Privacy Policy
Effective date: 2026-05-19
We operate under the Australian Privacy Principles (Privacy Act 1988) and apply equivalent protections to EU/UK customers.
What we collect
- Email. For account + transactional email.
- Stripe customer ID + billing details. Stripe holds card numbers, never us.
- IP. Transiently, for rate-limit + abuse prevention.
- API usage logs. Endpoint, timestamp, status, response size, key hash. We do NOT log response contents.
- Support correspondence. Emails you send.
No name, address, DOB, or sensitive info. No third-party analytics or ad trackers.
Why
Account management, billing, abuse prevention, debugging. We don't profile you, sell your data, or use your patterns to train models.
Retention
Email + key hash: while account is active + 90d. Usage logs: 24 months. Billing records: 7 years (ATO requirement). Support emails: 24 months unless deletion requested earlier.
Sub-processors
| Processor | Purpose | Location |
|---|---|---|
| Fly.io | API hosting | Sydney (syd) |
| Supabase | Auth + database | Sydney |
| Stripe | Payments | AU + global |
| Resend | Transactional email | US |
Third-party sharing
No sales. No advertisers / data brokers. Only the processors above. Disclosure only under valid Australian legal process; we notify where law permits.
Cookies
Minimal. Only auth session cookies. No tracking pixels.
Your rights
Access, correct, delete, port, object. Email privacy@ausdata.io, 30-day response. Complain to OAIC (oaic.gov.au) if you think we've mishandled.
Security
HTTPS + HSTS. Salted-hashed API keys. DB encrypted at rest. Stripe webhook signatures verified. Small attack surface.
Children
Not intended for under-18s.
Changes
30 days email notice for material changes.
Contact
privacy@ausdata.io for privacy questions / access / deletion. support@ausdata.io for everything else.