Privacy policy
Your privacy is important to us.




Table of contents
CTC Ledger Pty Ltd (ABN 53 655 951 812) trading as Summ (Summ, Summ Labs, we, us or our) is committed to protecting your privacy. This policy explains how we collect, use and protect your personal information. It applies to all personal information we handle, whether we collect it through our website, in person, or through other means.
For individuals located in the European Economic Area (EEA), United Kingdom or Switzerland: Additional rights and protections apply to you under the General Data Protection Regulation (EU) 2016/679 (GDPR) and, for UK residents, the UK General Data Protection Regulation (as incorporated into UK law) and the Data Protection Act 2018 (UK GDPR). Please refer to Appendix 1 at the end of this policy for information specific to your additional rights and how we process your personal information in accordance with GDPR and UK GDPR requirements.
For individuals located in California, please see Appendix 2 at the end of this policy for information specific to your additional rights.
This policy is effective as of 15 September 2022. Last updated: 28 May 2026.
Quick overview
- We collect information you provide to us and information we gather when we interact with you
- We use this information to provide our services and improve your experience
- We protect your information using secure systems and processes
- You have rights regarding your personal information, including access and correction rights
Information we collect
Identity and contact details
- Email address
- Tax jurisdiction
- Name and billing address (only collected when you subscribe to a paid plan)
Service related information
- Payment and transaction details for services you've purchased from us or enquiries about our services
- Your preferences for our services and your marketing preferences
- Feedback and survey responses
- Personal information contained in user-uploaded documentation (see User Documentation section below)
Cryptocurrency information
- Cryptocurrency wallet addresses
- Transaction IDs for cryptocurrency transactions
- Cryptocurrency balances on centralised exchanges
- List of exchanges you have traded on
Digital information
- IP address and general location information derived from your IP address
- Security tokens
- Search and browsing behaviour
- Website usage patterns
- Cookie preferences and usage
Recordings
- Records of chat interactions you have with our support team
- Call recordings
- Records of meetings and decisions
Professional information (for job applicants and workers)
- Employment history
- Professional experience
- Required authorisations and licences
- Professional registrations
- Information about your right to work in the relevant jurisdiction
Connected App Integration Data
- Your cryptocurrency transaction history
- Your portfolio holdings
- Your tax reports and capital gains or loss summaries
- The wallets and exchanges you have connected to your account
- Your tax settings and jurisdiction
Connection and session details generated when you authorise a third party application or AI tool to connect to your account
How we collect personal information
- Directly from you when you: when you interact with us, contact us, fill out forms.
- Automatically when you: visit our website, use our technologies, interact with our online services.
- From third parties: service providers, business partners, public sources, government organisations and organisations or people authorised by you.
Why we collect, hold, use and disclose personal information
We collect and use your personal information to run our business and provide our services as set out below.
Business operations
- To manage our relationship with you as a customer or supplier
- To process and deliver our services
- To handle your inquiries, support requests, and communications
- To maintain accurate records for billing and administration
- To verify your identity when required or permitted by law
- To facilitate connections between yours account and any third-party apps or tools you choose to connect, including passing your personal information to those apps on your instructions and managing the access tokens that keep those connections running
Communication and support
- To respond to your questions and support requests
- To communicate important updates about our services
- To handle inquiries made through our website or platforms
- To manage your participation in surveys, feedback sessions, or events
Service improvement
- To conduct analytics and market research
- To improve our business operations and services
- To develop and enhance our applications and platforms
- To understand how our services are used
Marketing and promotions
- To send you promotional information about our services and events
- To inform you about products or services that may interest you
- To manage your marketing preferences
- To run competitions, promotions, and special offers
- To provide additional benefits to our customers
Employment purposes
- To assess employment applications
- To evaluate candidate qualifications
- To manage professional certifications and licences
- To maintain employment records
Legal and compliance
- To comply with our legal obligations
- To respond to court orders or legal processes
- To maintain required business records
- To fulfill regulatory requirements or reporting obligations
- To protect our legal rights and interests or as authorised by law
User Documentation
We actively minimise and strip unnecessary personal information from customer-uploaded documents like 1099-DAs, and only retain the data required to process the form and reconcile your transactions. Reducing our long-term data footprint is a deliberate design choice for Summ.
