Privacy Policy
Effective: 1 February 2026 | Version 1.3
This is a living document, reviewed and updated regularly as our practices evolve. The online version is always the most current.
GetPost Labs Pty Ltd (ABN 82 634 520 924) operates lex-aml, an AML/CTF compliance platform for Australian businesses. We are committed to protecting personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
This policy explains what personal information GetPost Labs collects, how we handle it, and how you can access, correct or make a complaint about our handling of your information.
1. Who We Are
GetPost Labs Pty Ltd operates lex-aml, an AML/CTF compliance platform designed for Tranche-2 reporting entities regulated under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006. Our platform enables lawyers, accountants, real estate agents, conveyancers and dealers in precious metals, stones and products to meet their Customer Due Diligence (CDD) obligations under AUSTRAC.
- Name: Sumit Arora, Founder & Director
- Email: sumit@getpostlabs.io
- Address: 9 Parolin Parade, Rochedale, Queensland 4123
- Website: https://lex-aml.com.au
2. Our Data Architecture and Privacy Principles
lex-aml is designed with the following core data principles, which govern how all personal information is handled across every deployment model:
- Zero data retention by GetPost Labs — we do not hold, store, or retain any compliance, operational, or end-customer data belonging to reporting entities or their clients.
- Customer-controlled infrastructure — lex-aml can be deployed on the reporting entity's own chosen premises or cloud environment. In managed service arrangements, the platform is configured on infrastructure owned and controlled by the customer.
- Data in transit is encrypted using TLS 1.2+ between client devices and lex-aml servers. Data at rest is encrypted using AES-256. Internal services operate within a secured private network (VPC/DMZ). Encryption keys for customer data belong to the reporting entity.
- Full data portability — customers can download all their data and exit the platform at any time. Nothing is retained by GetPost Labs after exit.
- No unauthorised access — GetPost Labs staff do not access customer or end-customer data without explicit written authorisation from the customer, granted on a case-by-case basis only.
- Transparent onboarding — these data practices are disclosed to customers before onboarding as part of our standard process.
These principles apply across all service models — self-managed, assisted setup, and managed service deployments.
3. What Personal Information GetPost Labs Collects
GetPost Labs collects and retains only the personal information necessary to establish and manage the commercial relationship with reporting entities. This is limited to:
- Name and contact details of the authorised representative
- Organisation name, ABN/ACN, and registered address
- Billing and subscription information
This information is collected as part of the sales contract process and is stored in our internal billing platform. We do not collect or retain any other personal information from reporting entities or their staff beyond what is required for the commercial relationship.
Platform configuration, user roles, activity logs, preferences, CDD data, compliance records, and all end-customer personal information are held entirely on the customer's own infrastructure and are not accessible to GetPost Labs. In limited circumstances where a customer raises a support request, specific technical information may be shared by the customer with our support team under the terms of the standard support agreement, strictly for the purpose of resolving the issue, and handled confidentially.
We do not collect sensitive health or medical information. We do not collect personal information for marketing purposes without express consent.
4. How We Collect Personal Information
The limited personal information we hold is collected directly from the authorised representative of the reporting entity during the sales and onboarding process — specifically through the execution of the sales contract.
We do not collect personal information through the lex-aml platform itself. All data entered into the platform by reporting entities and their staff is stored on their own infrastructure and is not accessible to GetPost Labs.
5. Why We Collect Personal Information
We collect sales contract information for the following purposes only:
- To establish and manage the commercial relationship with the reporting entity
- To process billing and subscription payments
- To communicate with the authorised representative regarding the service
- To comply with our own legal and regulatory obligations as a business
6. Use and Disclosure of Personal Information
We use sales contract information only for the purposes described in Section 5. We do not use it for any other purpose.
We may disclose this information to:
- Our billing and payment processing providers, under strict data processing agreements
- Professional advisors such as lawyers and accountants, where necessary
- Government regulators where required by applicable Australian law
We do not sell, rent, or trade personal information to third parties for any purpose.
7. How We Handle Compliance and End-Customer Data
GetPost Labs does not handle, access, or control any compliance data or end-customer personal information processed through the lex-aml platform. All such data:
- Is stored on infrastructure owned and controlled by the reporting entity
- Is encrypted end-to-end with keys held solely by the reporting entity
- Is never transmitted to or stored on GetPost Labs systems
- Remains the sole responsibility of the reporting entity as data controller
Reporting entities are responsible for ensuring they handle their clients' personal information in accordance with the Privacy Act 1988 (Cth) and their obligations under the AML/CTF Act 2006.
