This Privacy Policy explains how Primary Technology Pty Limited (ABN 59 663 326 494) (Primary, we, us, our) collects, uses, discloses and protects personal information. It applies to our website, web application, APIs, our Model Context Protocol (MCP) server, and any integrations through which you access Primary via third-party AI tools.
We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. Where we hold information about US persons we also comply with applicable US privacy and financial services rules in our capacity as an SEC-registered investment adviser.
1. Who we are and how to contact us
Primary operates a treasury management platform for businesses. We hold an Australian Financial Services Licence and are registered with the US Securities and Exchange Commission as an investment adviser.
For privacy enquiries, complaints or requests: privacy@primary.tech. Postal: see contact details on primary.tech/contact.
Who this policy applies to
Our customer is typically a business entity (the Client). The individuals we interact with are usually the Client's representatives, signatories, beneficial owners, directors, employees and contractors. This policy applies to personal information about those individuals.
Where this policy refers to "you" we mean an individual whose personal information we hold. The Client's use of the platform itself is governed by our customer terms, not this policy. If you are an individual exercising rights under this policy and your employer or principal is a Client of ours, your rights operate alongside (and do not override) our obligations to the Client.
2. Information we collect
2.1. Information you provide directly
- Account and identity information: name, role, business email, phone number, business name, business address, ABN/ACN, position held, beneficial ownership details, identity verification documents (passport, driver's licence) and the outputs of identity checks we run against them.
- Authentication credentials: hashed passwords, MFA tokens, SSO identifiers.
- Banking and counterparty details: account numbers, BSBs, IBANs, SWIFT codes, payee details, counterparty references.
- Mandate information: signed power of attorney, dealing instructions, allocation preferences, treasury policies you upload.
- Communications: support tickets, emails, chat messages, recorded calls where you have been notified and consented.
- Survey and feedback responses.
2.2. Information we collect automatically when you use the platform
- Product usage: pages viewed, features used, actions taken, session duration, click and scroll behaviour.
- Device and network: IP address, browser type and version, operating system, device identifiers, language, time zone.
- Logs: authentication events, API requests, errors, audit trail of actions taken in the platform.
- Cookies and similar technologies: see section 10.
2.3. Information we receive from third parties
- Open banking data: account names, balances, transaction histories, interest rates and fees from banks and other financial institutions you connect via the Australian Consumer Data Right (CDR), SaltEdge (EU and broader coverage) and Plaid (US). CDR data is also subject to the additional rules described in section 5.
- Custody, broker and execution partner data: position, trade, subscription, redemption and settlement data from the financial institutions we use to custody assets, hold funds, execute foreign exchange trades and process payments.
- Accounting system data: where you connect Xero, NetSuite or similar, we receive ledger, invoice, bill, contact and payroll data subject to the scopes you authorise.
- Identity verification and screening providers: KYC, AML, PEP and sanctions screening results.
- Sales and marketing tools: customer relationship management and analytics providers.
You authorise these data flows through the connection or onboarding process for each partner. You can revoke that authorisation at any time as described in section 8.
2.4. Information we collect when you use Primary through a third-party AI tool
You can access Primary through MCP-compatible AI assistants. When you do, the following applies:
- Inputs to our tools: the AI assistant sends us only the parameters needed to fulfil each request (for example, a currency pair and amount for an FX quote, or an account identifier to retrieve balances). We do not receive your full conversation with the assistant.
- Outputs from our tools: we return structured responses to the AI provider. These responses include data about your accounts, balances, transactions, holdings, instructions and counterparties as needed to answer the request you have made; this is your data, which you have chosen to expose to the AI provider by initiating the request. The AI provider receives and processes these outputs in order to present them to you and may retain them subject to its own privacy policy.
- Authentication: you authenticate to Primary directly via OAuth. The AI provider does not see your Primary credentials.
- No training: we do not provide your data to third-party AI providers for the purpose of training their models, and we do not train AI models on identifiable personal information without your consent. The AI provider's handling of the data once it leaves Primary is governed by that provider's terms.
A list of tools exposed through our MCP server, including the inputs each tool requires and the outputs it returns, is available on request.
