← Back to Capturio

⚠ This document contains unfilled placeholders (e.g. [YOUR COMPANY NAME], [ABN]). It is a working template and must be completed before use with customers.

Customer Data Agreement

Capturio

Important note: Australia does not have a mandatory data processing agreement (DPA) regime equivalent to the EU GDPR. This Customer Data Agreement is not legally required but is provided as a transparency document and enterprise-facing commitment that explains your obligations and ours under the Privacy Act 1988 (Cth).

Between:

[CUSTOMER COMPANY NAME] (ABN: [CUSTOMER ABN]), of [CUSTOMER ADDRESS] ("Customer")

and

[YOUR COMPANY NAME] (ABN: [YOUR ABN]), of [YOUR ADDRESS] ("Capturio")

Effective date: [DATE]

Background

The Customer uses the Capturio invoice OCR platform ("Service"). In providing the Service, Capturio processes personal information contained in documents uploaded by the Customer. This agreement sets out the privacy and data handling commitments between the parties, consistent with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This agreement supplements and is incorporated into the Capturio Terms of Service.

1. Roles and responsibilities

1.1 Customer's role

The Customer is the entity that collects and is responsible for the personal information contained in documents uploaded to the Service. The Customer determines what documents are uploaded and for what purpose.

Under the Privacy Act 1988 (Cth), the Customer is responsible for:

Ensuring it has a lawful basis to collect and upload documents containing personal information
Notifying individuals whose personal information appears in uploaded documents, as required by APP 5
Ensuring its use of the Service complies with all applicable privacy laws
Responding to any access or correction requests from individuals whose personal information appears in uploaded documents

1.2 Capturio's role

Capturio processes personal information contained in uploaded documents solely for the purpose of providing the OCR extraction service to the Customer. Capturio does not:

Use that personal information for its own purposes beyond providing the Service
Disclose that personal information to third parties except as set out in this agreement and the Privacy Policy
Retain uploaded document images after processing
Use extracted data to train AI models

2. What Capturio does with uploaded documents

When the Customer uploads a document:

The document image is transmitted over an encrypted connection (TLS) to Anthropic PBC's Claude API in the United States for AI-based data extraction
Anthropic processes the image and returns structured data to Capturio
Capturio returns the extracted data to the Customer
The original document image is deleted immediately — it is not stored on Capturio's servers
The extracted data is retained for 90 days in the Customer's account, then permanently deleted

3. Overseas disclosure — Anthropic

Capturio discloses personal information contained in uploaded documents to Anthropic PBC (USA) as part of the extraction process. Capturio has taken the following reasonable steps (as required by APP 8) to ensure Anthropic handles personal information appropriately:

Commercial API agreement with Anthropic prohibiting use of API inputs for model training
Review of Anthropic's SOC 2 Type II certification
Review of Anthropic's Privacy Policy and API usage policies
Data processed in Anthropic's US infrastructure under their enterprise security controls

The Customer acknowledges this overseas disclosure and consents to it by using the Service.

4. Security measures

Capturio maintains the following technical and organisational security measures:

Access controls

Role-based access controls — team members only access data within their team
API key authentication with SHA-256 hashing — keys not stored in plaintext
JWT session management with expiry
Admin-only access to team management functions

Data security

TLS 1.2+ encryption for all data in transit
Encryption at rest for database storage
Passwords stored as bcrypt hashes (cost factor 12)
API credentials handled server-side — never transmitted to browsers

Data minimisation and deletion

Document images deleted immediately after extraction
Extracted data deleted after 90 days
Audit logs deleted after 90 days
No document storage beyond what is necessary for the extraction

Incident response

Defined breach response procedure
Customer notification as soon as practicable following an eligible data breach
OAIC notification as required under the Notifiable Data Breaches scheme

5. Data breach notification

If Capturio becomes aware of an eligible data breach (as defined in the Privacy Act 1988 (Cth)) affecting the Customer's data, Capturio will:

Notify the Customer as soon as practicable
Provide details of the nature of the breach, the types of personal information involved, and the steps taken or proposed
Cooperate with the Customer in any required notification to the OAIC or affected individuals

6. Customer's access and correction obligations

The Customer is responsible for responding to requests from individuals to access or correct their personal information that may appear in documents processed through the Service. Capturio will:

Cooperate with reasonable requests from the Customer for information held by Capturio about a specific individual
Provide the Customer with access to extracted data within their account for the 90-day retention period
Delete extracted data on request (subject to the 90-day automatic deletion schedule)

7. Sub-processors

Capturio uses the following third-party services in delivering the Service:

Provider	Purpose	Location	Privacy information
Anthropic PBC	AI model processing	United States	anthropic.com/privacy
Fly.io, Inc.	Cloud hosting and database	[REGION]	fly.io/legal/privacy-policy
[PAYMENT PROCESSOR]	Payment processing	[COUNTRY]	[LINK]

Capturio will notify the Customer of any material change to its sub-processors that could affect the handling of personal information.

8. Audit and compliance

Capturio will, on reasonable written request (and no more than once per 12 months), provide the Customer with:

A summary of Capturio's current security measures
Confirmation of compliance with this agreement
Copies of any relevant third-party security certifications

More extensive audits may be agreed by the parties on terms to be negotiated.

9. Term and termination

This agreement continues for the term of the Customer's subscription. On termination of the subscription:

Capturio will delete all Customer data within 30 days
Capturio will provide written confirmation of deletion on request

10. Governing law

This agreement is governed by the laws of [STATE — e.g. New South Wales]. The parties submit to the non-exclusive jurisdiction of the courts of [STATE] and the Federal Court of Australia.

11. Contact for privacy matters

For privacy questions, data access requests, or breach notifications under this agreement:

Capturio privacy contact: privacy@[YOUR-DOMAIN] Phone: [YOUR PHONE] Address: [YOUR ADDRESS]

Signatures

On behalf of the Customer:

Name: ___________________________

Title: ___________________________

Signature: ___________________________

Date: ___________________________

Company: ___________________________

ABN: ___________________________

On behalf of Capturio ([YOUR COMPANY NAME]):

Name: ___________________________

Title: ___________________________

Signature: ___________________________

Date: ___________________________

Appendix A — Australian Privacy Principles summary relevant to Capturio

APP	Title	How Capturio addresses it
APP 1	Open and transparent management	This Privacy Policy and Customer Data Agreement
APP 2	Anonymity and pseudonymity	Not applicable to Service accounts; anonymous use not supported
APP 3	Collection of solicited personal information	Collected only as necessary to provide the Service
APP 4	Dealing with unsolicited personal information	Not applicable — all information is solicited by Customer uploading documents
APP 5	Notification of collection	Covered in Privacy Policy; Customer responsible for notifying their data subjects
APP 6	Use or disclosure for primary purpose	Used only to provide OCR extraction — not for secondary purposes
APP 7	Direct marketing	We do not use Customer data for direct marketing
APP 8	Cross-border disclosure	Disclosed to Anthropic (USA) and Fly.io (USA) with reasonable steps taken
APP 9	Adoption of government identifiers	We do not adopt TFNs or ABNs as identifiers
APP 10	Quality of personal information	Extracted data accuracy is Customer's responsibility to verify
APP 11	Security of personal information	Encryption, hashing, deletion schedule, breach response
APP 12	Access to personal information	Available via account dashboard for 90 days; requests via privacy contact
APP 13	Correction of personal information	Editable via account dashboard; requests via privacy contact

This Customer Data Agreement was last updated on [DATE]. It is provided as a transparency and accountability document under the Privacy Act 1988 (Cth) and does not constitute legal advice. Both parties should seek independent legal advice as appropriate.