Our disclosures of personal information to third parties
We may disclose personal information to:
Service providers
- IT service providers
- Data storage providers
- Web hosting and server providers
- Payment processors
- Marketing and advertising providers
- Analytics providers
Professional advisers
- Bankers
- Auditors
- Insurers and insurance brokers
- Legal advisers
Business partners
- Our existing or potential agents
- Our business partners or contractors
Corporate transactions
If we merge with or are acquired by another company, or sell our business assets:
- Your information may be disclosed to our advisers
- Your information may be disclosed to the potential purchaser's advisers
- Your information may be included in the transferred assets
Legal and regulatory bodies
- Courts and tribunals
- Regulatory authorities including as required for reporting obligations
- Law enforcement officers
Other parties
- A parent, subsidiary, or affiliate of our company
- Third parties you have authorised
- Emergency services when necessary
- Any other parties as required or permitted by law
Third parties we currently use include, but are not limited to:
- Amazon Web Services
- Anthropic
- CookieBot
- FirstPromoter
- Google Marketing Platform
- Intercom
- Meta
- Microsoft Advertising
- OpenAI
- Ortto
- PostHog
- SendGrid
- Stripe
- VWO
- X (Twitter)
Third Party Tools You Connect Your Account To
If you choose to connect a third-party app or AI tool to your Summ account (for example Claude.ai, Claude Desktop, Cursor, or any other third-party application), we will share your information with that app to the extent you allow when you set up the connection. When you do this:
- the third-party provider will receive and process your information, including your prompts and the responses our platform returns. This is governed by that provider's own privacy policy and terms, not ours
- your prompts and the outputs from our platform are processed by the third-party provider's systems. We have no control over how they handle, store or use your information once it has been passed to them
- the third-party app operates as a separate, independent business in respect of your information. We are not responsible for how they handle it
- we only share what is necessary to carry out the connection you have set up
- you are responsible for reading the privacy policy and terms of any app before connecting it to your account
Overseas disclosure
Storage and access
We store your personal information in Australia and the United States of America. However, your information may be accessed from or transferred to other locations in these circumstances:
- When our service providers are located overseas
- When we work with overseas business partners
- When using cloud-based services or data storage solutions
If you connect a third-party app to your account, your information may be sent to and processed by that app in countries outside Australia, including the United States. That processing is covered by the third-party provider's own privacy policy. We are not responsible for how they handle your information once it has been passed to them.
Our approach to overseas disclosure
Before disclosing your personal information overseas, we take reasonable steps to ensure that the recipient treats your information in accordance with applicable law by only sending what is necessary, requiring recipients to protect your information through contractual agreements which require the recipient to comply with the privacy standards in applicable law or through other mechanisms that provide comparable safeguards and by monitoring how recipients handle your information.
Your privacy rights and choices
Providing information
You can choose whether to provide personal information to us, however, if you don't provide certain information, we may not be able to provide some services. Let us know if you don’t want to provide information and we will let you know when information is required versus optional.
Access to your information
You can request access to the personal information we hold about you and we will respond to your request within a reasonable time. We may charge a reasonable administrative fee for providing access and if we cannot provide access, we will explain why and explore alternative ways to share relevant information.
Correction rights
You can ask us to correct any information that is inaccurate, out of date, incomplete, irrelevant or misleading and we will take reasonable steps to correct your information promptly. If we cannot make the correction, we will explain why and discuss alternatives. You can ask us to add a statement to your information noting your requested correction.
