Privacy Policy

Last updated: 22 March 2026  |  Effective: 22 March 2026

Your privacy matters to us. OMU Technologies Pty Limited (trading as Next AML) is committed to protecting personal information in accordance with the Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (APPs). This Policy explains what we collect, how we use it, and your rights.
Contents
  1. About This Policy
  2. Information We Collect
  3. How We Collect It
  4. How We Use It
  5. Disclosure to Third Parties
  6. Tax File Numbers (TFN)
  7. Sensitive Information
  8. Data Security
  9. Data Retention
  10. Overseas Transfers
  11. Your Rights
  12. Cookies and Tracking
  13. Children's Privacy
  14. Changes to This Policy
  15. Contact and Complaints

1. About This Policy

OMU Technologies Pty Limited (ABN 24 696 787 934) trading as Next AML ("Next AML", "we", "us", "our") operates an AML/CTF compliance software platform designed for Australian accounting firms and tax agent practices.

This Privacy Policy applies to personal information collected by Next AML through: our website at nextaml.com.au; our software platform; email, phone, and other communications; and any other interaction you have with us.

This Policy is drafted in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained in Schedule 1 of that Act, as well as the Privacy (Tax File Number) Rule 2015 made under s.17 of the Privacy Act.

This Policy has been informed by privacy practices adopted by leading Australian software companies including Xero Limited, MYOB Group Pty Ltd, and BGL Corporate Solutions - all of which operate platforms that handle sensitive financial and identity data for Australian businesses and their clients.

2. Information We Collect

We may collect and hold the following categories of personal information:

Account and Contact Information

  • Name, job title, and professional credentials
  • Email address, phone number, and business address
  • Firm or practice name and ABN
  • Billing and payment information (processed via third-party payment providers)

Platform Usage Data (Subscription Customers)

  • User account credentials (hashed passwords; we never store passwords in plain text)
  • Log-in activity, session data, and feature usage analytics
  • Support tickets and in-platform communications

Customer Data (End-Client Records Uploaded by Customers)

When our customers (reporting entities such as accounting firms) use the Platform to manage their AML/CTF compliance obligations, they may upload personal information about their own clients, including:

  • Full name, date of birth, and residential address
  • Identity document details (e.g. passport, driver's licence numbers)
  • Tax File Numbers (TFN) and other government-issued identifiers (see clause 6)
  • Beneficial ownership and trust structure information
  • Politically Exposed Person (PEP) and sanctions screening results
  • Transaction monitoring records and risk ratings
  • Client due diligence documentation

In respect of end-client records, Next AML acts as a data processor on behalf of the customer (the reporting entity). The reporting entity remains the data controller and is independently responsible for ensuring it has appropriate grounds to collect and use such information.

3. How We Collect Information

We collect personal information in the following ways:

  • Directly from you - when you register for an account, complete our interest registration form, contact us by email or phone, or subscribe to our communications.
  • Through Platform use - automatically when you or your Users access and use the Platform, including through server logs, cookies, and analytics tools.
  • From third parties - including identity verification services, payment processors, and professional directories, where permitted by law.
  • Uploaded by customers - when a customer uploads or enters end-client records into the Platform for compliance purposes.

Where it is lawful and practicable, we will collect personal information directly from the individual to whom it relates.

4. How We Use Your Information

We use personal information for the following purposes:

  • Providing the Platform - to create and manage accounts, deliver subscription services, process payments, and provide customer support.
  • AML/CTF compliance features - to enable reporting entities to conduct customer due diligence, PEP and sanctions screening, risk assessments, and suspicious matter reporting in accordance with the AML/CTF Act 2006.
  • Product improvement - to analyse usage patterns, troubleshoot issues, and develop new features, using anonymised and aggregated data where possible.
  • Marketing and communications - to send product updates, compliance newsletters, and promotional materials, where you have consented or where we have a legitimate interest. You may opt out at any time.
  • Legal and regulatory compliance - to comply with our own legal obligations, including record-keeping, tax, and reporting requirements.
  • Security and fraud prevention - to monitor for and respond to security threats, unauthorised access, or misuse of the Platform.

We will not use personal information for any purpose that is materially different from the purposes described above without your consent, or as required or permitted by law.

