Data Protection

Last updated: January 2025

1. Our Data Protection Commitment

At Bill Zap, data protection is not just compliance—it's fundamental to our service design. We've built our electricity bill comparison platform with privacy-by-design principles, ensuring your personal information is protected at every step.

This page provides technical details about our data protection measures, complementing our Privacy Policy with specific implementation details.

2. Regulatory Compliance

2.1 Australian Privacy Principles (APPs)

We comply with all 13 Australian Privacy Principles under the Privacy Act 1988 (Cth):

  • APP 1: Open and transparent management of personal information
  • APP 3: Collection of solicited personal information
  • APP 5: Notification of the collection of personal information
  • APP 6: Use or disclosure of personal information
  • APP 8: Cross-border disclosure of personal information
  • APP 11: Security of personal information
  • APP 12: Access to personal information
  • APP 13: Correction of personal information

2.2 Additional Standards

We also align with:

  • ISO 27001 information security management principles
  • OWASP security guidelines for web applications
  • Australian Government Information Security Manual (ISM) recommendations

3. Data Processing Lifecycle

3.1 Upload and Initial Processing (0-5 minutes)

Step 1: Secure Upload

  • Files encrypted during transmission using TLS 1.3
  • Temporary storage in encrypted Australian-based servers
  • Virus and malware scanning of all uploads
  • File format validation and size limits enforced

Step 2: OCR and Data Extraction

  • Google Cloud Vision API processing (Australia region)
  • Automated extraction of usage data, rates, and charges
  • Immediate flagging and removal of personal identifiers
  • Data validation and error checking

3.2 Data Anonymisation (5-15 minutes)

Automatic Personal Data Removal

  • Pattern matching to identify names, addresses, account numbers
  • Regular expression filtering for phone numbers and emails
  • Postcode generalisation (specific address → distribution zone)
  • Customer reference number stripping

3.3 Analysis and Comparison (15-60 minutes)

Anonymous Data Processing

  • Rate comparison against market database
  • Usage pattern analysis using anonymised data
  • Savings calculation based on available plans
  • Results generation without personal identifiers

3.4 Data Cleanup (24 hours)

Permanent Deletion

  • Original bill files permanently deleted from all servers
  • Temporary processing files wiped using secure deletion
  • Only anonymised, aggregated statistics retained
  • Deletion logs maintained for audit purposes

4. Technical Security Measures

4.1 Encryption

  • In Transit: TLS 1.3 encryption for all data transmission
  • At Rest: AES-256 encryption for all stored data
  • Processing: Encrypted memory during OCR processing
  • Backups: All backups encrypted with separate keys

4.2 Access Controls

  • Multi-factor authentication for all system access
  • Role-based access control (RBAC) implementation
  • Principle of least privilege for all user accounts
  • Regular access reviews and deprovisioning

4.3 Infrastructure Security

  • Australian-hosted servers with physical security controls
  • Network segmentation and firewall protection
  • Intrusion detection and prevention systems
  • Regular security patching and updates

4.4 Application Security

  • Input validation and sanitisation
  • SQL injection and XSS protection
  • Rate limiting and DDoS protection
  • Security headers and CSP implementation

5. Data Minimisation Principles

5.1 Collection Limitation

We only collect data necessary for bill comparison:

  • Usage data (kWh, billing periods)
  • Rate information (tariffs, charges)
  • Provider and distribution network details
  • Optional email addresses for notifications

5.2 Purpose Limitation

Data is used exclusively for:

  • Electricity bill analysis and comparison
  • Generating personalised savings recommendations
  • Improving service through anonymous analytics
  • Sending opted-in savings notifications

5.3 Storage Limitation

We enforce strict data retention limits:

  • Original bills: Deleted within 24 hours
  • Personal identifiers: Removed immediately during processing
  • Anonymous usage data: Retained for service improvement
  • Email addresses: Retained until unsubscribed

6. Third-Party Data Processors

6.1 Google Cloud Platform

  • Service: OCR processing via Vision API
  • Location: Australia region (sydney-australia-southeast1)
  • Data: Temporary bill images for text extraction
  • Retention: Deleted immediately after processing
  • Agreement: Data Processing Addendum in place

6.2 Email Service Providers

  • Service: Transactional email delivery
  • Location: Australian-based providers only
  • Data: Email addresses and notification content
  • Security: TLS encryption and access controls

6.3 Analytics Providers

  • Service: Privacy-focused website analytics
  • Data: Anonymous usage statistics only
  • Cookies: Essential cookies only, no tracking
  • IP Addresses: Anonymised before processing

7. Incident Response and Breach Management

7.1 Incident Detection

  • 24/7 monitoring of system security and integrity
  • Automated alerts for suspicious activities
  • Regular security assessments and penetration testing
  • Employee training on security incident identification

7.2 Breach Response Procedure

In the event of a data breach, we will:

  1. Immediate Response (0-1 hour): Contain the breach and assess impact
  2. Investigation (1-24 hours): Determine scope and cause
  3. Notification (24-72 hours): Notify OAIC if required by law
  4. User Communication: Inform affected users if personal data involved
  5. Remediation: Implement fixes and prevent recurrence

7.3 Notification Requirements

We will notify the Office of the Australian Information Commissioner (OAIC) within 72 hours if a breach:

  • Involves personal information
  • Is likely to result in serious harm
  • Meets the threshold for a notifiable data breach

8. Your Data Protection Rights

8.1 Right to Information

You can request information about:

  • What personal information we hold (minimal, due to our data practices)
  • How we use your information
  • Who we share information with
  • How long we retain information

8.2 Right to Access and Correction

You can:

  • Request access to any personal information we hold
  • Request correction of inaccurate information
  • Update your email preferences at any time

8.3 Right to Deletion

You can request deletion of:

  • Your email address from our notification system
  • Any remaining personal information (though minimal is retained)

8.4 Right to Complaint

You can lodge complaints about our data practices with:

  • Bill Zap: privacy@billzap.com.au
  • OAIC: oaic.gov.au or 1300 363 992

9. Continuous Improvement

9.1 Regular Reviews

We conduct regular reviews of:

  • Data protection policies and procedures
  • Technical security measures
  • Third-party processor agreements
  • Staff training and awareness programs

9.2 Technology Updates

We continuously improve our data protection through:

  • Adoption of new security technologies
  • Regular system updates and patches
  • Enhanced anonymisation techniques
  • Improved data minimisation practices

10. Contact Our Data Protection Officer

For specific data protection questions or concerns:

  • Email: dpo@billzap.com.au
  • Mail: Data Protection Officer, Bill Zap, PO Box 123, Sydney NSW 2000

For general privacy questions, see our Privacy Policy or contact privacy@billzap.com.au