Marketing communications
You can opt-out of receiving marketing communications at any time. Each marketing communication will include an unsubscribe option. You can change your marketing preferences by contacting us. We will process your request as soon as practicable.
How to contact us about your rights or to make a complaint and what happens next
Step 1: Contact our privacy officer
- Email: [email protected]
What to include:
Your full name, contact details, clear details about your request or complaint, and any relevant dates or reference numbers.
Step 2: Our response
We will:
- Verify your identity before processing your request
- Investigate thoroughly (for complaints) or process your request (for rights)
- Respond to you in writing within reasonable timeframes and as required by law
- Explain what actions we will take and keep you updated on progress
- Not charge you for making a request (except for reasonable access fees if applicable)
- Help you understand and exercise your rights
Step 3: If you're not satisfied (complaints only)
If you're not satisfied with our response to your complaint, you can:
- Ask for a review by our senior management, or
- Contact external bodies:
- Australian residents: Office of the Australian Information Commissioner (Phone: 1300 363 992, Website: www.oaic.gov.au)
- NZ residents: Office of the Privacy Commissioner (Phone: 0800 803 909, Website: www.privacy.org.nz)
- EU residents: Your local Data Protection Authority (DPA). Each EU member state has its own supervisory authority. You can find your local DPA through the European Data Protection Board website: https://edpb.europa.eu/about-edpb/about-edpb/members_en
- UK residents: Information Commissioner’s Office (Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, helpline number: 0303 123 1113, website: https://www.ico.org.uk/make-a-complaint)
- Any other country: your local authority which regulates data protection issues.
You don't have to contact us first before going to the regulatory authority, but we'd appreciate the opportunity to try to resolve your concerns directly with you.
This is the same process whether you want to access your information, correct mistakes, change marketing preferences, or make a complaint about our privacy practices.
Protecting your information
We use multiple layers of security to protect your information.
Technical safeguards
- Enterprise-grade encryption for data storage and transmission
- Regular security testing and monitoring
- Automated threat detection systems
Operational security
- Staff training on security and privacy
- Strict access controls based on job requirements
- Regular security audits and incident response procedures testing
Physical security
- Secure premises with controlled access
- Secure disposal of physical documents
- Equipment security protocols
Public information
Please note that any information you choose to share publicly on online platforms (such as comments or reviews) can be accessed and used by others. We cannot control or protect information that you make publicly available.
How long we keep your information
We keep your personal information only as long as we need it for the purposes we collected it, or as required by law. When we no longer need it, we securely destroy or de-identify it.
When you connect a third-party app to your account, we create an access token to keep that connection running. These tokens expire automatically after a set period, after which the app will need to reconnect. You can also cancel a token at any time by disconnecting the app through your account settings. Once a token expires or is cancelled, the app can no longer access your account.
Cookies and Analytics
What We Use
We use cookies, tracking pixels, and similar technologies on our website and in our emails to improve your experience and our services.
Cookies
- Small text files stored on your device
- Help remember your preferences
- Enable certain website functions
- Make your interactions with our website more efficient
Tracking Pixels
- Tiny, invisible images in web pages and emails
- Help us understand how you interact with our content
- Allow us to measure email engagement
- Enable more relevant content delivery
How we use these technologies
Essential Functions:
- Remember your login status
- Maintain your session security
- Store your preferences
- Enable core website features
Analytics and Performance:
- Understand how our website is used
- Measure page views and traffic
- Analyse user navigation patterns
- Identify areas for improvement
Personalisation:
- Remember your preferences
- Tailor content to your interests
- Improve your browsing experience
- Provide relevant recommendations
Your control
You can manage these technologies by:
- Adjusting your browser settings to block or delete cookies
- Using privacy-focused browser extensions
- Configuring your email client to block images
- Using our cookie preference settings
Note: Blocking all cookies may affect website functionality and your user experience.
