Key Takeaways

Privacy Summary (v1.4)

ClearAML complies with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). We collect personal and customer data solely for identity verification (KYC/KYB), AML/CTF compliance, and operating the Service. Primary application infrastructure and data storage are located in Sydney, Australia. We use AES-256 encryption at rest and TLS in transit. We engage third-party providers for payments, identity verification, email delivery, and AI narrative generation — all bound by confidentiality and data protection obligations. Marketing tracking tools operate on public pages only with prior consent. ClearAML does not sell personal information. AML/CTF records are retained for 7 years; other data is deleted within 90 days of subscription end. Unused wallet credits are refundable on request.

Privacy Policy – Clear AML

Operated by Brive Pty Ltd
ABN: 14 680 839 329
Last updated: 8 June 2026

1. Who we are

This Privacy Policy explains how Brive Pty Ltd (ABN 14 680 839 329, trading as Clear AML) ("Brive", "Clear AML", "we", "us", "our") collects, uses, discloses and protects personal information when you:

  • visit any Clear AML websites or landing pages;
  • use the Clear AML web application and related services (the "Service"); or
  • communicate with us by email, chat, phone, social media or our support portal.

By using our websites or the Service, you acknowledge that you have read and understood this Policy. If you do not agree with it, you should not use the Service.

Our contact details for privacy matters are set out in section 19.

2. Scope and roles

This Policy applies to personal information we handle in connection with our own business operations and the provision of the Service to our customers.

For data that our customers upload, sync or otherwise submit into the Service about their own clients and related parties ("Customer Data"), we generally act as a data processor / service provider and process that information only on the documented instructions of the relevant customer. Our customers remain the data controller (or equivalent) for their Customer Data and are responsible for ensuring their own compliance with applicable privacy laws when they use the Service.

For personal information we collect directly about you (for example, during account setup, billing or support interactions), we act as a data controller and this Policy applies fully.

3. What personal information we collect

3.1 Account and contact information

  • Name, job title, firm name, email address, phone number, postal address.
  • Login credentials (hashed passwords) and authentication details (MFA tokens).
  • User settings and preferences.

3.2 Billing and transaction information

  • Subscription plan, invoices and payment history.
  • Limited payment card details processed by our PCI‑DSS compliant payment provider (Stripe). We do not store full card numbers.
  • Wallet balance and transaction records within the Service.

3.3 Usage and technical data

  • IP address, browser type, device identifiers, operating system.
  • Pages visited, features used, timestamps and clickstream data.
  • In‑app activity logs (verifications run, assessments completed, reports exported, team training completions).

3.4 Customer Data

Our customers may upload or generate information about their own clients, including:

  • Identity details (name, date of birth, address, identity document details, citizenship).
  • Business details (registration numbers, directors, beneficial owners, trust structures).
  • Matters and transactions (nature of business relationship, source of funds, risk assessment outcomes).
  • Biometric data — facial images and liveness‑check recordings collected for digital identity verification purposes. See section 16 for our specific treatment of biometric data.
  • Staff compliance information (Personal Due Diligence records, training completion, role and AML/CTF responsibilities).

4. How we collect personal information

We collect information:

  • Directly from you when you create an account, start a trial, complete onboarding, contact support, or respond to surveys or communications.
  • Automatically through server logs, cookies, and analytics tools when you visit our websites or use the Service. See section 14 for details on cookies.
  • From third parties, including government registers (e.g. ASIC, ABR), integrated practice‑management tools (e.g. Xero), screening and sanctions databases, and identity‑verification providers.

5. How we use personal information

  • To provide and operate the Service — account management, authentication, payment processing, identity verification, screening, risk assessment, and hosting Customer Data.
  • To secure and maintain the Service — monitoring, fraud detection, abuse prevention and security incident response.
  • To improve the Service — analysing usage patterns, diagnosing errors, and developing new features.
  • To communicate with you — service notices, onboarding support, billing alerts, security notifications and, where you have consented, marketing communications.
  • To comply with law — AML/CTF record-keeping and reporting obligations, responding to lawful requests from regulators and law enforcement.
  • To enforce our rights — detecting, investigating and resolving breaches of our Terms and applicable law.

