Privacy & Data Handling

1. What information we collect

Three different categories of information may be involved.

1.1 Personal information you provide directly

• Email address — collected by Stripe at checkout, then provided to us via the Stripe webhook so we can send you the access link and recovery emails.
• Payment information — your card details are entered into Stripe’s checkout form and are not collected, processed, or seen by us. We receive a Stripe charge identifier and the amount paid; nothing more about your card.

1.2 Calculator and matter information you enter

While using the calculator you may enter information that includes:

• Asset values (property, vehicles, accounts, investments, business interests, super, other assets)
• Liability values (mortgages, vehicle finance, other debts)
• Allocation choices (who gets what)
• Names and identifying details of the parties to the matter (yourself and a former partner or spouse)
• Children’s names and dates of birth (where you choose to add them)
• Contributions and future-needs inputs (income figures, ages, health categories, primary-carer status)

This information is your matter content. What happens to it depends on whether you are using the free modelling features or the paid PDF unlock — see sections 4 and 5.

1.3 Information about other people (e.g. a former partner)

The calculator allows you to enter information about another person, typically a former partner or spouse to your property settlement matter. You are responsible for ensuring you have a proper basis to enter and use that information for this purpose. We use that information only to operate the calculator on your inputs, generate outputs, store your matter where applicable (paid unlock only), and support the service as described on this page. We do not contact the other party. We do not market to them. Nothing in the system reaches out to anyone other than you.

1.4 Technical information

Like any website, our hosting provider records standard request metadata such as IP address, user agent, request timing, and response status, for the purposes of running, securing, and debugging the service. After you sign in to a paid matter, we record a hashed device fingerprint (an IP-prefix and browser-bucket digest) so we can email you when an unfamiliar device opens your matter. The fingerprint is held per purchase, capped at ten entries, and aged out FIFO.

2. Why we collect it

We use the information described in section 1 to:

• Provide the calculator and produce its outputs (the live split, draft consent orders, the PDF)
• Process your $249 payment for the PDF unlock and meet our resulting obligations to you
• Email you the access link, recovery link, refund confirmation, and security notices triggered by your activity
• Detect new-device sign-ins so we can alert you
• Comply with legal record-keeping requirements (Australian tax)
• Support, maintain, and secure the service, including investigating abuse and responding to support requests

We do not use your information for any other purpose without first making it clear to you.

3. Australian privacy alignment

The service is operated from Australia and is intended to align in good faith with the Privacy Act 1988 (Cth) and the Australian Privacy Principles where applicable, and with the Notifiable Data Breaches scheme where applicable. This page is not a claim that every Australian privacy law applies to the service in every circumstance, and it is not legal advice about your privacy rights. Your rights under the Privacy Act 1988 and the Australian Consumer Law continue to apply on their own terms regardless of anything written here.

4. Free modelling: nothing leaves your browser

While you are modelling for free — building the asset pool, weighting contributions, applying future-needs adjustments, allocating assets, viewing the live split — the figures you enter stay in your browser. They are held in your browser’s session memory and (where you have asked the calculator to remember them) in your browser’s localStorage.

No matter content is transmitted to our servers during free modelling. Close the tab without paying and any session-only data is gone.

Free modelling does involve standard web infrastructure: your browser fetches HTML, CSS, and JavaScript files from our hosting provider (Cloudflare) the way it would for any website, and aggregate page-load measurement happens via Google Analytics — see section 8.

5. Paid unlock: what is stored, where, and for how long

When you choose the $249 PDF unlock, three things are stored on our servers, each with a different retention rule.

5.1 Encrypted matter snapshot — 30 days plus 7-day grace

At the moment of purchase, your matter state (asset pool, party details, contributions, future-needs inputs, allocations, and split target) is encrypted in your browser using AES-256-GCM. The encryption key is derived from a master key held by the site operator and a combination of your purchase email plus a random matter ID. The ciphertext is uploaded to our key-value store at Cloudflare.

The encrypted matter is held for 30 days from your purchase, plus a 7-day grace period to allow operator-assisted recovery if you contact support. After 37 days, the encrypted snapshot is automatically deleted by the storage layer.

While the snapshot is held: opening the access link we email you decrypts the snapshot in your browser, lets you resume editing, and re-encrypts it on save. We can also decrypt the snapshot from the operator side if you contact support — see section 7.

5.2 Cached PDF

When you export your PDF during the editing window, the PDF file itself is also cached on our servers, keyed to your matter ID. The cached PDF is retained indefinitely unless you request deletion, receive a refund, the service is closed, or we are otherwise required to delete it. While retained, you can re-download it from the access link we emailed you.

The cached PDF is encrypted at rest, derived from the same per-matter key as the snapshot.

5.3 Purchase record — 5 years (Australian tax)

The purchase record — your purchase email, Stripe session ID, Stripe charge ID, amount paid, currency, and a timestamp — is stored in our database (Cloudflare D1) for five years from the date of purchase. This retention is set by Australian record-keeping obligations for businesses.

The purchase record contains no matter content — no asset values, no party names, no allocations.

If you request deletion of your data, the encrypted snapshot, the cached PDF, the device-fingerprint list, and the access token are deleted on receipt. The purchase record is the only thing that survives deletion, retained until the 5-year tax-record window expires.

6. Email and access mechanism

There is no sign-in, no account, no password. After purchase you receive an email containing a unique access link. The link contains a signed token that authenticates you to the access page. From the access page you can resume editing your matter (within 30 days) or re-download the cached PDF (while it is retained — see section 5.2).

