Data Security & Information Handling
Last updated: 30 April 2026
This policy describes how Jazhi (operated by Tax Tracker Pty Ltd, Tax Agent 26321143) handles the data you upload, generate, and access through the platform. The Trust Centre at /trust contains the verified architecture and sub-processor details — this policy is the legal counterpart.
1. Data we handle on your behalf
- Account data: your email, hashed password, practice name, ABN, TPB number.
- Client data: business names, ABNs, TFNs, contact details, BAS records.
- Financial transaction data: bank statements, transaction lines, reconciliation results.
- OAuth tokens and SMTP credentials: when you connect a Gmail / Microsoft / SMTP mailbox for outgoing email.
- Generated documents: BAS, P&L, TPAR, transaction reports.
2. Encryption
- At rest: sensitive secrets (OAuth refresh tokens, SMTP passwords) are encrypted with AES-256-GCM before being written to the database. The master key is held in environment configuration, never in code or backups.
- Database storage: Supabase Postgres provides full-database encryption at rest as a baseline.
- In transit: TLS 1.3 for all connections to and from Jazhi.
3. Data residency
All client data is stored in AWS Sydney (ap-southeast-2) via Supabase. Data is not replicated outside Australia for storage purposes. Some sub-processors (named in the Trust Centre) may briefly process data outside Australia for compute reasons (e.g. Anthropic API request handling) — see §6.
4. AI training-data policy
Your data is never used to train AI models — ours, Anthropic's, or any third party's.
- The Anthropic API operates under their no-training-data terms for API customers. Prompts and responses sent through their API are not used to train Claude.
- Within Jazhi, “training rules” are deterministic keyword-to-category mappings stored per user (and optionally shared globally with consent). They are not AI model weights.
- We do not sell, share, or license your data to advertisers, data brokers, or analytics partners.
5. Access controls
- Row-level security (RLS) on the database isolates your data so other Jazhi users cannot read it.
- The service-role database key, used by background jobs, is held only in environment configuration. It is never exposed to the browser.
- Account access requires an email address and password. MFA is on the roadmap (see Trust Centre).
- Internal access by Zaki (the operator) is limited to support cases and is logged.
6. Sub-processors
We use the following sub-processors. Each is listed with role and location. Any change to this list will be reflected here and in the Trust Centre.
- Supabase (AWS Sydney, ap-southeast-2) — database, authentication, file storage.
- Vercel — application hosting (Sydney edge / serverless).
- Anthropic — AI categorisation and email drafting under no-training-data API terms.
- Stripe — payment processing.
- Resend — outbound transactional email when the default channel is used.
- Sentry — error monitoring for the application.
7. Backups and recovery
Supabase performs automated daily database backups with point-in-time recovery available. Backup data is retained per Supabase's retention schedule and is encrypted at rest under the same controls as the live database.
8. Incident response
If we become aware of a security incident affecting your data, we will notify affected accounts as soon as practicable and within the timeframes required by the Australian Privacy Act (Notifiable Data Breaches scheme), with the information available at the time and updates as the investigation progresses.
9. Data retention and deletion
- You can export all your data via the in-app export tool at any time, including after cancellation.
- You can request account deletion from within the app or by emailing us. After deletion, data is permanently removed within 30 days.
- We retain billing records for 7 years to comply with Australian tax law, even after account deletion.
10. User responsibilities
- Choose a strong password unique to Jazhi.
- Do not share your account with team members — multi-user support is on the roadmap; until then, each agent should have their own account.
- Verify AI-generated outputs (categorisation, email drafts) before they leave your desk. Jazhi is a productivity tool; the registered agent operating it remains responsible for the work.
11. Limitations
No system is completely secure. We use industry-standard controls and continuously improve them, but cannot guarantee absolute security. If you discover a vulnerability, please report it to security@taxtracker.com.au.
12. Compliance roadmap
We are working towards SOC 2 Type I certification (target Q2 2027) and will publish progress on the Trust Centre. ISO 27001 and IRAP assessments are under evaluation.