Last updated: 2 June 2026
OneAddress Pty Ltd (ABN 43 696 078 869) operates the OneAddress platform at oneaddress.io. We are an Australian company based in Western Australia. When we say "OneAddress", "we", "us", or "our", we mean OneAddress Pty Ltd.
Other account data — including your email address, phone number, server request logs (IP address and timestamp), identity verification certificates, and transmission records — is not covered by zero-knowledge encryption and could be required to be disclosed pursuant to a valid court order, subpoena, or other lawful legal process under Australian law. Where permitted by law, we will notify you before complying with any such demand.
Your vault data (addresses, service connections) is encrypted client-side using AES-256-GCM with a key derived from your 6-digit PIN via PBKDF2. The encryption key never leaves your device. We store only the encrypted ciphertext.
Account information: When you create an account, we collect your email address and authentication credentials (email verification code, or Google/Apple sign-in). If you sign in with Apple or Google, we receive only the identifier they provide.
Guest sessions (updating without an account): If you use the "Update without account" flow at /quick, we create a short-lived guest session keyed only to an email-verified one-time code. We hold your email, phone number, the name and any alias names you supply, and the per-service account or member numbers you enter, in cleartext at rest so we can dispatch your update and contact you with the result. See section 5A for the full guest-flow retention and processing detail.
Contact details: Both flows collect your phone number, your preferred full name, and (optionally) the alternate names you are known by (e.g. nickname, maiden name). These travel in cleartext with each address update so partners can match you to their records — see section 5.
Encrypted vault / payload data: Your addresses are stored in encrypted form. In the account flow, your vault is encrypted client-side with a key derived from your PIN. In the guest flow, your new address is encrypted client-side with an ephemeral key held only in your browser (and, after submission, in the URL fragment of your magic link). In neither case can we decrypt the address.
Transmission records: When you send an address update, we record the partner name, timestamp, and delivery status for your transmission history. We do not store the address content — only that a transmission occurred.
Payment information: Payments are processed by Stripe. We do not store credit card numbers or bank details. Stripe's privacy policy applies to payment data.
Identity verification data: When you complete an identity verification (required before each address dispatch), we temporarily process a photograph of your identity document, a short selfie video for liveness detection, and the details extracted from your document (name, date of birth, document number, expiry). What we keep and what we delete is set out in section 6.
Usage data: We collect server-side request logs (IP address, request path, timestamp) for security monitoring and abuse prevention. We do not use third-party analytics tools or track individual browsing behaviour.
We use your information to: provide and operate the OneAddress platform; verify your identity before transmitting addresses to partners; process address update transmissions to your selected partners; send you email notifications about transmission confirmations and account activity; improve our product and fix issues; comply with legal obligations.
We do not sell, rent, or trade your personal information to third parties. We do not share your personal information with any third party for their own commercial or marketing purposes.
When you initiate an address update, your address is encrypted client-side with the partner's public key using ECDH + AES-256-GCM. The encrypted payload is transmitted via webhook to the partner's registered endpoint. Only the partner can decrypt it with their private key. OneAddress cannot read the address during transmission.
Alongside the encrypted address, each webhook also carries a small cleartext customer block containing your email address, your name, any alternate names you supplied, and the account or member number you provided for that service. Partners need these fields in cleartext to match the update to the correct record in their CRM. The encrypted address remains unreadable to OneAddress.
You choose which partners to notify. You can select or deselect individual services before each transmission.
The "Update without account" flow at /quick is a one-shot path that lets you send an address update to selected service providers without registering. Because there is no vault and no PIN, the data model differs from the account flow in three ways:
#k=, which servers cannot see). OneAddress only ever sees the ciphertext.
Magic link. After you submit, we email you a one-time URL of the form oneaddress.io/g/<token>#k=<key>. The token authenticates you to our status API; the key (after the #) decrypts your stored address in your browser so the page can show you what was sent. The key never reaches our server. If you lose this email, we cannot show you the address again — but the dispatch will already have happened.
Retention. Guest sessions are pruned 30 days after submission. Abandoned sessions (no submission, no payment) are pruned shortly after they expire. Once a session is pruned, your cleartext PII and the encrypted address blob are deleted from our systems; transmission records (partner, timestamp, status) are kept for the same period as the account-flow records described in section 8.
Before your encrypted address can be transmitted to a partner, OneAddress requires you to complete an identity verification. This protects you, and your service providers, from someone updating your registered address without your authority.
We use Global Data Pty Ltd — an Australian-accredited identity service provider, based in Melbourne — to perform the verification on our behalf. Global Data is our Information Matching Agent under the Australian Privacy Principles (APP 6), and submits your identity data to the government's Document Verification Service (DVS) on our behalf. The flow has three steps:
Sensitive information and consent. Under the Australian Privacy Principles (APPs), photographs of identity documents and biometric data (your selfie video) are sensitive information. We collect, use and disclose this information only with your explicit consent, which is captured immediately before the verification flow begins. You can decline at that point, or close the verification window before submitting, without affecting any other part of your OneAddress account.
Where data is processed. Global Data processes verification data within Australia. Your document photograph and selfie video do not leave Australian jurisdiction.
