Privacy Policy

About this policy

First Aboard Pty Ltd (ACN 699 291 122, ABN 23 699 291 122) ("FirstAboard", "we", "us", "our") respects your privacy. This policy explains how we collect, use, hold, disclose and protect personal information, and how you can access or correct it or make a complaint.

We handle personal information in line with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Even where a small-business exemption might apply, we choose to comply with the APPs because we handle sensitive financial and identity information, and because the brokers we serve must comply and rely on us to do the same.

This policy covers our broker onboarding platform, our website, and the FirstAboard PDF desktop app (together, the "Services"). By using the Services, you agree to this policy.

The two roles we handle information in

We handle personal information in two different roles, and it matters which one applies:

• On behalf of brokers. When a broker uses FirstAboard to collect information from their own clients, that client information is collected for and on behalf of the broker. The broker decides what is collected and why. We store and process it securely on their instructions. The broker is the first point of contact for that information, and the broker’s own privacy policy also applies to it.
• For our own business. We also collect personal information directly, for example from brokers who create an account, people who contact us, visitors to our website, and customers of FirstAboard PDF.

Where this policy talks about information we hold "on behalf of a broker", requests to access, correct or delete that information should usually go to the broker first. We will assist the broker as needed.

The personal information we collect

Depending on how you interact with us, we may collect:

• Broker account information: name, business name, email address, phone number, login and authentication details, and billing details.
• Client onboarding information (collected on behalf of brokers): name, contact details, date of birth, residential history, employment details, financial details (income, assets, liabilities and expenses), identity documents (such as a driver licence or passport), uploaded documents and photos, and electronic signatures.
• Website and enquiry information: contact details you choose to give us, such as an email address you submit to a waitlist or a support request.
• Payment information: subscription and billing details, processed by our payment provider (we do not store full card numbers ourselves).
• Technical information: IP address, device and browser type, and usage data collected through cookies and similar technologies, used to keep the Services secure and working.

FirstAboard PDF runs entirely on your own computer. We do not collect, upload, see or store the contents of any file you open with it. See "FirstAboard PDF" below.

Sensitive information and identity documents

Some of the information collected through the broker platform is "sensitive information" or government-related identifier information under the Privacy Act, including financial details and identity documents.

We collect this information only with consent and only as needed for the broker to provide their services. Identity documents may be processed using automated text recognition (OCR) through Amazon Web Services (AWS) Textract to read the details on the document. This processing takes place in the AWS Sydney region (Australia).

We do not adopt, use or disclose a government-related identifier (such as a licence or passport number) as our own identifier for you, except as permitted by the Privacy Act.

How we collect information

We collect personal information in these ways:

• Directly from you, wherever practical: when a broker signs up, when a client completes an onboarding flow a broker has invited them to, or when you contact us.
• From your use of the Services: technical and usage information collected automatically through cookies and similar technologies.
• From third parties, where you have authorised it or where it is reasonably necessary, such as our payment provider confirming a payment.

At the point of collection through the onboarding flow, we provide a short collection notice telling you who we are, why the information is being collected, and that this policy applies.

Why we collect and use information

We use personal information to:

• provide, operate and improve the Services;
• let brokers collect information from, and serve, their clients;
• verify identity where that is part of the broker’s onboarding flow;
• process payments and manage subscriptions;
• communicate with you, including by email and SMS, about your account, support requests and service updates;
• keep the Services secure, prevent misuse, and maintain audit and access logs;
• meet our legal and regulatory obligations.

We do not sell your personal information, and we do not use it for advertising or share it with advertising networks.

FirstAboard PDF

FirstAboard PDF is a desktop application that runs entirely on your own computer. The files you open, edit, sign or redact with it are processed locally on your device and are never uploaded to us. We do not see, collect, store or have access to those files.

The only personal information we handle for FirstAboard PDF is the account and billing information needed to run your subscription (for example your name, email and subscription status), which is processed through our payment provider, Stripe.

Open banking and the Consumer Data Right

The broker platform can include an optional open-banking step. In that step, the broker adds their own secure open-banking link (for example a Consumer Data Right (CDR) provider such as Frollo, or another provider they choose). The client authorises that provider directly.

