← Back to HAMANI DOCS
PRIVACY POLICY
Last updated: 8 May 2026 · Effective: 8 May 2026
This Privacy Policy explains how HAMANI PTY LTD (ABN 73 277 932 893) (we, us, our) collects, uses, stores, discloses and protects your personal information when you use HAMANI DOCS™.
We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), and where applicable, the General Data Protection Regulation (GDPR) for users in the European Union.
1. What information we collect
We collect only the minimum information needed to provide you the service:
- Account information: name and email address from your Google Sign-In, plus your unique Firebase user ID
- Payment information: handled by Stripe — we receive only a transaction ID and the amount paid. We never see or store your card number, CVV or full bank details
- Usage information: which AI tools you use, action timestamps, and your remaining credit balance
- Inputs and uploaded files: any text or files you submit are processed in real time and used solely to generate the requested output
- Technical information: IP address, browser type, device type, and operating system, used for security and abuse detection
2. How we collect information
We collect information when you:
- Sign up using Google Sign-In
- Purchase credits through Stripe
- Use any of the four HAMANI tools (Form Fill, Doc Forge, Ledger, HAMANI CONCIERGE)
- Upload a file to a tool
- Email us at support
- Visit our website (Cloudflare server logs)
3. Why we collect it
- To create and maintain your account
- To process your payments and track your credit balance
- To generate AI output in response to your requests
- To prevent abuse, fraud and unauthorised use
- To comply with our legal obligations (taxation, law enforcement requests, disputes)
- To improve the reliability and accuracy of the service
4. AI providers and your data
HAMANI DOCS uses third-party AI providers to generate output. When you use a tool, the relevant input is sent to one of:
- Anthropic PBC (Claude) — for high-quality drafting and reasoning tasks. Anthropic is based in the United States.
- Google LLC (Gemini) — for OCR, image and document text extraction. Google is based in the United States.
Both providers have committed in their public terms not to train their public models on data submitted via their commercial APIs. However, we have no direct control over how they handle data internally. By using HAMANI DOCS you consent to this transmission.
If you do not want your input sent to overseas AI providers, do not use HAMANI DOCS.
5. Who we share data with
We share data with the following service providers, only as needed to operate the service:
| Provider | Purpose | Location |
| Google Firebase | Authentication, user database, file storage | USA |
| Stripe | Payment processing | USA & Australia |
| Cloudflare | Website hosting, edge serverless functions | Global CDN |
| Anthropic | Claude AI processing | USA |
| Google AI | Gemini AI processing | USA |
We do not sell your personal information. We do not share data with advertisers, marketers or data brokers.
We may disclose information to law enforcement or government bodies when required by Australian law, court order or warrant.
6. Cross-border data transfers
By using HAMANI DOCS, you acknowledge that your information may be transferred outside Australia (primarily to the United States) for processing by the providers listed above. These transfers are made under each provider's published privacy and security standards.
We have taken reasonable steps to ensure these providers handle your data consistently with the Australian Privacy Principles, but you should be aware that overseas data may be subject to foreign legal requirements that differ from Australian law.
7. How long we keep data
- Account information: kept while your account is active and for up to 12 months after closure for tax and dispute purposes
- Payment records: kept for 7 years to comply with Australian taxation law
- Uploaded files: processed in memory and discarded immediately. Not retained.
- Inputs and AI outputs: not stored except in transient operational logs (kept up to 30 days for debugging and abuse investigation)
- Server logs: 30-90 days for security, then deleted
8. How we protect your data
- All connections use TLS 1.3 encryption
- Authentication uses Firebase's industry-standard token system
- Server-side credentials (API keys, service accounts) are stored as encrypted secrets at Cloudflare
- Database access is restricted by server-side rules — clients cannot modify financial fields directly
- Payment webhooks are cryptographically verified using HMAC-SHA256
- Suspicious activity (rate-limit breaches, refusal-pattern matches) is automatically flagged
No system is perfect. We do our best, but we cannot guarantee absolute security.
9. Data breach notification
HAMANI PTY LTD is subject to the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth). If we become aware of an eligible data breach involving your personal information, we will notify you and the Office of the Australian Information Commissioner (OAIC) as soon as practicable, generally within 30 days of becoming aware.
10. Cookies and tracking
We use only essential cookies needed for sign-in and session management. We do not use advertising cookies, third-party trackers, or analytics services that profile users.
You can disable cookies in your browser, but you will not be able to sign in without them.
