Privacy Policy
Last updated: 5 July 2026
1. Overview
Mark Chen trading as AML Mate (“we”, “us”, “our”) is committed to protecting your privacy. This policy explains how we collect, use, disclose, and safeguard your information when you use our platform at amlmate.com.au (“the Service”).
We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).
The Service handles two kinds of personal information, and our role is different for each:
- Part A — Information about you (our customers, their team members, and website visitors). We collect and hold this information for our own purposes and are directly responsible for it under the Privacy Act.
- Part B — Information about your clients (the individuals whose details you enter into or upload to the Service as part of your AML/CTF compliance). You remain responsible for this information under the Privacy Act; we store and process it on your behalf, only to provide the Service.
Part A — Information about you
2. What we collect
2.1 Information you provide
- Account information: Name, email address, password (hashed).
- Business information: Business name, ABN, industry, designated services, compliance officer details.
- Contact form submissions: Name, email, and message content.
2.2 Information collected automatically
- Usage data: Pages visited, features used, activity logs.
- Device information: Browser type, operating system, IP address.
- Cookies: Session cookies for authentication; first-party analytics cookies (PostHog) tied to an opaque user id — we do not attach your name or email to analytics; and Google Analytics and Google Ads cookies, which measure site usage and advertising conversions (see Section 8).
3. How we use your information
We use information about you to:
- Provide and maintain the Service.
- Send transactional emails (account verification, password reset, compliance alerts).
- Process payments via Stripe.
- Respond to support requests.
- Improve the Service based on usage patterns (pseudonymous analytics keyed to an opaque user id — see Section 8).
4. Direct marketing and email preferences
- We may occasionally email you product updates or a personal note from the founder about getting set up. Every such email includes a one-click unsubscribe link, and you can manage email preferences (alert digests, deadline reminders) in your account settings.
- Unsubscribing does not affect essential account emails (security, billing, verification).
- We never use your clients' information (Part B) for marketing of any kind.
Part B — Information about your clients
5. What this covers
- Client records: Client names, identification details, risk assessments, and KYC/CDD records you enter into the Service.
- Documents: Files you upload, or your clients upload via a KYC link you send them (ID documents, financial records).
- Verification results: Where you use electronic identity verification (EIV), the verified name, date of birth, and document details returned by the verification provider.
6. Our role and your responsibilities
- We store and process your clients' information only to provide the Service to you — generating compliance plans, risk assessments, and reports; screening against sanctions and PEP lists; and keeping your KYC/CDD records.
- We never sell this information, never use it for our own marketing, and never use it to train AI models.
- You are responsible for this information under the Privacy Act: for collecting it lawfully, for giving your clients any required collection notices (including that it will be stored with service providers such as us), and for your own retention obligations under the AML/CTF Act.
- Screening: Client names are checked against public sanctions and PEP databases (DFAT, OpenSanctions) as part of the Service's compliance features.
- Identity verification: Where you request it, client identities are verified electronically via Stripe Identity or Sumsub (see Section 8 for what each provider receives).
7. AI features
Several features use Google's Gemini AI (the compliance assistant, risk assessment, alert triage, and report drafting and validation). To protect your clients:
- We remove direct client identifiers before sending anything to the AI. Client names, dates of birth, residential addresses, and ID or document numbers are never sent to the AI model. Where these appear in free text you enter, they are masked (for example
[NAME],[ID]) before the text is sent. - We may send de-identified risk attributes needed to generate guidance, such as client type, nationality, occupation, risk factors, and transaction amounts and dates. These are not used to identify an individual.
- Google processes this data under its paid API terms and does not use it to train its models.
- AI conversations are stored in our database for your reference and are subject to the same data protection as all other data.
- Adverse media screening is not performed by AI; it requires manual review.
Applying to both Parts A and B
8. Who we share information with
We do not sell your data. We share information only with:
- Stripe: Payment processing, and — if you use electronic identity verification (EIV) — Stripe Identity, which collects the client's ID document images and a selfie and returns the verified name, date of birth, and document number. Stripe's privacy policy applies.
- Sumsub: Alternative EIV provider. When used, the client's name, date of birth, address, and ID document details are sent to Sumsub for verification.
- Supabase: Database hosting (PostgreSQL) and file storage for uploaded documents. Data is stored in Sydney, Australia (AWS ap-southeast-2).
- Resend: Email delivery service for transactional emails.
- Vercel: Application hosting.
- Google (Gemini API): AI-assisted features (de-identified — see Section 7).
- Google (Analytics & Ads): Site usage measurement and advertising conversion tracking, primarily on our marketing pages. If you create an account after clicking one of our ads, a SHA-256 hash of your email address — hashed in your browser; the raw address is never sent — is shared with Google to attribute the sign-up to the ad. Your clients' information (Part B) is never shared with Google Analytics or Ads.
- OpenSanctions / DFAT: Client names are checked against public sanctions and PEP databases as part of the compliance screening feature.
- PostHog: Product analytics, keyed to an opaque user id only (no name or email).
- Law enforcement: If required by law, court order, or regulatory obligation.
9. Overseas disclosure (APP 8)
Some processors (Google — Gemini, Analytics and Ads — Vercel, Stripe, Sumsub, PostHog) may store or process data outside Australia, including in the United States. By using the relevant features you consent to this disclosure. We take reasonable steps to ensure overseas recipients handle your data consistently with the Australian Privacy Principles.
10. Data security
- Authentication is handled by Supabase Auth. We never store your password; password hashing is performed by Supabase.
- All data is transmitted over HTTPS (TLS 1.2+).
- Sessions use short-lived signed tokens managed by Supabase Auth, and every request is re-verified on our servers.
- Database access requires application credentials, and every query is scoped to the requesting business — one business can never read another's data.
- Uploaded documents are stored in a private storage bucket in Sydney, Australia. Each download is authorised against your business and served via a signed URL that expires after 60 seconds.
11. Data breaches
We comply with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth). If a data breach occurs that is likely to result in serious harm, we will assess it promptly and notify affected individuals and the Office of the Australian Information Commissioner as required. If a breach affects your clients' information (Part B), we will notify you promptly so you can meet your own obligations.
12. Data retention
- Account data: Retained while your account is active. When the last member of a team deletes their account, all business and client data is deleted immediately; the remaining account record (name and email) is deleted or de-identified within 30 days.
- Client records and documents: We do not automatically delete client records or uploaded documents — they are retained until you delete them or your account is deleted. You are responsible for your own retention obligations under the AML/CTF Act: identification and transaction records must generally be kept for 7 years, while copies of identification documents themselves are no longer required to be retained once verification is complete, and should be destroyed when no longer needed (APP 11.2).
- AI conversation history: Retained for 12 months, then automatically deleted.
- Payment records: We store only your Stripe customer reference and subscription status. Invoices, receipts, and card details are held by Stripe, and we retain billing records as required by Australian tax law.
13. Your rights
If you are our customer (Part A), under the Australian Privacy Principles you have the right to:
- Access: Request a copy of personal information we hold about you.
- Correction: Request correction of inaccurate information.
- Deletion: Request deletion of your account and associated data (subject to legal retention requirements).
- Export: Export your client data in CSV format at any time via the dashboard.
- Complaint: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs.
If you are a client of one of our customers (Part B): access, correction, and deletion requests should be directed to the business that collected your information — they are responsible for it under the Privacy Act, and we will assist them in responding. If you contact us directly, we will refer your request to that business unless the law requires otherwise.
14. Children
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.
15. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app notice at least 14 days before they take effect.
16. Contact us
For privacy-related inquiries or to exercise your rights, contact us at: