VibeCFO Privacy Policy

Version: 2.0

One Place Business Platform Pty Ltd (ACN 612 278 180) trading as VibeCFO Business Platform (VibeCFO, we, us, our) is committed to protecting the privacy of personal information we collect, hold, use and disclose. This Privacy Policy explains how we handle Personal Information in connection with the VibeCFO Platform, EVA, our websites, our mobile applications and our services (together, our Services).

This Privacy Policy is consistent with the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs). If you are a resident of a jurisdiction outside Australia, additional rights may apply to you, as set out in the regional notices at the end of this Policy. Where additional rights apply, we will honour those rights to the extent required by the applicable law.

By using our Services, you acknowledge that we may collect, hold, use and disclose your Personal Information as described in this Privacy Policy. If you do not agree, you must not provide Personal Information to us or use our Services.

1. What is Personal Information?

We follow the definition given in the Privacy Act: “Personal Information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not”.

Personal Information may include Sensitive Information (as defined in the Privacy Act). We do not generally collect Sensitive Information through the Platform, and where we do, we only collect it with your consent and only where reasonably necessary for our Services or as required by law.

2. The Personal Information We Collect

The Personal Information we collect depends on your relationship with us. It may include:

• identification details, including your name, position and employer;
• contact information, including business and email addresses, phone numbers and postal addresses;
• account credentials and authentication information;
• financial information of you or your business that flows through the Platform from Third-Party Connectors, including bank account details, income, assets, liabilities, financial statements and tax information;
• records of your interactions with us, including support tickets, calls and correspondence;
• usage data relating to your use of the Platform, including IP address, browser, device, operating system, login times and feature usage;
• content you provide through forms, surveys or social media interactions.

Where data flows through the Platform from a Third-Party Connector at the direction of a Customer or Advisor, we process that data on their behalf. The Customer or Advisor is responsible for the lawful basis on which they collected the data and for ensuring they have the authority to share it with us.

3. How We Collect Personal Information

We generally collect Personal Information:

• directly from you, when you sign up for, use or interact with the Platform or our Services;
• from your accountant, advisor, employer or other business you are associated with, where that business provides our Services to you;
• from Third-Party Connectors (such as Xero, MYOB, simPRO and similar platforms) that you or a Customer have authorised the Platform to access;
• through cookies and analytics tools, when you visit our websites or use our applications;
• from publicly available sources, such as ASIC, business registers and your business's website;
• from other authorised representatives or service providers acting on your behalf.

If we receive unsolicited Personal Information, we will assess whether we could have collected it under the Privacy Act and, if not, will destroy or de-identify it where lawful and practicable.

4. Why We Collect, Hold, Use and Disclose Personal Information

We collect, hold, use and disclose Personal Information for purposes including:

• providing, operating and supporting the Platform and EVA;
• authenticating users and managing access;
• processing payments, billing and account administration;
• responding to enquiries, support requests and complaints;
• improving the Platform, including evaluating feature usage, fixing defects and developing new features;
• training EVA's natural-language understanding, in respect of question phrasing only and only where you have opted in (we never use your financial data, numerical results or client information to train AI models);
• communicating with you about your account, the Platform and changes to our terms or policies;
• sending marketing communications, where you have provided your contact details and not opted out;
• meeting our legal, regulatory and contractual obligations, including obligations under the Privacy Act, the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and partner agreements with Third-Party Connectors;
• protecting the security of the Platform, detecting and responding to security incidents, and protecting our rights and the rights of others.

5. How We Hold and Secure Personal Information

We hold Personal Information electronically on infrastructure provided by Amazon Web Services (AWS). The primary AWS region used by the Platform is the Asia Pacific (Sydney) region. We also operate regional infrastructure in New Zealand, the United Kingdom, the United States and Canada for customers in those regions.

We protect Personal Information using technical and organisational measures appropriate to the risk, including:

• encryption in transit (TLS 1.3) and at rest (AES-256);
• dedicated per-business database isolation;
• multi-factor authentication on all platform accounts;
• role-based access controls with the principle of least privilege;
• logging, monitoring and automated security scanning;
• regular review of security practices against the ISO 27001 control set (target certification: December 2026).

We destroy or de-identify Personal Information when we no longer require it for the purpose for which it was collected, subject to any legal obligation to retain it.

6. Disclosure of Personal Information

We may disclose Personal Information to:

• the Customer or Advisor who provides our Services to you, where you are accessing the Platform as their end user;
• Third-Party Suppliers who provide infrastructure or services to operate the Platform, including AWS, Anthropic and OpenAI;
• Third-Party Connectors that you or a Customer has authorised to exchange data with the Platform;
• our personnel, including employees, contractors and offshore support and development team members (see clause 7 below);
• professional advisers (such as lawyers, accountants and auditors) bound by confidentiality obligations;
• courts, tribunals, regulators and law enforcement agencies, where required or authorised by law;
• a successor entity in connection with a sale, merger, acquisition or restructure of our business.

A list of material subprocessors is published at vibecfo.ai/subprocessors and is updated when material changes occur.

7. Offshore Access and Cross-Border Disclosure

VibeCFO is headquartered in Adelaide, South Australia. Our development and support team includes personnel located in the Philippines. These personnel may access Personal Information in the course of:

• developing, maintaining and operating the Platform;
• providing customer support, including responding to support tickets;
• investigating and resolving security and operational incidents.

