Privacy Policy — Air Accounting Email Processing Service

Version 1.35  ·  March 2026  ·  For Google OAuth App Verification

1. Overview

Air Accounting operates an automated email processing service that reads and classifies inbound email from authorised client mailboxes. This service is used solely to support the delivery of accounts payable management engagements on behalf of clients who have explicitly granted access to their email accounts.

Air Accounting is bound by the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy explains what data we collect, how we use it, where it is stored, and how it is protected, in accordance with those obligations.

2. Scope and Authorisation

This policy covers Air Accounting’s use of the Google OAuth 2.0 API to access Gmail mailboxes on behalf of clients who have explicitly authorised that access. Access may be revoked by the client at any time through their Google account settings at myaccount.google.com.

The service does not process Air Accounting’s own internal email accounts.

3. Legal Basis for Processing

We process client email data on the basis of explicit client consent and a contractual engagement to deliver accounts payable management services. Clients are informed of the nature of this processing prior to granting access, and access is never obtained without their knowledge and agreement.

4. Data We Collect

For each email processed, we may collect and store the following:

  • Sender and recipient email addresses
  • Email subject line
  • Email body content (plain text and HTML)
  • Attachments, including their type, filename, and content
  • AI-generated classification annotations and routing decisions
  • A rendered image of the email for review purposes

5. How We Use the Data

Data is used exclusively to:

  • Classify and route incoming emails for accounts payable processing
  • Enable Air Accounting staff to review and action emails assigned to them
  • Maintain a historical record of processed email during the engagement

We do not sell, share, or use client email data for any purpose outside the delivery of the agreed engagement.

6. Data Retention

Email data is retained for the duration of the client engagement. When a client relationship ends or Air Accounting ceases to provide accounts payable services for a client, all data associated with that client is permanently deleted from our systems.

Clients may request deletion of their data at any time by contacting us directly. We will action such requests promptly. Please note that deletion of historical email data may affect our ability to continue providing the accounts payable service, and we will discuss the implications with you before proceeding.

7. Data Storage and Subprocessors

Data is processed and stored across the following third-party platforms, spanning multiple geographic regions. Each platform is bound by its own security and privacy standards, including SOC 2 and/or ISO 27001 certifications where applicable:

  • n8n (workflow automation) — hosted on Sliplane, running on Hetzner infrastructure in Singapore.
  • Mistral AI — used for OCR processing of email attachments. Data processed in the European Union. Mistral holds SOC 2 Type II and ISO 27001/27701 certifications and does not retain data after processing.
  • Supabase — used for persistent email data storage. Hosted on AWS in Mumbai, India (ap-south-1).
  • Glide — used as the team-facing application layer for reviewing and actioning emails. Hosted on Google Cloud Platform in Iowa, United States (us-central1).
  • Upstash (Redis) — used for temporary caching and deduplication during processing. Hosted in Sydney, Australia (ap-southeast-2).
  • Postmark — used for inbound email ingestion via webhook. Hosted at a SOC 2 Type II accredited facility in Chicago, Illinois, United States.
  • Cloudflare R2 — used for storage of rendered HTML email images. Hosted in the Asia-Pacific (APAC) region.
  • Cloudinary — used for image processing of email attachments. Data stored in US-based data centres on AWS and Google Cloud Platform infrastructure.

8. International Data Transfers

As noted in section 7, data is processed and stored across multiple international jurisdictions including Singapore, India, the United States, and the European Union. By engaging Air Accounting’s accounts payable services and authorising access to their email accounts, clients acknowledge that their data may be transferred to and processed in these regions.

Additionally, Air Accounting employs offshore bookkeeping staff based in the Philippines who may access client email data through the Glide application as part of their assigned work. This constitutes an international data transfer under the Australian Privacy Act 1988. Access is role-based, limited to the relevant client engagement, and subject to the same controls described in section 9.

9. Data Security

We apply the following security measures:

  • All data is transmitted over HTTPS. Encryption at rest is provided by each platform according to its own security standards.
  • OAuth refresh tokens and API credentials are stored in n8n’s encrypted credential manager and are not accessible after entry, including to Air Accounting staff.
  • Administrative access to the underlying database is restricted to designated IT and Security personnel.
  • Team member access to email data within the application is role-based and tied to active work assignments. Access is removed when a team member is no longer working on a given client engagement.
  • Master credentials are stored in 1Password Business, accessible only to business principals in the event of staff changes.

10. Access to Data

Air Accounting staff access client email data in the same way they would access the client’s inbox directly — to review, classify, and action accounts payable items. Access is limited to staff assigned to the relevant client engagement.

11. Data Breach Notification

Air Accounting is subject to the Notifiable Data Breaches (NDB) scheme under the Australian Privacy Act 1988. In the event of a data breach that is likely to result in serious harm to affected individuals, we will:

  • Contain the breach and assess the risk as quickly as practicable
  • Notify affected clients directly as soon as reasonably possible
  • Notify the Office of the Australian Information Commissioner (OAIC) within 30 days of becoming aware that a notifiable breach has occurred
  • Provide affected individuals with recommendations on the steps they should take in response

Clients who suspect a breach involving their data should contact us immediately at privacy@air.com.au.

12. Your Rights

Clients may at any time:

  • Request a summary of what data we hold relating to their mailbox
  • Request correction of any inaccurate information
  • Request deletion of their data (subject to the service impact noted in section 6)
  • Revoke OAuth access via their Google account settings, which will immediately prevent further email processing
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if they believe their privacy rights have been breached

To exercise any of these rights, please contact your Air Accounting engagement manager or email privacy@air.com.au.

13. Changes to This Policy

We may update this policy from time to time. Clients will be notified of material changes. The current version is always available on request.

14. Contact

For any privacy-related questions, please contact:

Air Accounting  ·  privacy@air.com.au

Version History

Version  Date            Summary of changes
-------  --------------  ---------------------------------------------------------------
1.0      June 2024       Initial draft for internal review
1.1      September 2024  Updated subprocessor list; added Cloudinary and Cloudflare R2
1.2      January 2025    Confirmed data storage regions for all subprocessors
1.3      February 2025   Minor clarifications to retention and access control language
1.35     March 2026      Added legal basis, APA 1988 reference, NDB obligations, Philippines staff disclosure, OAIC complaint right