Last updated: 29 April 2026
OneAddress Pty Ltd (ABN 43 696 078 869) operates the OneAddress platform at oneaddress.io. We are an Australian company based in Western Australia. When we say "OneAddress", "we", "us", or "our", we mean OneAddress Pty Ltd.
Your vault data (addresses, service connections) is encrypted client-side using AES-256-GCM with a key derived from your 6-digit PIN via PBKDF2. The encryption key never leaves your device. We store only the encrypted ciphertext.
Account information: When you create an account, we collect your email address and authentication credentials (via Clerk, our authentication provider). If you sign in with Apple or Google, we receive only the identifier they provide.
Encrypted vault data: Your addresses and service connections are stored in encrypted form. We cannot decrypt this data.
Transmission records: When you send an address update, we record the partner name, timestamp, and delivery status for your transmission history. We do not store the address content — only that a transmission occurred.
Payment information: Payments are processed by Stripe. We do not store credit card numbers or bank details. Stripe's privacy policy applies to payment data.
Identity verification data: When you complete an identity verification (required before each address dispatch), we temporarily process a photograph of your identity document, a short selfie video for liveness detection, and the details extracted from your document (name, date of birth, document number, expiry). What we keep and what we delete is set out in section 6.
Usage data: We collect server-side request logs (IP address, request path, timestamp) for security monitoring and abuse prevention. We do not use third-party analytics tools or track individual browsing behaviour.
We use your information to: provide and operate the OneAddress platform; verify your identity before transmitting addresses to partners; process address update transmissions to your selected partners; send you email notifications about transmission confirmations and account activity; improve our product and fix issues; comply with legal obligations.
We do not sell, rent, or share your personal information with third parties for marketing purposes.
When you initiate an address update, your address is encrypted client-side with the partner's public key using ECDH + AES-256-GCM. The encrypted payload is transmitted via webhook to the partner's registered endpoint. Only the partner can decrypt it with their private key. OneAddress cannot read the address during transmission.
You choose which partners to notify. You can select or deselect individual services before each transmission.
Before your encrypted address can be transmitted to a partner, OneAddress requires you to complete an identity verification. This protects you, and your service providers, from someone updating your registered address without your authority.
We use Global Data Pty Ltd — an Australian-accredited identity service provider, based in Melbourne — to perform the verification on our behalf. The flow has three steps:
Sensitive information and consent. Under the Australian Privacy Principles (APPs), photographs of identity documents and biometric data (your selfie video) are sensitive information. We collect, use and disclose this information only with your explicit consent, which is captured immediately before the verification flow begins. You can decline at that point, or close the verification window before submitting, without affecting any other part of your OneAddress account.
Where data is processed. Global Data processes verification data within Australia. Your document photograph and selfie video do not leave Australian jurisdiction.
What we keep, and for how long. Once a verification reaches a final state (passed or failed), OneAddress permanently deletes the document photograph, the selfie video, and the OCR-extracted document details from our systems. We retain only a verification certificate — a record of the result, document type, timestamp, and an internal reference number — which is consumed by a single subsequent address dispatch and then retained for the life of your account as an audit record. Global Data's own retention of verification artefacts is governed by their privacy policy and the regulatory requirements applicable to accredited identity service providers.
One verification per dispatch. Each completed verification authorises a single address transmission. Subsequent updates require a fresh verification.
If you delete your account. All identity verification records held by OneAddress — both certificates and any in-flight verification artefacts — are permanently deleted immediately. See section 8.
Your encrypted vault data, transmission records, and identity verification certificates are stored in Australian data centres (AWS Sydney, ap-southeast-2). Identity verification is processed in Australia by Global Data. Some of the auxiliary services listed in section 10 (authentication, payments, transactional email) may process limited account metadata outside Australia — see those providers' privacy policies for the specifics. Our infrastructure includes: AES-256-GCM vault encryption, ECDH P-256 key exchange for partner transmissions, HMAC-SHA256 webhook signatures, TLS 1.3 for all connections, and session management with automatic timeout.
Your encrypted vault data is retained for as long as your account is active. Transmission records and identity verification certificates are retained for the life of your account. You can clear your transmission history and address history at any time from Settings. When you delete your account, all data — vault, transmission history, and identity verification records (both certificates and any in-flight verification artefacts) — is permanently deleted immediately.
Under the Australian Privacy Act 1988, you have the right to: access the personal information we hold about you; request correction of inaccurate information; request deletion of your account and data; opt out of marketing communications; lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
Because your vault data is zero-knowledge encrypted, we cannot access it ourselves. You control your data entirely through your vault PIN.
We use the following third-party services: Clerk (authentication), Stripe (payments), Neon (database hosting in AWS Sydney), Vercel (application hosting in Sydney), Resend (transactional email), Cloudflare (DNS and DDoS protection), Global Data Pty Ltd (identity verification — see section 6). Each service has its own privacy policy. We select providers that offer Australian data residency where available.
We may update this privacy policy from time to time. We will notify you of material changes via email or through the platform. The "Last updated" date at the top indicates when the policy was last revised.
For privacy-related enquiries, contact us at privacy@oneaddress.io.