We do not sell personal information to third parties.

6. Legal bases for processing

Under the Privacy Act 1988 (Cth), we collect and use personal information only where it is reasonably necessary for one or more of our functions or activities. The following describes the grounds on which we rely for each category of processing:

Performance of a contract

Processing necessary to provide the Service you have subscribed to — including account management, authentication, payment processing, hosting your data, and providing support.

Compliance with legal obligations

Retaining AML/CTF records for 7 years as required by the AML/CTF Act 2006; responding to lawful orders from courts, regulators and law enforcement; meeting tax and accounting obligations.

Legitimate interests

Fraud prevention, security monitoring, improving the Service through usage analytics, communicating service updates, and enforcing our Terms — where these interests are not overridden by your rights and interests.

Consent

Marketing communications (where opt-in consent has been obtained) and placing non-essential cookies (analytics and marketing) where required by applicable law.

7. Controller vs. processor responsibilities

When a customer uses the Service to process Customer Data about their own clients or staff, the customer is the data controller and Brive is the data processor. We process Customer Data only on the customer's documented instructions (as set out in their Terms of Service and any agreed data processing agreement).

Customers who require a formal Data Processing Agreement (DPA) may request one by contacting us at support@clearaml.com.au.

8. How we share personal information

We do not share personal information except in the following circumstances:

8.1 Third-party service providers

We engage third-party service providers to help us operate and deliver the Service. All providers are contractually required to protect personal information to a standard at least equivalent to this Policy. The categories of providers we use include:

  • Cloud infrastructure and hosting providers — for application hosting, database storage, authentication, and file storage.
  • Payment processors — for subscription billing and transaction processing. We do not store full payment card details.
  • Identity verification and AML screening providers — for KYC/KYB identity checks, liveness detection, and sanctions/PEP screening on behalf of our customers. Identity document verification may involve access to the Australian Government's Document Verification Service (DVS) through an authorised DVS provider, meaning document details are checked against official government records.
  • Email delivery providers — for transactional and service-related communications.
  • Performance and caching infrastructure — for rate limiting and application performance.
  • AI and language model providers — for generating internal client risk narratives as part of the compliance workflow. See section 15 for further detail.

We will notify you before engaging any new provider that materially changes how your Customer Data is processed.

8.2 Brive staff access

Brive personnel (including support staff and engineers) may access Customer Data on a need-to-know basis solely to: (a) resolve support requests you have submitted; (b) diagnose and repair technical issues; or (c) comply with legal obligations. All such access is logged, and staff are bound by confidentiality obligations. We do not access Customer Data for commercial, marketing or analytical purposes beyond those described in this Policy.

8.3 Your organisation

Activity logs and audit trails within the Service are visible to administrators within your organisation as configured by your Account Owner.

8.4 Regulators and law enforcement

We may disclose personal information to regulators (including AUSTRAC, the OAIC, and overseas equivalents), law enforcement agencies, courts, and other government bodies where required by law, court order or regulation. Where legally permitted, we will notify you of such a request before disclosing.

8.5 Business transfers

If Brive is involved in a merger, acquisition, asset sale or restructuring, personal information may be transferred as part of that transaction. We will notify you before your personal information is transferred and becomes subject to a different privacy policy.

9. International transfers of personal information

Our primary application infrastructure and database are hosted in Sydney, Australia. Your personal information and Customer Data are stored in Australia as the default. Overseas transfers are limited to specific sub-processor categories where Australian alternatives are not available or not appropriate — specifically payment processing, AI-assisted narrative generation, and email delivery, each of which involves sub-processors located in the United States.

When we transfer personal information outside Australia, we take the following steps to ensure it remains protected:

  • Contractual protections — We enter into data processing agreements with all overseas sub-processors that contractually require them to handle Australian personal information in accordance with the Australian Privacy Principles.
  • Adequacy assessments — We assess each sub-processor's country and security practices before engagement to ensure an adequate level of protection.
  • Continued responsibility — Under APP 8 of the Privacy Act 1988 (Cth), Brive remains accountable for ensuring overseas recipients handle personal information in accordance with the APPs, even after transfer.

