Privacy Policy
This document explains how varquinalos handles information connected to individuals who engage with our budget analysis services. Rather than starting with what we capture, we begin with what drives our approach: data minimalism rooted in operational necessity.
We don't pursue comprehensive profiles. Information finds its way into our systems only when fulfilling a specific function becomes impossible without it. That principle shapes every interaction, from initial registration through ongoing service delivery.
Questions about cookies, tracking pixels, or similar mechanisms? Those live in a separate document dedicated to browser-based technologies. This policy concerns itself exclusively with how identifying details about you—captured through direct interaction—move through our infrastructure.
Information Emergence and Functional Justification
Details about individuals materialize at distinct interaction points. When you establish an account to access budget analysis tools, we record your email address and a name you provide. Authentication requires the email; correspondence depends on having something to call you. Your financial institution connections—when you authorize them—generate records of account identifiers and transaction metadata, but never your banking credentials themselves.
Service functionality creates different data requirements. Budget categorization relies on transaction descriptions and amounts. Spending pattern analysis requires temporal sequences. Goal-tracking features demand baseline figures you define. Each capability pulls only the specific elements it needs to function.
Payment processing introduces commercial transaction records: billing details, subscription tier selections, payment instrument identifiers. These exist because financial exchanges require them, not because we seek comprehensive financial portraits.
Support interactions produce communication histories. When you contact us with a technical question or service concern, that exchange gets logged. The correspondence might reference account specifics you share to expedite resolution. This retention serves two purposes: maintaining continuity across multi-message exchanges and identifying recurring technical patterns that warrant systematic fixes.
Automated Intake
Some information arrives without explicit submission. Server logs capture IP addresses, browser identifiers, timestamp data. These technical artifacts support security monitoring, performance optimization, and abuse prevention. They're byproducts of digital infrastructure operation rather than deliberate collection efforts.
Operational Application and Internal Boundaries
Once information exists within our systems, it moves through defined channels based on necessity. Customer service personnel access account details when resolving specific inquiries. Engineering teams work with aggregated, anonymized patterns to identify performance bottlenecks—they never need to see whose transactions those are. Financial reconciliation staff handle payment records to address billing discrepancies.
Security monitoring operates differently. Automated systems scan for anomalous patterns that might indicate unauthorized access attempts. When alerts trigger, security personnel examine relevant logs, which may include IP addresses, access timestamps, and behavioral sequences tied to specific accounts.
Budget analysis algorithms process your transaction data to generate insights and categorizations. These calculations happen within segregated computational environments. The systems performing analysis don't connect to external networks; they operate on data already inside our infrastructure, producing outputs that flow back to your dashboard.
Development Work
Engineers building new features work with sanitized datasets where identifying elements have been stripped or randomized. Real transaction patterns matter for testing categorization accuracy; actual names and account numbers don't.
Business Intelligence
Understanding aggregate usage patterns—which features get adopted, where users encounter friction—relies on statistical summaries. These roll-ups never drill down to individual behavior tracking.
Quality Assurance
When investigating reported bugs, QA teams may examine specific account states with explicit permission, documented in support tickets. Access gets provisioned temporarily and logged comprehensively.
External Movement and Third-Party Relationships
Information leaves our direct control under specific circumstances. Payment processors receive transaction details necessary to complete billing operations—cardholder names, payment amounts, billing addresses when provided. These entities operate under their own privacy frameworks, though contractual agreements impose data handling requirements aligned with our minimalist approach.
Financial data aggregation services—the intermediaries connecting your bank accounts to our analysis tools—obtain authorization credentials you provide directly to them. They retrieve transaction data and relay it to us. We don't see your banking passwords; they don't perform budget analysis. This separation creates a functional boundary where each party handles only their specific operational requirements.
Australian regulatory obligations occasionally mandate disclosure. Tax authorities with valid legal instruments, law enforcement agencies presenting proper warrants, regulatory bodies conducting authorized audits—these can compel information production. We resist overbroad requests and provide only what legal requirements explicitly demand. When legally permitted, affected users receive notification.
