Data Use Policy – Rask AI

Last Updated: 7 March, 2025

This Data Use Policy explains how Bongo Wongo Pty Ltd (ABN: [Your ABN]) (“Bongo Wongo”, “we”, “us”, “our”) uses your data within our Financial Onboarding System. It supplements our Privacy Policy by providing detailed information about data processing, storage, and usage practices.

Bongo Wongo is an authorised representative of Rask Licensing Pty Ltd (ABN: 32 681 073 478) (AFSL: 563 907).

1. Purpose

This Data Use Policy provides transparency about:

How we collect and process your data
Where your data is stored
How your data is used for different features and services
Who has access to your data
Your rights regarding your data

2. Data Collection and Processing

2.1 Data Collection Methods

Direct Input:

Form submissions (Fact Find, Goals & Objectives, Insurance Needs Assessment)
Calculator inputs (Wealth Projector, Retirement Calculator)
Document uploads to our document vault
Profile updates and account information
Correspondence and communications

Automatic Collection:

Usage analytics and system logs
Error tracking and performance metrics
Browser and device information
IP addresses and connection data

Third-Party Integration (with your explicit consent):

Basiq: Financial transaction data, account balances, income, expenses
Navexa: Investment portfolio data, holdings, performance metrics
ActiveCampaign: Marketing and activity tracking data
Google Maps: Address information for form autocomplete

2.2 Data Processing Purposes

Primary Processing:

Generate personalised financial advice (Statements of Advice)
Create financial projections and scenarios
Calculate retirement and wealth projections
Analyse financial position and goals
Provide tailored recommendations
Process form submissions and maintain records

Secondary Processing:

Improve service quality and user experience
Develop new features and tools
Conduct research and analysis (using anonymized data)
Ensure system security and prevent fraud
Comply with legal and regulatory obligations

3. Data Storage and Architecture

3.1 Storage Architecture

Tier 1: WordPress Database (Non-Sensitive Data)

User profiles and account information
Form submission metadata
User preferences and settings
System configuration
Integration connection status
Location: Production database server (Australia)
Encryption: At rest and in transit
Access: Authenticated admin users only with role-based permissions

Tier 2: Google Drive (Sensitive Documents)

Form submission exports (text files)
Statements of Advice (SOA) – all versions
File notes (ASIC compliance records)
Uploaded documents (statements, certificates, etc.)
Location: Google Drive (encrypted, United States)
Access: Service account with Editor permissions only
Retention: Indefinite (compliance requirement)
Structure: Organised by client in individual folders

Tier 3: Third-Party Services

ActiveCampaign: Contact and activity data (United States)
Basiq: Transaction data (user-controlled, Australia)
Navexa: Portfolio data (user-controlled, Australia)
OpenAI: Temporary processing only (United States)

3.2 Data Structure

Structured Data:

Database tables for queryable data
Form field mappings and relationships
User meta data and preferences
Submission tracking and status
Integration connection records

Unstructured Data:

JSON form submissions
SOA documents (text format)
File notes (text format)
Uploaded documents (various formats: PDF, images, etc.)

4. Data Usage by Feature

4.1 Form Submissions

Data Used:

All form field responses
Submission timestamps
User identification
Form completion status

How Used:

Stored in WordPress database
Exported to Google Drive as text files
Used for Statement of Advice (SOA) generation
Analyzed for completeness and validation
Extracted to structured data tables for reporting
Synced to ActiveCampaign (if integration enabled)

Retention: 7 years minimum (AFSL requirement), typically indefinite for compliance

4.2 Statement of Advice (SOA) Generation

Data Used:

Fact Find data (comprehensive financial information)
Goals & Objectives data
Insurance Needs Assessment data (if provided)
Risk profile and preferences
Financial calculations and projections

How Used:

Sent to OpenAI API for AI-powered advice generation
Processed through multi-stage pipeline for quality assurance
Generated SOA document stored in database
All versions archived to Google Drive
Previous versions automatically archived before new version is saved
Used for compliance record-keeping

AI Processing:

Data is anonymized where possible before sending to OpenAI
Not stored by OpenAI beyond the API request duration
Used solely for advice generation purposes
Complies with OpenAI’s data usage policies
No training data: OpenAI does not use our data to train their models

Retention: Indefinite (all versions retained for compliance)

4.3 Calculators and Financial Tools

Data Used:

User inputs (starting balance, contributions, growth rates, etc.)
Form data (synced via two-way binding where applicable)
Calculation results and projections

How Used:

Real-time calculations and projections
Scenario comparisons and analysis
Interactive charts and visualizations
Synced back to form data where applicable
Stored in structured data tables for historical tracking

Retention: While account is active, plus 7 years after closure

4.4 Document Vault

Data Used:

Uploaded documents (PDFs, images, statements, etc.)
Document metadata (type, upload date, size)
Access logs and viewing history

How Used:

Secure storage in Google Drive
Organised by document type in client folders
Protected access with authentication
Future: Document type detection and data extraction

Retention: While account is active + 7 years (AFSL requirement)

4.5 Third-Party Integrations

Basiq Integration (Optional):

Data Collected: Transaction data, account balances, income, expenses, spending categories
How Used: Cashflow analysis, spending categorization, savings calculations, financial health insights
Storage: Cached in WordPress database, fetched on-demand from Basiq
User Control: User controls which accounts are connected, can disconnect at any time
Retention: While integration is active, deleted upon disconnection
Location: Australia (Basiq’s servers)

Navexa Integration (Optional):

Data Collected: Portfolio holdings, performance data, investment returns, asset allocation
How Used: Investment tracking, performance analysis, portfolio charts and analytics
Storage: Cached in WordPress database, fetched on-demand from Navexa
User Control: User controls API key and connection, can disconnect at any time
Retention: While integration is active, deleted upon disconnection
Location: Australia (Navexa’s servers)

ActiveCampaign Integration:

Data Collected: Contact information, activity data, form submissions, email engagement
How Used: Marketing automation, email campaigns, activity tracking, lead scoring
Storage: ActiveCampaign platform
User Control: Opt-out of marketing emails via unsubscribe links
Retention: Per ActiveCampaign’s privacy policy
Location: United States (ActiveCampaign’s servers)

5. Data Sharing and Disclosure

5.1 Internal Sharing

Within Our Organization:

Authorized staff members with role-based access
Financial advisors providing advice services
Support team for customer service
System administrators for technical maintenance

Access Controls:

Role-based permissions (minimum necessary access)
Audit logging of all data access
Regular access reviews and updates
Staff training on data protection

5.2 External Sharing

Service Providers:

Google: Drive storage, Maps API (United States)
OpenAI: AI-powered SOA generation (United States)
ActiveCampaign: CRM and marketing automation (United States)
Basiq: Financial data aggregation (Australia)
Navexa: Investment tracking (Australia)
Payment Processors: Stripe, PayPal (various locations)

All service providers are contractually bound to protect your data and use it only for specified purposes.

Legal and Regulatory:

ASIC: As required by Australian Financial Services Licence (AFSL)
ATO: If required by tax law or audit
Courts: In response to legal processes
Law Enforcement: With proper authorization and legal process

5.3 No Unauthorized Sharing

We do not:

Sell your data to third parties
Share data for marketing purposes without your explicit consent
Use your data for purposes unrelated to providing financial services
Disclose your information except as described in this policy

6. Data Security

6.1 Technical Security Measures

Encryption: All data encrypted in transit (HTTPS/TLS) and sensitive data encrypted at rest
Authentication: Secure password requirements, optional two-factor authentication
Access Controls: Role-based permissions, minimum necessary access principles
Network Security: Firewalls, intrusion detection, regular security updates
Secure APIs: All third-party integrations use secure, authenticated API connections

6.2 Organizational Security Measures

Staff Training: Regular training on data protection and privacy
Access Reviews: Regular audits of who has access to what data
Incident Response: Procedures for detecting and responding to security incidents
Data Breach Notification: Procedures for notifying affected users and regulators

6.3 Third-Party Security

All third-party service providers are required to:

Maintain appropriate security measures
Comply with relevant privacy laws
Notify us of any security incidents
Allow audits where appropriate

7. Data Retention

7.1 Retention Periods

Active Accounts:

Data retained while account is active
Plus 7 years after account closure (AFSL requirement)

Financial Records:

Minimum 7 years as required by ASIC
Typically retained longer for compliance

Statements of Advice (SOA):

All versions retained indefinitely
Required for compliance and record-keeping

File Notes:

Retained indefinitely
Required for ASIC record-keeping

Integration Data:

Retained while integration is active
Deleted upon disconnection (subject to legal requirements)

7.2 Deletion and Anonymization

After retention periods:

Data is securely deleted where legally permitted
Some data may be anonymized for research purposes
Legal and compliance requirements may prevent deletion of certain records

8. Your Rights and Choices

8.1 Access and Correction

You have the right to:

Access your personal information
Request correction of inaccurate or incomplete information
Request a copy of your data in a portable format

8.2 Deletion and Opt-Out

You can:

Request deletion of your account (subject to legal requirements)
Opt-out of marketing communications
Disconnect third-party integrations at any time
Request deletion of specific data (where legally permitted)

8.3 Complaints

If you believe we have breached your privacy, you can:

Contact us directly to resolve the issue
Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)

9. International Data Transfers

Some of our service providers are located outside Australia:

United States: Google services, OpenAI, ActiveCampaign
Various: Payment processors (Stripe, PayPal)

When we transfer data internationally, we ensure:

Appropriate contractual safeguards are in place
Service providers comply with relevant privacy laws
Data is protected to Australian standards

10. Changes to This Policy

We may update this Data Use Policy from time to time. We will:

Notify you of significant changes via email or website notice
Update the “Last Updated” date at the top of this policy
Maintain previous versions for your reference

11. Contact Us

If you have any questions about this Data Use Policy or how we handle your data, please contact us:

Bongo Wongo Pty Ltd
[Your Address]
[Your Email]
[Your Phone Number]

We will endeavour to respond to you within a reasonable period after contact is made.

By using our Financial Onboarding System, you acknowledge that you have read and understood this Data Use Policy.