Last updated: 26 April 2026
Privacy Policy
This policy explains how we handle personal information under the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles ("APPs"). Each section below cites the relevant APP. If anything here is unclear or you believe we have not complied, contact us first; you may also lodge a complaint with the Office of the Australian Information Commissioner.
1. Who we are (APP 1)
Review Copilot is operated by Micleah Pty Ltd (ABN 57 616 879 924), an Australian company with its registered office in New South Wales. In this policy, "we", "us" and "our" refer to Micleah Pty Ltd; "you" refers to the firm or individual who has an account with us; and "clients" refers to your firm's clients whose Xero data you process through the Service.
This policy is published on a publicly accessible page in plain English to satisfy our open and transparent management obligations under APP 1. We review it at least annually.
2. What we collect (APP 3, APP 5)
We collect only what is reasonably necessary to deliver the Service.
- Account information — your name, email address, firm name, role, and ABN if provided. Collected at signup and when you invite team members.
- Authentication data — bcrypt-hashed passwords, optional TOTP secrets (encrypted), session tokens. We never store passwords in plain text.
- Billing data — held by Stripe (our payment processor); we receive only the customer ID and the last four digits of the card. Full card numbers never touch our infrastructure.
- Xero connection data — when you authorise the Service, we receive read-only OAuth 2.0 tokens scoped to the Xero permissions you granted. We do not receive your Xero login credentials.
- Client financial metrics — derived aggregates (revenue trends, cash position, AR ageing buckets, BAS-pre-check status, super-payment status, etc.) computed from Xero data. We do not persist individual line-item transactions.
- Saris conversation logs — when you use the natural-language assistant, we record your prompts and Saris's responses in our control plane to support the training feedback loop and to investigate quality issues.
- Usage data — IP address, browser, timestamps, feature usage and error logs, retained for security monitoring and debugging.
We collect your information directly from you when you sign up, when you connect Xero, when you interact with the Service, and from our sub-processors as described in section 5. APP 5 notification of these collection methods is provided through this policy and the relevant in-product flows (e.g., the Xero consent screen).
We do not collect sensitive information within the meaning of section 6 of the Privacy Act (e.g., health, religion, racial origin) and have no operational reason to do so.
3. How we use information (APP 6)
We use your personal information for the primary purpose of providing the Service and for closely related secondary purposes, namely:
- Producing weekly risk reports and on-demand analyses across your client portfolio.
- Generating Saris responses and (with your team's permission) drafting client communications for your review.
- Billing, account administration, and authentication.
- Service improvement (error diagnosis, performance tuning, model evaluation against captured feedback).
- Communicating with you about service updates, security advisories, billing, and renewals.
- Meeting our legal obligations (financial record-keeping, taxation, regulatory compliance).
We do not use or disclose your personal information for direct marketing without your consent (APP 7). Promotional emails are limited to material affecting your service and contain unsubscribe options for non-essential categories.
We do not sell your personal information or client data to third parties.
4. How we protect information (APP 11)
We take reasonable steps as required by APP 11.1 to protect your information from misuse, interference, loss, unauthorised access, modification or disclosure. These steps include:
- Network: TLS 1.2+ on all connections; strict transport security; private VPC for production database.
- At rest: AWS-managed encryption on databases (PostgreSQL with encryption at rest) and S3 object storage (SSE-AES256). Backups are encrypted with the same keys.
- Xero tokens: encrypted at the application layer using AES-256-GCM with a master key held in AWS Secrets Manager, in addition to AWS at-rest encryption.
- Multi-tenant isolation: each firm's data lives in its own database schema with row-level scoping enforced in code paths. Cross-firm access is architecturally impossible — not just disallowed by policy.
- Access control: role-based permissions inside the application (owner / partner / admin / staff). Production system access is restricted to authorised Micleah Pty Ltd personnel and audited.
- Authentication: bcrypt-hashed passwords, optional TOTP, sliding-window rate limiting, lockout after repeated failed attempts.
- Audit logging: every login, role change, Xero connection, data deletion, and Saris feedback action is recorded in an append-only audit log retained per the schedule below.
If we no longer need information and we are not required to retain it under Australian law, we will destroy or de-identify it (APP 11.2). See section 7 for the retention schedule.
5. Sub-processors and cross-border disclosure (APP 8)
To deliver the Service we rely on the following sub-processors. Before disclosing personal information to any of them we take reasonable steps as required by APP 8.1 to ensure they comply with the APPs (or with a substantially similar law). Where this is not technically possible we obtain your express consent through your acceptance of this policy and through in-product disclosures.
