Privacy Policy
duely ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy outlines how we collect, use, disclose, and safeguard your personal information when you use our platform and website. This policy is prepared to comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).
By using duely, you consent to the data practices described in this policy.
1. Role as a Data Processor versus Data Controller
For the AML/CTF compliance tools provided through our platform:
- the Reporting Entity (Firm / Subscriber) using our platform is the Data Controller of its clients' personal data; and
- duely acts as the Data Processor, acting on the instructions of the Firm.
If you are an individual whose data has been submitted to duely by a participating Firm, your primary point of contact for privacy inquiries is the Firm itself.
2. Information We Collect
We collect personal information to operate and improve our services.
2.0 How We Collect Information
We collect personal information through the following channels:
- Directly from you: when you register an account, subscribe to a plan, submit a support request, or interact with our platform.
- From Firms on behalf of their clients: when a Firm uploads customer identity documents, enters customer details, or initiates verification workflows through the platform.
- From third-party providers: identity verification and screening results from Didit (identity verification outcomes, biometric liveness and face-match results, and PEP / sanctions / adverse-media screening), company data from InfoTrack (ASIC extracts), and payment confirmations from Stripe.
- Automatically: through cookies, server logs, and analytics tools (PostHog, Google Analytics) when you visit our website or use the platform. See our Cookie and Tracking Policy for details.
2.1 Information Collected from Subscribers (Firms)
When creating an account or subscribing to our services, we collect:
- contact details (name, email address, phone number);
- business details (company name, ABN/ACN, role/title);
- billing and payment information; and
- account credentials and platform usage data.
2.2 Sensitive Data Processed on Behalf of Firms
In operating our AML/CTF compliance platform, we process sensitive customer data on behalf of Firms, which may include:
- Identity information: names, dates of birth, residential addresses.
- Government-issued IDs: drivers' licences, passports, Medicare cards.
- Biometric data: facial recognition, liveness, and face-match data processed via our third-party verification partner, Didit. Didit performs this processing outside Australia, in the European Union. Didit does not retain this data — it is purged once the verification result is returned, and the resulting evidence is stored by duely in Australia.
- Screening data: Politically Exposed Persons (PEP) status, sanctions list matches, and adverse media findings.
3. How We Use Information
We use the collected information to:
- operate and maintain the duely platform;
- facilitate Identity Verification (KYC/KYB) and screening processes as instructed by the Firm;
- process payments and manage subscriptions;
- provide customer support and respond to inquiries;
- monitor platform security and prevent fraudulent activity; and
- analyse platform usage and improve our services.
AI and Machine Learning Notice: duely does not use customer data (including personal or sensitive data processed on behalf of Firms) to train foundational AI or large language models. We will not introduce any AI-based feature that processes customer data without first updating this Policy and, where required, obtaining the Firm's consent.
4. How We Share and Disclose Information
We do not sell your personal information. We share information only in the following circumstances.
4.1 Third-Party Sub-Processors
We engage trusted third-party providers to assist in operating our platform. These include:
- Didit: identity verification, biometric liveness and face-match, and AML (PEP / sanctions / adverse-media) screening. Processed outside Australia, in the European Union.
- InfoTrack: ASIC extracts and company data.
- Xero: optional practice management integration (if authorised by the Firm).
- Stripe: payment processing.
- Keycloak: authentication and identity management.
- PostHog / Google: platform and website analytics.
4.2 Legal and Regulatory Requirements
We may disclose information where required by law, subpoena, or other legal process, or to protect the rights, property, or safety of duely, our users, or others. Where permitted by law, we will notify the Firm of such requests in accordance with our Law Enforcement Request Policy.
5. Data Storage and Security
Data Localisation: Application hosting and the primary storage of matter, document, and evidence data are conducted in Tier 1 data centres in Australia (Sydney and Melbourne). Certain specialist processing (identity, biometric, and AML verification) is performed by our sub-processor Didit outside Australia on a process-and-purge basis — the data is not retained offshore, and the resulting evidence is stored back in Australia, as set out below.
Cross-Border Transfers: Some of our third-party processors operate internationally. This means the relevant data is disclosed to and processed by those providers outside Australia:
- Didit (identity verification, biometric liveness / face-match, and AML screening): European Union (AWS). Government-issued identity documents, facial-biometric data, and screening data are processed by Didit outside Australia. duely operates Didit on a process-and-purge basis: the identity and biometric data is deleted once the verification result is returned and is not retained by Didit. Didit is GDPR-compliant and holds ISO 27001 and SOC 2 (Type I) certification.
- Stripe (payment processing): United States.
- PostHog (product analytics): United States and European Union.
- Google Analytics (website analytics): United States.
We put appropriate safeguards in place for cross-border transfers, including reviewing each processor's security certifications, data processing agreements, and compliance with applicable privacy frameworks.
Security Measures: We use security practices including AES-256 encryption at rest, TLS 1.3 in transit, role-based access control (RBAC), and append-only audit logging.
6. Data Retention
We retain data in accordance with the legal obligations of our Subscribers:
- Matter and Evidence Data: maintained for the duration of the Firm's subscription. AML/CTF evidence packs are designed to assist Firms in meeting their 7-year record-keeping obligations after matter closure.
- Subscription Expiry: on subscription termination or expiry, Firms have a 90-day export window. After this period, data is securely deleted in line with our data destruction protocols.
7. Your Privacy Rights
Under the Australian Privacy Principles, individuals have the right to request access to and correction of their personal information.
- Account holders / Subscribers: you may access and update your profile directly within the platform or by contacting us.
- Clients of Subscribers (Data Subjects): if you are an individual whose data was submitted by a Firm, please direct your access, correction, or deletion requests to that Firm. We will assist the Firm in fulfilling its obligations.
Note on Deletion Requests: Deletion of certain AML/CTF verification records may be restricted where statutory record-keeping obligations (for example, section 107 of the AML/CTF Act 2006) require the Firm to retain that evidence, overriding general privacy deletion rules.
Children's Privacy: The duely platform is a business-to-business service designed for use by professional services firms. It is not directed at individuals under the age of 18. We do not knowingly collect personal information from children.
8. Cookies and Tracking
We use cookies for platform functionality, session management, and usage analytics. You can manage your cookie preferences through your browser settings or our website's consent banner. See our Cookie and Tracking Policy for details.
9. Complaints Process
If you believe we have breached the Australian Privacy Principles, please contact us with your concerns. We will acknowledge your request within 7 business days and aim to resolve it within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
10. Contact Us
For any questions about this Privacy Policy or our data practices, please contact our Privacy Officer at:
Email: privacy@duely.com.au
Address: Sydney, New South Wales, Australia