Privacy Policy - Invoice Harbour

TMD Industries Pty Ltd (ABN 90 684 648 717), trading as Invoice Harbour (“we”, “us”, “our”), respects your privacy. This Policy explains how we handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Personal information we collect

We collect the following categories of personal information when providing our cloud‑based invoice‑processing service:

Category	Examples (non‑exhaustive)	Typical source
Account details	Contact name; work email; phone; company name; ABN	Supplied by you during onboarding
Authentication data	Login credentials; API keys/OAuth token	Your account administrator
Invoice & receipt data (“Expenses”)	Data that appears on uploaded invoices/receipts, e.g. client or vendor names and addresses; service descriptions & dates; Medicare or provider numbers (if present); line‑item amounts & GST	Documents you upload Data pulled from authorised integrations
Technical data	IP address; browser user‑agent; session ID; error log	Collected automatically from your device and our application

How we collect information

Directly from you – when you create an account, upload an Expense, or contact support.
Indirectly from integrations – via Lookout, your accounting software or other services you authorise.
Automatically – through cookies or similar technologies (only essential and analytics cookies; no advertising cookies).

Why we collect, hold and use personal information

Purpose	Legal basis under the APPs
Provide and operate the Invoice Harbour platform	Necessary for the performance of our contract with you
Process, extract and classify data from Expenses	Same as above
Enable authorised integrations	Same as above
Monitor performance & security, diagnose errors, plan capacity	Our legitimate business interests
Comply with Australian tax, accounting and other legal obligations	Legal obligation

Disclosure of personal information

We disclose personal information only:

To trusted service providers that host, store, process or analyse data for us
To integrations you enable, such as Lookout or your accounting software.
When required or authorised by law, a court or a government agency.

All third‑party providers are bound by confidentiality and security obligations that are at least as protective as those in our Terms of Service.

Data retention

Active customers – Expense files, extracted data and audit logs are retained for the lifetime of the account.
After account closure – We delete or anonymise Customer Data within 30 days, unless a longer period is required by law.

System logs may be kept for up to 12 months for security and accounting purposes.

Data security

We employ administrative, physical and technical safeguards, including:

Encryption in transit (TLS 1.2+) and at rest (AES‑256)
Role‑based access controls and multi‑factor authentication
Continuous backups in AWS Sydney availability zones
Regular vulnerability assessment and remediation

Access and correction

You may request access to, or correction of, the personal information we hold about you by emailing privacy@invoiceharbour.com.au. We will respond within 30 days. If we refuse a request, we will explain why in writing and outline how you can complain.

Cookies and analytics

We use first‑party cookies for session management and privacy‑enhanced usage analytics. You can disable cookies in your browser, but some functions may not work correctly.

Complaints

If you have a privacy concern, please contact our Privacy Officer:

Privacy Officer

TMD Industries Pty Ltd

Email: privacy@invoiceharbour.com.au

We aim to respond within 30 days. If you are not satisfied with our response, you may refer your complaint to the Office of the Australian Information Commissioner (OAIC).

Changes to this policy

We may update this Privacy Policy from time to time. The latest version is always available at https://invoiceharbour.com/privacy. Material changes will be communicated via email or an in‑app banner.

Last updated: 1 Sept, 2025