Privacy Policy
Last updated 19 July 2026
1. About this policy and who we are
AccountSuite 360 (“we”, “us”, “our”) provides practice management and AML/CTF compliance software to accounting, taxation, and related professional service firms (“Subscribers”). We are also pursuing accreditation as an Identity Service Provider (IDSP) under the Identity Matching Services Act 2019 (Cth) (“IMS Act”).
We are committed to protecting your privacy and handling personal information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the IMS Act, and all applicable Australian laws. This policy explains how we collect, use, hold, disclose, and protect personal information in connection with our platform and website at accountsuite360.com.
By using our service, you acknowledge that you have read this policy. Capitalised terms not defined here have the meaning given in our Terms & Conditions.
2. Information we collect
(a) Subscriber account information: When a firm signs up, we collect: firm name, contact person’s name, email address, phone number, business role, number of users, and billing/payment information.
(b) User information: When a Subscriber adds staff members, we collect their name, work email address, and role within the practice.
(c) Client data processed on behalf of Subscribers: Subscribers use our platform to manage their own clients. In doing so, they upload and process information about those end clients, which may include: names, dates of birth, addresses, contact details, identification document details (document type, number, expiry, issuing authority), tax file numbers, ABNs, financial records, and correspondence. We process this data on behalf of Subscribers as their service provider.
(d) Identity verification information (DVS): Where a Subscriber uses our identity verification features, we may collect and process: the type of identity document, document number, date of birth, and name as provided by the person being verified. This information is transmitted to the Australian Government’s Document Verification Service (DVS) Gateway for verification and the result (match/no-match) is returned. We do not receive or store a copy of any government record. Detailed information about this processing is set out in section 6 below.
(e) Website usage information: When you visit our website, we may collect IP address, browser type, device information, pages visited, and time spent, through cookies and analytics tools. See section 10 below.
(f) Communications: If you contact us by email or through forms on our website, we collect the content of those communications and your contact details.
3. How we collect personal information
We collect personal information:
- Directly from you when you register, complete forms, or contact us;
- From Subscribers who add users or upload client data to the platform;
- From third-party identity verification services (DVS results) when an identity check is initiated;
- Automatically through cookies, analytics, and server logs when you use our website or application;
- From publicly available sources (such as ASIC, ABR) where we retrieve business registry information on your behalf.
4. Why we collect, hold, use and disclose personal information
We use personal information for the following purposes:
- Providing, operating, and improving the AccountSuite 360 platform;
- Authenticating users and securing accounts;
- Processing subscription payments and managing billing;
- Providing customer support and responding to enquiries;
- Sending service notifications and material updates to our Terms or policies;
- Conducting identity verification checks (DVS) on behalf of Subscribers to help them satisfy their AML/CTF CDD obligations;
- Helping Subscribers meet their obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) and related Rules;
- Meeting our own legal and regulatory obligations, including our obligations under the IMS Act, the AML/CTF Act, and the Privacy Act;
- Preventing fraud, misuse, and unlawful activity on our platform.
We will not use your personal information for marketing purposes without your consent, and we do not sell personal information to third parties.
5. Our role as a data processor
In relation to the personal information of a Subscriber’s own clients (“Client Data”), AccountSuite 360 acts as a data processor — we hold and process that information on the Subscriber’s instructions to provide the platform service. The Subscriber is the party responsible for those clients’ information, for obtaining any consents required from their clients, and for meeting its own obligations under the Privacy Act, AML/CTF Act, and other applicable laws in relation to that Client Data.
If you are a client of a practice using AccountSuite 360 and you have a privacy question about how that practice has handled your information, please contact the practice directly. If you have a question about how AccountSuite 360 itself handles your information, contact us using the details in section 14 below.
6. Identity matching services and the DVS
AccountSuite 360 is pursuing accreditation as an Identity Service Provider (IDSP) under the Identity Matching Services Act 2019 (Cth). As an IDSP, we connect to the Australian Government’s Identity Matching Services, specifically the Document Verification Service (DVS), to provide electronic identity verification.
What is the DVS? The DVS is a whole-of-government service, administered by the Department of Home Affairs, that enables participating organisations to verify whether details on a presented identity document (such as a passport or driver licence) match records held by the issuing authority.
What happens when a DVS check is run:
- The Subscriber (or the Subscriber’s client) provides identity document details on the platform;
- The person being verified is informed of the check and their consent is obtained (or relied upon in accordance with the IMS Act and AML/CTF Rules);
- We transmit the provided details to the DVS Gateway in encrypted form;
- The DVS Gateway queries the relevant issuing authority’s records;
- We receive a match/no-match response. We do not receive a copy of government records;
- The result is recorded in the Subscriber’s account as part of their CDD audit trail.
Consent: Identity matching under the IMS Act requires consent from the individual whose document is being verified (or another permitted basis under the Act). Subscribers using DVS verification on our platform are required by our Terms to ensure that valid consent is obtained from their clients before initiating a check.
Data minimisation: We only transmit the minimum information necessary to complete a DVS check. We do not collect biometric information (face images or fingerprints) through the DVS.
