Windfall

Privacy Policy

Last updated: March 2026

1. About this policy

Windfall Pty Ltd (“Windfall”, “we”, “us”) is committed to protecting your personal information in accordance with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth). This policy describes how we collect, use, disclose, and store your personal information.

2. Information we collect

We collect the following types of personal information:

  • Identity information: Full name, date of birth, previous names (maiden names, married names), email address, and phone number.
  • Address history: Current and previous residential addresses, including suburb, state, and postcode.
  • Employment history: Previous employer names (used to locate lost superannuation).
  • Tax File Number (TFN): Only if you voluntarily provide it for ATO searches. Your TFN is encrypted at rest and in transit.
  • Account information: Email address and authentication data (via Google OAuth or magic link).
  • Payment information: Processed securely by Stripe. We do not store your credit card details.

3. How we use your information

We use your personal information to:

  • Search government unclaimed money registers on your behalf
  • Match your identity against unclaimed money records
  • Generate and lodge claim documents with government agencies
  • Communicate with you about search results, claims, and account updates
  • Process success fee payments via Stripe
  • Improve our services and user experience

4. How we store and protect your information

Your data is stored securely using Supabase (hosted on AWS in the Sydney region). All data is encrypted in transit (TLS 1.2+) and at rest. Sensitive fields such as TFN and Medicare numbers are additionally encrypted at the application level. We implement row-level security policies to ensure you can only access your own data.

5. Disclosure of your information

We may disclose your personal information to:

  • Government agencies (ASIC, ATO, State Revenue Offices) for the purpose of searching registers and lodging claims on your behalf
  • Stripe for payment processing
  • Our email provider (Resend) for transactional communications

We will never sell your personal information to third parties or use it for marketing purposes unrelated to our service.

6. Your rights

Under the Australian Privacy Principles, you have the right to:

  • Access your personal information held by us
  • Request correction of inaccurate information
  • Request deletion of your account and associated data
  • Withdraw consent to search on your behalf at any time
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached

7. Cookies and analytics

We use essential cookies for authentication and session management. We may use privacy-respecting analytics to understand how our service is used. We do not use third-party advertising trackers.

8. Contact us

If you have any questions about this privacy policy or wish to exercise your rights, please contact us at privacy@windfall.com.au.