1. About this Policy
This Privacy Policy explains how Beeswax STP Pty Ltd (ABN to be issued) (Beeswax STP, we, us, our) collects, holds, uses, and discloses personal information when you use our Single Touch Payroll (STP) service at beeswax-stp.au and via our API (the Service).
2. Scope and applicable law
We are bound by:
- the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs);
- the Privacy (Tax File Number) Rule 2015, which sets additional rules for handling tax file numbers (TFNs);
- the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act; and
- the ATO's Operational Security Framework (OSF), which imposes minimum security controls on digital service providers connecting to the ATO.
Where we hold and handle personal information on your behalf and on your instructions (for example, the personal information of your employees that you upload), you remain the entity primarily responsible under the APPs for that information. We handle it in accordance with this Policy and our Terms of Service.
3. What personal information we collect
The kinds of personal information we collect depend on how you interact with us.
3.1 Information you give us as a customer
- name, email address, telephone number;
- business details (legal name, ABN, branch number, registered address);
- payment details (handled by our payment processor — we do not store full card numbers);
- account credentials (hashed password, MFA secrets, recovery codes); and
- support correspondence and customer feedback.
3.2 Employee personal information you upload
To prepare and lodge STP submissions, you will upload personal information about your employees, including:
- name, date of birth, residential address, contact details;
- tax file number (TFN) — see clause 5;
- employment basis, employment start and end dates, residency status;
- pay amounts (gross, allowances, leave, lump sums, deductions);
- PAYG withholding amounts;
- superannuation guarantee contributions and superannuation fund details; and
- year-to-date totals.
3.3 Information collected automatically
- IP address and approximate location derived from it;
- browser type, device type, operating system;
- pages visited, features used, timestamps;
- API request metadata (which API token was used, request path, response status); and
- audit log records (who did what, when) required by the ATO Operational Security Framework.
4. Sensitive information
We do not deliberately collect sensitive information (as defined in the Privacy Act, e.g. health information, racial or ethnic origin, religious beliefs). If you upload sensitive information about an employee that is not required for STP reporting, we ask that you remove it.
5. Tax File Numbers
Tax File Numbers (TFNs) receive special protection under the Privacy (Tax File Number) Rule 2015. Specifically, in relation to TFNs:
- we collect TFNs only for the purpose of preparing and lodging STP reports with the ATO;
- we encrypt TFNs at the application layer in addition to database-level encryption;
- access to plaintext TFNs is restricted to system processes that need them to generate STP messages;
- TFNs are never shown in audit logs or analytics events;
- we only disclose TFNs to the ATO and to accredited STP gateway providers acting on our behalf to lodge messages with the ATO; and
- we do not use TFNs to identify individuals for any purpose other than STP reporting.
6. How we collect personal information
We collect personal information:
- directly from you when you create an account, configure an employer, upload employee data, contact support, or use the Service;
- automatically when you use the Service, the API, or our website;
- from third parties such as the Australian Business Register (to validate ABNs), our payment processor, and service providers acting on our behalf; and
- from publicly available sources where relevant and lawful.
7. Why we collect, hold, use, and disclose personal information
We use personal information for the following purposes:
- Providing the Service: creating and managing accounts, generating PAYEVNT.0004 messages, submitting them to the ATO, tracking responses, calculating year-to-date amounts, and generating reports.
- Security and integrity: authenticating users (including MFA), detecting and preventing fraud or abuse, and maintaining audit logs as required by the ATO Operational Security Framework.
- Customer support: responding to your enquiries, troubleshooting, and improving the Service.
- Billing and administration: charging fees, sending invoices, and managing your subscription.
- Legal and regulatory compliance: meeting our obligations under Australian tax, privacy, and corporations law.
- Service improvements: understanding how the Service is used so we can improve it (using aggregated, de-identified data wherever possible).
- Communications: sending you transactional messages (e.g. submission status, security alerts) and, with your consent or where permitted by the Spam Act 2003 (Cth), product updates.
We do not sell personal information, and we do not use it for advertising profiling.
8. Who we share personal information with
We disclose personal information only to:
- The Australian Taxation Office, when you instruct us to lodge a pay event, finalisation, or update event;
- Accredited STP gateway providers who facilitate the secure transmission of STP messages to the ATO on our behalf, under contractual confidentiality obligations;
- Cloud and infrastructure providers, principally Amazon Web Services (Sydney region), where data is stored and processed;
- Email and notification providers for transactional messages (e.g. password reset, security alerts);
- Payment processors for billing purposes (we do not store full card details);
- Professional advisors (lawyers, accountants, auditors) under confidentiality obligations;
- Law enforcement, regulators, or courts where required by law (for example, in response to a valid subpoena or notice); and
- A successor entity in connection with a corporate sale, merger, or restructure, subject to equivalent privacy protections.
9. Disclosure to the ATO
When you submit a pay event, finalisation, or update event through the Service, we transmit the relevant personal information (including employee names, addresses, TFNs, and pay information) to the ATO. This is the core purpose of the Service. You authorise this disclosure when you submit the event, and the ATO handles that information under its own legal obligations.
10. Overseas disclosure
Beeswax STP is designed for Australian data sovereignty. In the ordinary course of providing the Service:
- customer data and employee personal information are stored in the AWS Sydney region (ap-southeast-2) and do not leave Australia;
- we do not transfer TFNs or employee personal information outside Australia.
However, some of our supporting service providers (for example, error monitoring, transactional email, support ticketing) may be operated by entities based outside Australia. Where this is the case, we limit the personal information shared with them to what is strictly necessary (TFNs and employee personal information are not sent to them, consistent with the point above), ensure those providers are bound by appropriate contractual protections, and will update this Policy to identify the countries involved if this changes materially.
11. Storage and security
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. These steps include:
- hosting in the AWS Sydney region with infrastructure-level encryption, access controls, and isolation;
- encryption in transit using TLS 1.2 or higher;
- encryption at rest at the database level, plus application-level encryption for sensitive fields such as TFNs;
- mandatory multi-factor authentication for all user accounts;
- least-privilege access controls for our staff and contractors, with role-based permissions;
- full audit logging of administrative actions, with at least 12 months' retention as required by the Operational Security Framework;
- regular dependency and security scanning;
- self-assessment against OWASP ASVS Level 2 controls; and
- incident response and breach notification procedures.
No system can be guaranteed completely secure, but we treat any security incident affecting personal information seriously and respond promptly.
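The TFN controls described in clause 5 and the application-level field encryption listed in clause 11 can be illustrated in code. The following is an added example, not Beeswax STP's own code: it assumes AES-256-GCM as the application-layer cipher, assumes each ciphertext is bound to an employee record ID through the AEAD associated data (so a stored value cannot be moved onto another employee's row), and assumes a simple TFN-shaped pattern for scrubbing audit text. The key, employee IDs and TFN values in the block are constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// Assumed design for illustration only (not Beeswax STP's own code):
//   - TFNs are sealed with AES-256-GCM in the application before they are
//     written to the database, so database-level encryption is a second layer;
//   - the employee record ID is bound in as associated data, so a ciphertext
//     copied onto another employee's row fails to decrypt;
//   - free text headed for an audit log passes through ScrubTFN, so a TFN
//     that strays into a message is redacted before it is written.

// TFNVault holds the application-layer key. Only the lodgement process that
// builds STP messages is expected to hold an instance.
type TFNVault struct {
	aead cipher.AEAD
}

// NewTFNVault accepts a 32-byte key (AES-256).
func NewTFNVault(key []byte) (*TFNVault, error) {
	if len(key) != 32 {
		return nil, errors.New("TFN key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TFNVault{aead: aead}, nil
}

// Seal encrypts a plaintext TFN for storage as base64(nonce || ciphertext || tag).
// A fresh random nonce is drawn for every call.
func (v *TFNVault) Seal(employeeID, tfn string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(tfn), []byte(employeeID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open decrypts a stored TFN for the given employee. A wrong key, a tampered
// value, or a value copied from another employee's record all fail.
func (v *TFNVault) Open(employeeID, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(raw) < ns+v.aead.Overhead() {
		return "", errors.New("stored TFN value too short")
	}
	pt, err := v.aead.Open(nil, raw[:ns], raw[ns:], []byte(employeeID))
	if err != nil {
		return "", errors.New("TFN decryption failed: key, record binding or integrity check")
	}
	return string(pt), nil
}

// tfnPattern (assumed) matches 8 or 9 digits written plain or in 3-3-2 / 3-3-3 groups.
var tfnPattern = regexp.MustCompile(`\b\d{3}[ -]?\d{3}[ -]?\d{2,3}\b`)

// ScrubTFN redacts anything TFN-shaped from text bound for audit or analytics.
func ScrubTFN(msg string) string {
	return tfnPattern.ReplaceAllString(msg, "[TFN redacted]")
}

// AuditLine formats a who-did-what-when audit record and scrubs the free-text
// detail so a TFN cannot appear in the log.
func AuditLine(ts, actor, action, employeeID, detail string) string {
	return fmt.Sprintf("ts=%s actor=%s action=%s employee=%s detail=%q",
		ts, actor, action, employeeID, ScrubTFN(detail))
}

func main() {
	key := make([]byte, 32) // in production this comes from a KMS-backed secret, not from code
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	vault, _ := NewTFNVault(key)
	stored, _ := vault.Seal("emp-001", "123456782") // constructed sample TFN
	fmt.Println("stored:", stored)
	fmt.Println(AuditLine("2024-07-01T09:00:00+10:00", "payroll@example", "stp.lodge",
		"emp-001", "lodged pay event; tfn 123 456 782 on file"))
	if _, err := vault.Open("emp-002", stored); err != nil {
		fmt.Println("cross-record open rejected:", err)
	}
}
```

The two checks worth noting are the ones a reviewer would ask about: the associated-data binding means a database administrator who can copy encrypted values between rows still cannot make one employee's TFN decrypt under another's record, and the scrubber is applied at the point where the audit line is built rather than relying on callers to remember it.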
12. Data retention
We retain personal information for as long as is reasonably necessary to provide the Service, meet legal and regulatory obligations, resolve disputes, and enforce our agreements. In particular:
- employee STP records and submission history are retained for the periods required by Australian tax law (generally five years);
- audit logs are retained for at least 12 months under the ATO Operational Security Framework;
- account and billing information is retained while your account is active and for a reasonable period after closure.
When personal information is no longer needed and we are no longer required to retain it, we will take reasonable steps to delete or de-identify it.
13. Cookies and analytics
We use a small number of cookies and similar technologies, including:
- Strictly necessary cookies for authentication (session cookies) and CSRF protection — these cannot be disabled without breaking the Service;
- Preference cookies for things like theme mode (light/dark);
- Privacy-respecting analytics, where used, configured to avoid collecting personally identifiable information beyond what is needed to understand traffic patterns.
You can clear or block cookies in your browser, but doing so may prevent you from signing in to the Service.
14. Your rights
Under the Australian Privacy Principles you have the right to:
- Access the personal information we hold about you;
- Correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading;
- Be informed of the kinds of information we hold and how we handle it (this Policy);
- Complain about our handling of your personal information;
- Withdraw consent for marketing communications at any time using the unsubscribe link or by contacting us; and
- Deal anonymously or under a pseudonym where lawful and practicable — though this is not generally practicable for STP reporting, which requires verified identity.
To exercise these rights, contact us at privacy@beeswax-stp.au. We will respond within a reasonable time, and at no cost to you (other than any reasonable cost of providing access in a particular form).
If your request relates to personal information about an employee that another organisation uploaded into the Service (for example, your former employer), we will direct you to that organisation, which is the entity primarily responsible under the APPs.
15. Notifiable Data Breaches
If we become aware of an "eligible data breach" affecting personal information — that is, unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to any of the individuals concerned — we will:
- notify you without undue delay via email or in the Service;
- notify the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches scheme; and
- provide information about what happened, what information was affected, and the steps you can take to protect yourself.
16. Children
The Service is not directed at children under 18. We do not knowingly create accounts for children. STP records may legitimately include personal information of employees under 18 (for example, casual employees), and that information will be handled the same way as any other employee information.
17. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date at the top of this Policy reflects the most recent revision. We will notify you of material changes by email or through the Service. Your continued use of the Service after the effective date of an updated Policy means you accept the updated Policy.
18. How to contact us
If you have questions, concerns, or complaints about this Policy or how we handle personal information, contact us first:
Privacy Officer, Beeswax STP Pty Ltd
Email: privacy@beeswax-stp.au
Postal address: to be advised
We aim to acknowledge complaints within 5 business days and resolve them within 30 days. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC):
Office of the Australian Information Commissioner
Web: www.oaic.gov.au
Phone: 1300 363 992