Privacy Policy

DocFlow provides document-collection software for accounting firms. We act as the operator of the platform. Where an accounting firm uses DocFlow to collect documents from their own clients, the firm is responsible for that data as the data controller, and DocFlow acts as the data processor on their behalf.

• Account information — your name, email address, firm name, password (stored encrypted), and any logo or branding you upload.
• Client and engagement data — information your firm enters about its clients (such as name, email, phone, ABN, address) and the documents your clients upload through the portal.
• Billing information — handled by our payment processor; we do not store full card numbers.
• Usage and technical data — log data, IP address, device/browser information, and activity within the app, used to operate and improve the service.

• To provide, maintain and improve the DocFlow service;
• To send transactional emails and SMS (such as confirmations, document requests and reminders);
• To process subscriptions and payments;
• To provide AI-assisted extraction of data from uploaded documents;
• To respond to support requests and communicate with you;
• To detect, prevent and address security or technical issues, and to comply with our legal obligations.

We use trusted third-party providers to operate DocFlow. These providers only process data as needed to deliver their service to us:

• Supabase — database, authentication and file storage;
• Vercel — application hosting;
• Resend — transactional email delivery;
• Twilio — SMS delivery (where enabled);
• Stripe — subscription billing and payments;
• Anthropic — AI processing of uploaded documents for data extraction;
• Xero — where you connect your Xero organisation, to sync contacts and push documents at your direction.

We do not sell your personal information.

Some of our service providers store and process data outside Australia, including in the United States. By using DocFlow you acknowledge that your information may be stored or processed overseas. We take reasonable steps to ensure such providers handle information consistently with the APPs, including APP 8 (cross-border disclosure).

We use industry-standard measures to protect your information, including encryption in transit and at rest, access controls, and one-time-code verification for the client portal. No method of transmission or storage is completely secure, but we work to protect your data and to notify you of any eligible data breach as required under the Notifiable Data Breaches scheme.

We retain personal information for as long as your account is active or as needed to provide the service, comply with legal obligations, resolve disputes and enforce our agreements. You or your firm may request deletion of client data, subject to any legal record-keeping requirements that apply to accounting records.

You may request access to, or correction of, the personal information we hold about you. You may also request deletion of your account and associated data. To make a request, contact us at privacy@docflow.au. Where DocFlow processes data on behalf of an accounting firm, please direct requests about that data to the firm.

We use essential cookies to keep you signed in and to operate the service. We do not use cookies for third-party advertising.

We may update this policy from time to time. The “last updated” date above reflects the latest version. Material changes will be communicated through the app or by email.

For privacy questions or requests, contact privacy@docflow.au. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.