Privacy Notice
How Tax7 Accountants collects, uses, discloses, secures, and shares your personal information under the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
Entity: Tax7 Pty Ltd (ACN 602 477 010) as trustee for the Tax7 Trust (ABN 95 507 557 877), trading as Tax7 Accountants
Last reviewed: 15 June 2026
Version history: archived versions are available on request from [email protected].
1. About This Notice
This Privacy Notice explains how Tax7 Accountants (we, us, our) handles personal information about our clients, prospective clients, former clients, contacts of clients (such as spouses, dependants, business partners, employees and beneficiaries), referrers, suppliers and website visitors. It applies whenever you deal with us in person, by phone, by email, through our website, through our client portal, through any mobile or desktop application we provide, or through a third party who is acting on your behalf.
This Notice is issued under, and should be read together with, the following Australian laws and instruments:
- Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) in Schedule 1 to that Act;
- Privacy (Tax File Number) Rule 2015, made under s 17 of the Privacy Act, which regulates the handling of tax file numbers (TFNs);
- the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act;
- the Privacy and Other Legislation Amendment Act 2024 (Cth), which (among other things) strengthens the security obligation in APP 11, adds infringement-notice powers, and from 10 December 2026 will require additional disclosure about automated decision-making;
- the confidentiality and record-keeping obligations imposed on registered tax agents under the Tax Agent Services Act 2009 (Cth) and the Tax Agent Services (Code of Professional Conduct) Determination 2024 (Cth);
- from 1 July 2026, the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), when our customer due diligence obligations as a "Tranche 2" reporting entity commence.
You can also read our Terms of Service and our Disclaimer for the broader terms that govern our services and the use of our website.
2. What Personal Information We Collect (APP 3 and APP 5)
We collect personal information that is reasonably necessary to act as your registered tax agent and to meet our legal and professional obligations. "Personal information" means information or an opinion about an identified individual, or an individual who is reasonably identifiable. The categories we typically collect are:
- Identity information — full legal name, preferred name, date of birth, gender (where you choose to provide it), residency status, marital status, and the names and dates of birth of dependants or other family members where relevant to a tax claim.
- Contact information — residential and postal addresses, phone numbers, email addresses, and your preferred contact method.
- Financial information — income, deductions, offsets, assets, liabilities, expenses, depreciation schedules, capital gains and losses, rental property records, business records, accounting records, superannuation balances and contributions, and insurance details where relevant.
- Tax information (including TFN) — your tax file number, ABN/ACN, myGovID identifiers, prior-year tax returns, notices of assessment, correspondence with the ATO, PAYG summaries, and any other ATO-issued documents. See Section 8 (Tax File Numbers) for how we handle TFNs.
- Bank and payment information — bank account details for refunds and disbursements, billing details, credit/debit card details where you use them to pay us, and a record of payments and invoices.
- Family and dependants information — spouse and child details (including their TFNs only where required for family-tax-benefit, child-support, or shared-deduction calculations), and beneficiary details for trusts and SMSFs.
- Employer and business information — employer name and ABN, payroll details, employment status, and information about businesses you own, control or are a beneficiary of.
- AML/CTF identity documents — passport, driver licence, Medicare card, source-of-funds documentation, and beneficial-ownership information, for the purpose of customer due diligence under the AML/CTF Act from 1 July 2026.
- Communications and engagement records — file notes, emails, meeting recordings and transcripts (where you have consented), portal messages, documents you upload, and any other content you provide to us.
- Sensitive information — for example, health information that supports a medical-expense claim, professional memberships, or (rarely) information about a criminal record where it is necessary for a tax matter. We only collect sensitive information with your consent or where the law permits.
- Device and usage information — when you visit our website or use our portal, we automatically collect technical data such as IP address, device identifiers, browser type, operating system, referring URL, pages viewed, dates and times of access, and actions taken on our site.
- Cookies and analytics data — see Section 14 (Cookies & Website Analytics).
