Privacy Policy

Effective 12 March 2026 · Last updated 15 March 2026

1. Overview

Rand Pty Ltd (ABN [to be inserted]) (“Rand”, “we”, “us”) operates an AI-powered R&D Tax Incentive compliance platform for Australian technology companies. This privacy policy explains how we collect, use, disclose, and protect your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This policy applies to all users of the Rand platform, including organisation members, administrators, and expert reviewers.

2. Collection principles

We only collect personal information that is reasonably necessary to provide the Rand platform and fulfil our obligations (APP 3). We do not collect information we do not need.

Due to the nature of the service — preparing R&D Tax Incentive claims tied to specific individuals, organisations, and financial records — it is not practicable to provide the service on an anonymous or pseudonymous basis (APP 2).

3. Information we collect

We collect the following categories of information:

  • Account information — your name, email address, and role within your organisation.
  • Organisation data — company name, ABN, industry, and company description provided during onboarding.
  • Employee data — names, roles, employment type, salary information, and optional GitHub/Jira usernames for staff involved in R&D activities. This data is used to calculate R&D expenditure allocations.
  • R&D activity data — core and supporting activity descriptions, hypotheses, experimental methodologies, outcomes, evidence records, and confidence assessments.
  • Integration data — when you connect GitHub, Jira, or other tools, we sync relevant signals such as pull request titles, descriptions, and issue summaries. We access this data via OAuth with the minimum permissions required.
  • Financial data — R&D expenditure figures, allocation percentages, and claim amounts compiled for your R&D Tax Incentive submission.
  • Usage data — page views, feature usage, and performance metrics collected via Vercel Analytics to improve the service.
  • Payment information — subscription billing is processed by Stripe. We do not store your credit card details. Stripe’s privacy policy governs their handling of payment data.

Third-party personal information: If you enter personal information about your employees or contractors (such as names, salaries, roles, and developer usernames), you are responsible for ensuring that you have the authority to provide this information and that those individuals have been notified that their data will be processed through Rand.

Sensitive information: We do not intentionally collect sensitive information as defined in section 6 of the Privacy Act 1988 (such as health information, racial or ethnic origin, political opinions, or biometric data). Salary and financial data collected through the platform is business information used for R&D expenditure calculations and is not classified as sensitive information under the Act.

4. How we use your information

We use your information to:

  • Provide the Rand platform, including AI-powered analysis of R&D signals, drafting of activity descriptions, and compilation of R&D Tax Incentive claims.
  • Facilitate expert review of your R&D activities by assigned reviewers.
  • Calculate R&D expenditure allocations based on employee data and time records.
  • Send notifications about your claim progress, reviewer tasks, and AI-generated suggestions.
  • Process billing and manage your subscription.
  • Improve and maintain the platform.
  • Comply with legal obligations, including ATO record-keeping requirements.

5. AI and automated processing

Rand uses artificial intelligence to analyse R&D signals (such as pull requests and technical tickets) and draft activity descriptions aligned to AusIndustry registration requirements. Our AI processing is powered by Anthropic’s Claude models.

Key points about our AI processing:

  • All AI-generated content is clearly marked as a draft and requires human review before it becomes part of your claim. AI outputs are probabilistic assessments, not factual determinations.
  • AI is used to assess relevance, map signals to activities, and suggest R&D allocations — but no claim content is finalised without human approval.
  • AI confidence scores and risk assessments are visible so you can make informed decisions.
  • We only send the minimum data necessary to the AI provider for each specific task.
  • Your data sent to Anthropic is processed under their commercial API terms. It is not used to train their models, is not stored beyond the request lifecycle, and is not accessible to other Anthropic customers.
  • Rand does not use AI to make automated decisions that have legal or similarly significant effects on individuals without human oversight.

