SyncPay Pty Ltd is committed to protecting your privacy in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy explains how we collect, use, and protect your personal information.
We collect the following types of information:
consumer_identifiers table and are not used for marketing. The same identifiers may also be provided directly by the consumer when creating a SyncPay account.
SyncPay does not store card numbers, CVVs, or full payment credentials at any point.
Identifier-based transaction auto-linking: When a consumer account is active and consumer tracking is enabled by the merchant, SyncPay automatically links bank transactions to itemised receipts by matching the email address and/or phone number on the payment record against the identifiers stored in the consumer’s SyncPay account (consumer_identifiers table). This matching is performed server-side within SyncPay’s infrastructure. No external profiling service is used. Consumers can view which identifiers are registered under their account and remove them via the consumer portal.
We do not sell your personal information to third parties. We do not use your data for advertising purposes.
If you choose to connect your bank account via Basiq Pty Ltd (an accredited Consumer Data Right Accredited Data Recipient), SyncPay reads your transaction history to identify transactions that correspond to SyncPay-connected merchants and to match them against receipt records. Connecting Basiq is entirely optional.
What SyncPay stores from your Basiq connection:
basiq_connections)
basiq_transactions), along with a reference to the matched receipt or invoice where a match is found
consumer_accounts)
SyncPay does not store full bank account numbers, BSBs, login credentials, or authentication tokens. Raw transaction data returned by Basiq is stored in the raw_data column of basiq_transactions for audit and re-matching purposes and is protected by row-level security so only the account holder can read it.
You can revoke Basiq access at any time through the consumer portal or by emailing hello@syncpay.au. On revocation, SyncPay will cease syncing new transactions. You may also request deletion of all stored Basiq transaction data under section 6.
All data is stored in Supabase infrastructure hosted in Australia and/or the United States. We use industry-standard encryption (TLS 1.3) for data in transit and AES-256 for data at rest. SPTC codes use HMAC-SHA256 cryptographic signing.
When you connect Square, Stripe, Shopify, Xero, PocketSmith, or Up Bank, limited data is shared with those platforms as required for the integration to function. Each of those platforms has its own privacy policy which governs their handling of your data.
For Basiq bank data access, see section 3A. Basiq Pty Ltd is an accredited Consumer Data Right (CDR) Accredited Data Recipient under the Competition and Consumer Act 2010. Consumers grant explicit consent through Basiq’s CDR consent flow; SyncPay does not initiate any bank data access without that consent.
Where SyncPay processes personal data of individuals located in the EU or EEA, the General Data Protection Regulation (EU) 2016/679 applies. SyncPay Pty Ltd acts as the data controller for the data described in this policy.
Lawful bases for processing (Article 6 GDPR):
Additional GDPR rights (Articles 17–21): In addition to the rights in section 6, EU/EEA data subjects have the right to data portability (Art. 20) and the right to object to processing based on legitimate interests (Art. 21). To object to identifier-based auto-linking, email hello@syncpay.au or remove your identifiers via the consumer portal. SyncPay will cease that processing unless it can demonstrate compelling legitimate grounds.
International transfers: SyncPay stores data on Supabase infrastructure which may be hosted in the United States. Transfers are covered by Supabase’s Standard Contractual Clauses with sub-processors. A list of sub-processors is available on request.
SyncPay lets you optionally link your personal loyalty accounts — currently Flybuys (operated by Loyalty Pacific Pty Ltd) and Everyday Rewards (operated by Woolworths Group Limited) — so that receipts from those merchants can fill in details for bank transactions that are not made through a SyncPay-connected merchant. This feature is strictly opt-in. No loyalty data flows to SyncPay unless you explicitly connect a provider from the Settings page in the consumer portal.
What we collect when you connect a loyalty account:
consumer_loyalty_connections table so SyncPay can read your receipts on your behalf
Why we collect it (APP 5, APP 6): The sole purpose is to fill in receipt details for your non-SyncPay bank transactions — for example, when your bank feed shows a Coles or Woolworths debit, SyncPay queries the linked loyalty provider to find the matching itemised receipt and surfaces it in your Saved Receipts. Loyalty receipt data is not shared with merchants, not used for advertising or direct marketing, and not sold to third parties. Receipts pulled this way are flagged internally as loyalty_synth=true and are visible only to you in the consumer portal.
How matching works: When Basiq surfaces an unmatched debit at a recognised loyalty merchant (such as Coles, Woolworths, BWS, or Big W), SyncPay automatically queries the linked loyalty provider for a receipt matching your email, the transaction amount, and the transaction date. After your initial connection, no further action is required from you. Matching only works if the email on your SyncPay account is the same email registered with the loyalty provider.
How we store the token (APP 11): We store a secure token that lets us read your receipts. Tokens are held in our database, scoped to your user account through row-level security so that only you and SyncPay’s service role can access them, and protected in transit by TLS 1.3 and at rest by Supabase’s underlying AES-256 disk encryption. We are working towards moving these tokens into a dedicated application-level encrypted column (pgsodium) and will update this policy when that change ships. Refresh tokens issued by Everyday Rewards may remain valid for up to approximately 14 months unless you disconnect or the provider revokes them.
Disconnecting (APP 12, APP 13): You can disconnect a loyalty provider at any time from the Settings page in the consumer portal. Disconnecting marks the connection as revoked, clears the stored tokens, and stops all future ingestion from that provider. Receipts already pulled into your Saved Receipts remain visible to you and can be erased through the “Delete my data” flow described in section 6.
Cross-border transfers (APP 8): Flybuys and Everyday Rewards are Australian-operated loyalty programs. Linking them does not introduce any cross-border transfer of personal information beyond the Supabase hosting arrangement already described in sections 4 and 5A.
A note on Everyday Rewards: Woolworths Group does not currently offer a public partner API for Everyday Rewards. Our integration uses the same form of token your Everyday Rewards mobile app uses to authenticate. If Woolworths Group changes how their app authenticates, the integration may stop working and we may need to ask you to reconnect. We will notify you in-app if that happens.
Under Australian privacy law (APP 12, 13) and, where applicable, GDPR Article 17, you have the right to access personal information we hold about you, request corrections, and request deletion. To exercise these rights, email us at hello@syncpay.au.
Consumers may also request immediate erasure through the in-app “Delete my data” button in the consumer portal, which calls our /consumers/erase API endpoint. Erasure requests are fulfilled within 30 days. Once erased, all personal identifiers on linked receipts are set to null; the receipt itself remains accessible by SPTC code but is no longer linked to you.
Inactive consumer records (no activity for 24 months) are automatically anonymised through our scheduled anonymize_inactive_consumers process, in accordance with APP 11.2 and GDPR Art. 5(1)(e).
We use essential cookies for authentication and session management only. We do not use third-party tracking or advertising cookies.
We may update this policy from time to time. Changes will be posted on this page with an updated effective date. Continued use of the service after changes constitutes acceptance.
Privacy enquiries: Contact us or email hello@syncpay.au.