3. How We Collect Your Information
Wherever practicable we collect personal information directly from you. The main ways we collect information are:
- Directly from you — through our engagement letter, client onboarding form, secure email, secure client portal uploads, phone calls, meetings, and our website forms.
- From the ATO with your consent — once you appoint us as your registered tax agent, we use our authorised tax agent access to retrieve pre-fill data, prior-year returns, notices of assessment, activity statements, and account balances.
- From referrers and other professionals — for example, your previous tax agent, financial planner, mortgage broker, lawyer, or business partner, where you have authorised the disclosure.
- From public sources — such as ASIC, the ABN Lookup, the TPB register, and other publicly available registers.
- Automatically via our website and portal — through cookies, analytics, and server logs as described in Section 14.
Where we collect personal information about you from a third party, we will let you know as soon as practicable, either at the point of collection or in our next communication with you.
4. Notification at Collection (APP 5)
When we collect personal information from you, we will take reasonable steps to make sure you are aware of:
- our identity and how to contact us;
- the circumstances of collection (for example, that we obtained information from the ATO under our authorised access);
- whether the collection is required or authorised by an Australian law (for example, tax laws and the AML/CTF Act);
- the purposes for which we are collecting it;
- the consequences if you do not give us the information — for example, we cannot lodge your tax return without your TFN, and from 1 July 2026 we cannot accept you as a client without completing AML/CTF customer due diligence;
- the kinds of organisations to which we usually disclose information of that kind (see Section 9);
- how you can access and correct your personal information (see Section 17);
- how to complain about a privacy breach (see Section 18);
- whether we are likely to disclose information overseas, and the countries where overseas recipients are likely to be located (see Section 10).
We give this notification by providing this Privacy Notice and through our engagement letter, which contains a short-form collection statement that links back to this document.
5. Why We Use Your Information — Primary Purposes (APP 6)
The primary purpose for which we collect, hold, use and disclose personal information is to provide tax, accounting, bookkeeping and related professional services to you. This includes:
- preparing and lodging income tax returns, business activity statements (BAS), fringe benefits tax returns, and other ATO lodgements on your behalf;
- providing tax planning, structuring, and accounting advice tailored to your circumstances;
- bookkeeping, reconciliation, payroll, and financial-statement preparation;
- corresponding with the ATO and other regulators on your behalf;
- issuing invoices and collecting fees;
- meeting our own legal and regulatory obligations, including record-keeping under the Tax Agent Services Act 2009 and the Income Tax Assessment Act 1936, customer due diligence under the AML/CTF Act, and reporting obligations to the ATO, TPB and AUSTRAC.
6. Secondary Uses (APP 6)
We may also use your personal information for related secondary purposes where you have consented or where the law permits, including:
- pre-filling working papers for future tax years from prior-year data;
- sending you tax updates, planning reminders, firm news and event invitations (always with an unsubscribe option — see Section 13);
- improving our services — for example, by analysing aggregated and de-identified service-usage data;
- quality assurance, internal training, and supervision of our team in accordance with the Tax Practitioners Board's quality-management expectations;
- protecting our legal interests, for example in defending a claim or recovering unpaid fees;
- research and analytics on a de-identified basis, where the output does not identify you.
7. Sensitive Information
Where we collect sensitive information (for example, health information that supports a medical-expense or income-protection claim, professional memberships, or information about a criminal record where it is necessary for a tax matter), we do so only with your consent and only where it is reasonably necessary for the services we are engaged to provide. The full categories of personal information we collect, including sensitive information, are described in Section 2 above.
8. Tax File Numbers (TFNs) — Privacy (Tax File Number) Rule 2015
Important: TFNs receive special protection under Australian law. Unauthorised use or disclosure of a TFN is a criminal offence under sections 8WA and 8WB of the Taxation Administration Act 1953.
Legal authority for collection. We collect TFNs for individuals under the authority of the Income Tax Assessment Act 1936 (Cth), the Income Tax Assessment Act 1997 (Cth) and the Taxation Administration Act 1953 (Cth), for the purpose of preparing and lodging your tax returns and dealing with the ATO on your behalf.