6. Who we share data with

We do not sell your personal information. We share data with the following third parties solely to operate the platform:

  • Supabase — database hosting and authentication.
  • Anthropic — AI processing of R&D signals and activity drafting.
  • Vercel — application hosting and analytics.
  • Stripe — payment processing.
  • Resend — transactional email delivery (notifications, digests).
  • Expert reviewers — registered R&D professionals assigned to your organisation can access your R&D activity data to provide expert review and approval.

We may also disclose information where required by law, regulation, or legal process.

7. Data security

We take reasonable steps to protect your information from misuse, interference, loss, and unauthorised access. Our security measures include:

  • Encryption in transit (TLS) and at rest.
  • Row-level security (RLS) ensuring each organisation’s data is isolated at the database level.
  • Role-based access controls with separate permissions for members, administrators, and reviewers.
  • Immutable audit logging of all significant actions within the platform.
  • Secure authentication with session management.

8. Data retention

We retain your information for as long as your account is active and as needed to provide the service. Specific retention periods:

  • Financial and tax records — retained for a minimum of 7 years in accordance with ATO record-keeping requirements.
  • Audit logs — retained for the life of the associated claim year plus 7 years.
  • Account data — retained while your account is active. On account closure, we delete personal data within 30 days, subject to legal retention obligations.

You may request deletion of your data at any time. Where we are required by law to retain certain records (e.g. tax-related data), we will inform you of the applicable retention period.

9. Your rights

Under the Australian Privacy Principles, you have the right to:

  • Access your personal information held by us (APP 12).
  • Request correction of inaccurate or incomplete information (APP 13).
  • Opt out of receiving any direct marketing communications from us at any time (APP 7). Currently, Rand only sends transactional notifications related to your account and claim activity.
  • Complain if you believe we have breached the APPs.

To exercise these rights, contact us using the details below. We will respond to access and correction requests within a reasonable period, generally within 30 days. For complex requests, we will notify you if additional time is needed and provide reasons for the delay.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

10. Cookies

Rand uses a minimal set of cookies, all essential to the operation of the platform:

  • Authentication cookies — managed by Supabase to maintain your logged-in session.
  • Claim year cookie (rand-claim-year-id) — a 90-day cookie to remember your selected financial year within the application.
  • OAuth state cookies — short-lived cookies (up to 10 minutes) used during GitHub and Jira integration setup for security verification (CSRF protection). These are automatically deleted after use.

We use Vercel Analytics for basic, privacy-friendly usage metrics (page views and performance data). Vercel Analytics does not use cookies and does not track individual users across sites. We do not use advertising, marketing, or third-party tracking cookies.

11. Data breach notification

In the event of a data breach that is likely to result in serious harm, we will notify the OAIC and affected individuals as soon as practicable, in accordance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act.

We maintain a data breach response plan and will assess any suspected breach as expeditiously as possible, and in any event within 30 days of becoming aware of it, as required under the Act.

12. International data transfers

Some of our third-party service providers are based outside Australia. Your data may be transferred to the following countries as part of providing the service:

  • United States — Anthropic (AI processing), Vercel (hosting and analytics), Stripe (payment processing), Resend (email delivery), and GitHub/Atlassian (integration data syncing, where connected by you).
  • Australia — Supabase (database hosting and authentication, Sydney region).

In accordance with APP 8, we take reasonable steps to ensure each overseas recipient handles your personal information consistently with the APPs. This includes entering into contractual arrangements that require the recipient to protect personal information, and selecting providers with established privacy and security practices that meet or exceed Australian standards.

13. Changes to this policy

We may update this policy from time to time. For material changes, we will notify you via email or through the Rand platform before the changes take effect. We encourage you to review this page periodically.

14. Contact

For privacy enquiries, access requests, or complaints, contact us at:

Rand Pty Ltd (ABN [to be inserted])

Email: support@randapply.com

Melbourne, Victoria, Australia

You may also contact the Office of the Australian Information Commissioner (OAIC) directly if you have concerns about how we handle your personal information.