Privacy Policy
Last updated 15 July 2026
This policy explains how Unladen Software Pty Ltd, ABN 18 700 213 181 (“Unladen Software”, “we”, “us”) handles personal information in connection with our website and the Unladen CRM service (together, the “Service”). We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
Two kinds of personal information
It helps to distinguish the two roles we play. First, we collect a small amount of information about our own users: the advisers and staff of subscribing practices. Second, we hold information that practices store in the Service about their clients. That client information belongs to the practice; we store and process it on the practice’s behalf and on its instructions.
What we collect about our users
- Account details: name, work email address, practice name and role.
- Technical information: sign-in events, IP addresses and service logs, used for security and troubleshooting.
- Support correspondence when you contact us.
Our website uses only essential cookies (sign-in sessions and interface preferences). We do not run advertising trackers and we do not sell personal information to anyone.
Client information held for practices
- Practices store records about their clients in the Service. These records can include names, contact details, dates of birth, financial information and other material a financial advice practice ordinarily holds.
- Each practice is responsible for collecting that information lawfully, for its own privacy notices and consents, and for what its staff do with the records.
- Client records are encrypted with a key specific to each practice before being stored. Our operational design is that we cannot read a practice’s client records in the ordinary course of running the Service.
- We access practice data only as needed to provide and support the Service, on the practice’s instructions, or as required by law.
Why we collect information
- To provide, secure and support the Service.
- To administer subscriptions and billing.
- To communicate service and security notices.
- To meet our legal obligations.
Where information is stored
The Service’s database, documents and backups are hosted in Sydney, Australia (AWS ap-southeast-2, via Supabase), and the application runs from Australian infrastructure. Some of our service providers are headquartered overseas, and limited data may be processed outside Australia in the course of providing their services. In particular, transactional emails (such as invitations and password resets) are delivered via Resend, which processes email in the United States, and web traffic is delivered through Vercel’s global network. We do not otherwise send personal information overseas.
Who we share information with
Only the service providers we use to run the Service, and only to the extent needed for them to provide their services to us. Currently these are Supabase (database, storage and authentication), Vercel (application hosting) and Resend (transactional email). We may also disclose information where required by law. See our Security page for how these providers fit together.
Security
Practice data is encrypted in transit and at rest, client records are additionally encrypted with per-practice keys, every account requires multi-factor authentication, and access is invitation-only. Full details are on our Security page.
Retention and deletion
We keep personal information while the related subscription is active. After a subscription ends, practice data remains available for export for 60 days, is then deleted from the live Service, and leaves our backups in the ordinary backup cycle shortly after. We may retain limited billing records as required by tax law.
Data breaches
We comply with the Notifiable Data Breaches scheme. If a breach likely to result in serious harm occurs, we will notify affected practices and the Office of the Australian Information Commissioner as required.
Access, correction and complaints
You may request access to or correction of personal information we hold about you by emailing admin@unladencrm.com.au. If you are a client of a practice that uses Unladen CRM, your records are controlled by that practice, so please contact them directly, and we will assist them as needed. If you are unhappy with our response to a privacy complaint, you can contact the Office of the Australian Information Commissioner (oaic.gov.au).
Changes to this policy
We may update this policy from time to time. The current version will always be at this address, with the date above.