Privacy Policy

Effective Date: April 15, 2025

Last Updated: April 15, 2025

This policy explains how we collect and use your information. We collect account details, uploaded strata reports, and your queries. We attempt to redact personal information like names and emails before analysis, but this process isn't perfect. We send redacted text to Google Gemini (which operates servers outside Australia) for AI analysis. Generated reports are not stored. You have rights to access and correct your personal information.

1. Introduction

1.1. PropVista Pty Ltd ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, store, and protect your Personal Information when you use our web application (PropVista.au) (the "Service").

1.2. We comply with the Australian Privacy Act 1988 (Cth) (the "Privacy Act") and the Australian Privacy Principles (APPs).

1.3. By accessing or using the Service, you consent to the collection, use, disclosure, and storage of your information as described in this Privacy Policy and our Terms of Service. Please read this policy carefully.

2. What is Personal Information?

2.1. "Personal Information" means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether recorded in a material form or not (as defined in the Privacy Act). This can include names, addresses, email addresses, financial information, and potentially other details found within Strata Reports or provided by you.

3. Information We Collect

We collect information necessary to provide and improve the Service. This includes:

3.1. Information You Provide Directly:

• Account Information: When you register, we collect your username and hashed password (managed via streamlit-authenticator and stored according to Streamlit Cloud practices).
• Uploaded Strata Reports: You upload PDF Strata Reports ("Uploaded Reports"). These reports often contain Personal Information about various individuals (e.g., owners, committee members, strata managers), including names, addresses, financial details (levies, balances), email addresses, and potentially phone numbers.
• User Queries: We collect the questions and prompts you submit to the Service's chat interface.
• Communications: If you contact us directly (e.g., via email), we collect information contained in your communications.

3.2. Information Processed by the Service:

• Extracted Text: Text content extracted from Uploaded Reports.
• Redacted Text: Text content from which we attempt to automatically identify and redact certain PII (currently names and email addresses) using tools like Presidio. Addresses and financial figures are generally not redacted.
• Generated Content: The AI-generated answers, Full Reports, and Summary Reports derived from processing the (redacted) Uploaded Reports and your queries.

3.3. Information Collected Automatically:

• Log Data: Like most web services, we automatically collect log information about your use of the Service, such as IP address, browser type, operating system, access times, pages viewed, actions taken (e.g., uploads, report generation), and error logs (stored in app.log).
• Cookies: We use cookies for session management and authentication (via streamlit-authenticator). Cookies are small data files stored on your device. You can usually modify your browser setting to decline cookies if you prefer.

4. How We Use Your Information

We use the information we collect for the following purposes:

4.1. To Provide and Operate the Service:

• Authenticate users and manage accounts.
• Receive, process (including text extraction and PII redaction), and temporarily store Uploaded Reports.
• Facilitate interaction with the AI (Google Gemini) to answer queries and generate reports based on redacted content.
• Generate and provide download links for Generated Content during your active session.
• Maintain and manage user sessions.

4.2. To Improve the Service:

• Analyse usage patterns and log data to understand how the Service is used, diagnose technical issues, and improve functionality (using anonymised or aggregated data where feasible).

4.3. To Communicate with You:

• Respond to your inquiries and support requests.
• Send service-related announcements (if necessary).

4.4. For Security and Compliance:

• Monitor for and prevent fraudulent or unauthorised activity.
• Comply with legal obligations.

5. PII Redaction Process and Limitations

5.1. We use automated tools (Presidio AnalyzerEngine and AnonymizerEngine) to attempt to identify and redact specific types of Personal Information – primarily person names and email addresses – from the text extracted from Uploaded Reports before it is used for detailed analysis or sent to the AI (Google Gemini).

5.2. Limitations: Automated redaction is not foolproof. It may fail to identify some names/emails or incorrectly redact other text.

5.3. Significant Personal Information, such as property addresses and financial details (levy amounts, budgets, balances), is intentionally not redacted by this process, as it is often essential for the strata report analysis you request.

5.4. We also instruct the AI (Google Gemini) via prompts not to output specific PII types as a secondary precaution, but this relies on the AI's compliance and is not guaranteed.

5.5. By using the Service, you acknowledge and accept the limitations of our automated PII redaction process.

5.6. If you are concerned about specific sensitive information in your strata report, we recommend you manually redact this information before uploading the document.

6. Data Sharing and Disclosure

We do not sell your Personal Information. We may share your information in the following limited circumstances:

6.1. Third-Party Service Providers:

• Google Gemini: We send redacted text chunks from Uploaded Reports, your queries, and content from generated reports (for summarisation) to Google's Generative AI (Gemini) API for processing to provide the core analysis and generation features of the Service. This constitutes a disclosure to Google. Google's handling of this data is subject to its own terms and privacy policies (refer to Google Cloud's data processing terms).
• Hosting Provider: The application is hosted on Streamlit Cloud, which stores application data and logs according to its security practices.
• Other Providers: We may use other vendors for functions like logging or analytics, who process data on our behalf under confidentiality agreements.

