Privacy Policy
Effective Date: 15 March 2026 | Last Updated: 15 March 2026
1. Background
AML Assured Pty Ltd ABN 27 693 940 706, trading as AML Assured (AML Assured, we, us or our), is committed to protecting the personal information that we collect, hold, use and disclose. This Privacy Policy (Policy) describes how we handle personal information in accordance with the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) in Schedule 1 to that Act.
2. Kinds of personal information collected and stored
We collect and store personal information that is reasonably necessary for our functions and activities; including in the following contexts:
2.1 About customer organisations and their personnel
- identification details including: name, position, business contact details email, phone number, and address;
- authentication and account information including: usernames, passwords (stored in hashed form), multi-factor authentication tokens, IP address, device identifiers, login history and session information;
- billing and commercial information: ABN, business address, billing contact, payment instrument details (handled by our payment service providers); and
- usage information: pages and features accessed, configurations chosen, support tickets raised, communications with our team.
2.2 About website visitors
- device, browser and network information including IP address;
- information collected through cookies, and similar technologies;
- contact details that visitors voluntarily provide: for example in contact forms or to download materials; and
- information about how visitors interact with our website.
2.3 About individuals processed by the Platform on behalf of our customers
Where our customers use the Platform to perform their AML/CTF compliance processes on individuals (typically the customer's own clients or counterparties), the Platform may handle information about those individuals submitted by our customers or received from third party identity verification or screening services. This may include:
- identifying information: full name, date of birth, residential address, contact details, nationality, and country of residence;
- government-issued identifier information permitted by AML/CTF rules: driver licence number, passport number, and/or Medicare card number;
- sensitive information for the purposes of AML/CTF compliance: racial or ethnic origin (only as may be incidentally disclosed by identity documents); biometric information derived from facial images or liveness checks; and political opinions where this is relevant to politically exposed person (PEP) screening;
- documentary evidence of identity: scans or images of passports, drivers licences, utility bills, bank statements, and similar;
- verification artefacts and results: outputs of identity-document checks, likeness checks, electronic identity verification matches, and timestamps;
- screening results: matches or non-matches against sanctions lists, watch-lists, PEP lists, and adverse media, risk ratings and risk classifications;
- transaction context information: information about the property or transaction to which the AML/CTF process relates (for example, address of property, transaction value); and
- interaction and audit information: timestamps, IP addresses, device information, and any notes recorded by the customer's personnel.
In many cases, we handle personal information on behalf of our customers as a service provider. In those circumstances, the customer is responsible for their own compliance with the Privacy Act, including providing any required notices to individuals.
However, where we collect and use personal information for our own purposes (such as managing customer relationships, operating our business, or marketing), we do so as an APP entity and handle that information in accordance with this Privacy Policy.
3. How personal information is collected
We collect personal information by lawful and fair means, including in the following manner:
3.1 Directly from individuals
We collect personal information directly from individuals where reasonable and practicable to do so. For example:
- when an individual registers for an Account or signs up for a trial;
- when an individual contacts us by email, web form, telephone or in person;
- when an individual responds to our marketing communications, attends a webinar or event, or downloads a resource; and
- when an individual submits an application for employment with us.
3.2 From our customers
We receive personal information from our customers when they upload it to, or process it through, the Platform. This typically relates to the customer's own clients and counterparties for AML/CTF purposes. Where personal information is provided to us by our customers, we take steps to ensure that personal information is collected lawfully, including through contractual requirements and due diligence of our customers.
3.3 From third parties
We may collect personal information from third parties, including:
- identity verification providers, electronic identity verification services, document verification services and biometric/liveness verification providers;
- sanctions, watch-list, PEP and adverse-media screening providers;
- credit reporting bodies (only where applicable and consented to);
- publicly available sources;
- our service providers and partners (for example, payment, email, hosting, analytics and cybersecurity providers); and
- our customers' authorised users, where they submit information about themselves or others.
3.4 Through the Platform automatically
When individuals use the Platform or our website, we (and our service providers) automatically collect technical information including IP address, browser type, device identifiers, operating system, referring URLs, pages visited, and information about how the Platform is used. We also generate audit logs of user activity for security, integrity and compliance purposes.
4. Why we collect, hold, use and disclose personal information
We collect, hold, use and disclose personal information for purposes that are reasonably necessary for, or directly related to, one or more of our functions or activities. This ensures that we comply with the law.
The main purposes are described below:
4.1 Operating and providing the Platform
- authenticating users, providing access to the Platform, and providing technical support;
- hosting, processing and storing data submitted to the Platform;
- performing the compliance workflows that our customers have configured, including identity verification, screening, risk assessment, monitoring and record-keeping;
- integrating with third party services that the customer has enabled;
- generating audit logs, reports and analytics; and
- maintaining the security, integrity and performance of the Platform.
4.2 Managing our customer relationships
- registering and managing customer Accounts and Authorised Users;
- invoicing and processing payments;
- communicating with customers about the Platform, including service notices, security alerts and changes to terms or policies;
- responding to enquiries and complaints; and
- managing contractual obligations.
