Last Updated: June 13, 2025
Actuals International Pty Ltd (“Actuals”, “we”, “us” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and disclose data when you use our cloud-based accounting software and related services (“Services”). It applies to business customers in Australia, the United States, the United Kingdom, Singapore, and New Zealand, and covers data collected through our websites, applications, and integrations with third-party systems.
What this Policy Covers: This Policy covers personal information and business data you or your organization provide to us, or that we generate or receive when delivering the Services. Personal information in this context mainly refers to business contact details (like names, work emails, phone numbers) and any personal data contained within the business documents you upload. We do not intentionally collect sensitive personal data (e.g. government ID numbers, financial account passwords, health or biometric data) beyond basic contact information. Our Services are intended for use by businesses, and any personal data about individuals (such as your employees or customers) that you input is considered business-related information.
Controller vs Processor: For personal data that you provide about third parties (for example, information about your customers or employees in invoices, contracts, or communications), you are the “data controller” (or equivalent term under applicable law), and Actuals acts as a “data processor” or service provider on your behalf. This means we will only process that data to provide the Services according to your instructions and our Terms of Service or data processing agreement. This Privacy Policy primarily addresses how we handle personal data when we act as a data controller (for example, information about our direct customers and website users). If you have questions about personal data that may be contained in your business data on our platform, you should direct those questions to the relevant business (the data controller).
We collect business-related data in order to provide our Services. This includes:
Account and Contact Information: When you sign up or communicate with us, we collect your name, business email, phone number, job title/role, company name, billing address, and similar contact details. This allows us to create and manage your account and reach you when needed.
Business Financial Data: Our accounting software processes data such as financial transactions, general ledger entries, bank transaction data, vendor invoices, bills, purchase orders, and customer contracts or quotes that you choose to upload or input. This data typically relates to your company’s finances and operations. Any personal information within this business data (for example, a customer’s name on an invoice) is incidental and handled as part of providing the Service to you.
Integrations and Communications Data: If you integrate our Service with your internal systems (like an ERP platform) or communication tools (such as Slack, Microsoft Teams, or email), we may collect data from those sources. For example, this could include messages or commands sent via Slack/Teams to our application, or data retrieved from your ERP to sync with our accounting system. We only access and use such data to the extent needed to perform the integration or provide the requested functionality.
Usage and Technical Data: We automatically collect certain information about how you and your users interact with our Services. This includes log data (e.g. IP address, browser type, device identifiers), timestamps of access, features used, pages or reports viewed, and error logs. We may also use cookies or similar technologies on our website or app to remember your preferences and improve user experience. This usage data does not normally identify you as an individual, but it may be linked with your account for service analytics and security purposes.
Support and Feedback: If you contact us for support or give feedback, we will collect the information you provide (such as the details of your query or problem, and any screenshots or attachments). We keep records of support tickets and communications to help resolve issues and improve our Services.
No Collection of Sensitive Personal Data: We do not knowingly collect any sensitive personal information such as racial or ethnic origin, political opinions, health information, or financial account passwords. We ask that you do not include such data in the materials you upload to our Service. In the event we encounter sensitive data incidental to the permitted use of our Services, we will treat it securely and in accordance with this Policy, but we disclaim any liability for any sensitive personal data submitted in violation of this direction.
We use the collected information for the following business purposes:
Providing and Improving the Services: We process your business financial data, documents, and inputs to deliver our accounting software functionality – for example, to generate financial reports, perform calculations, automate entries, generate invoices, and facilitate collaboration. We use contact and account data to maintain your user account, authenticate logins, and provide customer support. We may also analyze aggregate usage patterns and feedback to improve existing features and develop new ones. In some cases, we utilize AI tools or machine learning algorithms to assist with data processing (for instance, auto-categorizing transactions or extracting data from invoices). Any such AI processing is done with safeguards to maintain confidentiality and accuracy, and not for unrelated purposes like marketing to individuals.
Communication: We use your contact information to send necessary communications about the Service. This includes transactional emails (e.g. billing notices, security alerts, system updates, and changes to our Services or policies) and responses to support requests. We may also send product announcements, training materials, or marketing communications about new features or offers, but you can opt out of marketing emails at any time. We will ensure that any marketing complies with applicable laws (for example, obtaining consent where required). We may also use information provided by you to contact your vendors or customers in the context of your accounts payable and accounts receivable operations, with your approval.
Third-Party Integration: When you choose to integrate our Service with third-party platforms (like Slack, Teams, or an ERP), we use the relevant data from those integrations strictly to perform the integration and support controllership operations. For example, if you connect Slack, we may send messages, share documents, request approvals or receive commands via Slack as directed by you. If you connect an ERP, we exchange data with that system to sync records. We do not use data from third-party integrations for any purpose other than providing the intended functionality to you.
Compliance and Legal: We may process and retain data as needed to comply with legal obligations, such as financial reporting regulations, tax requirements, or responding to lawful requests by authorities. We also use data to enforce our Terms of Service and to detect or prevent fraud, security incidents, or other malicious activity. For instance, we might monitor usage logs to identify suspicious login attempts to protect your account.
Aggregated and Anonymized Insights: We may combine and anonymize data from many users to generate statistical insights that help us understand how our Services are used (for example, average usage trends or benchmark metrics). These aggregated insights contain no personal data and cannot be linked back to any individual or company. We may use such insights internally or share them with our community (e.g. publishing a report on small business accounting trends) in a manner that does not compromise confidentiality.
If we ever need to use your personal information for a new purpose that is not compatible with the original purposes above, we will obtain your consent or provide you with appropriate notice, as required by law.
We do not sell your personal information to third parties. However, we do share certain data with trusted third-party service providers and partners in order to run our business and deliver the Services to you, as outlined below:
Cloud Hosting and Infrastructure: Actuals relies on reputable third-party cloud providers such as Amazon Web Services (AWS) and Google Cloud Platform to host our application and store data. Your data (including backups) may be stored on secure servers operated by these providers. We use industry-standard safeguards (encryption, access controls, etc.) to protect data in the cloud. These providers act as our data processors and are bound by strict security and confidentiality obligations.
Integration Partners: If you enable integrations with tools like Microsoft (for Teams or Outlook email) or Slack, we will share or transmit data to those services as necessary for the integration to function (for example, sending a message to a Slack channel you designate). Similarly, if our Service uses an AI-based feature provided by a third party, any data sent to that tool (e.g. an invoice for OCR and analysis) is limited to what’s required for that feature and is subject to confidentiality. Each third-party service you connect may also collect or receive data under their own terms and privacy policies, which we encourage you to review. We do not control third-party providers’ use of your data on their side, but we only partner with services that meet our security standards.
Service Providers and Sub-Processors: We employ other companies and individuals to perform functions on our behalf. Examples include payment processors, email/SMS delivery services, analytics services, and customer support software. These providers may process personal data (e.g. your email address for sending a notification, or usage data for analytics) solely for our business purposes. We contractually require all sub-processors to protect personal information with at least the same level of care as we do, and to use it only for the services they provide to us.
Business Transfers: If Actuals International Pty Ltd is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of Service to another provider, your data may be disclosed to our advisors and any prospective or actual acquiring entity, to be used solely for the purpose of evaluating or completing the transaction and operating the Services thereafter. In such cases, we will ensure the recipient commits to respect this Privacy Policy or provides you notice and choices regarding your personal data.
Legal Compliance and Protection: We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g. a court order, subpoena, or government inquiry). We may also disclose data if we believe in good faith that such action is necessary to (i) comply with a legal obligation, (ii) protect and defend the rights, property, or safety of Actuals, our customers, or others, (iii) investigate or assist in preventing any violation of law or our Terms of Service, or (iv) protect against legal liability. We will endeavor to notify you of any such disclosure, to the extent permitted by law.
In all cases where we share your data with third parties, we only share the minimum necessary information and we take steps to ensure the third party will safeguard it. We never share your business financial records or personal contact details with advertisers or unrelated third parties for their own marketing.
