PRIVACY POLICY
Complinet Pty Ltd (ABN 43 689 762 436) trading as AML Shield
Effective Date: 31 March 2026, Version 1.0
AML Shield is committed to protecting the privacy of individuals whose personal information we collect and handle. This Privacy Policy explains how we collect, use, store, disclose, and protect Personal Information in connection with the AML Shield platform and our business operations.
This Privacy Policy should be read in conjunction with our Terms of Service, available at www.amlshield.com.au/terms.
Complinet Pty Ltd (ABN 43 689 762 436), trading as AML Shield ("AML Shield", "we", "us", or "our"), operates a cloud-based compliance management platform designed to assist reporting entities regulated under Australia's Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) ("AML/CTF Act") in developing, implementing, and managing their AML/CTF compliance programs.
AML Shield is an Australian Privacy Principles (APP) entity within the meaning of the Privacy Act 1988 (Cth) ("Privacy Act") and is bound by the Australian Privacy Principles.
This Privacy Policy applies to:
(a) individuals who visit the AML Shield website at www.amlshield.com.au;
(b) individuals who create an account on or otherwise use the AML Shield platform ("Platform");
(c) individuals whose personal information is uploaded to or processed through the Platform by our customers ("End Clients"); and
(d) individuals who contact us, attend our training, or otherwise interact with AML Shield.
AML Shield operates the Platform as a service provider to its customers ("Customers"). In most cases, our Customers are the entities that collect personal information from their own clients in the course of performing customer due diligence (CDD) under AML/CTF Laws. When Customers upload personal information about their End Clients to the Platform, AML Shield acts as a data processor on behalf of the Customer. The Customer remains the primary data controller and is responsible for ensuring that the collection and use of their End Clients' personal information complies with the Privacy Act and all applicable laws.
This distinction is important: AML Shield does not have a direct relationship with End Clients whose information is stored on the Platform. Enquiries from End Clients regarding their personal information should be directed to the relevant Customer in the first instance.
We collect the following categories of personal information directly from Customers and their Authorised Users:
(a) Account registration information: name, email address, phone number, business name, ABN/ACN, business address, and role or position within the organisation;
(b) Billing information: payment card details, billing address, and transaction history (payment card details are processed by our third-party payment processor and are not stored on AML Shield servers);
(c) Communications: enquiries, support requests, feedback, and any other correspondence you send to us; and
(d) Training participation records: attendance, completion status, and assessment results for training modules accessed through the Platform.
Customers upload and store personal information about their End Clients through the Platform in the course of meeting their AML/CTF compliance obligations. This Customer Data may include highly sensitive personal information, such as:
(a) Identity verification documents: copies of passports, driver's licences, Medicare cards, birth certificates, and other government-issued identification;
(b) Identification information: full name, date of birth, residential address, nationality, and place of birth;
(c) Beneficial ownership information: details of beneficial owners, controlling persons, and corporate structures;
(d) Risk assessment data: customer risk ratings, risk indicators, enhanced due diligence records, and ongoing monitoring notes;
(e) Source of funds and source of wealth information;
(f) Politically exposed person (PEP) screening results and sanctions screening records;
(g) Transaction records and suspicious matter report documentation, where applicable; and
(h) Any other information the Customer uploads in connection with its AML/CTF compliance program.
AML Shield processes this Customer Data solely on the Customer's instructions and for the purpose of providing the Platform services. AML Shield does not independently access, review, or use Customer Data except as necessary to provide, maintain, and improve the Platform, or as required by law.
When you access the Platform or our website, we may automatically collect:
(a) Device and browser information: IP address, browser type and version, operating system, device type, and screen resolution;
(b) Usage data: pages visited, features used, session duration, click patterns, and navigation paths;
(c) Log data: access times, error logs, and performance data; and
(d) Cookies and similar technologies: as described in Section 10 of this Policy.
We collect and use personal information for the following purposes:
(a) Providing the Platform: to create and manage your account, deliver the Platform services, process subscriptions, and provide access to features included in your Subscription Plan;
(b) Billing and payment: to process payments, issue invoices, manage subscriptions, and administer refunds;
(c) Customer support: to respond to enquiries, troubleshoot issues, and provide technical assistance;
(d) Training delivery: to administer training modules, track completion, and issue certificates where applicable;
(e) Platform improvement: to analyse usage patterns, identify areas for improvement, develop new features, and enhance the user experience;
(f) Security and fraud prevention: to detect, investigate, and prevent unauthorised access, security incidents, and fraudulent activity;
(g) Communications: to send service-related notifications, product updates, and, where you have consented, marketing communications;
(h) Legal compliance: to comply with our obligations under the Privacy Act, AML/CTF Laws, and any other applicable legislation; and
(i) Legal rights: to establish, exercise, or defend legal claims.
