Privacy Policy

Last updated · 8 April 2026

1. About this policy

Halo Ai Technologies (ABN: 82801499583) ("Halo Ai", "we", "us", "our") operates the Halo Ai platform at app.haloai.com.au, including the Excel and Word Office Add-ins (collectively, the "Service").

This Privacy Policy explains how we collect, use, disclose, and protect your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). It also addresses our obligations under the Tax Agent Services Act 2009 and professional standards applicable to accounting and audit firms.

By using the Service, you consent to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.

2. Information we collect

2.1 Account information

When you create an account, we collect:

  • Full name
  • Email address
  • Password (stored as a cryptographic hash; we never store or have access to your plaintext password)
  • Organisation name and role within the organisation

2.2 Billing information

Payment processing is handled by a PCI DSS Level 1 certified payment provider. We store your billing email address and a payment reference ID. We do not store, process, or have access to your credit card numbers, CVV, or full payment card details.

2.3 Data from Microsoft 365 integrations

When you connect Microsoft 365, we may access:

  • Teams, SharePoint, and OneDrive files: Access is governed by the permissions you authorise during connection. Credentials are encrypted at rest.
  • Outlook (via the Halo Outlook add-in): When you open the Halo taskpane on a message, we read that message's content (sender, subject, body, attachments mentioned) in order to summarise the email, draft a reply for you to review, or extract structured fields. The add-in is read-only — it never sends, forwards, deletes, marks, or follows links. URLs are stripped from message bodies before they are sent to AI processing.

2.4 Uploaded documents

You may upload documents (PDF, Excel, Word, images) up to 20 MB each. We extract text content from uploaded documents to enable AI-powered analysis. Uploaded files are stored in isolated, organisation-scoped storage.

2.5 AI conversation data

We store your conversations with the Halo Ai assistant, including messages, tool invocations, and generated outputs. This data is used to provide the Service and improve your experience within your organisation.

2.6 Usage and audit data

We automatically collect:

  • IP address and user agent string
  • Actions performed within the Service (tool calls, file operations, integration events)
  • Timestamps of all actions
  • API usage metrics (request counts, model usage)

This data is recorded in an immutable audit trail to support professional compliance requirements for accounting and audit firms.

3. How we use your information

We use your information to:

  • Provide, maintain, and improve the Service
  • Process AI queries and return relevant results
  • Connect to and retrieve data from your authorised integrations (Microsoft 365: Teams, SharePoint, OneDrive, Outlook)
  • Process payments and manage your subscription
  • Send transactional emails (account confirmation, password reset, billing notifications, alerts)
  • Maintain audit trails as required by professional accounting standards
  • Enforce usage limits based on your subscription tier
  • Investigate and prevent security incidents or misuse

We do not use your data for advertising, sell your data to third parties, or use your data to train AI models.

4. AI processing and data handling

Halo Ai uses multiple specialised AI models to process your queries, each optimised for different tasks. All AI processing is performed on private, encrypted servers located in Australia, ensuring your data remains within Australian infrastructure.

Key commitments regarding AI processing:

  • No model training: Your data is not used to train, fine-tune, or improve any AI models. This is contractually guaranteed by our infrastructure providers.
  • Ephemeral processing: Data sent for AI processing is not retained by any provider after the response is generated.
  • Australian data residency: AI processing occurs exclusively within Australian data centres.
  • Document search: We generate mathematical representations of your documents to enable intelligent search. These representations cannot be reversed to reconstruct original content.

5. Third-party service providers

We use a select number of third-party service providers to operate the Service. All core data, including your account information, conversations, and uploaded files, is stored on private, encrypted servers located in Australia.

Payment processing is handled by a PCI DSS Level 1 certified payment provider. Transactional emails (password resets, notifications) are delivered via a third-party email service. When you connect Microsoft 365, data is accessed via Microsoft's official APIs based on the permissions you authorise.

Each provider is bound by their own privacy policies and data processing agreements. We select providers that maintain appropriate security certifications and, where possible, offer Australian data residency.

