1. Introduction
Ledger Loom Pty Ltd (ABN 73 694 868 427, ACN 694 868 427) ("Ledger Loom", "we", "us", or "our") operates the Ledger Loom platform, a cloud-based practice management solution for accounting firms, accessible at ledgerloom.com.au and related subdomains (the "Platform").
We are committed to protecting your privacy and handling your personal information in accordance with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and applicable state and territory privacy laws. This Privacy Policy explains how we collect, use, disclose, store, and protect personal information.
By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Platform.
2. Definitions
- "Tenant": An accounting firm or business entity that has registered for a Ledger Loom subscription.
- "Tenant User": An individual authorised by a Tenant to access the Platform (e.g., accountants, bookkeepers, administrators).
- "Client": A customer of the Tenant whose data may be stored on the Platform and who may access the Client Portal.
- "Personal Information": Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not.
- "Sensitive Information": A subset of Personal Information that includes financial information, tax file numbers, and other information as defined in the Privacy Act.
3. Information We Collect
3.1 Information you provide directly
- Account registration: business name, ABN/ACN, contact name, email address, phone number, billing address.
- Billing information: payment card details or bank account information processed securely through our third-party payment providers (Stripe and eWay). We do not store full payment card numbers on our servers.
- Tenant User profiles: names, email addresses, roles, and permissions.
- Client data uploaded by Tenants: client names, contact details, ABNs, financial records, tax information, and other data that Tenants choose to store on the Platform.
- Client Portal accounts: names, email addresses, and authentication credentials for Clients accessing the portal.
- Communications: information you provide when contacting our support team or providing feedback.
3.2 Information collected automatically
- Usage data: pages visited, features used, time spent, actions taken within the Platform.
- Device and browser information: IP address, browser type and version, operating system, device type, screen resolution.
- Cookies and similar technologies: session cookies for authentication, preference cookies, and analytics cookies (see Section 9).
- Log data: server logs including access times, error logs, and API request details.
3.3 Information from third parties
- QuickBooks Online (Intuit): when a Tenant connects their QuickBooks Online account, we receive accounting data including chart of accounts, items, tax codes, invoices, and customer records as authorised by the Tenant.
- Payment providers: transaction confirmations, payment status, and limited card information (last four digits, expiry) from Stripe and eWay.
4. How We Use Your Information
We use Personal Information for the following purposes:
- Providing the Platform: operating, maintaining, and improving the Ledger Loom platform and its features, including task management, time tracking, billing, invoicing, and the Client Portal.
- Account management: creating and managing your account, processing subscriptions, and handling billing.
- Communication: sending service-related notifications, responding to enquiries, and providing customer support.
- Security: detecting, preventing, and addressing fraud, unauthorised access, and other security issues.
- Compliance: meeting legal and regulatory obligations, including tax reporting and audit requirements.
- Analytics and improvement: analysing usage patterns to improve the Platform, develop new features, and enhance user experience.
- Integration services: facilitating data synchronisation with connected third-party services (e.g., QuickBooks Online) as authorised by the Tenant.
We will not use your Personal Information for purposes other than those outlined above without your consent, unless required or authorised by law.
5. Data Processing Roles and Responsibilities
5.1 Ledger Loom as data processor
For Client data uploaded by Tenants, the Tenant is the data controller and Ledger Loom acts as the data processor. We process Client data solely on the Tenant's instructions and for the purpose of providing the Platform.
5.2 Tenant responsibilities
Tenants are responsible for:
- Obtaining all necessary consents from their Clients before uploading Client data to the Platform.
- Ensuring that their use of the Platform complies with applicable privacy laws.
- Responding to data access, correction, or deletion requests from their Clients.
- Informing their Clients about the use of Ledger Loom for data processing.
5.3 Ledger Loom as data controller
For Tenant account information, Tenant User profiles, billing data, and usage data, Ledger Loom is the data controller and handles this data in accordance with this Privacy Policy.
6. Disclosure of Personal Information
We may disclose Personal Information to:
- Service providers: third-party companies that assist in providing the Platform (see Section 7 for details on cross-border transfers).
- Payment processors: Stripe and eWay for processing subscription payments and billing transactions.
- Integration partners: QuickBooks Online (Intuit) when a Tenant has authorised the integration.
- Professional advisers: lawyers, auditors, and accountants as necessary for our business operations.
- Law enforcement and regulators: when required by law, regulation, or legal process, or to protect the rights, safety, or property of Ledger Loom, our users, or the public.
- Business transfers: in connection with a merger, acquisition, or sale of assets, where Personal Information may be transferred as a business asset.
We will not sell, rent, or trade your Personal Information to third parties for their marketing purposes.
