Privacy Policy
Last updated: 7 March 2026
Introduction
2102 Pty Ltd (ABN 91 391 518 847) trading as Wren ("we", "us", "our") operates the Wren platform, a cloud-based automated invoice reminder service for Australian businesses.
We are committed to protecting your privacy in accordance with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth). This policy explains how we collect, use, store, and disclose personal information when you use our platform and related services.
By creating an account or using Wren, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the service.
Definitions
In this Privacy Policy, the following terms have the meanings set out below:
- Customer means a business or individual that has registered for a Wren account and uses the platform to send invoice reminders. The Customer is a data controller in relation to Debtor information and a data subject in relation to their own account information.
- Debtor means a person or entity to whom a Customer's invoice is addressed, and who receives reminder communications sent through the Wren platform. The Debtor is a data subject whose personal information is provided by the Customer and processed by us on the Customer's behalf.
- Platform means the Wren web application, API, and related services accessible at getwren.au.
- Accounting Platform means a third-party accounting or invoicing software application (currently Xero and QuickBooks; FreshBooks and Sage are planned future integrations) that a Customer connects to the Platform via OAuth or API integration.
- Personal Information has the meaning given to it under the Privacy Act 1988 (Cth): information or an opinion about an identified individual, or an individual who is reasonably identifiable.
Information We Collect
Customer Data
When a Customer registers and uses the Platform, we collect:
- Account information: Full name, email address, business name, and Australian Business Number (ABN) provided during registration.
- Authentication credentials: Password (stored as a bcrypt hash; we never store your plaintext password) and, if applicable, OAuth tokens for Accounting Platform connections (encrypted at rest using AES-256-GCM).
- Business configuration: Reminder schedule settings, escalation rules, email templates, SMS sender name, and notification preferences configured within the Platform.
- Support communications: Content of support emails, contact form submissions, and in-app feedback sent to us.
Debtor Data
As part of providing the reminder service, we process personal information about Debtors on behalf of Customers. This information is provided to us by the Customer (directly or via their connected Accounting Platform) and includes:
- Full name and trading name (if a business).
- Email address (for email reminders).
- Mobile phone number (for SMS reminders, where the Customer has provided it).
- Invoice details including invoice number, amount outstanding, due date, and payment status.
- Reminder history: dates and times reminders were sent, delivery status, and whether the Debtor opened or clicked the reminder (where technically detectable).
- Opt-out records: whether a Debtor has exercised their right to opt out of reminders, and the date of that opt-out.
- Payment link interactions: whether a Debtor has opened or used a Stripe-powered payment link generated by the Platform.
We collect and use Debtor data solely to provide the reminder service to the Customer. We do not use Debtor data for our own marketing purposes. Customers are responsible for ensuring they have a lawful basis to provide Debtor personal information to us, including any necessary consents.
Accounting Platform Data
When a Customer connects an Accounting Platform (currently Xero and QuickBooks; FreshBooks and Sage are planned future integrations), we access and sync:
- Invoice records: invoice numbers, line items, amounts, due dates, and payment statuses.
- Contact records: Debtor names, email addresses, and phone numbers stored in the Customer's accounting system.
- Organisation details: the Customer's trading name and base currency as configured in the Accounting Platform.
We request only the minimum OAuth scopes necessary to perform invoice syncing and to mark invoices as paid when a Debtor completes payment through a Wren payment link. We do not access payroll data, bank feeds, tax returns, or other financial records beyond what is required for the reminder service. OAuth tokens are encrypted at rest using AES-256-GCM.
Technical and Usage Data
We automatically collect certain technical data when you use the Platform:
- IP address, device type, operating system, and browser version.
- Pages visited, features used, and session duration.
- Approximate geographic location derived from IP address (city-level only).
- Server logs including request timestamps, HTTP status codes, and response times.
This data is used for security monitoring, performance optimisation, and debugging. We do not use it for individual-level profiling or behavioural advertising.
Payment Data
Subscription payments are processed by Stripe. We do not store your full credit card number, CVV, or complete card data on our servers. We retain only a tokenised Stripe payment method reference and the last four digits of your card for display purposes. Stripe's handling of payment card data is governed by their own privacy policy; Stripe is a PCI DSS Level 1 certified service provider.
How We Use Your Information
We use the personal information described above for the following purposes:
- To provide, operate, and maintain the Wren service, including sending automated invoice reminders on behalf of Customers.
- To authenticate users and maintain session security.
- To process subscription payments and manage billing cycles.
- To generate and deliver Stripe-powered payment links to Debtors where enabled by the Customer.
- To communicate with Customers about their account, service updates, scheduled maintenance, and support enquiries.
- To analyse aggregated and anonymised usage patterns to improve the Platform, identify bugs, and develop new features.
- To detect, prevent, and respond to fraud, abuse, unauthorised access, and security incidents.
- To comply with applicable legal obligations, including tax reporting and responses to lawful requests from government authorities.
We will not use personal information for purposes materially different from those described above without notifying you and, where required by law, obtaining your consent.
Automated Processing
The Wren Platform uses automated scheduling logic to operate the reminder service. This includes:
- Cron-based reminder scheduling: The Platform runs scheduled jobs to evaluate which invoices are due, overdue, or approaching a payment milestone, and dispatches reminders according to the Customer's configured rules.
- Escalation logic: The Platform automatically advances a Debtor's reminder tier (for example, from a polite first notice to a firm final notice) based on elapsed time and the Customer's escalation settings.
- Opt-out enforcement: Before dispatching any reminder, the Platform checks whether the Debtor has opted out. If an opt-out record exists, no reminder is sent, regardless of the Customer's settings.
- Invoice sync: The Platform periodically polls the connected Accounting Platform to update invoice statuses and stop reminders for invoices that have been paid.
These automated processes do not make decisions with legal or similarly significant effects on Debtors. A reminder is a communication, not a legal determination. No credit decisions, debt collection agency referrals, or legal proceedings are initiated by the Platform.
Third-Party Sharing
We do not sell, rent, or trade personal information to any third party.
We share personal information only with the following service providers, and only to the extent necessary to operate the Wren Platform:
- Stripe (payment processing): Customer billing information and payment card tokens are shared with Stripe for subscription management. Debtor payment link transactions are also processed through Stripe. Stripe is PCI DSS Level 1 certified and subject to their own privacy policy. Stripe processes data in the United States; see the Cross-Border Transfers section below.
- Xero Limited (accounting integration): When a Customer connects their Xero account, we exchange invoice and contact data with Xero via their API. Data shared with Xero is governed by Xero's privacy policy. We connect to Xero via their official OAuth2 API.
- Resend (transactional email delivery): Customer and Debtor email addresses, and the content of reminder emails and account notifications, are shared with Resend solely for email delivery. Resend does not use this data for their own purposes beyond delivery.
- ClickSend (primary SMS delivery): Debtor mobile phone numbers and the content of SMS reminder messages are shared with ClickSend for SMS delivery on behalf of Customers. ClickSend processes data in Australia and is subject to Australian privacy law.
- Twilio (fallback SMS delivery): In the event that ClickSend is unavailable, Twilio may be used as a fallback SMS provider. The same data categories (Debtor mobile number and message content) are shared. Twilio processes data in the United States; see the Cross-Border Transfers section below.
- Cloudflare (infrastructure and security): All traffic to the Wren Platform passes through Cloudflare's network for DDoS protection, content delivery, and DNS resolution. Cloudflare may process IP addresses and request metadata. Cloudflare's data processing practices are governed by their privacy policy.
All third-party service providers are bound by data processing agreements that restrict how they may use and store information. We conduct due diligence to ensure our providers maintain appropriate security standards.
How We Store and Protect Your Information
Our primary application database and file storage are hosted in Sydney, New South Wales, Australia via Cloudflare's Australian infrastructure. We take the following technical and organisational measures to protect personal information:
- Encryption in transit: All data transmitted between your browser, the Platform, and our infrastructure is encrypted using TLS 1.2 or higher.
- Encryption at rest: Accounting Platform OAuth tokens (Xero, QuickBooks, and any future integrations) are encrypted using AES-256-GCM before being stored in the database, so a copy of the database alone does not yield usable tokens.