4.3 Marketing and business development
We may use personal information of customer contacts and prospective customers to send marketing communications about our services, industry developments and events. We will only do so in accordance with the Privacy Act and the Spam Act 2003 (Cth).
Where required, we will obtain an individual's consent before sending direct marketing communications. In other circumstances, we may rely on consent that can reasonably be inferred from the individual's relationship with us, where permitted by law.
Individuals may opt out of receiving marketing communications from us at any time by using the unsubscribe link in our communications or by contacting us using the details in this Privacy Policy. We will comply with such requests promptly.
4.4 Product improvement and analytics
- understanding how the Platform is used and improving its features and performance;
- training and improving machine learning, statistical and rule-based models, using de-identified or aggregated data;
- benchmarking; and
- generating de-identified industry insights.
4.5 Security, fraud prevention, and integrity
- detecting, preventing and responding to security incidents, fraud, abuse and unauthorised access;
- monitoring compliance with our Terms and Conditions and acceptable use policies; and
- protecting the rights, property or safety of AML Assured, our customers, or others.
4.6 Legal and regulatory compliance
- complying with our obligations under the Privacy Act, the AML/CTF Act (where applicable to AML Assured), tax laws, corporations law and other applicable laws;
- responding to lawful requests from regulators (including the Office of the Australian Information Commissioner, AUSTRAC and the ACCC) and law enforcement;
- complying with court orders, subpoenas and other legal process; and
- establishing, exercising or defending legal claims.
4.7 Other purposes
We may use or disclose personal information for any other purpose:
- for which the individual has consented (APP 6.1(a));
- that is required or authorised by or under an Australian law or court/tribunal order (APP 6.2(b));
- where a permitted general situation or permitted health situation applies (APP 6.2(c)); or
- that the individual would reasonably expect, where that other purpose is related to a primary purpose of collection (or in the case of sensitive information, directly related to the primary purpose) (APP 6.2(a)).
5. Sensitive information
We collect sensitive information only where:
- the individual has consented and the information is reasonably necessary for our functions or activities (APP 3.3(a)); or
- the collection is required or authorised by or under an Australian law (APP 3.4(a)) — in particular where the AML/CTF Act, AML/CTF Rules, or other law authorises or requires collection of the information.
In the context of identity verification, biometric information may be processed in or through the Platform on behalf of our customers, who in turn rely on lawful bases for that processing under the AML/CTF Act, customer due diligence requirements, or explicit consent.
Where we handle biometric information directly we will do so in accordance with the Australian Law and OAIC guidance.
6. Disclosure of personal information
We disclose personal information to the following kinds of recipients, to the extent reasonably necessary for the purposes described in this Privacy Policy:
6.1 Our service providers and sub-processors
We disclose personal information to third parties that provide services to us, including:
- cloud infrastructure and hosting providers;
- identity verification, document verification, electronic identity verification, biometric and liveness check providers;
- sanctions, PEP, watchlist and adverse-media screening providers;
- payment processing providers;
- customer relationship management, support, ticketing and communications providers;
- analytics, monitoring, security, fraud detection and cybersecurity providers;
- professional advisers (legal, accounting, auditing, consulting); and
- backup, data recovery, archival and electronic signature providers.
6.2 Our customers and their Authorised Users
Where individuals interact with the Platform on behalf of, or are otherwise associated with, a customer organisation, we disclose information about that individual to the relevant customer organisation as necessary to provide the Platform to that customer.
6.3 Regulators and law enforcement
We may disclose personal information to regulators, law enforcement and other authorities where required or authorised by law, including under the Privacy Act, the AML/CTF Act, court orders, subpoenas, search warrants, and similar legal process.
The AML/CTF Act requires reporting entities to lodge certain reports with AUSTRAC, and our customers may use the Platform to assist them in preparing those reports.
6.4 Corporate transactions
If we are involved in a sale, merger, acquisition, restructure, insolvency or other corporate transaction, we may disclose personal information to the relevant counterparty and their professional advisers, subject to appropriate confidentiality protections.
6.5 Other disclosures
We may also disclose personal information:
- with the individual's consent;
- to protect the rights, property or safety of AML Assured, our customers, the individual, or any other person;
- where the disclosure is required or authorised by or under an Australian law or court/tribunal order; or
- where a permitted general situation or permitted health situation under the Privacy Act applies.
We do not sell personal information. We do not sell personal information to third parties for their own marketing purposes.
7. Disclosure of personal information overseas
Some of our service providers and sub-processors are located outside Australia, or use sub-contractors located outside Australia, and personal information may be hosted, processed or accessed in those countries. Countries may include the United Kingdom, the United States and other jurisdictions.
We take reasonable steps to ensure that any overseas recipient of personal information handles that information in a manner consistent with the Australian Privacy Principles, unless an exception applies under the Privacy Act.
8. Cookies and similar technologies
We and our service providers use cookies, web beacons, pixels, tags, local storage and similar technologies (collectively, cookies) on our website and the Platform. We use them to:
- authenticate users and maintain sessions; remember preferences;
- measure and analyse how the website and Platform are used;
- detect, prevent and respond to fraud, abuse and security issues; and
- (on our website only) deliver and measure marketing communications.
We use the following categories of cookies:
Strictly necessary
Required for the website and Platform to function, including sign-in, session management, security, and delivery of core features (including training content). These technologies are essential and are not used for advertising. On the Platform, this includes local/session storage used to maintain your authenticated session.
Functional
Remember choices and settings to improve your experience, such as organisation branding and onboarding progress. Some of this information is stored in your browser (local or session storage) and some may also be stored in your account on our systems.
Analytics
Help us understand how selected pages are used so we can improve them. On the Platform, this is currently limited to public signup-related pages where Google Tag Manager is enabled. We do not use broad in-app product analytics cookies across the authenticated Platform unless we tell you otherwise.
Marketing
Used to deliver and measure marketing and advertising. Marketing cookies and tags are used on our marketing website only. On the Platform, we may collect marketing email consent during signup, but we do not use marketing tracking technologies across the authenticated Platform.
We do not currently operate a cookie preference centre on the Platform. Essential browser storage is required to use the Platform. If we introduce optional analytics or marketing technologies on the Platform in future, we will update this policy and, where required, provide appropriate choices.
9. Security and retention of personal information
We take reasonable steps to protect personal information that we hold from misuse, interference and loss, and from unauthorised access, modification or disclosure, as required by APP 11. These steps include technical and organisational measures appropriate to the kinds of information we handle and the risks involved.
We retain personal information only for as long as it is reasonably necessary for the purposes set out in this Policy, or for any longer period required or authorised by law.
Where individuals are verified through the Platform on behalf of our customers, we apply the following retention approach to minimise the personal information we hold:
- raw identity documents and biometric source material submitted for verification (including scans and images of passports, driver licences, utility bills, bank statements, facial images and liveness recordings) are retained for no longer than 7 days following completion of the verification process, after which they are securely deleted; and
- verification data points (including the outcome of verification checks, match and non-match results, screening results, risk ratings, audit logs and associated metadata) are retained for a minimum period of 7 years from the completion of the verification or the end of the customer's business relationship with the relevant individual, to enable our customers to meet their record-keeping obligations under the AML/CTF Act.
Where we hold personal information that is no longer needed for any of the purposes set out in this Policy and is not required to be retained by law, we take reasonable steps to destroy or de-identify that information in accordance with APP 11.2.
10. How an individual may access their personal information and seek its correction
Individuals have the right to access the personal information that we hold about them, and ask us to update or correct it if it is not accurate. We will take reasonable steps to correct the information where we are satisfied it requires correction. If we decline to correct, we will give written reasons and the individual may request that we associate with the information a statement that the individual considers it to be inaccurate.
We do not charge for making an access or correction request. Where we charge for giving access to personal information, the charge will not be excessive. To access your personal information, please contact our Privacy Officer using the details at the end of the Privacy Policy.
11. Complaints
If an individual considers that we have breached the APPs or otherwise mishandled their personal information, they may complain to us. To make a complaint, please contact our Privacy Officer using the details at the end of the Privacy Policy.
We will:
- acknowledge receipt of the complaint promptly;
- investigate the complaint and respond substantively within a reasonable period (and in any case within 30 days of receiving the complaint, unless we agree on a longer period); and
- where the complaint is substantiated, take reasonable steps to address it.
If the individual is not satisfied with our response, the individual may complain to the Office of the Australian Information Commissioner (OAIC).
Contact details for the OAIC are:
- GPO Box 5288, Sydney NSW 2001;
- phone 1300 363 992;
- email enquiries@oaic.gov.au; and
- website oaic.gov.au.
12. Automated processing and decision-making
The Platform uses automated processing — including rule-based engines, matching algorithms, machine learning and other automated techniques — to support compliance workflows. Examples include matching identity data against verification sources, screening individuals and entities against sanctions, politically exposed person and watchlist data, generating risk ratings and alerts, and extracting information from documents.
Decision-support, not automated decisions about individuals.These features are designed as decision-support tools for our customers (the real estate agencies and other reporting entities who use the Platform). The Platform produces outputs — such as a risk rating or a potential watchlist match — but the decisions that affect an individual (for example, whether to proceed with a transaction, whether to conduct further checks, or whether to make a report) are made by our customer, applying human judgment, as part of the customer's own compliance processes. We do not use these automated features to make decisions that produce legal or similarly significant effects about an individual without human involvement on our customer's part.
Limitations.Automated processing can produce inaccurate, incomplete or unexpected results, including false positives and false negatives, and depends on the accuracy of third-party data sources. Outputs should be reviewed by a person and are not a substitute for the customer's own judgment.
13. How to contact us
Please contact our Privacy Officer if you have any questions, requests or complaints about this Privacy Policy or our handling of personal information.
| Privacy Officer | The Privacy Officer |
|---|---|
| privacy@amlassured.com | |
| Postal address | 280 Albert St, East Melbourne VIC 3002 |
| Phone | Available via amlassured.com |
| Website | amlassured.com |
Questions please contact privacy@amlassured.com
© 2026 AML Assured Pty Ltd. All rights reserved.