Privacy Policy

Last Updated: 10 April 2026

MNH Expert Platform
MNH Planning Administration Pty Ltd

Effective Date: 10 April 2026


1. Introduction

This Privacy Policy explains how MNH Planning Administration Pty Ltd (ABN 76 166 906 789, ACN 166 906 789) ("MNH", "we", "us", "our") collects, holds, uses, and discloses personal information through the MNH Expert platform ("the Platform"), a cloud-based Software-as-a-Service (SaaS) application for Australian financial planning professionals.

This policy is prepared in accordance with the Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs), the Privacy and Other Legislation Amendment Act 2024, and the Spam Act 2003.

MNH Planning Administration Pty Ltd does not hold an Australian Financial Services Licence (AFSL). The Platform provides technology services to AFSL holders and their authorised representatives.


2. Definitions

In this policy:

  • "Platform" means the MNH Expert cloud-based SaaS application, including all features, APIs, and integrations.
  • "User" means a financial planning professional or their staff member who holds an account on the Platform.
  • "Client Data" means personal and financial information about the end clients of Users, uploaded to or processed through the Platform by Users.
  • "DaaS Consumer" means a licensed third party accessing the MNH Expert Data-as-a-Service API.
  • "Personal Information" has the meaning given to it in the Privacy Act 1988 (Cth).
  • "Sensitive Information" has the meaning given to it in the Privacy Act 1988 (Cth).

3. Australian Privacy Principles Compliance

APP 1 -- Open and Transparent Management of Personal Information

3.1 What Personal Information We Collect

We collect and hold the following categories of personal information:

a) User Account Information

  • Full name, email address, phone number, and business name
  • Professional details including AFSL number, licensee name, practice role, and authorised representative (AR) number
  • Authentication credentials (managed by Supabase Auth)

b) Client Financial Data

  • Information uploaded by Users about their end clients, including fact finds, financial summaries, asset positions, superannuation details, insurance details, and income/expense information
  • This data is uploaded and managed by Users in their capacity as financial planning professionals

c) Email and Calendar Data

  • Email content synced from Gmail or Microsoft 365 via OAuth consent
  • Calendar events synced from Google Calendar or Microsoft 365 via OAuth consent
  • Syncing only occurs after the User explicitly grants permission through OAuth authorisation

d) Document Content

  • Text extracted from PDFs and DOCX files uploaded by Users for processing
  • AI-generated summaries and analyses of uploaded documents

e) AI Interaction Data

  • Conversation logs from the NLP engagement widget
  • Agent run records and AI processing outputs
  • Statement of Advice drafts generated by AI tools

f) Usage and Technical Data

  • IP address, browser type and version, operating system
  • Pages visited, features used, and timestamps
  • Session data and authentication events

g) API Usage Data (DaaS Consumers)

  • API endpoint access logs, response status codes, and timestamps
  • Organisation identifiers and API key usage records

3.2 How We Collect Personal Information

We collect personal information:

  • Directly from Users when they register an account, configure their profile, upload documents, sync email or calendar accounts, or interact with Platform features
  • From third-party integrations including Gmail, Microsoft 365, Google Calendar, and MaxWork, with User consent
  • Automatically through cookies, server logs, and analytics tools when Users interact with the Platform
  • From publicly available sources including APRA fund data, ATO tax rates, and Services Australia Centrelink rates for the Data Ocean research warehouse (this data does not contain personal information)

3.3 Why We Collect Personal Information

We collect personal information for the following purposes:

  • To provide and operate the Platform, including CRM, paraplanning, and research features
  • To authenticate Users and enforce role-based access controls
  • To process documents and generate AI-assisted outputs such as Statement of Advice drafts
  • To sync email and calendar data as requested by Users
  • To provide fund comparison, fee analysis, and scoring through the research data warehouse
  • To deliver Data-as-a-Service API access to licensed consumers
  • To send transactional emails (account verification, password resets, notifications)
  • To comply with legal and regulatory obligations, including ASIC record-keeping requirements
  • To maintain audit logs for compliance and security purposes
  • To improve Platform features, performance, and user experience

3.4 Consequences of Not Providing Personal Information

If you do not provide certain personal information, we may not be able to:

  • Create or maintain your Platform account
  • Provide AI-powered paraplanning features
  • Sync your email or calendar data
  • Generate compliance documentation on your behalf

APP 2 -- Anonymity and Pseudonymity

Where practicable, individuals may interact with us without identifying themselves. For example, you may browse our public website without providing personal information.

However, due to the nature of the Platform as a professional financial planning tool, Users must provide their identity and professional credentials to access Platform features. This is necessary to comply with ASIC regulatory requirements and to ensure appropriate access controls are maintained.


APP 3 -- Collection of Solicited Personal Information

We only collect personal information that is reasonably necessary for the functions and activities described in section 3.1 above.

We do not collect sensitive information (such as health information, racial or ethnic origin, or political opinions) unless it is contained within documents uploaded by Users for the purpose of financial planning (for example, health information relevant to insurance advice). In such cases, the User is responsible for obtaining appropriate consent from their end clients before uploading this information to the Platform.

Collection of personal information is conducted by lawful and fair means, directly from the individual where reasonable and practicable, or from Users who have obtained appropriate consent to share Client Data with us for processing.


APP 4 -- Dealing with Unsolicited Personal Information

If we receive personal information that we did not solicit and determine that we could not have collected it under APP 3, we will destroy or de-identify that information as soon as practicable, provided it is lawful and reasonable to do so.


APP 5 -- Notification of the Collection of Personal Information

At or before the time of collection, or as soon as practicable afterwards, we notify individuals of:

  • Our identity and contact details (see section 13)
  • The purposes for which we collect their personal information
  • The main consequences if personal information is not collected
  • Other entities to which we usually disclose personal information
  • That this Privacy Policy contains information about how to access and correct personal information, and how to make a complaint

For Client Data uploaded by Users, the User (as the financial planning professional) is responsible for notifying their end clients about how their information will be processed through the Platform.


APP 6 -- Use or Disclosure of Personal Information

We use and disclose personal information only for the primary purpose for which it was collected, or for a secondary purpose where:

  • The individual would reasonably expect the secondary use or disclosure, and it is related to the primary purpose
  • The individual has consented
  • It is required or authorised by Australian law or a court/tribunal order

We do not sell personal information to third parties.

We do not use personal information for direct marketing without consent.

We may disclose personal information to:

  • Anthropic (United States) -- for AI processing via the Claude API, subject to Anthropic's data retention policy which specifies that API data is not retained for model training
  • Supabase -- our database and authentication provider, hosting data in Australian data centre regions
  • Resend -- for transactional email delivery (account notifications, password resets)
  • Google (via Google Analytics 4 with IP anonymisation) -- for aggregated, anonymised usage analytics
  • MaxWork -- cross-platform data sharing where Users have enabled the integration, secured via HMAC-SHA256 service authentication
  • Law enforcement or regulatory bodies -- where required by law

APP 7 -- Direct Marketing

We do not use or disclose personal information for the purpose of direct marketing unless:

  • The individual has provided explicit consent (opt-in)
  • Each marketing communication includes a clear and functional opt-out mechanism
  • We comply with the Spam Act 2003

Users may opt out of marketing communications at any time by contacting us at security@mnh.expert or using the unsubscribe mechanism in any marketing email.

Transactional emails (account verification, security alerts, system notifications) are not considered direct marketing and cannot be opted out of while an account is active.


APP 8 -- Cross-Border Disclosure of Personal Information

We disclose personal information to overseas recipients in the following circumstances:

a) AI Processing -- Anthropic (United States)

Client Data and document content may be transmitted to Anthropic's Claude API servers in the United States for AI processing, including document extraction, summarisation, and Statement of Advice draft generation. Under Anthropic's API data retention policy, data submitted via the API is not retained for model training and is processed transiently.

b) Staff Access -- Philippines and Laos

Certain MNH staff may access the Platform from the Philippines and Laos via Microsoft 365. Access is protected by multi-factor authentication (MFA) and device compliance policies.

c) Analytics -- Google (United States)

Google Analytics 4 is used with IP anonymisation enabled, meaning Google discards the IP address at collection rather than logging or storing it; only aggregated usage metrics that do not identify individuals are retained.

Before disclosing personal information overseas, we take reasonable steps to ensure the overseas recipient does not breach the APPs. We achieve this through:

  • Contractual obligations with service providers
  • Technical controls (encryption, access controls, audit logging)
  • Vendor data processing agreements
  • Ongoing review of third-party security practices

APP 9 -- Adoption, Use, or Disclosure of Government Related Identifiers

We collect government-related identifiers such as AFSL numbers and authorised representative numbers solely for the purpose of verifying professional credentials and meeting regulatory requirements. We do not adopt these identifiers as our own and only use or disclose them as required by law or for verification purposes.


APP 10 -- Quality of Personal Information

We take reasonable steps to ensure that the personal information we collect, use, and disclose is accurate, up-to-date, complete, and relevant. These steps include:

  • Allowing Users to update their profile and account information at any time through the Platform
  • Validating data at the point of entry using schema validation (Zod schemas on all API endpoints)
  • Maintaining audit logs to track data changes
  • Periodically reviewing data quality as part of system maintenance

Users are responsible for ensuring the accuracy of Client Data they upload to the Platform.


APP 11 -- Security of Personal Information

We take reasonable technical and organisational measures to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure, as required by APP 11 (including the enhanced requirements introduced by the Privacy and Other Legislation Amendment Act 2024).

3.11.1 Authentication and Access Control

  • Authentication: Managed by Supabase Auth supporting email/password, magic link, and OAuth (Google, Microsoft) sign-in methods
  • Role-Based Access Control: Six distinct roles (owner, admin, manager, paraplanner, support, staff) with organisation-scoped permissions
  • Row Level Security (RLS): Enforced on all database tables (35+ tables) using JWT organisation ID claims, ensuring strict multi-tenant data isolation
  • Session Management: httpOnly session cookies (not readable by page scripts) with automatic token refresh, limiting both the exposure of session tokens to cross-site scripting and the useful lifetime of any token that is compromised

3.11.2 Encryption

  • In Transit: All data transmitted to and from the Platform is encrypted using TLS 1.2 or higher
  • At Rest: All stored data is encrypted using AES-256 encryption, managed by Supabase

3.11.3 API and Integration Security

  • API Key Security: API keys are hashed using SHA-256 before storage; plaintext keys are never persisted
  • Service Authentication: Cross-platform integrations (MaxWork) use HMAC-SHA256 service authentication
  • Rate Limiting: Applied to all API endpoints to prevent abuse
  • Input Validation: Zod schema validation on all API endpoints, rejecting malformed or unexpected input before it reaches business logic and reducing exposure to injection attacks
  • CRON Protection: All automated background routes are protected by bearer token authentication (CRON_SECRET)
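The API key hashing, HMAC-SHA256 service authentication and CRON bearer token controls listed above, shown as an added TypeScript example. This is not MNH's code and does not describe the Platform's actual implementation; the function names (issueApiKey, verifyApiKey, signServiceRequest, verifyServiceRequest, verifyCronBearer), the header names (x-service-timestamp, x-service-signature) and the mnh_ key prefix are assumptions. One caveat a practitioner would want stated: an unsalted SHA-256 digest is an adequate way to store an API key only because the key is high-entropy random material generated by the server; it would not be adequate for a user-chosen password, which needs a slow, salted password hash.

```typescript
// Added illustration, not MNH Expert's own code. Names and header fields are assumptions.
import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// ---------- API key storage: persist only the SHA-256 digest ----------

export interface StoredApiKey {
  orgId: string;   // organisation the key is scoped to
  keyHash: string; // hex SHA-256 of the plaintext key; the plaintext is never stored
}

export function sha256Hex(input: string): string {
  return createHash("sha256").update(input, "utf8").digest("hex");
}

// Issue a 256-bit random key. The plaintext is returned to the caller once and
// only its digest is kept, so a database leak does not expose usable keys.
// (No salt or slow KDF is needed here because the key is random, unlike a
// user-chosen password.)
export function issueApiKey(orgId: string): { plaintext: string; record: StoredApiKey } {
  const plaintext = "mnh_" + randomBytes(32).toString("hex"); // prefix is an assumption
  return { plaintext, record: { orgId, keyHash: sha256Hex(plaintext) } };
}

// Hash the presented key and compare digests in constant time.
export function verifyApiKey(presented: string, record: StoredApiKey): boolean {
  const a = Buffer.from(sha256Hex(presented), "hex");
  const b = Buffer.from(record.keyHash, "hex");
  return a.length === b.length && timingSafeEqual(a, b);
}

// ---------- Cross-platform service authentication: HMAC-SHA256 ----------

export interface ServiceAuthHeaders {
  "x-service-timestamp": string; // Unix seconds at which the request was signed
  "x-service-signature": string; // hex HMAC-SHA256 over the canonical string
}

// Bind the signature to method, path, time and a digest of the body so a
// captured signature cannot be replayed against a different endpoint or payload.
function canonicalString(method: string, path: string, timestamp: string, body: string): string {
  return [method.toUpperCase(), path, timestamp, sha256Hex(body)].join("\n");
}

export function signServiceRequest(
  sharedSecret: string, method: string, path: string, body: string, nowMs: number = Date.now(),
): ServiceAuthHeaders {
  const timestamp = String(Math.floor(nowMs / 1000));
  const signature = createHmac("sha256", sharedSecret)
    .update(canonicalString(method, path, timestamp, body))
    .digest("hex");
  return { "x-service-timestamp": timestamp, "x-service-signature": signature };
}

export function verifyServiceRequest(
  sharedSecret: string, method: string, path: string, body: string,
  headers: ServiceAuthHeaders, nowMs: number = Date.now(), maxSkewSeconds = 300,
): boolean {
  const timestamp = headers["x-service-timestamp"];
  const signature = headers["x-service-signature"];
  // Reject malformed headers before doing any crypto.
  if (!/^\d{1,12}$/.test(timestamp) || !/^[0-9a-f]{64}$/.test(signature)) return false;
  // Bound replay: a request signed outside the clock-skew window is refused.
  if (Math.abs(Math.floor(nowMs / 1000) - Number(timestamp)) > maxSkewSeconds) return false;
  const expected = createHmac("sha256", sharedSecret)
    .update(canonicalString(method, path, timestamp, body))
    .digest();
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw on length.
  return timingSafeEqual(expected, Buffer.from(signature, "hex"));
}

// ---------- Background routes: bearer token check against CRON_SECRET ----------

export function verifyCronBearer(authorization: string | undefined, cronSecret: string): boolean {
  if (!authorization || !authorization.startsWith("Bearer ")) return false;
  const presented = Buffer.from(authorization.slice("Bearer ".length), "utf8");
  const expected = Buffer.from(cronSecret, "utf8");
  return presented.length === expected.length && timingSafeEqual(presented, expected);
}
```

The timestamp window bounds replay of an identical request; if the integration must also refuse exact duplicates inside that window, the receiver additionally needs to remember recently seen signatures, which this example does not do.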

3.11.4 File Security

  • MIME Type Whitelisting: Only approved file types can be uploaded
  • Organisation-Scoped Storage: File storage policies enforce tenant isolation, ensuring Users can only access files belonging to their organisation

3.11.5 AI Security

  • Prompt Injection Protection: A dedicated scanner with 25+ pattern detection rules screens content supplied to AI features for prompt and memory injection attempts. Pattern matching is a mitigating control rather than a complete defence, which is one reason the human review requirement below applies to every AI-generated output
  • Human Review Requirement: All AI-generated outputs (document extractions, Statement of Advice drafts, fund scoring) require human review by the financial planner before use with end clients

3.11.6 Audit and Monitoring

  • Audit Logging: Five append-only audit tables (audit_log, mw_crm_audit, mr_api_usage, mw_activity_log, mw_advice_validation_log) record security-relevant events
  • API Usage Tracking: All DaaS API calls are logged with endpoint, response status, and timestamps

3.11.7 Framework Alignment

  • Our security measures align with the Australian Cyber Security Centre (ACSC) Essential Eight framework
  • Our information security management practices are guided by the ISO 27001 framework

3.11.8 Data Destruction

When personal information is no longer needed for any purpose for which it may be used or disclosed under the APPs, and we are not required by law to retain it, we will take reasonable steps to destroy or de-identify the information. ASIC record-keeping requirements mandate a minimum 7-year retention period for financial planning records.


APP 12 -- Access to Personal Information

Individuals have the right to request access to personal information we hold about them. To make an access request:

  1. Contact our Privacy Officer at security@mnh.expert
  2. We will respond to your request within 30 days
  3. We will verify your identity before providing access
  4. Access will be provided in a reasonable manner and format

We may refuse access in limited circumstances permitted by law, including where:

  • Providing access would pose a serious threat to the life, health, or safety of any individual
  • Providing access would have an unreasonable impact on the privacy of others
  • The request is frivolous or vexatious
  • The information relates to existing or anticipated legal proceedings
  • Providing access would be unlawful or would prejudice law enforcement activities

If we refuse access, we will provide written reasons for the refusal and the mechanisms available to complain about the decision.

Users may access and export their own data directly through the Platform's account settings and CRM features.


APP 13 -- Correction of Personal Information

Individuals have the right to request correction of personal information we hold about them if it is inaccurate, out-of-date, incomplete, irrelevant, or misleading.

To request a correction:

  1. Contact our Privacy Officer at security@mnh.expert
  2. We will respond to your request within 30 days
  3. If we correct information that has previously been disclosed to a third party, we will notify that third party of the correction upon request

If we refuse to correct personal information, we will provide written reasons and advise of complaint mechanisms. Upon request, we will associate a statement with the information noting that you consider it inaccurate, out-of-date, incomplete, irrelevant, or misleading.

Users may correct their own profile and account information directly through the Platform at any time.


4. Automated Decision-Making Disclosure

In accordance with the Privacy and Other Legislation Amendment Act 2024, we disclose the following regarding automated decision-making on the Platform:

MNH Expert uses artificial intelligence (Anthropic Claude) for the following functions:

  • Document Extraction and Summarisation: Uploaded PDFs and DOCX files are processed by AI to extract structured data and generate summaries
  • Statement of Advice Draft Generation: AI assists in generating draft Statements of Advice based on client data and product research
  • Fund Scoring and Comparison: AI-assisted analysis scores and compares financial products within the research data warehouse
  • Email Follow-Up Suggestions: AI analyses synced email content to suggest follow-up actions

These are assistive tools only. All AI-generated outputs are presented as drafts or suggestions and require human review and approval by the financial planning professional before any use with or impact on end clients. No automated decisions are made that directly affect end clients without adviser review and intervention.

Users retain full control over whether to accept, modify, or reject any AI-generated output.


5. Cookies and Tracking

The Platform uses the following technologies:

  • Essential Cookies: httpOnly session cookies for authentication and security. These are strictly necessary for Platform operation and cannot be disabled.
  • Analytics: Google Analytics 4 with IP anonymisation enabled, used to understand aggregate Platform usage patterns. No personally identifiable information is collected through analytics.

6. Data Retention

We retain personal information for the following periods:

  • User account information: duration of account + 7 years (ASIC record-keeping requirements)
  • Client financial data: duration of account + 7 years (ASIC record-keeping requirements)
  • Email and calendar sync data: until the User disconnects the integration or deletes the account (User-controlled)
  • Document content and extractions: duration of account + 7 years (ASIC record-keeping requirements)
  • AI conversation logs: 2 years from creation (Platform improvement and audit)
  • Audit logs: 7 years from creation (compliance and security)
  • API usage logs: 2 years from creation (service monitoring and billing)
  • Usage and technical data: 26 months (Google Analytics retention setting)

After the applicable retention period, data is destroyed or de-identified in accordance with APP 11.


7. Users' Responsibilities Regarding Client Data

Users of the Platform are financial planning professionals who upload and manage Client Data within the Platform. Users acknowledge and agree that:

  • They are responsible for obtaining all necessary consents from their end clients before uploading Client Data to the Platform
  • They must comply with their own obligations under the Privacy Act 1988, their AFSL conditions, and any applicable codes of conduct
  • They must ensure Client Data is accurate, up-to-date, and relevant before uploading
  • They must inform their end clients that their data may be processed using AI tools and that data may be transmitted to the United States for AI processing (see section 3, APP 8)
  • MNH processes Client Data as a service provider to the User and does not have a direct relationship with end clients

8. Data Breach Notification

In the event of an eligible data breach (as defined in Part IIIC of the Privacy Act 1988), we will:

  1. Take immediate steps to contain the breach and mitigate any harm
  2. Conduct an assessment to determine whether the breach is likely to result in serious harm
  3. If serious harm is likely, notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable
  4. Notify affected Users so they can fulfil their own notification obligations to their end clients
  5. Maintain a record of all data breaches, whether or not they are eligible data breaches

9. Third-Party Links and Integrations

The Platform may contain links to third-party websites or integrate with third-party services (including Gmail, Microsoft 365, Google Calendar, and MaxWork). We are not responsible for the privacy practices of these third parties. Users should review the privacy policies of any third-party services before enabling integrations.


10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or legal requirements. When we make material changes:

  • We will update the "Last Updated" date at the top of this policy
  • We will notify Users via email or an in-Platform notification
  • Continued use of the Platform after notification constitutes acceptance of the updated policy

11. Children's Privacy

The Platform is designed for use by financial planning professionals and is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete that information promptly.


12. Complaints

If you believe we have breached the APPs or handled your personal information inappropriately, you may lodge a complaint:

  1. Contact our Privacy Officer at security@mnh.expert with details of your complaint
  2. We will acknowledge your complaint within 5 business days
  3. We will investigate and respond within 30 days
  4. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
    • Website: www.oaic.gov.au
    • Phone: 1300 363 992
    • Post: GPO Box 5218, Sydney NSW 2001

13. Contact Us

If you have any questions about this Privacy Policy or wish to make a privacy-related request, please contact:

Privacy Officer: Matthew Hibbins
Email: security@mnh.expert
Phone: +61 478 669 918
Address: Broadbeach, QLD 4218


14. Governing Law

This Privacy Policy is governed by the laws of the Commonwealth of Australia and the State of Queensland. Any disputes arising from this policy are subject to the exclusive jurisdiction of the courts of Queensland.