- Password security: Customer passwords are hashed using bcrypt with a per-password salt. Plaintext passwords are never stored or logged.
- Session security: Authentication uses short-lived JSON Web Tokens (JWTs) delivered in httpOnly, Secure, SameSite=Strict cookies. httpOnly means the token cannot be read by JavaScript, so a cross-site scripting (XSS) flaw in the page cannot exfiltrate it; SameSite=Strict means browsers do not attach it to cross-site requests, which limits cross-site request forgery. A separate refresh token with a longer lifespan is held in a cookie with the same attributes.
- Rate limiting: The Platform applies rate limiting on authentication endpoints (login, registration, password reset) to protect against brute-force attacks.
- Access controls: Role-based access controls ensure that only authorised personnel within 2102 Pty Ltd can access personal information, and only to the extent necessary for their role.
- Audit logging: All significant data access and modification events are recorded in an audit log.
- Regular security reviews: We conduct periodic security assessments and vulnerability reviews of the Platform.
Data Retention
We retain personal information for the following periods:
- Customer account data: Retained for the duration of the active subscription, plus 30 days following account closure to allow data export. After this period, account data is permanently deleted.
- Debtor contact and invoice data: Retained for the duration of the Customer's subscription, plus 30 days following account closure to allow data export and to support reporting obligations. After this period, Debtor data is permanently deleted.
- Debtor opt-out records: Retained indefinitely after opt-out, as required to honour the opt-out and comply with applicable communications law. Opt-out records are retained even after a Customer account is closed, to prevent accidental re-contact if the Customer reactivates.
- Reminder dispatch logs: Retained for 24 months from the date of dispatch for auditing and performance analysis, then permanently deleted.
- Payment records (Stripe): Retained for 7 years from the date of the transaction to meet Australian taxation and record-keeping obligations.
- Server and security logs: Retained for 90 days, then permanently deleted.
- Support communications: Retained for 3 years from the date of the communication, then permanently deleted.
You may request earlier deletion of your personal information at any time by contacting [email protected]. We will comply unless we are required by law to retain certain records.
Debtor Rights and Opt-Out
Debtors who receive reminder communications from the Platform have the following rights:
- Right to opt out of reminders: Any Debtor may request to stop receiving reminders from a particular Customer by replying STOP to an SMS reminder, or by using the opt-out link included in each email reminder. Opt-outs are recorded and enforced immediately. Once a Debtor opts out in relation to a Customer, no further reminders from that Customer will be sent to that Debtor through our Platform, regardless of the Customer's configuration.
- Right to access: A Debtor may request a copy of the personal information we hold about them by contacting us at [email protected]. We will respond within 30 days.
- Right to correction: A Debtor may request correction of inaccurate personal information. We will notify the relevant Customer of the correction request, as the Customer is the original data source.
- Right to deletion: A Debtor may request deletion of their personal information. We will comply subject to our obligation to retain opt-out records (see Data Retention above) and any other legal obligations. We will also notify the relevant Customer.
We act as a data processor in relation to Debtor personal information. The Customer is the data controller who has provided that data to us and bears primary responsibility for the lawful basis of collecting and sharing it. We process Debtor data only in accordance with the Customer's instructions and this Privacy Policy.
If a Debtor has a dispute about the content of an invoice or reminder, that dispute is between the Debtor and the Customer. Wren is not a party to the underlying commercial transaction.
Cookies and Tracking
We use the following cookies on the Wren Platform:
| Cookie name | Purpose | Type | Duration |
|---|---|---|---|
| wren_access | Short-lived JWT access token for authenticated sessions. httpOnly, Secure, SameSite=Strict. | Essential | 15 minutes |
| wren_refresh | Long-lived JWT refresh token used to obtain new access tokens without re-authentication. httpOnly, Secure, SameSite=Strict. | Essential | 7 days |
| xero_oauth_state | CSRF protection token used during the Xero OAuth 2.0 authorisation flow; compared against the state parameter returned on the callback and deleted after the flow completes. | Essential | Session |
| wren_session | Set when a user logs in to the dashboard (app.getwren.au). Holds only the value "1" to indicate that a login exists; it carries no credential. httpOnly, Secure. | Essential | Session (cleared when browser closes) |
| wren_demo_mode | Set when a user enters demo mode to preview dashboard features without an account. Holds only the value "true". No personal data stored. | Functional | Session |
We do not use advertising cookies, tracking pixels, retargeting technologies, or behavioural advertising networks. We do not participate in cross-site tracking.
