Privacy Policy
Last updated: 1 April 2026 · Governing law: Australia (Privacy Act 1988 (Cth))
createABA.com.au ("we", "us", or "our") is committed to protecting your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy explains what information we collect, how we use it, and your rights.
1. Your payment data stays in your browser
We never see your financial data. All file processing and ABA file generation happens entirely within your web browser using client-side JavaScript. Your payment data — including BSB numbers, account numbers, account names, and payment amounts — is never uploaded to our servers. We have no technical ability to access, store, or transmit your payment information.
This is a deliberate architectural decision. It is our primary privacy guarantee.
2. Information we do collect
We collect only what is necessary to operate the Pro subscription service:
Account information (Supabase)
If you create a Pro account, we store the following in our database (hosted on Supabase, a cloud database provider):
- Your email address
- Your subscription status (Free, Trial, or Pro)
- Your trial start date and subscription dates
- A Stripe Customer ID (a reference used to link your account to your payment record)
We do not store your name, postal address, phone number, or any payment card details. Your password is managed by Supabase Auth using bcrypt hashing — we never see it in plaintext.
Supabase stores data in data centres that may be located outside Australia. Supabase is certified under SOC 2 Type II. For Supabase's privacy practices, see supabase.com/privacy.
Payment information (Stripe)
Payment card details are handled entirely by Stripe, a PCI DSS Level 1 certified payment processor. We never receive or store your card number, expiry date, or CVV. Stripe may store your name, email, and card details in accordance with their privacy policy at stripe.com/au/privacy.
Stripe notifies us of subscription events (e.g. payment succeeded, subscription cancelled) via a webhook. We use this to update your subscription status in our database. The webhook payload contains no card details.
Analytics (Cloudflare Web Analytics)
We use Cloudflare Web Analytics to understand how visitors use the site (page views, referrers, browser type, country). Cloudflare Web Analytics is privacy-first by design:
- No cookies are set.
- No personal identifiers are collected or stored.
- IP addresses are not logged.
- Data is not shared with advertisers.
For Cloudflare's privacy practices, see cloudflare.com/privacypolicy.
Server logs (Cloudflare Pages)
The Service is hosted on Cloudflare Pages. Like all web servers, Cloudflare may retain standard HTTP access logs (IP address, URL requested, timestamp, HTTP status code). We do not access or export these logs under normal circumstances. Cloudflare's data retention practices are described in their privacy policy above.
3. How we use your information
We use the information we collect only for the following purposes:
- To create and manage your account.
- To process subscription payments via Stripe.
- To send transactional emails (e.g. password reset, payment receipts). We do not send marketing emails without your consent.
- To understand aggregate usage patterns and improve the Service.
- To detect and prevent abuse or fraud.
We do not sell, rent, or trade your personal information to third parties. We do not use your information for targeted advertising.
4. Legal basis for processing
We process your personal information on the following bases under the Australian Privacy Principles:
- Contract: Processing your email and subscription status is necessary to provide the Pro subscription service you have signed up for.
- Legitimate interests: Analytics data helps us improve the Service. This data is anonymous and does not override your privacy rights.
- Consent: Where we send you promotional communications, we will obtain your prior consent and provide an easy way to opt out.
5. Data retention
We retain your account information for as long as your account is active. If you delete your account, we delete your email address, subscription records, and Stripe Customer ID from our database within 30 days. Some information may be retained in backup systems for up to 90 days before permanent deletion.
You can delete your account at any time from the Account page. Deleting your account immediately cancels your Pro subscription (no refund for the remaining billing period).
6. Your rights under Australian Privacy Law
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the right to:
- Access the personal information we hold about you (APP 12).
- Correct personal information that is inaccurate, out of date, incomplete, or misleading (APP 13).
- Complain about a breach of the APPs to us, and if unresolved, to the Office of the Australian Information Commissioner (OAIC).
To exercise any of these rights, email us at privacy@createaba.com.au. We will respond within 30 days.
7. Cross-border disclosure
Some of our service providers (Supabase, Stripe, Cloudflare) may store or process data outside Australia. Before disclosing personal information to overseas recipients, we take reasonable steps to ensure the recipient handles the information consistently with the APPs (APP 8.1). Each provider listed above maintains recognised privacy certifications (SOC 2, PCI DSS, and/or equivalent frameworks).
8. Security
We take reasonable steps to protect your personal information from misuse, interference, loss, and unauthorised access (APP 11). Measures include:
- All data in transit is encrypted using TLS 1.2 or higher.
- Passwords are hashed using bcrypt (managed by Supabase Auth).
- Database access is restricted to authenticated Edge Function calls only (Row Level Security enabled).
- No payment card data is stored on our infrastructure.
If you become aware of any security vulnerability or data breach, please notify us immediately at security@createaba.com.au.
9. Cookies
The Service does not use tracking cookies. Supabase Auth uses a session token stored in your browser's localStorage to keep you signed in. This is not a cookie and is not accessible to third parties. You can clear it by signing out or clearing your browser's site data.
10. Children
The Service is not directed at children under 18. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, please contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will notify Pro subscribers of material changes by email. The "Last updated" date at the top of this page will always reflect the most recent version.
12. Contact and complaints
For privacy enquiries or complaints, contact us at privacy@createaba.com.au.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au or by calling 1300 363 992.