Privacy Policy
Last updated: 8 May 2026
BAS Pro ("BAS Pro", "we", "our" or "us") is operated by Next Level Accountants (Aus) Pty Ltd. This Privacy Policy explains how we collect, use, disclose, store, and protect personal information when you use the BAS Pro service at app.basmate.com.
We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). If we update this policy, the "Last updated" date will change and material changes will be communicated to active users by email.
1. What information we collect
We collect the following categories of personal information:
- Identity and contact details — your name, email address, role within your accounting practice, and the email associated with your Xero account.
- Authentication data — OAuth tokens issued by Xero or Google, encrypted at rest using Fernet symmetric encryption. We never see or store your Xero password.
- Practice and client data via Xero — when you connect a Xero organisation to BAS Pro, we read accounting data required for BAS and IAS preparation: payroll runs and payslips, tax reports, bank transactions, invoices, contacts, and chart-of-accounts metadata. This includes the personal information of employees of your client organisations (e.g. payroll names, gross wages, PAYG withheld) to the extent that data appears in Xero.
- Statement data we generate — the BAS and IAS figures we calculate (W1, W2, G1, 1A, 1B, net GST, net payable), reconciliation diagnostics, anomaly flags, and AI-generated commentary, all stored against your tenant.
- Billing data — Stripe customer ID, subscription status, and trial expiry. We do not store credit card numbers — those are handled directly by Stripe.
- Support tickets — the subject, description, category, priority, and message thread of any support ticket you submit.
- Operational logs — authentication events, BAS/IAS run identifiers, error codes, and timestamps. We deliberately exclude tokens, secrets, and sensitive financial figures from logs.
2. How we use your information
- To prepare BAS and IAS statements from your Xero data.
- To generate AI-assisted partner sign-off commentary (using Anthropic Claude — see Third Parties below).
- To run reconciliation and anomaly detection across the data.
- To deliver Excel and PDF working papers back to you.
- To provide multi-user team access, invitations, and role-based permissions inside your practice.
- To process subscription payments and manage your trial.
- To respond to support tickets and customer service requests.
- To send transactional email (account confirmation, invitation links, support replies, trial countdown reminders).
- To meet our legal obligations and protect our legitimate business interests.
We do not sell your information. We do not use your information for advertising. We do not use your data to train AI models — see "AI processing" below.
3. AI processing
BAS Pro uses Anthropic's Claude API to generate the partner sign-off commentary that appears in BAS and IAS reports. When a run executes, a small subset of the calculated figures (e.g. W1, W2, net GST, anomaly summaries) is sent to Anthropic's API to produce 3–4 sentences of professional commentary.
Anthropic's commercial API terms prohibit them from using API inputs or outputs to train their models. Your data is used only for the immediate inference call and is not retained by Anthropic for training purposes. We do not send raw client transactions, employee details, or document attachments to Anthropic — only aggregated BAS and IAS figures.
We do not train any AI or machine-learning model on your data. This includes data we read from Xero, data you or your team enter into BAS Pro, and any reports we generate on your behalf. The Anthropic Claude API is used solely for inference at the time of report generation: the commentary is returned directly to your report, and Anthropic's commercial API terms prohibit use of the inputs or outputs for model training.
This commitment is a hard requirement of our Xero App Partner agreement and matches Xero's updated developer terms (December 2025 / March 2026 revisions): no app may train models on Xero API data. We comply with this requirement by design — our architecture sends only the minimum aggregated figures needed for commentary, and never the underlying transaction-level data.
4. Third parties we share information with
We engage carefully selected third-party processors to operate the service:
- Xero (Xero Limited, NZ) — accounting data source. We connect to your authorised Xero organisations using OAuth 2.0. Data flows from Xero to BAS Pro; nothing is written back.
- Anthropic (Anthropic, PBC, USA) — AI inference for partner commentary. Data sent: aggregate BAS/IAS figures only. Anthropic's commercial API terms prohibit training on API data, and we do not train any of our own models on your data. See "AI processing" above.
- Stripe (Stripe Payments Australia Pty Ltd) — subscription billing. Stripe processes card data directly under PCI-DSS. We receive only customer IDs, subscription status, and event webhooks.
- SendGrid (Twilio Inc., USA) — transactional email delivery (invitations, support replies, trial reminders).
- Microsoft Azure (Microsoft Australia Pty Ltd, region: Australia East) — application hosting, database, file storage. All BAS Pro production data is stored in Australia East.
- SiteGround (SiteGround Hosting Ltd, EU) — DNS for the basmate.com domain only. SiteGround does not see customer data.
- GitHub (GitHub, Inc., USA) — source code hosting and CI/CD. Production data does not flow through GitHub.
We do not sell, rent, or trade your personal information to other organisations for marketing purposes.
5. Where your data is stored
All BAS Pro production data — accounts, Xero connections, BAS/IAS runs, reports, support tickets — is stored in Microsoft Azure data centres in Australia East (Sydney region). Database backups, blob storage for Excel reports, and Redis cache are all hosted in the same region.
Some processors (Anthropic, Stripe, SendGrid, GitHub) operate from the United States or the European Union. Where we transfer personal information overseas, we take reasonable steps to ensure the recipient is bound by enforceable obligations consistent with the APPs.
6. How we protect your data
- Encryption in transit — every connection to BAS Pro uses TLS 1.2+. Our managed certificates are provisioned via Let's Encrypt through Azure.
- Encryption at rest — Xero OAuth tokens and Custom Connection client secrets are encrypted using Fernet (AES-128-CBC + HMAC-SHA256) before being written to the database.
- Multi-tenant isolation — every database query is scoped to the caller's tenant ID. Data from one practice can never be returned to another.
- Role-based access — within a practice, four roles (owner, admin, staff, viewer) gate sensitive actions.
- Restricted credentials — third-party API keys are issued with the minimum scopes required (e.g. our SendGrid key only has "Mail Send" permission).
- No password storage — sign-in uses the Xero (and, where enabled, Google) OAuth flows exclusively. We never see, store, or transmit your Xero or Google password; we hold only the encrypted OAuth tokens described in section 1.
- Audit logging — security-relevant events (logins, role changes, removals) are logged.
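The tenant-isolation control above ("every database query is scoped to the caller's tenant ID") is the one practitioners most often get wrong, because a lookup by primary key alone lets any authenticated user fetch another practice's records by guessing an ID. The following is an added illustration, not BAS Pro's own code: it uses an in-memory SQLite table with constructed sample rows, and the table name, column names, tenant identifiers and figures are all assumptions made for the example. It contrasts an unscoped lookup with a repository that fixes the tenant ID from the authenticated session and carries it in every WHERE clause.

```python
"""Tenant scoping for a multi-tenant accounting app (illustrative, not BAS Pro code).

The schema, tenant ids and BAS figures below are constructed for the example.
"""
import sqlite3
from dataclasses import dataclass
from typing import Optional


def build_sample_db() -> sqlite3.Connection:
    """In-memory database with two practices (tenants) and one BAS run each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bas_runs ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,"
        " period TEXT NOT NULL, net_gst REAL NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO bas_runs (id, tenant_id, period, net_gst) VALUES (?, ?, ?, ?)",
        [
            (101, "practice-a", "2026-Q1", 4820.50),   # constructed sample row
            (102, "practice-b", "2026-Q1", 13350.00),  # constructed sample row
        ],
    )
    conn.commit()
    return conn


def lookup_run_unscoped(conn: sqlite3.Connection, run_id: int) -> Optional[tuple]:
    """Anti-pattern: keyed on the run id alone. Any authenticated caller who
    guesses or enumerates an id gets another practice's figures (an IDOR)."""
    return conn.execute(
        "SELECT id, tenant_id, period, net_gst FROM bas_runs WHERE id = ?",
        (run_id,),
    ).fetchone()


@dataclass(frozen=True)
class TenantContext:
    # Comes from the authenticated session, never from a request parameter.
    tenant_id: str


class BasRunRepository:
    """Every query carries the caller's tenant_id in its WHERE clause.

    The tenant id is fixed when the repository is built from the session
    context; no method accepts a tenant id per call, so a handler cannot
    accidentally pass through a client-controlled value."""

    def __init__(self, conn: sqlite3.Connection, ctx: TenantContext):
        self._conn = conn
        self._tenant_id = ctx.tenant_id

    def get_run(self, run_id: int) -> Optional[tuple]:
        # Another tenant's run id simply matches no row.
        return self._conn.execute(
            "SELECT id, tenant_id, period, net_gst FROM bas_runs"
            " WHERE id = ? AND tenant_id = ?",
            (run_id, self._tenant_id),
        ).fetchone()

    def list_runs(self) -> list:
        return self._conn.execute(
            "SELECT id, period, net_gst FROM bas_runs WHERE tenant_id = ? ORDER BY id",
            (self._tenant_id,),
        ).fetchall()

    def delete_run(self, run_id: int) -> int:
        # Writes are scoped too; rowcount 0 means the run is not this tenant's.
        cur = self._conn.execute(
            "DELETE FROM bas_runs WHERE id = ? AND tenant_id = ?",
            (run_id, self._tenant_id),
        )
        self._conn.commit()
        return cur.rowcount


def demo() -> tuple:
    """Show the unscoped leak beside the scoped refusal for practice-a's caller."""
    conn = build_sample_db()
    repo_a = BasRunRepository(conn, TenantContext("practice-a"))
    leaked = lookup_run_unscoped(conn, 102)   # practice-b's figures, exposed
    blocked = repo_a.get_run(102)             # None: scoped query matches nothing
    own = repo_a.get_run(101)                 # practice-a's own run
    return leaked, blocked, own


if __name__ == "__main__":
    print(demo())
```

The same pattern applies to every table that holds per-practice data, including report blobs and support tickets; the check to make in code review is that no data-access path takes a tenant identifier from the request rather than from the authenticated context.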
No system is perfectly secure, and we cannot guarantee absolute security. If we become aware of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme.
7. Your rights under the Australian Privacy Principles
You have the right to:
- Access — request a copy of the personal information we hold about you.
- Correction — ask us to correct information that is inaccurate, out of date, incomplete, or misleading.
- Deletion — request deletion of your account and personal information, subject to legal obligations to retain certain records.
- Disconnection — at any time, disconnect any connected Xero organisation from inside the BAS Pro dashboard. We will revoke the OAuth tokens with Xero and stop reading data from that organisation.
- Withdraw consent — close your BAS Pro subscription at any time. Cancellation takes effect at the end of the current billing period.
- Complain — if you believe we have breached the APPs, contact us first (details below). If we do not resolve your complaint, you may lodge a complaint with the OAIC at oaic.gov.au.
We do not charge a fee to access your information unless the request is unreasonably complex or repetitive. We will respond to requests within 30 days.
8. Data retention
- Active accounts — we retain your data while your subscription is active.
- Cancelled accounts — for 30 days after cancellation we retain your data so you can resubscribe and recover access. After 30 days, all personal information is deleted, except where we are legally required to retain records (e.g. tax invoices for 5 years under the Income Tax Assessment Act 1997).
- BAS/IAS run reports — kept while your account is active. Available for download at any time. Permanently deleted with your account.
- Audit logs — retained for 12 months for security and compliance purposes.
9. Cookies and analytics
BAS Pro uses a single essential cookie (access_token) to keep you signed in. The cookie is HttpOnly where possible, set with the Secure flag, and expires after 7 days of inactivity.
We do not use third-party analytics, tracking pixels, or advertising cookies. We do not share usage data with marketing partners.
10. Children's privacy
BAS Pro is a business-to-business product intended for use by qualified accounting professionals. It is not directed at children under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with information, please contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated policy on this page and update the "Last updated" date. For material changes, we will email active users at least 14 days before the change takes effect.
12. Contact us
If you have questions about this Privacy Policy or wish to exercise any of your rights:
- Email: support@basmate.com
- Postal: Next Level Accountants (Aus) Pty Ltd — Privacy Officer (postal address available on request)
We aim to respond to privacy enquiries within 5 business days and resolve complaints within 30 days.
By continuing to use BAS Pro, you confirm you have read and understood this Privacy Policy. See also our Terms of Service.