2.5. Information about third parties
Where you provide us with personal information about other people (for example, payees, counterparties, beneficial owners or signatories), we collect and process that information on your behalf for the purpose of carrying out the instructions you give us. You are responsible for ensuring you have the right to share that information with us.
Some categories of third party (notably beneficial owners, directors and signatories of our Clients) have personal information processed by us because we are required to identify and verify them under the *Anti-Money Laundering and Counter-Terrorism Financing Act 2006* (Cth) and our other legal and regulatory obligations. We rely on those obligations as the basis for collecting, holding and using that information, and we retain it for the periods set out in section 7. If you are a beneficial owner, director or signatory of a Client and want to exercise the rights described in section 8, contact us at privacy@primary.tech.
2.6. Information we derive
We generate insights and metrics from the data described above (for example, yield comparisons, FX execution benchmarks, treasury health indicators). Where this derived data still identifies you or could reasonably be used to identify you, we treat it under this policy in the same way as the underlying data from which it is generated.
We also produce de-identified and aggregated datasets from underlying customer data; examples include market-wide yield curves, FX spread benchmarks and sector-level liquidity statistics. Once data is genuinely de-identified and aggregated such that it cannot reasonably be re-identified, it is no longer personal information. We may use, publish and share that data for any lawful purpose, including benchmarking, research and product development.
3. How we use information
Categories of data and their purposes:
- Account, identity and authentication data: Create and operate your account; verify your identity; meet KYC, AML and sanctions obligations; secure the platform
- Mandate and instruction data: Execute the treasury, FX, payment and allocation actions you instruct us to perform
- Banking, custody and counterparty data: Provide account aggregation, reporting, reconciliation and execution services
- Accounting system data: Provide working capital, payroll and cashflow features
- Product usage and device data: Operate, secure, debug and improve the platform; detect fraud and abuse; produce internal analytics
- Communications: Provide support; train support staff; meet record-keeping obligations
- MCP tool inputs and outputs: Fulfil the specific request you have made via a connected AI assistant
- All categories: Comply with our legal, regulatory and contractual obligations
We do not sell personal information. We do not use your data to train AI models. We do not use your transaction data for advertising.
4. Disclosure of personal information
We disclose personal information to the following categories of recipient, only to the extent necessary for the purposes set out above.
- Banking, custody and execution partners: the financial institutions and infrastructure providers we engage to custody assets, hold funds, execute foreign exchange trades, settle transactions and process the payments you have instructed.
- Open banking and data providers: CDR-accredited intermediaries, SaltEdge, Plaid.
- Identity, KYC, AML and screening providers.
- Cloud and infrastructure providers: Amazon Web Services (regions ap-southeast-2 and us-east-1) for hosting; supporting infrastructure for logging, monitoring and backups.
- Operational tools: the third-party platforms we use to run our business, including productivity, communications, identity and access management, customer support, analytics, compliance evidence and source control providers.
- AI assistant providers: where you choose to connect Primary to an MCP-compatible AI assistant, the inputs and outputs of the specific tool calls you make are disclosed to that provider as described in section 2.4.
- Professional advisers: lawyers, auditors, accountants, bound by confidentiality.
- Regulators and law enforcement: ASIC, AUSTRAC, ATO, the SEC, FinCEN, courts and equivalent bodies where required by law or where we reasonably believe disclosure is necessary.
- Acquirers: any party to whom we sell or transfer our business, or with whom we explore such a transaction under appropriate confidentiality protections.
We require service providers to handle personal information consistently with this policy and to use it only for the purposes for which it is disclosed.
5. Consumer Data Right (CDR) data
Some of the banking data we receive flows through the Australian Consumer Data Right regime. Primary does not hold its own CDR accreditation. We access CDR data through an accredited data recipient (ADR) acting as an intermediary; depending on the connection, you share data with us either as the ADR's outsourced service provider or under a trusted adviser or CDR Representative arrangement disclosed to you at the point of connection.
CDR data is regulated by the Competition and Consumer Act 2010 (Cth) and the Competition and Consumer (Consumer Data Right) Rules. The Privacy Safeguards in Part IVD of that Act take precedence over the Australian Privacy Principles in respect of CDR data.
