Legal
Privacy Policy
Last updated: May 2026
Frly is operated by Frly Pty Ltd (ABN 55 697 943 490, ACN 697 943 490), based in Melbourne, Australia. This policy explains what information we collect, how we use it, and your rights under the Australian Privacy Act 1988.
Short version: We collect only what we need to lodge your BAS. We don't sell your data. We don't share it with anyone except the ATO and the services required to run Frly.
What we collect
When you sign up or use Frly, we may collect:
- Your name and email address
- Your ABN and GST registration details
- Income and expense information you provide during the BAS flow
- Platform data you enter (e.g. Uber, DoorDash, DiDi earnings)
- Payment information processed via Stripe (we never store card details directly)
- Identity verification data — a government-issued photo ID (e.g. driver's licence or passport) and a selfie, collected once via Stripe before your first BAS lodgement. We store the outcome of the verification (verified or not) but not your document images — those are held by Stripe.
- Receipt images you upload, if you use the receipt inbox auto-categorisation feature
- Basic usage data such as pages visited and actions taken within the app (via PostHog)
- Error and performance data collected automatically when something goes wrong (via Sentry)
How we use your information
We use your information to:
- Prepare and lodge your Business Activity Statement with the ATO
- Send you confirmation emails and BAS deadline reminders
- Process payments securely via Stripe
- Improve the Frly product and fix bugs
- Verify your identity before lodging your first BAS, as required by the Tax Practitioners Board (TPB)
- Support the registered BAS agent services provided on your behalf
We do not use your information for advertising, profiling, or sale to third parties.
Who we share it with
We only share your information with:
- The ATO - to lodge your BAS on your behalf
- Stripe - to process payments securely and to verify your identity
- Resend - to send transactional emails (confirmations, reminders)
- PostHog - to track how people use Frly so we can improve it (data stored on EU servers)
- Sentry - to capture application errors and diagnose bugs
- Anthropic — if you use the receipt inbox feature, receipt images are sent to Anthropic (the maker of Claude) to automatically extract the amount, date, merchant, and category. Anthropic does not use API inputs to train its models. Images are not retained by Anthropic beyond the time needed to process the request. You can learn more at anthropic.com/privacy.
We do not sell, rent, or trade your personal information.
Identity verification
Our registered BAS agent is required by the Tax Practitioners Board (TPB) to verify your identity before lodging your first BAS. You will be asked to complete this once. You will need a current Australian driver's licence or passport, and you will be asked to take a selfie to confirm it's you.
We use Stripe for identity document verification. Stripe collects identity document images, facial images, ID numbers and addresses as well as advanced fraud signals and information about the devices that connect to its services. Stripe shares this information with us and also uses this information to operate and improve the services it provides, including for fraud detection. You may also choose to allow Stripe to use your data to improve Stripe's biometric verification technology. You can learn more about Stripe and read its privacy policy at stripe.com/privacy.
Data storage and security
Your data is stored with reputable cloud infrastructure providers using industry-standard encryption in transit (TLS) and at rest. We have data processing agreements in place with all providers. Access to your data is restricted to authorised Frly personnel only.
While we take reasonable steps to protect your information, no system is completely secure. If we become aware of a data breach that is likely to cause serious harm, we will notify you and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme.
Retention
We retain your tax records for 7 years, as required by the ATO. You can request deletion of your account and non-tax data at any time by emailing us.
Your rights
Under the Australian Privacy Act, you have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your account and non-ATO data
- Complain to the OAIC if you believe your privacy has been breached
Cookies
We use minimal cookies - to keep you logged in and to support PostHog analytics (to understand how people use the site). We don't use advertising or tracking cookies.
Changes to this policy
We may update this policy from time to time. If we make material changes, we'll notify you by email. The current version is always available at frly.com.au/privacy.
Contact us
If you have questions about this policy or want to exercise your privacy rights, email us at [email protected]. We'll respond within 5 business days.