Under the Privacy Act, we collect personal information only where it is reasonably necessary for one or more of our functions or activities listed in Section 3.1 above, and only by lawful and fair means. Where we collect sensitive information (as defined in the Privacy Act), we do so only with the individual's consent or where collection is required or authorised by law.
We may create anonymised and aggregated datasets derived from usage of the Platform for the purposes of product improvement, industry benchmarking, and research. Such data cannot, individually or in combination, be used to identify any individual, Customer, or End Client. Anonymised and aggregated data is not Personal Information and is not subject to this Privacy Policy.
We may disclose personal information to the following categories of recipients:
(a) Service providers and sub-processors: third-party providers who assist us in operating the Platform and conducting our business, including cloud hosting providers, payment processors, email service providers, analytics providers, and customer support tools. All service providers are bound by contractual obligations to protect personal information and to use it only for the purposes for which it was disclosed;
(b) Professional advisers: our legal, accounting, and other professional advisers, subject to professional obligations of confidentiality;
(c) Related entities: companies within our corporate group, for the purposes of providing and improving the Platform and for internal administration;
(d) Law enforcement and regulators: where we are required or authorised by law to disclose information, including to AUSTRAC, the Australian Federal Police, or other law enforcement agencies in connection with their lawful functions; and
(e) With consent: to any other party where you have provided your express consent to the disclosure.
AML Shield does not sell, rent, or trade personal information to third parties for marketing or any other purpose. We do not use Customer Data (including End Client data) for advertising, profiling, or any purpose unrelated to the provision of the Platform services.
All Customer Data is stored on servers located in Australia. AML Shield uses enterprise-grade cloud infrastructure hosted within Australian data centres. We do not transfer Customer Data to servers located outside of Australia without the Customer's prior written consent, except as described in Section 6 (Cross-Border Disclosure).
AML Shield implements and maintains technical and organisational security measures appropriate to the sensitivity of the personal information we hold, including:
(a) Encryption: all data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher;
(b) Access controls: role-based access controls, the principle of least privilege, and mandatory multi-factor authentication for all AML Shield personnel with access to Customer Data;
(c) Network security: firewalls, intrusion detection and prevention systems, and network segmentation;
(d) Application security: secure software development practices aligned with the OWASP framework, regular code reviews, and automated vulnerability scanning;
(e) Penetration testing: independent penetration testing conducted at least annually;
(f) Monitoring and logging: continuous monitoring of systems and comprehensive audit logging of access to Customer Data;
(g) Personnel security: background checks for all personnel with access to Customer Data, mandatory security awareness training, and confidentiality obligations; and
(h) Incident response: a documented incident response plan that is tested and updated regularly.
AML Shield will, upon reasonable request, provide Customers with a summary of its current security practices and any relevant certifications (such as ISO 27001 or SOC 2) held from time to time.
In the event of a data breach that is likely to result in serious harm to any individual whose personal information is affected, AML Shield will:
(a) take immediate steps to contain the breach and mitigate any resulting harm;
(b) assess the breach to determine whether it constitutes an eligible data breach under Part IIIC of the Privacy Act (the Notifiable Data Breaches scheme);
(c) notify affected Customers without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach, providing a description of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken to address and mitigate the breach;
(d) where required under the Notifiable Data Breaches scheme, notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable; and
(e) cooperate with affected Customers to fulfil their own notification obligations to End Clients and regulators.
AML Shield stores all Customer Data on servers located in Australia. However, some of our service providers and sub-processors may be located overseas or may have personnel located overseas who have incidental access to personal information in the course of providing their services (for example, global cloud infrastructure providers with support teams in multiple jurisdictions).
Before disclosing personal information to an overseas recipient, AML Shield will take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to the information, including by:
(a) entering into contractual arrangements that require the recipient to comply with obligations substantially similar to the APPs;
(b) assessing the privacy laws and practices of the recipient's jurisdiction; and
(c) implementing appropriate technical safeguards, including encryption and access controls.
The countries in which our sub-processors are located are listed in our Sub-Processor Register, which is available to Customers upon request.
