Privacy Policy

Last updated: 27 March 2026

1. About this policy

MySecureSend (“we”, “our”, “us”) is committed to protecting the privacy of individuals whose personal information we handle. This Privacy Policy explains how we collect, use, disclose, store, and protect personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

By using MySecureSend, you agree to the practices described in this policy. If you do not agree, please discontinue use of the service.

2. Information we collect

Account information: When you register, we collect your name, email address, and organisation name.

OAuth2 connection: When you connect Gmail or Outlook 365, we store OAuth2 access and refresh tokens (AES-256 encrypted) to send email on your behalf. We do not access any email content beyond sending.

Send metadata (audit log): For each send, we log: recipient email address, last 3 digits of recipient phone, email subject, file names and count, sender IP address, SMS delivery status, and a 2-character password hint. We do not log full passwords or full phone numbers.

Files: We do not store files. Files are encrypted in-memory using AES-256 and transmitted directly. They are never written to disk and are discarded immediately after sending.

3. How we use your information

  • To provide the MySecureSend service and process secure file deliveries
  • To authenticate you and maintain your account session
  • To send transactional emails (invite links, account confirmations) via Resend
  • To deliver SMS password notifications via Twilio
  • To maintain tamper-evident audit logs for your compliance requirements
  • To improve service reliability and diagnose technical issues

We do not use your information for advertising, profiling, or sale to third parties.

4. Disclosure to third parties

We disclose personal information only to the following service providers, strictly for the purpose of delivering the service:

  • Supabase: Database and authentication (Sydney region, ap-southeast-2 - data stored in Australia)
  • Vercel: Application hosting (Sydney region, syd1)
  • Twilio: SMS delivery for password notifications
  • Resend: Transactional email delivery (invite and notification emails)
  • Google / Microsoft: OAuth2 email sending only - we use your credentials solely to send email on your behalf

We do not sell, rent, or share personal information with any other third party.

5. Data storage and security

Location: All data is stored in Australia (Supabase Sydney, AWS ap-southeast-2). Data does not leave Australian jurisdiction.

Encryption at rest: OAuth2 tokens are encrypted with AES-256 before storage. All database connections use TLS.

Zero file retention: Files are encrypted in-memory and immediately discarded after sending. We have no ability to access, retrieve, or disclose any file contents because we never store them.

6. Retention periods

  • Account data: Retained for the duration of your account plus 90 days after deletion
  • Audit log (send_logs): Retained for 7 years to meet compliance obligations
  • OAuth2 tokens: Retained until you disconnect the account or delete your account
  • Files: Not retained - discarded immediately after encryption and transmission

7. Your rights (Australian Privacy Principles)

Under the Privacy Act 1988 (Cth), you have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate or incomplete information
  • Request deletion of your account and associated data (subject to legal retention obligations)
  • Lodge a complaint about how we handle your personal information

To exercise any of these rights, contact us at hello@mysecuresend.com.au. We will respond within 30 days.

8. PII subject line redaction

MySecureSend provides a PII subject redaction feature. When the sender ticks the “Subject contains PII” checkbox, the subject line is replaced with a reference number before sending. The original subject is stored in the audit log visible only to you - not to recipients. This feature assists with compliance under the Privacy Act 1988 for the 18 identifier categories including names, dates of birth, Medicare numbers, and other identifiers.

9. Cookies and tracking

We use session cookies for authentication only. We do not use tracking cookies, analytics scripts, or advertising pixels. We do not track users across third-party websites.

10. Changes to this policy

We may update this policy from time to time. Material changes will be notified by email to the account holder at least 14 days before taking effect. Continued use of the service after that date constitutes acceptance of the updated policy.

11. Contact us

For privacy enquiries contact us at hello@mysecuresend.com.au or support@mysecuresend.com.au.