1. Overview
Fundly Pty Ltd ("Fundly", "we", "us") provides an automated income-routing platform for Australian sole traders and fitness professionals. This Privacy Policy explains how we collect, use, disclose, store, and delete personal information in accordance with the APPs.
By creating an account or using our services, you acknowledge that you have read this policy. If you do not agree, you must discontinue use of the platform.
2. Personal Information We Collect
We may collect the following categories of personal information:
- Identity & account data: name, email address, authentication identifiers, and profile settings.
- Routing & financial configuration: bucket labels, allocation percentages, destination BSB/account details you configure, and transaction routing metadata generated by our engine.
- Open banking & payment data: account connection tokens, consent records, deposit notifications, and payment session data processed through our regulated partners (see Section 5).
- Communications: general support enquiries via support@getfundly.com.au, onboarding emails, and operational notifications you receive from us.
- Technical data: device type, IP address, session logs, and security audit events necessary to protect the service.
Where practicable, we collect personal information directly from you. Some information is collected automatically when you interact with the platform or when our third-party processors perform functions on our behalf.
3. How We Use Personal Information
We use personal information only for lawful purposes connected with our service, including to:
- authenticate you and maintain your account;
- execute automated fund-routing instructions you configure;
- process payments, deposits, and partner webhooks;
- send transactional and service-related communications;
- detect fraud, abuse, and security incidents;
- comply with Australian law, regulatory requests, and dispute-resolution obligations;
- improve platform reliability using aggregated, de-identified analytics where possible.
We do not sell your personal information to third parties.
4. Data Security & Cryptographic Storage
Fundly implements administrative, technical, and organisational safeguards appropriate to the sensitivity of the information we hold. This includes:
- encryption in transit using industry-standard TLS for all client and API traffic;
- cryptographic volume-level storage at rest using AES-256 for databases and object storage volumes that contain personal information;
- role-based access controls, audit logging, and least-privilege engineering practices;
- secure secret management and environment isolation between production and non-production systems.
While we apply bank-grade partner infrastructure and robust internal controls, no method of electronic transmission or storage is completely secure. You use the service at your own risk to the extent permitted by law.
5. Third-Party Data Processors
To deliver the Fundly platform, we engage the following third-party data processors. Each processor receives only the personal information reasonably necessary to perform its function and is contractually required to protect that information:
- Supabase
- Hosts our application database, authentication layer, and encrypted storage volumes. Stores account profiles, routing rules, bucket configurations, transaction logs, and user settings.
- Stripe
- Processes card payments, checkout sessions, and payment webhooks for class bookings and subscription flows. Receives payment identifiers, customer metadata, and transaction amounts required for settlement.
- Fiskil
- Provides regulated open-banking connectivity and consent management. Receives banking consent tokens, account linkage data, and deposit notification payloads necessary to trigger our routing engine.
- Resend
- Delivers transactional and operational email on our behalf. Receives your email address, message content, and delivery metadata for onboarding, alerts, and support correspondence.
We do not authorise these processors to use your personal information for their own marketing purposes. Where processors store data outside Australia, we take reasonable steps to ensure APP-compliant handling, including contractual safeguards.
6. Disclosure of Information
We may disclose personal information to:
- the processors listed in Section 5, strictly for service delivery;
- professional advisers (legal, accounting) bound by confidentiality;
- regulators, courts, or law enforcement where required or authorised by law;
- successors in the event of a merger, acquisition, or asset sale, subject to equivalent privacy protections.
7. Retention & 30-Day Permanent Deletion Purge
We retain personal information only for as long as necessary to provide the service, meet legal obligations, and resolve disputes.
When you request account deletion—or when your account is terminated—we initiate a 30-day permanent deletion purge lifecycle:
- Day 0: your account is deactivated and scheduled for erasure; active sessions are revoked.
- Days 1–29: data remains in encrypted storage solely to honour chargeback windows, fraud investigations, or legal holds where applicable.
- Day 30: we permanently delete or irreversibly anonymise personal information in production databases, encrypted volumes, and application logs within our control, except where Australian law requires longer retention (e.g. certain tax or AML records held by partners).
Backup snapshots containing your data are rotated out of active retention on a comparable schedule. Information held independently by Stripe, Fiskil, or other regulated partners is deleted according to their respective retention policies.
8. Your Rights Under the APPs
Subject to applicable exceptions, you may:
- request access to the personal information we hold about you;
- request correction of inaccurate, out-of-date, or incomplete information;
- request deletion in accordance with our purge lifecycle (Section 7);
- make a privacy complaint, which we will acknowledge and investigate promptly.
To exercise these rights, contact our Data Officer at privacy@getfundly.com.au. If you are unsatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
9. Changes to This Policy
We may update this Privacy Policy to reflect legal, technical, or operational changes. Material updates will be published on this page with a revised "Last updated" date. Continued use of Fundly after changes take effect constitutes acceptance of the updated policy.