Retention: DVS check results (match/no-match and the details used for verification) are retained for the period required by the AML/CTF Act and Rules (generally 7 years from the completion of the relevant CDD), after which they are securely destroyed.
Our use of the DVS is governed by our participation agreement with the DVS Gateway operator and the requirements of the IMS Act, the DVS Policy Framework, and applicable Privacy Act obligations.
7. Sensitive information
We treat certain categories of information with heightened care:
- Tax File Numbers (TFNs): Where Subscribers input TFNs as part of client records, we handle these in accordance with the Privacy (Tax File Number) Rule 2015. TFNs are masked in the interface and are not accessible beyond the minimum necessary for the purpose for which they were provided.
- Health information and other sensitive information: We do not deliberately collect health information or other sensitive information (as defined in the Privacy Act). If such information is incidentally included in documents uploaded to the platform, we treat it with the same care as other personal information and do not use it for any secondary purpose.
8. Disclosure of personal information
We may disclose personal information to:
- The DVS Gateway: For identity verification checks as described in section 6;
- Cloud hosting providers: We use Australian-based cloud infrastructure to host the platform. Our primary hosting is in Australia;
- Payment processors: For billing and subscription management;
- Email and communication providers: For transactional notifications and support communications;
- Analytics and monitoring tools: For platform performance and security monitoring;
- Professional advisers: Our lawyers, accountants, and auditors, under obligations of confidentiality;
- Government and regulatory bodies: Where required or authorised by Australian law, including AUSTRAC, the OAIC, and law enforcement — or where we believe disclosure is necessary to protect legal rights or prevent serious harm;
- Successors: In the event of a merger, acquisition, or sale of our business, personal information may be transferred to a successor entity (we will notify you of any such change).
We do not sell personal information. We do not share personal information with third parties for their own marketing purposes.
9. Overseas disclosure
Our primary servers are located in Australia. Some of our third-party service providers (such as email delivery infrastructure or analytics tools) may process data outside Australia. Where this occurs, we take reasonable steps under APP 8 to ensure those recipients handle information consistently with the APPs and relevant Australian law. Overseas processing may occur in countries including the United States and European Economic Area jurisdictions. These countries have data protection frameworks that we assess before engaging providers.
DVS checks are transmitted only to the Australian Government’s DVS Gateway, operated within Australia, and are not sent overseas.
10. Data security
We implement reasonable technical and organisational security measures including:
- TLS encryption for all data in transit;
- Encryption of sensitive fields at rest;
- Role-based access controls and least-privilege principles;
- Multi-factor authentication for platform access;
- Regular automated backups with encryption;
- Audit logging of significant actions;
- Penetration testing and security reviews.
Despite these measures, no internet-based service is completely secure. We encourage Subscribers to use strong credentials and to report any suspected security concerns to us immediately.
Data breach notification: If a notifiable data breach occurs, we will notify affected individuals and the OAIC as required by the Privacy Act 1988 (Notifiable Data Breaches scheme) and, where applicable, under the IMS Act.
11. Data retention
We retain personal information for as long as necessary to provide the service and meet our legal obligations:
- Subscriber account data is retained for the duration of the subscription, plus 7 years after termination for tax and legal compliance purposes;
- AML/CTF CDD records (including DVS verification results) are retained for 7 years from the end of the customer relationship or the date of the last designated service, as required by the AML/CTF Act;
- Identity document details submitted for DVS checks are retained only for the period required by the AML/CTF Act;
- Website usage logs are retained for 90 days.
Upon expiry of the applicable retention period, personal information is securely deleted or anonymised.
12. Access, correction, and deletion
Under the Privacy Act, you have the right to request access to the personal information we hold about you, and to request correction of inaccurate, out-of-date, or incomplete information. To make a request, contact our Privacy Officer (see section 14). We will respond within 30 days. We may ask you to verify your identity before actioning a request.
Note: Some information may be subject to mandatory retention obligations (e.g., under the AML/CTF Act) and cannot be deleted on request until the retention period expires.
13. Cookies and analytics
Our website uses cookies and similar tracking technologies. For full details, see our . You can control cookies through your browser settings; some features may not function properly if cookies are disabled.
14. Children’s privacy
Our service is not directed to children under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete it as soon as practicable.
15. Privacy complaints
If you believe we have handled your personal information in breach of the Privacy Act or our obligations under the IMS Act, please contact us first so we can attempt to resolve the matter. We will acknowledge your complaint within 5 business days and aim to provide a substantive response within 30 days. If you are not satisfied with our response, you may refer your complaint to:
- The Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by calling 1300 363 992; or
- For IMS Act matters, through the channels established by the Australian Government’s identity matching services framework.
16. Changes to this policy
We may update this policy from time to time. Where changes are material, we will notify Subscribers by email or through the platform at least 14 days before the changes take effect. The current version is always available at accountsuite360.com.
17. Contact us
Privacy Officer, AccountSuite 360
Email: info@accountsuite360.com
General: info@accountsuite360.com