7. Cross-Border Data Transfers
In accordance with Australian Privacy Principle 8 (APP 8), we disclose that Personal Information may be transferred to, and processed in, countries outside Australia by the following third-party service providers:
| Provider | Purpose | Country |
|---|---|---|
| Microsoft Azure | Cloud hosting, database, storage, caching | Australia (Australia East region) |
| Stripe | Payment processing | United States (with Australian entity) |
| eWay | Payment processing | Australia |
| Intuit (QuickBooks Online) | Accounting data synchronisation (when connected by Tenant) | United States |
Our primary data hosting infrastructure is located in Microsoft Azure's Australia East region, ensuring that your core data remains within Australian borders. Cross-border transfers to US-based services occur only where necessary for the specific functionality described above.
We take reasonable steps to ensure that overseas recipients handle your Personal Information in accordance with the Australian Privacy Principles.
8. Data Security
We implement robust security measures to protect your Personal Information:
- Encryption at rest: all data is encrypted using AES-256 encryption via Azure SQL Transparent Data Encryption and Azure Blob Storage encryption.
- Encryption in transit: all communications are secured with TLS 1.2 or higher.
- Tenant isolation: data is logically isolated between Tenants using row-level security. No Tenant can access another Tenant's data.
- Authentication: secure authentication using industry-standard JWT tokens with multi-factor authentication (MFA) available.
- Access controls: role-based access controls (RBAC) ensure users only access data they are authorised to view.
- Audit trails: comprehensive audit logging tracks data access and modifications with timestamps and user identification.
- Backup: automated daily backups with geographic redundancy within the Australian Azure region.
- Payment security: payment card data is handled by PCI DSS-compliant providers (Stripe, eWay). We do not store full card numbers on our servers.
While we take all reasonable steps to protect your Personal Information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.
9. Cookies and Tracking Technologies
We use cookies and similar technologies for the following purposes:
- Essential cookies: required for Platform functionality, including authentication session management and security tokens. These cannot be disabled.
- Preference cookies: remember your settings and preferences (e.g., language, theme, display preferences).
- Analytics cookies: help us understand how users interact with the Platform to improve functionality and user experience. These may be provided by third-party analytics services.
You can manage cookie preferences through your browser settings. Disabling essential cookies may impair Platform functionality.
10. Data Retention
- Active accounts: we retain Personal Information for as long as your account is active and as necessary to provide the Platform.
- After cancellation: when a Tenant cancels their subscription, we retain their data for 90 days to allow for reactivation or data export. After this period, data is permanently deleted from our systems and backups.
- Immediate deletion: Tenants may request immediate deletion of their data at any time by contacting us at hello@ledgerloom.com.au. We will process such requests within 30 business days.
- Legal obligations: we may retain certain information beyond the retention period where required by law (e.g., tax records, audit trails required under Australian financial regulations).
- Anonymised data: we may retain anonymised, aggregated data that cannot identify individuals for analytics and service improvement purposes indefinitely.
11. Your Rights
Under the Australian Privacy Principles, you have the right to:
- Access: request access to the Personal Information we hold about you (APP 12).
- Correction: request correction of inaccurate, out-of-date, incomplete, or misleading Personal Information (APP 13).
- Complaint: make a complaint if you believe we have breached the Australian Privacy Principles.
- Data portability: request an export of your data in a standard machine-readable format.
To exercise any of these rights, please contact us at hello@ledgerloom.com.au. We will respond within 30 business days.
For Clients of Tenants: if you are a Client whose data is stored on the Platform by an accounting firm, please direct your privacy enquiries to the relevant firm (the data controller) in the first instance. They can then work with us to fulfil your request.
12. Data Breach Notification
In the event of a data breach that is likely to result in serious harm to any individual whose Personal Information is involved, we will:
- Notify the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches (NDB) scheme.
- Notify affected individuals and Tenants as soon as practicable.
- Take immediate steps to contain the breach and mitigate potential harm.
- Provide recommendations for steps affected individuals can take to protect themselves.
13. Children's Privacy
The Platform is designed for use by accounting professionals and businesses. We do not knowingly collect Personal Information from children under the age of 18. If we become aware that a child under 18 has provided us with Personal Information, we will take steps to delete such information.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date and version number at the top of this page.
- Notify Tenants via email or an in-platform notification for material changes.
- Provide a summary of changes for transparency.
Continued use of the Platform after changes constitutes acceptance of the updated Privacy Policy.
15. Contact Us
If you have questions, concerns, or complaints about this Privacy Policy or our handling of your Personal Information, please contact us:
- hello@ledgerloom.com.au
- Entity: Ledger Loom Pty Ltd
- ABN: 73 694 868 427
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
Version History
| Version | Date | Changes |
|---|---|---|
| 1.0 | 1 March 2026 | Initial release. |