| Sub-processor | Purpose | Data shared | Location |
|---|---|---|---|
| Xero Limited | Source of accounting data | OAuth tokens (we hold), API requests/responses (transient) | AU / NZ |
| Anthropic PBC (Claude API) | Powers Saris natural-language assistant | Your prompt text + relevant aggregated metrics from your scope. We do not send raw client transactions. | United States |
| OpenAI (embeddings only) | Vector embeddings for retrieval over a public knowledge corpus | Anonymised query text only. No client identifiers, no Xero data. | United States |
| Amazon Web Services | Application hosting, RDS PostgreSQL, S3, Secrets Manager, SES email | All Service data | Australia (ap-southeast-2 Sydney) |
| Stripe Payments Australia Pty Ltd | Subscription billing | Email, name, billing address, card data (held by Stripe, never by us) | Australia / United States (Stripe global) |
| Cloudflare Inc. | DNS, marketing-site CDN, email DNS | IP address, request metadata for marketing site only | Global edge (data may transit US) |
Important Anthropic disclosure (APP 8.1). When you use the Saris natural-language assistant, your prompts together with the relevant retrieved corpus context and any aggregate metrics needed to answer (e.g., "Acme's net margin is 12.4%") are transmitted to Anthropic's infrastructure in the United States. Anthropic has confirmed it does not use API customer data to train its models. By using the Saris feature you consent to this disclosure. If you do not wish your queries to leave Australia, do not use the Saris feature; the rest of the Service will continue to function.
OpenAI embeddings disclosure. When you submit a Saris query, a 1536-dimensional vector representation of the query text is computed by OpenAI's embedding API to retrieve relevant context from our public knowledge corpus (ATO Community, AccountantsDaily, regulatory texts). The query text itself is the only data sent — no client identifiers, no Xero data.
We will keep this list current. If we add a sub-processor that materially changes data flows, we will notify you in advance.
6. Notifiable Data Breaches (Privacy Act Part IIIC)
We are subject to the Notifiable Data Breaches scheme. If we become aware of unauthorised access to or disclosure of personal information that is likely to result in serious harm to one or more individuals, and the harm cannot be remediated, we will:
- Promptly assess the suspected breach and contain it.
- Within 30 days of becoming aware, notify affected individuals and the OAIC, including a description of the breach, the kinds of information involved, and the steps individuals can take to mitigate harm.
- Provide updates as the investigation progresses.
Our incident-response procedure is documented internally; a redacted summary is available to enterprise customers on request.
7. How long we keep information
- Account data — for the duration of your subscription, plus seven years after cancellation for tax-record-keeping (Income Tax Assessment Act 1936 s262A and equivalent).
- Client financial metrics — for the duration of your subscription. On cancellation the firm-specific schema is queued for deletion and erased after a 30-day grace window unless you request immediate deletion.
- Saris conversation logs — three years from the message date, then deleted unless they form part of an active feedback investigation.
- Raw Xero data — not persisted. Only computed metrics are stored.
- Authentication logs — 12 months rolling.
- Application/error logs — 90 days rolling.
- Audit events (logins, role changes, deletions, feedback) — seven years for compliance trail.
8. Your rights (APP 12, APP 13)
Under the Australian Privacy Principles you have the right to:
- Access the personal information we hold about you (APP 12). We will respond within 30 days; some operational data may be redacted to protect the privacy of others.
- Correct inaccurate, out-of-date, incomplete, irrelevant or misleading information (APP 13). We will correct without charge and notify any third party we previously disclosed the information to.
- Request deletion of your information, subject to retention requirements above. Operating-record information that the law requires us to retain cannot be deleted on request, but it remains restricted-access and is destroyed at the end of the retention period.
- Withdraw consent for non-essential processing (e.g., disconnect Xero, opt out of Saris).
- Lodge a complaint directly with us, or with the Office of the Australian Information Commissioner at oaic.gov.au.
To exercise any of these rights, email [email protected]. We will acknowledge within 5 business days and respond substantively within 30 days, in accordance with APP 12.4.
9. Tax Practitioners Board context
Many of our customers are registered tax agents, BAS agents, or tax (financial) advisers regulated by the Tax Practitioners Board ("TPB"). Code item 6 of the Tax Agent Services Act 2009 (Cth) requires registered agents not to disclose information about a client's affairs to a third party without the client's permission unless they have a legal duty to do so.
By using Review Copilot to handle data about your firm's clients, the firm represents that it has obtained the necessary client permissions to disclose that data to a SaaS sub-processor (Micleah Pty Ltd), typically through the engagement letter or privacy notice the firm provides to its clients. Micleah Pty Ltd is not itself a registered tax agent and does not provide tax agent services; we are a software provider.
A Data Processing Addendum reflecting this relationship is available on request from [email protected].
10. Cookies and analytics
We use only strictly necessary cookies for session authentication and CSRF protection. We do not use advertising cookies or cross-site tracking. If we add product-analytics tooling (e.g., PostHog) we will update this policy and the relevant in-product disclosures before doing so.
11. Children
The Service is a B2B product not directed at children under 18. We do not knowingly collect personal information from children. If you believe we have, contact us and we will delete it.
12. Changes to this policy
We may update this policy. Material changes will be notified by email at least 30 days before they take effect. The "last updated" date at the top reflects the most recent version. Historical versions are available on request.
13. Contact
Privacy Officer
Micleah Pty Ltd (Review Copilot)
ABN 57 616 879 924
Australia
Email: [email protected]
For complaints unresolved by us, the Office of the Australian Information Commissioner can be contacted at oaic.gov.au or 1300 363 992.
This policy is provided in good faith based on the Australian Privacy Act 1988, the 13 Australian Privacy Principles, the Notifiable Data Breaches scheme, and the Tax Practitioners Board Code of Professional Conduct as in force on the "last updated" date above.