FirstAboard does not collect, store, sync or have access to a client’s bank-account data obtained through the Consumer Data Right. We simply record that the client was asked to connect, and whether they confirmed that they did. The handling of any CDR data is governed by the chosen provider and the client’s consent with that provider.

When we disclose information, and to whom

We do not sell your personal information. We disclose it only:

• to the broker the information was collected for;
• to trusted service providers who help us run the Services, under arrangements requiring them to protect the information and use it only for our purposes;
• where required or authorised by law, or to protect our legal rights.

The main service providers we use are:

• Supabase - database, authentication and file storage (hosted in Australia, Sydney region).
• Amazon Web Services (AWS) - identity-document text recognition and related processing (Australia, Sydney region).
• Vercel - hosting of our web application (United States and global edge network).
• Stripe - payment and subscription processing (United States and global).
• Resend - delivery of transactional email (United States).
• Twilio - delivery of SMS messages (United States and global).

We keep this list current. If our providers change, we will update this policy.

Sending information overseas

Some of our service providers store or process information outside Australia. In particular, hosting, payments, email and SMS may involve recipients in the United States. Identity-document processing and our primary database storage take place in Australia (Sydney).

Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient handles it consistently with the Australian Privacy Principles. We remain accountable for that information as required by the Privacy Act.

How we store and protect information

We take the security of personal information seriously and use measures appropriate to its sensitivity, including:

• encryption of data in transit (HTTPS/TLS) and at rest;
• database access controls, including row-level security so each broker can only access their own clients’ information;
• private, access-controlled file storage that is not publicly reachable;
• passwordless sign-in for brokers using passkeys, with rate limiting and monitoring to resist automated attacks;
• append-only audit logging of sensitive actions;
• restricting access to staff and providers who need it to operate the Services.

No method of transmission or storage is completely secure, but we work to protect personal information and to continually improve our safeguards.

Data breaches

We maintain a data-breach response process. If we become aware of a data breach that is likely to result in serious harm, we will assess it promptly and, where the Notifiable Data Breaches scheme requires, notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable, including the steps you should take in response.

Where a breach affects information we hold on behalf of a broker, we will also notify the broker promptly so they can meet their own obligations.

How long we keep information

We keep personal information only for as long as we need it for the purposes described in this policy, or for as long as required by law. We retain information we hold on behalf of a broker in line with the broker’s account and instructions.

When information is no longer needed, we take reasonable steps to destroy it or to de-identify it.

Direct marketing and electronic messages

We may send you information about our Services. We only send marketing messages where we are permitted to, and every commercial electronic message we send will identify us and include a working unsubscribe option, in line with the Spam Act 2003 (Cth). You can opt out of marketing at any time by using the unsubscribe link or by contacting us, and we will action your request promptly.

Account, billing, security and other service messages are not marketing and may still be sent while you hold an account.

Cookies and analytics

Our website and web application use cookies and similar technologies that are necessary to run the site, keep you signed in, and keep the Services secure. We do not use advertising trackers. You can control cookies through your browser settings, although some features may not work without them.

Accessing and correcting your information

You can ask us for a copy of the personal information we hold about you, and ask us to correct it if it is inaccurate, out of date, incomplete, irrelevant or misleading.

For client onboarding information we hold on behalf of a broker, please contact that broker first, as they control that information; we will assist them as needed. For other requests, contact us using the details below. We may need to verify your identity before acting on a request, and in limited cases the law allows us to decline, in which case we will explain why.

Children

The Services are intended for brokers and their adult clients and are not directed at children. We do not knowingly collect personal information from anyone under 18 for our own purposes. If you believe we hold such information, please contact us and we will take appropriate steps.

Complaints

If you believe we have mishandled your personal information or breached the Australian Privacy Principles, please contact us using the details below. We will acknowledge your complaint and aim to resolve it within a reasonable time.

If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or on 1300 363 992.

Changes to this policy

We may update this policy from time to time. The current version is always available at firstaboard.com/privacy, with the "last updated" date shown at the top. Significant changes will be reflected on this page.

Contact us

For any privacy question or request, contact:

• First Aboard Pty Ltd (ABN 23 699 291 122)
• Email: support@firstaboard.com