Property Split Calculator
Australian family law · FLA 1975 (Cth)

How We Protect Your Information

The data you put into the calculator is sensitive: bank balances, properties, super funds, who gets what after a separation. We’ve designed the system so that even if someone broke into our servers, your matter stays unreadable, and so that the only way to open your matter is from the email address you used to pay.

Last updated: 7 May 2026

1. What we never see

Things that are at risk in many web services but are never at risk here:

  • Your card details. Payment goes from your browser straight to Stripe. We don’t see, store, or process card numbers.
  • A password. There is no password to set, lose, or have leaked — we don’t use one.
  • Your matter, in plain text on our servers. The matter itself (assets, parties, allocations) is encrypted before it leaves your browser. The version on our servers is unreadable without the right key.

2. How your matter is locked up

When you pay, the calculator encrypts your matter in your browser using AES-256-GCM (the same standard used by online banks and government services). The encryption key is derived from a master secret we hold and the email you used to pay.

What that means in practice:

  • The encrypted matter is uploaded to our storage. The plain matter is not.
  • To decrypt, you need the master secret and the email used at purchase. Even with full access to our database, an attacker without the master secret can’t read your matter.
  • If we ever needed to help you (you contacted support and asked us to look at your matter), we can decrypt server-side — but that decryption is recorded in our audit log for five years. So you can verify whether anyone looked at your matter.
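
The scheme above (AES-256-GCM with a per-record key derived by HKDF, as listed in section 9) can be sketched as follows. This is an added example, not the site's own code: the function names, the HKDF "info" layout and the use of the purchase id as additional authenticated data are assumptions, and it uses Node's crypto module so it runs stand-alone (the same primitives exist in the browser's Web Crypto API).

```javascript
// Added illustration: function names, the HKDF "info" layout and the AAD are assumptions.
const nodeCrypto = require('node:crypto');

// Per-record AES-256 key: HKDF-SHA256 over the master key, with the per-purchase
// identifiers (assumed: purchase id + normalised purchase email) as "info".
function deriveRecordKey(masterKey, purchaseId, email) {
  const info = Buffer.from(`matter-v1|${purchaseId}|${email.trim().toLowerCase()}`);
  const salt = Buffer.alloc(32); // zero salt is fine when the master key is uniformly random
  return Buffer.from(nodeCrypto.hkdfSync('sha256', masterKey, salt, info, 32));
}

function encryptMatter(key, purchaseId, matter) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(purchaseId)); // binds the ciphertext to its purchase
  const ct = Buffer.concat([cipher.update(JSON.stringify(matter), 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Returns the matter, or null when the GCM tag check fails (wrong key, AAD or tampering).
function tryDecrypt(key, purchaseId, { iv, ct, tag }) {
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
    decipher.setAAD(Buffer.from(purchaseId));
    decipher.setAuthTag(tag);
    const plain = Buffer.concat([decipher.update(ct), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch {
    return null;
  }
}

// Constructed sample data: every value below is made up for the demonstration.
function demo() {
  const master = nodeCrypto.randomBytes(32);
  const matter = { assets: [{ name: 'Family home', value: 900000 }] };
  const key = deriveRecordKey(master, 'purchase_001', ' Alex@Example.com');
  const record = encryptMatter(key, 'purchase_001', matter);
  const otherKey = deriveRecordKey(master, 'purchase_001', 'sam@example.com');
  return {
    sameEmail: tryDecrypt(deriveRecordKey(master, 'purchase_001', 'alex@example.com'), 'purchase_001', record),
    otherEmail: tryDecrypt(otherKey, 'purchase_001', record),
    otherPurchase: tryDecrypt(key, 'purchase_002', record),
  };
}
```

A record copied out of storage without the master key is useless, and a record moved to a different purchase row fails the tag check rather than decrypting.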

3. How you sign in (without a password)

After you pay, we email you a link with a one-time-use access token. The first time you open it, your browser swaps the token for a secure cookie that lives only on your device, and we strip the token from the URL so it can’t leak via screenshots, browser history, or copy-paste mistakes.

From then on, the cookie is your sign-in. It expires after 365 days; after that you request a fresh link via the recovery page using the email you paid with.

4. What happens if your link is shared or stolen

The link is the access mechanism — treat it like a password. If you suspect your link has been seen by someone you didn’t intend (forwarded email, screenshare, lost laptop, copy-paste accident), open your matter and click “Reset my access link”.

This invalidates the previous link instantly. Even if someone else still has it, it stops working. A fresh link is emailed to the email on file.
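
The reset works the way section 9 describes it: an HS256 JWT is checked against a per-purchase "minimum issued-at" held server-side. The sketch below is an added example, not the site's own code; the claim names, the in-memory Map standing in for the revocation record, and the function names are assumptions.

```javascript
// Added illustration: claim names, the Map store and function names are assumptions.
const nodeCrypto = require('node:crypto');
const TTL_SECONDS = 365 * 24 * 60 * 60; // the 365-day TTL
const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (secret, msg) => nodeCrypto.createHmac('sha256', secret).update(msg).digest();
const fail = (reason) => ({ ok: false, reason });

function signJwt(claims, secret) {
  const input = `${b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${b64url(hmac(secret, input))}`;
}

// revocations: Map of purchaseId -> { minIat }, standing in for the server-side record.
function verifyAccess(token, secret, revocations, now) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return fail('malformed');
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  } catch {
    return fail('malformed');
  }
  if (!header || header.alg !== 'HS256') return fail('bad-alg'); // pin the algorithm
  const expected = hmac(secret, `${head}.${body}`);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    return fail('bad-signature');
  }
  if (!claims || typeof claims.iat !== 'number' || typeof claims.exp !== 'number') {
    return fail('malformed');
  }
  if (now >= claims.exp) return fail('expired');
  // Rotation check: a token issued before the purchase's minimum issued-at is
  // rejected even though its signature and expiry are still valid.
  const record = revocations.get(claims.sub);
  if (record && claims.iat < record.minIat) return fail('revoked');
  return { ok: true, purchaseId: claims.sub };
}

// "Reset my access link": bump minIat, then issue a token at that timestamp.
// Timestamps have one-second resolution, so the bump goes one second past `now`;
// otherwise a token issued in the same second as the reset would survive.
function resetAccessLink(purchaseId, secret, revocations, now) {
  const minIat = now + 1;
  revocations.set(purchaseId, { minIat });
  return signJwt({ sub: purchaseId, iat: minIat, exp: minIat + TTL_SECONDS }, secret);
}
```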

5. We’ll alert you about new devices

Every time your matter is opened from a device we haven’t seen before, we send a security email summarising when, where (rough geo from your IP), and what kind of browser. So if your link gets used on a phone you don’t own, you find out.

The first device on file (your own first sign-in) is silent. Only the second-and-later unique device triggers a notice, so you don’t get spammed by your own switch from laptop to phone.
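
The alert rule, combined with the fingerprint and the 10-entry FIFO list from section 9, behaves as in the sketch below. This is an added example, not the site's own code: the browser bucket names, the function names and the use of a keyed hash (HMAC with a hypothetical server-side key) are assumptions.

```javascript
// Added illustration: the HMAC key, bucket names and function names are assumptions.
const nodeCrypto = require('node:crypto');
const MAX_DEVICES = 10; // per-purchase cap

// Constructed sample user agents for the demonstration.
const SAMPLE_UA = {
  chrome: 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36',
  firefox: 'Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0',
};

// Coarse browser family only. Order matters: Edge and Chrome user agents also
// contain "Safari/", and Edge's contains "Chrome/".
function browserBucket(userAgent) {
  if (/Edg\//.test(userAgent)) return 'edge';
  if (/Firefox\//.test(userAgent)) return 'firefox';
  if (/Chrome\//.test(userAgent)) return 'chrome';
  if (/Safari\//.test(userAgent)) return 'safari';
  return 'other';
}

// Hash of the IPv4 /24 plus browser bucket. A keyed hash is used here because a
// plain hash over so small an input space could be reversed by enumeration.
function deviceFingerprint(ipv4, userAgent, hmacKey) {
  const parts = ipv4.split('.');
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) {
    throw new Error('expected a dotted-quad IPv4 address');
  }
  const net24 = `${parts.slice(0, 3).map(Number).join('.')}.0/24`;
  return nodeCrypto.createHmac('sha256', hmacKey)
    .update(`${net24}|${browserBucket(userAgent)}`).digest('hex');
}

// Returns the updated list and whether a new-device email is due.
function recordDevice(devices, fingerprint) {
  if (devices.includes(fingerprint)) return { devices, alert: false };
  const next = [...devices, fingerprint];
  if (next.length > MAX_DEVICES) next.shift(); // FIFO: evict the oldest entry
  return { devices: next, alert: devices.length > 0 }; // first device is silent
}
```

Two consequences follow from the coarse fingerprint: devices in the same /24 with the same browser family are indistinguishable and raise no alert, and a device evicted from the capped list raises an alert again when it returns.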

6. Refunds delete everything automatically

If you request a refund, deletion runs automatically when Stripe confirms the refund: the encrypted matter is deleted, the cached PDF is deleted, and the access link is revoked, usually within seconds. You don’t need to ask separately for a data deletion.

You also keep the right to request deletion at any time without asking for a refund — email privacy@propertysplitcalculator.com.au from your purchase email and the encrypted matter, cached PDF, and access link are deleted on receipt. The five-year tax-records purchase row (which contains no matter content) survives this.

7. What you can do to keep your matter safe

Most of the security work is on our end, but a few things genuinely matter on yours:

  • Don’t forward your purchase email or paste the link into Slack/Twitter. Anyone with the link can open the matter until you reset it.
  • Use a recoverable email. If you lose access to the email you bought with, recovery becomes hard — we can’t verify your identity any other way without strong evidence.
  • If you suspect anything — a new-device email you didn’t expect, your inbox compromised, a stolen device — reset your access link straight away.
  • Use a current browser. The encryption happens in your browser; older browsers may lack the cryptography we rely on.

8. The communication we send

The only emails we send are transactional, triggered by something you did:

  • Stripe receipt at purchase
  • Access-link email at purchase
  • Recovery-link email when you submit your email at /recover.html
  • Refund confirmation when a refund completes
  • New-device alert (described above)
  • (Future) Reminder a few days before your editing window closes

We never send marketing email. We never send links you didn’t request. If you receive an email that claims to be from us asking for password / payment / personal information, treat it as phishing — we don’t use passwords, we won’t ask for payment outside Stripe, and we don’t need any personal information beyond your purchase email.

9. The technical short version (for the curious)

Everything above is in plain language; here it is in slightly tighter terms for people who like that.

  • Hosting and compute: Cloudflare Pages, Cloudflare Workers, Cloudflare KV, Cloudflare D1. Australia region (OC).
  • Encryption at rest: AES-256-GCM, key derived per-record via HKDF over a master key + per-purchase identifiers.
  • Authentication: signed JWT (HS256) with a 365-day TTL plus a server-side revocation record. The JWT lives in an HttpOnly + Secure + SameSite=Strict cookie after first use, never in a URL after the initial landing.
  • Link rotation: bumping a per-purchase “minimum issued-at” timestamp in the revocation record invalidates all earlier JWTs.
  • Device fingerprint: hashed IP /24 + major-browser-bucket; held in a per-purchase device list capped at 10 entries (FIFO).
  • Email transport: MailerSend (transactional), DKIM + SPF on a verified domain.
  • Payment: Stripe Checkout. PCI-DSS compliance is on Stripe.
  • Audit log: 5-year retention; every administrator read or write is recorded.

10. Reporting a security concern

If you find something that looks like a vulnerability, please email security@propertysplitcalculator.com.au. We will acknowledge as soon as practicable (typically within five business days) and work with you in good faith.

If you believe your account has been compromised right now — suspicious new-device email, link forwarded somewhere it shouldn’t have been — the fastest fix is to open your matter and click “Reset my access link”. That stops any leaked copy of the link from working.

If we become aware of a suspected or confirmed data breach, we will assess it promptly and, where required under the Notifiable Data Breaches scheme, notify affected individuals and the Office of the Australian Information Commissioner as soon as practicable. Full data-handling, retention, and deletion details are on the Privacy page.

Important note: This tool is a practical modelling aid only. It does not constitute legal advice and does not replace advice from a qualified Australian family lawyer. All outputs are estimates based on your inputs. Do not file consent orders without independent legal review.