Privacy Policy

Last updated: 14 March 2026

1. About This Policy

OneBookPlus Pty Ltd (ABN 17 971 013 775) ("we", "us", "our") operates the OneBookPlus platform at onebookplus.com.au. This policy explains how we collect, use, disclose, and protect your personal information in compliance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

2. Information We Collect

Account Information

  • Name, email address, and password when you create an account
  • Business name, ABN, address, and phone number
  • Payment and billing information (processed securely via Stripe)
  • Multi-factor authentication (MFA) enrolment data, including TOTP authenticator secrets

Business Data

  • Contacts and client records you create
  • Invoices, quotes, bookings, orders, and expenses
  • Financial and accounting data, including P&L, revenue, GST, and BAS summaries
  • Menu items, table layouts, kitchen display orders, and daily sales records (restaurant features)
  • Point of Sale (POS) transaction data, including items sold, payment methods, and terminal sessions
  • Service listings and booking page configurations
  • Marketing campaign data, email templates, and contact lists
  • Google Reviews data and review request history
  • Inventory and stock tracking records

ATO and Tax Data

If you use the ATO Tax Lodgement feature, we may collect and process additional sensitive data:

  • Tax File Numbers (TFNs) and ABN details for tax lodgement purposes
  • BAS (Business Activity Statement) lodgement data, including GST amounts, PAYG, and instalment figures
  • Tax return data prepared for submission to the Australian Taxation Office
  • ATO Digital Service Provider (DSP) authentication tokens and session data

Tax data is handled under enhanced security controls in accordance with ATO DSP operational framework requirements. This data is encrypted at rest and in transit and subject to stricter access controls and audit logging.

Automatically Collected

  • IP address, browser type, device information
  • Pages visited and features used (via Google Analytics and Vercel Analytics)
  • Cookies for authentication and preferences
  • Session activity logs, including login times, idle timeouts, and security events

3. How We Use Your Information

  • To provide and maintain the OneBookPlus platform and all installed apps
  • To process subscription payments, app purchases, and manage billing via Stripe
  • To process client payments on your behalf via Stripe Connect
  • To send transactional emails (invoices, quotes, payment reminders, booking confirmations)
  • To provide customer support
  • To improve our services and develop new features
  • To comply with legal obligations (e.g. tax reporting, ATO requirements)
  • To submit tax lodgements to the ATO on your behalf (when using the ATO Tax Lodgement app)
  • To sync data with third-party integrations you enable (Xero, Mailchimp, Google Calendar)
  • To enforce security policies, including MFA, session management, and brute force protection

4. How We Share Your Information

We do not sell your personal information. We may share data with:

  • Service providers: Supabase (database and authentication), Stripe (payments and billing), Resend (email delivery), Vercel (hosting), Google (analytics and calendar integration)
  • Third-party integrations: Xero (accounting sync), Mailchimp (marketing sync), Google Ads, and Facebook Ads — only when you explicitly enable these integrations
  • Australian Taxation Office (ATO): Tax lodgement data is submitted directly to the ATO via their secure API when you use the ATO Tax Lodgement feature
  • Your clients: When you send invoices, quotes, or booking confirmations, your business details are shared with the recipient
  • Your team members: Data is shared within your business account with team members based on their role and permissions
  • Legal requirements: If required by Australian law or to protect our rights

5. Data Storage and Security

Your data is stored securely using Supabase (hosted on AWS in Sydney, Australia where available). We implement industry-standard security measures including:

  • Encryption in transit (HTTPS/TLS) and at rest
  • Row-level security (RLS) to isolate tenant data — each business can only access their own data
  • Secure authentication via Supabase Auth with support for email/password and Google OAuth
  • Multi-factor authentication (MFA) using TOTP authenticator apps
  • Configurable session timeouts and idle lockouts
  • Brute force protection with account lockout after failed login attempts
  • Regular security reviews

Enhanced Security for ATO Tax Lodgement

When the ATO Tax Lodgement app is installed, additional security controls are enforced in line with ATO DSP requirements:

  • Mandatory MFA for all users with access to tax data
  • Reduced session duration (24 hours) and idle timeout (15 minutes)
  • Stricter brute force protection (5 attempts with 15-minute lockout)
  • Comprehensive audit logging of all data access, form edits, and submissions
  • ABN validation against the Australian Business Register (ABR)

6. App Store and Third-Party Apps

OneBookPlus offers an App Store with optional apps you can install. When you install an app:

  • The app may access specific data within your account as needed to function
  • Paid apps are billed separately and managed through your billing settings
  • You can uninstall apps at any time, which revokes their data access
  • Third-party integrations (e.g. Xero Sync, Mailchimp) may transfer data to external services governed by their own privacy policies

7. Your Rights

Under Australian privacy law, you have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your account and data
  • Export your data at any time via the Settings page
  • Opt out of marketing communications
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)

8. Data Retention

We retain your data for as long as your account is active. If you delete your account, we will remove your personal data within 30 days, except where retention is required by law (e.g. financial records for 5-7 years per ATO requirements).

ATO tax lodgement records and audit logs are retained for a minimum of 5 years in compliance with Australian tax law, even after account deletion.

9. Cookies

We use essential cookies for authentication and session management. We also use analytics cookies (Google Analytics) on public pages only — not within your dashboard.

10. Third-Party Links

Our platform may contain links to third-party websites and services (including Stripe, Xero, Google, and Facebook). We are not responsible for the privacy practices of those websites and services.

11. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes via email or a notice on our platform.

12. Contact Us

If you have questions about this privacy policy or wish to exercise your privacy rights, contact us at: