Privacy Policy

1. Who This Policy Applies To

This policy applies to:

• Account holders — professional services firms and individuals who create a FileRequest account and use the platform to collect documents from their clients.
• Portal users — the clients of account holders who access a FileRequest portal to upload documents or submit information.

Account holders are responsible for ensuring their own clients are aware of how their information is handled when submitting documents through a FileRequest portal.

2. Information We Collect

2.1 Information You Provide Directly

When you create an account or use FileRequest, we collect:

• Your name, email address, phone number, and business details (company name, role, ABN)
• Payment information — processed securely by Stripe. We do not store credit card numbers or payment card data on our servers.
• Profile preferences including portal branding, sender details, and notification settings.
• Any content you create within the platform, including request templates, drafts, and client records.

2.2 Information Collected From Your Clients

When your clients submit documents through a FileRequest portal, we collect on your behalf:

• Files and documents uploaded by the client
• Form field responses (such as tax file numbers, dates of birth, addresses, and other information you request)
• The client's name and email address as provided by you when creating the request

This information is collected as a data processor acting on your instructions as the data controller. You remain responsible for the lawful basis of collecting this information from your clients.

2.3 Information Collected Automatically

When you use FileRequest, we automatically collect:

• Log data including IP addresses, browser type, pages visited, and timestamps
• Usage data such as features used, requests created, and portal interactions
• Device information including operating system and screen resolution

3. How We Use Your Information

We use the information we collect to:

• Provide, operate, and improve the FileRequest service
• Process your subscription and manage billing through Stripe
• Send transactional emails including portal invitations, reminders, and submission notifications via Amazon Web Services Simple Email Service (AWS SES)
• Authenticate users and maintain account security
• Count unique recipients for quota tracking in accordance with your subscription plan
• Sync submitted files to connected third-party storage services (such as Google Drive) where you have authorised this
• Respond to support requests and communications
• Monitor platform performance and diagnose technical issues
• Comply with legal obligations

We do not use your information or your clients' information for advertising purposes. We do not sell personal information to third parties.

4. Third-Party Services

FileRequest uses the following third-party services to operate. Each service has its own privacy policy and data handling practices:

• Supabase — database, authentication, and file storage. Data is stored in the ap-southeast-2 (Sydney, Australia) region. supabase.com/privacy
• Amazon Web Services (AWS) — email delivery via Simple Email Service (SES) and event notifications via Simple Notification Service (SNS). Data processed in the ap-southeast-2 region. aws.amazon.com/privacy
• Stripe — payment processing and subscription management. Stripe handles all payment card data. We never receive or store card numbers. stripe.com/au/privacy
• Vercel — application hosting and deployment. vercel.com/legal/privacy-policy
• Google LLC — if you connect Google Drive, we access your Google Drive using OAuth 2.0 to store submitted files. We only access files we create; we do not read, modify, or delete other files in your Drive. You can revoke this access at any time from Settings. policies.google.com/privacy

We only share personal information with third parties to the extent necessary to provide the FileRequest service. We do not authorise third parties to use your personal information for their own purposes.

5. Google Drive Integration

If you choose to connect Google Drive, FileRequest will:

• Request permission to create and manage files in your Google Drive using the drive.file scope
• Automatically save submitted client documents to a structured folder: FileRequest / [Client Name] / [Request Title] /
• Store your Google OAuth access and refresh tokens securely in our database to enable ongoing sync
• Refresh your access token automatically to maintain the connection

FileRequest does not access, read, modify, or delete any files in your Google Drive other than those it creates. Your Google Drive credentials are never shared with third parties.

You can disconnect Google Drive at any time from Settings → Integrations. Upon disconnection, your OAuth tokens are immediately revoked and deleted from our systems.

6. Data Storage and Security

All FileRequest data is stored in Australia (ap-southeast-2, Sydney) using Supabase and AWS infrastructure. We implement the following security measures:

• All data is encrypted in transit using TLS/HTTPS
• Database access is protected by row-level security policies
• Authentication is managed by Supabase Auth with secure session handling
• Payment data is handled entirely by Stripe and never touches our servers
• Access to production systems is restricted to authorised personnel only

While we take reasonable precautions to protect your information, no internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your information for as long as necessary to provide the service and meet our legal obligations:

• Active account data — retained for the duration of your subscription
• Submitted documents and files — retained indefinitely while requests are active; retained for 7 years after a request is archived (to support Australian professional services record-keeping requirements)
• Deleted requests — files permanently deleted within 30 days of the request being deleted
• Account cancellation — all data retained for 90 days after cancellation, then permanently deleted upon request or at the end of the 90-day period
• Payment records — retained as required by Australian taxation law (generally 7 years)

You may request deletion of your data at any time by contacting us at admin@filereq.com. We will action deletion requests within 30 days, except where retention is required by law.

8. Your Privacy Rights

Under the Australian Privacy Act 1988, you have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate, incomplete, or outdated information
• Request deletion of your personal information (subject to legal retention requirements)
• Complain about a breach of the Australian Privacy Principles

To exercise any of these rights, contact us at admin@filereq.com. We will respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

9. Cookies

FileRequest uses cookies and similar technologies to maintain your session, remember your preferences, and analyse platform usage. We use:

• Session cookies — required for authentication and to keep you logged in
• Preference cookies — to remember your settings and last-used features

We do not use advertising cookies or track users across third-party websites. You can disable cookies in your browser settings, but this may affect your ability to use the platform.

10. Children's Privacy

FileRequest is designed for use by professional services firms and is not directed at children under 18. We do not knowingly collect personal information from anyone under 18. If you become aware that a child has provided us with personal information, please contact us at admin@filereq.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address on your account) or by displaying a prominent notice within the platform. The effective date at the top of this policy will be updated accordingly.

Continued use of FileRequest after a policy update constitutes acceptance of the revised policy.