Actuals is an Australian company, but we serve customers globally and use cloud infrastructure that may be located in multiple countries. As a result, the data we collect from you may be transferred to, stored, or processed in a country different from your own, including the United States, Australia, Singapore, or other locations where our service providers maintain facilities. We understand that different countries may have different data protection laws, so we take appropriate measures to ensure your personal data remains protected whenever it is transferred across borders.
If you are located in the European Economic Area (EEA) or the UK, and your personal data is transferred outside of Europe, we will only transfer such data where we have a legal basis and adequate safeguards in place. This means we will ensure the recipient country is recognized for an adequate level of data protection or we will use standard contractual clauses (SCCs) or equivalent data transfer agreements approved by regulators to protect your information. These SCCs contractually require the recipient to provide privacy and security protections equivalent to those in the EU/UK. Similarly, for transfers from Australia, Singapore, or New Zealand to other countries, we comply with local requirements (such as Australia’s Privacy Principle 8 and Singapore’s PDPA provisions on cross-border data sharing) by ensuring the overseas recipients uphold commitments to protect your data.
Data Storage and Retention: We store your data on secure servers (for example, in AWS or Google Cloud data centers) with robust backup and recovery systems. Your data is encrypted at rest and in transit for protection. We retain personal data only for as long as necessary to fulfill the purposes described in this Policy or as required by law. In practice, this means we will keep your account information and business records while you have an active subscription and for a reasonable period thereafter. For instance, even after you stop using Actuals, we might retain certain data for a few years to comply with accounting laws (which in some jurisdictions require retention of financial records for 5-7 years), or to have necessary records in case of disputes. When personal data is no longer needed, we will securely delete it or anonymize it. For data that we process on your behalf (where you are the controller), our data processing terms will govern deletion or return of data upon termination of services, subject to applicable law.
We take the security of your data very seriously. Actuals implements a range of administrative, technical, and physical security measures to safeguard your information from unauthorized access, disclosure, or alteration. Our security program includes:
Encryption: All data transmitted between your device and our Services is encrypted using TLS/SSL. Data stored on our servers is encrypted at rest. In other words, your information is protected both in transit and in storage with strong cryptographic protocols.
Access Controls: We employ strict access controls on our systems. Only a limited number of authorized personnel at Actuals have access to customer data, and only to the extent necessary for their job roles (for example, to provide support or perform system maintenance). Access to production systems is secured via multi-factor authentication and VPN, and all access is logged and monitored. We enforce the principle of least privilege and regularly review permissions.
Authentication and Account Security: Two-factor authentication (2FA) may be required for your Actuals account login. We strongly encourage all users to enable 2FA to add an extra layer of security to their accounts. We also require strong, unique passwords and employ measures to prevent brute-force login attempts (such as rate limiting and alerting on suspicious login patterns).
Certifications and Standards: Actuals follows industry best practices for information security. We undergo regular audits and maintain compliance with standards such as SOC 2 Type II and ISO 27001 for our operations and infrastructure. These frameworks ensure we have rigorous controls in areas like risk management, access control, incident response, and vendor management. Our security practices are in line with those required of leading financial institutions, giving you confidence that your business data is handled securely. (If you require more detail, we can provide copies of relevant certifications or audit reports under NDA.)
Employee Training and Policies: Every Actuals employee undergoes background checks and is trained on confidentiality, data protection, and security best practices. We have internal policies (like clean desk policy, encryption of work devices, and least privilege data access) that all personnel must follow. Employees who handle customer data must sign confidentiality agreements. We also have a documented incident response plan. In the unlikely event of a data breach affecting your personal data, we will notify you and any applicable regulators as required by law.
While we strive to protect your data, it’s important to note that no method of transmission over the internet or electronic storage is 100% secure. We therefore cannot guarantee absolute security. However, we continuously work to update and improve our safeguards. You also play a role in security: please use a strong password, keep your login credentials confidential, enable 2FA, and notify us immediately if you suspect any unauthorized access to your account.
