Privacy Policy
Last updated: 2026-04-28
Owner: SymbioTeK Pty Ltd (ACN 694 230 334)
This policy describes how SymbioTeK Pty Ltd ("SymbioTeK", "we", "us") handles personal information collected through the MySafeSigns web application (the "App"), in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). It supplements the in-app End User Licence Agreement (EULA).
1. Who this policy applies to
It applies to anyone who creates an account on, or uses, MySafeSigns. We are a small Australian software company. Our role is generally that of a data processor for the personal information you handle on behalf of your employer or client; however, for your own account credentials and billing data, we act as the data controller.
2. Personal information we collect
2.1 What we collect
- Account credentials — your email address and a hashed copy of your password. Used for sign-in and to associate credit purchases to your account.
- Credit balance and transaction history — how many AI detection credits you have, and when each was purchased or used. Stored to administer the service.
- Payment metadata — billing email and the Stripe customer/session identifiers. Card details are never sent to us; they go directly from your browser to Stripe.
- Sign photographs (during AI detection only) — when you invoke AI-assisted detection, the photograph of the sign is transmitted to Anthropic's Claude Vision API via our edge-function proxy. Photographs may incidentally include faces or vehicle plates if those are in the frame.
- Standard request metadata — IP address, user-agent, request URL — logged transiently by Netlify (CDN) and Supabase (edge functions) for operational and abuse-prevention purposes.
2.2 What we explicitly do NOT collect
The following information is captured by the App and stored on your device, but does not reach SymbioTeK or any of our sub-processors:
- GPS coordinates of your audit sites.
- Site names, client names, auditor names, building/area names.
- Compliance findings, sign categorisations, and free-text notes.
- Context photographs (the wider environment shot, not the sign close-up).
This is the architectural property that makes MySafeSigns suitable for use at sites where location or operational identity is sensitive. See our Security page for a full data-flow table.
3. Why we collect it
- To authenticate you and provide access to your account.
- To process credit purchases and prevent fraud.
- To deliver AI-assisted detection results when you invoke that feature.
- To diagnose service incidents and prevent abuse.
- To meet our legal and regulatory obligations.
4. Legal basis
We rely on:
- The performance of the contract between you and SymbioTeK (the EULA) — APP 6.1(a).
- Our legitimate interest in operating, securing, and improving the service — where balanced against your rights.
- Your explicit consent for any processing not directly necessary for the service (e.g. when invoking AI detection, which transmits the photograph offshore — see §6).
5. Where your information is stored
| Information | Hosting location |
| --- | --- |
| Account email, hashed password, credit balance, transaction log | Supabase, Inc. — AWS Singapore (ap-southeast-1) |
| Edge function compute | Supabase, Inc. — AWS Sydney (ap-southeast-2) |
| Sign photograph during AI detection (transit, not stored) | Anthropic, PBC — United States |
| Card / payment details | Stripe Payments Australia Pty Ltd — Australia |
| Static asset delivery (HTML, JS, CSS) | Netlify, Inc. — global CDN |
6. Cross-border disclosure (APP 8)
By using the App, you consent to the disclosure of personal information to the overseas recipients listed in §5 — specifically:
- Anthropic, PBC (United States) — only when you invoke AI-assisted detection. Only the captured sign photograph is transmitted; no other audit data, GPS, or identifying metadata is sent. Anthropic does not train its models on data submitted via its API for commercial customers.
- Supabase, Inc. (United States, with database in Singapore and edge compute in Sydney) — for account credentials, credit balance, and transaction log. No audit content is sent to Supabase.
- Netlify, Inc. — for static asset delivery only. Receives standard HTTP request metadata.
If you do not wish to disclose your sign photographs to a US-hosted AI service, you can use the App's offline / on-device detection fallback (lower accuracy) and never invoke AI detection. The choice is per-capture.
7. How long we keep it
- Account credentials: for as long as your account is active. Deleted within 30 days of your written deletion request.
- Credit balance: for as long as your account is active.
- Credit transaction log: retained for 7 years for audit and tax purposes (Australian record-keeping obligations), in pseudonymised form after account deletion (UUID rather than email).
- Sign photographs sent to Anthropic: not retained by SymbioTeK at any point. Anthropic's retention is governed by their Privacy Policy and commercial terms (typically 30 days unless a customer opts into zero-retention).
- Audit content on your device: retained until you delete it from the App. We have no copy and cannot delete it on your behalf.
8. Accessing and correcting your information (APP 12, 13)
You may request access to or correction of any personal information we hold about you by emailing symbiotek@symbio-tek.com. We will respond within 30 days. There is no fee for routine requests.
9. How we protect it
The full set of controls is documented in our Security page and the accompanying Security & Architecture White Paper. Highlights:
- TLS 1.2+ for all network traffic.
- Supabase Row-Level Security forced on every user-data table.
- Stripe webhook signature verification before any database write.
- AES-256-GCM encryption available for user-exported backups.
- Browser security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy).
- Sub-resource integrity on third-party JavaScript.
10. Cookies and similar technologies
The App uses browser local storage and IndexedDB to keep you signed in and to store your audit data on your device. It does not use third-party advertising, marketing, or analytics cookies. Stripe Checkout (when you make a payment) sets its own cookies on the checkout.stripe.com domain; those cookies are governed by Stripe's privacy policy.
11. Complaints
If you believe we have handled your personal information in breach of the Australian Privacy Principles, please email symbiotek@symbio-tek.com in the first instance. We will respond within 30 days.
If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC):
- Web: www.oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5288, Sydney NSW 2001
12. Changes to this policy
We will notify account holders by email at least 14 days before any material change to this policy. The current version and last-updated date are always shown at the top of this page.
SymbioTeK Pty Ltd
ACN 694 230 334
Email: symbiotek@symbio-tek.com