For biometric data, see section 16 for specific transfer and storage details.

10. Security

We implement industry-standard technical and organisational measures to protect personal information against unauthorised access, disclosure, alteration or destruction, including:

  • Encryption at rest (AES-256) and in transit (TLS 1.2+).
  • Role-based access controls limiting access to personal information to authorised personnel only.
  • Multi-factor authentication for access to production systems.
  • Comprehensive audit logging of access and modifications to personal data.
  • Regular vulnerability assessments and penetration testing.
  • Incident response procedures including breach notification processes.

In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth).

11. Data retention

11.1 AML/CTF records

Customer Data that constitutes AML/CTF records (including identity verification records, transaction records, risk assessments and suspicious matter reports) is retained for a minimum of 7 years from the date of the relevant transaction or the end of the customer relationship, as required by the Anti‑Money Laundering and Counter‑Terrorism Financing Act 2006 (Cth).

11.2 Account and Customer Data on subscription end

After a subscription is cancelled or terminated, we will retain your account information and Customer Data for 90 days to allow you to request an export. After that period, we will securely delete or de-identify Customer Data unless we are required to retain it under applicable law (including the 7-year AML/CTF retention requirement above).

11.3 Biometric data

Facial images and liveness recordings captured for identity verification are retained only for as long as necessary to complete the verification process and to meet applicable record-keeping obligations. See section 16 for further detail.

11.4 Usage and technical data

Server logs, usage analytics, and audit trail data are retained for a period of up to 2 years for security monitoring and compliance purposes, after which they are deleted or aggregated in de-identified form.

12. Your privacy rights

Under the Australian Privacy Principles, you have the following rights in relation to personal information we hold about you:

Access (APP 12)

You may request a copy of the personal information we hold about you and information about how we use it.

Correction (APP 13)

You may request that we correct personal information that is inaccurate, out of date, incomplete or misleading.

Deletion

In certain circumstances, you may request deletion of your personal information. We may be unable to delete information we are required by law to retain (including AML/CTF records).

Objection to marketing

You may object to us processing your personal information for direct marketing purposes at any time. We will stop using your information for marketing on receipt of your objection.

Withdrawal of consent

Where processing is based on your consent (for example, marketing emails or non-essential cookies), you may withdraw that consent at any time without affecting prior processing.

How to exercise your rights

Submit your request in writing to support@clearaml.com.au with the subject line "Privacy Request". We will acknowledge your request within 5 business days and respond substantively within 30 days of receipt (as required by APPs 12 and 13). We may ask you to verify your identity before processing your request. We do not charge a fee for access requests unless the request is excessive or repetitive. If we are unable to fully comply with a request, we will explain why in writing.

13. Marketing communications

We may send you marketing communications about our products and services where you have opted in or where we have a legitimate interest and applicable law permits. You can opt out of marketing emails at any time by clicking "Unsubscribe" in any marketing email or by contacting us at support@clearaml.com.au. We will process opt-out requests promptly and within a reasonable timeframe.

We do not share your personal information with third-party advertising platforms for targeting or retargeting purposes within the authenticated Service. For consented use of marketing and retargeting tools on our public website, see section 14.

14. Cookies and tracking technologies

14.1 Essential cookies

We use cookies that are strictly necessary for the Service to operate, including authentication sessions, security tokens, and user preferences. These cookies are placed without requiring your consent as they are essential to the functionality you have requested. You cannot opt out of essential cookies without also opting out of using the Service.

14.2 Analytics cookies

With your consent, we use analytics cookies to understand how visitors interact with our website (for example, pages visited, session duration, and error rates). This data is used in aggregated form to improve the Service and is not used to identify you personally.

14.3 Marketing and retargeting technologies

With your consent, we use the following third-party marketing tools on our public website (not within the authenticated Service) to identify returning visitors and deliver relevant advertising:

  • rb2b / Retention.com — These tools may associate your website visit with your email address (if previously provided to us) for the purpose of delivering relevant marketing communications. They operate only after you have provided consent via our cookie consent banner.

These tools are not active within the authenticated Service (your logged-in dashboard) and do not process Customer Data. They operate only on public-facing website pages. You can opt out at any time by: (a) withdrawing cookie consent via the consent banner on our website; (b) visiting retention.com/optout; or (c) contacting us at support@clearaml.com.au.

