Security & Data

Your money data, properly protected.

Bank-level encryption. Australian hosting. Zero data sharing with third parties. You own your data — we just store it.

Six layers of protection.

Bank-level encryption

Data is encrypted in transit with TLS 1.3 and at rest with AES-256 — the same standard used by major Australian banks. Keys rotate automatically.

Australian hosting

All infrastructure runs in the AWS Sydney (ap-southeast-2) region via Supabase. Your financial data never leaves Australia without your explicit export.

Row-level security (RLS)

Every database query is constrained by your user ID at the database level. Even if someone bypasses the app, they can't query another user's data.
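What "constrained at the database level" looks like in practice, as an added example and not GoldMate's own schema: a minimal Postgres row-level security setup of the kind Supabase uses. The `transactions` table and its columns are assumptions; `auth.uid()` is Supabase's built-in helper that returns the user ID from the session's JWT.

```sql
-- Added example, not GoldMate's schema. Table and column names are assumed.
create table if not exists transactions (
  id           bigint generated always as identity primary key,
  user_id      uuid   not null default auth.uid(),  -- owner, taken from the session JWT
  amount_cents bigint not null,
  description  text
);

-- Turn RLS on. With RLS enabled and no matching policy, a query returns no rows.
alter table transactions enable row level security;
-- Apply the policies to the table owner as well, so a privileged DB connection
-- does not silently bypass them.
alter table transactions force row level security;

-- One policy per operation, each scoped to the caller's own user_id.
create policy "transactions_select_own" on transactions
  for select to authenticated
  using (user_id = auth.uid());

create policy "transactions_insert_own" on transactions
  for insert to authenticated
  with check (user_id = auth.uid());

create policy "transactions_update_own" on transactions
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "transactions_delete_own" on transactions
  for delete to authenticated
  using (user_id = auth.uid());

-- Check: as an authenticated user, rows belonging to anyone else are simply
-- absent rather than producing an error, so this always returns 0 under RLS.
select count(*) from transactions where user_id <> auth.uid();
```

The point of the `with check` clauses is that a client cannot insert or update a row into someone else's account even if the application forgets to filter; the filter lives in the database, not in application code. One caveat worth knowing when reviewing a Supabase deployment: the `service_role` key bypasses RLS entirely, so it belongs only in trusted server-side code, never in a browser or mobile client.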

Authentication that doesn't leak

Password hashes use bcrypt with per-user salts. Session tokens are stored in cookies flagged HttpOnly, Secure and SameSite=Strict. Failed login attempts are rate-limited.

We never look at your data

Aggregated, anonymised usage metrics help us improve the app — but we never view individual transactions, invoices, or account balances. Support can't access your financial data without your permission.

Your data, your rights

Export everything as CSV or JSON from Settings at any time. Delete your account and all associated data in one click — actual deletion within 30 days (not just 'hidden').

GoldMate is a finance tool — not a clinical record system.

For allied health, medical and wellness practitioners: GoldMate is designed for the business side of your practice — invoices, Medicare/NDIS/DVA reconciliation, expenses, tax, BAS. It is not a clinical record system and you should not upload patient health information, clinical notes, diagnoses, or treatment plans to GoldMate. Keep those in a dedicated practice management system (Cliniko, Halaxy, Nookal, PowerDiary). Per our Terms, uploading regulated health information violates acceptable use.

Compliance & standards.

We follow the rules that protect you — not the loopholes that protect us.

  • Australian Privacy Act 1988 compliant
  • Consumer Data Right (CDR) principles
  • Notifiable Data Breaches (NDB) scheme
  • PCI-DSS compliant payment processing (via Stripe)
  • SOC 2 Type II alignment (hosted infrastructure)
  • GDPR-compatible data handling for international visitors

What you can always do.

Export everything

CSV or JSON. All transactions, invoices, assets — one click in Settings.

Delete everything

Full account + data deletion within 30 days. No retention policy for hostage-holding.

See who accessed your data

Audit log of every login and sensitive action — coming Q3 2026.

Report a security issue

security@goldmate.au — responsible disclosure policy, no gotchas.

Still have questions about security?

We're happy to go deeper. Ping us and we'll answer in detail.

Ask us