Privacy Policy
Last updated: 18 May 2026
1. Overview
Klyvon is an AUSTRAC compliance platform for Australian businesses. We collect information to provide our services, deliver your documents, and keep your account running. We do not sell your data. We do not share it with advertisers.
This policy applies to klyvon.com.au and all Klyvon services. It is governed by the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
2. How We Share Your Data
We share your information only where necessary to provide our services, with the following categories of providers:
- Payment processors — to manage billing and subscriptions. Klyvon does not directly store raw payment card numbers. All card data is handled by our payment processor (Stripe) via their hosted checkout.
- Email delivery providers — to send transactional emails, trial reminders, and compliance checklist delivery.
- AI service providers — to generate your compliance documents and SMR drafts from the information you provide.
- Cloud hosting and database providers — to store your account data, client records, and generated documents. All structured data is stored on Australian-hosted infrastructure.
- Web hosting providers — standard server logs are retained for security and performance purposes.
We use reputable third-party providers with industry-standard security controls. We do not sell, rent, or trade your personal information to any third party for marketing purposes.
3. Two Categories of Data We Hold
Klyvon holds two legally distinct categories of data, and we treat them differently.
Your firm’s data (Klyvon is the data controller)
This includes your account information, subscription details, and intake form responses. Klyvon determines how this data is collected and used, as described in this policy.
Your clients’ data (Klyvon is a data processor)
Client CDD records you enter into the platform — names, dates of birth, addresses, ID document details, risk ratings, PEP status — are records about your clients, not about you. For this data, your firm is the data controller. Klyvon processes it on your behalf, as instructed by your use of the platform. Your firm retains responsibility for the lawful collection of your clients’ personal information and for compliance with your own privacy obligations as an AUSTRAC reporting entity.
4. What We Collect and Why
4.1 Free checklist (no account required)
- Work email address, company name, industry — to generate and deliver your personalised compliance checklist
- Used for follow-up emails on Days 3 and 7 after checklist delivery
- One-click unsubscribe in every email — honoured immediately
- Retained for 12 months after last activity if no account is created, then deleted
4.2 Account and subscription data
- Email address, firm name, compliance officer name (optional at signup), industry
- Stripe customer ID and subscription ID — for billing management
- Subscription status, trial end date — to manage your access
- Dashboard access token (UUID) — our custom authentication credential
- Retained while your account is active. Deleted within 30 days of a verified account deletion request.
4.3 Intake form data (dashboard)
- Compliance officer name, effective date, cash acceptance policy, client types, services provided, trust account existence, annual transaction volume, operating state
- Used solely to generate your AML/CTF compliance documents
- Sent to our AI service provider for document generation (see Section 5)
- Retained while your account is active
4.4 Client CDD records (entered by your firm)
- Individual clients: full name, date of birth, residential address, ID document details
- Entity clients: entity name, ABN, ACN, registered address, directors, beneficial owners
- Risk rating, CDD tier, PEP status, TFS designated person status
- Verification status, next review date, source of funds, source of wealth (enhanced CDD)
- Audit log: every action on each record — timestamp, staff email, action type
- Retention: minimum 7 years from the date of the record or transaction, as required by s.111 of the AML/CTF Act 2006. You are notified of this retention requirement in the platform.
- Records are soft-deleted only — flagged as archived, never permanently deleted within the 7-year window
4.5 Children
Klyvon’s services are not directed at individuals under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information as soon as practicable.
5. AI Processing
How we use AI to generate your documents
When you use Klyvon’s document generation or SMR drafting features, information you provide is sent to our AI service provider to generate your compliance documents.
What is sent
- ✓ Your firm name and industry
- ✓ Your compliance officer name
- ✓ Your intake form responses
- ✓ For SMR drafts: the transaction details you enter
What is not sent
- ✗ Your clients' personal identification details (name, DOB, address, ID documents)
- ✗ Payment information
- ✗ Your authentication credentials
Your data is used solely to generate your documents in that session. Our AI service provider does not use your data to train their models under their standard API terms. If this changes, we will update this policy and notify you by email.
For questions about AI processing, contact privacy@klyvon.com.au.
6. Overseas Disclosure
Some third-party providers we use may store or process data outside Australia, including in the United States. Where this occurs, we take reasonable steps to ensure overseas recipients handle personal information consistently with the Australian Privacy Principles, including by using providers with established privacy and security programs and by relying on contractual protections.
All structured data and client CDD records are stored on Australian-hosted infrastructure.
7. Security
All data is transmitted over TLS (HTTPS). Database access requires authenticated credentials — no public access. Client data is stored on Australian-hosted infrastructure with encryption at rest and in transit.
Dashboard authentication uses a cryptographically random token stored in a secure httpOnly cookie.
Please note: no method of electronic storage or transmission is completely secure. While we implement industry-standard security measures, we cannot guarantee absolute security.
If you identify a security vulnerability, contact us immediately at support@klyvon.com.au.
8. Your Rights Under the Australian Privacy Act
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the right to:
- Access the personal information Klyvon holds about you
- Request correction of inaccurate or incomplete information
- Request deletion of your account and associated data (subject to our retention obligations under the AML/CTF Act for client CDD records)
- Withdraw consent to marketing emails at any time via the unsubscribe link in any email
Individuals making privacy complaints or enquiries have the right to anonymity where it is practicable to do so. However, we may require certain information to confirm your identity before we can action a request relating to your personal information.
To exercise any of these rights, contact us at privacy@klyvon.com.au. We will respond within 30 days.
If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au/privacy/privacy-complaints
- Phone: 1300 363 992
9. Notifiable Data Breaches
Klyvon is subject to the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth). If we become aware of an eligible data breach that is likely to result in serious harm to any individual, we will:
- Notify affected individuals as soon as practicable
- Notify the Office of the Australian Information Commissioner (OAIC)
- Take immediate steps to contain the breach and prevent further harm
We aim to complete notification within 30 days of becoming aware of an eligible data breach.
11. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by email to your registered address at least 14 days before they take effect. The date at the top of this page reflects the most recent update.
Continued use of the platform after changes take effect constitutes acceptance of the revised policy.
12. Contact
For privacy questions, access requests, or complaints:
Email: privacy@klyvon.com.au
For general support:
Email: support@klyvon.com.au
For legal matters:
Email: legal@klyvon.com.au
Mail: Klyvon, Melbourne VIC, Australia
We aim to respond to all privacy requests within 30 days. Individuals making complaints or enquiries will be afforded the right to anonymity where practicable; however, we may require certain information to confirm your identity before actioning a request.
If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au/privacy/privacy-complaints
- Phone: 1300 363 992