14.4 Consent and managing cookies

When you first visit our public website, a cookie consent banner is displayed. Non-essential cookies (analytics and marketing) are only placed after you actively accept them. You can change your consent preferences at any time by revisiting the banner or adjusting your browser settings. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

15. AI-assisted compliance narratives

15.1 What the feature does

The Service uses artificial intelligence (AI) / large language model (LLM) technology to generate internal client risk narratives. When a compliance officer completes a client risk assessment, the Service can automatically produce a draft written rationale summarising the risk profile. This is a standard part of the compliance workflow — not a separate optional add-on.

15.2 Data sent to AI sub-processors

To generate a narrative, structured and anonymised data about the client profile — such as entity type, risk category, flagged risk indicators, and relevant assessment fields — is sent to our AI sub-processor. We take steps to minimise the personal information included in AI prompts and do not include identity document details, biometric data, or raw personal identifiers. Customer Data submitted to the AI sub-processor is not used to train AI models and is not retained beyond what is necessary to generate the requested output.

15.3 Current AI sub-processor and transition

We are currently transitioning our AI sub-processor to Anthropic (United States). We will update section 8.1 once the transition is complete and notify you as required under section 8.1. All compliance outputs can also be completed manually without using AI narrative generation.

15.4 AI outputs are not professional advice

AI-generated narratives are drafts only. They must be reviewed and approved by a qualified compliance professional before use in any formal AML/CTF program, risk assessment or regulatory filing. Brive makes no warranty as to the accuracy, completeness or regulatory sufficiency of AI-generated outputs.

16. Biometric data

Biometric data — including facial images and liveness-check recordings — is sensitive personal information under the Privacy Act 1988 (Cth). We treat it with the highest level of care.

16.1 Purpose and collection

Biometric data is collected solely for the purpose of digital identity verification (KYC) of individuals whose information is submitted by our customers. It is collected on behalf of, and at the direction of, our customers (who are the data controllers for that data). Biometric data is never used for marketing, profiling or any purpose other than identity verification and fraud prevention.

16.2 Consent

Our customers are responsible for obtaining the explicit, informed consent of individuals before submitting their biometric data to the Service. Customers must ensure their privacy notices explain the collection, use and storage of biometric data and provide a lawful basis for processing. Brive provides template guidance on consent language to customers on request.

16.3 Processing and sub-processor

Biometric data is processed by our identity-verification service provider under a data processing agreement that requires them to protect biometric data to the same or higher standard as this Policy. Brive does not retain raw biometric data (e.g. facial scan templates) beyond the period needed to complete verification and store the verification result and supporting documents in accordance with section 11.

16.4 Retention and deletion

Facial images and liveness recordings are retained for as long as necessary to: (a) complete the identity verification process; and (b) meet applicable AML/CTF record-keeping obligations (typically 7 years from end of customer relationship). After the applicable retention period, biometric data is securely deleted. Customers may request deletion of specific biometric records earlier (subject to legal retention requirements) by contacting us at support@clearaml.com.au.

16.5 Individual rights

Individuals whose biometric data has been processed may exercise rights of access, correction or deletion by contacting the customer (data controller) who collected their information. Where a customer requests deletion on behalf of an individual, Brive will action that request subject to any mandatory legal retention obligations.

17. Children

The Service is intended for use by businesses and professional firms and is directed at adults aged 18 and over. We do not knowingly collect personal information from individuals under 18. If you believe we have inadvertently collected information from a minor, please contact us at support@clearaml.com.au and we will take prompt steps to delete it.

18. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. We will update the "Last updated" date at the top of this Policy. For material changes — such as changes to how we use personal information, new categories of data collected, or new sub-processors handling sensitive data — we will notify you by email or in-app notification at least 30 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

19. Contact us and complaints

Brive Pty Ltd (trading as Clear AML)

Attention: Privacy Officer

Email: support@clearaml.com.au

If you have a complaint about how we have handled your personal information, please contact us first. We will acknowledge your complaint within 5 business days and endeavour to resolve it within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992.