Privacy Policy
Effective 12 March 2026 · Last updated 12 March 2026
1. Overview
Rand Pty Ltd (“Rand”, “we”, “us”) operates an AI-powered R&D Tax Incentive compliance platform for Australian technology companies. This privacy policy explains how we collect, use, disclose, and protect your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
This policy applies to all users of the Rand platform, including organisation members, administrators, and expert reviewers.
2. Collection principles
We only collect personal information that is reasonably necessary to provide the Rand platform and fulfil our obligations (APP 3). We do not collect information we do not need.
Due to the nature of the service — preparing R&D Tax Incentive claims tied to specific individuals, organisations, and financial records — it is not practicable to provide the service on an anonymous or pseudonymous basis (APP 2).
3. Information we collect
We collect the following categories of information:
- Account information — your name, email address, and role within your organisation.
- Organisation data — company name, ABN, industry, and company description provided during onboarding.
- Employee data — names, roles, employment type, salary information, and optional GitHub/Jira usernames for staff involved in R&D activities. This data is used to calculate R&D expenditure allocations.
- R&D activity data — core and supporting activity descriptions, hypotheses, experimental methodologies, outcomes, evidence records, and confidence assessments.
- Integration data — when you connect GitHub, Jira, or other tools, we sync relevant signals such as pull request titles, descriptions, and issue summaries. We access this data via OAuth with the minimum permissions required.
- Financial data — R&D expenditure figures, allocation percentages, and claim amounts compiled for your R&D Tax Incentive submission.
- Usage data — page views, feature usage, and performance metrics collected via Vercel Analytics to improve the service.
- Payment information — subscription billing is processed by Stripe. We do not store your credit card details. Stripe’s privacy policy governs their handling of payment data.
4. How we use your information
We use your information to:
- Provide the Rand platform, including AI-powered analysis of R&D signals, drafting of activity descriptions, and compilation of R&D Tax Incentive claims.
- Facilitate expert review of your R&D activities by assigned reviewers.
- Calculate R&D expenditure allocations based on employee data and time records.
- Send notifications about your claim progress, reviewer tasks, and AI-generated suggestions.
- Process billing and manage your subscription.
- Improve and maintain the platform.
- Comply with legal obligations, including ATO record-keeping requirements.
5. AI and automated processing
Rand uses artificial intelligence to analyse R&D signals (such as pull requests and technical tickets) and draft activity descriptions aligned to AusIndustry registration requirements. Our AI processing is powered by Anthropic’s Claude models.
Key points about our AI processing:
- All AI-generated content is clearly marked as a draft and requires human review before it becomes part of your claim. AI outputs are probabilistic assessments, not factual determinations.
- AI is used to assess relevance, map signals to activities, and suggest R&D allocations — but no claim content is finalised without human approval.
- AI confidence scores and risk assessments are visible so you can make informed decisions.
- We only send the minimum data necessary to the AI provider for each specific task.
- Your data sent to Anthropic is processed under their commercial API terms. It is not used to train their models, is not stored beyond the request lifecycle, and is not accessible to other Anthropic customers.
- Rand does not use AI to make automated decisions that have legal or similarly significant effects on individuals without human oversight.
7. Data security
We take reasonable steps to protect your information from misuse, interference, loss, and unauthorised access. Our security measures include:
- Encryption in transit (TLS) and at rest.
- Row-level security (RLS) ensuring each organisation’s data is isolated at the database level.
- Role-based access controls with separate permissions for members, administrators, and reviewers.
- Immutable audit logging of all significant actions within the platform.
- Secure authentication with session management.
8. Data retention
We retain your information for as long as your account is active and as needed to provide the service. Specific retention periods:
- Financial and tax records — retained for a minimum of 7 years in accordance with ATO record-keeping requirements.
- Audit logs — retained for the life of the associated claim year plus 7 years.
- Account data — retained while your account is active. On account closure, we delete personal data within 30 days, subject to legal retention obligations.
You may request deletion of your data at any time. Where we are required by law to retain certain records (e.g. tax-related data), we will inform you of the applicable retention period.
9. Your rights
Under the Australian Privacy Principles, you have the right to:
- Access your personal information held by us.
- Request correction of inaccurate or incomplete information.
- Complain if you believe we have breached the APPs.
To exercise these rights, contact us using the details below. We will respond to access and correction requests within 30 days.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
11. Data breach notification
In the event of a data breach that is likely to result in serious harm, we will notify the OAIC and affected individuals as soon as practicable, in accordance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act.
We maintain a data breach response plan and will assess any suspected breach within 30 days of becoming aware of it.
12. International data transfers
Some of our third-party service providers are based outside Australia, including in the United States. When your data is transferred overseas, we take reasonable steps to ensure the recipient handles it in accordance with the APPs. This includes contractual obligations and selecting providers with strong privacy and security practices.
13. Changes to this policy
We may update this policy from time to time. For material changes, we will notify you via email or through the Rand platform before the changes take effect. We encourage you to review this page periodically.
14. Contact
For privacy enquiries, access requests, or complaints, contact us at: