Hanno

Privacy Statement

Last updated: 28 June 2026

Hanno (we, us, our) is a product operated by Desert Rose Investments Pty Ltd (ABN 93 672 354 022). We respect your privacy and handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This statement explains how we handle personal information across our website, application and API (the Service).

1. Information we collect

  • Account information - your name, email, business name, ABN and role.
  • Financial information - ledger entries, invoices, and the bank-account and transaction data you bring in through bank feeds.
  • Sign-in data - if you use Google or GitHub to sign in, we receive your email and basic profile from them.
  • API and usage data - API keys (stored only as a one-way hash), request logs, device and browser information, IP address, and how you use the Service.
  • Communications - messages you send us.

2. How we collect it

We collect information directly from you; automatically as you use the Service (cookies and logs); from sign-in providers you choose; and from our bank-feed provider Basiq under the Consumer Data Right, with your consent.

3. Bank data and the Consumer Data Right (CDR)

Bank-account and transaction data is retrieved through Basiq, an accredited data recipient under the Consumer Data Right, and only with your explicit consent. We collect only the data reasonably needed to provide reconciliation and reporting (data minimisation). You can withdraw your consent at any time; when you do, or when consent expires, we stop collecting CDR data and delete or de-identify it, and instruct Basiq to do the same. A separate CDR Policy will apply to bank-feed connections once that feature goes live.

4. Why we use your information

  • To provide and operate the Service - bookkeeping, reconciliation and reporting.
  • To authenticate you and keep your account secure.
  • To generate AI-assisted suggestions that you review and approve.
  • To provide support and send service-related messages.
  • To improve the Service, using de-identified or aggregated data where practicable.
  • To comply with our legal obligations.

5. Who we share it with

We share personal information only with service providers that help us run the Service, each bound to protect it:

  • Basiq (bank feeds), Supabase (database and authentication), Railway (hosting), Cloudflare (DNS and edge), and Resend (email delivery).
  • Professional advisers, and law enforcement or regulators where required by law.
  • A buyer in connection with a sale of our business, subject to this statement.

We do not sell your personal information.

6. Overseas disclosure

Some of our providers may store or process data outside Australia (for example, in the United States). We take reasonable steps to ensure overseas recipients handle your information consistently with the APPs. Where practicable, your financial and CDR data is hosted in Australia (Supabase, Sydney region).

7. How we store and protect it

We use encryption in transit and at rest, access controls, hashed API keys and audit logging. No system is perfectly secure, so you are responsible for keeping your password and API keys safe and for activity under your account.

8. Accessing and correcting your information

You may request access to, or correction of, the personal information we hold about you by contacting us. We may need to verify your identity first, and will respond within a reasonable period.

9. Direct marketing

We may send you service-related messages at any time. We only send marketing with your consent, every marketing email includes an unsubscribe link, and we comply with the Spam Act 2003 (Cth).

10. Cookies

We use essential cookies to keep you signed in and to operate the Service, plus minimal analytics. You can control cookies through your browser settings.

11. Data breaches

We comply with the Notifiable Data Breaches scheme. If an eligible data breach occurs, we will notify you and the Office of the Australian Information Commissioner (OAIC) as required by law.

12. Retention and deletion

We keep personal information only for as long as needed for the purposes above or as required by law (for example, tax and record-keeping obligations). CDR data is deleted or de-identified when your consent ends. You can ask us to delete your account data at any time.

13. Complaints

If you have a privacy concern, contact us first at hello@hannohanno.com. If you are not satisfied with our response, you can complain to the OAIC at oaic.gov.au.

14. Changes to this statement

We may update this statement from time to time. The “last updated” date above shows the current version, and we will notify you of material changes.

15. Contact us

Hanno (Desert Rose Investments Pty Ltd, ABN 93 672 354 022) - hello@hannohanno.com.
