Privacy Policy
I Count Beans Pty Ltd
Last updated: 14 July 2026
Last updated: 14 July 2026
I Count Beans Pty Ltd (ABN 19 168 707 051) (we, us, our) is committed to protecting your personal information and handling it in line with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
This Privacy Policy explains how we collect, use, store, disclose and protect personal information, including information used to verify your identity and meet our anti-money laundering and counter-terrorism financing (AML/CTF) obligations.
A current version of this Policy is always available at https://www.icountbeans.com.au/privacy-policy/.
We may collect the following personal information about you:
Payment and billing information, including bank account details, direct debit mandate details, invoice and payment status, and payment correspondence
Personal information about employees, contractors, customers, suppliers, officeholders and other individuals that a client provides to us for an authorised accounting, payroll, taxation, advisory or structure service
Information generated when we are given authorised access to a client’s accounting, payroll, banking or payment systems, subject to the access limits agreed with the client
We only collect personal information that is reasonably necessary to carry out our business activities or to meet our legal and professional obligations.
We collect, use and disclose your personal information to:
Administer fees and direct debit payments through GoCardless or another approved payment provider
Use approved accounting, document, communication and cloud systems, including Xero, Dext and Microsoft 365, to perform and support the services
Access a client’s internet banking or payment system under a separate authority where the engagement includes preparing transactions for the client’s approval
To verify your identity, we may use electronic identity verification services, including the Australian Government’s Document Verification Service (DVS).
Where you have consented, your name, date of birth and identity document details will be securely sent to the relevant Commonwealth or State authority that issued your document. This may include passport offices, driver licence authorities, the Department of Home Affairs, Births, Deaths and Marriages registries, or other authorised record holders.
These authorities check whether the details you have provided match the records they hold.
We do not receive a copy of your government records. The authority returns a match result only, confirming whether your details match (yes or no).
This process may be carried out through accredited identity verification providers, including APLYiD (APLYiD Pty Ltd, ABN 36 632 866 794) and its authorised sub-providers.
More information about the DVS is available at idmatch.gov.au.
As part of identity verification, we may collect biometric information, such as a facial image or a short video of you holding your identity document.
Biometric information may be used to:
Biometric information is treated as sensitive information under the Privacy Act. We only collect and use it for identity verification and related compliance purposes, and only with your consent.
When you choose to complete electronic identity verification, you will be asked to give the express consent required for the DVS and for collection and use of biometric information. That consent covers:
Consent for DVS and biometric verification is voluntary and may be withdrawn by contacting us, subject to processing already completed and information we must retain by law. Other personal information may be collected, used and disclosed because it is reasonably necessary to provide the requested service or because the handling is required or authorised by law; it is not dependent solely on consent.
If you do not consent, or do not provide the information we need, we may not be able to verify your identity electronically. We may need to verify your identity in another way, or we may be unable to provide the requested service, including a company, trust or other structure setup.
We may disclose your personal information to:
Banks, payment facilities and client-authorised financial platforms where required to perform an agreed bookkeeping, payroll or payment-preparation service
We do not sell your personal information.
When you pay an invoice by card or establish a direct debit, you should enter payment details directly into the payment provider’s secure process. Our personnel do not intentionally collect or retain complete credit card numbers.
Some AML/CTF information is subject to confidentiality and anti-tipping-off requirements. The law may prevent us from telling you about a particular use, disclosure or report.
Some of our personnel and service providers may access, store or process personal information outside Australia. Likely overseas locations include the Philippines, New Zealand, the United States, the United Kingdom and European Union member states. APLYiD states that information for Australian and New Zealand applicants is stored and processed in Sydney, with relevant service providers processing in Australia or New Zealand. AMLHUB states that primary production data for Australian customers is hosted in Australia, while some support and software systems may be located in the United States, European Union and New Zealand. Other approved providers, including Xero, Dext, Microsoft and GoCardless, operate internationally and may use overseas group companies or subprocessors as described in their current privacy and data-processing terms.
Where overseas access or disclosure occurs, we take reasonable steps to ensure that personal information is handled in line with the Australian Privacy Principles, including through provider due diligence, access controls, confidentiality requirements and contractual protections where appropriate.
We take reasonable steps to protect your personal information from misuse, interference, loss, and unauthorised access, modification or disclosure.
These steps include secure systems, role-based access controls, multi-factor authentication, staff confidentiality requirements, and encryption in transit and at rest where appropriate.
Where we access a client’s internet banking or payment platform, we require separate, appropriately restricted access where available. Our personnel are not to be the final approver of client payments, and clients should not provide shared credentials, one-time passwords or complete credit card details.
If you give us personal information about another individual, you must ensure that you are authorised to provide it and, where required, that the individual has received an appropriate privacy notice.
We retain personal information only for as long as we need it for the purposes set out in this Policy, or as required by law. AML/CTF records are generally retained for at least seven years, with the applicable period depending on the record and the service or business relationship. Tax, corporate and professional records may be retained for different periods.
We seek to avoid retaining complete copies of identity documents longer than reasonably necessary where we can instead retain the required identification particulars, verification method and outcome. When information is no longer required, we take reasonable steps to securely delete, destroy or de-identify it, subject to legal retention requirements and secure backup cycles.
If a data breach is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner where required under the Notifiable Data Breaches scheme.
You have the right to ask for access to the personal information we hold about you, and to ask us to correct it if it is inaccurate, incomplete, out of date, irrelevant or misleading.
To make a request, please contact us using the details in section 13. We may need to verify your identity before responding. We will respond within a reasonable time and will explain any refusal unless the law prevents us from doing so.
From time to time, we may use your contact details to send you information about our services that we think may be of interest to you, where permitted by law.
You can opt out of marketing communications at any time by using the unsubscribe link in our messages, or by contacting us using the details in section 13. We do not use biometric information or identity-verification information for direct marketing.
If you have a complaint about how we have handled your personal information, please contact us first using the details in section 13.
We will acknowledge your complaint, investigate it, and aim to respond within 30 days. We will tell you if we need more time.
If you are not satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or on 1300 363 992.
If you have any questions about this Policy, or want to exercise any of your privacy rights, please contact us:
We may update this Privacy Policy from time to time to reflect changes in our practices, service providers or the law.
The latest version will always be available on our website. Where changes are significant, we will take reasonable steps to let affected individuals know.