Book Keeps

Privacy Policy

Effective date: 1 January 2025  |  Last updated: 9 June 2026

1. Introduction

Book Keeps ("we", "us", "our") operates the Book Keeps mobile application and web platform (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal and financial information when you use our Service.

We are committed to protecting your privacy and complying with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). By using our Service, you consent to the practices described in this policy.

Book Keeps is available to businesses in the United Kingdom as well as Australia. If you are located in the UK, we also comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 — see Section 9 (UK Users) for the terms that apply specifically to you.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Your name, email address, and password (hashed and salted — we never store plaintext passwords)
  • Business name, ABN (Australian Business Number), and GST registration status
  • Two-factor authentication details (TOTP secrets, encrypted at rest)

2.2 Financial Data

To provide our bookkeeping services, we collect and process:

  • Transaction data: Income and expense records including amounts, dates, descriptions, categories, and GST components
  • Receipt images: Photos of receipts uploaded for OCR processing, including vendor names, amounts, and line items extracted by our AI
  • Invoice data: Invoice details you create, including client names, amounts, payment terms, and payment status
  • Bank feed data: Transaction data imported from connected bank accounts via our third-party banking data provider (Basiq)
  • GST and BAS data: Calculated GST positions, BAS preparation data, and closeout run history
  • Categorisation rules: Custom rules you create, and patterns learned by our AI auto-categorisation engine

2.3 Usage Data

We automatically collect:

  • Device type, operating system, and app version
  • Feature usage analytics (which features you use and how often)
  • Error logs and crash reports to improve app stability
  • Login timestamps and session duration

2.4 AI Assistant Interactions

When you use the AI Bookkeeping Assistant, we process:

  • Your natural language queries about your financial data
  • The context of your business data needed to generate accurate responses
  • Conversation history within the current session

3. How We Use Your Information

We use your information to:

  • Provide core bookkeeping services: Record transactions, generate reports, calculate GST, prepare BAS summaries, and manage invoices
  • Power AI features: Process receipt images via OCR, auto-categorise transactions, generate cash flow forecasts, calculate business health scores, and respond to assistant queries
  • Improve our AI models: Learn from your categorisation patterns to improve auto-categorisation accuracy for your business (this learning is per-business and is not shared between users)
  • Send notifications: Invoice payment reminders, weekly business digests, and BAS deadline alerts (configurable in settings)
  • Generate exports: Produce accountant packs, CSV exports, and data backups you request
  • Maintain security: Detect unauthorised access, enforce two-factor authentication, and maintain audit logs
  • Improve the Service: Analyse usage patterns to fix bugs, add features, and optimise performance

4. Data Storage and Security

4.1 Where We Store Your Data

Your data is stored on secure cloud infrastructure. Database backups are encrypted and retained according to our backup schedule. Receipt images and documents are stored in encrypted object storage.

4.2 Encryption

  • In transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
  • At rest: Sensitive fields (including TOTP secrets and bank connection tokens) are encrypted using AES-256 encryption
  • Passwords: Hashed using bcrypt with a cost factor of 10 — we can never see or recover your password

4.3 Access Controls

Access to production data is restricted to authorised personnel only and is subject to audit logging. We employ the principle of least privilege — staff only access data necessary for their role.

4.4 Session Security

Sessions are secured with signed cookies and configurable session timeouts. Two-factor authentication (TOTP) is available and strongly encouraged for all accounts.

5. Third-Party Services

We share data with the following categories of third-party service providers, only to the extent necessary to deliver our Service:

| Service | Purpose | Data Shared |
|---|---|---|
| Cloud hosting provider | Application hosting and data storage | All app data (encrypted at rest) |
| AI/LLM provider (OpenAI, United States) | Receipt OCR, AI assistant, auto-categorisation | Receipt and document images, content from forwarded emails, transaction context for queries (no full database exports). Sent only after you give in-app consent to AI data sharing. |
| Banking data provider (Basiq) | Bank feed imports | Bank connection credentials (encrypted), imported transaction data |
| Email service provider | Transactional emails, invoice delivery, notifications | Recipient email addresses, email content |
| Push notification service | Mobile push notifications | Device tokens, notification content |

We do not sell, rent, or trade your personal or financial information to any third party for marketing purposes. Ever.

6. AI and Automated Decision-Making

Book Keeps uses artificial intelligence in several features:

  • Receipt OCR: AI analyses receipt images to extract structured data (vendor, amount, date, GST). You can review and edit all extracted data before it is saved.
  • Auto-categorisation: AI suggests categories for transactions based on learned patterns. You can accept, reject, or change any suggestion.
  • Cash flow forecasting: AI analyses historical patterns to project future cash positions. Forecasts are informational only and should not be relied upon as financial advice.
  • Business health score: AI evaluates bookkeeping completeness and compliance indicators. Scores are advisory only.
  • AI Assistant: Responds to natural language queries about your data. Responses are generated from your actual financial records but may contain errors — always verify critical figures.

No AI feature in Book Keeps makes irrevocable decisions on your behalf. All AI outputs can be reviewed, edited, or rejected by you. We do not use your data to train general-purpose AI models — per-business learning stays within your account.

6.1 Your consent to AI data sharing

AI features require data to be sent to OpenAI, our AI provider based in the United States. Before any of your data is sent to OpenAI, we ask for your explicit, in-app consent. AI features stay switched off until you opt in. You can review your choice and withdraw consent at any time under Settings → AI Data Sharing; withdrawing immediately stops any further AI data sharing, and the rest of the app continues to work normally.

7. Data Retention

  • Active accounts: We retain your data for as long as your account is active
  • After account deletion: We delete your data within 30 days of account deletion, except where retention is required by law (e.g., tax records under ATO requirements)
  • Audit logs: Security audit logs are retained for 12 months
  • Backups: Data may persist in encrypted backups for up to 90 days after deletion

You can export all your data at any time using the Full Backup feature before deleting your account.

8. Your Rights

Under the Australian Privacy Act, you have the right to:

  • Access: Request a copy of all personal information we hold about you
  • Correction: Ask us to correct inaccurate or incomplete information
  • Deletion: Request deletion of your account and associated data
  • Data portability: Export your data in standard formats (CSV, ZIP) via the Accountant Pack or Full Backup features
  • Restrict processing: Ask us to limit how we use your data
  • Withdraw consent: Opt out of optional data processing (e.g., notifications, AI features)
  • Complain: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached

To exercise any of these rights, contact us at support@bookkeeps.com.au.

9. UK Users (UK GDPR)

If you are located in the United Kingdom, the following additional terms apply. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Book Keeps is the "data controller" of your personal data.

9.1 Legal Bases for Processing

We only process your personal data where we have a lawful basis to do so:

  • Performance of a contract: to provide the bookkeeping service you signed up for — managing your account, transactions, invoices, receipts, and reports
  • Legitimate interests: to secure accounts, prevent fraud, and maintain and improve the Service, balanced against your rights and freedoms
  • Legal obligation: to retain certain records where required by law
  • Consent: for optional features such as notifications and certain AI features, which you can withdraw at any time

9.2 Your Rights Under UK GDPR

In addition to the rights listed in Section 8, if you are in the UK you have the right to be informed, to access, to rectification, to erasure (the "right to be forgotten"), to restrict processing, to data portability, and to object to processing (including processing based on our legitimate interests). You also have rights in relation to automated decision-making and profiling — as explained in Section 6, we do not make decisions with legal or similarly significant effects about you using solely automated means. We will respond to any request within one month, and exercising these rights is free of charge in most cases.

9.3 International Data Transfers

Where we transfer your personal data outside the United Kingdom — for example to service providers based in the United States (see Section 5) — we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or reliance on a country covered by UK adequacy regulations.

9.4 Complaints

If you are in the UK and believe we have not handled your personal data lawfully, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk. We would, however, appreciate the chance to address your concerns first — please contact us at support@bookkeeps.com.au.

10. Children's Privacy

Our Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

11. Cookies and Tracking

Our web platform uses:

  • Essential cookies: Session cookies required for authentication and security (cannot be disabled)
  • No third-party tracking: We do not use advertising cookies, social media trackers, or third-party analytics that track you across other websites

12. Data Breach Notification

In the event of an eligible data breach (as defined by the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988), we will:

  • Notify the OAIC as required by law
  • Notify affected individuals as soon as practicable
  • Provide clear information about what data was affected and recommended steps

If you are in the United Kingdom, where a personal data breach is likely to result in a risk to your rights and freedoms we will notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to you, we will also inform you directly.

13. International Data Transfers

Some of our third-party service providers (including cloud infrastructure and AI services) may process data outside Australia, including in the United States. Where this occurs, we ensure appropriate safeguards are in place, including contractual obligations on the recipient to protect data to a standard comparable to the APPs. For users in the United Kingdom, the safeguards described in Section 9.3 apply to transfers of personal data outside the UK.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or in-app notification at least 14 days before the changes take effect. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

15. Contact Us

If you have questions about this Privacy Policy or how we handle your data:

Privacy Officer

Book Keeps

Email: support@bookkeeps.com.au

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (Australia) or, if you are in the United Kingdom, the Information Commissioner's Office (ICO).

© 2026 Book Keeps. Built for Australian & UK small business.