Hoist AIAssets Sign in
HomePrivacy

Privacy policy.

What data we collect, why, how long we keep it. Plain English first, then the legal version. APP-compliant.

Last updated 2026-05-15Effective 2026-05-15

Plain-English summary

  • We collect your account email, billing details (held by Stripe, not us), search history, and basic analytics.
  • We don't sell, share, or use your search history for marketing.
  • We don't search individual grantors. Ever.
  • Your records are exportable any time. We delete on request.
  • AU residency for records and certificates. Some subprocessors are global (see /trust/residency).

Who we are

HoistAI Pty Ltd, ABN 11 695 718 659, 81–83 Campbell Street Surry Hills NSW 2010. "We", "us", or "Hoist Assets" in this policy means HoistAI Pty Ltd trading as Hoist Assets.

What we collect

Account information

  • Email address (for sign-in and notifications)
  • Display name and organisation (optional; for Due Diligence Record branding)
  • Role (broker, IP, dealer, etc. — optional, helps us prioritise features)

Billing information

  • Card or BPay details — held entirely by Stripe; we never see or store payment instrument details.
  • Billing address (if needed for tax invoice).
  • ABN (for GST treatment).

Search activity

  • Searches you run (target ACN/serial/ABN, timestamp, reference, results)
  • Records and certificates you've generated
  • API key usage statistics
  • Audit-chain entries (hashes, no PII)

Technical

  • IP address (request-time only; not stored beyond 30 days for non-payment requests)
  • Browser / SDK / MCP-host user-agent
  • Errors (sent to Sentry AU, with PII scrubbed pre-send)

Why we collect it

  • To provide the service. Run searches, generate records, bill you, contact you when something breaks.
  • To meet legal obligations. Tax records, AFSA reseller-reporting requirements, AML/CTF where applicable.
  • To improve the product. Aggregated usage stats inform what we build next. Never per-customer breakdowns shared externally.

Who we share with

Subprocessors only. Full list at /trust#subprocessors. Notably:

  • AFSA — we send your search inputs (ACN, serial number) to run the official search.
  • Stripe — for payment processing.
  • Cloudflare — for compute/storage.

We do not sell or share personal information for advertising. We do not share with data brokers.

How long we keep it

  • Records and certificates: 30 days after subscription ends.
  • Audit-chain entries (hashes only): retained indefinitely so historic verification works.
  • Account metadata: 7 years after closure (AU tax requirements).
  • Logs: 30 days unless flagged for incident investigation.

Your rights

Under the Australian Privacy Principles (APPs):

  • Access — request a copy of your personal information. Self-serve in dashboard or email [email protected].
  • Correction — fix inaccurate information.
  • Deletion — request deletion (subject to legal retention obligations).
  • Complaint — to us first; then the OAIC at oaic.gov.au if unresolved.

Cookies

We use first-party cookies for authentication (Clerk session) and a single analytics cookie (anonymised, AU-hosted Plausible). No third-party advertising cookies. No tracking pixels. Detail at /privacy/cookies — coming soon.

International transfers

Most data stays in AU. Some subprocessors process in the US (Stripe, Postmark, Clerk). See /trust/residency for the per-category breakdown.

Updates

Material changes to this policy go to all account holders by email and appear in /changelog tagged privacy. The "Last updated" date at the top of this page moves whenever any change ships.

Contact

Privacy officer: [email protected]. Postal: HoistAI Pty Ltd, Attn: Privacy, 81–83 Campbell Street Surry Hills NSW 2010.