Tax Time

Upload your bank transaction file in xlsx format, containing the date, amount (in Australian accounting format), transaction description, and payer and payee data. The tool identifies each merchant's full business name and categorises the transactions in preparation for your tax return.

Example file format:

#  Date         Description                             Payee              Amount
1  02 Jan 2025  SUPERMARKET STORE 1042 SUBURB           Supermarket Co     -89.45
2  05 Jan 2025  ONLINE SUBSCRIPTION SVC 1300000000      Streaming Service  -22.99
3  10 Jan 2025  SALARY CREDIT REF 998812 EMPLOYER PTY   Employer Pty Ltd   4500.00
4  14 Jan 2025  INSURANCE DD REF 554421 INSURER LTD     Insurer Ltd        -215.30
Privacy & Data Handling Notice — please read before uploading
Frameworks referenced: Australia (Privacy Act 1988, APRA CPS 234); EU (GDPR); Singapore (PDPA); South Korea (PIPA); China (PIPL); Hong Kong (PDPO).

1. Identity of the data controller

This tool is operated by you, the individual user, for your own personal tax return preparation. It is not operated by a corporation or financial institution. You are both the data subject and the controller of your own information.

2. What personal information is collected and why

When you upload a file, the app reads transaction descriptions and payee names for the sole purpose of identifying merchant business names and categorising transactions for tax preparation (APP 3, GDPR Art. 5(b), PDPA s18, PIPA Art. 3, PIPL Art. 6, PDPO DPP1).

Amounts, account numbers, balances, dates and all other fields remain on this server only and are never transmitted externally. Only the minimum information needed to identify a merchant name is used.

3. How data is processed — data minimisation

Before any external call is made, descriptions are automatically preprocessed (APP 11, GDPR Art. 5(c), APRA CPS 234 §36):

  • Card numbers (13–16 digits), reference numbers, transaction IDs, dates and state/country codes are stripped.
  • Only the cleaned merchant name tokens (e.g. "SUPERMARKET METRO") and transaction type (e.g. "EFTPOS", "Direct Debit") are transmitted to the AI service.
  • Financial transaction descriptions may be considered sensitive personal information under some jurisdictions (PIPL Art. 28, PIPA Art. 23). They are handled with heightened care and minimised before transmission.

4. Cross-border data transfer

Cleaned merchant name tokens are sent to OpenAI (an AI language model service), whose servers are located in the United States. This constitutes a cross-border transfer of personal data under the laws listed above (GDPR Art. 44–49, APP 8, PDPA s26, PIPA Art. 28, PIPL Art. 38–39, PDPO DPP3). OpenAI maintains data processing agreements and complies with applicable international data transfer mechanisms. You must separately consent to this transfer below before any data is uploaded.

5. Storage and retention

Your file is read entirely in memory. Nothing is written to disk. All processed data is deleted from server memory immediately after your results are returned to your browser (APP 11.2, GDPR Art. 5(e), PDPA s25, PIPA Art. 21, PIPL Art. 19, PDPO DPP2). No data is retained between sessions. A short-lived in-memory cache of merchant name lookups (not your file data) may persist for the duration of the server process to avoid redundant AI calls.

6. Security measures

The following technical controls are in place (APRA CPS 234 §§36–38, GDPR Art. 32, PDPA s24, PIPA Art. 29, PIPL Art. 51, PDPO DPP4):

  • All communication is encrypted in transit via HTTPS (TLS).
  • HTTP security headers are set on every response: Content-Security-Policy, X-Frame-Options (DENY), X-Content-Type-Options, Referrer-Policy, Strict-Transport-Security, Permissions-Policy.
  • File size is capped at 16 MB; file type and MIME type are validated before processing.
  • No personal data is written to application logs.
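An added example (not the tool's own implementation) of the upload checks in the list above: the 16 MB cap, the .xlsx extension, the declared MIME type, the zip magic bytes and the members a real .xlsx package carries; the accepted MIME set, the required-member set and the decompression-size guard are assumptions.

```python
import io
import zipfile

MAX_UPLOAD_BYTES = 16 * 1024 * 1024             # the 16 MB cap from section 6
XLSX_MIME = {
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    "application/octet-stream",                 # some browsers send this for .xlsx
}
ZIP_MAGIC = b"PK\x03\x04"
# Members every real .xlsx package carries (assumed minimal set for the check).
REQUIRED_MEMBERS = {"[Content_Types].xml", "xl/workbook.xml"}

def validate_upload(filename: str, declared_mime: str, data: bytes) -> list[str]:
    """Return rejection reasons; an empty list means the upload is accepted.
    Size, extension, declared MIME, magic bytes and zip members are all
    checked, so a renamed file or an oversize upload is refused before parsing."""
    problems = []
    if len(data) > MAX_UPLOAD_BYTES:
        problems.append("file exceeds 16 MB limit")
    if not filename.lower().endswith(".xlsx"):
        problems.append("extension must be .xlsx")
    if declared_mime not in XLSX_MIME:
        problems.append(f"unexpected MIME type {declared_mime!r}")
    if not data.startswith(ZIP_MAGIC):
        problems.append("not an OOXML (zip) container")
        return problems                         # nothing more to inspect
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            missing = REQUIRED_MEMBERS - set(zf.namelist())
            if missing:
                problems.append(f"missing xlsx members: {sorted(missing)}")
            # Decompression-bomb guard: cap the declared uncompressed size too.
            if sum(i.file_size for i in zf.infolist()) > 4 * MAX_UPLOAD_BYTES:
                problems.append("uncompressed content is suspiciously large")
    except zipfile.BadZipFile:
        problems.append("corrupt zip container")
    return problems

def make_minimal_xlsx() -> bytes:
    """Constructed stand-in for a workbook: a zip holding the required members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()
```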

7. Your rights as a data subject

Depending on your jurisdiction, you may have rights including access, correction, deletion, portability, restriction of processing, objection to processing, and the right to withdraw consent at any time without affecting the lawfulness of prior processing (GDPR Arts. 15–22, APP 12–13, PDPA ss21–24, PIPA Arts. 35–39, PIPL Arts. 44–50, PDPO DPP6). Because no data is retained after your session ends, these rights are automatically satisfied by the retention policy above. You may withdraw consent at any time by unchecking the boxes below — this will prevent any further uploads.

8. Complaints and supervisory authorities

If you have concerns about how your data is handled: Australia — Office of the Australian Information Commissioner (oaic.gov.au); EU/EEA — your national Data Protection Authority; Singapore — Personal Data Protection Commission (pdpc.gov.sg); South Korea — Personal Information Protection Commission (pipc.go.kr); China — Cyberspace Administration of China (cac.gov.cn); Hong Kong — Office of the Privacy Commissioner for Personal Data (pcpd.org.hk).

9. APRA CPS 234 note

APRA CPS 234 applies to APRA-regulated entities (authorised deposit-taking institutions, insurers, superannuation trustees). This tool is for personal use and is not operated by an APRA-regulated entity. However, the information security controls implemented here are aligned with CPS 234 principles as best practice.

Results

Output columns: # | Date | Raw Description | Extracted Entity | Direction | Amount | Identified Payee | Category | ATO Expense Category | Confidence | Notes