All VibeCFO personnel, regardless of location, are bound by written confidentiality obligations and are required to handle Personal Information in accordance with this Privacy Policy and equivalent obligations to those imposed by the Australian Privacy Principles. Access to Personal Information is granted on a need-to-know basis using role-based access controls.

In addition to the Philippines, Personal Information may be accessed or stored in:

• the country in which the AWS region serving you is located (Australia, New Zealand, the United Kingdom, the United States or Canada, depending on your region);
• the United States, in connection with our use of AI models provided by Anthropic and OpenAI (although AI processing relating to the Platform is performed on AWS infrastructure in the AWS region serving you);
• the country in which a Third-Party Connector you have authorised is located;
• the country in which an analytics or cookie provider operates, where applicable.

By using the Platform you consent to this cross-border disclosure. We take reasonable steps to ensure that overseas recipients handle Personal Information consistently with this Privacy Policy and the Australian Privacy Principles, including through contractual obligations with our subprocessors.

8. EVA and AI

EVA is our AI-powered conversational and analytical feature. EVA's primary function is text-to-SQL: it translates natural-language questions into SQL queries against your database. EVA does not generate financial numbers; the numbers EVA returns come from your database.

EVA uses large language models provided by Anthropic and OpenAI, accessed through their enterprise APIs on AWS infrastructure. These providers do not train their models on your data. Under our partnership obligations with Xero, we are contractually prohibited from using Customer Data sourced from Xero to train AI models. As a matter of policy, we do not use any Customer financial data, numerical results or client information to train AI models, irrespective of the data source.

On your profile page, you may opt in or out of having the phrasing of your EVA questions used to improve EVA's natural-language understanding. This setting covers question phrasing only.

9. Direct Marketing

We may use your contact details to send you marketing communications about VibeCFO products and services that may be of interest to you. You can opt out of marketing communications at any time by using the unsubscribe link in any marketing email or by contacting our Privacy Officer.

10. Cookies and Analytics

Our websites and applications use cookies, web beacons and analytics tools to understand how visitors use the site, to remember your preferences, and to improve our Services. You can disable cookies in your browser, but some parts of our website may not function correctly if you do.

Our cookies policy is available at vibecfo.ai/cookies.

11. Accessing and Correcting Your Personal Information

You may request access to, or correction of, the Personal Information we hold about you by contacting our Privacy Officer. We will respond to your request within a reasonable period (typically within 30 days).

Before providing access we may need to verify your identity. We may charge a reasonable administrative fee to cover the cost of providing access, and will advise you of any fee before incurring it.

If we refuse a request, we will provide written reasons and information about how you can complain.

12. Complaints

If you have a question or complaint about how we handle your Personal Information, please contact our Privacy Officer using the contact details below.

We will acknowledge your complaint promptly and typically respond within 30 days. If your complaint requires longer to investigate, we will keep you informed.

If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

13. Data Retention

We retain Personal Information for as long as it is needed for the purpose for which it was collected, and for as long as required by law. When a Customer's subscription ends, we delete the Customer's data from production systems within 90 days of the end of the data export period (typically 30 days after termination), and from backups in line with our backup retention cycles.

Audit logs and security records may be retained for longer periods where required for legal, security or compliance reasons.

14. Children

The Platform is not intended for use by individuals under the age of 16. We do not knowingly collect Personal Information from children.

15. Changes to this Policy

We may amend this Privacy Policy from time to time. We will notify you of material changes by email or in-Platform notification with at least 30 days' notice. The current version is always available at vibecfo.ai/privacy. The effective date of this version is shown at the top of the Policy.

16. Contact

Our Privacy Officer can be contacted at:

Email: privacy@vibecfo.ai
Post: Privacy Officer, One Place Business Platform Pty Ltd, PO Box 6233, Linden Park, South Australia 5065

17. Regional Notices

17.1 European Union (GDPR) and United Kingdom (UK GDPR)

If you are in the European Union or the United Kingdom, the General Data Protection Regulation (GDPR) or UK GDPR may apply to our processing of your Personal Data. Where it does:

• our lawful bases for processing are contract performance, our legitimate interests in operating the Platform, your consent (for optional processing such as marketing or opt-in AI training improvement), and compliance with legal obligations;
• you have the right to access, rectify, erase, restrict, port and object to the processing of your Personal Data, subject to applicable exemptions;
• you have the right to withdraw consent at any time without affecting the lawfulness of prior processing;
• we will notify the relevant supervisory authority of a notifiable Personal Data breach within 72 hours of becoming aware of the breach;
• you have the right to lodge a complaint with your local supervisory authority.

Cross-border transfers of EU/UK Personal Data to countries without an adequacy decision are made under the appropriate transfer mechanism (such as Standard Contractual Clauses).

17.2 California (CCPA / CPRA)

If you are a California resident, you have the right to: (a) request access to the categories and specific pieces of Personal Information we hold about you; (b) request deletion of your Personal Information, subject to legal exceptions; (c) opt out of the sale or sharing of Personal Information; and (d) not be discriminated against for exercising your rights.

We do not sell Personal Information.

17.3 Canada (PIPEDA)

If you are a Canadian resident, you have the right to access your Personal Information, challenge its accuracy, and raise compliance concerns with our Privacy Officer.

17.4 New Zealand (Privacy Act 2020)

If you are a New Zealand resident, you have the right to be informed about how we collect and use your Personal Information, to access your Personal Information, and to request correction of inaccurate Personal Information.