Should varquinalos ever merge with another organization or undergo acquisition, user data would transfer as part of business continuity. The acquiring entity would inherit all commitments made here unless they provide advance notice and meaningful choice regarding continued service usage under modified terms.
We don't sell user information. We don't participate in data brokerage. We don't package anonymized datasets for commercial licensing. Budget analysis services generate revenue through subscriptions, not through data monetization.
Protection Measures and Residual Risk
Safeguarding stored information involves multiple layers. Transport encryption protects data moving between your browser and our servers. Database encryption shields stored records. Access controls limit which personnel can reach which systems. Multi-factor authentication gates administrative functions. Regular security audits probe for vulnerabilities.
These measures reduce risk; they don't eliminate it. Sophisticated attackers breach protected systems. Authorized personnel sometimes make mistakes. Hardware fails. Software contains bugs. Despite our commitment to robust security practices, absolute protection remains impossible.
Specific risk factors you should understand: financial transaction data, even when encrypted, represents high-value targets. Email addresses serve as vectors for phishing attempts. Account credentials, if compromised through password reuse across services, could enable unauthorized access despite our protections.
When security incidents occur that may have exposed user information, we follow disclosure protocols: assessing impact scope, implementing containment measures, and notifying affected individuals within timeframes specified by Australian data protection regulations. Transparency during breaches matters as much as prevention beforehand.
User Control, Retention Boundaries, and Legal Foundations
Access and Modification
You can view most information we hold about you through your account dashboard. Profile settings display the name and email address on record. Connected accounts show which financial institutions you've authorized. Transaction histories reflect what we've imported for analysis. Correction happens through those same interfaces—update your name, change your email, disconnect bank accounts.
For information not exposed through dashboard controls, submit a formal access request to help@varquinalos.com. We'll compile a comprehensive report within 30 days, delivered through secure channels. If that report reveals inaccuracies, request corrections through the same email address, specifying which elements need revision and providing supporting evidence when relevant.
Deletion and Withdrawal
Account closure triggers systematic deletion. Transaction histories, categorization data, budget configurations, goal tracking records—these disappear within 90 days of account termination. That window accommodates billing dispute resolution and regulatory compliance periods. Payment transaction records persist longer due to tax documentation requirements (seven years) and fraud investigation needs.
Partial deletion requests get evaluated individually. Removing specific transaction imports while preserving account functionality might be possible; eliminating your email address while maintaining an active subscription isn't. We'll clarify what can and cannot be deleted given your service usage preferences.
Duration Logic
Active account data persists as long as you maintain service access. Communications logs expire after three years—old enough to track recurring issues, recent enough to avoid perpetual accumulation. Server logs age out after 90 days unless flagged for security investigations. Payment records follow statutory retention mandates.
Legal Standing
Multiple foundations support our information handling. Contractual necessity covers data required to deliver subscribed services—you can't receive budget analysis without providing transactions to analyze. Legitimate business interests justify security logging, fraud prevention, and service improvement analytics, balanced against privacy intrusions through minimization practices. Legal compliance obligations mandate certain record-keeping. Where none of those apply, explicit consent governs collection and use.
Australian Privacy Principles frame our obligations and your rights. For users outside Australia accessing our services, we extend equivalent protections regardless of geographic location, treating data handling standards as universal commitments rather than jurisdiction-specific compliance measures.
Privacy Concerns and Escalation Paths
Formal privacy inquiries, access requests, correction demands, or deletion petitions should arrive through structured channels rather than casual support tickets. This separation ensures appropriate handling by personnel equipped to address regulatory obligations.
Postal Address
Lot 766 Casuarina Drive
Small Boat Harbour
Bunbury WA 6230
Australia
help@varquinalos.com
Phone
+61249625650
If our response to a privacy concern fails to satisfy your expectations, Australian residents may escalate complaints to the Office of the Australian Information Commissioner. That governmental body investigates potential Privacy Act violations and mediates disputes between individuals and organizations regarding personal information handling.