Voluntary provision. You are not legally required to give us your TFN. However, without it we cannot lodge a tax return for you, and the ATO may require higher amounts to be withheld from your income.
Restricted use. We use and disclose TFN information only for purposes authorised by taxation, superannuation, or personal-assistance law. We do not use your TFN for any other purpose.
Secure handling. Access to TFN information is restricted to the staff who need it to carry out an authorised purpose. TFN information is encrypted in transit (TLS 1.2 or higher) and at rest (industry-standard encryption). We discourage clients from emailing TFNs — please use our secure client portal instead.
Retention and destruction. We securely destroy or permanently de-identify TFN information when we are no longer required to retain it by law (see Section 16).
Not used as a client identifier. Consistent with Rule 7(1) of the Privacy (Tax File Number) Rule 2015, we do not use TFNs as our client reference number or as a general identifier in our systems.
9. Disclosure to Third Parties
We disclose personal information only as set out below, and we require all third parties who handle personal information on our behalf to do so in accordance with the Australian Privacy Principles and our contractual safeguards. We do not sell personal information.
- Australian Taxation Office (ATO) and the Commissioner of Taxation — for lodgements, queries, audits, objections, and other tax administration.
- Tax Practitioners Board (TPB) — where required for regulatory purposes, including responses to TPB notices, registration matters and complaints.
- AUSTRAC — from 1 July 2026, for reports and information required under the AML/CTF Act.
- Professional bodies — where relevant to a regulatory or membership matter, we may exchange information with the professional associations of which our individual practitioners are members. Any such memberships are held by individual practitioners personally. Tax7 is a registered tax agent practice; it is not a Chartered Accounting firm or a CPA public practice firm, and it does not hold a Certificate of Public Practice or a CPA Public Practice Certificate.
- Cloud and software providers — including Amazon Web Services (AWS) (United States and Australia), Microsoft 365 (United States and Australia), Xero (Australia and New Zealand), and Fedix.ai (Australia), for hosting, accounting, productivity, document management and practice-management purposes.
- Website service providers — including Google Analytics and Google Tag Manager (United States) for website analytics, SimplyBook.me for online appointment bookings, and Cloudflare for content delivery and security.
- Artificial Intelligence (AI) processors — including OpenAI (United States), Anthropic (United States) and Mistral (France), for the purposes described in Section 11, subject to the safeguards described in that section.
- Banks and financial institutions — where you have authorised us to verify account details, request bank statements, or process payments.
- Successor agents — where you direct us to pass your information to a new tax agent following disengagement.
- Insurers, legal advisers and accountants' assistance schemes — where reasonably required to defend or respond to a claim, or as part of our professional indemnity arrangements.
- Law enforcement, courts and tribunals — where required or authorised by Australian law, a court order, or a properly issued statutory notice.
- Your authorised representatives — such as your spouse, business partner, lawyer or financial planner — only where you have asked us to.
10. Overseas Disclosure (APP 8 and section 16C)
Some of our service providers process personal information outside Australia. The countries where your personal information is likely to be disclosed are:
- United States — Amazon Web Services (AWS), Microsoft 365, OpenAI, Anthropic, and Google (Analytics);
- France — Mistral (OCR);
- New Zealand — Xero (which operates across Australia and New Zealand).
Reasonable steps before disclosure. Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient does not breach the APPs, including by entering into contracts that impose privacy, security, subcontracting and breach-notification obligations substantially equivalent to the APPs, and by performing vendor due diligence (for example, reviewing the provider's certifications such as ISO/IEC 27001, SOC 2, and published security and privacy commitments).
Section 16C accountability. Under section 16C of the Privacy Act, we remain accountable for how our overseas service providers handle your information — an act done by an overseas recipient that would breach the APPs is treated as having been done by us. Foreign laws may also require disclosure of personal information held overseas to foreign authorities, and we cannot guarantee that you will have the same redress under foreign law as you would under Australian law.
