Privacy Policy

Last updated: 30 April 2026

1. Who we are

Jazhi is operated by Tax Tracker Pty Ltd, a registered tax agent practice (Tax Agent 26321143). Our registered office is in Australia. Jazhi is built and operated by Zaki Ahmed Choudhry, a registered Tax Agent (TPB 26298664) and BAS Agent (TPB 26280921), and a member of the Institute of Public Accountants (IPA).

2. What data we collect

  • Account data: email address, password (hashed), practice name, ABN, TPB number.
  • Client data: business names, ABNs, TFNs, contact details, and financial transaction data that you upload.
  • Usage data: pages visited, features used, timestamps. No tracking cookies are used.
  • Payment data: processed by Stripe. We do not store credit card numbers.

3. How we use your data

  • To provide the BAS workflow platform and its features.
  • To process bank statements and categorise transactions.
  • To compute BAS figures and generate reports.
  • To send transactional emails (welcome, BAS reminders, lodgement confirmations).
  • To improve the categorisation engine via anonymised training rules.

We do not sell your data. We do not share data with advertisers, data brokers, or analytics partners.

4. AI processing

When you use the AI categorisation feature, only the cleaned transaction description and amount are sent to our AI provider (Anthropic). A two-layer redaction strips potential PII before any data leaves our server:

  • Generic patterns: emails, ABNs, BSBs, card numbers, account numbers, phone numbers, addresses, postcodes, TFNs.
  • Client context: the specific client's own business name, contact name, and ABN are stripped per request so the AI never sees the client's identity.

Your data is never used to train AI models. The Anthropic API operates under Anthropic's no-training-data terms for API customers.

5. PDF OCR (browser-only)

When you upload a scanned or image-based PDF bank statement, optical character recognition (OCR) runs entirely in your browser. The PDF image data is never transmitted to our servers or any third party. Only the extracted text (which goes through the redaction pipeline described in section 4) is sent to our parser.

6. Data isolation

Each user's data is completely isolated via Row Level Security (RLS) at the database level. No user can access another user's clients, transactions, or BAS records. The platform operator has admin access for support purposes only, and that access is logged.

7. Data storage and residency

All client data is stored in Supabase (PostgreSQL) hosted in AWS Sydney (ap-southeast-2). Uploaded bank statement files are stored in encrypted Supabase Storage. OAuth tokens and SMTP passwords are AES-256-GCM encrypted at rest before being written to the database. All connections use TLS 1.3. Data is not replicated outside Australia for storage purposes.

8. Your rights

Under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs), you have the right to:

  • Access: request a copy of all your data (Settings → Export Data).
  • Correction: update your data at any time via the platform.
  • Erasure: permanently delete your account and all data.
  • Portability: download your data as machine-readable JSON.

9. Sub-processors

The current list of sub-processors that handle your data:

  • Supabase: database, authentication, file storage (AWS Sydney).
  • Vercel: application hosting.
  • Anthropic: AI categorisation and email drafting (no-training-data terms).
  • Stripe: payment processing.
  • Resend: transactional email delivery.
  • Sentry: error monitoring.

See the Trust Centre for the full sub-processor list and architecture.

10. Data retention

Your data is retained for as long as your account is active. After account deletion, all data is permanently erased within 30 days. Backups are rotated and older backups containing deleted data are purged within 90 days. We retain billing records for 7 years as required by Australian tax law.

11. Contact

For privacy inquiries: zaki@taxtracker.com.au