Privacy Policy
Veriqua Pty Ltd — ABN 92 697 961 023
Effective date: 28 May 2026
1. About This Policy
Veriqua Pty Ltd ("Veriqua", "we", "us", or "our") operates the Veriqua Compliance OS — a cloud-based compliance management platform built for Australian firms holding an Australian Financial Services Licence (AFSL) or subject to AML/CTF obligations under AUSTRAC.
We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). By using our platform or website, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
We collect the following categories of personal information:
- Account information — name, email address, job title, firm name, and login credentials provided when registering, starting a trial, or contacting us.
- Compliance records — regulatory data entered into the Platform by your firm, including register entries, incident records, audit findings, and staff training records. This data is entered by you and remains owned by your firm.
- Customer onboarding data — where your firm uses the Customer Onboarding Portal, personal information about your customers (such as identification documents and risk assessment data) is stored within the Platform on your behalf. Veriqua processes this data as a data processor acting under your instructions.
- Usage data — log data, IP addresses, browser type, and in-app activity, collected automatically for security monitoring and platform operations.
- Billing data — subscription tier and billing history. Payment card data is collected and processed directly by Stripe, Inc. and is never transmitted to or stored on Veriqua systems. We do not have access to your full card number, CVV, or bank account details. We receive only a tokenised customer reference and subscription status from Stripe.
3. How We Use Personal Information
We use personal information to:
- Operate, maintain, and improve the Veriqua Platform.
- Authenticate users and manage access controls.
- Send transactional emails — including password resets, billing receipts, and compliance digest notifications — via Resend.
- Process subscription payments via Stripe.
- Maintain security audit logs as required by applicable law and our contractual obligations.
- Comply with Australian law, including the Privacy Act 1988 (Cth) and the AML/CTF Act 2006.
Compliance data entered into the Platform is never used for any purpose other than providing the service to your firm. We do not sell, rent, or share personal information for marketing or advertising purposes.
4. Data Residency and Storage
All customer data — including compliance records, audit logs, and account information — is stored on servers physically located in Australia (Google Cloud Platform, Australia East region). Compute, database, and object storage are all Australian-hosted. Data does not leave Australian jurisdiction under standard platform operations.
Daily encrypted database backups are retained for 30 days and stored within the same Australian region. This architecture is designed to comply with Australian Privacy Principle 8 (cross-border disclosure) and to support firms with obligations under the Privacy Act 1988 and the AML/CTF Act 2006.
5. Disclosure to Third Parties
We disclose personal information to the following third-party service providers only to the extent necessary to operate the Platform:
Stripe — Payment Processing
Payments are processed by Stripe Payments Australia Pty Ltd (ACN 160 180 343), an APRA-regulated institution. Stripe collects and processes payment card data directly under its own privacy policy at stripe.com/au/privacy. Veriqua receives only a tokenised customer reference and subscription status — we never receive or store card numbers, CVV, or bank account details. By subscribing you acknowledge your payment data is subject to Stripe's privacy policy.
Resend — Transactional Email
We use Resend to deliver transactional emails (account confirmations, billing receipts, compliance digests, and password resets). Only your email address and the content of the message are shared with Resend for delivery purposes.
Google Cloud Platform / Azure — Hosting, Storage & AI Inference
The Platform is hosted on Google Cloud Platform (Australia East region). AI inference features (including the Compliance Assistant and Predictive Risk Scoring) are processed by Microsoft Azure OpenAI Service (Australia East region). Both providers act as data processors under our direction and do not independently access or use your data. All processing occurs within Australian data centres.
We do not disclose personal information to overseas recipients other than as described above. Where any overseas disclosure is unavoidable, we take reasonable steps to ensure the recipient handles information consistently with the APPs.
6. AI Features
Veriqua includes AI-assisted features such as the Compliance Assistant and Predictive Risk Scoring. These features are designed to assist your compliance function — they do not constitute legal, financial, or compliance advice, and your firm remains solely responsible for its compliance obligations.
Query content submitted to AI features may be processed by an AI inference provider for the purpose of generating a response. Veriqua does not use client data to train AI models. Query content is not retained beyond the current session unless separately saved by you within the Platform.
7. Data Retention
We retain personal information and compliance records for the duration of your active subscription and for 7 years following termination of your subscription, or for any longer period required by applicable law — including record-keeping obligations under the AML/CTF Act 2006, which may require retention for 7 years from the date of the relevant transaction or activity.
Following the applicable retention period, data is securely deleted or de-identified.
8. Security
We implement the following technical and organisational security controls:
- TLS encryption for all data in transit.
- AES-256 encryption for data at rest.
- bcrypt password hashing with progressive account lockout on repeated failed attempts.
- CSRF protection on all authenticated endpoints.
- Structured, immutable security audit logging of all user and system actions.
In the event of an eligible data breach under the Notifiable Data Breaches (NDB) scheme, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) within 72 hours of becoming aware of a breach likely to result in serious harm.
9. Your Rights
Under the Australian Privacy Principles, you have the right to:
- Access the personal information we hold about you.
- Correct personal information that is inaccurate, out of date, or incomplete.
- Complain if you believe we have breached the APPs.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
10. Cookies
We use HTTP-only session cookies that are essential to the operation of the Platform (e.g., maintaining your authenticated session). We do not use advertising cookies, tracking pixels, or third-party analytics that share data with advertisers. No consent banner is required for essential-only cookies under Australian law.
11. Changes to This Policy
We will provide at least 14 days' notice by email of any material changes to this Privacy Policy before they take effect. Continued use of the Platform after the effective date constitutes acceptance of the updated policy. The effective date at the top of this page always reflects the most recent update.
12. Contact
For any privacy-related enquiries, access requests, or complaints, contact us at: