Legal

Privacy policy

Senly AML is an AML/CTF compliance platform for Australian businesses newly regulated under AUSTRAC's Tranche 2 reforms (real estate, professional services, precious metals). This policy explains what Personal Information we collect when you use the Service, why we collect it, and the rights you have over it.

Our commitment to your privacy. We are committed to handling Personal Information transparently and securely, in accordance with the Australian Privacy Principles. Nothing in this policy limits your rights under the Privacy Act 1988 (Cth). We review and update this policy as our product changes or as the law requires, and any changes take effect when we publish them. This policy was last updated on 10 June 2026.

1. Who we are

Senly AML is a product of SenlyAI, a business name registered to Uinspo Pty Ltd (ABN 47 664 833 872), an Australian company. In this policy, Senly AML, “we”, “us” and “our” refer to Uinspo Pty Ltd, trading as SenlyAI.

We help Australian businesses newly regulated under AUSTRAC's Tranche 2 reforms meet their anti-money-laundering and counter-terrorism-financing (AML/CTF) obligations under the AML/CTF Act 2006 (Cth), as amended in 2024 and in force from 31 March 2026 (program obligations) and 1 July 2026 (Tranche-2 commencement). The Tranche-2 sectors are real estate agencies and developers, conveyancers, lawyers, accountants and TCSPs, and precious-metals dealers.

This policy explains what Personal Information we collect when you use the Service, why we collect it, how we hold and use it, and the rights you have over it. It applies to aml.senly.ai and any related Senly AML service.

In this policy, a Customer is a business that uses the Service to meet its obligations under AML Legislation. An Applicant is an individual whose identity is verified by a Customer. A website visitor is anyone who browses our public website without signing up. Today, Senly AML holds Personal Information for Customers and website visitors only. Applicant data is held by the Customer that verifies the Applicant. Senly AML will begin handling Applicant data directly in a future release, and a separate collection notice will be issued at that point. This is described further in section 12.

2. What information do we collect?

In the current early-access phase of the product, we only collect what you give us:

  • Early-access signup details. Your name, business name (agency, firm or dealer), work email, and (optional) role, staff count, sector and CRM choice.
  • Email correspondence. If you reply to one of our emails or write to us at privacy@senly.ai, we hold that thread in our inbox.
  • Technical request data. Your IP address, browser type, and page requested, recorded transiently by our hosting provider for security and abuse prevention.
  • Anonymised analytics. We use a privacy-friendly, cookieless analytics service to count page views and measure how quickly the site loads for real visitors. No cookies are set. No identifying information is sent. The analytics service is run by our hosting provider and is described in section 6.

We do not currently store identity documents, customer due diligence records or transactional data. When future product features go live, this policy will be updated and we will tell you what changes.

3. Whose information flows through the Service?

Three populations contribute Personal Information to Senly AML. Understanding which population you fall into helps you understand which sections of this policy apply to you.

  • Website visitors. Anyone who browses our public website. Information we collect is limited to early-access signup details, email correspondence with us, and transient technical request data such as your IP address.
  • Customers. Australian businesses that have signed up to use the Service. Once a Customer signs up, we collect business profile information, the names and contact details of team members the Customer authorises, billing information when subscription fees begin, and the compliance records the Customer creates while using the Service.
  • Applicants. Individuals whose identity a Customer verifies through the Service. Today, the Applicant's identity-document details (name, date of birth, document type and number) are entered into Senly AML by the Customer for the purpose of recording the verification outcome. Senly AML never stores copies of the underlying identity document and never receives biometric data. The verification record belongs to the Customer. When the Service begins offering vendor-API verification in a future release, Applicant data will pass through Senly AML directly, and a separate collection notice will be issued at that point. See section 12.

4. How do we use your information?

We use your information only for these purposes.

  • To respond to your early-access request and to tell you when Senly AML is available.
  • To send you product updates about Senly AML only, not other products.
  • To improve the website, in aggregate, without ever identifying individuals.
  • To meet our legal obligations, for example by retaining a record of consent.

You can unsubscribe from product emails at any time by replying with the word “unsubscribe” or by contacting us.

We rely on the following legal grounds, drawn from the Australian Privacy Principles and other applicable law, to handle your Personal Information:

  • Your consent. For example, when you submit the early-access form, or when you opt in to product updates.
  • Performance of a contract. Where we have entered an engagement with a Customer, to provide the Service and perform our obligations under those engagement terms.
  • Compliance with legal obligations. To meet record-keeping, reporting and audit obligations under AML Legislation and other Australian laws.
  • Our legitimate interests. To keep the Service secure, prevent abuse, and improve how the Service works, where doing so does not override your interests or rights.

6. Who do we share your information with?

We engage a small number of third-party service providers to deliver the Service. These fall into the following categories.

  • Cloud hosting and database. For storing the information you give us and running the application.
  • Email delivery and outbound messaging. For responding to your early-access enquiry and sending product updates.
  • Payment processing. When the Service moves out of early access and we collect subscription fees.
  • Identity verification (future release). Senly AML does not currently engage an identity-verification vendor. When the Service begins offering vendor-API verification, the vendor will be named here and Customers will be notified before the data flow begins. See section 12.
  • Analytics and performance measurement. Our hosting provider runs a privacy-friendly analytics service that counts anonymised page views and measures Core Web Vitals from real visitors. The service does not set cookies, does not transmit identifying information, and is processed in the United States under the cross-border disclosure described in section 7.
  • Bot protection on forms. Our early-access form is protected by Cloudflare Turnstile, which classifies form submissions as human or automated. Turnstile receives the form token and the visitor IP address. It does not receive the form's business data (name, agency, email). The service is cookieless and is processed by Cloudflare in the United States under the cross-border disclosure described in section 7.

