Privacy Policy

Effective: [DD Month YYYY]
Last updated: [DD Month YYYY]
Version: 1.0

Yak Advisory ("we", "us", "our") respects your privacy. This policy explains how we collect, use, store, share and protect personal information when you visit yakadvisory.com or engage us as a service provider. We design our information handling to comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and the Individual Privacy Act 2018 (Nepal).

About Yak Advisory

Yak Advisory is a finance and operations services firm headquartered in Kathmandu, Nepal, providing services primarily to businesses in Australia. Tax agent services are delivered through our Australian TPB-registered partner firm.

[Entity name, registration details and registered office to be inserted upon incorporation.]

What this policy covers

This policy covers:

  • Personal information collected through yakadvisory.com
  • Personal information we process as a service provider to our clients

It does not cover:

  • Information our clients collect about their own customers, staff or NDIS participants. In those engagements our client is the data controller and we are a service provider acting under written contract.
  • Third-party websites or services linked from ours, which have their own privacy practices.

Information we collect

3.1 Information you give us directly

When you contact us through the website, we collect: your name, email address, business name (optional), the service area you are interested in, and the contents of your message. We collect this only because you have chosen to submit it.

3.2 Information collected automatically

Our website is hosted on Cloudflare Pages and uses Cloudflare's default infrastructure security and analytics. This may include your IP address (truncated for analytics purposes), browser type, pages visited, referring URL, and approximate location at country level. We do not place identifying cookies, advertising pixels or cross-site tracking.

3.3 Information received during service delivery

When you engage us, we may process personal information about your staff, contractors, customers and (for NDIS providers) participants — strictly to deliver the services contracted. The scope, purposes, sub-processors and protections are governed by the engagement letter and any data processing addendum signed alongside it.

How we use information

We use personal information to:

  • Respond to your enquiries and provide information you have requested
  • Deliver the services you have engaged us for
  • Communicate with you about active engagements and account matters
  • Meet our legal, regulatory and professional obligations
  • Improve our own operations in aggregated, de-identified form

We do not sell personal information. We do not use it for third-party advertising or share it for marketing purposes.

Who we share information with

5.1 Service providers (sub-processors)

We rely on a limited number of trusted vendors to operate our business. The current list includes:

  • Cloudflare, Inc. (United States) — website hosting, CDN and security
  • Web3Forms (United States) — contact form processing
  • Zoho Corporation (India / global) — email, calendar and CRM
  • Microsoft Corporation (Australia / global) — productivity and document storage
  • Client-specified platforms during service delivery (for example Xero) — accessed within the client's own tenancy where possible

An up-to-date sub-processor list is available on request.

5.2 Our registered tax agent partner

Where engagements include tax agent services, relevant information is shared with our Australian TPB-registered partner firm under a written outsourcing arrangement that includes confidentiality and data handling obligations.

5.3 Legal disclosure

We may disclose personal information where required by law, court order, or a lawful request from a regulatory authority.

Cross-border data handling

Our delivery operations are based in Nepal. When an Australian client engages us, personal information may be accessed and processed from Nepal by Yak Advisory personnel. To support our clients' obligations under APP 8 (cross-border disclosure of personal information), we:

  • Apply technical and contractual controls equivalent to the Australian Privacy Principles
  • Bind all personnel to written confidentiality deeds and information security obligations
  • Limit access on a need-to-know basis with role-based controls and multi-factor authentication
  • Where practical, access client data within the client's own cloud tenancy rather than copying it to our environment

Under APP 8, an Australian client remains accountable for personal information it discloses to an overseas recipient. We support clients in meeting that accountability through a written data processing addendum.

Security

We protect personal information with administrative, technical and physical safeguards proportionate to the sensitivity of the data. These include encryption in transit and at rest where data is stored by us, role-based access control, multi-factor authentication, regular access reviews, staff training and a documented incident response procedure. No system is perfectly secure, and we cannot guarantee absolute security, but we work to minimise risk and respond promptly to issues.

Notifiable data breaches

If we become aware of a data breach that is likely to result in serious harm, we will notify the affected client without undue delay — and in any event within 72 hours of becoming aware — and support the client's notification obligations under the Notifiable Data Breaches scheme (Privacy Act, Part IIIC).

Retention

  • Website enquiry data: up to 24 months, then deleted or anonymised
  • Client engagement records: for the duration of the engagement and for 7 years afterwards, to meet Australian record-keeping requirements under the Corporations Act and ATO rules
  • Personal information of client end-users (such as payroll subjects or NDIS participants): only for as long as needed to deliver the contracted service, then returned to the client or securely destroyed as the engagement specifies

Your rights

Subject to applicable law, you have the right to:

  • Request access to personal information we hold about you
  • Request correction of information that is inaccurate or out of date
  • Request deletion of information where we have no continuing lawful basis to retain it
  • Withdraw consent for any optional processing you have previously agreed to
  • Lodge a complaint with us or with the relevant regulator

Where you are a customer, staff member or participant of a Yak Advisory client, your rights are usually exercised through that client (the data controller). We will support our client in responding to any verified request.

Cookies and tracking

yakadvisory.com does not set tracking, advertising or analytics cookies. The hosting infrastructure may set short-lived technical cookies necessary for site operation and security, which do not identify you. Because we do not use non-essential cookies, no consent banner is required.

Children's privacy

Our services are directed to businesses. We do not knowingly collect personal information from individuals under 16 through the website. If you believe we have done so inadvertently, please contact us and we will delete it.

Changes to this policy

We may update this policy from time to time. Material changes will be reflected in the "Last updated" date at the top and, for active clients, communicated by email.

Contact and complaints

For any privacy enquiry or complaint, contact us at:

Privacy enquiries

[email protected]

We acknowledge complaints within 5 business days and respond substantively within 30 days. If you are unsatisfied with our response, you may contact the relevant regulator:

Office of the Australian Information Commissioner (OAIC): oaic.gov.au

National Information Commission, Nepal: nic.gov.np