Last Updated: June 2026
We are committed to protecting the financial privacy and data integrity of our property investors. This policy details how we handle information in compliance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and the New Zealand Privacy Act 2020.
1. THE DATA WE COLLECT & LEAST-PRIVILEGE DESIGN
1.1 LEAST-PRIVILEGE PRINCIPLE: The platform is structurally engineered around a least-privilege data schema. We do not store or read unneeded personal data.
1.2 COLLECTED INFORMATION: We process:
- Account Data: Email addresses and profile metadata used to establish user sessions.
- Property Metadata: Structural labels, room classifications, and property configurations.
- Operational Financial Data: Imported iCal reservation blocks, manually tracked user blocks, expense categories, itemised dollar costs, and transactional rows parsed via income CSV ingests.
- Document Blobs: Images or digital PDF copies of invoices, assets, and receipts uploaded to our file gateway.
2. FILE ACCESS PROTECTION (AUTHENTICATED PROXY STORAGE)
2.1 PRIVATE ACCESS STORAGE: All uploaded property receipts, documentation evidence, and asset images are stored utilizing private cloud infrastructure blocks.
2.2 SECURE VIEWING ONLY: Your files do not have a public internet URL. No data is exposed on public Content Delivery Networks (CDNs). Every request to view or download an uploaded receipt passes through our secure verification system. Access is strictly checked against your specific property permissions—if an unauthorised person or external party attempts to open, copy, or guess a file link, our security systems will automatically block the attempt and completely deny access.
3. DATA RESIDENCY, RETENTION, & PORTABILITY
3.1 RESIDENCY AND STORAGE: Data processing runs primarily across secure cloud hosting nodes (such as Supabase, Prisma-connected databases, and Vercel infrastructure clusters) optimised for region-specific multi-tenant segregation.
3.2 RECOVERY AND PORTABILITY: Your financial logs belong entirely to you. You maintain the right to view, correct, or request the absolute erasure of your operational data records from our active storage tables at any time, subject to active subscription terminations.
4. THE "CONTROLLER VS. PROCESSOR" FIREWALL (GUEST DATA)
4.1 YOUR CUSTOMERS' DATA: When you synchronise iCal feeds or import financial CSV statements from third-party platforms (such as Airbnb or Booking.com), those files may contain the personal data of your guests (e.g., guest names or reservation IDs).
4.2 OUR ROLE AS PROCESSOR: You remain the sole Data Controller of this third-party guest data. Dunit acts strictly as a Data Processor. We do not own this guest data, we do not market to your guests, and we process this information exclusively to calculate your localised tax apportionment and financial ledgers. You represent that you have the lawful right to upload this data into our platform.
5. SUB-PROCESSORS & INTERNATIONAL TRANSFERS
5.1 TRUSTED INFRASTRUCTURE: To provide a secure, high-speed platform, we utilise enterprise-grade sub-processors, including cloud hosting and database providers (such as Vercel and Supabase) and a generative AI provider for the features described in Section 9 (currently Google, via the paid Gemini API).
5.2 CROSS-BORDER ROUTING: While we target regional data centres where possible, your data may be transferred to, routed through, or backed up on secure servers located outside of Australia and New Zealand (such as the United States). By using the platform, you consent to these secure international data transfers.
6. COLLABORATORS & DATA SHARING
6.1 AUTHORISED SHARING:We will never sell your personal or financial data to data brokers. However, if you utilise our "Property Collaborator" features, your property data, ledgers, and uploaded receipts will be shared with the accountants, agents, or co-hosts that you explicitly invite and authorise.
7. AGGREGATED DATA & ANALYTICS
7.1 PLATFORM IMPROVEMENTS: We reserve the right to strip all Personally Identifiable Information (PII) from operational data to create anonymised, aggregated datasets. We use this anonymised data to improve platform functionality, train machine learning categorisation models, and generate generalised industry insights, completely independent of your identity.
8. ADVERTISING & MEASUREMENT (META PIXEL)
8.1 WHAT WE USE: On our public marketing and sign-up pages only, we use the Meta Pixel (provided by Meta Platforms, Inc.) to measure the performance of our advertising. We do not load any advertising or tracking pixels inside the secure dashboard where your financial records, ledgers, and receipts are kept.
8.2 WHAT IS COLLECTED: The pixel records standard web events such as page views and the completion of a sign-up, along with technical data your browser sends automatically (e.g. IP address, device and browser type). We do notenable Meta's automatic advanced matching, meaning we do not silently scrape and transmit the details you type into forms.
8.3 DISCLOSURE TO META (OVERSEAS): This information is disclosed to Meta, whose servers are located outside Australia and New Zealand (including the United States), and may be used by Meta in accordance with its own data policy. By using our public marketing pages you consent to this collection and overseas disclosure for advertising measurement.
8.4 YOUR CONTROL:You can limit this tracking using your browser's privacy settings, ad-blocking tools, or your Meta ad preferences. Declining does not affect your ability to use the platform.
9. ARTIFICIAL INTELLIGENCE PROCESSING
9.1 WHAT WE SEND:Some features use a third-party generative AI provider (currently Google's Gemini API). When you use the receipt "AI Suggest" prefill, we send the uploaded receipt or invoice image or PDF to the provider so it can extract details such as the date, amount, supplier, and a suggested category. Where an in-app assistant is enabled, we send the text of your questions and, only when needed to answer you, a limited summary of the relevant figures from your own ledger.
9.2 NOT USED TO TRAIN AI:We use the paid tier of this provider. Your content and the AI responses are not used to train or improve the provider's models, and are handled under the provider's data processing addendum. The provider logs this content only for a limited period to detect abuse and maintain the security of its services.
9.3 OVERSEAS PROCESSING:This processing occurs on the provider's global infrastructure, and your content may be processed on servers located outside Australia and New Zealand (including the United States). By using these AI features you consent to this overseas disclosure.
9.4 OUTPUTS ARE A CONVENIENCE: AI-generated values and answers are drafts only and may be inaccurate. You are responsible for reviewing and confirming them. AI features do not provide tax, legal, or financial advice.