TAXO ADVISORY

TAXO ADVISORY is a registered tax agent and accounting practice providing taxation, BAS, bookkeeping, and advisory services to individuals and business entities across Australia.

• ABN: 26681517747
• Address: Suite 11a/102 Princes Hwy, Unanderra NSW 2526, Australia.

We operate a secure client portal at https://taxo.com.au and may provide services through agent subdomains (e.g. xyz.taxo.au) or authorised custom domains.

We collect personal information necessary to provide our services. This includes:

We collect personal information:

• Directly from you — via our client portal (signup, tax forms, expense uploads, document submissions)
• From your authorised representatives — accountants, bookkeepers, family members, or legal representatives acting on your behalf
• From Referral Agents — authorised partners, sub-agents, or introducers who refer you to our services
• From third parties — the ATO, ASIC, employers, financial institutions, or managed fund providers where you have consented or where permitted by law
• From public sources — ASIC company registers, ABN Lookup, and publicly available information where relevant to your tax affairs
• Automatically via our portal — IP addresses, session data, login history, and device information for security purposes

Where practicable, we collect personal information directly from you. If we collect information about you from a third party, we will take steps to notify you unless this is impracticable or the information was collected in accordance with your consent.

We collect personal information for the following primary purposes:

• Preparing and lodging income tax returns (individual, company, trust, partnership, SMSF)
• Preparing and lodging Business Activity Statements (BAS) and Instalment Activity Statements (IAS)
• Preparing financial statements and reports
• Providing tax advice and planning
• Managing your client account in our portal
• Communicating with you about your tax affairs and our services
• Complying with our obligations under the Tax Agent Services Act 2009 and tax laws
• Meeting ATO, ASIC, and other regulatory obligations
• Processing payments and issuing invoices
• Maintaining our professional records and audit trails

If we need to use your information for a secondary purpose, we will seek your consent unless the secondary purpose is closely related to the primary purpose and you would reasonably expect such use.

We use personal information to:

• Provide taxation, BAS, accounting, and advisory services to you and your associated entities
• Verify your identity and manage your portal account (including 2FA and session management)
• Communicate with you via email, SMS, or portal notifications about your work and our services
• Comply with legal and regulatory requirements including ATO obligations
• Process payments, manage invoices, and recover outstanding fees
• Improve our services, systems, and client experience
• Protect the security of our systems and detect fraud or misuse

We may disclose your personal information to the following types of recipients:

We do not disclose personal information to any other party without your consent, except where required or permitted by law.

We may disclose personal information to overseas recipients in the following circumstances:

• Cloud software infrastructure: Software providers such as Xero, QuickBooks, and MYOB may host data on servers located outside Australia (including the United States, Ireland, Singapore, and other jurisdictions).
• Our staff locations: Our firm employs or engages staff who may work from locations within or outside Australia. All staff are bound by our confidentiality obligations and privacy policies regardless of location.

Before disclosing information to overseas recipients, we take reasonable steps to ensure those recipients comply with the Australian Privacy Principles or are bound by a substantially similar privacy scheme, or we obtain your consent to the overseas disclosure.

We collect, store, and use Tax File Numbers (TFNs) in accordance with the Privacy (Tax File Number) Rule 2015 and the Privacy Act 1988 (Cth).

• TFNs are collected solely for the purpose of preparing and lodging tax returns and communicating with the ATO on your behalf
• TFNs are encrypted at rest in our database using AES-256 encryption
• Only the last 4 digits of your TFN (your "TFN Key") are stored in an accessible form, used as your portal login credential
• We do not disclose your TFN to any person or organisation other than the ATO, except as required by law
• Staff with access to TFN data are trained on TFN privacy obligations and bound by confidentiality agreements

Our client portal (https://taxo.com.au) and all associated subdomains collect and process personal information to provide our services. Specifically:

• Account information: Name, email, phone, date of birth, address, and TFN (encrypted)
• Session data: Login timestamps, IP addresses, device information, and browser type — stored for security and fraud prevention
• Two-factor authentication (2FA): Temporary codes sent to your email for identity verification — codes are one-time use and expire within 10 minutes
• Uploaded documents: Tax documents, receipts, payslips, and supporting records uploaded through the portal are stored securely and used only for your tax affairs
• Form data: Information entered into tax forms, income and expense entries, and other portal submissions
• Communication records: Messages sent through the portal chat or service request system are stored and may be reviewed by our staff for service delivery
• Payment records: Payment amounts, methods, and receipts are stored for accounting and audit purposes

Our website and client portal use session cookies for authentication and functionality. We do not use third-party advertising or tracking cookies. Cookies we use include:

• Session cookies: Required for login and portal functionality — deleted when you close your browser or log out
• Remember-me cookies: Optional — stored for up to 24 hours if you choose "Keep me logged in"

You may disable cookies in your browser settings, however this may prevent you from using the client portal.

11.1 Referral & Introducer Agents
Where you have been referred to us by an Authorised Referral Agent, Authorised Representative, sub-agent, partner, or introducer ("Referral Agent"), we may share the following information for coordination purposes:

• Your name, contact details, and client code
• The status of your tax return or services (e.g. pending, completed)
• Fee invoices and payment status where the Referral Agent collects on our behalf

We do not share your TFN, sensitive tax data, or detailed financial information with Referral Agents unless you have specifically authorised this in writing. All Referral Agents are contractually bound to maintain confidentiality and are prohibited from using client information for any other purpose.

11.2 Payment Technology Partners & IT Providers
To process payments securely, we engage payment gateway operators, platform technology providers, and IT service companies. These providers may receive the following information solely for payment processing and platform operation:

• Name, email, and contact details for transaction identification
• Invoice amount and payment reference
• Payment card details (processed directly by the gateway — we do not store full card numbers)
• Transaction confirmation data

Payment technology partners operate under data processing agreements. They do not receive your TFN, tax return data, or sensitive financial information. Where such providers are located outside Australia, we take steps to ensure compliance with the Australian Privacy Principles or equivalent international standards.

11.3 Tax Agent Data Access on Reassignment
When your matter is assigned or reallocated to a different registered tax agent within our platform, the newly assigned agent will be given access to your file and relevant personal information necessary to provide services — including name, contact details, tax return history, documents, and financial information. All tax agents on our platform are bound by the same confidentiality obligations and professional standards described in this policy and your Engagement Agreement. You will be notified of any reassignment.

We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. Our security measures include:

• HTTPS/TLS encryption for all data transmitted via our website and portal
• AES-256 encryption for sensitive data stored in our database (TFNs, bank account details)
• Password hashing using industry-standard algorithms (bcrypt)
• Two-factor authentication (2FA) for new devices and password resets
• Session expiry and idle timeout controls
• Role-based access controls limiting staff access to client data based on their role
• Login attempt limits and account lockout after repeated failures
• Audit logs for all login events, data access, and document operations
• Regular software updates and security patches

In the event of a data breach that is likely to cause serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme.

We retain personal information for as long as necessary to provide our services and comply with legal obligations. Retention periods include:

• Tax records and financial documents: Minimum 5 years from the date of lodgement, as required by Australian tax law
• Client account data: For the duration of the engagement and for a reasonable period thereafter
• Security logs: Up to 12 months for login history and session data
• Communication records: For the duration of the engagement
• Deactivated accounts: Personal information may be retained in an archived form for legal and audit purposes

When personal information is no longer required, we will take reasonable steps to destroy or de-identify it securely. Electronic records are deleted or overwritten; physical records are shredded.

You have the right to access the personal information we hold about you and to request corrections where the information is inaccurate, incomplete, or out of date.

To access your information: Log in to your client portal where most information is visible and editable. For information not accessible via the portal, contact us at info@taxabn.com.au.

To request correction: Contact us with details of the correction required. We will respond within 30 days.

We may decline access in limited circumstances permitted by the Privacy Act, such as where access would unreasonably impact another person's privacy or where the request relates to ongoing legal proceedings. If we decline, we will provide written reasons.

There is no charge for making an access or correction request, however we may charge a reasonable fee for the administrative cost of providing access to a large volume of information.

We may use your contact details to send you information about our services, tax deadlines, ATO updates, and relevant news that may be of interest to you.

You may opt out of marketing communications at any time by:

• Clicking the unsubscribe link in any marketing email
• Updating your notification preferences in your portal settings
• Contacting us directly at info@taxabn.com.au

We will action opt-out requests promptly. Note that opting out of marketing communications does not affect our ability to send you service-related communications about your tax affairs (e.g. lodgement confirmations, payment receipts, 2FA codes).

If you believe we have breached the Australian Privacy Principles or mishandled your personal information, you may lodge a complaint with us. We will investigate your complaint and respond within 30 days.

If you are not satisfied with our response, you may escalate your complaint to:

• Office of the Australian Information Commissioner (OAIC): oaic.gov.au/privacy/privacy-complaints | 1300 363 992
• Institute of Public Accountants (IPA): publicaccountants.org.au — Complaints

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. Updated versions will be published on our website and client portal. The version date at the top of this document indicates when it was last updated.

Continued use of our services following publication of an updated policy constitutes your acceptance of the changes. For significant changes, we will notify you via email or portal notification.

This clause supplements Clause 11.3 with additional detail on how your data is handled during tax agent assignment and reallocation events.

When a tax agent is assigned to your file for the first time, or when an existing assignment is changed, the following data handling applies:

• The newly assigned practitioner gains read access to your full client file, tax return history, uploaded documents, financial data, and correspondence
• The previously assigned practitioner retains read-only access to historical records for audit, quality review, and continuity purposes
• Assignment events are logged in our system with date, time, and the identity of the practitioner assigned
• You will be notified of the assignment via your client portal dashboard and/or email

You may request a copy of your assignment history by contacting our Privacy Officer. You may also request that a specific practitioner not be assigned to your matter, subject to our operational requirements and our right to manage internal workflow.

All access to client data by any registered tax agent is subject to the confidentiality obligations of the Tax Agent Services Act 2009, APES 110, and the Privacy Act 1988 (Cth).

For any privacy-related enquiries, requests, or complaints, please contact our Privacy Officer:

We aim to respond to all privacy enquiries within 30 days of receipt.