11. Your rights
Under the Australian Privacy Act, you have the right to:
- Access the personal information we hold about you
- Correct information that is inaccurate, out of date or incomplete
- Delete your account and associated personal data, subject to legal retention obligations
- Object to specific uses of your data
- Lodge a complaint with the Office of the Australian Information Commissioner (oaic.gov.au)
To exercise these rights, you can:
We will respond to email requests within 30 days.
12. Automated decision-making and AI transparency
HAMANI DOCS uses AI to generate document drafts and to apply automated refusals to requests it judges to fall outside our acceptable-use policy. These automated processes:
- Do not make legally binding or significantly impactful decisions about you
- Do not assess your credit, eligibility, or any benefit you receive from a third party
- May refuse a request and refund the credit if our system flags it as outside our scope
If you believe a refusal was made in error, email support and we will review the request manually.
This section anticipates the December 2026 amendments to the Privacy Act 1988 (Cth) requiring transparency in automated decision-making.
13. Children's privacy
HAMANI DOCS is not intended for users under 16 years of age. Users between 16 and 18 must have permission from a parent or guardian.
We do not knowingly collect personal information from children under 16. If you believe a child has signed up, please email support and we will close the account and delete the data.
14. Intellectual property and enforcement
HAMANI™ and HAMANI DOCS™ are trade marks of HAMANI PTY LTD asserted under common law.
If you believe content on HAMANI DOCS infringes your intellectual property rights, email support@hamanidocs.com.au with details of the alleged infringement, the URL, your contact information, and a statement of good-faith belief. We respond to credible takedown requests within 7 business days.
15. My Account Vault
This section describes additional collection, use and retention that applies specifically to the My Account Vault feature.
What we collect in the Vault
- Personal information form fields — name and preferred name, date of birth, address, phone, alternate email, employment type, income range, industry, emergency contact details, and optional health information you choose to enter (blood type, allergies, medications, conditions, GP details).
- Australian identifiers — Medicare number, ABN, driver's licence number and state (where you choose to enter them, treated as sensitive information).
- Uploaded documents — any file you choose to upload (we do not inspect contents); metadata recorded includes original filename, file size, MIME type, your chosen category, the upload timestamp, an optional SHA-256 hash for integrity, and an optional expiry date.
- PIN hash — a one-way hash of your 4-digit PIN (PBKDF2-SHA-256, 100,000 iterations, per-user salt). The plaintext PIN is never stored.
- Audit logs — PIN events (set/verify/reset/lockout) and vault events (upload/delete) with timestamps, the requesting IP and user agent where available. Audit logs are immutable.
- Phase 2 fields (deferred) — Tax File Number, passport number, and bank account/BSB are not collected in this version. They will be reintroduced in a Phase 2 release subject to legal review and additional safeguards.
Why we collect it
- To pre-fill HAMANI tools with your saved information when you ask us to.
- To provide secure private storage for personal documents.
- To verify your identity and detect unauthorised access (PIN gate, audit logs).
How long we keep it
- Vault contents are retained while your account is active.
- On account deletion, contents are soft-deleted for 30 days (recoverable on request) then permanently deleted.
- Audit logs are retained for 7 years in accordance with Australian record-keeping practice; we may retain them longer where required by law.
Who we share it with
- Google LLC — Firestore and Firebase Storage infrastructure (data processor only; storage region
australia-southeast1).
- No one else. Vault information is not shared with any other third party, is not used to train AI models, and is not sent to any AI provider unless you explicitly use it to pre-fill a tool that you have asked to run.
- No HAMANI staff access to your Vault contents except where you request support and provide explicit consent, or where required by law.
Data breach notification
If we become aware of an eligible data breach affecting your Vault, we will assess and notify you and the Office of the Australian Information Commissioner under the Privacy Act 1988 (Cth) Part IIIC (the Notifiable Data Breaches scheme) within statutory timeframes — typically as soon as practicable, and where practicable within 72 hours of confirming an eligible breach.
Your rights
You may, at any time: view, edit and export your Vault contents via Account → Download my data; permanently delete your account and all Vault contents via Account → Danger Zone; and request access, correction, or complaint review by emailing support@hamanidocs.com.au. Your rights under Australian Privacy Principles 12 (access) and 13 (correction) are preserved.
16. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. Material changes will be communicated by email or in-app notice where reasonably practicable.
HAMANI PTY LTD — Privacy Officer
New South Wales, Australia
Email: support@hamanidocs.com.au
Response time: 3-5 business days
If you are not satisfied with our response, you can contact the OAIC:
Phone: 1300 363 992 · Web: oaic.gov.au
© 2026 HAMANI PTY LTD. HAMANI™ and HAMANI DOCS™ are trade marks of HAMANI PTY LTD. ACN 696 864 981.