Privacy Policy

Last Updated: 9 June 2026

Instant Compliance Pty Ltd ("InstantCompliance", "we" and "us") is the provider of a software platform designed to assist businesses with their Customer Due Diligence (CDD) and AML/CTF (Anti-Money Laundering and Counter-Terrorism Financing) workflows. We provide the technological infrastructure that allows our customers ("Clients") to collect data and verify the identities of their customers ("Customers") in accordance with Applicable Laws.

This privacy policy is a single document that serves two different audiences. Please read the section that matches you.

Who is this policy for?

If a business asked you to verify your identity through Instant Compliance — Section A applies to you. A bank, law firm, real estate agent, accountant, or other regulated business has pointed you here so you can use our platform to verify who you are, or to provide documents about a company or trust you're connected with. We handle your information on behalf of that business so they can meet their legal "know your customer" obligations.

If you're a Client of Instant Compliance, work at one of our Clients, are evaluating Instant Compliance for your business, or are visiting our website — Section B applies to you. "Clients" are the organisations that use Instant Compliance to run their AML/CTF compliance program. Section B covers those Client organisations and their staff (compliance officers, administrators, and any day-to-day user of the platform), people considering the platform for their own business, and website visitors.

If both apply to you, Section A covers the verification and Section B covers the website visit and any use of the platform.

A note on terminology

We use a few specific words that may not match everyday usage:

  • "Client" — the organisation that uses Instant Compliance to run its compliance program (the bank, law firm, real estate agency, accountant, or other regulated business that pointed you here).
  • "Customer" — the individual whose identity is being verified.
  • "Personal Information" — any information about an identifiable individual, or an individual who is reasonably identifiable, including any data that can be used to identify or contact a single person.
  • "Service Providers" / "Sub-processors" — the third-party services we use to deliver the platform (the full list is in Section A.3).
  • Together, the Customers and Clients described above are referred to in this policy as "you" and "your."

    Throughout this policy, references to "our website" include both our public website (instantcompliance.ai) and our secure web app (app.instantcompliance.ai) unless otherwise specified.

    InstantCompliance is an Australian Privacy Principle (APP) entity, as defined by the Privacy Act 1988 (Cth) (Privacy Act), and as such is committed to handling personal information in accordance with applicable privacy laws.

    We may update this Policy from time to time, and any changes will be published directly to our website and will be effective from the date of publication.


    Our Company-Wide Commitment to Your Privacy

    Providing secure technological infrastructure for AML/CTF compliance management is InstantCompliance's business. Handling all your Personal Information securely and in accordance with the APPs is essential to that business.

    Every InstantCompliance employee undertakes mandatory training in the identification and handling of personal information as part of their onboarding process. Protection of personal information is discussed regularly in team and company-wide meetings, and considered when making any business decision.

    Our Clients are contractually required to comply with the requirements of the Privacy Act, to comply with the security requirements of any Service Providers, and to protect all the Personal Information they receive through our platform.

    Retrieval Process

    InstantCompliance generally collects Personal Information under four scenarios:

    1. From our Clients (current and potential) and their staff, we receive information necessary to set up and manage their contracts and provide software services to them.

    2. From Clients we receive contact details for a Customer to facilitate the data collection process via our software.

    3. From Customers we receive their Personal Information during the data collection and verification process facilitated by our platform.

    4. From Clients and Customers we receive Customers' Personal Information contained in documents uploaded to our platform for 'know your customer' (KYC) processes.

    If a Client has directed you to use our software for a CDD check, they do so because it is a legal requirement that they must complete prior to performing a service for you. They cannot perform that service without collecting your Personal Information. If you have any concerns or questions regarding why this data is being collected or how the Client will use it to make compliance decisions, you should contact the Client directly.