We use Google Analytics 4 (GA4) on the Wren landing site (getwren.au) to understand how visitors interact with our marketing pages. GA4 may set cookies (such as _ga and _ga_*) to distinguish unique users and track session data. GA4 collects pseudonymous usage data (keyed to a random client identifier rather than to a name or account), which we review only in aggregate: page views, referral sources, approximate geographic location derived from IP address, and device/browser information. Google's use of this data is governed by Google's Privacy Policy. We do not use Meta Pixel, retargeting pixels, or similar third-party advertising analytics services.
You can manage or disable cookies through your browser settings. Disabling essential cookies will prevent you from logging in and using the Platform.
Cross-Border Transfers
Certain third-party service providers we engage process personal information outside Australia. Under Australian Privacy Principle 8, we are required to take reasonable steps to ensure that overseas recipients handle personal information in accordance with the APPs.
- Stripe (United States): Stripe is certified under the EU-US Data Privacy Framework and maintains SOC 2 Type II compliance. We have in place a data processing agreement with Stripe incorporating appropriate safeguards.
- Resend (United States, transactional email): Resend processes email delivery from infrastructure located in the United States. Email addresses, sender details, and email content are transmitted to Resend solely for the purpose of delivering reminder emails and account notifications on your behalf.
- Twilio (United States, fallback SMS): Twilio is certified under applicable privacy frameworks and maintains SOC 2 Type II compliance. Twilio is used only as a fallback when ClickSend is unavailable.
- Cloudflare (global edge network, including United States): Our application runs on Cloudflare Workers, and our primary database is hosted on Cloudflare D1. While we configure Australian data residency where available, Cloudflare's global infrastructure may process request data (including IP addresses and request metadata) at edge locations outside Australia, including in the United States. Cloudflare is certified under applicable privacy frameworks and maintains SOC 2 Type II compliance.
By using the Platform, you acknowledge and consent to these overseas transfers where they are necessary to provide the service. We take reasonable steps to ensure that all overseas recipients handle personal information in accordance with the Australian Privacy Principles.
Children's Privacy
Wren is a business-to-business service designed for use by Australian businesses and their representatives. We do not knowingly collect personal information from individuals under the age of 18. If you are under 18, please do not use the Platform. If we become aware that we have inadvertently collected personal information from a person under 18, we will delete that information as soon as practicable.
Data Breach Notification
In the event of an eligible data breach that is likely to result in serious harm to any individual whose personal information is involved, we will notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable, in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).
If you believe your personal information has been compromised, please contact us immediately at [email protected].
Your Rights Under the Privacy Act
Under the Australian Privacy Principles, you have the right to:
- Access the personal information we hold about you. You can request a copy of your data at any time by emailing [email protected].
- Correct any personal information that is inaccurate, incomplete, or out of date. Most account information can be updated directly in your account settings.
- Request deletion of your personal information. We will comply unless we are required by law to retain certain records.
- Withdraw consent for specific data processing activities, including revoking Accounting Platform OAuth access through your account settings or directly through the third-party platform.
- Lodge a complaint with the OAIC if you believe your privacy has been breached.
To exercise any of these rights, please email us at [email protected]. We will respond to your request within 30 days.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other operational reasons. When we make material changes, we will notify you via email at the address associated with your account at least 14 days before the changes take effect.
Your continued use of Wren after the updated policy takes effect constitutes your acceptance of the revised policy. We encourage you to review this page periodically.
Contact Us
If you have questions, concerns, or complaints about this Privacy Policy or how we handle personal information, please contact us:
- Privacy enquiries: [email protected]
- Security incidents: [email protected]
- General support: [email protected]
- Address: 2102 Pty Ltd (ABN 91 391 518 847) trading as Wren, 8 Carpenter Cres, Warriewood, NSW 2102, Australia
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by calling 1300 363 992.