
Privacy Policy

Consent

Last Updated: 24 March 2026

This Privacy Policy describes how Grant Help collects, uses, stores, and discloses personal information through our web application Grant Help Plus, accessible at plus.granthelp.com.au, and our website at www.granthelp.com.au (collectively, the "Platform").

The Platform is intended for use by Australian businesses and their employees. We are committed to complying with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) and applicable state and territory privacy legislation. This policy applies to all individuals who interact with our Platform, including users, employees of client organisations, and website visitors.

By using our website, you hereby consent to our Privacy Policy and agree to its terms.

1. Information we collect

We collect personal information both directly from individuals (e.g., when you register an account or use the chat assistant) and indirectly from client organisations (e.g., when your employer enters your details into the Platform for R&D compliance tracking).

Where it is lawful and practicable, individuals may choose not to identify themselves when interacting with us. However, due to the nature of our services, we generally require personal information to provide access to the Platform and fulfil our service obligations.

1.1 Account Information

When you register for or are provisioned a Grant Help Plus account, we collect:

  • Full name
  • Email address
  • Role and permissions within your organisation
  • Company association(s)
  • Timezone preference

Authentication is handled via email one-time password (OTP), Microsoft OAuth, or Google OAuth. We do not collect or store passwords.

1.2 Company Information

Organisations using Grant Help Plus provide:

  • Company name
  • Australian Business Number (ABN)
  • Contact email and phone number
  • Business address
  • Public website URL and information from the website
  • Company logo

1.3 Employee and Workforce Data

To facilitate R&D compliance tracking, client organisations may enter information about their employees into the Platform. This information is collected indirectly. It is provided by the employer, not by the employee directly. Client organisations are responsible for ensuring their employees are aware that their information is being submitted to Grant Help for processing.

Information collected may include:

  • Employee name and email address
  • Job title
  • Hourly rate or salary information
  • Hours worked and R&D time allocations
  • R&D activity descriptions and project details
  • Timesheet submission, review, and rejection notes

1.4 Financial and Payroll Data (via Xero Integration)

Where a company connects their Xero account, we access financial and payroll data on a read-only basis, including:

  • Profit and Loss report data: monthly income and expense totals for each month of the financial year
  • Invoice and bank transaction data: supplier bills and outgoing payments with individual line items
  • Chart of accounts data: account types, account names, account descriptions used to classify and organise transactions
  • Fixed asset data: asset identification details, purchase and disposal information, current and prior accumulated depreciation amounts, depreciation method and rate parameters, effective life, and book values.
  • Contact data: supplier names, email addresses, phone numbers (default and mobile), and location details (city, region, and country), used to assess supplier eligibility for R&D claims.
  • Employee first and last names
  • Pay run details (wages, deductions, tax, superannuation, net pay)
  • Payslip line items (earnings, deductions, leave accruals, reimbursements)

Grant Help Plus does not access or store Xero login credentials at any point. Authentication is handled exclusively via Xero, meaning your Xero username and password are never transmitted to or seen by Grant Help. Bank account numbers are neither requested nor stored. Grant Help Plus operates under read-only API permissions and cannot modify, create, or delete any data within your Xero account.

1.5 Documents

Users may upload documents to support R&D claims. We store these documents in secure cloud storage and retain associated metadata including the uploader's name, email, role, and upload timestamp.

1.6 AI Processing and Interactions

Grant Help Plus includes an AI-powered assistant. When you use this feature:

  • Your messages are sent to our AI service provider (Anthropic) for processing
  • Contextual data such as employee names, job titles, project details, timesheet data, and R&D activity descriptions may be included to provide relevant responses
  • Conversation history, including AI responses and tool execution results, is stored in our database

  • The AI assistant is also applied to Xero-synced financial data. Specifically, transaction line items, including supplier invoice data, outgoing bank transaction data, and chart of accounts classifications, are processed by Anthropic's Claude model for the purpose of automated R&D expense categorisation. Payroll data, including pay run details and individual payslip line items, may also be processed in this manner where relevant to R&D cost allocation.

The AI assistant may also be used to validate R&D activity descriptions, assess eligibility, classify documents, and generate company profiles. These AI-assisted assessments are used to support human decision-making and do not constitute automated decisions with legal or similarly significant effect. All AI outputs are subject to review by Grant Help staff or the client organisation.

1.7 Usage and Analytics Data

We collect non-personally identifiable usage data to improve the Platform, including:

  • Named application events (e.g., "timesheet submitted", "document uploaded") and limited metadata
  • Page interactions and behavioural data via session analytics tools (when enabled)

1.8 Log Data

Our hosting infrastructure automatically records standard log data including IP addresses, browser type, access timestamps, and referring pages. This data is used for security monitoring and troubleshooting and is not linked to individual user accounts.