Google Analytics
We use Google Analytics to understand how people use our website. This involves cookies that collect information about your browsing activity. You can opt out of Google's advertising features through your Google account settings, browser add-ons, or your device's privacy settings. Google provides various tools and options to control how your data is used for advertising purposes. You can learn more about how Google uses your data and your available options on Google's privacy pages.
Meta advertising tools
We use Meta's advertising tools (such as Meta Pixel) to understand how our ads perform and to show you more relevant advertisements on Meta platforms like Facebook and Instagram when you visit our website or app. You can manage whether we connect information from our website with your Meta account for advertising purposes by adjusting your settings within your Meta account preferences.
When you sign in with another account (like Coinbase or Google)
What we collect
When you use single sign-on to connect with us, we'll receive personal information from that provider based on your privacy settings with them. This may include your name, username, profile picture, and other details you've chosen to share.
How we use it
We use this information to create your profile on our platform and give you access to our services.
Artificial Intelligence (AI) Technologies
Overview
We use artificial intelligence and machine learning technologies in our business operations and services, including AI tools provided by third parties. We only use these technologies when legally permitted and necessary for our business.
How we use AI
We may use AI technologies to:
- Conduct analysis and data processing
- Generate and modify content and coding
- Improve and optimise our services and operations
- Automate routine tasks and communications
- Personalise your experience with our services
- Support quality assurance processes
- Assist with customer support and queries
Data protection and security
When we work with third-party AI providers, we ensure they handle your personal information in accordance with privacy laws through contractual requirements and appropriate safeguards.
Your rights and our commitments
Any information generated or inferred about you by AI technologies is treated as personal information, and you maintain all the rights outlined in this privacy policy. When using AI with your personal information, we commit to:
Transparency and control
- We'll inform you when AI is used to make decisions that may significantly affect you
- We maintain human oversight and review of significant AI-generated decisions
- Our staff are trained to understand AI limitations and verify outputs before relying on them
- We implement processes to verify the accuracy of AI-generated outputs
Security
- We use appropriate technical and organisational measures to maintain the security and integrity of your personal information
- We do not permit the AI providers we use to use any information to train their large language models
- We regularly test and monitor AI outputs for accuracy and reliability
Risk mitigation
- We regularly assess and document risks associated with using AI to process personal information
- We implement appropriate measures to address these risks
- We continuously monitor AI performance and regularly review their impact
Third party AI tools you connect to your account
As well as our own use of AI described above, you can connect third-party AI tools to your Summ account. If you do:
- depending on the permissions you grant, the tool may access your transaction history, portfolio, tax reports, connected wallets and exchanges, and tax settings. If you also turn on write access, the tool may be able to add or change information in your account
- we do not store the prompts you send to the third-party tool or the responses it gives you. That information passes through in transit and is not kept by us
- your account information accessed through the connection is stored in the same systems we use for the rest of your Summ data
- we do not guarantee the accuracy of anything a third-party AI tool produces, including any tax-related outputs like capital gains summaries or tax reports. You should check these with a qualified accountant before relying on them
- you can disconnect a third-party tool at any time through your account settings. This will stop it from accessing your account going forward, but we cannot retrieve or delete any information it has already received
Amendments
We may update this policy at any time by posting the revised version on our website. We recommend that you review our website regularly to stay current with any policy changes.
Appendix 1: additional rights and information for individuals located in the eu or uk
Under the General Data Protection Regulation (EU) 2016/679 (GDPR) and, for UK residents, the UK General Data Protection Regulation (as incorporated into UK law) and the Data Protection Act 2018 (together, the European Data Protection Laws), individuals located in the EU and UK have additional rights which apply to their personal information. Personal information under these Data Protection Laws is often referred to as personal data and is defined as information relating to an identified or identifiable natural person. This Appendix 1 sets out the additional rights we give to individuals located in the EU and UK, as well as the lawful basis on how we process the personal information of individuals located in the EU and UK.
