Privacy Policy
Last updated: 30 April 2026. This is a placeholder pre-launch policy — replace with content reviewed by your legal counsel before publishing widely.
1. Who we are
Allwis (the "Service") is operated by Allwis Pty Ltd ("we", "us"). Contact us at privacy@allwis.ai.
2. What we collect
- Account data: name, email, password hash, role, organisation membership.
- Customer data: contacts, deals, invoices, emails, documents, financial records that you upload or generate in the Service. You are the data controller for this content.
- Usage data: pages visited, actions taken, IP address, browser, device, error reports. Used for product analytics and security monitoring.
- Cookies: strictly-necessary session cookies, your theme preference, and cross-tenant routing cookies. We do not place third-party advertising cookies.
3. How we use it
To operate the Service, authenticate you, send transactional emails, prevent abuse, comply with legal obligations, and improve the product. We do not sell personal information.
4. Sub-processors
We rely on Supabase (database + auth), Vercel (hosting), Sentry (error tracking), Resend (transactional email), Stripe (payments), and other providers listed in our Data Processing Addendum. Each is contractually obligated to protect your data.
5. International transfers
Some sub-processors operate outside Australia / New Zealand. Where required, we use Standard Contractual Clauses or equivalent safeguards.
6. Your rights
You can request a copy of your personal data, ask us to correct it, or request deletion. Email privacy@allwis.ai. AU residents may also contact the OAIC; NZ residents, the Privacy Commissioner; EU residents, their local supervisory authority.
7. Retention
We retain account data while your account is active and for up to seven years afterwards to satisfy financial-record obligations. Customer data is retained per your subscription. Audit logs are retained for compliance purposes; ephemeral logs (errors, AI prompts) for up to 365 days.
8. Security
Data is encrypted at rest and in transit. Access is least-privilege and audit-logged. We disclose security incidents that affect your data without undue delay.
9. Changes
We will notify customers of material changes by email at least 14 days before they take effect.