This Privacy & Data Security Policy explains what information StaxAI collects from you, how we use it, where it is stored, who can see it, and what your rights are. We have written this document in plain language because we believe you deserve to understand exactly what happens to your data — not just tick a box to get past a legal wall.
StaxAI is operated by Strategic Solutions (ABN 52 634 683 467). We are an Australian business and we take Australian privacy law seriously. This policy complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Your business data is stored in Australia on AWS Sydney (ap-southeast-2) infrastructure. We do not sell your data, share it with advertisers, or use it for any purpose other than operating the platform on your behalf.
When you sign up, we collect your email address and a password (stored as a secure hash — we never store your password in plain text). This is the minimum required to create and secure your account.
To personalise the AI tools to your business, we ask you to complete a Business Profile. This includes your business name, trading name, ABN, trade or industry, location, services and products offered, team size, and marketing preferences. This information is stored in your account and used exclusively to make the AI output relevant to your business. You can update or delete it at any time.
When you upload documents, photos, or other files to the Content Library, or connect external sources (your website, Google Drive, or business email), that content is processed by our AI to extract useful business information. The raw files and the extracted information are stored in your account.
If you use the AI Email Assistant, you connect your personal Gmail or Outlook inbox via OAuth. We access your email metadata (sender, subject, date, preview) and use AI to summarise and categorise your emails. Email summaries are stored per user — no other user on your account can see your inbox. We do not read the full body of emails unless the subject and preview suggest it is relevant to your business.
When you subscribe, payment is processed entirely by Stripe. StaxAI never sees or stores your credit card number. We store your Stripe customer ID, your active tool subscriptions, and your billing status.
We collect anonymised, aggregated data about how the platform is used — for example, which tools are most popular, how often features are used, and common content patterns. This data cannot be linked back to you as an individual and is used solely to improve the platform.
If you invite team members to your account, we store their email address, security level, and the date they joined. This is used to manage access to your account.
| Data | How we use it |
|---|---|
| Account email | Authentication, account recovery, transactional notifications (subscription confirmations, password resets) |
| Business Profile | Personalising all AI tool outputs to your specific business, trade, and location |
| Content Library data | Powering AI tools — the content you approve flows into the tools you have activated |
| Email summaries | Displaying your email dashboard within the AI Email Assistant only |
| Subscription data | Managing your active tools, trial status, and billing |
| Usage data | Anonymised product improvement only — never linked to your identity |
| Team member data | Access control only — who can log in to your account and what they can see |
We do not send marketing emails. Promotional offers are displayed as in-platform banners only. You will never receive unsolicited commercial email from StaxAI.
Your business data is stored in the AWS Sydney region (ap-southeast-2), located in Sydney, Australia. This covers your Business Profile, Content Library, email summaries, account data, and all tool outputs.
StaxAI uses Supabase as its database and authentication platform. Supabase operates on AWS infrastructure and your data is provisioned in the AWS Sydney data centre. Supabase is the direct data processor — AWS is their infrastructure provider. Both Supabase and AWS are US-headquartered companies operating Australian infrastructure. Your data does not leave Australia during normal platform use.
When you use an AI-powered feature (generating a social post, summarising emails, refreshing your news digest, analysing your strategic plan), the relevant content is temporarily transmitted to Anthropic's API in the United States for processing. This is explained in detail in Section 4. The result is returned to your account in Sydney. Anthropic does not store your content after processing is complete.
The StaxAI web application is hosted on Vercel. Vercel's serverless functions — which handle all AI calls and data processing — run in the Sydney region (syd1). Stripe (payment processing) and SerpAPI (news search) operate from servers outside Australia. None of these services store your personal business data.
StaxAI is powered by Anthropic's Claude AI. When you use any AI feature on the platform, the relevant content from your account is sent to Anthropic's API for processing. This is how the AI reads your uploaded documents, summarises your emails, generates your social posts, and produces your strategic plan.
Anthropic is a US company. When AI processing occurs, your content is temporarily transmitted to servers in the United States. This is an overseas disclosure under the Australian Privacy Principles (APP 8). We disclose this transparently here.
Under Anthropic's API terms of service (which govern our use of their API), content submitted via the API is not used to train Anthropic's AI models and is not retained by Anthropic after your request is processed. Your content goes in, the AI response comes back, and Anthropic does not keep a copy.
The AI capabilities that make StaxAI valuable — personalised content generation, intelligent email summarisation, strategic business analysis — require Anthropic's API. There is no Australian-hosted equivalent that provides comparable capability. We have chosen to be fully transparent about this rather than obscure it in legal language.
All data stored in Supabase (on AWS Sydney) is encrypted at rest using AES-256 encryption — the same standard used by banks and government agencies. This means that even if someone gained unauthorised access to the underlying storage infrastructure, your data would be unreadable without the encryption keys.
All data transmitted between your browser and StaxAI, and between StaxAI's servers and Supabase, is encrypted using TLS (HTTPS). You will always see the padlock icon in your browser when using StaxAI. We do not support unencrypted HTTP connections.
