Privacy Policy

1. Introduction

Welcome to Corefuse. This Privacy Policy explains how Corefuse Technologies Pty Ltd (ABN 52 683 788 721, ACN 683 788 721) ("Corefuse," "we," "us," or "our") collects, uses, discloses, and protects your personal information when you use our document AI platform for quote management (the "Service").

We are an Australian company committed to protecting your privacy in accordance with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth). This Privacy Policy applies to all users of our Service, including visitors to our website, registered users, and enterprise customers.

By accessing or using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.

2. Information We Collect

2.1 Information You Provide to Us

Account Information

When you create an account, we collect:

• First and last name
• Work email address
• Company name
• Password (encrypted and never stored in plain text)
• Phone number (optional)
• Profile photo/avatar (optional)

Business Information

When you use the Service, we collect:

• Contact information for your customers and suppliers
• Quote data including pricing, items, and margins
• Company branding materials (logos, templates)
• Document files (PDFs and other uploaded documents)
• Comments and communications within the platform
• Account settings and preferences (timezone, profit margins, terms)

Payment Information

Payment processing is handled by Stripe, our third-party payment processor. We do not store complete credit card information on our servers. Stripe processes and stores your payment information securely in compliance with PCI-DSS standards. We may retain:

• Billing address
• Last four digits of payment card
• Payment transaction history
• Stripe customer ID for subscription management

For more information about how Stripe handles your payment data, please review Stripe's Privacy Policy at https://stripe.com/privacy.

Communications

When you contact us, we collect:

• Support ticket content and correspondence
• Email communications
• Feedback and survey responses

2.2 Information Collected Automatically

Usage Information

We automatically collect information about your interaction with the Service:

• Pages and features accessed
• Time and date of visits
• Time spent on pages
• Click patterns and navigation paths
• Search queries within the Service
• Feature usage statistics

Device and Technical Information

• IP address
• Browser type and version
• Operating system
• Device type and identifiers
• Screen resolution
• Language preferences
• Referring website addresses

Cookies and Tracking Technologies

We use cookies, web beacons, and similar tracking technologies to collect information about your browsing activities. See Section 8 for more details about cookies.

2.3 Information from Third Parties

• Authentication data from AWS Cognito
• Payment information from payment processors
• Analytics data from service providers (e.g., Sentry for error monitoring)

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 To Provide and Maintain the Service

• Create and manage your account
• Authenticate your identity and provide secure access
• Process and extract data from uploaded documents using AI
• Generate and manage quotes
• Store and retrieve your business data
• Enable collaboration with team members
• Provide customer support and respond to inquiries

3.2 To Improve and Develop the Service

• Analyse usage patterns and trends
• Train and improve our AI models and algorithms
• Develop new features and functionality
• Test and optimise performance
• Identify and fix bugs and technical issues
• Conduct research and analytics

3.3 To Communicate with You

• Send transactional emails (password resets, verification, notifications)
• Provide customer support and respond to requests
• Send service announcements and updates
• Request feedback or conduct surveys
• Send marketing communications (with your consent, where required)

3.4 For Security and Fraud Prevention

• Detect and prevent unauthorised access
• Monitor for suspicious activity
• Enforce our Terms and Conditions
• Protect against fraud, spam, and abuse
• Comply with legal obligations

3.5 For Billing and Payment Processing

• Process subscription payments
• Manage billing and invoicing
• Handle refunds and disputes
• Prevent payment fraud

3.6 Legal Compliance

• Comply with applicable laws and regulations
• Respond to legal requests and court orders
• Protect our legal rights and interests
• Enforce our agreements and policies

4. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

4.1 With Service Providers

We share information with third-party service providers who perform services on our behalf:

• Cloud Hosting: Amazon Web Services (AWS) for infrastructure and storage
• Authentication: AWS Cognito for user authentication and identity management
• Email Delivery: AWS SES for transactional emails
• Payment Processing: Stripe for subscription billing and payment processing
• Error Monitoring: Sentry for application performance and error tracking
• Customer Support: Atlassian Jira Service Desk for support tickets
• Analytics: Google Analytics (Google LLC) for usage analytics

These service providers are bound by contractual obligations to keep information confidential and use it only for the purposes for which we disclose it to them.

4.2 With Your Consent

We may share your information with third parties when you give us explicit consent to do so.