Legal bases for processing personal information
European Data Protection Law requires us to have proper legal reasons for using your personal data. We can only use your information when we have one or more of these legal bases.
- Consent - You have clearly agreed to us using your personal data for a specific purpose.
- Performance of a contract - We need to use your information to fulfil a contract with you, or because you've asked us to do something before entering into a contract.
- Legal duty - We must use your information to comply with the law.
- Vital interests - We need to use your information to protect someone's life.
- Public interest - We need to use your information to perform a task in the public interest or carry out official functions that have a clear legal basis.
- Legitimate interests - We have a genuine business reason to use your information, or a third party does, but only if this doesn't unfairly override your rights and interests. Where we rely on legitimate interests as our legal basis, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. These assessments consider:
- The nature of our legitimate interest
- The impact on you
- Any safeguards we can implement
- Your reasonable expectations
- The broader context of our relationship
Note that we may process your personal data for more than one legal basis depending on the specific purpose for which we are using your data. We have listed the reasons we process your data and the legal basis below. Please reach out to us if you need further details about the specific legal basis we are relying on to process your personal data.
The full purposes of processing are set out in the policy above under “Why we collect, hold, use and disclose personal information” and the legal basis for this processing is set out below
Purpose: Business operations
Legal basis for using this information:
- Performance of a Contract
- Legal Duty (for billing and record-keeping requirements)
- Legitimate interests
Types of information we use:
- Identity and contact details
- Service related information
- Cryptocurrency information
- Digital information
- Recordings
- Connected App Integration Data
Purpose: Communication and support
Legal basis for using this information:
- Legitimate interests
Types of information we use:
- Identity and Contact Data
- Cryptocurrency information
- Digital Information
Purpose: Service improvement
Legal basis for using this information:
- Legitimate interests
Types of information we use:
- Service related information
- Cryptocurrency information
- Digital information
- Recordings
Purpose: Marketing and promotions
Legal basis for using this information:
- Legitimate interests
Types of information we use:
- Identity and Contact Data
- Digital Information
Purpose: Employment purposes
Legal basis for using this information:
- Legitimate interests
- Legal Duty
- Consent
- Performance of a Contract
Types of information we use:
- Identity and Contact Data
- Professional Data
Purpose: Legal and compliance
Legal basis for using this information:
- Legal Duty
Types of information we use:
- All relevant personal information
Overseas transfers
Your information may be transferred to locations outside the EU or United Kingdom in these circumstances:
- When required as part of providing our services
- When our service providers are located overseas
- When we work with overseas business partners
- When using cloud-based services or data storage solutions
- When required by law or legal proceedings
If you connect a third-party app to your account, your information may be transferred to that provider's systems outside the EU or UK. This happens on your instruction and that provider acts as a separate data controller for that information. We recommend you check their privacy policy before connecting.
Our approach to overseas transfers
When we transfer your personal data outside the EU or United Kingdom, we ensure it receives appropriate protection by:
- Only transferring your information to countries that European Data Protection Laws recognise as providing adequate protection for personal information,
- Putting in place a contract with the third party that means they must protect personal data to the same standards as the EU or UK, or
- Transferring personal data to organisations that are part of specific agreements on cross-border data transfers with the EU or UK.
Data retention
How long we keep your information
We only keep your personal data for as long as we need it to:
- Provide our services to you
- Meet our legal, tax, accounting or regulatory obligations
- Handle any complaints or legal issues that may arise
We may keep your information for longer periods if:
- You make a complaint that we need to investigate or respond to
- We reasonably believe legal action involving our relationship with you might occur
- The law requires us to keep it for specific timeframes
How we decide retention periods
When determining how long to keep your information, we consider:
- How much information we have and how sensitive it is
- The risk of harm if the information was accessed without permission
- Whether we can achieve our purposes in other ways
- What legal, regulatory, tax or accounting rules require
- The nature of our relationship with you and the services we provide
What happens when we no longer need your information
Once we no longer need your personal data, we will securely delete or destroy it in accordance with our data retention policies and legal requirements.