    Section A: For individuals whose identity is being verified

    The short version of what we do with your information. You're probably here because a business (your bank, law firm, real estate agency, accountant, or another regulated business) asked you to use Instant Compliance to verify your identity, or provide documents about a company or trust you're connected with. The detail follows below, but in plain English:

  • The business that asked you to verify (we call them the "Current Provider" in this policy) is in charge of why your data is collected and how they use it for their compliance decisions. Direct questions about that to them.
  • We act as the technology provider that runs the verification and stores the records for the Current Provider's audit trail. We don't make compliance decisions about you.
  • Identity-document images and biometric data (selfies, faceprints) are held by our identity-verification sub-processor Sumsub on EU-based infrastructure (subject to GDPR), not on Instant Compliance servers.
  • Some structured data (extracted name, address, date of birth and so on) is stored on Instant Compliance's AWS servers in Sydney.
  • For KYB (company / trust) checks, the underlying PDF documents are sent transiently to Anthropic (US-based) for automated data extraction. The complete sub-processor list is in Section A.3.

    If you're dealing with us as a Customer, we might request and handle your Personal Information in two circumstances:

    1. For your current provider: We have received a request from, and are providing software services to, a specific financial institution, law firm, accounting firm, real estate agent, or any other service you've hired, which are legally required to collect identity data to complete their service ("Current Provider").

    2. For future providers: In limited circumstances allowed by Applicable Laws, and only if you or your authorised person approves, we can also hold your personal information securely within our platform for future use by a service provider ("Future Provider").

    When we're handling your personal information for a Current Provider, we are doing it as a technology provider facilitating their data collection process. In these cases, the Current Provider remains the primary data controller. Any questions or requests about your personal information in this circumstance should be directed to that Current Provider, and they will instruct us if necessary via our platform tools.

    When we're handling your personal information for potential Future Providers, we are doing it on your behalf and this policy does apply.

    Note: By virtue of you visiting our website, parts of Section B (below) may also apply to you.

    1. Information we collect and disclose

    When we are managing your personal information during the Retrieval Process, we request and collect it from you directly and from your Current Providers, and then may share it, when necessary, with:

  • Your Current Provider;
  • Our Service Providers (e.g., identity verification databases); and
  • Future Providers (subject to regulatory requirements and your authorisation)

    This includes the following types of personal information (the "Retrieved Information"):

    Category | Information we Collect
    Customer Contact Information | First and last name, Email, Address
    Biometric Information | Faceprints (and facial mapping and scans of digitised images)
    Sensory Information | Photos, videos or recordings of you and your environment
    Unique Identifiers | Unique Device ID, IP Address, Identification number (such as Passport or Drivers Licence number)
    Demographic Information | Age / date of birth contained on your identification documents, Nationality indicated on your identification documents, Sex indicated on your identification documents
    Geographic Information | Geographic location

    2. How long we retain information

    We aim to keep your information for only as long as it is legally required for your Current Provider to maintain their audit trails, or for as long as you request it for Future Providers.

    Identity-document images and biometric data (such as faceprints and selfies) are held by our identity-verification sub-processor, Sumsub, on Sumsub-controlled infrastructure and are not stored at rest on Instant Compliance infrastructure. Sumsub operates EU-based infrastructure, and identity-document images and biometric data held by Sumsub are accordingly subject to the EU General Data Protection Regulation (GDPR). Retention and deletion of these items are governed by Sumsub's policy. Cryptographic audit trails confirming the verification event are retained by Instant Compliance for the Client's compliance records.

    Factors that may influence how long we retain your data include fulfilling our legal or regulatory obligations, responding to a question or complaint, or being unable to delete the data for technical reasons.

    3. How we use and share your Personal Information

    InstantCompliance collects, uses and holds your Personal Information so that we can provide the technological infrastructure for our Client to conduct their required CDD checks. We may also use it for specific purposes that you have consented to. In general, we use your information to minimise risks and protect against fraud, misuse or loss of data, and to improve our software services. We may also use it to comply with laws, obligations or provide assistance to regulatory, government and law enforcement authorities.