4.3 Within Your Organisation

If you use Corefuse as part of an organisation, we share your information with other users in your organisation account based on their roles and permissions. This includes:

• Account administrators and owners
• Team members with appropriate access permissions
• Users collaborating on shared quotes and contacts

4.4 For Legal Reasons

We may disclose your information if required to do so by law or in response to:

• Valid legal requests (subpoenas, court orders, warrants)
• Legal proceedings or governmental investigations
• Requests to protect safety and prevent harm
• Enforcement of our Terms and Conditions
• Protection of our rights, property, or safety

4.5 Business Transfers

If we are involved in a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will notify you of any such change and provide choices regarding your information.

4.6 Aggregated or De-Identified Information

We may share aggregated or de-identified information that cannot reasonably be used to identify you for analytics, research, or marketing purposes.

5. Data Security

We implement comprehensive security measures to protect your information from unauthorised access, disclosure, alteration, or destruction.

5.1 Technical Security Measures

• Encryption: We use encryption for data in transit and at rest using industry-standard protocols (specific implementations may change over time)
• Secure Authentication: Managed authentication and access controls (for example, via AWS Cognito) with configurable password and access policies
• Multi-Factor Authentication: Optional MFA using authenticator apps
• Access Controls: Role-based access control and user permission management
• Secure Infrastructure: AWS cloud infrastructure with security best practices
• Data Backup: Regular automated backups of your data
• Network Security: Firewalls, intrusion detection, and DDoS protection

5.2 Operational Security Measures

• Regular security audits and vulnerability assessments
• Security monitoring and incident response procedures
• Employee access controls and security training
• Secure software development practices
• Third-party security reviews

5.3 Your Security Responsibilities

While we implement strong security measures, you also play a role in protecting your information:

• Keep your password secure and confidential
• Use a strong, unique password
• Enable multi-factor authentication
• Log out when using shared devices
• Report suspicious activity immediately
• Keep your contact information up to date

5.4 Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you and relevant authorities as required by applicable law, as soon as practicable and within any timeframes required by applicable law.

6. Data Retention

6.1 Active Accounts

We retain your information for as long as your account is active or as needed to provide you with the Service.

6.2 Closed Accounts

When you close your account, we will:

• Delete or anonymise your personal information within 90 days
• Retain information for longer if required by law or for legitimate business purposes
• Maintain aggregated, de-identified data for analytics and improvement

6.3 Legal and Business Requirements

We may retain certain information longer when required for:

• Compliance with legal obligations (tax, accounting, audit requirements)
• Resolution of disputes or enforcement of agreements
• Prevention of fraud and abuse
• Backup and disaster recovery purposes

6.4 Specific Retention Periods

• Account data: Duration of account plus 90 days
• Transaction records: 7 years (for tax and accounting purposes)
• Support tickets: 3 years
• System logs: 90 days
• Backups: 30 days

7. Your Privacy Rights

7.1 Australian Privacy Rights (APPs)

Under the Australian Privacy Principles, you have the following rights:

Access to Personal Information (APP 12)

• Request access to your personal information we hold
• Receive a copy in a structured, commonly used format
• Export your data directly from the Service or contact [email protected]
• We will respond within 30 days and provide access free of charge (except for reasonable costs in some cases)

Correction of Personal Information (APP 13)

• Request correction of inaccurate, out-of-date, incomplete, or misleading information
• Update most information directly in your account settings
• If we refuse to correct information, we will provide you with a written notice explaining why
• You can request that we associate a statement with your information that you believe it to be inaccurate

Deletion and Anonymisation

• Request deletion of your personal information
• Delete your account through the Service or by contacting us
• Some information may be retained as required by Australian law

Opt-Out Rights

• Opt out of direct marketing communications at any time
• Request not to receive direct marketing materials
• Withdraw consent for specific data processing activities

7.2 Complaints and Privacy Commissioner

If you have a complaint about how we handle your personal information:

1. Contact Us First: Email your complaint to [email protected] or [email protected]. We will investigate and respond within 30 days.
2. Australian Privacy Commissioner: If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
   • Website: www.oaic.gov.au
   • Phone: 1300 363 992
   • Email: [email protected]
   • Mail: GPO Box 5288, Sydney NSW 2001

7.3 International Users' Rights

If you are located outside Australia (including the EEA, UK, or California), you may have additional rights under your local privacy laws. See Sections 14 and 15 for specific regional rights.

7.4 Exercising Your Rights

To exercise any of these rights, please contact us at [email protected] or [email protected]. We will:

• Respond to your request within 30 days
• Verify your identity before processing your request
• Provide reasons if we cannot fulfill your request
• Not charge a fee for making a request (except for reasonable costs in certain circumstances)

8. Cookies and Tracking Technologies

8.1 What Are Cookies

Cookies are small text files stored on your device that help us provide and improve the Service. We also use similar technologies like web beacons, pixels, and local storage.

8.2 Types of Cookies We Use

Essential Cookies (Required)

• Authentication and session management
• Security and fraud prevention
• Load balancing and performance
• You cannot opt out of these cookies

Functional Cookies

• Remember your preferences and settings
• Store your timezone and language choices
• Enhance user experience

Analytics Cookies

• Understand how you use the Service
• Analyse usage patterns and performance
• Improve features and functionality
• We may use Google Analytics cookies and similar identifiers to measure and improve our Service

Marketing Cookies (with consent)

• Track effectiveness of marketing campaigns
• Deliver relevant advertisements
• Measure ad performance

8.3 Managing Cookies

You can control cookies through your browser settings:

• Block all cookies (may affect Service functionality)
• Delete existing cookies
• Allow only certain cookies
• Receive notifications when cookies are set

Note: Disabling essential cookies will prevent you from using the Service.

8.4 Third-Party Cookies

Some cookies are set by third-party services we use. These are governed by the respective third party's privacy policy.

9. International Data Transfers (APP 8)

9.1 Data Location

Your data is primarily stored on servers located in Australia (AWS ap-southeast-2 region in Sydney). As an Australian company, we prioritise keeping your data within Australia where it is subject to Australian privacy laws.

Where we provide AI-powered document features, we process documents using AI models within the AWS ap-southeast-2 (Sydney) region.

9.2 Overseas Disclosure (APP 8)

In certain circumstances, we may disclose your personal information to overseas recipients, including:

• Cloud service providers: AWS (United States - parent company, though data stored in Australia)
• Payment processing: Stripe (United States)
• Support services: Atlassian (United States/Australia)
• Error monitoring: Sentry (United States)
• Analytics: Google Analytics (United States)
• Email services: AWS SES infrastructure (may involve US-based processing)

9.3 APP 8 Compliance

When we disclose personal information overseas, we take reasonable steps to ensure that overseas recipients comply with the APPs in relation to that information. This includes:

• Using service providers with strong privacy and security commitments
• Entering into contracts that require overseas recipients to protect your information
• Ensuring service providers have appropriate technical and organisational measures
• Selecting service providers with recognised compliance certifications (ISO 27001, SOC 2, etc.)

9.4 Your Consent

Some overseas disclosures may be necessary to provide the Service (for example, to process payments, deliver emails, provide support, or monitor errors). By using our Service, you acknowledge that your personal information may be disclosed to overseas recipients as described in this Privacy Policy.

When we disclose personal information overseas, we aim to comply with APP 8 by taking reasonable steps to ensure overseas recipients handle that information in a way that is consistent with the APPs. This may include contractual safeguards, due diligence, and security requirements appropriate to the type of information and the services being provided.

Please note that privacy laws and protections in the recipient’s country may differ from those in Australia. If you have questions about our overseas disclosures, contact us at [email protected].

9.5 International Transfers for Non-Australian Users

For users outside Australia, when we transfer your information internationally, we ensure appropriate safeguards including standard contractual clauses, adequacy decisions, or your explicit consent.

10. Children's Privacy

The Service is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16.

If we become aware that we have collected personal information from a child under 16 without parental consent, we will take steps to delete that information as quickly as possible.

If you believe we have collected information from a child under 16, please contact us immediately at [email protected].

11. AI and Machine Learning

11.1 How We Use AI

Our Service uses artificial intelligence and machine learning to:

• Extract data from PDF documents
• Identify and structure information
• Improve accuracy and performance over time
• Provide intelligent features and suggestions

11.2 Training AI Models

We may use aggregated, de-identified data from documents you upload to improve our AI models. This data cannot be used to identify you or your organisation. We never use your proprietary business data to train models for other customers.

11.3 AI Accuracy

While we strive for high accuracy, AI-extracted data may contain errors. You are responsible for reviewing and verifying all AI-processed information.

12. Third-Party Links and Services

The Service may contain links to third-party websites, applications, or services. This Privacy Policy applies only to our Service.

We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services you access through our Service.

