1. Introduction
SideStacks (“we”, “our”, or “us”) is a mobile application operated by SideStacks, based in Australia. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use the SideStacks app (the “App”). We are committed to complying with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
By using SideStacks, you consent to the practices described in this policy. If you do not agree, please do not use the App.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address and display name (via email/password sign-up or Google Sign-In)
- Profile picture (if you choose to upload one)
- Firebase User ID (automatically generated)
2.2 Financial Data You Provide
The core purpose of SideStacks is to help you track your side hustles and small businesses. You may choose to enter:
- Income and expense transactions (amounts, dates, categories, notes)
- Invoice details (client name, client email, amounts, payment status, due dates)
- Australian Business Number (ABN) for invoicing purposes
- Mileage trip logs (distance, purpose, origin and destination descriptions)
- Tax rate preferences and currency selection
- Monthly income goals
2.3 Bank Data (Optional)
If you choose to connect a bank account via our third-party provider TrueLayer, the following data is accessed:
- Bank account identifiers
- Transaction history (amounts, dates, merchant names, categories)
- Institution name
Bank login credentials are never seen or stored by SideStacks. The authentication is handled entirely by TrueLayer through a secure OAuth2 flow. Access tokens are stored server-side in encrypted Firebase infrastructure and are never transmitted to your device.
2.4 Images
If you attach receipt photos to transactions or upload a profile picture, these images are stored securely in Firebase Storage associated with your account.
2.5 Device and Usage Data
We collect minimal technical data necessary for the App to function:
- Push notification tokens (for delivering reminders you configure)
- Device type and operating system (for App Check verification)
We do not use analytics services such as Google Analytics or Firebase Analytics. We do not track your behaviour within the App.
3. How We Use Your Information
We use your information solely to provide and improve the App:
- To create and maintain your account
- To store and display your financial records, invoices, and mileage logs
- To calculate tax estimates, GST, and deductions based on data you enter
- To import bank transactions when you choose to connect a bank
- To send push notification reminders that you have configured
- To process subscription payments through your device’s app store
- To verify that requests to our servers come from the genuine SideStacks app (via Firebase App Check)
4. Third-Party Services
SideStacks relies on the following third-party services to operate. Each has its own privacy policy:
- Firebase (Google) — authentication, cloud database, file storage, push notifications, and server-side functions. See Google’s privacy policy.
- TrueLayer — bank account connection and transaction retrieval via Open Banking. See TrueLayer’s privacy policy.
- RevenueCat — subscription and in-app purchase management. See RevenueCat’s privacy policy.
- Google Sign-In — optional authentication method. Covered by Google’s privacy policy above.
We do not sell, rent, or share your personal information with any third party for marketing or advertising purposes.
5. Data Storage and Security
Your data is stored in two locations:
- Cloud: Financial records, invoices, bank connections, and profile data are stored in Google Firebase (Cloud Firestore and Firebase Storage).
- On-device: Certain preferences (theme, currency, notification settings, mileage trips) are stored locally on your device.
We protect your data using:
- Firebase App Check to ensure only the genuine SideStacks app can access our servers
- Firebase Authentication for secure sign-in
- Server-side storage of bank access tokens (never stored on your device)
- Input validation on all server endpoints to prevent abuse
- Optional biometric lock (fingerprint or Face ID) for app-level security
6. Data Retention
We retain your data for as long as your account is active. If you delete your account, we will delete your personal data from our active systems within 30 days. Some data may persist in encrypted backups for up to 90 days before being permanently removed.
Bank connection tokens are deleted immediately when you disconnect a bank within the App.
7. Your Rights
Under the Australian Privacy Act, you have the right to:
- Access the personal information we hold about you
- Request correction of inaccurate information
- Request deletion of your account and associated data
- Withdraw consent for bank account access at any time by disconnecting within the App
- Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)
To exercise any of these rights, contact us at the email address below.
8. Children’s Privacy
SideStacks is not intended for use by children under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.
9. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the App or via email. The effective date at the top of this document will be updated accordingly.
10. Contact Us
If you have any questions or concerns about this Privacy Policy, please contact us at: