Privacy Policy

Last updated: 13 June 2026

This Privacy Policy explains how Prepaidly Pty Ltd (ABN 19 688 065 367) (“Prepaidly”, “we”, “us” or “our”) collects, uses, discloses and protects your personal information when you use the Prepaidly website and application (the “Service”). We are committed to handling personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Prepaidly Pty Ltd

ABN 19 688 065 367

South Australia, Australia

hello@prepaidly.io

1. Information we collect

We collect the following categories of information:

  • Account information: your name, email address, password (stored in hashed form), display name and role within an organisation.
  • Xero connection data: when you connect a Xero organisation, we receive OAuth access and refresh tokens and read data you authorise, such as your chart of accounts, contacts, organisation details and manual journals. We use this data solely to provide the Service.
  • Schedule and financial data: the prepayment and unearned revenue schedules, amounts, dates, accounts and journals you create or import.
  • Billing information: subscription tier and payment status. Card payments are processed by our payment provider (Stripe); we do not store full card numbers.
  • Usage and technical data: log data, device and browser information, IP address and activity within the app, used for security, troubleshooting and improving the Service.

2. How we use your information

We use personal information to:

  • provide, operate, maintain and secure the Service;
  • authenticate you and manage your account and organisation access;
  • connect to Xero and post manual journals you authorise;
  • process subscriptions, billing and related notifications;
  • respond to support requests and communicate service-related information;
  • detect, prevent and respond to fraud, abuse and security incidents; and
  • comply with our legal obligations.

3. Disclosure of information

We do not sell your personal information. We disclose information only as needed to operate the Service, including to:

  • Xero: to read authorised data and post journals on your instruction;
  • Service providers: hosting, infrastructure, analytics, email and payment providers (such as Stripe) who process data on our behalf under appropriate confidentiality obligations;
  • Other users in your organisation: administrators and members of a Xero organisation you belong to may see schedules, journals and activity for that organisation; and
  • Legal and regulatory bodies: where required by law or to protect our rights, users or the public.

4. Overseas disclosure

Some of our service providers may store or process data outside Australia. Where this occurs, we take reasonable steps to ensure recipients handle your information consistently with the Australian Privacy Principles.

5. Data security

We protect your information using technical and organisational measures, including encryption of data in transit (HTTPS), server-side storage of Xero tokens and secrets, tenant isolation so one organisation’s data is not exposed to another, and access controls based on user roles. No method of transmission or storage is completely secure, but we work to protect your information and to respond promptly to any suspected data breach in line with the Notifiable Data Breaches scheme.

6. Data retention

We retain personal information for as long as your account is active or as needed to provide the Service, and thereafter as required to meet legal, accounting or reporting obligations. You may request deletion of your account, after which we will delete or de-identify your information except where retention is required by law. Disconnecting a Xero organisation removes our stored tokens for that organisation and does not delete any data within Xero itself.

7. Your rights

Subject to the Privacy Act, you may request access to, or correction of, the personal information we hold about you. To make a request, or if you have a privacy concern or complaint, contact us using the details below. We will respond within a reasonable period. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

8. Cookies

We use cookies and similar technologies to keep you signed in, remember preferences and understand how the Service is used. You can control cookies through your browser settings, though disabling them may affect functionality.

9. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date above and, where appropriate, notify you through the Service. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

10. Contact us

If you have any questions about this Privacy Policy or how we handle your information, please contact us at hello@prepaidly.io.