6.2. Legal Requirements:

We may disclose your information if required by law, subpoena, court order, or other governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

6.3. Business Transfers:

If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction, subject to confidentiality arrangements.

7. Cross-Border Disclosure of Personal Information

7.1. Providing the Service involves disclosing information to third parties located outside of Australia. Specifically, when we send redacted report content and queries to Google Gemini for processing, this data is transferred to and processed on servers located outside Australia (primarily in the USA or other locations where Google operates data centres).

7.2. To protect your information in accordance with Australian Privacy Principle 8, we take the following steps:

• We maintain a Data Processing Agreement with Google that includes privacy protections.
• We only send redacted text (with names and emails attempted to be removed) to Google.
• Google Cloud Platform, which powers the Gemini API, maintains various security certifications including ISO 27001, SOC 2/3, and others.
• We regularly review Google's compliance documentation and security practices.

7.3. Despite these measures, we cannot guarantee that overseas recipients will handle your Personal Information in complete compliance with the Australian Privacy Principles. By using the Service, you acknowledge this risk.

7.4. If you do not consent to this cross-border disclosure, you should not use the Service, as this transfer is essential to our core functionality.

8. Data Security

8.1. We implement reasonable technical and organisational measures to protect your Personal Information from unauthorized access, use, disclosure, alteration, or destruction. These include:

• User authentication and password hashing.
• Attempted PII redaction before AI processing.
• Using HTTPS for all data transmission between your browser and our server, and between our server and Google Gemini.
• Storing sensitive credentials (API keys, user secrets) using secure mechanisms.
• Implementing session management with timeouts and clearing session state upon logout.
• Using temporary file handling for uploaded PDFs, deleting them after initial processing.

8.2. Generated Reports:

• Generated reports are created dynamically and exist only within your active user session. They are held in temporary server memory and/or as temporary files solely to create a download link for you. They are not stored persistently on our servers and are permanently purged when your session terminates.

8.3. Data Breach Response:

In the event of a data breach that may affect your Personal Information, we will:

• Investigate the breach promptly.
• In the event we have reasonable grounds to believe an eligible data breach has occurred, notify the Office of the Australian Information Commissioner and affected individuals as soon as practicable, in accordance with our obligations under the Notifiable Data Breaches scheme.
• Take steps to remediate the breach and prevent recurrence.

8.4. No Method is Perfect: Despite our efforts, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

9. Data Retention

9.1. Session Data: Information stored in your active session state (including redacted text chunks, chat history, and the content of any Generated Reports) is held in temporary memory. This data is fundamental to the Service's operation during your visit and is permanently cleared when your session ends (e.g., upon logout, session timeout after 2 hours of inactivity, or closing the browser tab/window).

9.2. Uploaded PDFs: Original Uploaded PDFs are stored only temporarily during the initial reading and text extraction process (typically less than 1 minute) and are deleted immediately thereafter.

9.3. Generated Reports: Generated PDF reports are created on-demand and exist only for the duration of your active session. They are not saved to any persistent storage and are irrecoverably deleted when your session terminates.

9.4. Account Information: We retain your account credentials as long as your account is active or as needed to comply with legal obligations. Inactive accounts may be deleted after 12 months of non-use.

9.5. Logs: Application logs are retained for 30 days for troubleshooting, security analysis, and usage monitoring, then automatically deleted. Error logs containing user-specific information are anonymized after 7 days.

9.6. Google Gemini: According to Google's standard data processing terms for the Gemini API, your data sent for processing is typically retained for a limited time to process your request. For specific details about Google's retention policies, please review Google's privacy documentation.

10. Your Rights (Access, Correction, Complaints)

10.1. Under the Privacy Act, you have the right to:

• Request access to the Personal Information we hold about you.
• Request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading Personal Information we hold about you.
• Request deletion of your personal information (subject to certain exceptions).

10.2. To exercise these rights, please contact us at info@PropVista.au. We will respond to your request within 30 days. We may need to verify your identity before processing your request. There may be circumstances under the Privacy Act where we are unable to provide access or make corrections.

10.3. If you believe we have breached the Australian Privacy Principles, please contact us with details of the alleged breach. We will investigate your complaint and respond within 30 days.

10.4. If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

11. Cookies

11.1. We use cookies primarily for authentication and session management via the streamlit-authenticator library. These are essential for the Service to function securely.

11.2. You may be able to configure your browser to refuse cookies, but this may prevent you from using parts of the Service, particularly logging in.

11.3. We do not use cookies for advertising or tracking purposes.

12. Third-Party Links

12.1. The Service may contain links to third-party websites or services (e.g., Google's terms). This Privacy Policy does not apply to those third-party sites. We encourage you to read their privacy policies.

13. Children's Privacy

13.1. The Service is not intended for use by individuals under the age of 18. We do not knowingly collect Personal Information from children under 18.

14. Changes to this Privacy Policy

14.1. We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will post the updated policy on the Service and indicate the "Last Updated" date. For significant changes, we will provide a more prominent notice, such as an email notification.

14.2. We encourage you to review this policy periodically. Your continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy.

15. Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy or our privacy practices, please contact us at:

info@PropVista.au