We do not sell or rent Personal Information to anyone, ever.

7. Where is your information held?

Personal Information collected through the Service is held in Australia, in AWS Sydney (region ap-southeast-2). Some narrower categories of data may be processed by overseas service providers, primarily in the United States, in the course of delivering the Service. This can happen where an email-delivery or payment provider operates primarily out of the United States, where a sub-processor we engage holds backup or telemetry data outside Australia, where customer-support escalation requires a vendor's overseas team to investigate an issue, or where you access the Service from outside Australia. Where this occurs we have taken reasonable steps to ensure those providers handle the data in a manner consistent with the Australian Privacy Principles (APP 8). By using the Service you consent to this disclosure for the limited purpose of providing the Service.

8. How long do we keep your information?

We hold early-access signup details until you ask us to delete them, or for two years after our last interaction with you, whichever comes first. Email threads are retained for as long as they have a legitimate business use.

Where AML Legislation applies to a Customer's use of the Service, verification records, customer due diligence records and related compliance artefacts must be retained for the period required by law (generally seven years from the end of the relationship). During that period, we may not be able to action a deletion request from an Applicant. Records are deleted once the statutory retention period has lapsed.

9. How do we keep your information secure?

We take reasonable steps to protect Personal Information from misuse, interference, loss and unauthorised access. Our servers use encryption in transit and at rest using at least industry-standard protocols, and access to our administrative consoles is restricted and protected by multi-factor authentication. Where we are required to keep a record (for audit or AML Legislation purposes), the record is held in a tamper-evident form so any change is detectable on review.

Further information about our security posture is on our Security page.

10. Do we make automated decisions about you?

No. Senly AML does not make automated decisions about you and does not use any AI provider. Risk ratings, suspicious-matter assessments and verification outcomes are all entered and signed off by a person at the Customer using the Service.

Risk scoring is performed by a transparent rules engine, where every weight is visible to the Customer and every score is replayable. The Customer can show, on audit, why each Applicant's risk rating came out the way it did. There is no black-box model and no third-party AI inference in the loop. If this position ever changes, we will update this section first.

11. What rights do you have over your information?

Under the Privacy Act, you have a number of rights over your Personal Information.

  • You can ask what Personal Information we hold about you.
  • You can ask us to correct information that is inaccurate, incomplete or out of date.
  • You can ask us to delete your information, subject to any legal record-keeping obligations we are under.
  • You can withdraw consent to receive product emails at any time.

To exercise any of these rights, please contact us. We aim to respond within 30 days.

12. A note about AML/CTF

The Service helps Customers meet their own obligations under AML Legislation. Personal Information that a Customer collects from an Applicant (for example, identity documents) is held by the Customer and processed through the Service in accordance with the Customer's own AML/CTF program and privacy policy. In that processing, we act as the Customer's service provider.

Where an Applicant has been verified by a Customer, the verification record belongs to that Customer and may be used by it for subsequent engagements with the same Applicant during the period the Customer is required to retain the record. An Applicant who wishes to access or correct their record should contact the Customer that holds it.

AML Legislation also permits one Customer to rely on the customer-identification work performed by another, where the two have entered into a written reliance arrangement. Where you elect to enter such an arrangement using the Service, the verifying Customer's record of the Applicant's identity check is made available to the relying Customer through the Service. The information shared is the structured verification outcome that the relying Customer needs to meet its own obligations under AML Legislation. The underlying identity documents are not shared because the Service does not hold them. Both Customers see the arrangement on file. The relying Customer remains solely responsible for satisfying itself that the arrangement, and the verification work it covers, are adequate for its purposes.

13. When the Service handles Applicant data directly (future release)

Today, Applicant identity data is entered into the Service by a Customer, and only the verification outcome is retained. In a future release, the Service will offer an optional vendor-API verification path. When a Customer chooses to use that path, the Applicant's identity information will pass through Senly AML to a named identity-verification vendor for checking against government and commercial databases.

Before that path is offered to Customers, this policy will be updated to name the vendor, the categories of data sent, the jurisdiction of processing, and the retention treatment of any receipt or audit identifier returned by the vendor. A separate collection notice in the form required by Australian Privacy Principle 5 will be presented to the Applicant before any data is transmitted, every time the path is used. We will not enable this path silently.

14. What happens if there is a data breach?

We are subject to the Notifiable Data Breaches scheme. If an eligible data breach occurs, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable after we become aware of it, and in any case within 30 days.

15. How do you complain?

If you believe we have mishandled your Personal Information, please contact us first so we can address it directly. If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner at oaic.gov.au or call 1300 363 992.

16. Changes to this policy

We may update this policy as our product changes or as the law requires. We will update the “last updated” date at the top, and for any material change we will notify existing early-access subscribers by email before the change takes effect.

17. How do you contact us?

We have appointed a Privacy Officer to handle privacy enquiries. The Privacy Officer can be contacted at privacy@senly.ai. We aim to respond to privacy requests within 30 days.