If you misplace the email, visit the recovery page, enter your purchase email, and we resend the link. The recovery flow is rate-limited (five requests per email per hour) to discourage abuse.

The access link is the access mechanism. Treat it like a password — do not share it with anyone you would not want to read your matter. If you suspect your link has been seen by someone you did not intend, you can reset it from the access page; this invalidates the previous link.

Email is sent via MailerSend. Our MailerSend account holds only the addresses needed for transactional delivery; we do not run marketing campaigns and we do not subscribe paying customers to any list.

7. Operator decryption — the trade-off in plain English

The encryption is “at-rest”: the snapshot and cached PDF are encrypted before they hit storage, and decryption requires a key. The key is derived from a master key held by the site operator plus your email and matter ID. This means two things, one good and one to be honest about.

The good: someone who breaches our hosting account does not get usable matters from the storage layer alone.

The trade-off: the site operator can decrypt your snapshot if you contact support. This is sometimes useful (you write in saying “I need help fixing X in my matter” and the operator opens it to assist) and sometimes uncomfortable (it means we can read your data; we are not a zero-knowledge service).

Every operator decryption writes an entry to a 5-year audit log including the timestamp, the operator email, and the purchase being decrypted. If you ever ask “has anyone read my matter,” we can answer.

If full zero-knowledge is a hard requirement for you, this tool is not the right fit.

8. Google Analytics

We use Google Analytics for aggregate usage measurement — for example, how many sessions opened the calculator, which pages they reached, which step they stopped at. We do not send matter content, asset values, party names, calculator inputs, or PDF contents to Google Analytics. Google Analytics processes its own data on its own infrastructure under its own terms.

Google Analytics is a Google service and may transfer information overseas as part of its operation. You can opt out of Google Analytics tracking by using your browser’s privacy controls, by installing the Google Analytics Opt-out Browser Add-on, or by using a tracker-blocking extension — the calculator continues to work without analytics enabled.

9. What we don’t do

• We don’t sell your data.
• We don’t share matter details with any third party except the sub-processors in section 10, used as data processors only.
• We don’t use your inputs to train any machine-learning model. There is no model training step, no LLM ingestion, nothing of that nature.
• We don’t notify the other party to your matter that you are using the tool.
• We don’t require a Google account, a Microsoft account, or any third-party identity provider for end users. The system is intentionally email-only.
• We don’t send marketing email. The only emails we send are transactional (access link, recovery, refund confirmation, new-device alert, and a future editing-window-closing reminder).

10. Sub-processors and overseas processing

The tool runs on the following infrastructure. Each is a contractor that handles part of the technical work; we use them as data processors and they have their own privacy commitments. Some of these providers are based outside Australia or process information outside Australia in the course of operating their services. By using the tool you acknowledge that some processing may occur overseas.

• Cloudflare — hosting (Cloudflare Pages), serverless compute (Cloudflare Workers), encrypted matter and PDF storage (Cloudflare KV), purchase record database (Cloudflare D1). Our resources are configured to the Oceania region; some platform operations (e.g. logging, edge caching) may transit Cloudflare’s global network.
• Stripe — payment processing. Your card details go directly from your browser to Stripe; we never see them. Stripe holds your purchase email, payment method metadata, and charge details under its own privacy terms. Stripe is a US company.
• MailerSend — transactional email delivery (the access link email, recovery resends, refund confirmation, security notices). MailerSend operates internationally.
• Google Analytics — aggregate page-load measurement. No matter content is sent. Google may process information outside Australia.

We don’t use any other third-party services for matter handling.

11. Refund and deletion

Within 7 days of purchase, you can request a full refund — no questions, no forms. After 7 days, your rights under the Australian Consumer Law continue to apply on their own terms.

When a refund is processed, our system automatically: (a) marks the purchase as refunded in the database, (b) deletes the encrypted matter snapshot, (c) deletes the cached PDF, (d) revokes the access token, and (e) emails you a refund confirmation. Stripe processes the refund itself and your card is credited within 5–10 business days.

12. Access, correction and deletion

You can request access to, correction of, or deletion of personal information we hold about you by emailing privacy@propertysplitcalculator.com.au from your purchase email. We will respond within a reasonable period.

Some limited purchase records may need to be retained for Australian tax and business-record purposes (see section 5.3). Where a record cannot be deleted because of such an obligation, we will tell you, explain why, and delete it once the obligation expires.

If you have lost access to the email you used at purchase, the operator-assisted recovery path requires us to be reasonably satisfied of your identity before we act on a request — see section 7.

13. Privacy complaints

If you have a privacy concern or complaint, please contact us first at privacy@propertysplitcalculator.com.au. We will review and respond within a reasonable period.

If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (oaic.gov.au).

14. Security incidents

If we become aware of a suspected or confirmed data breach, we will assess it promptly and, where required under the Notifiable Data Breaches scheme, notify affected individuals and the Office of the Australian Information Commissioner as soon as practicable. The technical detail of how the system is secured is on our Security page.

15. Children

The tool is intended for adults working through Australian property settlement. We do not knowingly accept purchases from children under 18.

16. Changes to this page

We may update this page as the system evolves. The “Last updated” date at the top reflects the most recent change. Material changes that affect how existing data is handled will be communicated by email to affected paying users.

17. Contact

Privacy questions and complaints: privacy@propertysplitcalculator.com.au. Security reports: security@propertysplitcalculator.com.au. Operated by Simon Pickard, an Australian sole trader.