5. Disclosure to Third Parties

We may disclose personal information to the following categories of third parties:

  • Cloud infrastructure providers - Next AML hosts the Platform on Microsoft Azure infrastructure located in Australia. Azure is contractually bound to protect data and acts only on our instructions.
  • Payment processors - billing and payment data is processed by third-party payment service providers (such as Stripe) who are PCI-DSS compliant. We do not store full payment card details.
  • Identity and sanctions screening providers - where customers use in-Platform screening tools, data may be passed to approved third-party verification and watchlist providers. These providers are contractually bound to equivalent data protection standards.
  • Professional service providers - such as legal advisers, auditors, or IT support contractors, who access information only as necessary and under strict confidentiality obligations.
  • Regulators and law enforcement - we may disclose information to AUSTRAC, the ATO, the OAIC, courts, or law enforcement where we are required to do so by law, regulation, or court order.
  • Business transfers - in the event of a merger, acquisition, or sale of our business, personal information may be transferred to a successor entity, subject to equivalent privacy protections and notice to affected individuals where required.

We will not sell, rent, or trade personal information to third parties for their own marketing purposes.

6. Tax File Numbers (TFN)

Tax File Numbers are sensitive identifiers. The collection, storage, use, and disclosure of TFNs are strictly regulated under the Privacy Act 1988 (Cth) and the Privacy (Tax File Number) Rule 2015.

Next AML's Platform may store TFNs uploaded by customers (reporting entities such as accounting firms and tax agents) where those customers are legally authorised to collect such information from their own clients - for example, under the Income Tax Assessment Act 1936 or the Superannuation Industry (Supervision) Act 1993.

How we handle TFNs:

  • Collection: We collect TFNs only where provided by our customers as part of end-client compliance records. We do not directly solicit TFNs from individuals for our own operational purposes.
  • Storage: TFNs stored on the Platform are encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher. Access is restricted to authorised users within the relevant customer account.
  • Use: TFNs will only be used to provide the compliance workflow services contracted by the customer. TFNs will not be used for any other purpose, including marketing or profiling.
  • Disclosure: TFNs will not be disclosed to any third party other than: (a) where required by law (e.g. a court order or regulatory requirement); (b) to approved technical sub-processors operating under equivalent protections; or (c) as directed by the customer in accordance with their legal obligations.
  • Deletion: TFNs will be securely deleted in accordance with clause 9 (Data Retention) below, or upon request by the customer.

Customers are responsible for ensuring they have a lawful basis to collect and use TFNs from their end clients, and for complying with the TFN Rule in their own operations. Next AML provides the technical infrastructure and acts only on the customer's instructions with respect to TFN data.

7. Sensitive Information

Under the Privacy Act, certain categories of information are classified as "sensitive information" and attract a higher standard of protection. This includes racial or ethnic origin, health information, biometric data, and government identifiers such as TFNs.

In connection with AML/CTF compliance workflows, the Platform may process sensitive information uploaded by customers, including identity document data and beneficial ownership details. Next AML will:

  • collect sensitive information only where the customer has a lawful basis to provide it;
  • use sensitive information only for the purpose for which it was provided;
  • apply additional technical and organisational controls to sensitive information; and
  • not disclose sensitive information except as required by law or with appropriate consent.

8. Data Security

We implement industry-standard technical and organisational security measures to protect personal information against unauthorised access, loss, misuse, or alteration. Our security practices include:

  • Encryption: All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption.
  • Access controls: Role-based access controls (RBAC) limit who within Next AML can access customer data. Multi-factor authentication (MFA) is available for all accounts and required for administrative access.
  • Infrastructure: The Platform is hosted on Microsoft Azure data centres located in Australia, which maintain ISO 27001, SOC 2, and PCI-DSS certifications. Cloud hosting on Azure can provide higher levels of physical and digital security than many organisations maintain independently.
  • Monitoring: We conduct ongoing security monitoring, vulnerability scanning, and penetration testing.
  • Incident response: We maintain a data breach response plan and will notify affected individuals and the OAIC in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act, where a breach is assessed as likely to cause serious harm.

No security measure is infallible. If you believe your account or data has been compromised, please contact us immediately at [email protected].

9. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

  • Account and subscription data: Retained for the duration of the customer relationship plus 7 years, to satisfy our tax, contractual, and financial record-keeping obligations.
  • AML/CTF compliance records (Customer Data): Under the AML/CTF Act 2006, reporting entities are required to retain customer due diligence records for a minimum of 7 years from the date the relevant transaction or business relationship ended. Customers are responsible for configuring the Platform's retention settings to comply with their own obligations. Next AML will not delete Customer Data before the end of the applicable retention period without the customer's instruction.
  • TFNs and sensitive identifiers: Retained only as long as required by the customer for their compliance obligations, and securely deleted upon request or account termination (subject to any mandatory retention requirements).
  • Marketing and contact data: Retained until you withdraw consent or unsubscribe, plus a reasonable period thereafter for records.
  • Website analytics: Aggregated and anonymised analytics data may be retained indefinitely.

When personal information is no longer required, we securely destroy or de-identify it.

10. Overseas Disclosure

Next AML stores Customer Data in Microsoft Azure data centres located in Australia (Sydney and Melbourne regions). We take all reasonable steps to ensure that personal information is not disclosed to recipients overseas without appropriate protections.

Some of our third-party service providers (such as software vendors or sanctions screening providers) may be located or operate systems outside Australia. Before disclosing personal information to any overseas recipient, we take reasonable steps to ensure that the recipient is subject to a law, binding scheme, or contract that provides substantially similar protections to those required by the Australian Privacy Principles (APP 8.1).

By using the Platform, you acknowledge that your personal information may be processed in jurisdictions with different privacy laws to Australia, and you consent to such transfers subject to the protections described in this Policy.

11. Your Rights

Under the Privacy Act and the APPs, you have the following rights in relation to your personal information:

  • Access (APP 12): You may request access to personal information we hold about you. We will respond within 30 days. We may charge a reasonable fee for access in complex cases.
  • Correction (APP 13): If you believe information we hold is inaccurate, out of date, incomplete, or misleading, you may ask us to correct it. We will take reasonable steps to correct the information within 30 days.
  • Anonymity (APP 2): Where lawful and practicable, you may interact with us anonymously or using a pseudonym. This may limit our ability to provide certain services.
  • Withdrawal of consent: Where our processing relies on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.
  • Opt-out of marketing: You may unsubscribe from marketing communications at any time by using the unsubscribe link in our emails or by contacting us directly.
  • Complaints: You have the right to lodge a complaint about our privacy practices (see clause 15).

To exercise any of these rights, please contact our Privacy Officer (see clause 15). We may need to verify your identity before processing a request.

Note for end-clients of our customers: If you are an individual whose information was uploaded to the Platform by one of our customers (e.g. an accounting firm), please contact that firm directly in the first instance to exercise your rights. We will cooperate with customers to facilitate access and correction requests where required.

12. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to improve user experience and collect analytics data. Cookies are small text files placed on your device that help us:

  • keep you logged in and remember your preferences;
  • understand how visitors use our website (via analytics tools such as Google Analytics, used under data processing agreements); and
  • measure the effectiveness of our marketing.

You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of our website or Platform. We do not use cookies to serve third-party advertising or sell your data to advertisers.

13. Children's Privacy

The Platform is designed for use by business professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us and we will promptly delete it.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by:

  • updating the "Last updated" date at the top of this page;
  • sending an email notification to registered customers; and/or
  • displaying a prominent notice within the Platform.

We encourage you to review this Policy periodically. Continued use of the Platform after any changes take effect constitutes acceptance of the updated Policy.

15. Contact Us and Complaints

If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal information, please contact our Privacy Officer:

Privacy Officer - OMU Technologies Pty Limited (trading as Next AML)

Email: [email protected]

General enquiries: [email protected]

Website: nextaml.com.au

We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

  • Website: www.oaic.gov.au
  • Phone: 1300 363 992
  • Mail: GPO Box 5218, Sydney NSW 2001

For complaints relating to TFN handling specifically, you may also contact the OAIC under the Privacy (Tax File Number) Rule 2015.


© 2026 OMU Technologies Pty Limited trading as Next AML. All rights reserved. ABN 24 696 787 934.

Next AML provides compliance workflow tools only and does not constitute legal advice. Consult a qualified AML/CTF specialist for advice specific to your obligations.