    InstantCompliance shares your Personal Information with the requesting Client via our platform to enable them to meet their legal obligations and make their own compliance decisions. We may share limited Personal Information to identify you or your CDD so that we may respond to a Client's technical enquiry about your data file.

    If compelled by law, we may disclose your information in response to a subpoena, court order, or a request for cooperation from a law enforcement or government agency. We may also disclose information when we believe it is appropriate to investigate illegal activity, suspected fraud, or to protect the rights, property, or safety of our company, users, and employees. In the event of a reorganisation, merger, or sale of InstantCompliance, we may transfer any and all Personal Information we collect to the relevant third party.

    Sub-processors and overseas recipients

    We use the following sub-processors to deliver parts of the Service. Where these sub-processors are located outside Australia, your Personal Information is disclosed overseas; the most likely recipient country is the United States.

  • Amazon Web Services (AWS) — application hosting, PostgreSQL database, and document (S3) storage. Region: Sydney, Australia.
  • Sumsub — identity verification, including storage of identity-document images and biometric data, on EU-based infrastructure (subject to GDPR). Retention is governed by Sumsub.
  • Anthropic (Claude API) — automated extraction of structured data from KYB documents (e.g. ASIC company extracts, trust deeds). Region: United States. Documents are processed transiently and are not used to train Anthropic's foundation models.
  • Groq — contact-name inference from email addresses and sanitised page HTML within our Chrome extension. Region: United States (other regions, including Australia, are available; inference is not retained by default).
  • OpenAI (gpt-4o-mini) and Pinecone — in-app support assistant. OpenAI handles chat content; Pinecone holds vector representations of the organisation's authored knowledge base for retrieval. Region: United States (Pinecone's EU and Singapore regions are available; Pinecone has no Australian region). Provided via EK Hub (see below).

    Where supported by the provider, we operate Anthropic and Groq under zero-data-retention and/or no-training arrangements for the document-extraction flows. Data Processing Agreements are in place with sub-processors that handle Personal Information.

    We take such steps as are reasonable in the circumstances to ensure that overseas recipients handle your Personal Information consistently with the Australian Privacy Principles (APP 8). Some disclosures may also rely on consent under APP 8.2(b) where you have agreed to the cross-border disclosure as part of a Current Provider's CDD workflow.

    Intra-group sub-processor — EK Hub / Squiggly Labs Pty Ltd

    The in-app support assistant is provided via EK Hub, a product of Squiggly Labs Pty Ltd, which is the 100% owner of Instant Compliance. EK Hub uses OpenAI and Pinecone as its underlying providers. The assistant is scoped to the organisation's authored knowledge base plus the live conversation; it has no code path to KYC, KYB, identity, or customer records. If a user voluntarily types personal information into the chat, or an organisation loads personal information into its knowledge base, that information will reach OpenAI and Pinecone as part of the chat or retrieval flow.

    4. Security and storage

    InstantCompliance implements a comprehensive array of physical, technical, organisational, and administrative security measures to protect the Personal Information we hold from unauthorised access, use, and disclosure.

    The servers used for storing Customer data, which may include Personal Information, are operated by Amazon Web Services and are located in Sydney, Australia. These data centres are certified to SOC 1, SOC 2, and ISO 27001 standards, ensuring robust security protocols.

    Data held on our servers is encrypted both in transit (when being sent to and from our servers) and at rest (when stored). Specifically, 256-bit SSL/TLS encryption is employed to protect data in transit, while 256-bit AES encryption safeguards data at rest.

    Instant Compliance's own organisational SOC 2 and ISO 27001 certifications are currently in progress. Our control framework is self-assessed against our internal DSS-1200 security framework. Note that some of our sub-processors are located outside Australia (see "Sub-processors and overseas recipients" above); IC-stored data remains in AWS Sydney, while transient content sent to AI sub-processors may transit overseas.