When you authorise a CDR connection:
- Separate consent and dashboard requirements apply under the CDR rules.
- You can view, amend and withdraw active CDR consents through the consent dashboard available in the platform settings, or through the ADR's dashboard where the connection is made via a CDR Representative or trusted adviser route.
- You can request deletion or de-identification of CDR data we hold; we will action this subject to any legal hold or retention requirement.
- We do not use CDR data for any purpose beyond providing the services you have requested, plus the narrow internal purposes permitted by the CDR rules.
We publish a separate CDR Policy describing our CDR handling in detail. Contact privacy@primary.tech for a copy or with any CDR-specific queries.
6. International transfers
Primary stores and processes personal information in Australia (AWS ap-southeast-2) and the United States (AWS us-east-1). Some of our service providers are located in, or process data from, the United States, the European Union, the United Kingdom and other jurisdictions.
Where we transfer personal information outside Australia we take reasonable steps to ensure the overseas recipient does not breach the Australian Privacy Principles, or we rely on a lawful basis for the transfer (including your consent where applicable).
Personal information held in the United States may be subject to lawful access requests by US authorities, including under the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), national security letters and equivalent processes. We will challenge requests we consider overbroad or unlawful where it is appropriate and lawful to do so.
7. Retention
We retain personal information only for as long as necessary for the purposes set out in this policy and to comply with our legal obligations.
- KYC, AML and identity verification records: 7 years after the end of our relationship with you (AML/CTF Act)
- Financial records, transaction records, instructions: 7 years from the date of the record (Corporations Act)
- Tax-related records: At least 5 years from the date of the record
- Account and profile data: Duration of your account, then archived for the periods above
- Product usage logs and analytics: Up to 24 months in identifiable form, then aggregated or deleted
- Support communications: 5 years from last contact
- Marketing data: Until you unsubscribe, then up to 12 months in suppression lists
- MCP tool request and response logs: 12 months for audit and debugging, then deleted
After the applicable retention period we delete, anonymise or aggregate the data. Backups may persist for a further period until they are overwritten in the ordinary course.
8. Your rights and how to exercise them
You can:
- Access the personal information we hold about you.
- Correct information you believe is inaccurate, incomplete or out of date.
- Request deletion of information, subject to our retention obligations described in section 7.
- Withdraw consent to specific uses, including direct marketing.
- Revoke connections to banks, accounting systems and AI assistants at any time through the platform settings.
- Export the data you have provided in a structured, machine-readable format on request.
- Complain to us about how we have handled your personal information.
Email privacy@primary.tech to exercise any of the above. We aim to respond within 30 days. We may need to verify your identity before acting on a request.
If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner at oaic.gov.au.
9. Security
We maintain administrative, technical and physical controls to protect personal information, including encryption in transit and at rest, role-based access controls, MFA on internal systems, vendor security reviews, logging and monitoring, and an ISO 27001-aligned information security programme evidenced through a third-party compliance platform.
No internet transmission is fully secure. Promptly notify us at security@primary.tech if you suspect any unauthorised access to your account.
Data breach notification
We comply with the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act 1988 (Cth). If we become aware of an eligible data breach that is likely to result in serious harm to affected individuals, we will notify those individuals and the Office of the Australian Information Commissioner as soon as practicable, consistent with the requirements of the scheme. Where notifying individuals directly is not practicable, we will publish a statement and take reasonable steps to publicise it.
10. Cookies and similar technologies
We use cookies and similar technologies to keep you signed in, remember preferences, secure the platform, and measure usage. You can disable non-essential cookies through your browser or our cookie banner. Disabling essential cookies will prevent the platform from working.
11. Children
Primary is for business use. We do not direct our services to anyone under 18 and do not knowingly collect information from minors.
12. Changes
We may update this policy from time to time. We will post the updated policy at primary.tech/privacy and update the "Last updated" date. Where changes are material we will notify you by email or in-app before the changes take effect.
13. Contact
Primary Technology Pty Limited
ABN 59 663 326 494
privacy@primary.tech