We respect your rights to control your personal information. Depending on the laws that apply to you (for example, the GDPR if you are in the EU/UK, or the Australian Privacy Act if you are in Australia), you may have some or all of the following rights regarding your personal data:
Right to Access: You can request confirmation of whether we are processing your personal information and access to the personal data we hold about you. We will provide you with a copy of your information in a commonly used format, subject to some exceptions (e.g. if providing the data would adversely affect the rights of another person or as otherwise permitted by law).
Right to Correction: If any of your personal data is inaccurate or incomplete, you have the right to ask us to correct or update it. For example, you can update your contact details in your account settings, or contact us to request correction. We encourage you to keep your information up to date to help us serve you better.
Right to Deletion: You can request that we delete your personal information. We will honor such requests to the extent required by applicable law. For example, if you discontinue the Service, you may request deletion of your account’s personal data. Note that we might retain certain minimal information as required for legal compliance or legitimate business purposes (as described in Data Storage and Retention above), but we will let you know if that’s the case.
Right to Restrict Processing: You have the right to ask us to restrict or suspend the processing of your personal data in certain circumstances, for instance if you contest the accuracy of the data or object to us processing it. We will consider your request and inform you before lifting any restriction.
Right to Data Portability: For data you provided to us, you can request to receive it in a structured, commonly used, and machine-readable format, and you have the right to transmit that data to another service provider where technically feasible. In plain terms, this allows you to take your data with you, or to ask us (where possible) to transfer it to a third party.
Right to Object: If we are processing your data based on our legitimate interests (or those of a third party), you can object to that processing if you feel it impacts your fundamental rights and freedoms. You also have an unconditional right to object to your personal data being used for direct marketing purposes. If you lodge an objection, we will stop processing the personal information in question unless we have a compelling legitimate ground to continue (or as otherwise permitted by law).
Right to Withdraw Consent: In the limited cases where we might rely on your consent to process personal data (for example, if you agreed to receive optional marketing emails), you have the right to withdraw your consent at any time. Withdrawing consent will not affect the lawfulness of any processing done before your withdrawal, and it will not affect processing of personal data under other legal grounds.
Right not to be subject to Automated Decisions: Actuals does not make any purely automated decisions about you that have legal or similarly significant effects. If that changes in the future, and we were to use automated decision-making (including profiling), you would have the right to not be subject to a decision based solely on such automated processing, and to request human intervention or an explanation.
To exercise any of these rights, please contact us using the details in the Contact section below. We will respond to your request as soon as possible and within any timeframe required by law. Typically, we will respond within 30 days of receiving a valid request (or inform you if we need more time). Please note that for security, we may need to verify your identity (for example, by asking you to confirm some information or through your account login) before executing your request. If your request is particularly complex or you have made a number of requests, we may extend the response timeframe, but we will inform you of the reason and the extension. In some cases, we might refuse requests that are unreasonable or not required by law (for example, if fulfilling a request would violate another person’s privacy or if you repeatedly request data erasure that we are legally required to keep). However, we will always explain our reasoning if we decline your request.
Your Choices (Opt-Out): You have choices about certain uses of your data: for example, you can opt out of receiving marketing emails by clicking the “unsubscribe” link in any such email or by contacting us. Note that you will still receive transactional and account-related communications (we need to send those to operate the Service). You can also disable or refuse cookies via your browser settings if you don’t want us to collect website analytics data (though this may affect functionality). For integrated third-party services, you can disconnect the integration at any time from your account settings, which stops any ongoing data sharing with that third party.
We want to emphasize that you own your business data. If you decide to stop using Actuals, you can export your data from our platform at any time during your subscription. We also offer tools to help with data portability, and upon termination (or upon request) we will return or delete your data as described earlier.
Actuals International Pty Ltd is based in Australia and we adhere to the Australian Privacy Principles (APPs) and the Privacy Act 1988 (Cth). We also recognize and comply with other data protection laws in the regions we serve, including (but not limited to) the EU and UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) (as amended by CPRA) for applicable US customers, Singapore’s Personal Data Protection Act (PDPA), and New Zealand’s Privacy Act 2020. This means:
We process personal data lawfully, fairly, and transparently. Our processing activities have a defined legal basis. For most of the personal data we collect (like your contact and account info), the legal basis is that it’s necessary for the performance of a contract – i.e. to provide you with the Services you requested. In some cases, we rely on legitimate interests (for example, improving our Services or ensuring security) – but only where those are not overridden by your data protection rights. If we ever rely on consent, we will obtain it clearly and you can withdraw it as noted above. We will also comply with any additional requirements under local laws, such as obtaining opt-in consent for electronic marketing in jurisdictions that require it.
We fulfill the transparency and accountability obligations required by these laws. For instance, this Privacy Policy outlines the types of data we collect, how we use and share it (APP 1 and GDPR Articles 13/14), and how you can contact us with inquiries or complaints. We will notify you in the event of certain types of data breaches as required (e.g. under the Notifiable Data Breaches scheme in Australia or the GDPR breach notification rules). We have also appointed internal personnel responsible for privacy compliance and, where required, we will appoint representatives or data protection officers.
If you are in the EEA, UK, or other jurisdictions that offer strong privacy rights, we uphold those rights as described in the Your Rights section above. We do not discriminate against individuals for exercising their privacy rights (for example, under CCPA we will not deny service or provide a different level of quality to those who opt out of data sales or exercise rights, and in any event we do not sell personal data). Our goal is to extend essentially the same standard of privacy protection to all our customers, regardless of location.
We have a Data Processing Addendum (DPA) available that incorporates Standard Contractual Clauses and meets GDPR/UK GDPR requirements, which will apply to the relationship whenever we process personal data on behalf of our customers (acting as processor). For example, our DPA addresses how we handle data you input into the system (your business records), our commitments on confidentiality, security, breach notification, sub-processors, and assistance with data subject requests or audits. If your organization needs a signed DPA for compliance, we are happy to provide one.
We regularly review our practices to ensure compliance with evolving privacy regulations (e.g., new US state privacy laws, updates to GDPR interpretations, or changes in APAC privacy frameworks). We will update this Policy and our procedures as needed to stay current with legal requirements and industry best practices.
We may update this Privacy Policy from time to time to reflect changes in our Services, legal obligations, or data handling practices. If we make a material change (for example, if we start collecting new types of personal data or use data in a significantly different way), we will provide you with advance notice and the opportunity to review the revised Policy before it takes effect. We may notify you of changes by email (sent to the address associated with your account) or by posting a prominent notice within our application or on our website. Minor updates (such as clarifications or typographical corrections) may be posted without a specific notice, but you can always see the “Last Updated” date at the top to track changes.
We encourage you to periodically review this Privacy Policy to stay informed about how we are protecting your information. If you continue to use the Services after a Privacy Policy update takes effect, it will constitute your acceptance of the changes. If you do not agree with a change, you should discontinue use of the Services and contact us regarding your data deletion or retrieval options.
Your feedback and questions about privacy are important to us. If you have any questions, concerns, or requests regarding this Privacy Policy or how Actuals handles your data, please contact us using the details below:
Privacy Officer – Actuals International Pty Ltd
Email: hello@actuals.com
We will address your inquiry or issue as promptly as possible. If you have a complaint about our privacy practices, please let us know and we will do our best to resolve it. We will investigate and respond to any privacy complaint within a reasonable timeframe and in accordance with applicable law. In general, we aim to respond to complaints within 30 days.
If you are not satisfied with our response, or you believe we are unlawfully processing your personal data, you have the right to escalate your complaint to the data protection authority or privacy regulator in your jurisdiction. For example, in Australia you can contact the Office of the Australian Information Commissioner (OAIC); in the UK, the Information Commissioner’s Office (ICO); in Singapore, the Personal Data Protection Commission (PDPC); in New Zealand, the Office of the Privacy Commissioner; and in the United States, your state Attorney General’s office or the Federal Trade Commission (for certain issues). We can provide the contact details for the appropriate regulator upon request.
Thank you for trusting Actuals with your business data. We value your privacy and will continue working hard to keep your information secure and confidential.