Your data is protected by Row Level Security (RLS) — a database-level access control system that ensures every query is automatically filtered so you can only access your own data. Even within the platform, no user can read another user's data. RLS is enforced at the database level, not just the application level, meaning it cannot be bypassed by application bugs.
Passwords are hashed using industry-standard cryptographic functions before storage. We never store plain-text passwords. Authentication is managed by Supabase Auth, which follows security best practices including secure session token management and email verification.
If you connect Gmail, Outlook, or Google Drive, the OAuth access and refresh tokens are stored encrypted in your account profile. These tokens give StaxAI read access to the connected service on your behalf. You can revoke this access at any time from the Settings page, which deletes the stored tokens immediately.
All sensitive API keys (Anthropic, Stripe, Google, Microsoft) are stored as encrypted environment variables on Vercel's servers and are never exposed to your browser. All AI calls are made server-side through Vercel serverless functions.
Your account data is accessible to you and any team members you have invited, subject to the security level you have assigned them. Level 1 (Account Owner) has full access. Level 2 (Manager) can access all tools and your Business Profile. Level 3 (Staff) can access activated tools only. The AI Email Assistant is always private — each user sees only their own inbox, regardless of security level.
As the operator of StaxAI, we have administrative access to the Supabase database and can view data stored in any user account. We want to be honest about this because we believe you deserve to know. This access exists for legitimate purposes — diagnosing technical issues, investigating support requests, and ensuring the platform operates correctly.
We commit to the following: we will not access your account data without a legitimate reason, we will not share your data with any third party except as described in this policy, and we will not use your business content for any purpose other than operating the platform on your behalf. If we access your account to investigate a support issue, we will tell you we did so if you ask.
We do not sell your data. We do not share your data with advertisers. We do not share your data with any third party except the sub-processors listed in Section 7, and only to the extent necessary to operate the platform.
We may be required to disclose your data if compelled by Australian law, a court order, or a regulator with lawful authority to require disclosure. We will notify you of any such request where we are legally permitted to do so.
The following companies process data on our behalf as part of operating the StaxAI platform. We have assessed each against our privacy and security requirements.
Under Australian Privacy Principle 8, we disclose that some of these sub-processors are located overseas. By using StaxAI, you consent to these disclosures as necessary for the operation of the platform. We have taken reasonable steps to ensure each sub-processor handles data appropriately.
If you subscribe to the AI Website Chatbot tool and embed it on your own website, your customers may submit their contact details (name, email address, phone number) and enquiry information through the chatbot. This data is stored in your StaxAI account.
When you embed the StaxAI chatbot on your website, you become the data controller for your customers' information. StaxAI is the data processor — we store and process that data on your instruction. You are responsible for ensuring your website visitors are informed that their data is being collected and for obtaining any consent required by applicable law.
StaxAI does not use your customers' contact details for any purpose other than displaying them to you in your chatbot dashboard. We do not contact your customers, add them to any mailing list, or share their information with any third party.
While your account is active, we retain all data associated with your account. When you cancel your subscription and close your account, we retain your data for 30 days to allow for account recovery in case of accidental cancellation. After 30 days, your data is permanently deleted from our systems.
Anonymised aggregate usage data (which cannot be linked to you) may be retained indefinitely as it is used for platform improvement.
If you request deletion of your account and data before the 30-day period, we will action that request within 5 business days. See Section 10 for how to make this request.
Stripe retains billing records and transaction history for their own legal and compliance requirements. This is governed by Stripe's privacy policy and is outside our control.
Under the Australian Privacy Principles, you have the following rights in relation to your personal information:
| Right | What it means | How to exercise it |
|---|---|---|
| Access | You can request a copy of the personal information we hold about you | Email privacy@staxai.com.au |
| Correction | You can update your Business Profile and account details directly in the platform at any time | In-platform via your account settings |
| Deletion | You can request deletion of your account and all associated data | Email privacy@staxai.com.au |
| Complaint | If you believe we have mishandled your personal information, you can lodge a complaint with us or with the Office of the Australian Information Commissioner (OAIC) | Email privacy@staxai.com.au or oaic.gov.au |
We will respond to all privacy requests within 30 days. If your request is complex, we will acknowledge it within 5 business days and provide a timeline for resolution.
StaxAI uses essential cookies only — small files stored in your browser that are necessary for the platform to function, such as keeping you logged in. We do not use advertising cookies, tracking pixels, or third-party analytics platforms that profile your behaviour across the web.
We use anonymised aggregate usage data (collected within our own platform) to understand how the product is being used. This is not cookie-based tracking and does not involve any third-party analytics service.
StaxAI does not display advertisements and does not allow advertisers to target you based on your usage of the platform.
We may update this Privacy & Data Security Policy from time to time as the platform evolves. When we make material changes, we will notify you via an in-platform banner at least 14 days before the changes take effect. The effective date at the top of this document will always reflect the most recent version.
Continued use of the platform after the effective date of any changes constitutes acceptance of the updated policy. If you do not agree with a material change, you may close your account before the change takes effect.
We are committed to handling your data responsibly. If you have any questions about this policy, want to access or delete your data, or have a privacy concern you'd like to raise, please get in touch.
privacy@staxai.com.au
Strategic Solutions · ABN 52 634 683 467 · staxai.com.au