Back to Dashboard

Privacy Policy

Last updated: February 2026

1. About This Policy

IntelliCompli ("we", "us", "our") is committed to protecting the privacy of personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy describes how we collect, hold, use, and disclose personal information in the course of providing our AML/CTF compliance platform services.

This policy applies to personal information collected through our platform, including information about customers of our reporting entity clients ("end customers") and users of our dashboard ("platform users").

2. What Personal Information We Collect

We collect and process the following categories of personal information as required by AML/CTF compliance obligations:

  • Identity information: Full name, date of birth, country of birth, country of citizenship, residential address, occupation
  • Identification documents: Passport, driver's licence, birth certificate, citizenship certificate, or other government-issued identification
  • Contact information: Email address, phone number, postal address
  • Financial transaction data: Transaction amounts, dates, payment methods, counterparty details, and transaction descriptions
  • Risk assessment data: Risk scores, screening results, PEP status, sanctions check results, source of funds information, purpose of business relationship
  • Business information: Company name, ABN/ACN, business registration details, beneficial ownership information
  • Platform user data: Login credentials (hashed), role assignments, access logs, IP addresses, user agent information

3. How We Collect Personal Information

Personal information is collected through:

  • API ingestion: Data submitted by reporting entities through our REST API for customer onboarding, transaction monitoring, and compliance reporting
  • Document upload: Identity verification documents uploaded through our secure document management system
  • Identity verification services: Results from third-party identity verification providers (e.g., Stripe Identity)
  • Sanctions and PEP screening: Data obtained from screening against DFAT, UN, and other sanctions lists
  • Dashboard interactions: Information entered by platform users during compliance reviews and case management

4. Why We Collect and How We Use Personal Information

We collect and use personal information for the following purposes, as required by law and our contractual obligations:

  • AML/CTF compliance: To assist reporting entities in meeting their obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), including customer identification, transaction monitoring, and regulatory reporting
  • Customer Due Diligence (CDD): To perform simplified, standard, and enhanced due diligence as required by the AML/CTF Rules
  • Regulatory reporting: To generate and submit Threshold Transaction Reports (TTRs), Suspicious Matter Reports (SMRs), and International Funds Transfer Instructions (IFTIs) to AUSTRAC
  • Risk assessment: To assess and monitor customer risk levels and detect potential money laundering, terrorism financing, or sanctions evasion
  • Sanctions screening: To screen customers against applicable sanctions lists as required by law
  • Audit and record-keeping: To maintain audit trails and records as required by the AML/CTF Act (minimum 7-year retention)

5. How We Store and Protect Personal Information

We implement appropriate technical and organisational measures to protect personal information, including:

  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). API keys and sensitive credentials are hashed using bcrypt.
  • Access controls: Role-based access control (RBAC) with multi-tenancy isolation using PostgreSQL Row Level Security (RLS)
  • Audit logging: All access to personal information is logged in tamper-evident audit logs with cryptographic hash chains
  • Data isolation: Each reporting entity's data is logically separated through tenant-level security policies
  • Infrastructure: Hosted on secure cloud infrastructure with regular security assessments

6. Who We May Disclose Personal Information To

We may disclose personal information to the following parties, as required or authorised by law:

  • AUSTRAC: As required for TTR, SMR, and IFTI reporting under the AML/CTF Act
  • Law enforcement: When required by law, court order, or in response to lawful requests from law enforcement agencies
  • The reporting entity: The business that is our client and has collected the information as part of their AML/CTF obligations
  • Identity verification providers: Third-party services used for identity verification, only to the extent necessary

Note: Under sections 123 and 128 of the AML/CTF Act, it is a criminal offence to disclose to any person that an SMR has been or will be filed.

7. Accessing and Correcting Your Personal Information

Under the Australian Privacy Principles, individuals have the right to:

  • Access: Request access to the personal information we hold about them. We will respond to access requests within 30 days.
  • Correction: Request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading.

Please note that access to certain information may be restricted where:

  • Disclosure would prejudice law enforcement activities or the prevention, detection, or investigation of criminal offences
  • The information relates to an SMR or other compliance report filed with AUSTRAC (tipping-off prohibition under s123/s128)
  • Providing access would be unlawful or contrary to a court order

End customers should contact their service provider (the reporting entity) in the first instance. Platform users can manage their information through the dashboard settings.

8. Data Retention

Under the AML/CTF Act, we are required to retain customer identification records, transaction records, and compliance reports for a minimum of 7 years after the end of the relevant business relationship or transaction. After this period, records may be securely destroyed in accordance with the data retention policy configured by the reporting entity.

9. Data Breach Notification

In the event of an eligible data breach (as defined under Part IIIC of the Privacy Act), we will:

  • Promptly assess the breach to determine if it is an eligible data breach
  • Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable
  • Notify affected individuals as soon as practicable
  • Take reasonable steps to contain the breach and prevent further breaches
  • Notify affected reporting entities so they can meet their own notification obligations

10. Complaints

If you believe your privacy has been breached or you have a complaint about how we have handled your personal information, you can contact our Privacy Officer. We will investigate your complaint and respond within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

11. Cross-Border Disclosure

Our infrastructure may process personal information in data centres located outside Australia. Where we disclose personal information to overseas recipients, we take reasonable steps to ensure the recipient does not breach the Australian Privacy Principles in relation to that information.

12. Contact Us

For privacy-related enquiries, access requests, or complaints, please contact our Privacy Officer through the reporting entity that manages your account.

This privacy policy is provided in compliance with Australian Privacy Principle 1 (APP 1) and should be read in conjunction with the AML/CTF Act 2006 (Cth) and the Privacy Act 1988 (Cth).