Privacy Policy
Last updated: 2026-04-08
1. Overview
PayrollTax.online ("we", "us", the "Service") is an Australian payroll tax calculation and lodgement preparation tool operated by No. 1. 2. Trust. This policy explains what we collect, why we collect it, how long we keep it, and the rights you have under the Australian Privacy Act 1988 and the EU General Data Protection Regulation (where it applies to you).
We are headquartered in Australia and host all customer data in Sydney, Australia (DigitalOcean SYD1).
2. What we collect
Account information
- Email address, display name, hashed password
- Organisation name, ABN, subdomain slug
- Role and tenant memberships
- Optional TOTP secret (encrypted at rest with AES-256-GCM)
- Optional trusted-device cookies
Payroll data (via your connected provider)
- Employee names, addresses, employment basis, tax file number indicator (NOT the TFN itself)
- Pay run earnings, allowances, deductions, super
- Pay item codes and titles
- Organisation/company file metadata
Technical data
- IP address (recorded in
api_audit_logfor 90 days) - Browser user agent
- Session cookies (file-backed, not third party)
- Server logs (errors, request paths)
We do not sell personal information. We do not run third-party advertising trackers on the application.
3. Per-provider data flows
3.1 Xero
- Data accessed: Employees, pay runs, pay slips, pay items, organisation details, connected tenants.
- OAuth scopes:
payroll.employees.read,payroll.payruns.read,payroll.payslip.read,payroll.settings.read,accounting.settings.read,offline_access. - Retention: Payroll snapshots are stored for the life of your subscription and retained for 5 years after anonymisation, in line with the ATO record- keeping requirement. Tokens are stored encrypted and deleted immediately on disconnect.
- How to delete: Settings → Account → Connected Apps → Disconnect Xero, or Settings → Account → Danger Zone → Delete account to remove everything.
3.2 MYOB
- Data accessed: Company file employees, pay history, payroll categories.
- OAuth scopes:
CompanyFile,CompanyFile.Read. - Retention: Same as Xero. MYOB refresh tokens do not rotate; both access
and refresh tokens are stored encrypted at rest in
kv_store. - How to delete: Settings → Account → Connected Apps → Disconnect MYOB, or full account deletion via Danger Zone.
3.3 Employment Hero
- Data accessed: Employee directory, pay run history, organisation profile.
- OAuth scopes:
read:employees,read:payruns,read:organisations. - Retention: Same as Xero/MYOB. Employment Hero rotates the refresh token on every refresh — both tokens are stored encrypted.
- How to delete: Settings → Account → Connected Apps → Disconnect Employment Hero, or full account deletion via Danger Zone.
4. Your rights
Under the Australian Privacy Act and the EU GDPR you have the right to:
- Access the personal information we hold about you (Settings → Account → Export my data).
- Correct inaccurate information (edit your profile, or contact support).
- Delete your account and personal information (Settings → Account → Danger Zone). Soft-deleted accounts are hard-purged after a 30-day grace period; tax records are anonymised immediately and the anonymised rows are hard-deleted 5 years later.
- Withdraw consent by disconnecting any provider at any time.
- Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au/, GPO Box 5288, Sydney NSW 2001, or by phone on 1300 363 992. EU residents may also contact their local supervisory authority.
5. Data retention
| Data class | Retention |
|---|---|
| User account | Until deletion + 30-day grace, then hard-purged |
| Calculations / snapshots | Anonymised on account deletion; hard-deleted +5 yrs |
| Lodgement deadlines | Anonymised on account deletion; hard-deleted +5 yrs |
| Group workings | Anonymised on account deletion; hard-deleted +5 yrs |
audit_log (admin acts) |
7 years |
api_audit_log (HTTP) |
90 days |
deletion_audit_log |
Indefinite (no PII; HMAC email hash only) |
| OAuth tokens | Deleted immediately on disconnect or account delete |
| TOTP secrets | Deleted immediately on account delete or 2FA disable |
| Session files | Until logout, expiry, or account delete |
The 5-year tail on payroll data exists because the Australian Tax Office requires payroll records to be kept for 5 years. Anonymisation strips all fields that could re-identify a person while leaving aggregate financial totals intact.
6. Sub-processors
We rely on the following sub-processors. Each is bound by its own privacy and security commitments.
| Sub-processor | Purpose | Region |
|---|---|---|
| DigitalOcean | Application hosting and database | Sydney (SYD1) |
| Resend | Transactional email (SMTP relay) | EU/US (provider choice) |
| Anthropic | AI rule extraction (Claude) | US |
We do not transfer your payroll data to Anthropic. Only public state revenue office web pages are sent for rate extraction.
7. Security
For a description of the security measures we apply — including encryption at rest, TLS in transit, 2FA, session hardening, and audit logging — please contact us and we will provide our security statement.
8. Contact
For privacy questions, data access requests, or to report a concern, contact us at support@payrolltax.online.
We aim to respond to all privacy requests within 30 days.