What Gets Recorded and Why

Running a business management platform means different details arrive at different moments. When you create an account, we gather your name, email address, and phone number. Your business name and ABN come next. Payment information enters our system when you set up billing.

Here's what matters: we receive this because the service can't function without it. Sending invoices requires knowing who sends them. Processing payments needs payment details. Simple as that.

Business Activity Records

Your platform usage creates records automatically. Every invoice generated, every expense logged, every report created — these actions leave traces in our database. We keep these because they form the core of what you're paying for: a reliable record of your business finances.

The system also notes when you log in, what features you access, how long sessions last. This operational data helps us maintain service quality and troubleshoot issues when things break.

---

How Information Gets Handled

Your financial records sit on Australian servers operated by certified data centre providers. We chose local infrastructure deliberately — faster access for Australian businesses, clearer legal jurisdiction, better sovereignty over your data.

Our team accesses customer records when necessary for support requests or system maintenance. Database administrators see data structures. Support staff view account details when resolving your specific issue. Nobody browses through customer information casually — access gets logged and monitored.

When Data Moves Beyond Our Systems

Certain platform functions require sharing specific details with external services. Payment processing happens through a third-party provider who receives transaction amounts and payment methods. Email delivery services get your email address when we send invoices or notifications. Cloud backup systems store encrypted copies of your data.

Each external service operates under contractual obligations limiting what they can do with received information. We select providers who maintain Australian operations where possible and comply with local privacy standards.

Legal Requirements and Disclosures

Australian financial regulations sometimes require disclosure. Tax authorities may request records. Court orders compel production of specific data. We comply with lawful demands while pushing back against overly broad requests.

In seven years operating this platform, we've received four formal requests from authorities. Each received careful review before response.

---

Security Measures in Practice

Encryption protects data in transit and at rest. Your connection to our servers uses TLS 1.3. Database contents get encrypted using AES-256. Backup archives receive additional encryption layers.

Access controls limit who sees what. Engineers maintain separate development environments with synthetic data. Production system access requires multi-factor authentication and gets granted based on role requirements.

We run vulnerability scans monthly and penetration tests annually. Security updates deploy within 48 hours of release for critical patches. Staff receive security training during onboarding and yearly refreshers.

Despite these precautions, perfect security doesn't exist. Determined attackers with sufficient resources might breach defences. Hardware failures could cause data loss despite backups. We maintain incident response plans and professional liability insurance, but risks remain inherent in digital systems.

---

Your Control and Options

Account settings let you modify contact details, business information, and communication preferences. Changes take effect immediately in most cases, with some updates requiring verification steps.

Accessing Your Records

You can download complete copies of your business data anytime through the export function. This generates CSV files for transactions, PDF archives of invoices, and JSON exports of account settings. No waiting period, no approval needed — it's your data.

Want to see everything we hold about you beyond what appears in your account? Send a formal request to our privacy contact. We respond within 30 days with a complete data package.

Corrections and Updates

Spotted an error in your records? Fix it directly through the platform interface. Most corrections happen instantly. Some changes (like registered business details) might require verification documents to prevent fraudulent modifications.

Account Deletion and Data Removal

Closing your account triggers a defined sequence. Active subscriptions get cancelled. Your access gets disabled immediately. Business records remain in our systems for 90 days in case you change your mind or need to retrieve something.

After 90 days, deletion becomes permanent. We remove all business records, transaction histories, and stored documents. Financial records required for tax compliance get anonymized — we strip identifying details while preserving transaction data needed for our books.

Some information persists by necessity: copies in encrypted backups cycle out over 12 months, logged support conversations remain in our ticketing system, and financial summaries needed for accounting audits stay in our records.

---

Retention and Information Lifecycle

Different data categories have different retention periods based on business needs and legal requirements.

• Active account records: Maintained while your subscription remains current
• Cancelled account data: Held for 90 days, then permanently deleted
• Financial transaction records: Kept for seven years per Australian tax law
• Support correspondence: Archived for three years for reference and training
• System logs and analytics: Retained for 18 months, then purged
• Backup archives: Encrypted copies persist for 12 months on rotation

These timeframes balance practical needs (you might need old records) with privacy principles (we shouldn't hoard data indefinitely). When retention periods expire, deletion happens automatically through scheduled processes.

---

Legal Basis for Processing

Australian Privacy Principles govern how we handle your information. Different processing activities rest on different legal grounds.

Most of what we do falls under contractual necessity — you signed up for business management services, delivering those services requires processing your business data. You can't get the benefit without the processing.

Some functions rely on legitimate interests: maintaining system security, preventing fraud, improving platform features based on usage patterns. These activities benefit both parties and don't override your fundamental privacy rights.

Marketing communications (which we send rarely) depend on consent. You can opt out anytime using the unsubscribe link in emails or by adjusting your communication preferences.

Legal obligations drive certain processing: keeping financial records for tax purposes, responding to valid authority requests, complying with financial regulations.

---

Changes to Privacy Practices

This document gets updated when our practices evolve. Adding new features might require collecting additional data types. Changing service providers could alter where information gets processed. New regulations sometimes demand updated procedures.

Material changes trigger email notifications to active accounts. The "Last Updated" date at the top reflects when modifications occurred. Previous versions aren't published online, but we'll provide them on request if you want to see what changed.

Continuing to use the platform after changes take effect constitutes acceptance. If updates bother you, close your account before they become effective.

---

Children and Age Requirements

Our platform serves business owners, not children. We don't knowingly accept registrations from anyone under 18. If someone underage somehow creates an account, we'll close it and delete associated data upon discovery.

---

International Considerations

coriventalo operates as an Australian business serving primarily Australian customers. Data stays within Australian borders under Australian legal frameworks. If you access our platform from overseas, understand that your information will transfer to and get processed in Australia.

European or California residents get additional rights under GDPR or CCPA respectively. Those laws don't directly apply to Australian businesses, but we'll accommodate reasonable requests consistent with those frameworks.