resident, exercising your CCPA opt-out right described in section 18.

Most browsers let you block or delete cookies, but doing so may break authentication or core functionality.

10. Security and storage

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure, including:

  • Encryption in transit (TLS) for all traffic between your device and the Service;
  • Encryption at rest for our primary databases;
  • Hashing of passwords using bcrypt (passwords are never stored in plain text);
  • Read-only OAuth scopes for bank integrations — we do not store your Up Bank credentials;
  • Role-based access controls and multi-factor authentication for our infrastructure;
  • Logging, monitoring, and rate-limiting of authentication and sensitive endpoints;
  • Routine review of dependencies and third-party security advisories.

No system is perfectly secure. If you have any concerns about a security issue, please email [email protected].

11. Retention

We hold personal information for as long as it is necessary for the purposes described in this Policy or as required by law. When information is no longer needed we take reasonable steps to delete or de-identify it, having regard to the categories of information, applicable retention periods (including AML/CTF and tax record-keeping), and our backup cycles.

Subscription billing records may be retained for at least seven years to meet Australian tax and financial record-keeping obligations.

12. Your rights — access, correction, deletion

You have rights under the APPs and the Privacy Act, including the right to:

  • Access the personal information we hold about you (APP 12). Most data is viewable in the Service. To request a copy of additional records, email [email protected].
  • Correct inaccurate, out-of-date, incomplete, or misleading information (APP 13). You can update most data yourself in the Service.
  • Delete your account and the associated financial data we hold, subject to records we must keep by law. You can delete your account from your profile settings or by emailing us.
  • Withdraw consent for marketing communications or specific optional processing at any time.

We will respond to access and correction requests within a reasonable period — generally within 30 days. We may need to verify your identity before processing a request.

13. Direct marketing

We may send you product update emails, tips, and offers related to the Service. You can opt out at any time by clicking the "unsubscribe" link in the email or emailing [email protected]. Operational and transactional messages (e.g. receipts, security alerts, password reset) are not marketing and cannot be opted out of while you have an active account.

14. Children

The Service is not directed to children under 18 and we do not knowingly collect personal information from them. If you believe we have inadvertently collected such information, please contact us and we will delete it.

15. Notifiable data breaches

We comply with the Notifiable Data Breaches (NDB) scheme under the Privacy Act. If we suffer an eligible data breach that is likely to result in serious harm to you, we will notify you and the Office of the Australian Information Commissioner (OAIC) as soon as practicable in accordance with the scheme.

16. How to make a complaint

If you believe we have breached the APPs or this Policy, please contact our Privacy Officer at [email protected]. We will investigate and respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner:

  • Website: oaic.gov.au
  • Phone: 1300 363 992
  • Post: GPO Box 5288, Sydney NSW 2001

17. Changes to this policy

We may update this Policy from time to time. When we do, we will update the "Last updated" date at the top of the page. For material changes we will provide additional notice by email or in-app announcement before the change takes effect.

18. California residents — your privacy choices

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), gives you specific rights with respect to your personal information. These rights are in addition to the rights described in section 12.

  • Right to know what personal information we have collected about you, the sources, the categories of recipients, and the purposes for collection.
  • Right to delete personal information we have collected from you, subject to legal exceptions (e.g. records we must retain under tax or financial law).
  • Right to correct inaccurate personal information.
  • Right to opt out of sale/sharing of your personal information. As described in section 6 and section 9, we do not sell personal information for monetary consideration, but our use of Google Analytics may qualify as "sharing for cross-context behavioral analytics" under CCPA. You can opt out at any time by clicking "Your Privacy Choices" in the website footer, by rejecting analytics in the cookie banner, or by emailing [email protected] with the subject line "CCPA opt-out". We honor browser-level Global Privacy Control (GPC) signals as a valid opt-out.
  • Right to limit use of sensitive personal information — we do not use or disclose sensitive personal information for purposes that require an explicit limit-right under CCPA.
  • Right to non-discrimination — we will not deny service, charge different prices, or provide a different level of quality because you exercised your CCPA rights.
  • Authorized agents — you may designate an authorized agent to submit requests on your behalf. We may require verification of identity and of the agent's authority.

To exercise these rights, email [email protected] or write to us at the address in section 19. We will respond within 45 days (extendable by a further 45 days where reasonably necessary, with notice to you).

19. Contact us

For privacy-related questions or to exercise your rights under this Policy: