
Privacy Policy

Effective date: 1 January 2025  |  Last updated: 21 March 2026

1. Introduction

Book Keeps ("we", "us", "our") operates the Book Keeps mobile application and web platform (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal and financial information when you use our Service.

We are committed to protecting your privacy and complying with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). By using our Service, you consent to the practices described in this policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Your name, email address, and password (hashed and salted — we never store plaintext passwords)
  • Business name, ABN (Australian Business Number), and GST registration status
  • Two-factor authentication details (TOTP secrets, encrypted at rest)

2.2 Financial Data

To provide our bookkeeping services, we collect and process:

  • Transaction data: Income and expense records including amounts, dates, descriptions, categories, and GST components
  • Receipt images: Photos of receipts uploaded for OCR processing, including vendor names, amounts, and line items extracted by our AI
  • Invoice data: Invoice details you create, including client names, amounts, payment terms, and payment status
  • Bank feed data: Transaction data imported from connected bank accounts via our third-party banking data provider (Basiq)
  • GST and BAS data: Calculated GST positions, BAS preparation data, and closeout run history
  • Categorisation rules: Custom rules you create, and patterns learned by our AI auto-categorisation engine

2.3 Usage Data

We automatically collect:

  • Device type, operating system, and app version
  • Feature usage analytics (which features you use and how often)
  • Error logs and crash reports to improve app stability
  • Login timestamps and session duration

2.4 AI Assistant Interactions

When you use the AI Bookkeeping Assistant, we process:

  • Your natural language queries about your financial data
  • The context of your business data needed to generate accurate responses
  • Conversation history within the current session

3. How We Use Your Information

We use your information to:

  • Provide core bookkeeping services: Record transactions, generate reports, calculate GST, prepare BAS summaries, and manage invoices
  • Power AI features: Process receipt images via OCR, auto-categorise transactions, generate cash flow forecasts, calculate business health scores, and respond to assistant queries
  • Improve our AI models: Learn from your categorisation patterns to improve auto-categorisation accuracy for your business (this learning is per-business and is not shared between users)
  • Send notifications: Invoice payment reminders, weekly business digests, and BAS deadline alerts (configurable in settings)
  • Generate exports: Produce accountant packs, CSV exports, and data backups you request
  • Maintain security: Detect unauthorised access, enforce two-factor authentication, and maintain audit logs
  • Improve the Service: Analyse usage patterns to fix bugs, add features, and optimise performance

4. Data Storage and Security

4.1 Where We Store Your Data

Your data is stored on secure cloud infrastructure. Database backups are encrypted and retained according to our backup schedule. Receipt images and documents are stored in encrypted object storage.

4.2 Encryption

  • In transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
  • At rest: Sensitive fields (including TOTP secrets and bank connection tokens) are encrypted using AES-256 encryption
  • Passwords: Hashed using bcrypt with a cost factor of 10 — we can never see or recover your password

4.3 Access Controls

Access to production data is restricted to authorised personnel only and is subject to audit logging. We employ the principle of least privilege — staff only access data necessary for their role.

4.4 Session Security

Sessions are secured with signed cookies and configurable session timeouts. Two-factor authentication (TOTP) is available and strongly encouraged for all accounts.

5. Third-Party Services

We share data with the following categories of third-party service providers, only to the extent necessary to deliver our Service:

Service | Purpose | Data Shared
--- | --- | ---
Cloud hosting provider | Application hosting and data storage | All app data (encrypted at rest)
AI/LLM provider (OpenAI) | Receipt OCR, AI assistant, auto-categorisation | Receipt images, transaction context for queries (no full database exports)
Banking data provider (Basiq) | Bank feed imports | Bank connection credentials (encrypted), imported transaction data
Email service provider | Transactional emails, invoice delivery, notifications | Recipient email addresses, email content
Push notification service | Mobile push notifications | Device tokens, notification content

We do not sell, rent, or trade your personal or financial information to any third party for marketing purposes. Ever.

6. AI and Automated Decision-Making

Book Keeps uses artificial intelligence in several features:

  • Receipt OCR: AI analyses receipt images to extract structured data (vendor, amount, date, GST). You can review and edit all extracted data before it is saved.
  • Auto-categorisation: AI suggests categories for transactions based on learned patterns. You can accept, reject, or change any suggestion.
  • Cash flow forecasting: AI analyses historical patterns to project future cash positions. Forecasts are informational only and should not be relied upon as financial advice.
  • Business health score: AI evaluates bookkeeping completeness and compliance indicators. Scores are advisory only.
  • AI Assistant: Responds to natural language queries about your data. Responses are generated from your actual financial records but may contain errors — always verify critical figures.

No AI feature in Book Keeps makes irrevocable decisions on your behalf. All AI outputs can be reviewed, edited, or rejected by you. We do not use your data to train general-purpose AI models — per-business learning stays within your account.

7. Data Retention

  • Active accounts: We retain your data for as long as your account is active
  • After account deletion: We delete your data within 30 days of account deletion, except where retention is required by law (e.g., tax records under ATO requirements)
  • Audit logs: Security audit logs are retained for 12 months
  • Backups: Data may persist in encrypted backups for up to 90 days after deletion

You can export all your data at any time using the Full Backup feature before deleting your account.

8. Your Rights

Under the Australian Privacy Act, you have the right to:

  • Access: Request a copy of all personal information we hold about you
  • Correction: Ask us to correct inaccurate or incomplete information
  • Deletion: Request deletion of your account and associated data
  • Data portability: Export your data in standard formats (CSV, ZIP) via the Accountant Pack or Full Backup features
  • Restrict processing: Ask us to limit how we use your data
  • Withdraw consent: Opt out of optional data processing (e.g., notifications, AI features)
  • Complain: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached

To exercise any of these rights, contact us at privacy@bookkeeps.com.au.

9. Children's Privacy

Our Service is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

10. Cookies and Tracking

Our web platform uses:

  • Essential cookies: Session cookies required for authentication and security (cannot be disabled)
  • No third-party tracking: We do not use advertising cookies, social media trackers, or third-party analytics that track you across other websites

11. Data Breach Notification

In the event of an eligible data breach (as defined by the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988), we will:

  • Notify the OAIC as required by law
  • Notify affected individuals as soon as practicable
  • Provide clear information about what data was affected and recommended steps

12. International Data Transfers

Some of our third-party service providers (including cloud infrastructure and AI services) may process data outside Australia, including in the United States. Where this occurs, we ensure appropriate safeguards are in place, including contractual obligations on the recipient to protect data to a standard comparable to the APPs.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or in-app notification at least 14 days before the changes take effect. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or how we handle your data:

Privacy Officer

Book Keeps

Email: privacy@bookkeeps.com.au

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner.

© 2025 Book Keeps. Built for Australian small business.