← Back to OnboardCookie Notice

Onboard Privacy Policy

Version 1.0 · Last updated: 5 May 2026 · Bhalekar Pty Ltd · ABN 22 642 063 385

1. Introduction

Bhalekar Pty Ltd (ABN 22 642 063 385) ("Bhalekar", "we", "us" or "our") is committed to protecting the privacy of personal information we handle. This Privacy Policy explains how we collect, hold, use, disclose and protect personal information in connection with:

  • our websites at bhalekar.ai and onboard.bhalekar.ai;
  • the Onboard practice management software product ("Software");
  • communications with prospects, customers, partners and other individuals; and
  • our consulting and related services.

This Privacy Policy is provided in accordance with the Privacy Act 1988 (Cth) ("Privacy Act") and the Australian Privacy Principles ("APPs"). Read it together with our Terms of Service and our Cookie Notice.

1.1 Relationship with Onboard customers

Onboard is installed and operated by our customers (typically accounting and bookkeeping practices) on infrastructure they procure and control. When customers use the Software for their own clients, the customer decides what personal information is collected, how it is used, and how long it is retained. Bhalekar does not host the production Software for customers and does not control that operational data, except where we access customer environments to provide support under contract.

If you are an end-client of an Onboard customer, this Privacy Policy does not govern how your accountant or bookkeeper handles your information. Refer to their privacy policy. This Privacy Policy applies to information that Bhalekar handles directly (for example, when you deal with our website, register for an account with us, or pay us through Stripe).

2. Personal information we collect

2.1 Information you provide

  • Contact details: name, business name, email address, phone number, role and similar details when you contact us, request a demo, register an account, place an order, or subscribe to updates.
  • Account details: login identifiers, billing identifiers, ABN/GST-related business information you supply, and account preferences for portals you create with us.
  • Payment information: payments for subscriptions and related services are processed by Stripe. We do not receive or store full payment card numbers. We may receive limited transaction metadata (such as billing status or last-four digits where shown by the processor) from Stripe in line with Stripe's terms and notices.
  • Support and correspondence: information you send when you log support tickets, email us, or speak with our team (including troubleshooting context you choose to share).

2.2 Information we collect automatically

  • Website usage data: such as IP address, browser type, pages viewed, timestamps and similar data collected via cookies and similar technologies — see our Cookie Notice.
  • Portal / product telemetry (Bhalekar-controlled interfaces only): logs and activity associated with authenticated use of portals and APIs we operate (such as authentication events, diagnostic and security logs). This does not extend to arbitrary content customers process solely inside their self-hosted application unless support access applies.

2.3 Information from third parties

We may receive information from service providers who assist our business, from referrals where lawful, and from public sources such as registers or directories where relevant to onboarding or AML/CTF-linked obligations that apply to us.

2.4 Sensitive information

We do not generally seek sensitive information (for example health data). If we ever need to collect it, we will do so only with consent where required by law or as otherwise permitted under the Privacy Act.

3. How we collect personal information

We collect personal information directly from you (forms, contracts, correspondence), automatically through cookies and similar technologies on our websites, from customers where needed to deliver support under contract, from referrers and partners where permitted, and from third-party processors that report back limited data (for example payment status from Stripe).

4. Why we use personal information

We collect, hold, use and disclose personal information for purposes including:

  • providing and supporting the Software and related professional services;
  • managing accounts, billing, invoicing and payments;
  • responding to enquiries, support requests and complaints;
  • sending operational messages and — where permitted — marketing (you may opt out of marketing anytime);
  • improving our products, security and customer experience;
  • protecting systems, detecting fraud or abuse, and supporting investigations where lawful;
  • complying with law (including taxation, Privacy Act obligations, AML/CTF where applicable to Bhalekar);
  • enforcing our agreements (including licence and order documentation — see agreements published with the product).

4.1 Marketing

We may send product or event information where allowed. Opt out via the unsubscribe link in emails or by contacting us. We do not sell personal information.

4.2 De-identified and aggregated data

We may use de-identified or aggregated information where it cannot reasonably identify an individual, consistent with applicable law.

5. Disclosure

We may disclose personal information to:

  • Service providers that help operate our business (including payment processing with Stripe, email delivery providers, hosting for our corporate sites and tooling, analytics where used, IT and security tools), subject to confidentiality and purpose limitations;
  • professional advisers where required;
  • regulators, courts or agencies where required by law;
  • successors in a merger or corporate transaction;
  • otherwise with consent or where the Privacy Act permits.

Bold names above reflect commonly used subprocessors — maintain an internal register and update this policy if your stack changes.

6. Overseas disclosure

Some subprocessors used for payments, messaging and cloud infrastructure process or access data outside Australia (for example, United States entities such as Stripe). Where we disclose personal information offshore, we take reasonable steps contractually and operationally consistent with APP 8. Your solicitor should confirm the precise mechanisms applicable to Bhalekar.

Bhalekar support and engineering personnel may perform work from jurisdictions outside Australia subject to confidentiality and security requirements in our contracts and internal policies.

7. Security and retention

We maintain technical and organisational measures appropriate to the information we hold — including access controls, encryption for data in transit, and restrictions on administrative access — while recognising no system is perfectly secure.

7.1 Customer‑controlled environments

Where customers operate Onboard on their own servers or cloud accounts, the security of that environment is primarily the customer's responsibility, as reinforced in contractual schedules supplied with Onboard.

7.2 Retention

We keep personal information only as long as needed for the purposes above and to meet minimum legal or professional retention periods (for example taxation and accounting records, typically up to seven years unless a longer period applies). When no longer needed, we take reasonable steps to destroy or de-identify.

8. Notifiable Data Breaches

We comply with the Notifiable Data Breaches scheme. Where Bhalekar holds personal information as an APP entity and a qualifying breach arises, we will assess, remedy where possible, notify individuals and the OAIC as required by law.

Where a breach relates solely to customer-controlled Onboard deployments, contractual incident steps apply and the customer's obligations as APP entity for its own-held data remain with the customer.

9. Your rights

Subject to exemptions in the Privacy Act, you may request access to personal information Bhalekar holds about you or ask us to correct it (APPs 12 & 13). Where we rely on consent, you may withdraw it subject to legal and contractual limits. Marketing opt-out is handled as described above.

We may need to verify your identity before responding. We aim to respond within thirty (30) days where the Act requires or as soon as reasonably practicable.

10. Cookies

See our Cookie Notice for categories of cookies, management options, and contacts.

11. Third-party links

Our websites may link to external sites or payment pages. Their privacy practices are their own responsibility.

12. Children

Our commercial services are directed at organisations and adults. If you believe a child under 16 has given us personal information, please contact us so we can delete it unless we must retain it by law.

13. Changes

We may revise this Privacy Policy. The published version here is authoritative. Material changes may be flagged on the website or by email where appropriate. The date at the top shows the latest revision.

14. Complaints

Contact us first using the details below. If you remain unsatisfied you may escalate to the Office of the Australian Information Commissioner (OAIC) — phone 1300 363 992, online at www.oaic.gov.au.

15. Contact us

Privacy Officer, Bhalekar Pty Ltd
ABN 22 642 063 385
Email: info@bhalekar.com.au (privacy enquiries)
Phone: 1800 434 005
Postal address: Unit 207, 111 Overton Road, Williams Landing VIC 3027, Australia

End of Privacy Policy — Onboard Privacy Policy v1.0 (web adaptation)