In the rare circumstance where a reporting entity explicitly authorises GetPost Labs to access their environment — for example for debugging or data migration — this occurs strictly under a formal authorisation process, on a case-by-case basis, with full audit logging, and only for the duration and purpose specified by the customer.
8. Use of Artificial Intelligence
lex-aml includes an AML/CTF domain intelligence module that interacts with large language models (LLMs) to assist users with compliance guidance. This module is designed with the following strict principles:
- No customer data is sent to any LLM or external AI service under any circumstances.
- The AI module interacts only with publicly available regulatory context, AUSTRAC guidance, and platform workflow documentation designed for this purpose.
- No CDD data, compliance records, end-customer personal information, or any other customer-specific data is used as input to any AI or machine learning system.
GetPost Labs is committed to ensuring that AI features within lex-aml are implemented responsibly and in a manner that does not compromise the privacy or security of any personal information.
9. Third-Party Services
lex-aml integrates with a number of third-party services to deliver identity verification and AML/CTF screening capabilities, including the Australian Government's Document Verification Service (DVS) and PEP/Sanctions screening providers.
GetPost Labs thoroughly reviews the privacy policies of all third-party service providers before integration. Where those providers handle personal information on behalf of our customers, their privacy practices are governed by their own published privacy policies. We reference relevant third-party privacy policies within our platform documentation and update these references as providers change or as new integrations are added.
We do not integrate with any third-party service whose privacy practices we consider inconsistent with the Australian Privacy Principles or the standards we apply to our own operations.
10. Disclosure of Information Outside Australia
Sales contract information is stored within Australia on our billing platform. In limited circumstances, billing or payment processing providers engaged by us may operate outside Australia. Where this occurs, we take reasonable steps to ensure those recipients handle personal information consistently with the Australian Privacy Principles.
GetPost Labs does not transfer any compliance data or end-customer data outside Australia — we do not hold such data.
11. Data Storage and Security
The limited sales contract information held by GetPost Labs is stored securely on our internal billing platform with the following protections:
- All data transmitted between client devices and lex-aml servers is encrypted in transit using TLS 1.2+
- Data at rest is encrypted using AES-256
- Internal service communication operates within a secured private network (VPC/DMZ)
- Encryption keys for customer data belong to the reporting entity
- Access restricted to authorised GetPost Labs personnel only
- Regular security assessments and monitoring
- System and application logs do not contain personally identifiable information — logs capture operational metadata only, such as actions performed, timestamps, and system events, for debugging and platform reliability purposes
Sales contract information is retained for the duration of the commercial relationship and for as long as required by applicable legal and tax obligations, after which it is securely deleted.
12. Data Breach Response
In the event of a data breach involving personal information held by GetPost Labs, we will promptly assess the situation in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). If a breach is likely to result in serious harm, we will:
- Notify affected individuals as soon as practicable
- Notify the Office of the Australian Information Commissioner (OAIC) as required
- Take immediate steps to contain the breach
Because GetPost Labs does not hold or have access to compliance or end-customer data, any data incident affecting a reporting entity's platform environment is the responsibility of that reporting entity to assess and respond to under their own obligations.
13. Website and Cookie Usage
When you visit https://lex-aml.com.au, we may collect technical information including your IP address, browser type, and pages visited, solely to improve our website experience. We use cookies (including Google Analytics) for this purpose. You may adjust your browser settings to manage or disable cookies. We do not use cookies to collect personally identifiable information for marketing purposes.
14. Access and Correction
You have the right to request access to the sales contract information we hold about you, and to request corrections if it is inaccurate or out of date. To make a request, contact us at sumit@getpostlabs.io. We will respond within 30 days at no charge.
For any personal information held within the lex-aml platform on your own infrastructure, you have full direct access and control — no request to GetPost Labs is required.
15. Complaints
If you have a concern about how GetPost Labs has handled your personal information, please contact us in the first instance:
- Email: sumit@getpostlabs.io
- Post: GetPost Labs Pty Ltd, 9 Parolin Parade, Rochedale, Queensland 4123
We will acknowledge your complaint within 5 business days and provide a full response within 30 days. If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5218, Sydney NSW 2001
16. Changes to This Policy
This is a living document. As lex-aml evolves and our information handling practices develop, this policy is reviewed and updated regularly to reflect those changes. Updates will be published at lex-aml.com.au/privacy with an updated effective date. Where changes are material, we will notify existing customers directly.
GetPost Labs Pty Ltd ABN 82 634 520 924 | Last updated: 19 March 2026 | Version 1.3