Legal
Privacy Policy
This Privacy Policy explains how Stratamate ("we", "us", "our") collects, uses, discloses, and protects personal information when you use our website and services at stratamate.com.au (the "Service").
We are committed to protecting your privacy in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained in Schedule 1 of that Act.
Contents
- What information we collect
- How we collect information
- How we use your information
- AI processing and third-party service providers
- Cross-border data transfers
- Document storage and data retention
- Disclosure of personal information
- Security
- Cookies and local storage
- Your rights under Australian privacy law
- Notifiable data breaches
- Children's privacy
- Links to other websites
- Changes to this policy
- How to contact us or make a complaint
1. What information we collect
Documents you upload
When you upload a PDF strata report, AGM minutes, financial statement, or similar document, we receive and process the text content of that document. The document may contain information about third parties (owners, tenants, debtors, committee members). You should only upload documents you have the legal right to share, and you accept responsibility for doing so.
Account information
If you create an account (Agent or subscription plans), we collect your email address and, optionally, your name. We do not collect government identifiers (e.g. driver licence, Tax File Number).
Payment information
For paid services, payments are processed by Stripe. Stripe collects and stores your card number, expiry, and CVC on its secure, PCI-DSS-compliant infrastructure. We receive only a Stripe customer ID and the last four digits of the card used. We do not store full card details.
Technical and usage data
We automatically collect:
- IP address (used for rate limiting and fraud prevention)
- Browser type, version, and operating system
- Pages visited, features used, and time spent on the Service
- HTTP request timestamps and response codes
- Error logs and performance data
Anonymous buyer session data
If you purchase a one-off report without creating an account, we assign your Stripe checkout session a temporary session token stored in your browser's local storage. This token is used solely to authenticate your single report upload. It expires after 7 days or upon use.
2. How we collect information
We collect information:
- Directly from you — when you create an account, upload documents, make a payment, or contact us
- Automatically — via server logs and browser cookies/localStorage when you use the Service
- From third parties — Stripe provides payment event data (e.g. subscription created, payment failed); Supabase provides authentication events
3. How we use your information
We use the personal information we collect to:
- Provide the strata report analysis you requested
- Authenticate your identity and manage your account
- Process payments, issue receipts, and manage subscriptions
- Send you transactional emails (payment receipts, subscription renewal notices, credit usage alerts)
- Respond to support requests or complaints
- Monitor and improve the accuracy of the AI analysis
- Detect, investigate, and prevent fraud, abuse, or security incidents
- Comply with legal obligations, including responding to lawful requests from courts or regulators
We do not use your personal information for direct marketing without your consent. We do not sell your personal information to any third party.
4. AI processing and third-party service providers
To provide the Service, we engage the following third-party service providers who may process personal information on our behalf:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| OpenAI | AI analysis of uploaded documents | Extracted text from uploaded documents | United States |
| Supabase | Authentication and database storage | Email, user ID, saved report data | Australia (ap-southeast-2) where available |
| Stripe | Payment processing | Payment details, email, Stripe customer ID | United States / Australia |
| Railway | Cloud hosting for the API | Encrypted application data and logs | United States |
OpenAI API and training: We send the text content of your uploaded documents to OpenAI's API for analysis. Per OpenAI's API usage policies, data submitted via the API is not used to train OpenAI's models by default. OpenAI processes this data in accordance with their Privacy Policy. We have data processing agreements in place with our providers where required by law.
5. Cross-border data transfers
Some of our third-party service providers are located in, or process data in, countries outside Australia — primarily the United States. When personal information is transferred overseas, we take reasonable steps to ensure the recipient handles it in accordance with the Australian Privacy Principles, including by:
- Selecting providers who are subject to privacy laws substantially similar to the APPs, or who contractually commit to APP-equivalent protections
- Relying on Standard Contractual Clauses or data processing agreements where applicable
By using the Service, you acknowledge that your information may be transferred to and stored in countries outside Australia, and consent to that transfer for the purposes described in this policy.
6. Document storage and data retention
Uploaded PDF files
Uploaded PDF files are read into memory on our servers for processing, and are not stored permanently. The raw PDF bytes are discarded after text extraction is complete (typically within seconds of upload).
Report results
If you use the Export feature to save a report to your account, the analysis output (insights, red flags, fund data, and executive summary) is stored in our database against your user ID. You can request deletion of saved reports at any time by emailing us.
Account data
Account information is retained for the duration of your account plus a reasonable period after closure (up to 7 years) to comply with financial record-keeping obligations and in case of disputes.
Server logs
Server access logs, including IP addresses, are retained for up to 90 days for security and fraud detection purposes, then deleted.
Anonymous session tokens
Session tokens issued to anonymous buyers expire after 7 days or on first use, whichever is earlier. The associated database record is marked as used but retained for 90 days for fraud detection and dispute resolution.
7. Disclosure of personal information
We do not sell, rent, or trade personal information. We disclose personal information only:
- To our third-party service providers as described in Section 4, for the purposes of providing the Service
- If required by law, court order, or regulatory authority (e.g. the Australian Information Commissioner, the Australian Taxation Office)
- To protect our rights, property, or safety, or the rights, property, or safety of others, if we reasonably believe disclosure is necessary
- In connection with a merger, acquisition, or sale of our business, in which case we will notify you before your personal information is transferred and becomes subject to a different privacy policy
8. Security
We implement reasonable technical and organisational measures to protect personal information from unauthorised access, disclosure, alteration, or destruction, including:
- Encryption in transit (HTTPS/TLS for all data between your browser and our servers)
- Encryption at rest for database records (Supabase managed encryption)
- Role-based access controls — service accounts only have the minimum permissions required
- Rate limiting to prevent brute-force attacks
- HMAC-signed session tokens for anonymous buyer authentication
No method of internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security but will notify you and the Australian Information Commissioner in the event of an eligible data breach (see Section 11).
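The anonymous-buyer token mentioned in Sections 1, 6 and 8 (HMAC-signed, bound to one Stripe checkout session, valid for 7 days or a single use, with the database record kept for 90 days afterwards) can be implemented along the following lines. This is an added illustration, not Stratamate's own code; the token layout, the claim names, the in-memory dictionary standing in for the database table, and the checkout session ids are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

TOKEN_TTL_SECONDS = 7 * 24 * 60 * 60           # policy: token expires after 7 days
RECORD_RETENTION_SECONDS = 90 * 24 * 60 * 60   # policy: used record kept for 90 days


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AnonymousSessionStore:
    """Issues and redeems single-use, HMAC-signed tokens for anonymous buyers.

    The dict stands in for the database table (assumption); `clock` is injectable
    so expiry and the retention window can be exercised without waiting.
    """

    def __init__(self, signing_key: bytes, clock=time.time):
        self._key = signing_key
        self._clock = clock
        self._records = {}  # token id -> {"checkout": ..., "issued_at": ..., "used_at": ...}

    def _sign(self, payload: bytes) -> str:
        return _b64url(hmac.new(self._key, payload, hashlib.sha256).digest())

    def issue(self, checkout_session_id: str) -> str:
        """Mint a token tied to one checkout session; the id format is assumed."""
        token_id = secrets.token_urlsafe(16)
        now = int(self._clock())
        claims = {"jti": token_id, "cs": checkout_session_id,
                  "iat": now, "exp": now + TOKEN_TTL_SECONDS}
        payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
        self._records[token_id] = {"checkout": checkout_session_id,
                                   "issued_at": now, "used_at": None}
        return f"{_b64url(payload)}.{self._sign(payload)}"

    def redeem(self, token: str):
        """Validate and consume a token. Returns (status, checkout_session_id or None).

        The MAC is checked in constant time before the payload is parsed or the
        store is consulted, so a forged token never reaches the database.
        """
        try:
            encoded_payload, mac = token.split(".", 1)
            payload = _unb64url(encoded_payload)
        except ValueError:          # binascii.Error is a ValueError subclass
            return "malformed", None
        if not hmac.compare_digest(self._sign(payload).encode(), mac.encode("utf-8")):
            return "bad_signature", None
        claims = json.loads(payload)  # payload is authentic at this point
        now = int(self._clock())
        if now >= claims["exp"]:
            return "expired", None
        record = self._records.get(claims["jti"])
        if record is None:
            return "unknown", None
        if record["used_at"] is not None:
            return "already_used", None
        record["used_at"] = now     # single use: mark consumed, keep for dispute handling
        return "ok", record["checkout"]

    def purge(self) -> int:
        """Delete records older than the retention window; returns how many were removed."""
        cutoff = int(self._clock()) - RECORD_RETENTION_SECONDS
        stale = [tid for tid, rec in self._records.items() if rec["issued_at"] < cutoff]
        for tid in stale:
            del self._records[tid]
        return len(stale)


if __name__ == "__main__":
    store = AnonymousSessionStore(secrets.token_bytes(32))
    tok = store.issue("cs_test_example")     # constructed checkout session id
    print(store.redeem(tok))                 # ('ok', 'cs_test_example')
    print(store.redeem(tok))                 # ('already_used', None)
```

Two details matter in practice: the signature check uses `hmac.compare_digest` rather than `==` so timing does not leak how many leading bytes of a guessed MAC were right, and the record is marked used rather than deleted so that a later Stripe dispute can be matched to the upload it paid for, which is what the 90-day retention in Section 6 is for.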
9. Cookies and local storage
We use browser local storage (not third-party cookies) for:
- Authentication tokens — your Supabase session token is stored in localStorage to keep you logged in between visits
- Anonymous session tokens — after a one-off report purchase, your session token is stored in localStorage to authenticate your upload
- Session report data — your most recent report result is stored in sessionStorage so it can be displayed on the results page; this is cleared when you close the browser tab
We do not use advertising cookies, tracking pixels, or any analytics cookies that send data to third parties. We do not use Google Analytics or Facebook Pixel.
10. Your rights under Australian privacy law
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the right to:
- Access personal information we hold about you (APP 12)
- Correct inaccurate, out-of-date, or incomplete personal information (APP 13)
- Request deletion of your account and associated data, subject to legal retention obligations
- Complain about a breach of the APPs (see Section 15)
To exercise any of these rights, email us at hello@stratamate.com.au. We will respond within 30 days. In some cases we may ask you to verify your identity before we can fulfil a request.
We will not charge you for making an access or correction request, though we may charge a reasonable fee to cover the cost of providing access if the request is complex.
11. Notifiable data breaches
We are subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). If we become aware of, or have reasonable grounds to suspect, a data breach that is likely to result in serious harm to any affected individuals, we will:
- Assess whether it is an eligible data breach as quickly as practicable, and in any case within 30 days of becoming aware of the suspected breach
- Notify the Australian Information Commissioner if the breach is an eligible data breach
- Notify affected individuals as soon as practicable with details of the breach and recommended protective steps
12. Children's privacy
The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected personal information from a child, please contact us and we will delete it promptly.
13. Links to other websites
The Service may contain links to third-party websites (e.g. Stripe, Supabase documentation). We are not responsible for the privacy practices of those sites. We encourage you to read their privacy policies before providing personal information to them.
14. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service. The date at the top of this page reflects the most recent revision. We will notify account holders of material changes by email at least 14 days before they take effect. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.
15. How to contact us or make a complaint
For privacy questions, access or correction requests, or to make a complaint about our handling of your personal information, contact our Privacy Officer:
- Email: hello@stratamate.com.au
We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC):
- Website: oaic.gov.au
- Phone: 1300 363 992
- Online complaint form: oaic.gov.au/privacy/privacy-complaints