Last updated: 12 July 2026
v1.3, 12 July 2026
OneAddress Pty Ltd (ABN 43 696 078 869) operates the OneAddress platform at oneaddress.io. We are an Australian company based in Western Australia. When we say "OneAddress", "we", "us", or "our", we mean OneAddress Pty Ltd.
The zero-knowledge guarantee applies specifically to your address vault. Other information we hold, such as your email address, phone number, and transmission records, is standard account data stored on our servers and handled in accordance with this policy.
Your vault data (addresses, service connections) is encrypted in your browser with a key derived from your 6-digit PIN. The encryption key never leaves your device. We store only the encrypted ciphertext.
Account information: When you create an account, we collect your email address and authentication credentials (email verification code, a password with optional two-step verification, or Google/Apple sign-in). If you sign in with Google, we receive your unique account identifier, email address, and display name from Google. If you sign in with Apple, we receive your unique account identifier, email address, and display name on first sign-in only; on subsequent sign-ins Apple provides only the identifier.
Guest sessions (updating without an account): If you use the "Update without account" flow at /quick, we create a short-lived guest session keyed only to an email-verified one-time code. We hold your email, phone number, and the name and any alias names you supply so we can dispatch your update and contact you with the result; these, along with the per-service account or member numbers you enter, are encrypted at rest under a server-held key. See section 5A for the full guest-flow retention and processing detail.
Contact details: The guest flow collects your phone number; both flows collect your preferred full name and (optionally) the alternate names you are known by (e.g. nickname, maiden name). Your name and any alternate names are transmitted to partners only inside the same per-partner encrypted envelope as your address, so a partner can match you to their records after decrypting it. Your phone number is used only by OneAddress to contact you about the update and is not transmitted to partners, see section 5.
Encrypted vault / payload data: Your addresses are stored in encrypted form. In the account flow, your vault is encrypted client-side with a key derived from your PIN. In the guest flow, your new address is encrypted client-side with an ephemeral key held only in your browser (and, after submission, in the URL fragment of your magic link). In neither case can we decrypt the address.
Transmission records: When you send an address update, we record the partner name, timestamp, and delivery status for your transmission history. We do not store the address content, only that a transmission occurred.
Payment information: Payments are processed by Stripe. We do not store credit card numbers or bank details. Stripe's privacy policy applies to payment data.
Identity verification: Before each address dispatch, we ask you to complete an identity check using our provider, Global Data Pty Ltd. The document capture and selfie step runs entirely within Global Data's own hosted verification flow: your selfie and the photograph of your identity document are captured by, and stay within, Global Data's systems, and never reach OneAddress's servers. When the check finishes, Global Data returns to us only the outcome (pass or fail), a reference number, and, if the check passes, your verified name and date of birth. We do not receive or store your selfie, your document photograph, or your document number. We use your verified name to prepare the authorisation letter we send to the service provider you asked us to update (see section 5), and we never share your date of birth with your service providers. See section 6 for the full detail.
Biometric information: The liveness step (a short selfie video used to confirm you are a real, present person) is carried out entirely by Global Data Pty Ltd within their hosted verification flow, and is covered by their privacy policy. Your selfie and the face photograph from your document are processed by Global Data and never reach OneAddress's servers. We do not receive, hold, analyse, or store any biometric information, so we have none to share with anyone.
Usage data: We collect server-side request logs (IP address, request path, timestamp) for security monitoring and abuse prevention. We do not use third-party analytics tools or track individual browsing behaviour.
We use your information to: provide and operate the OneAddress platform; verify your identity before transmitting addresses to partners; process address update transmissions to your selected partners; send you email notifications about transmission confirmations and account activity; improve our product and fix issues; comply with legal obligations.
We do not sell, rent, or trade your personal information to third parties. We do not share your personal information with any third party for their own commercial or marketing purposes.
When you initiate an address update, your address is encrypted in your browser before it leaves your device. It is transmitted to the partner using end-to-end encryption keyed to that partner's credentials. Only the partner can decrypt it. OneAddress cannot read the address during or after transmission.
Alongside the encrypted address, each webhook carries only routing information: an event type and protocol version (e.g. address.updated / 2.0), an update identifier, a pseudonymous user identifier (a stable reference used to link your dispatches at that partner), the partner's identifier, a timestamp, a key-share expiry date (indicating how long a partner is expected to retain cryptographic session data), a payment reference (used by some partner integrations for deduplication), and a verification attestation (a record that your identity was checked, containing no personal details). Your name, any alternate names, and the account or member number you provided are encrypted together with your address in the same per-partner envelope, so only the receiving partner can read them after decrypting with their private key; a separately encrypted authorisation letter carries your name to that partner alone. No address or identity content travels in readable form.
You choose which partners to notify. You can select or deselect individual services before each transmission.
The "Update without account" flow at /quick is a one-shot path that lets you send an address update to selected service providers without registering. Because there is no vault and no PIN, the data model differs from the account flow in three ways:
#k=, which servers cannot see); the email we send does not contain this key. OneAddress only ever sees the ciphertext.Magic link. After you submit, we email you a one-time URL of the form oneaddress.io/g/<token>. This link lets you view delivery status for each partner and, if eligible, request a refund. It does not show your address content, because the server never holds the decryption key. That key exists only in your browser session at the moment you submit. If you want to view the address you sent, you must follow the browser redirect at submission time. If you lose the email, you can request a resend from the guest status flow; status and refund eligibility are always available, but the address itself cannot be recovered after that browser session ends.
Retention. Guest sessions are pruned 30 days after submission. Abandoned sessions (no submission, no payment) are pruned shortly after they expire. Once a session is pruned, your personal information and the encrypted address blob are deleted from our systems; transmission records (partner, timestamp, status) are kept for the same period as the account-flow records described in section 8.
Before your encrypted address can be transmitted to a partner, OneAddress requires you to complete an identity verification. This protects you, and your service providers, from someone updating your registered address without your authority.
We use Global Data Pty Ltd, an accredited Australian identity service provider, to perform the verification on our behalf. Global Data is our Information Matching Agent under the Australian Privacy Principles (APP 6), and submits your identity data to the government's Document Verification Service (DVS) on our behalf. The flow runs within Global Data's hosted verification page and has three steps:
Sensitive information and consent. Identity verification uses sensitive information, including photographs and biometric data. This information is processed by Global Data Pty Ltd, who obtain your explicit consent within their own verification flow before any collection begins. You can decline at that point without affecting any other part of your OneAddress account. For information on how Global Data handles this data, see their privacy policy.
Where data is processed. Global Data processes verification data as an accredited Australian identity service provider. For details of where Global Data processes and stores data, please refer to their privacy policy.
What we receive. The document capture, selfie, and DVS cross-check all take place within Global Data's hosted verification flow. Your selfie, the photograph of your document, and your document number never reach OneAddress's servers, so we do not receive, hold, or delete them. When the check reaches a final result, pass or fail, Global Data returns to us only the outcome, a reference number, and, on a pass, your verified name and date of birth. Those are handled as described in "What we keep, and for how long" below. Global Data's own retention of the source photographs and liveness video is governed by their privacy policy.
What we keep, and for how long. For each identity check that reaches a final result, we permanently store the result (pass or fail), a reference number, and a timestamp as an audit record. When the check passes, we also temporarily retain the name and date of birth extracted during the check as part of the verification record; these are encrypted at rest and removed from our systems after a minimum 48-hour retention period following dispatch (typically within 49 hours). Your date of birth is never sent to your service providers. The audit record is kept until your account is closed.
One verification per dispatch. Each completed verification authorises a single address transmission. Subsequent updates require a fresh verification.
No AI/ML profiling. OneAddress does not perform machine learning, profiling, or automated decision-making on your personal data. Our platform was developed with AI assistance, but no ML models process your address or identity information. The liveness check performed by Global Data uses computer vision to confirm physical presence and document authenticity; this is performed by Global Data (not by OneAddress) and is limited to identity verification.
If you delete your account. The identity verification records held by OneAddress (verification result, reference number, and timestamp, along with any name and date of birth details not yet automatically removed after dispatch) are scheduled for permanent deletion and removed within 48 hours as part of the account deletion process. See section 8.
Your encrypted vault data, transmission records, and identity verification records are stored in Australian data centres (AWS Sydney, ap-southeast-2) via Neon (database) and Vercel (application hosting, Sydney region). Identity verification is performed by Global Data, an accredited Australian identity service provider.
Overseas transfers (APP 8). Some auxiliary services process account data outside Australia. Specifically: Stripe (payments) is based in the United States and receives payment metadata and billing information; Resend (transactional email) is based in the United States and European Union and receives your email address and the content of transactional notifications we send you; Upstash (rate limiting and short-lived one-time codes, using a Redis service) may process data outside Australia and receives IP addresses and hashed identifiers for rate limiting, along with HMAC-SHA256 hashes of short-lived verification codes used for admin sign-in (the plaintext codes are never stored). No address or vault content is stored with Upstash. We have entered into data processing agreements with each of these providers and require them to protect your information in accordance with standards comparable to the Australian Privacy Principles. Encrypted vault data and address payloads are not sent to any of these providers. If you choose to sign in with Google or Apple, Google LLC (United States) and Apple Inc. (United States) act as identity providers: Google receives your account identifier, email address, and display name on each sign-in; Apple receives your account identifier and email address on every sign-in, and your display name on first sign-in only. These transfers are covered by this APP 8 disclosure. Address autocomplete additionally uses Google (Google Places API), based in the United States, and OpenStreetMap / Nominatim (OpenStreetMap Foundation), based in the United Kingdom, as a fallback when Google Places is unavailable. When you type an address during onboarding or an address update, the address fragments you type are sent to these services to suggest and validate addresses. These transfers send data outside Australia, Google to the United States and OpenStreetMap to the United Kingdom, and are covered by this APP 8 disclosure.
Our infrastructure includes: industry-standard encryption of your vault, end-to-end encryption of each partner transmission, signed webhooks so partners can confirm messages genuinely come from us, encryption in transit for all connections, and session management with automatic timeout.
If a data breach happens. If we discover a data breach that is likely to cause you serious harm, we will notify you as soon as reasonably practicable, and we will notify the Office of the Australian Information Commissioner (OAIC) if the law requires us to.
Legal requests. We may be required to disclose certain account information, such as your email address or transmission records, in response to a valid legal order under Australian law. Where the law permits, we will notify you before complying with any such demand. We will never be able to disclose your encrypted address vault contents, because we do not hold the decryption key.
Your encrypted vault data is retained for as long as your account is active. Transmission records and identity verification records are retained for the life of your account. You can clear your transmission history and address history at any time from Settings.
Specific retention periods:
dispatch_log): retained for 7 years from the date of each event (aligned with the statute of limitations for contractual disputes). This table contains no plaintext address data and no vault content, only cryptographic references (key identifiers and a cryptographic fingerprint of each payload) and dispatch timestamps.dvs_compliance_events): retained for at least 7 years in accordance with OneAddress's obligations under the Document Verification Service Participation Agreement. This log records verification events keyed by a hashed user identifier only, with no plaintext address or identity-document content.Account deletion. When you request account deletion, your account enters a 48-hour grace period. During those 48 hours your account remains active and you can cancel the deletion from your dashboard. After 48 hours, all data, including your vault, transmission history, and identity verification records, is permanently and irreversibly deleted. At the 39-hour mark you will receive a final account export email before deletion proceeds. We do not retain readable copies of your vault, transmission history, or identity verification records after deletion. The de-identified audit and compliance logs listed above are kept only where the law requires it, and they cannot be linked back to you.
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), you have the right to: access the personal information we hold about you; request correction of inaccurate information; request deletion of your account and data; opt out of direct marketing communications; lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
Because your vault data is zero-knowledge encrypted, we cannot access it ourselves. You control your data entirely through your vault PIN.
Deceased account holders. If an account holder has passed away, an authorised representative (such as the executor of their estate) may request deletion of the account by contacting us at privacy@oneaddress.io with appropriate documentation of their authority. We will handle such requests in accordance with our obligations under the Privacy Act 1988 (Cth) and applicable Australian succession law. Because vault data is zero-knowledge encrypted, we cannot access the address contents themselves.
OneAddress uses a small number of server-set, functional-only cookies. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.
/quick. Contains a signed session identifier (no plaintext PII). HttpOnly, Secure, SameSite=Lax. Expires after 30 days or when you cancel or restart the flow; completing a submission does not immediately clear this cookie.oa-oauth-state, oa-oauth-nonce, oa-oauth-redirect), short-lived (5 minutes) CSRF and nonce tokens set during Google/Apple sign-in. HttpOnly, Secure, SameSite=None (required because Apple's sign-in uses a cross-site POST callback and the cookies must survive it). Deleted immediately after sign-in completes.oa-google-retry, oa-apple-retry), one-shot markers used to prevent an infinite retry loop when a browser drops an OAuth state cookie on the first cross-site redirect. Short-lived (60 seconds), HttpOnly, Secure, SameSite=None. Contain no personal data; deleted after the retry is resolved.__cf_bm), set by Cloudflare, our DNS and DDoS-protection provider, for bot management and traffic security. These are not under OneAddress's control. No personal data is stored by Cloudflare on OneAddress's behalf. Cloudflare's privacy policy applies.Cookies that carry session data or personal information are HttpOnly (inaccessible to JavaScript) and Secure. One non-HttpOnly cookie (oa-auth-hint) is used solely as a browser-side UI signal; it contains no personal data. You can block or delete cookies in your browser settings, but doing so may prevent you from signing in or using the guest flow. On your first visit we show a short cookie notice for transparency; because our cookies are strictly necessary, this notice is informational and does not gate any consent.
We use the following third-party services. Where a provider is based outside Australia, the nature of data transferred is described, see section 7 for the full APP 8 overseas disclosure.
Each provider has its own privacy policy and, where applicable, a data processing agreement with OneAddress.
We may update this privacy policy from time to time. For material changes, those that reduce your rights, add new data collection, or change how we share your information, we will notify you by email at least 30 days before the change takes effect. Minor changes (such as clarifications or typographical corrections) may take effect immediately. The “Last updated” date at the top indicates when the policy was last revised.
OneAddress Pty Ltd (ACN 696 078 869 · ABN 43 696 078 869)
Western Australia, Australia
For privacy-related enquiries, contact us at privacy@oneaddress.io. We aim to respond to privacy enquiries within 10 business days. If you believe we have not complied with our obligations under the Privacy Act 1988 (Cth), you may also lodge a complaint with the Office of the Australian Information Commissioner (OAIC).