Privacy Policy
Last updated: 21 April 2026
Cassandra Research Pty Ltd (“Cassandra”, “we”, “us”) operates the Cassandra tax practice-management platform. We are bound by the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Taxation Administration Act 1953, and the ATO Privacy (Tax File Number) Rule 2015.
1. What we collect
- Account information: name, email, phone number, organisation name.
- Tax information entered by registered agents on behalf of their clients — including Tax File Numbers (TFNs), Australian Business Numbers (ABNs), return data, and bank account details.
- Authentication data: password hashes (bcrypt, cost 12), multi-factor authentication secrets, session tokens.
- Operational telemetry: audit logs of data access, IP addresses, user-agent strings.
2. How we use your information
- To prepare and lodge tax returns with the ATO via SBR.
- To authenticate you, prevent fraud, and secure your account.
- To comply with our legal obligations under the Taxation Administration Act and the Privacy Act.
- To maintain audit trails for the retention period required by the ATO (ten years).
3. Tax File Number handling
TFNs are treated as restricted information under Part X of the Privacy Act 1988. We encrypt every TFN at rest using AES-256-GCM, transmit it only over TLS 1.3 to the ATO, and never disclose it except as required by law.
4. Storage and security
- All data is stored in Australian-region infrastructure.
- Sensitive fields (TFNs, bank accounts, M2M certificate passphrases) are encrypted at rest with AES-256-GCM.
- Access is governed by role-based permissions and multi-factor authentication.
- Sessions expire after 15 minutes of inactivity, in accordance with the ATO DSP Operational Security Framework.
- Audit logs are retained for ten years to cover the ATO retention requirement.
5. Disclosure
We disclose information to the ATO when you lodge a return, to our cloud-hosting provider as part of normal operations, and as compelled by Australian law. We do not sell or rent personal information.
6. Notifiable Data Breach scheme
If an eligible data breach occurs, we will notify affected individuals and the Office of the Australian Information Commissioner within 30 days, in accordance with Part IIIC of the Privacy Act. Our internal response procedure is documented in BREACH_RESPONSE.md.
7. Access, correction, complaints
You may request access to, or correction of, the personal information we hold about you by emailing privacy@cassandra.tax. If you are dissatisfied with our response, you may complain to the Office of the Australian Information Commissioner at oaic.gov.au.
8. Changes
We will post updates to this policy on this page and, for material changes, notify account holders by email.