During an active subscription, all Customer Data is retained on the Platform and is accessible to the Customer and its Authorised Users.
Upon termination of a Customer's subscription, AML Shield will retain Customer Data for a period of ninety (90) days ("Retention Period") to allow the Customer to export its data. During the Retention Period, the Customer may access the Platform in read-only mode for the sole purpose of data export.
Following the expiry of the Retention Period, AML Shield will permanently and irreversibly delete or de-identify all Customer Data, unless retention is required by law.
Customers are reminded that reporting entities are required under the AML/CTF Act to retain certain records, including CDD records and transaction records, for a minimum period of seven (7) years. AML Shield provides data export functionality to enable Customers to download and independently retain their records. It is the Customer's sole responsibility to ensure that it has exported and retained all records necessary to meet its regulatory record-keeping obligations before the expiry of the Retention Period.
AML Shield retains its own business records (such as billing records, support correspondence, and account activity logs) for as long as necessary to fulfil the purposes for which they were collected, to comply with our legal obligations, and to resolve disputes. Account registration information and billing records are typically retained for seven (7) years from the end of the Customer relationship, in accordance with Australian tax and corporate record-keeping requirements.
You have the right to request access to the personal information we hold about you. We will respond to your request within thirty (30) days and will provide access to the information in the manner requested, where reasonable and practicable. We may charge a reasonable fee for providing access to cover our administrative costs.
We may refuse access in certain circumstances permitted by the Privacy Act, including where providing access would pose a serious threat to the life, health, or safety of any individual, or where the request is frivolous or vexatious. If we refuse access, we will provide written reasons for the refusal.
You have the right to request correction of any personal information we hold about you that is inaccurate, out of date, incomplete, irrelevant, or misleading. We will respond to correction requests within thirty (30) days. If we refuse to correct the information, we will provide written reasons and, if requested, associate a statement with the information noting that you consider it to be inaccurate or incomplete.
If you believe we have breached the Australian Privacy Principles or have handled your personal information inappropriately, you may lodge a complaint with us using the contact details in Section 13. We will acknowledge your complaint within five (5) Business Days and will investigate and respond within thirty (30) days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
If you are an End Client whose personal information has been uploaded to the Platform by one of our Customers, please direct any access, correction, or deletion requests to the Customer who collected your information. AML Shield will cooperate with the Customer to facilitate such requests.
AML Shield may use your contact information to send you marketing communications about our products, services, events, and industry updates. We will only send marketing communications where:
(a) you have consented to receive such communications; or
(b) we are permitted to do so under the Privacy Act and the Spam Act 2003 (Cth) (for example, where we have an existing business relationship with you and the communications relate to similar services).
Every marketing communication will include a clear and functional unsubscribe mechanism. You may opt out of marketing communications at any time by clicking the unsubscribe link in any email, updating your communication preferences in your account settings, or contacting us at privacy@amlshield.com.au.
Opting out of marketing communications will not affect service-related communications (such as billing notices, security alerts, and Platform updates) that are necessary for the operation of your account.
The AML Shield website and Platform use cookies and similar technologies to enhance your experience, analyse usage, and support our operations.
(a) Essential cookies: required for the operation of the Platform, including session management, authentication, and security. These cookies cannot be disabled.
(b) Analytics cookies: used to collect anonymised usage data to help us understand how the Platform is used and to identify areas for improvement. We use industry-standard analytics tools for this purpose.
(c) Preference cookies: used to remember your settings and preferences (such as language and display options) to provide a more personalised experience.
You can manage your cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Platform. For more information about cookies and how to manage them, visit www.allaboutcookies.org.
The Platform is intended for use by businesses and professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without appropriate consent, we will take steps to delete that information promptly.
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or business operations. Where we make material changes, we will notify you by email to your registered email address and/or by prominent notice on the Platform at least thirty (30) days before the changes take effect.
We encourage you to review this Privacy Policy periodically. The "Effective Date" at the top of this Policy indicates when it was last updated. Your continued use of the Platform after any changes take effect constitutes your acceptance of the revised Privacy Policy.
If you have any questions, concerns, or complaints about this Privacy Policy or our handling of your personal information, please contact us:
Privacy Officer
Complinet Pty Ltd trading as AML Shield
Email: privacy@amlshield.com.au
Website: www.amlshield.com.au
Post: [Business address to be inserted]
© Complinet Pty Ltd (ABN 43 689 762 436) trading as AML Shield. All rights reserved.
Last updated: 31 March 2026