Privacy Policy

Introduction

HeadStart Docs Pty Ltd (ABN 12 691 347 823) ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose and safeguard your information when you visit our website, access our compliance documents and use our services including the AML Portal and HeadStart Verify.

We are bound by the Australian Privacy Principles contained in the Privacy Act 1988 (Cth) and are committed to ensuring that your personal information is handled in accordance with this legislation.

Information We Collect

Personal Information

When you interact with our website, purchase our products or use the AML Portal, we may collect:

• Name and contact details (email address, phone number)
• Business name and ABN
• Payment information (processed securely through Stripe)
• Purchase history and licence keys
• Login credentials and authentication data
• Organisation details and compliance officer information
• Customer records including names, addresses and risk assessments
• Customer due diligence (CDD) records and transaction monitoring data
• Sanctions and PEP screening results
• Investigation records and suspicious matter reports

Identity Verification Information (HeadStart Verify)

When a customer completes identity verification through HeadStart Verify, the following information may be processed:

• Identity documents (passport, driver licence and Medicare card images)
• Extracted identity data (name, date of birth, document numbers and address)
• Selfie or biometric data for liveness verification (if enabled by the requesting organisation)
• Verification status and outcome metadata
• Device and browser information used during the verification process

Technical Information

We automatically collect certain information when you visit our website:

• IP address and device information
• Browser type and version
• Pages visited and time spent on pages
• Download activity and document access logs
• User agent strings

AML Portal

HeadStart Docs Pty Ltd operates the AML Portal as a technology platform provider and data processor. We are not a reporting entity, nor an agent under s 37 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). The reporting entity retains full responsibility for its AML/CTF obligations.

Optional Zero-Knowledge Encryption for CDD Data

Organisations may opt into client-side field-level encryption for customer due diligence data and customer PII stored through the AML Portal. Where enabled, data is encrypted client-side using AES-256-GCM before it reaches our servers. Encryption keys are derived from user-held passphrases using PBKDF2 key derivation. Under this zero-knowledge architecture, HeadStart Docs Pty Ltd cannot decrypt or access the encrypted data.

Bring Your Own Storage (BYOS)

Organisations may connect their own storage infrastructure (including AWS S3, Google Cloud Storage, Azure Blob Storage or S3-compatible providers) for client documents including CDD records, VOI submissions and investigation evidence. When external storage is connected, client documents are routed directly to the organisation's nominated storage and are not stored on the HeadStart Docs platform. Organisations that do not connect external storage retain full platform-managed storage with all protections described in this policy.

Identity verification through HeadStart Verify also supports the BYOS architecture. Where BYOS is configured, identity document images are routed directly to the organisation's own infrastructure after processing.

HeadStart Verify

HeadStart Verify is a digital identity collection technology platform provided within the AML Portal. This section explains how identity information is handled when submitted through HeadStart Verify.

Our Role as Technology Provider

In its capacity as technology provider, HeadStart Docs Pty Ltd provides a platform that reporting entities use to perform their own identity collection and verification. When you complete identity verification through HeadStart Verify, the organisation that sent you the verification request is collecting your information using our technology platform. The reporting entity performs the collection and verification; we provide the secure digital infrastructure.

How Identity Information is Used

Identity information processed through HeadStart Verify is used to:

• Provide the technology platform for identity verification at the direction of reporting entity clients
• Extract document data using AI-assisted optical character recognition (OCR)
• Perform liveness verification (if enabled)
• Provide verification status and results to the requesting organisation
• Maintain audit trails and activity logs at the direction of the reporting entity client

Consent and Disclosure

By completing identity verification through HeadStart Verify, customers consent to:

• Collection of their identity documents and personal information by the requesting organisation
• AI-assisted processing of their documents
• Provision of verification results to the requesting organisation
• Storage of their identity data by HeadStart Docs Pty Ltd on behalf of the requesting organisation

Identity information processed through HeadStart Verify is disclosed to the organisation that requested the verification. That organisation is the collector of your information and is responsible for their own AML/CTF compliance obligations.

How We Use Your Information

We use the information we collect to:

• Process and fulfil your orders for digital documentation products
• Manage your account and provide customer support
• Send transactional communications (order confirmations, licence keys and updates)
• Detect and prevent fraud and unauthorised access
• Track document downloads for licensing and IP protection purposes
• Improve our website, products and services
• Comply with legal obligations and enforce our terms and conditions
• Send marketing communications (only with your consent, and you may opt out at any time)

How We Share Your Information

We do not sell, rent or trade your personal information. We may share your information with:

Service Providers

• Stripe (USA): Payment processing. Collects name, email and payment card data (see stripe.com/privacy)
• Resend (USA): Transactional email delivery. Receives recipient email addresses and message content
• Supabase (Australia, Sydney region): Database hosting, authentication, file storage and serverless functions
• Google Analytics (USA): Website analytics and visitor tracking (see Google's privacy policy)
• Google Places API (USA): Address autocomplete. Receives address text input
• Visitor Tracking Software: Third-party tracking services to monitor site traffic, user sessions and browsing behaviour
• Partnero (EU, Lithuania): Referral program management. Receives email and name for referral tracking
• Intercom (USA): In-app messaging and customer support communications
• OpenSanctions (EU, Germany): Sanctions and politically exposed persons (PEP) screening. Receives person names for compliance screening
• Firecrawl (USA): Adverse media search. Receives person names to search publicly available news sources
• AI Processing Provider (USA): AI-assisted optical character recognition (OCR) for identity document data extraction during VOI. Receives identity document images

Related Entity — HeadStart Counsel

If you request a referral to HeadStart Counsel, we may share the following information with them: your name, email address, business name, ABN, products purchased, and (if you separately authorise it in the portal) your completed Configuration Schedule and program settings. HeadStart Counsel is a separate legal practice with shared beneficial ownership with HeadStart Docs. It operates independently and is separately regulated under the Legal Profession Act. No referral fee is exchanged. You are free to engage any qualified lawyer of your choice. For full details of the relationship structure and legal entity, see Section 6 of our Terms of Service.