    5. Accessing, correcting, erasing and your other rights

    You are entitled to know and confirm the accuracy of all your Personal Information recorded by InstantCompliance, and all such requests will be addressed free of charge. However, Personal Information collected for a CDD check is held within the platform on behalf of the Client who requested the data collection, and any requests in relation to modifying or deleting this information must be directed to the Client, as they have legal record-keeping obligations.

    Correction of Personal Information may not be possible once a CDD data collection event is completed as this information has been logged to verify your identity at a specific point in time in accordance with Applicable Laws and needs to be retained by the Client to support their audit trail.

    If we cannot correct Personal Information as requested, InstantCompliance will respond in writing with the reasons for denying the correction, along with the appropriate avenue for complaint.


    Section B: For Clients, their staff, and website visitors

    1. Personal Information we collect

    When you visit our website (instantcompliance.ai) or use our secure web app (app.instantcompliance.ai), InstantCompliance gathers information that doesn't directly identify you. This can include things like your job, language, postcode, area code, unique device ID, location, IP address, and the time zone. We might collect information about what Clients do on our website and within the secure web app.

    1.1 Information Collected Directly

    We might collect some Personal Information directly from you, such as your name, email, and professional title when you contact us or sign up for our software services.

    1.2 Information Collected Automatically

    When you visit our website or use our secure web app, we might automatically collect some Personal Information, such as your IP address, device type, and browser attributes.

    1.3 Cookies and Other Technologies

    InstantCompliance's website, online services, and email messages may use "cookies" and other technologies. These technologies help us better understand user behaviour and improve the effectiveness of our software. You can disable cookies in your browser settings, but please note that certain features of the InstantCompliance website may not be available.

    2. How we use and share your Personal Information

    We only handle your Personal Information if we have a good reason under the law. Generally, here are our main reasons:

  • Because of a contract: We need your Personal Information to do what we've agreed to do for you, like providing access to our software platform.
  • Our legitimate interests: We might use your Personal Information for our legitimate business reasons, such as improving our software, marketing, and keeping our platform secure.
  • With your consent: Sometimes, we'll use your Personal Information because you've clearly provided your consent.
  • Legal requirement: We might need to use your Personal Information to follow a legal rule or if it's for something that benefits the public.

    We will not sell your Personal Information. We may share it with government or regulatory bodies if the law requires it, or with anyone else you authorise us to.

    Where to find sub-processor and cross-border disclosures. If you use the in-app support assistant inside our platform, your chat content and any organisation-authored knowledge base content are processed by OpenAI and Pinecone, provided via EK Hub (a product of our parent company Squiggly Labs Pty Ltd). The complete sub-processor list — including overseas recipients and our APP 8 cross-border-disclosure statement — is in Section A.3 ("Sub-processors and overseas recipients" and "Intra-group sub-processor — EK Hub / Squiggly Labs Pty Ltd"). That disclosure applies to you whether you fall under Section A or Section B.

    3. Accessing, correcting, erasing and your other rights

    You can get in touch with us anytime to see your personal information and ask us to:

  • Fix or add to it.
  • Delete it.
  • Take back your permission.
  • Get more information or a copy.
  • Limit how we use or share it.
  • Stop marketing messages by using the "unsubscribe" link in our emails or contacting us at help@instantcompliance.ai.

    Before you can do any of these things, we'll need to check who you are. We'll deal with your request as quickly as we can, following the privacy laws.


    Contact & Complaints

    If you have any questions, concerns or would like to make a complaint about any of our data handling practices, please contact us by:

  • Email: help@instantcompliance.ai
  • Address: 1301/242 Elizabeth St, Surry Hills, NSW, 2010, Australia

    We aim to respond to your dispute within 30 days. We take all complaints seriously and are committed to a quick and fair resolution.

    If you are not satisfied with how we deal with your query or complaint, you may contact the Office of the Australian Information Commissioner (OAIC) by visiting their website at www.oaic.gov.au.

    Instant Compliance Pty Ltd

    ACN: 111 744 668