You can contact our Privacy Officer at [email protected] to ask about a specific service provider or to request a current list of outsourced service providers.
11. Use of Artificial Intelligence (AI)
We use AI tools to help us deliver our services more accurately and efficiently. We believe transparency about AI is essential — this section sets out what we use AI for, who processes the data, and how you can opt out.
What we use AI for
- drafting client communications, working papers, and reports for review by our staff;
- classifying and coding transactions in bookkeeping, reconciliation, and BAS workflows;
- extracting information from documents and receipts (optical character recognition, or OCR);
- surfacing audit and risk flags for our accountants to consider;
- transcribing meetings and voicemails (where you have consented);
- answering routine client questions through our AI Copilot, with human oversight.
AI processors and jurisdictions
Personal information about you may be processed by the following AI service providers:
- OpenAI — United States — chat, transcription, embeddings, and general-purpose AI;
- Anthropic — United States — drafting and reasoning tasks;
- Mistral — France — OCR and document understanding.
Contractual no-training commitment
Where commercially available, we use these AI services under commercial / API terms that contractually prohibit the provider from using your data to train their general AI models. Our current arrangements with OpenAI, Anthropic and Mistral include this commitment. We do not knowingly enter your personal information into consumer / free AI tools that train on user input.
Human in the loop
Every AI output that affects a material decision about your tax position — for example, a lodgement, written advice, or movement of money — is reviewed and signed off by a registered tax agent. No decision that significantly affects your rights or interests is made solely by AI.
Your right to opt out of AI processing
You may opt out of AI processing of your personal information by emailing [email protected]. We will record your preference against your client file and use a non-AI workflow wherever reasonably practicable. Opting out may slow down some aspects of your service, but will not change the price of our work or the standard of advice you receive.
Automated decision-making transparency
From 10 December 2026, the Privacy and Other Legislation Amendment Act 2024 will require APP entities to publish additional information in their privacy policies about automated decisions that significantly affect individuals. We are publishing the disclosure above ahead of that date so that you know now how AI is used in our services. We will update this section as the regulations are finalised.
12. Email & Electronic Communications
Email is not a secure channel. Please do not send us your tax file number, identity documents, bank account details, or other sensitive information by email. Use our Fedix Client Portal instead.
Our default channel for exchanging sensitive information is the Fedix Client Portal, which encrypts uploads in transit and at rest and limits access to your engagement team. If you must email us, please use only our firm domain addresses (such as [email protected] or [email protected]) and avoid attaching sensitive documents. We may decline to act on instructions received from an address we cannot verify.
13. Direct Marketing (APP 7 and Spam Act 2003)
We may use your contact details to send you newsletters, tax updates, planning reminders, firm news, and event invitations. We comply with the Privacy Act, the Spam Act 2003 (Cth) and (where applicable) the Do Not Call Register Act 2006 (Cth).
Every marketing email we send includes a one-click unsubscribe link, and we will honour your request within five business days at no charge. You can also email [email protected] at any time to opt out of all direct marketing or to update your contact preferences. We do not sell or share your contact details with third parties for their own marketing.
14. Cookies & Website Analytics
Our website uses two broad categories of cookies and similar technologies:
- Essential cookies — required for the site to function (for example, session management and security).
- Analytics cookies — used to understand how visitors use our site so we can improve it. We use Google Analytics and Google Tag Manager for this purpose; the data is processed in aggregated form.
Most browsers allow you to refuse or delete cookies via your browser settings. Disabling essential cookies may affect the functionality of our website and portal.
15. Data Security (APP 11)
We take reasonable technical and organisational measures (TOMs) to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure, as required by APP 11.1 (and APP 11.3 from 11 December 2024). Our safeguards include:
Technical measures
- encryption of data in transit (TLS 1.2 or higher);
- encryption of data at rest (industry-standard encryption);
- multi-factor authentication (MFA) on all staff accounts and on the client portal;
- role-based access controls and least-privilege principles;
- network segmentation, firewalls, endpoint protection, patch management, and vulnerability monitoring;
- secure backups with tested restoration procedures;
- audit logging and anomaly detection.