1.9 Audit Logs

All data changes within the Platform are recorded in audit logs, including the user who made the change and the previous and updated values. Audit logs are maintained for compliance, security, and data integrity purposes.

2. How we use your information

We use personal information for the following purposes:

  • Providing our services: Operating the Platform, processing timesheets, managing R&D documentation, and generating compliance reports
  • AI-assisted analysis: Validating R&D activity descriptions, classifying documents, checking eligibility, and generating company profiles using our AI assistant
  • Communications: Sending transactional emails including onboarding information, timesheet reminders, and service notifications from compliance@granthelp.com.au
  • Account administration: Managing user accounts, roles, permissions, and multi-company access
  • Payroll integration: Importing payroll data from Xero to streamline timesheet entry
  • Analytics and improvement: Understanding how the Platform is used to improve functionality and user experience
  • Security and compliance: Maintaining audit trails, detecting fraud, and ensuring data integrity
  • Legal obligations: Complying with applicable laws, regulations, and government requests

We do not use your personal information for direct marketing or sell your personal information to third parties.

3. Third-Party Service Providers

We engage the following third-party service providers who may process personal information on our behalf:

  1. Supabase (Cloud Infrastructure/AWS) — Database hosting, authentication, file storage. Processes all application data. Location: Cloud infrastructure (AWS).
  2. Anthropic (United States) — AI language model (Claude) for R&D analysis and chat assistant, and automated financial data classification. Processes employee names, job titles, R&D activity descriptions, project details, document content, Xero-synced financial transaction data (including supplier invoice line items, outgoing bank transaction line items, and chart of accounts data), and payroll data (including pay run details and payslip line items).
  3. Vercel (Global CDN) — Application hosting, serverless functions, analytics, and AI Gateway (proxy for AI model requests). Processes application event data, server-side request handling, and routes requests to AI providers.
  4. Resend (United States) — Transactional email delivery. Processes recipient name and email address, email content.
  5. Xero (Australia/Global) — Financial and payroll data import (read-only, user-initiated). Processes OAuth tokens; financial and payroll data accessed on-demand, including profit and loss report data, invoice and bank transaction data, chart of accounts data, fixed asset records, contact records (names, email addresses, phone numbers, and location details), and payroll data (employee names, pay run details, and payslip line items).
  6. Hotjar (European Union) — Session analytics and behavioural insights (when enabled). Processes page interactions, clicks, scrolls.
  7. Microsoft (Global) — OAuth authentication provider (optional). Processes email address (for authentication only).
  8. Google (Global) — OAuth authentication provider (optional) and Maps/Places API for address validation. Processes email address (for authentication) and company business addresses (for address autocomplete).
  9. Voyage AI (United States) — Embedding model for automated expense classification. Processes financial transaction descriptions for vector similarity matching. Accessed via Vercel AI Gateway.

Each provider is bound by their own privacy policies and data processing terms. We select providers with appropriate security practices, but we acknowledge that some providers operate outside Australia and your data may be processed in the jurisdictions listed above.

4. Data Storage and Security

4.1 Storage

All Company Data stored within the Platform's Supabase-hosted PostgreSQL databases and Supabase Storage is encrypted at rest using AES-256 encryption. Data in transit is protected using TLS 1.2 or higher, applied across all connections to the Platform. Primary database infrastructure is hosted in the Australian region. Application hosting and serverless functions are deployed across Australian and international regions. Third-party providers may process data in overseas jurisdictions as described in Section 9.

4.2 Access Control

Row-level security is enforced at the database level, ensuring that users can only access data belonging to their own organisation. OAuth tokens used for third-party integrations are stored server-side only and are never transmitted to or stored in the browser. Administrative access to the platform infrastructure is limited to authorised Grant Help staff.

4.3 Authentication Security

  • One-time passwords are short-lived and single-use
  • Session tokens are managed with automatic expiry
  • Third-party OAuth providers (Microsoft, Google) use industry-standard OAuth 2.0 flows
  • Integration tokens (e.g., Xero) are stored securely and refreshed automatically

4.4 Security Measures

Our primary infrastructure providers — including Supabase, Vercel, Anthropic, Resend, and Voyage AI — hold SOC 2 Type 2 certification, providing independent verification of their security, availability, and confidentiality controls.

We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. These measures include encrypted connections, access controls, audit logging, and regular security reviews. However, no method of electronic storage or transmission is 100% secure, and we cannot guarantee absolute security.

