Privacy policy.

Last updated: 22 March 2026

Information We Collect

Clear Check collects information necessary to provide AML/CTF compliance screening services to Australian professionals. We are committed to collecting only what is required and nothing more.

Account Information

  • Full name, email address, and phone number
  • Business name, ABN, and professional registration details
  • Billing address and payment information (processed securely via Stripe)
  • Professional role and industry sector

Screening Data

  • Names and identifiers submitted for compliance checks
  • Search results from government databases (DFAT, ABN Lookup, PPSR, ASIC, AFSA)
  • PEP screening results from the OpenSanctions dataset
  • Screening reports and audit trail records

Technical Data

  • IP address, browser type, and device information
  • Pages visited, time spent, and interaction patterns
  • Authentication logs and session data

How We Use Information

We use the information we collect for the following purposes:

  • Service delivery: To perform AML/CTF compliance screening checks against Australian government databases and sanctions lists
  • Audit trail: To maintain records of all screening activities as required by AML/CTF legislation
  • Account management: To manage your subscription, process payments, and provide customer support
  • Compliance reporting: To generate compliance reports and assist with your AUSTRAC obligations
  • Service improvement: To analyse usage patterns and improve the accuracy and speed of our screening services
  • Security: To detect, prevent, and respond to fraud, abuse, and security incidents
  • Legal obligations: To comply with applicable Australian laws, regulations, and legal processes

We will never sell your personal information to third parties. We do not use your screening data for advertising or marketing purposes.

Data Storage & Security

Australian Data Residency: All Clear Check data is stored and processed exclusively within Australia. Our infrastructure runs on Google Cloud Platform in the Sydney (australia-southeast1) region. Your data never leaves Australian soil.

Infrastructure

  • Hosted on Google Cloud Platform — Sydney, Australia (australia-southeast1)
  • Cloud SQL (PostgreSQL) with encryption at rest using AES-256
  • All data in transit encrypted with TLS 1.3
  • Secrets managed via Google Cloud Secret Manager
  • Cloud Armor Web Application Firewall for perimeter protection

Access Controls

  • Role-based access control (RBAC) across all systems
  • Multi-factor authentication required for administrative access
  • Regular access reviews and principle of least privilege
  • Complete audit logging of all data access events

Security Practices

  • Regular penetration testing and vulnerability assessments
  • Secure software development lifecycle (SSDLC)
  • Incident response plan aligned with the Notifiable Data Breaches scheme
  • SOC 2 Type II compliance (in progress)

Data Retention

We retain your data for as long as necessary to fulfil the purposes outlined in this policy, and as required by law:

  • Account data: Retained for the duration of your active subscription, plus 30 days following account closure
  • Screening records and audit trails: Retained for 7 years from the date of the screening, as required by the AML/CTF Act 2006
  • Billing records: Retained for 7 years to comply with Australian tax law
  • Technical logs: Retained for 90 days for security and diagnostic purposes

When data is no longer required, it is securely deleted using cryptographic erasure methods or overwritten to prevent recovery.

Your Rights

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), you have the following rights:

  • Access: You may request access to the personal information we hold about you
  • Correction: You may request correction of inaccurate, incomplete, or out-of-date information
  • Complaint: You may lodge a complaint about our handling of your personal information
  • Erasure: You may request deletion of your account and associated personal data, subject to our legal retention obligations
  • Data export: You may request a copy of your screening records and compliance reports in a standard format

To exercise any of these rights, contact us at privacy@clearcheck.com.au. We will respond within 30 days.

Cookies

Clear Check uses a minimal set of cookies that are essential for the service to function:

  • Session cookies: To maintain your login session and authentication state
  • Security cookies: To detect and prevent cross-site request forgery (CSRF) attacks
  • Preference cookies: To remember your display and notification settings

We do not use third-party advertising cookies or cross-site tracking technologies. We do not participate in ad networks or data broker programs.

Third Parties

We share data with third parties only as necessary to provide our service:

  • Google Cloud Platform: Infrastructure hosting (Sydney region only)
  • Stripe: Payment processing (Australian processing enabled)
  • Australian Government APIs: DFAT, ABN Lookup, PPSR, ASIC, and AFSA — accessed via Australian endpoints for compliance checks

We require all third-party providers to maintain appropriate security controls and data handling practices. We do not share your data with third parties for their own marketing or commercial purposes.

Breach Notification

In the event of an eligible data breach under the Notifiable Data Breaches (NDB) scheme, we will:

  • Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable
  • Notify affected individuals directly via email and in-app notification
  • Provide a description of the breach, the types of information involved, and recommended steps
  • Take reasonable steps to contain the breach and mitigate any harm

Our incident response process is documented and tested regularly. We maintain 24/7 monitoring of our infrastructure for suspicious activity.

Contact

If you have questions about this Privacy Policy or our data practices, contact our Privacy Officer:

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).