gridscoot
◆ compliance · public · 16 rules tracked

Every rule we know applies to us.

Australian Consumer Law, Privacy Act, ACCC guidance, and adjacent global standards. Each line names the rule, where it applies, our status, and a link to the actual surface that demonstrates compliance. No vague trust claims — every “we comply” is auditable. See also /terms, /privacy, and /rankings.

Compliant: 12 (evidence linked)
Partial: 1 (documented gap + plan)
Not yet applicable: 3 (triggers post-launch or never)
Total: 16 (rules audited)

01 · Australian rules: ACCC + ACL + Privacy Act

[compliant] ACCC Guidance on RRP comparisons (2024)
  Australian Competition and Consumer Commission · Comparison-pricing displays
  evidence: No strike-through "was" prices until live affiliate feeds land with verified 90-day history
  note: Early-access catalogue is illustrative; banner makes this explicit

[compliant] Privacy Act APP 1 — Open and transparent management of personal information
  Office of the Australian Information Commissioner · Privacy policy availability + clarity
  evidence: /privacy is plain-English, linked from every page footer, and lists exactly what we collect (see /privacy)

[compliant] Privacy Act APP 5 — Notification of collection
  Office of the Australian Information Commissioner · Sign-up, waitlist, price-alert forms
  evidence: Each collection point names the data taken and the lawful purpose at the form itself

[compliant] Notifiable Data Breaches scheme
  Office of the Australian Information Commissioner · Personal-info breach handling
  evidence: Documented breach procedure in operational runbook; OAIC notification path established

[compliant] Privacy Act APP 8 — Cross-border disclosure
  Office of the Australian Information Commissioner · Where we store + process user data
  evidence: Supabase region locked to AU; email transport (Resend) US-routed and disclosed in /privacy (see /privacy)

[compliant] ACCC Advertising on Digital Platforms — disclosure of paid relationships
  Australian Competition and Consumer Commission · Affiliate redirect links
  evidence: /about + /terms disclose the affiliate model; click-through URLs flagged rel="nofollow sponsored" in markup (see /about)

[compliant] ACCC: ranking must not misrepresent merit-based ordering
  Australian Competition and Consumer Commission · Search-result sort order
  evidence: Two-stage sort fully named on /rankings; affiliate commission % explicitly never read at rank-time (see /rankings)

[n/a yet] AU CDR — Consumer Data Right (retail energy + open banking)
  ACCC + Treasury · Open-banking or accredited-data-recipient flows
  evidence: We are a comparison service, not an Accredited Data Recipient. No CDR data is requested or stored

[n/a yet] AFSL — Australian Financial Services Licence
  ASIC · Financial product advice
  evidence: We compare retail consumer goods. No financial product, advice, or recommendation is offered

02 · Global + adjacent standards: GDPR · OWASP · PCI · STRIDE

[compliant] ACL § 18 — Misleading or deceptive conduct
  Competition and Consumer Act 2010 (Cth) Sch 2 · All public price comparisons + ranking claims
  evidence: Ranking algorithm fully disclosed; no paid placement; data-source advisory shipped on every search response (see /rankings)

[compliant] ACL § 29(1)(i) — False statements about price
  Competition and Consumer Act 2010 (Cth) Sch 2 · Price history + "was" pricing displays
  evidence: Fake-discount flagging is wired into get_price_history; current_vs_median uses a 30-day window, not RRP (see /rankings)

[compliant] ACL § 64 — Non-excludable consumer guarantees
  Competition and Consumer Act 2010 (Cth) Sch 2 · Our service to AU consumers
  evidence: /terms § 9 acknowledges non-excludable consumer guarantees apply alongside the liability cap (see /terms)

[compliant] OWASP ASVS Level 2 (self-audit)
  Open Worldwide Application Security Project · Web application security baseline
  evidence: Pre-launch security audit shipped Phase 9.5a; CSP + HSTS + X-Frame + Permissions-Policy headers wired

[compliant] STRIDE threat-model
  Microsoft Threat Model (industry baseline) · Authentication + session + RPC surfaces
  evidence: Modelled Phase 9.5a; bypass paths documented and remediated. Admin cookie uses constant-time HMAC verify

[partial] GDPR Art. 5 — Lawfulness, fairness, transparency
  EU Regulation 2016/679 · EU-based visitors who land on the site
  evidence: No analytics or third-party tracking scripts; cookies are essential-only. Formal GDPR controller designation deferred until EU traffic justifies it
  note: AU-first; we treat EU visitors with the AU privacy posture, which exceeds the GDPR floor on most clauses but does not formally adopt GDPR roles

[n/a yet] PCI DSS — cardholder data handling
  PCI Security Standards Council · Card payments
  evidence: Stripe-hosted Checkout when paid tier launches; no card data ever touches our servers
  note: Currently STRIPE_ALLOW_LIVE=false; pricing UI is a test-mode scaffold

This page is maintained alongside the actual code. When a rule changes or a new finding is added, the surface that demonstrates compliance is updated first, then the row here is added. Spot something we’ve missed? Email support via /about — we’d rather hear about it than quietly drift.