5. Data Retention

We retain personal information for as long as your account is active or as needed to provide our services. Specifically:

  • Account data: Retained while the account is active. Deactivated accounts are marked inactive but retained for compliance purposes.
  • Timesheets and R&D records: Retained for the duration of the client relationship and for a minimum of five (5) years thereafter to support R&D Tax Incentive compliance and potential ATO audit requirements.
  • Chat and AI conversation history: Retained for the duration of the client relationship and for a reasonable period thereafter for service quality purposes, unless earlier deletion is requested.
  • Audit logs: Retained indefinitely for compliance and data integrity purposes.
  • Uploaded documents: Retained until deleted by the user or for the duration of the client relationship.
  • Xero financial and payroll data: Synced Xero data forms part of the supporting evidence for R&D Tax Incentive claims. Accordingly, synced Xero data is subject to the same retention period as other R&D records — a minimum of five (5) years from the date of the most recent R&D Tax Incentive claim period, in alignment with ATO record-keeping requirements.

Upon termination of a client relationship, we will retain data as required by law or legitimate business purposes and securely delete or de-identify data that is no longer required. Deletion of data associated with submitted R&D claims may not be possible while those claims remain within the ATO retention period.

6. Cookies and Tracking Technologies

The Platform uses the following technologies:

  • Session storage: Authentication tokens are stored in your browser to maintain your logged-in session. These are cleared when you sign out.
  • Vercel Analytics: Collects anonymised application usage events to help us understand Platform usage patterns.
  • Hotjar (when enabled): May use cookies to track session interactions for behavioural analytics. Hotjar sets its own cookies (e.g., _hjSession, _hjSessionUser) subject to Hotjar's privacy policy.

We do not use advertising cookies, retargeting pixels, or third-party ad networks on the Platform. We do not serve advertisements.

7. Your Rights Under Australian Privacy Law

Under the Australian Privacy Principles, you have the right to:

  • Access your personal information that we hold (APP 12)
  • Request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13)
  • Request deletion of your personal information where it is no longer required for the purposes for which it was collected. Please note that deletion of data associated with submitted R&D claims may not be possible while those claims remain within the ATO retention period
  • Lodge a complaint if you believe we have breached the Australian Privacy Principles (APP 1)
  • Opt out of receiving non-essential communications

If you are an employee whose information has been entered into the Platform by your employer, you may contact us directly to exercise your access and correction rights, or you may raise the matter with your employer.

To exercise any of these rights, please contact us using the details in Section 11 below.

We will respond to access and correction requests within 30 days. If we refuse a request, we will provide written reasons and information about how you may complain about the refusal.

8. Disclosure of Information

We may disclose personal information in the following circumstances:

  • To our third-party service providers as described in Section 3, solely for the purposes of providing and improving our services
  • To your employer or organisation administrator, as permitted by your organisation's use of the Platform
  • Where required or authorised by Australian law, including in response to lawful requests from government agencies (e.g., the Australian Taxation Office)
  • To protect the rights, property, or safety of Grant Help, our users, or the public
  • In connection with a merger, acquisition, or sale of assets, in which case we will notify affected users

We do not sell, rent, or trade personal information to third parties for their marketing purposes.

9. Cross-Border Data Transfers

While Grant Help operates in Australia and serves Australian clients, some of our third-party service providers process personal information in overseas jurisdictions. In accordance with APP 8, we disclose the following:

  • United States: Anthropic (AI processing), Voyage AI (embedding generation), Resend (email delivery), and cloud infrastructure providers
  • European Union: Hotjar (session analytics, when enabled)
  • Global / multiple jurisdictions: Vercel (application hosting via global CDN), Microsoft and Google (OAuth authentication)

Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient does not breach the Australian Privacy Principles, including reviewing their data processing terms and security practices. We remain accountable under the Privacy Act for personal information disclosed to overseas recipients.

10. Data Breach Notification

In the event of an eligible data breach, where unauthorised access to, disclosure of, or loss of personal information is likely to result in serious harm, we will comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. This includes:

  • Assessing suspected breaches within 30 days
  • Notifying affected individuals as soon as practicable after completing our assessment of the breach
  • Notifying the Office of the Australian Information Commissioner (OAIC)
  • Providing a description of the breach, the kinds of information involved, and recommended steps individuals should take

11. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or want to make a complaint, please contact us:

Grant Help Pty Ltd

  • Privacy enquiries and complaints: compliance@granthelp.com.au
  • Data deletion requests: techsupport@granthelp.com.au
  • Website: www.granthelp.com.au
  • Phone: 1300 367 348
  • Address: 6A Cecil Place, Prahran VIC 3181, Australia

Complaints process: If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with us at compliance@granthelp.com.au. We will acknowledge your complaint within 7 days and aim to resolve it within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

12. Children's Privacy

Grant Help Plus is a business-to-business service and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a person under 18 without appropriate consent, we will take steps to delete that information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to our practices, services, or legal obligations. We will notify users of material changes by updating the "Last Updated" date. Your continued use of the Platform after changes are posted constitutes acceptance of the updated policy.

14. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the State of Victoria, Australia, and the Privacy Act 1988 (Cth). You submit to the non-exclusive jurisdiction of the courts of Victoria and any courts entitled to hear appeals from those courts.