You can request information about retention periods for your data and ask for early deletion where legally possible.
Rights in relation to personal data
In addition to the rights you have in our policy above, you also have the below rights.
Right to Erasure
You can request deletion of your personal data in certain limited circumstances as set out in European Data Protection Law, such as where the data is no longer necessary or has been unlawfully processed. This right is not absolute and we may be required or entitled to retain your data for legal, regulatory or legitimate business reasons.
Right to Restrict Processing
You can ask us to suspend processing where:
- You contest the accuracy of the data
- Processing is unlawful but you don't want erasure
- We no longer need the data but you need it for legal claims
- You've objected to processing pending verification of our legitimate grounds
Right to Data Portability
Where technically feasible, you can receive your personal data in a structured, commonly used format or have it transmitted to another controller where:
- Processing is based on consent or contract
- Processing is automated
Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds.
Right to Withdraw Consent
Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
Representative
We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact for the following regions:
- United Kingdom (UK)
- European Union (EU)
Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative, Prighter or make use of your data subject rights, please visit the following website: https://app.prighter.com/portal/17779954965
Appendix 2: Additional disclosures for California compliance (US)
Under California Civil Code Section 1798.83, if you live in California and your business relationship with us is mainly for personal, family, or household purposes, you may ask us about the information we release to other organizations for their marketing purposes.
To make such a request, please contact us using the details provided in this privacy policy with “Request for California privacy information” in the subject line. You may make this type of request once every calendar year. We will email you a list of categories of personal information we revealed to other organisations for their marketing purposes in the last calendar year, along with their names and addresses. Not all personal information shared in this way is covered by Section 1798.83 of the California Civil Code.
Do not track
Some browsers have a “Do Not Track” feature that lets you tell websites that you do not want to have your online activities tracked. At this time, we do not respond to browser “Do Not Track” signals.
We adhere to the standards outlined in this privacy policy, ensuring we collect and process personal information lawfully, fairly, transparently, and with legitimate, legal reasons for doing so.
CCPA-permitted financial incentives
In accordance with your right to non-discrimination, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels for the goods or services we provide.
Any CCPA-permitted financial incentive we offer will reasonably relate to the value of your personal information, and we will provide written terms that describe clearly the nature of such an offer. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.
California notice of collection
In the past 12 months, we have collected the following categories of personal information enumerated in the California Consumer Privacy Act:
- Identifiers, such as name, email address, phone number, account name, IP address, and an ID or number assigned to your account;
- Commercial information, such as products or services history and purchases;
- Geolocation data.
For more information on information we collect, including the sources we receive information from, review the “Information We Collect” section. We collect and use these categories of personal information for the business purposes described in the “Collection and Use of Information” section, including to provide and manage our Service.
Right to know and delete
If you are a California resident, you have rights to delete your personal information we collected and know certain information about our data practices in the preceding 12 months. In particular, you have the right to request the following from us, the:
- Categories of personal information we have collected about you;
- Categories of sources from which the personal information was collected;
- Categories of personal information about you we disclosed for a business purpose or sold;
- Categories of third parties to whom the personal information was disclosed for a business purpose or sold;
- Business or commercial purpose for collecting or selling the personal information; and
- Specific pieces of personal information we have collected about you.
To exercise any of these rights, please contact us using the details provided in this privacy policy.
Shine the light
If you are a California resident, in addition to the rights discussed above, you have the right to request information from us regarding the manner in which we share certain personal information as defined by California’s “Shine the Light” with third parties and affiliates for their own direct marketing purposes.
To receive this information, send us a request using the contact details provided in this privacy policy. Requests must include “California Privacy Rights Request” in the first line of the description and include your name, street address, city, state, and ZIP code.
Contact us
For any questions or concerns regarding your privacy, you may contact us using the following details:
Email: [email protected]