Legal Requirements

We may disclose your information when required by law, court order or to protect our rights, property or safety, or that of others.

Data Security

We implement appropriate technical and organisational security measures to protect your personal information against unauthorised access, alteration, disclosure or destruction. These measures include:

• Secure Socket Layer (SSL) encryption for data transmission
• Encrypted storage of sensitive data
• Row-level security policies on our databases
• Regular security audits and vulnerability assessments
• Access controls and authentication requirements
• Download tracking and audit trails for IP protection

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security.

Data Residency and International Data Transfers

All data stored through the HeadStart Docs™ platform and AML Portal is hosted on Australian-based infrastructure (Supabase, Sydney region, ap-southeast-2). Customer records, CDD data, audit logs and uploaded documents are stored within Australian jurisdiction.

Certain processing operations involve cross-border data transfers to service providers listed above. Specifically: identity document images are processed by an AI provider (USA) for OCR extraction; sanctions and PEP screening queries are sent to OpenSanctions (EU); adverse media searches are processed by Firecrawl (USA); payment processing is handled by Stripe (USA); and transactional emails are delivered by Resend (USA). These transfers are necessary to provide the service and are conducted in accordance with each provider's privacy policy. We take reasonable steps to ensure these providers handle personal information in accordance with the Australian Privacy Principles.

Organisations using the Bring Your Own Storage (BYOS) feature are responsible for the data residency and jurisdiction of their own connected storage infrastructure.

Data Retention

We retain your personal information for as long as necessary to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. This includes:

• Account information: For the duration of your account plus 7 years for tax and legal compliance
• Purchase records: 7 years in accordance with Australian tax law
• Download logs: For the duration of the licence validity plus 2 years for IP protection
• Marketing communications: Until you withdraw consent or request deletion

HeadStart Verify Data Retention

HeadStart Docs Pty Ltd holds identity data at the direction of the reporting entity client. The retention period is determined by the reporting entity's instructions, in accordance with their record-keeping obligations under the AML/CTF Act.

• Identity documents: Retained at the direction of the reporting entity client. Reporting entities typically retain records for 7 years in accordance with their obligations under s 107 of the AML/CTF Act. This is the reporting entity's retention decision, not ours.
• Biometric data (if collected): Processed in memory only. Verification outcome (pass/fail/confidence score) is stored, but raw biometric images are deleted within 24 hours of processing
• Verification metadata: Retained at the direction of the reporting entity client for their audit purposes

Your Rights

Under the Australian Privacy Principles, you have the right to:

• Access: Request access to the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your personal information (subject to legal retention requirements)
• Opt-out: Unsubscribe from marketing communications at any time
• Complaint: Lodge a complaint about how we handle your personal information

HeadStart Verify Data Rights

Customers who have completed identity verification through HeadStart Verify may:

• Request access to their identity data held by HeadStart Docs Pty Ltd
• Request correction of inaccurate data
• Request deletion of their data, subject to the reporting entity's instructions and legal retention obligations under the AML/CTF Act

To exercise these rights, customers should contact the organisation that requested the verification, as they control how your identity data is used and retained. Deletion requests will be processed in accordance with the reporting entity's instructions, as they may have legal obligations to retain identity records for compliance purposes.

To exercise any of these rights, please contact us using the details provided below.

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to track activity on our website and hold certain information. Cookies are files with a small amount of data that may include an anonymous unique identifier.

Analytics and Tracking Software

Our website uses third-party analytics and visitor tracking services to help us understand how visitors interact with our website. These services may include:

• Google Analytics: We use Google Analytics to track website usage, visitor demographics and user behaviour. Google Analytics uses cookies to collect information about your use of our website. This information is used to compile reports and help us improve our website. For more information about how Google uses data, please visit www.google.com/policies/privacy/partners/
• Visitor Tracking Software: We use visitor tracking software to monitor website traffic, user sessions, page views and visitor behaviour patterns. This helps us understand how users navigate our site and identify areas for improvement. The tracking software collects technical information such as IP addresses, browser types, device information and browsing patterns.

Managing Your Cookie Preferences

You can control your cookie preferences at any time. When you first visit our website, you'll be asked to accept or reject tracking cookies. You can change your preferences by:

• Clearing your browser cookies and revisiting our website to see the consent banner again
• Using your browser settings to block or delete cookies
• Installing browser extensions that block tracking scripts

You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our website. You can also opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

Note: Essential cookies required for website functionality (such as shopping cart and authentication) will still be used regardless of your tracking cookie preferences.

Third-Party Links

Our website may contain links to third-party websites, including AUSTRAC and other regulatory bodies. We are not responsible for the privacy practices of these external sites. We encourage you to read their privacy policies before providing any personal information.

Children's Privacy

Our services are intended for business use and are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you become aware that a child has provided us with personal information, please contact us.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date at the top.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

Important Disclaimer

HeadStart Docs™ is a digital publisher and platform provider. We sell digital compliance products including publications and portal access; we do not provide legal advice or services. You should always obtain independent legal advice from your own solicitor before using any of our products to ensure they are suitable for your specific circumstances.

Contact Us

If you have any questions about this Privacy Policy, wish to exercise your privacy rights or have a complaint about how we handle your personal information, please contact us:

If you are not satisfied with our response to your complaint, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):