Privacy Policy

Last Updated: October 27, 2025

At Avanzu, we are committed to protecting your privacy and handling your data with transparency and care. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our R&D tax incentive management platform.

1. Information We Collect

1.1 Information You Provide Directly

When you create an account or use our services, we collect:

• Account Information: Name, email address, company name, and password
• Profile Information: Job title, contact details, and billing information
• Communications: Information you provide when contacting support or communicating with us

1.2 Authentication Information

When you sign in using Google OAuth, we collect:

• Google account email address
• Full name
• Avatar photo/profile picture

1.3 Xero Integration Data

When you connect your Xero account to Avanzu, we request read-only access to the following Xero data:

• Accounts: Chart of accounts and account details
• Transactions: Bank transactions, invoices, bills, and payments
• Employees: Employee records and details
• Payslips: Payroll information and salary details
• Organisation Details: Company name, financial year settings, and organizational metadata

Important: We only request read-only access to Xero. Avanzu does not write to, modify, or update any data in your Xero account.

1.4 Usage and Technical Information

We automatically collect:

• Device information (browser type, operating system, IP address)
• Usage data (features used, pages viewed, time spent on platform)
• Log data (access times, errors, performance metrics)
• Cookies and similar tracking technologies

2. How We Use Your Information

We use the collected information to:

• Provide Our Services: Deliver R&D tax incentive tracking, transaction allocation, and rebate calculations
• Process Xero Data: Sync and display your financial data for R&D compliance management
• Account Management: Create and maintain your account, authenticate users, and manage subscriptions
• Customer Support: Respond to inquiries, troubleshoot issues, and provide technical assistance
• Service Improvement: Analyze usage patterns to enhance features and user experience
• Communications: Send service updates, security alerts, and important notices
• Compliance: Meet legal and regulatory requirements, including tax and accounting obligations
• Security: Detect and prevent fraud, unauthorized access, and security threats

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), we process your personal data based on:

• Contractual Necessity: To provide our services under our Terms of Service
• Legitimate Interests: To improve our services, ensure security, and operate our business
• Consent: Where you have given explicit consent (e.g., marketing communications)
• Legal Obligations: To comply with applicable laws and regulations

4. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share your data only in the following circumstances:

4.1 Third-Party Service Providers

We engage trusted service providers who assist in operating our platform, including:

• Cloud hosting providers (for secure data storage)
• Payment processors (for billing and subscriptions)
• Email service providers (for communications)
• Analytics providers (for usage insights)

These providers are bound by strict confidentiality agreements and may only use your data to perform services on our behalf.

4.2 Xero Limited

Your Xero data is accessed through Xero’s API with your explicit authorization. We comply with Xero’s Developer Platform Terms and data handling requirements.

4.3 Legal Requirements

We may disclose information when required by law, court order, or government request, or to:

• Protect our rights, property, or safety
• Prevent fraud or security threats
• Enforce our Terms of Service

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to this Privacy Policy.

5. Data Security

We implement industry-standard security measures to protect your data, including:

• Encryption in transit (TLS/SSL) and at rest
• Secure authentication and access controls
• Regular security audits and vulnerability assessments
• Employee training on data protection practices
• Secure cloud infrastructure with redundancy and backups

However, no method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

6. Data Retention

We retain your personal information for as long as necessary to:

• Provide our services and maintain your account
• Comply with legal, tax, and accounting obligations (typically 7 years for financial records)
• Resolve disputes and enforce our agreements

When you delete your account, we will delete or anonymize your personal data within 90 days, except where retention is required by law.

7. Your Rights and Choices

You have the following rights regarding your personal information:

7.1 Access and Correction

• View and update your account information at any time through your account settings
• Request a copy of your personal data

7.2 Data Portability

• Export your data in a machine-readable format (e.g., Excel, CSV)

7.3 Deletion

• Request deletion of your account and personal data (subject to legal retention requirements)

7.4 Withdraw Consent

• Disconnect your Xero integration at any time
• Opt-out of marketing communications via unsubscribe links

7.5 Objection and Restriction

• Object to processing based on legitimate interests
• Request restriction of processing in certain circumstances

7.6 Complaints

• Lodge a complaint with your local data protection authority if you believe we have violated your privacy rights

To exercise these rights, contact us at privacy@avanzu.com.

8. Cookies and Tracking Technologies

We use cookies and similar technologies to:

• Maintain your logged-in session
• Remember your preferences
• Analyze usage and improve our services
• Provide security and prevent fraud

You can control cookies through your browser settings, but disabling certain cookies may affect platform functionality.

Types of Cookies We Use:

• Essential Cookies: Required for authentication and core functionality
• Analytics Cookies: Help us understand how users interact with our platform
• Preference Cookies: Remember your settings and choices

9. Third-Party Links

Our platform may contain links to third-party websites (e.g., Xero, Google). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.

10. Children’s Privacy

Avanzu is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we discover we have collected data from a child, we will delete it promptly.

11. International Data Transfers

Your data may be processed and stored in countries outside your residence, including Australia and the United States. We ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions recognizing equivalent data protection standards

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will:

• Post the updated policy on this page with a new “Last Updated” date
• Notify you of material changes via email or platform notification
• Obtain your consent where required by law

Your continued use of Avanzu after changes constitute acceptance of the updated policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: privacy@avanzu.com Address: [Your business address] Data Protection Officer: [If applicable]

For Xero-related data inquiries, you may also contact Xero at https://www.xero.com/au/about/legal/privacy/.