Third-party services we integrate with include:

• Amazon Web Services (AWS)
• Stripe (payment processing)
• Sentry (error monitoring)
• Atlassian Jira Service Desk
• Google Analytics

These third parties have their own privacy policies and terms of service:

• Stripe Privacy Policy: https://stripe.com/privacy
• AWS Privacy Notice: https://aws.amazon.com/privacy/
• Sentry Privacy Policy: https://sentry.io/privacy/
• Atlassian Privacy Policy: https://www.atlassian.com/legal/privacy-policy

13. Marketing Communications

13.1 Types of Communications

We may send you:

• Transactional emails: Account verification, password resets, receipts (you cannot opt out)
• Service notifications: Updates, maintenance, security alerts
• Product updates: New features, improvements, tips
• Marketing emails: Promotions, newsletters, educational content (you can opt out)

13.2 Opt-Out

You can opt out of marketing communications by:

• Clicking the unsubscribe link in emails
• Updating your communication preferences in account settings
• Contacting us at [email protected]

Note: You cannot opt out of transactional emails necessary for the Service.

14. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

14.1 Your CCPA Rights

• Right to Know: Request information about data collected, used, or shared
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: Opt out of sale of personal information (we do not sell data)
• Right to Non-Discrimination: Not be discriminated against for exercising rights

14.2 Categories of Information

We collect and disclose the following categories of personal information as described in Section 2:

• Identifiers (name, email, IP address)
• Commercial information (transaction history, subscription data)
• Internet or network activity (usage data, log files)
• Professional information (company name, business data)

14.3 No Sale of Personal Information

We do not sell your personal information to third parties. We have not sold personal information in the past 12 months.

14.4 Exercising CCPA Rights

To exercise your CCPA rights, contact us at [email protected]. We will verify your identity and respond within 45 days.

15. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

15.1 Legal Basis for Processing

We process your personal information based on:

• Contract: Processing necessary to provide the Service
• Legitimate Interests: Improve the Service, prevent fraud, ensure security
• Consent: Marketing communications, optional features
• Legal Obligation: Comply with laws and regulations

15.2 Your GDPR Rights

In addition to rights described in Section 7, you have:

• Right to lodge a complaint with supervisory authority
• Right to withdraw consent at any time
• Right to object to automated decision-making

15.3 Data Protection Officer

For GDPR-related inquiries, you can contact our Data Protection Officer at [email protected].

16. Enterprise Customers

16.1 Enhanced Privacy and Security

Enterprise customers may require additional privacy and security measures beyond those outlined in this Privacy Policy. We offer:

• Data Processing Agreements (DPA): Formal agreements detailing data processing activities and responsibilities
• Custom Data Retention: Tailored data retention and deletion policies
• Dedicated Infrastructure: Options for isolated or dedicated cloud resources
• Advanced Security Controls: Enhanced encryption, access controls, and monitoring
• Regular Security Reviews: Scheduled security assessments and audits
• Compliance Certifications: Documentation for ISO 27001, SOC 2, and other standards

16.2 Data Residency Options

While our standard offering stores data in Australia (AWS ap-southeast-2), enterprise customers with specific data residency requirements may discuss custom arrangements.

16.3 Business Associate Agreements

For customers in regulated industries (healthcare, finance, etc.), we can execute Business Associate Agreements (BAAs) or equivalent compliance documents as required.

16.4 Privacy Officer and Dedicated Support

Enterprise customers receive direct access to our Privacy Officer and dedicated support for privacy-related inquiries, data subject requests, and compliance matters.

16.5 Vendor Risk Management

We support enterprise customers' vendor risk management programs by providing:

• Security questionnaires and assessments
• Audit reports and certifications
• Incident response procedures
• Business continuity and disaster recovery documentation
• Subprocessor lists and agreements

16.6 Contact for Enterprise Privacy Inquiries

For enterprise privacy requirements and custom data protection agreements, contact [email protected] or [email protected].

17. Changes to This Privacy Policy

17.1 Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

17.2 Notification

We will notify you of material changes by:

• Posting the updated Privacy Policy on our website
• Updating the "Last Updated" date
• Sending an email notification to your registered email address
• Displaying a prominent notice in the Service

17.3 Review

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

17.4 Continued Use

Your continued use of the Service after the effective date of changes constitutes acceptance of the updated Privacy Policy.

18. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We will respond to your inquiry within 30 days as required by the Australian Privacy Principles.