Legal · plain English
Privacy Policy
Last updated 28 June 2026 · Beta v0 · Contact info@ezzfin.com
1. Who we are
Ezzfin is a multi-tenant cloud accounting application for Australian small businesses, operated from Queensland, Australia. In this policy “Ezzfin”, “we”, and “us” refer to the operator of ezzfin.com. The easiest way to reach a real person is info@ezzfin.com.
2. What information we collect
We try to collect the minimum we need to operate the service. We do not run analytics trackers, advertising pixels, or third-party session recorders.
From you, when you create an account
- Your email address (used as your sign-in identifier)
- Your display name (you can change it any time at
/account) - The company name, legal entity name, ABN, ACN, and GST status you record for each business you set up in Ezzfin
- Optional contact details you provide for your business (address, phone)
From you, while you use Ezzfin
- Transactions you enter (invoices, bills, expenses, payments, manual journals)
- Bank statement data (CSV files you upload, transaction rows, attachments)
- Customer + supplier records (names, emails, ABNs, payment terms — these are your business contacts, not Ezzfin’s)
- Receipts and other PDF / image attachments you upload
- BAS periods you finalise — snapshot frozen at finalisation for audit
Automatically, when you interact with Ezzfin
- IP address of requests, user-agent string, timestamps (for security + audit)
- One-time passcodes (OTPs) we send to your email for sign-in
- Session cookies that prove you’re signed in (HTTP-only, secure, same-site)
- An append-only audit log of changes you make in the app
What we do not collect
- Tax File Numbers (TFNs). Ezzfin does not store, transmit, or process TFNs of employees, contractors, or business owners. Payroll / STP features are not in scope for v1.
- Passwords. Ezzfin uses email-OTP sign-in only.
- Credit card details. There is no payment processing in v1 (free beta).
- Banking credentials. CSV import only — we never see your online-banking login.
- Marketing tracking IDs, advertising cookies, or third-party analytics.
3. Why we collect it (APP 5)
We use your personal and business information to:
- Provide and maintain the Ezzfin service you signed up for
- Authenticate you via OTP and keep your session signed in
- Generate the tax invoices, BAS working papers, and reports you ask Ezzfin to produce
- Send invoices you compose to recipients you choose
- Send scheduled invoice reminders that you set up
- Email you back when you join the waitlist or contact support
- Maintain an audit log so you (and your accountant) can verify who changed what and when
- Detect and respond to abuse, fraud, or security incidents
We do not use your data to train machine-learning models, build advertising profiles, or sell to data brokers.
5. Storage and security (APP 11)
We take reasonable steps to protect your information from misuse, loss, unauthorised access, modification, or disclosure.
What we do today
- All traffic is encrypted in transit (HTTPS/TLS), with strict browser-security headers.
- Email sign-in with optional two-factor authentication; sessions are held in HTTP-only, secure cookies you can review and revoke at any time.
- Strict separation between businesses — every request is scoped to your business only.
- An append-only audit log of every change to your financial records.
- Daily off-site encrypted database backups, kept for 90 days.
- Uploaded files are checked by type and size before they are stored.
If a notifiable data breach happens
Under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act), if we ever experience a breach that is likely to result in serious harm to you, we will notify both you and the Office of the Australian Information Commissioner (OAIC) as soon as practicable.
6. How long we keep it
Australian businesses are required by section 262A of the Income Tax Assessment Act 1936 and section 70 of the A New Tax System (Goods and Services Tax) Act 1999 to keep most financial records for at least 5 years. Ezzfin defaults to that:
- Soft delete only. When you delete a transaction in Ezzfin, the row is marked deleted but kept in the database for 7 years so you can prove what was on file at any point.
- BAS snapshots are frozen.Finalising a BAS period stores a structured snapshot of every contributing journal line — so the working paper you handed your accountant remains reproducible.
- Audit log is append-only. Entries are never edited or removed.
- If you cancel your subscription we keep your data in read-only mode for 90 days so you (and your accountant) can export everything as PDF + CSV. After 90 days the data is deleted, unless you have asked us in writing to retain it for ongoing ATO retention obligations.
- Account / OTP / login logs are kept for 12 months for security analysis, then purged.
