Privacy Policy

This privacy policy explains how Ditto ("we", "us", "our") collects, uses, stores, and protects personal information in connection with our AI automation services and website. We are committed to complying with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). By using our services or visiting our website, you acknowledge that you have read and understood this policy.

We collect the following categories of information: Contact information: name, business email address, phone number, and company name provided through our contact form or during discovery calls. Business data: workflow descriptions, system configurations, and operational information shared during the scoping and implementation process. Platform usage data: interaction logs, feature usage patterns, and session metadata generated when your team uses a Ditto system. Technical data: IP addresses, browser type, device information, and referral URLs collected automatically when you visit our website. We do not collect sensitive information as defined under the Privacy Act unless explicitly required for a specific engagement and agreed upon in writing.

We use collected information for the following purposes: To respond to enquiries and communicate about our services. To scope, design, build, and manage AI automation systems for your business. To operate and improve the Ditto platform and its services. To generate anonymised, aggregated analytics that help us improve system performance. To comply with legal obligations and enforce our agreements. We will not use your information for purposes materially different from those described here without your consent.

Ditto systems process business data through AI models to deliver automation services such as transaction coding, notice generation, and financial reporting. Our approach to AI data processing follows these principles: Pull, process, discard: client data is retrieved from connected platforms (such as your accounting or practice management software), processed by the AI system, and discarded after the task is complete. No client data is persisted beyond the active processing session. No model training: your data is never used to train, fine tune, adapt, or enhance any AI model, machine learning model, large language model, or predictive analytics tool. All model inference runs through enterprise AI platforms with zero data retention enabled. Australian infrastructure: all data processing occurs on servers located in Australia. No data leaves Australian infrastructure during processing. Human governance: every consequential action generated by AI requires explicit human approval before it is executed.

We do not sell, rent, or trade your personal information. We may share information with the following parties: Infrastructure provider: Amazon Web Services (AWS), with all hosting, storage, and processing occurring in the Sydney region (ap-southeast-2) under AWS's data processing agreement. AI model provider: Anthropic, accessed via AWS Bedrock for foundation model inference, with zero data retention and no model training. Bedrock contractually guarantees that customer inputs and outputs are not used to train AWS or Anthropic foundation models. Connected platforms: accounting software, practice management systems, and other platforms you authorise us to integrate with, limited to the scoped access you approve. Professional advisors: legal, accounting, and insurance professionals as required for business operations. Law enforcement: where we are required to do so by law or court order. We require all third party service providers to maintain appropriate security measures and to process personal information only as instructed by us. By connecting your accounts (including Xero, Xero Practice Manager, Microsoft 365, or other authorised platforms) to the Service, you consent to the sub-processors listed above processing your data solely for the purpose of delivering the Service. We will not pass API data to any other third party without your consent.

We implement technical and organisational measures to protect your information, including: Encryption in transit (TLS 1.2+) and at rest (AES 256) for all data. Multi factor authentication and role based access controls for all platform access. Full audit logging of every action taken within the system. Regular security assessments and vulnerability testing. Isolated tenant environments ensuring complete data separation between clients. OAuth 2.0 with scoped tokens for all third party integrations, revocable by you at any time. While we take reasonable steps to protect your information, no method of electronic transmission or storage is completely secure.

Tax File Numbers (TFNs) and other government-issued identifiers are treated as sensitive personal information requiring additional safeguards under the Privacy Act 1988 (Cth) and the Taxation Administration Act 1953 (Cth). Where the Service processes TFNs or similar identifiers: We process TFNs only as required to deliver the specific automation task you have authorised. TFNs are not retained beyond the active processing session. TFN redaction is applied where outputs are shared with parties other than the original account holder or authorised representative. Access to TFNs within the Service is restricted by role-based access controls and logged for audit purposes. We comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988. In the event of an eligible data breach, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required by law and without undue delay.

We retain personal information only for as long as necessary to fulfil the purposes described in this policy: Contact form submissions: retained for 12 months after the last communication, then deleted. Platform usage data: retained for the duration of your service agreement plus 90 days for transition purposes. Client business data: processed in real time and discarded after each session. Not retained beyond the active processing window. Website analytics: anonymised and aggregated data retained indefinitely. Identifiable data retained for 12 months. You may request deletion of your personal information at any time by contacting us.

Under the Australian Privacy Act 1988, you have the right to: Access the personal information we hold about you. Request correction of inaccurate or incomplete information. Request deletion of your personal information where we are not required by law to retain it. Withdraw consent for any processing based on your consent. Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs. To exercise any of these rights, contact us at hello@ditto.vip. We will respond to your request within 30 days.

Our website uses minimal cookies and tracking technologies: Essential cookies: required for website functionality such as session management. These cannot be disabled. Analytics: we use privacy focused analytics to understand website usage patterns. No personally identifiable information is collected through analytics. We do not use third party advertising cookies or tracking pixels. We do not participate in cross site tracking or retargeting.

Our website and platform may contain links to third party services. We are not responsible for the privacy practices of these services. We encourage you to review the privacy policies of any third party service before providing your information. Key third party services used in our operations include: Amazon Web Services (AWS) in the Sydney region for hosting and infrastructure, Anthropic via AWS Bedrock for AI inference, authorised accounting and business platform integrations (such as Xero, Xero Practice Manager, and Microsoft 365), and Web3Forms (contact form processing).

We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify existing clients of material changes via email. The updated policy will be posted on our website with the effective date clearly indicated. Your continued use of our services after changes are posted constitutes acceptance of the updated policy.

If you have questions about this privacy policy or wish to exercise your rights, contact us: Email: hello@ditto.vip Phone: +61 (0)7 4800 7003 Location: Australia To lodge a privacy complaint with the OAIC, visit www.oaic.gov.au. This policy is effective as of 26 May 2026.