Privacy Policy

Last updated: April 2026

1. Overview

Redbark Sync (“we”, “our”, “the Service”) is committed to protecting your privacy and handling your personal information in accordance with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Consumer Data Right (CDR) rules.

This policy explains what information we collect, how we use it, and your rights regarding your data.

2. Information We Collect

Account Information

When you create an account, we collect your name and email address via our authentication provider (Clerk). This information is used to identify you and manage your account.

Banking Data (via CDR)

When you connect a bank account, we access the following data categories under your explicit CDR consent:

  • Account details (account name, type, masked account number)
  • Account balances
  • Transaction history (dates, amounts, descriptions, categories)

Redbark (SKINT AI Pty Ltd, ACN 685 364 729) is a CDR Representative of Fiskil Pty Ltd (ADR accreditation ADRBNK000246). Fiskil is our CDR Principal and collects and discloses CDR data to Redbark on your behalf under Fiskil's CDR Policy, which we adopt and comply with in accordance with CDR Rule 1.10AA(2)(e). We only access the data categories you have consented to, and only for the duration of your consent (maximum 12 months).

Google Account Data

When you connect Google Sheets, we access your Google Drive (read-only, to list spreadsheets) and Google Sheets (read/write, to sync transaction data). We only access the specific spreadsheets you select.

You Need a Budget Data (via You Need a Budget API)

If you connect You Need a Budget as a destination, we access your account via the You Need a Budget API using OAuth. We request access to your plans and transactions in order to import your bank transactions. We access only the minimum data necessary to provide the sync service:

  • Plan names and IDs (to let you select a plan)
  • Existing categories and payees (to map incoming transactions)
  • Write access to create transactions in your selected plan

Your You Need a Budget OAuth access token is encrypted at rest using AES-256-GCM and is only used to communicate with the You Need a Budget API on your behalf. Transaction data synced to You Need a Budget is transmitted directly and is not permanently stored on our servers. Your You Need a Budget data will not be passed to any third party without your knowledge or consent.

You can disconnect your You Need a Budget account at any time via the Destinations page, which revokes our access and deletes the stored token. If you delete your Redbark account, all You Need a Budget tokens and associated configuration are permanently removed.

Notion Data (via Notion API)

If you connect Notion as a destination, we access your Notion workspace via the Notion API using OAuth. We access only the minimum data necessary to provide the sync service:

  • Workspace and database listing (to let you select a database)
  • Write access to create entries in your selected database

Your Notion OAuth access token is encrypted at rest using AES-256-GCM and is only used to communicate with the Notion API on your behalf. You can disconnect Notion at any time via the Destinations page, which revokes our access and deletes the stored token.

Webhook Destinations

If you configure a webhook destination, we send your transaction data to the URL you specify via HTTPS. We do not control or have access to the receiving endpoint. You are responsible for ensuring the security of your webhook URL.

Payment Information

Payment processing is handled by Stripe. We do not store your credit card details. Stripe may collect billing information in accordance with their privacy policy.

3. How We Use Your Information

  • To provide the transaction synchronisation service you have requested
  • To maintain and improve the Service
  • To communicate with you about your account and the Service
  • To comply with legal obligations, including CDR requirements

We do not use your banking data for any purpose other than providing the synchronisation service. We do not sell or share your personal information with third parties for marketing purposes.

4. Data Storage and Security

Transaction data (amounts, dates, descriptions, merchants, balances) is proxied live from Fiskil at sync time and written directly to the destination you configured. No transaction payload is persisted to our database or our logs. What we do persist, to run the service, is limited to:

  • Account metadata — institution name, account name, account type, currency, and a masked account number (e.g. “xxxx1234”) — so the UI can show your connected accounts without re-fetching on every page load.
  • CDR consent records — status, purpose, data categories, expiry, and a history of state transitions.
  • Encrypted OAuth and banking tokens, encrypted at rest with AES-256-GCM using unique random IVs.
  • Sync configuration and execution statistics (record counts and timestamps, never transaction content).
  • An audit log of state-changing actions.

All traffic is HTTPS / TLS. Our database is hosted on SOC 2-compliant infrastructure. Access to production systems is restricted and audited. Our error monitoring and logs run through a scrubbing layer that redacts CDR transaction fields, PII, and secrets before events leave the app.

5. Data Retention

  • Account information is retained for the duration of your account.
  • Banking data access is limited to the duration of your CDR consent (maximum 12 months).
  • Account metadata and consent records are retained while the underlying consent is active, and deleted when consent is withdrawn through Fiskil's consent dashboard or when you delete your Redbark account.
  • Sync run history (metadata only — record counts and timestamps, never transaction data) is retained for the duration of your account.
  • Audit log entries are retained for 7 years to meet our record-keeping obligations under the CDR Rules, and are purged thereafter.
  • When you delete your account, all of the above is permanently removed from our systems. Data already written to your own destinations (Google Sheet, YNAB plan, webhook endpoint, etc.) sits in your own accounts with those providers and remains under your control — we do not have the ability to delete it on your behalf.

6. Your Rights

Under Australian privacy law and CDR rules, you have the right to:

  • Withdraw consent — Revoke CDR consent at any time through Fiskil's consent dashboard. This immediately stops data access.
  • Delete your account — Request complete deletion of your account and all associated data via Settings.
  • Access your data — Request a copy of the personal information we hold about you.
  • Correct your data — Request correction of any inaccurate personal information.
  • Complain — Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached.

7. Third-Party Services

The Service integrates with the following third-party providers:

  • Clerk — Authentication and account management
  • Fiskil — CDR Principal (Accredited Data Recipient, ADRBNK000246). Redbark operates as Fiskil's CDR Representative. See Fiskil's CDR Policy.
  • Google — Sheets and Drive API for data synchronisation
  • You Need a Budget — Budgeting platform; transaction sync destination via OAuth API
  • Notion — Database platform; transaction sync destination via OAuth API
  • Stripe — Payment processing
  • Resend — Transactional email delivery
  • PostHog — Product analytics (usage patterns, feature adoption)
  • Sentry — Error tracking and application monitoring

Each provider operates under their own privacy policies. We encourage you to review them.

8. Analytics

We use PostHog to collect anonymised product analytics, such as which features are used and how users navigate the Service. Analytics data does not include your banking data or transaction details. We use Sentry to monitor application performance and track errors. These services help us maintain and improve the Service.

9. Cookies

The Service uses essential cookies for authentication and session management, and analytics cookies for product usage tracking (via PostHog). We do not use third-party advertising cookies.

10. Children's Privacy

The Service is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice. The “Last updated” date at the top of this page indicates when the policy was last revised.

12. Access, Correction, and Complaints

To request access to personal information we hold about you, to request correction of any inaccurate personal information, or to raise a privacy or CDR-related enquiry, contact us at privacy@redbark.co. We will respond within 30 days.

If you are not satisfied with our response, you may escalate:

  • Privacy complaints — Office of the Australian Information Commissioner at www.oaic.gov.au.
  • CDR-specific complaints — Our CDR Principal is Fiskil Pty Ltd, who operates their complaints process under Fiskil's CDR Policy. The external dispute resolution body for Fiskil is the Australian Financial Complaints Authority (AFCA, member 83521) at www.afca.org.au.