Organisational measures
- a documented information security risk-management framework with senior-partner accountability;
- privacy and security training for all staff on induction and annually;
- a nominated Privacy Officer responsible for privacy compliance and breach response;
- written confidentiality undertakings from staff and contractors;
- vendor due diligence and contractual safeguards for all service providers (see Section 10);
- a documented incident response plan and data breach response plan, tested periodically.
16. Data Retention
We retain personal information for as long as is necessary to provide our services and to comply with our legal obligations. As a registered tax agent, we are required to retain client records for a minimum of five years from the end of the engagement, in line with section 35 of the Tax Agent Services (Code of Professional Conduct) Determination 2024 and section 262A of the Income Tax Assessment Act 1936. Some records may need to be retained for longer where a specific law (for example, in relation to capital gains tax or superannuation) requires it.
Once the retention period ends and we no longer need the information for any lawful purpose, we securely destroy or permanently de-identify it in accordance with APP 11.2 and Rule 11(2) of the Privacy (Tax File Number) Rule 2015.
17. Access & Correction (APP 12 and APP 13)
You have the right to request access to the personal information we hold about you and to ask us to correct it if it is inaccurate, out of date, incomplete, irrelevant or misleading. To make a request, email [email protected] or write to our Privacy Officer at the postal address in Section 23.
We will respond within 30 days. There is no charge for making a request, although we may charge a reasonable fee to retrieve or copy large volumes of information (we will tell you in advance). We will need to verify your identity before releasing personal information.
If we refuse access or refuse to make a correction, we will give you written reasons (to the extent reasonable) and tell you how to complain. If we have disclosed information that we later correct, you can ask us to take reasonable steps to notify the third parties to whom we disclosed it.
18. Complaints
If you have a question or complaint about how we have handled your personal information, please contact our Privacy Officer first:
Email: [email protected]
Phone: 1300 166 777
We will acknowledge your complaint within 5 business days and aim to provide a substantive response within 30 days.
If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Email: [email protected]
- Postal: GPO Box 5288, Sydney NSW 2001
19. Notifiable Data Breaches
We comply with the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act. If we become aware of a data breach that is likely to result in serious harm to you and we cannot prevent that harm with remedial action, we will notify you and the OAIC as soon as practicable after we have reasonable grounds to believe an eligible data breach has occurred. Our notice to you will explain:
- who we are and how to contact us;
- what happened — including, to the extent we know, when and how;
- what kinds of information were involved;
- what steps you should take to protect yourself (for example, changing passwords, monitoring credit reports, contacting the ATO).
20. Children
Our services are not directed to children. We do not knowingly collect personal information from children under 15 years of age except where they are connected to a client engagement — for example, as a dependant on a parent's tax return, as a beneficiary of a family trust, or where a parent or guardian engages us on the child's behalf. Where we collect a child's information, we do so on instructions from, and with the consent of, the responsible parent or guardian.
21. Serious Invasions of Privacy
From 10 June 2025, the Privacy Act has included a statutory tort for serious invasions of privacy (Schedule 2 to the Privacy and Other Legislation Amendment Act 2024). We acknowledge this and take it into account in our privacy governance and incident response. Nothing in this Notice limits any rights you may have under that tort, the Privacy Act, the Australian Consumer Law, or other applicable law.
22. Changes to This Notice
We may update this Privacy Notice from time to time. The version date is shown at the top of this page. Material changes will be brought to your attention through our client portal, by email, or in our next engagement letter. Archived versions of this Notice are available on request from [email protected].
23. Contact Us
Our Privacy Officer is the first point of contact for any privacy question, request or complaint.
Privacy Officer — Tax7 Accountants
Name: Niko He
Email: [email protected]
Phone: 1300 166 777
Postal Address:
Privacy Officer
Tax7 Accountants
Level G & Level 1
213 Clarence Street
Sydney NSW 2000
Last reviewed: 15 June 2026. This Privacy Notice supersedes all previous versions.