What we keep, and for how long. Once a verification reaches a final state (passed or failed), OneAddress permanently deletes the document photograph, the selfie video, and the OCR-extracted document details from our systems. We retain only a verification certificate — a record of the result, document type, timestamp, and an internal reference number — which is consumed by a single subsequent address dispatch and then retained for the life of your account as an audit record. Global Data's own retention of verification artefacts is governed by their privacy policy and the regulatory requirements applicable to accredited identity service providers. Global Data is a Data Processor under the Australian Privacy Principles (APP 8). OneAddress has a Data Processing Agreement with Global Data requiring them to protect your information in accordance with the Privacy Act 1988 (Cth).
One verification per dispatch. Each completed verification authorises a single address transmission. Subsequent updates require a fresh verification.
No AI/ML profiling. OneAddress does not perform machine learning, profiling, or automated decision-making on your personal data. Our platform was developed with AI assistance, but no ML models process your address or identity information. The liveness check performed by Global Data uses computer vision to confirm physical presence and document authenticity; this is performed by Global Data (not by OneAddress) and is limited to identity verification.
If you delete your account. All identity verification records held by OneAddress — both certificates and any in-flight verification artefacts — are scheduled for permanent deletion and removed within 48 hours as part of the account deletion process. See section 8.
Your encrypted vault data, transmission records, and identity verification certificates are stored in Australian data centres (AWS Sydney, ap-southeast-2) via Neon (database) and Vercel (application hosting, Sydney region). Identity verification is performed in Australia by Global Data.
Overseas transfers (APP 8). Some auxiliary services process account data outside Australia. Specifically: Stripe (payments) is based in the United States and receives payment metadata and billing information; Resend (transactional email) is based in the United States and European Union and receives your email address and the content of transactional notifications we send you. We have entered into data processing agreements with each of these providers and require them to protect your information in accordance with standards comparable to the Australian Privacy Principles. Encrypted vault data and address payloads are not sent to any of these providers.
Our infrastructure includes: AES-256-GCM vault encryption, ECDH P-256 key exchange for partner transmissions, HMAC-SHA256 webhook signatures, TLS 1.3 for all connections, and session management with automatic timeout.
Your encrypted vault data is retained for as long as your account is active. Transmission records and identity verification certificates are retained for the life of your account. You can clear your transmission history and address history at any time from Settings.
Specific retention periods:
dispatch_log): retained for 7 years from the date of each event (aligned with the statute of limitations for contractual disputes). This table contains no plaintext address data and no vault content — only cryptographic references (key IDs, payload HMACs) and dispatch timestamps.
dvs_compliance_events): retained for 7 years in accordance with OneAddress's obligations under the Document Verification Service Participation Agreement. This log records verification events keyed by a hashed user identifier only, with no plaintext address or identity-document content.
Account deletion. When you request account deletion, your account enters a 48-hour grace period. During those 48 hours your account remains active and you can cancel the deletion from your dashboard. After 48 hours, all data — vault, transmission history, and identity verification records (both certificates and any in-flight verification artefacts) — is permanently and irreversibly deleted. At the 39-hour mark you will receive a final account export email before deletion proceeds. OneAddress does not retain any copies after deletion.
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), you have the right to: access the personal information we hold about you; request correction of inaccurate information; request deletion of your account and data; opt out of direct marketing communications; lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
Because your vault data is zero-knowledge encrypted, we cannot access it ourselves. You control your data entirely through your vault PIN.
Deceased account holders. If an account holder has passed away, an authorised representative (such as the executor of their estate) may request account data export or deletion by contacting us at privacy@oneaddress.io with appropriate documentation of their authority. We will process such requests in accordance with our obligations under the Privacy Act 1988 (Cth) and applicable Australian succession law. Because vault data is zero-knowledge encrypted, we may not be able to retrieve the address contents — only the transmission history and account metadata.
OneAddress uses a small number of server-set, functional-only cookies. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.
/quick. Contains an HMAC-signed session identifier (no plaintext PII). HttpOnly, Secure, SameSite=Lax. Expires after 30 days or when you complete or cancel the flow.
__cf_bm) — set by Cloudflare, our DNS and DDoS-protection provider, for bot management and traffic security. These are not under OneAddress's control. No personal data is stored by Cloudflare on OneAddress's behalf. Cloudflare's privacy policy applies.
All OneAddress-set cookies are HttpOnly (inaccessible to JavaScript) and Secure (HTTPS only). You can block or delete cookies in your browser settings, but doing so may prevent you from signing in or using the guest flow.
We use the following third-party services. Where a provider is based outside Australia, the nature of data transferred is described — see section 7 for the full APP 8 overseas disclosure.
Each provider has its own privacy policy and, where applicable, a data processing agreement with OneAddress.
We may update this privacy policy from time to time. For material changes — those that reduce your rights, add new data collection, or change how we share your information — we will notify you by email at least 30 days before the change takes effect. Minor changes (such as clarifications or typographical corrections) may take effect immediately. The “Last updated” date at the top indicates when the policy was last revised.
OneAddress Pty Ltd (ACN 696 078 869 · ABN 43 696 078 869)
Western Australia, Australia
For privacy-related enquiries, contact us at privacy@oneaddress.io. We aim to respond to privacy enquiries within 10 business days. If you believe we have not complied with our obligations under the Privacy Act 1988 (Cth), you may also lodge a complaint with the Office of the Australian Information Commissioner (OAIC).