7. Your rights (APP 12, 13)
Access
You can see almost all of your data inside Ezzfin already — that’s what the product is for. For anything you can’t see directly (e.g. our server-side audit log entries about your account), email info@ezzfin.com and we will respond within 30 days.
Correction
You can edit your name and email at /account, and you can edit, void, or correct any business transaction inside the app (with an audit-log entry). For anything else, email us.
Deletion
Account deletion is a manual process in v1 — email us and we will delete your data subject to ATO 5-year retention obligations on records you may need for tax purposes. We will explain what is required to be retained and what can be deleted.
Complaints
If you believe we have mishandled your information, please email us at info@ezzfin.com first — we want to make it right. If you’re not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
9. Children
Ezzfin is built for Australian businesses operated by adults. The service is not intended for or directed at anyone under 18. If you believe a minor has signed up, email info@ezzfin.com and we will remove the account.
10. International data transfers
During the v1 beta, Ezzfin operates on infrastructure connected to Australian-friendly data centres. Some third-party services (e.g. Resend for transactional email) may process data outside Australia. We use providers with reasonable security and data-protection commitments that we believe meet APP 8.1.
If we add or change data-processing partners in a way that changes the jurisdiction of your data materially, we will update this policy and email you.
Separately, if you choose to connect your own third-party AI agent, that may send your data overseas to a provider we do not control — see section 11.
11. Connecting your own AI agent
Ezzfin itself does notuse artificial intelligence or large language models to process your data, and we never use your data to train any model (see sections 3 and 5). Your data stays within Ezzfin’s security controls unless you choose to connect an external AI agent.
Ezzfin offers an optional connector (an “MCP” connector) that lets you link your ownthird-party AI agent or assistant — for example Anthropic’s Claude or OpenAI’s ChatGPT / Codex, or any other MCP-compatible client. This is entirely opt-in: nothing is shared with any AI service unless you connect one and approve it.
What is sent
When you connect an agent and approve its permissions, that agent can retrieve the data categories you approve — which may include contacts, invoices, bills, your chart of accounts, financial reports and BAS figures — and, if you grant write permissions, create or change those records, in the one company you choose. To do this, the data you authorise is transmitted to the AI service behind the agent so it can process your request.
What is not sent
- Only the permissions and the single company you approve — nothing more.
- Nothing is sent in the background: every access is initiated by you or your agent, and stops the moment you revoke it.
- No agent can reach your data without a valid access key, and results are bounded.
- Ezzfin makes no AI calls of its own — the request is yours.
Who receives it, and whose terms apply
The recipient is the AI provider behind the agent you connected — not Ezzfin. How that provider stores, retains, uses, or further discloses your data — including whether it uses it to improve its own models — is governed by that provider’s privacy policy and terms, which you should read before connecting (for example, the Anthropic and OpenAI privacy policies linked above). Ezzfin has no contract with, and no control over, the provider you choose, and cannot recall data once it has been sent.
Overseas disclosure
AI providers commonly process data outside Australia. Connecting an agent may therefore disclose your data — including personal information held in your books about your customers, suppliers and staff — overseas, to a recipient we do not control. By connecting an agent you authorise and consent to that disclosure. This is a disclosure you choose to make; the commitments in section 10 relate to Ezzfin’s own providers, not to an agent you connect.
Your responsibility
Before connecting an agent, you confirm that you have the authority to share the data in your books — including other people’s personal information — with that AI service, consistent with your own privacy obligations to them.
Your control
You can review and revoke any connection at any time in Settings → Connected AI agents. Revoking stops further access immediately, though it cannot recall data already sent to the provider. Every action an agent takes is permission-checked and recorded in your audit log.
12. Changes to this policy
We may update this policy as the product evolves — for example when we add Stripe for billing at general availability, or when we add live bank feeds via Open Banking. Material changes will be announced by email at least 30 days in advance, and you can review the latest version on this page. The “Last updated” date at the top reflects when it was last revised.
13. Contact us
The fastest way to reach us about privacy, access, correction, or deletion is email: info@ezzfin.com. A real person reads every message — usually within one business day during the beta.
Questions, requests, or anything that reads ambiguously? Email us at info@ezzfin.com — a real person reads every message.