
Privacy policy

Last updated 8 May 2026.

Who we are

Docket is operated by The IT Dept Pty Ltd (ABN 12 665 405 505), an Australian company ("we", "us", "our"). You can reach us at hello@theitdept.au.

This policy explains what personal information we collect when you use Docket and the related marketing site, why we collect it, where we store it, who we share it with, and your rights under the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth).

What we collect

We only collect what we need to run the service:

  • Account info — your email, display name, optional phone number, and a passkey or magic-link credential. We use these to identify you and let you back in.
  • Business info — your business name, ABN, GST registration status, BAS frequency, and chart of accounts. You give us this during onboarding.
  • Bookkeeping data — invoices, bills, contacts, journal entries, and transactions that you create or that flow in via bank feeds. This is your data, you own it, and you can export it at any time.
  • Banking data — when you connect a bank feed, we receive transaction metadata via Basiq under the Consumer Data Right (CDR). We don't see your banking login.
  • Payment data — when your customers pay through a Docket pay-link, the card details go directly to Stripe. We see the amount, status, and last-four; we never see the full card number.
  • Telemetry — server logs (request paths, status codes, timestamps) and basic error traces. No third-party analytics or session replay.
  • Marketing waitlist — your email when you opt in on the marketing site, plus which page you signed up from. We don't sell or share this list.

Why we collect it

The legal basis for each data category:

  • To provide the service — you can't run a books product without bookkeeping data.
  • To meet our obligations under Australian tax and BAS law.
  • To send you transactional notices (auth links, payment receipts, billing).
  • To improve the service — by aggregating anonymous usage patterns; never by reading individual books data without your explicit instruction.
  • To respond to lawful regulatory requests (the ATO, courts).

Where we store it

All Docket data lives in Australia. Our primary database and application servers run in an Australian Equinix data centre. Backups stay onshore. We don't ship data offshore as part of normal operations.

Some sub-processors (listed below) operate outside Australia. Where that's the case, the data we send them is the minimum needed for the service they perform — it's not a mirror of your books.

Who we share it with

We use the following sub-processors. Each has a specific, narrow purpose:

  • Basiq (Australia) — bank feed aggregator under the Consumer Data Right. Receives the consent you grant when connecting a bank.
  • Stripe (Australia / United States) — payment processing for the public pay-link and recurring auto-charge. Card data goes straight to Stripe; we don't store full card numbers.
  • GoCardless (Australia) — direct-debit processing (where used).
  • SMS Relay (Australia) — SMS dispatch for invoice send + magic-link auth. Receives the recipient phone + the message body.
  • Email Relay (Australia) — email dispatch for invoice send + auth links. Receives the recipient email + the message body.
  • Equinix Australia — physical hosting and connectivity.

We don't sell your data, ever. We don't use it to train AI models. We don't share it with marketers or ad networks.

How long we keep it

While your account is active, we keep your data so the service works. If you cancel, we keep your books data for 30 days so you can come back and export it, then we delete it. Where Australian law requires longer retention (e.g. 5 years for tax records), we keep it as long as required and delete it as soon as we can.

Your rights

Under the Australian Privacy Principles you can:

  • Ask what personal information we hold about you.
  • Ask us to correct it if it's wrong.
  • Ask us to delete it (subject to retention obligations above).
  • Withdraw consent for bank-feed data sharing at any time via the connection settings.
  • Complain to us, and if you're not satisfied, to the OAIC.

Email hello@theitdept.au and we'll come back to you within 30 days. The Office of the Australian Information Commissioner is at oaic.gov.au.

Security

We treat your books data the way we'd want our own treated. Practical controls are documented at our Security page — TLS in transit, encryption at rest, per-org row-level isolation in the database, passkey-first auth.

Cookies

We use first-party cookies (or local storage) for session state — i.e. keeping you signed in. We don't run third-party trackers, advertising pixels, or analytics suites that follow you off-site.

Children

Docket isn't directed at anyone under 18. If you become aware that a child has provided us with personal information, please email us and we'll delete it.

Changes to this policy

If we change this policy materially, we'll notify you via email and update the date at the top. Minor edits (typos, structure) get a date bump only.

Contact

The IT Dept Pty Ltd · ABN 12 665 405 505 · hello@theitdept.au