Privacy Policy
Last updated: 15 March 2026
EquiSight Pty Ltd ("EquiSight", "we", "us") is committed to protecting your personal information in accordance with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). This policy explains how we collect, use, store, and disclose your data.
1. What We Collect
We collect only the information necessary to calculate your Portfolio Health Score:
- Account information — email address, name, and password (hashed)
- Property details — address, state, postcode, property type, current value, purchase price, weekly rent, annual expenses
- Loan details — loan balance, interest rate, loan term, repayment type, rate type, fixed rate expiry, lender name
- Financial settings — cash reserves
- Billing — Stripe customer ID and subscription status (we never see your credit card number)
2. Why We Collect It
Your data is used solely to:
- Calculate and display your Portfolio Health Score and pillar breakdown
- Generate score change notifications and monthly monitoring emails
- Process your subscription and billing
- Send transactional emails (e.g. score alerts, account notifications)
- Monitor errors and improve application reliability (anonymised)
We do not sell, rent, or share your data with advertisers or data brokers.
3. How We Protect Your Data
- All data is encrypted at rest (AES-256) and in transit (TLS/HTTPS)
- Database row-level security (RLS) ensures you can only access your own data
- API endpoints are rate-limited and require authenticated sessions
- All sensitive operations are recorded in an audit log
- Financial data is never included in application logs or error reports
4. Third-Party Data Processors
We use the following services to operate EquiSight:
| Service | Data Shared | Location | Purpose |
|---|---|---|---|
| Supabase | All user data (encrypted, RLS enforced) | Sydney, AU | Database and authentication |
| Stripe | Email, subscription tier | US / EU | Payment processing |
| Resend | Email address | US | Transactional email |
| Sentry | Error traces (PII scrubbed) | US | Error monitoring |
| PostHog | Anonymised usage events | EU / US | Product analytics |
| AWS Lambda | Portfolio snapshots (in-memory only) | Sydney, AU | Score calculation |
| AWS S3 | Exported PDF reports | Sydney, AU | File storage |
Authentication credentials (email, hashed password) are stored in Supabase in the Sydney region. No authentication data is transferred outside Australia.
5. Data Retention
| Data | Retention |
|---|---|
| Account, property, loan, and score data | While your account is active, plus 30 days after a deletion request |
| Audit logs | 90 days (automatically deleted) |
| Email send records | 90 days (automatically deleted) |
| Error logs (Sentry) | 90 days |
| Exported PDF reports | 7 days after generation |
| Billing data | Per Stripe retention policy |
6. Account Deletion
You can request account deletion from your dashboard settings. The process is:
- Your account is immediately disabled (you will be signed out)
- A 30-day grace period begins — you can contact us to cancel the deletion
- After 30 days, all your data is permanently and irreversibly deleted, including properties, loans, scores, settings, and your authentication account
- Any active subscription is cancelled
- A confirmation email is sent to your registered address
7. Your Rights
- Access (APP 12) — You can export all your data as JSON from the dashboard at any time.
- Correction (APP 13) — All property, loan, and settings data is editable from the dashboard. Your score recalculates automatically when you make changes.
- Deletion — You can request full account deletion from the dashboard settings (see Section 6).
- Marketing opt-out (APP 7) — All marketing emails include a one-click unsubscribe link. You can also manage your notification preferences in dashboard settings.
8. Cross-Border Data Disclosure
Your primary data (property, loan, financial, and authentication data) is stored in Australia (Sydney region). Some services we use are based overseas — see Section 4 for a full list. We only share the minimum data necessary with each service, and no financial data (property values, loan balances, scores) is sent to any overseas service.
9. Data Breach Notification
In the event of a data breach that is likely to result in serious harm, we will notify the Office of the Australian Information Commissioner (OAIC) within 30 days and contact affected users directly with details of the breach, what data was affected, and recommended actions.
10. Contact Us
For privacy inquiries, data access requests, or complaints, contact us at: privacy@equisight.com.au
11. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email to your registered address. Continued use of EquiSight after changes constitutes acceptance of the updated policy.