6. Cross-border data disclosure

In accordance with APP 8, we disclose that the following data may be processed outside Australia:

  • Payment data is processed by a PCI DSS Level 1 certified provider in the United States.
  • Transactional emails (password resets, notifications) are delivered via a third-party email provider which operates from the United States.
  • Document search indexing involves generating mathematical representations of your documents via infrastructure in the United States. Only these mathematical representations are transmitted, not raw document content.
  • Web Search (Professional and Organisation tiers): when you use the live web-search feature, a sanitised version of your search query is sent to Perplexity AI's Search API (United States). Client identifiers including entity names, ABNs, ACNs, TFNs, email addresses, Australian phone numbers, and large dollar amounts are automatically removed before the query leaves Australia. Perplexity operates a Zero Data Retention policy on this API surface and does not use queries to train AI models. Search results are returned to our Australian infrastructure for analysis. Your uploaded documents, conversations, and AI processing remain within Australian data centres at all times.

All core data storage and AI processing (the primary data-intensive operations) are performed exclusively within Australia on private, encrypted servers.

7. Data security

We implement the following security measures to protect your information:

  • Organisation isolation: All data is scoped to your organisation, ensuring users can only access data belonging to their organisation.
  • Encryption at rest: All sensitive data, including integration credentials, is encrypted before storage. Passwords are cryptographically hashed.
  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Multi-factor authentication: We support two-factor authentication for all accounts.
  • Role-based access control: Organisation members are assigned roles (admin, partner, manager, staff) with tiered permissions governing which tools and data they can access.
  • Immutable audit trail: All significant actions are logged in a tamper-proof audit trail that prevents modification or deletion.
  • Private Australian servers: All data is stored on private, encrypted servers located in Australia.

8. Data retention and deletion

  • Account data: Retained for the duration of your active subscription. Upon account deletion, personal information is removed within 30 days.
  • Conversation history: Retained for 30 days by default. Organisations may configure shorter retention periods.
  • Uploaded documents: Retained while your subscription is active. Deleted within 30 days of account closure or upon request.
  • Audit trail: Retained for a minimum of 7 years to comply with professional accounting and tax record-keeping obligations under the Income Tax Assessment Act 1997, Corporations Act 2001, and relevant professional standards.
  • Billing records: Retained as required by the GST Act 1999 and applicable tax legislation (minimum 5 years).

To request deletion of your data, contact us at the address below. We will process your request within 30 days, subject to any legal retention obligations.

9. Cookies and local storage

Halo Ai uses minimal browser storage, limited to:

  • Authentication session: A secure authentication token stored as an HTTP-only cookie to maintain your login session.
  • Microsoft authentication cache: If you use Microsoft sign-in or Office Add-ins, authentication state is stored locally in your browser.

We do not use any analytics cookies, advertising trackers, tracking pixels, or third-party tracking scripts. We do not use Google Analytics, Segment, Hotjar, or similar services.

10. Your rights

Under the Australian Privacy Principles, you have the right to:

  • Access (APP 12): Request a copy of the personal information we hold about you.
  • Correction (APP 13): Request correction of any inaccurate, out-of-date, or incomplete personal information.
  • Deletion: Request deletion of your personal information, subject to legal retention obligations.
  • Data portability: Request an export of your data in a structured, machine-readable format.
  • Revoke integration access: Disconnect Microsoft 365 at any time from your dashboard settings. Connection credentials are immediately deleted upon disconnection.
  • Complaint: If you are not satisfied with our handling of your information, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

To exercise any of these rights, contact us at the address below. We will respond within 30 days.

11. Professional obligations

We recognise that our users are accounting and audit professionals subject to stringent confidentiality obligations. Our platform is designed to support compliance with:

  • APES 110 Code of Ethics for Professional Accountants: Section 114 (Confidentiality) requires that information acquired in professional relationships is not disclosed without proper authority. Our organisation-scoped data isolation and RBAC controls support this obligation.
  • Tax Agent Services Act 2009: Tax practitioners must maintain confidentiality of client information. Our encrypted storage, access controls, and audit trails support these requirements.
  • APES 325 Risk Management for Firms: Our security measures, audit trails, and data governance support firms' risk management frameworks.
  • APES 220 Taxation Services: Record-keeping requirements are supported by our 7-year audit trail retention policy.

12. Children's privacy

The Service is designed for use by accounting and audit professionals and is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to your registered address at least 30 days before taking effect. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

14. Contact us

If you have questions about this Privacy Policy, wish to exercise your rights, or need to report a privacy concern, please contact us:

  • Email: info@haloai.com.au
  • Entity: Halo Ai Technologies (ABN: 82801499583)
  • Location: Melbourne, Victoria, Australia

For complaints that remain unresolved, you may contact the Office of the Australian Information Commissioner at www.oaic.gov.au or by phone on 1300 363 992.