Privacy Policy

Capturio Last updated: [DATE]

This Privacy Policy explains how [YOUR COMPANY NAME] (ABN: [YOUR ABN]) ("we", "us", "our") manages personal information when you use Capturio ("Service"). It has been prepared in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

We are committed to protecting the privacy of individuals whose personal information is processed through our Service.

1. About us and this policy

Our details: [YOUR COMPANY NAME] ABN: [YOUR ABN] Address: [YOUR ADDRESS] Privacy contact: privacy@[YOUR-DOMAIN]

This policy covers:

• Personal information we collect about our customers and their team members (account data)
• Personal information contained in documents processed through the Service (document data)

For the purpose of the Privacy Act 1988 (Cth), we are an APP entity and this document is our APP Privacy Policy as required by Australian Privacy Principle 1.4.

2. What personal information we collect

2.1 Account information

When you register or use our Service, we collect:

• Name and work email address of team members
• Company / team name and ABN (if provided)
• Billing contact details (name, email, billing address)
• Usage data — API requests, login events, and audit logs (see section 2.3)

We do not collect sensitive information (as defined in the Privacy Act) about our customers or their team members in the ordinary course of business.

2.2 Document data (processed, not stored)

When you upload an invoice or receipt for OCR processing, the document image may contain personal information about third parties, including:

• Names of individuals appearing as vendors, contacts, or customers
• Business and personal addresses
• Phone numbers and email addresses
• Tax file numbers (TFNs) or ABNs
• Financial account details or payment information

We do not store uploaded document images. Images are transmitted to our AI processing provider (Anthropic, USA — see section 5) and deleted after extraction is complete. The extracted structured data is returned to you.

The personal information within documents is collected and processed by us on your behalf. You, as the business uploading the documents, are responsible for ensuring you have a lawful basis to upload and process that personal information.

2.3 Usage and technical data

We collect technical data including:

• Timestamps and endpoints for API requests (no request body content)
• Webhook delivery logs (endpoint URL, HTTP status)
• Authentication events (logins, API key usage, team changes)
• Browser type and IP address for security monitoring

This data helps us operate, secure, and improve the Service.

2.4 Cookies

We use only essential session cookies required for authentication. We do not use advertising or tracking cookies, and we do not use third-party analytics services.

3. How we collect personal information

We collect personal information:

• Directly from you when you register, configure your account, or contact us
• From your team members when they accept invitations and create accounts
• Indirectly through documents you upload for OCR processing
• Automatically through your use of the Service (logs and usage data)

We collect personal information only by lawful and fair means. We will not collect personal information by unreasonably intrusive means.

4. How we use personal information

We use personal information only for the purposes for which it was collected or for directly related purposes:

We do not:

• Use personal information from your documents for any purpose other than completing the extraction
• Use personal information for advertising or marketing to third parties
• Sell personal information to any third party
• Use extracted invoice data to train AI models

5. Disclosure of personal information — including overseas disclosure

5.1 Overseas disclosure (APP 8)

We disclose personal information to overseas recipients in order to provide the Service. Under APP 8 of the Australian Privacy Principles, we are required to inform you of this.

Anthropic PBC (United States)

Document images you upload are transmitted to Anthropic PBC, located in the United States, for AI processing. Anthropic is our AI model provider. This transmission is necessary to provide the OCR extraction service.

Before making this disclosure, we have taken reasonable steps to ensure Anthropic does not breach the Australian Privacy Principles in relation to that information, including by:

• Entering into a commercial API agreement with Anthropic that prohibits use of API inputs for model training
• Confirming Anthropic's security certifications (SOC 2 Type II)
• Reviewing Anthropic's privacy and security documentation

You consent to this overseas disclosure by using the Service. If you do not consent, you should not upload documents containing personal information.

Fly.io, Inc. (United States)

Our servers and database are hosted by Fly.io, Inc. in [REGION]. Your account data and audit logs are stored on Fly.io infrastructure. We have entered into data processing terms with Fly.io.

[PAYMENT PROCESSOR] ([COUNTRY])

Billing information is processed by [PAYMENT PROCESSOR]. We share your billing email and plan details for payment processing purposes only.

5.2 No other overseas disclosure

We do not disclose personal information to any other overseas recipients.

5.3 Domestic disclosure

We do not sell, rent, or trade personal information with any domestic third parties. We may disclose personal information to professional advisers (lawyers, accountants) bound by confidentiality, or to law enforcement where required by law.

6. Data storage and security (APP 11)

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. Our security measures include:

• TLS encryption for all data transmitted to and from the Service
• Passwords and API keys stored as cryptographic hashes — never in plaintext
• API credentials handled server-side only — never exposed to browsers
• Access controls and role-based permissions for team data
• Audit logging of all data access events
• Automated deletion of uploaded document images after extraction
• 90-day retention limit for extracted data and audit logs, then permanent deletion

When personal information is no longer needed for the purpose for which it was collected, and we are not required by law to retain it, we will take reasonable steps to destroy or de-identify it.

7. Data retention

8. Your rights under the Australian Privacy Principles

8.1 Access to your personal information (APP 12)

You have the right to request access to the personal information we hold about you. To make a request, contact privacy@[YOUR-DOMAIN]. We will respond within 30 days. We will not charge for access requests.

In limited circumstances, we may refuse access — for example, if providing access would unreasonably impact the privacy of another individual, or if the information is subject to legal professional privilege. If we refuse access, we will explain why in writing.

8.2 Correction of your personal information (APP 13)

If you believe personal information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, you may request that we correct it. We will respond within 30 days.

8.3 Anonymity and pseudonymity (APP 2)

Where practicable, you may interact with us anonymously or using a pseudonym. However, we require identifying information to create an account and use the Service.

9. Notifiable Data Breaches (NDB scheme)

We are subject to the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth). If we have reasonable grounds to believe an eligible data breach has occurred (i.e. unauthorised access, disclosure, or loss of personal information that is likely to result in serious harm), we will:

1. Notify you as soon as practicable
2. Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable
3. Include in the notification: the nature of the breach, the type of information involved, and the steps we have taken or propose to take

10. Complaints (APP 1.4)

If you have a complaint about how we have handled your personal information, please contact us first:

Privacy complaint contact: privacy@[YOUR-DOMAIN] Response timeframe: We will acknowledge your complaint within 5 business days and respond substantively within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

• Website: oaic.gov.au
• Phone: 1300 363 992
• Post: GPO Box 5218, Sydney NSW 2001

11. Children

The Service is for business use only. We do not knowingly collect personal information from individuals under 18. If you believe we have inadvertently collected such information, please contact us immediately.

12. Changes to this policy

We will notify you of material changes to this Privacy Policy by email at least 14 days before they take effect. The current version is always available at [LINK]. We will also update the "Last updated" date at the top of this document.

Contact us

For privacy enquiries, access requests, or complaints:

[YOUR COMPANY NAME] ABN: [YOUR ABN] Email: privacy@[YOUR-DOMAIN] Address: [YOUR ADDRESS]

This Privacy Policy was prepared in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. Last updated: [DATE].