This Privacy Policy explains how SWL PNG Limited (“SWL PNG”, “we”) collects, uses, discloses, and protects personal information when you use the PNG Tax Management System (the “Service”).

1. Information We Collect

We collect only what is necessary to provide the Service:

Account information – full name, email, phone, firm name, and role.
Firm & company data – TIN, GST number, address, fiscal-year settings.
Operational data – contacts, invoices, bills, journal entries, bank statements, payroll records you upload or enter.
Authentication data – salted password hashes (we never store plaintext passwords), JWT access / refresh tokens, login attempts, IP address of sign-in.
Usage data – HTTP request logs, error logs, and aggregated analytics to improve the Service.

2. How We Use Your Information

to operate, maintain, and improve the Service;
to authenticate you and protect against fraud or unauthorised access;
to process payments for paid plans;
to contact you about service updates, security notices, and (with your consent) product news;
to comply with legal obligations, including lawful requests from PNG authorities such as the IRC or Central Bank.

3. Sharing & Disclosure

We do not sell personal information. We share personal information only with:

Service providers who help us run the platform (hosting, backups, email delivery, payment processing) under written confidentiality and data-protection obligations;
Your own firm – if you were invited into a firm account, staff and owners of that firm can see your activity within it;
Authorities – when required by law, with notice to you where permitted.

4. Storage & International Transfers

Production data is hosted on servers located in the Asia-Pacific region, with encrypted off-site backups in Singapore (Wasabi, AES-256). Some of our service providers, including the development team at Onepiecetechnology Co., Ltd., are based outside of Papua New Guinea. Where data is transferred abroad, we rely on contractual safeguards with those providers.

5. Security

All data in transit is encrypted with TLS 1.3.
Sensitive fields (e.g. TINs) are encrypted at rest.
Passwords are hashed using bcrypt with a work factor of 12.
Daily database and source-code backups are retained for 30 days.
Administrative access is limited to named individuals and requires key-based authentication.

No system is perfectly secure. If we detect a data breach that materially affects your rights, we will notify you by email within 72 hours of becoming aware.

6. Retention

We keep Customer Data for as long as your account is active. If you close your account, we retain data for up to 30 days to allow export, then delete or de-identify it, except where longer retention is required by law (e.g. statutory records under PNG tax law).

7. Your Rights

Subject to applicable law, you may request to: access your personal information; correct inaccuracies; export a copy; or delete your account. Send requests to adam@swlpng.com. We aim to respond within 30 days.

8. Cookies

We use strictly-necessary cookies to keep you signed in (httpOnly access and refresh tokens). We do not use tracking cookies for advertising. Aggregated, anonymised analytics may be used to improve the Service.

9. Children

The Service is not directed at individuals under 18. We do not knowingly collect personal information from minors.

10. Changes to This Policy

Material changes will be notified by email and posted on this page at least 30 days before they take effect.

11. Contact

Privacy questions? Write to adam@swlpng.com. See our contact page for more options.