Privacy Policy
Effective date: 4 April 2026
dFortix.ai (“we”, “our”, or “us”) is committed to protecting your privacy in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This Privacy Policy explains how we collect, use, store, disclose, and protect your personal information when you use the dFortix.ai platform. By using our service, you agree to the practices described in this policy.
1. About This Policy
- dFortix.ai is operated by Mercury Road Equipment Pty Ltd (ABN 36 614 422 187) ("we", "our", or "us"). We are committed to protecting your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained in that Act.
- This Privacy Policy explains how we collect, hold, use, disclose, and protect your personal information when you use the dFortix.ai platform ("Platform"). It also describes your rights in relation to your personal information.
- We are subject to the oversight of the Office of the Australian Information Commissioner (OAIC). If you have concerns about how we handle your personal information, you have the right to lodge a complaint with the OAIC (see Section 15).
- By creating an account and using the Platform, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your personal information as described herein.
2. Definitions
- "Personal Information" has the meaning given in section 6 of the Privacy Act 1988 (Cth) and means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether recorded in a material form or not.
- "Sensitive Information" has the meaning given in the Privacy Act 1988 (Cth) and includes information about an individual's health, biometric data, and other categories specified in the Act. We do not intentionally collect Sensitive Information, except as described in Section 8 (Children's Data).
- "Child User" means a child whose profile has been created in the Fortie education module by their parent or legal guardian.
- "AI Processing" means the transmission of data to artificial intelligence model providers for the purpose of generating responses, analyses, or other outputs.
- "Connector" means a user-authorised OAuth-based integration between the Platform and a third-party service.
3. What Personal Information We Collect
- Account Information: When you register, we collect your name, email address, and a cryptographically hashed password (we never store plain-text passwords). If you register via a third-party authentication provider (Google, GitHub, Microsoft, Apple, or LinkedIn), we receive your name, email address, and profile picture from that provider.
- Usage Data: We record token consumption counts, estimated costs (in AUD), session activity, and feature usage for billing, analytics, and service improvement purposes.
- Conversation Content: Messages, prompts, and AI-generated responses within the Platform's chat and agent features are stored in our database to enable session history, export, and continuity of service.
- File Uploads: Documents, drawings, images, 3D models, and other files you upload are stored on our servers and cloud storage infrastructure to be processed by the Platform's features.
- Technical Data: We automatically collect standard server log data including your IP address, browser type and version, operating system, referring URL, and access timestamps for security monitoring and debugging.
- Payment Information: When you subscribe to a paid plan, payment is processed by Stripe, Inc. We store your Stripe Customer ID for billing management but do not store your full credit card number on our servers.
- Children's Data: If you create a Child User profile in the Fortie module, we collect the child's first name, age or date of birth, learning preferences, voice recordings (for speech-to-text processing), learning progress data, session summaries, and educational content interaction history. See Section 8 for details.
- Connector Data: When you authorise a Connector to a third-party service, data from that service (e.g., accounting records from Xero, project data from Procore, emails from Google Workspace) may be accessed and temporarily processed by the Platform in accordance with the permissions you grant.
- OAuth Profile Data: When you sign in via a third-party authentication provider, we may receive and store your profile picture and display name as provided by that service.
4. How We Collect Information
- Directly from you: When you register an account, use the chat or agent features, upload files, create projects or estimates, configure Connectors, or contact our support team.
- From third parties: When you authenticate via an OAuth provider (Google, GitHub, Microsoft, Apple, LinkedIn), we receive identity information from that provider. When you authorise a Connector, we receive data from the connected third-party service.
- Automatically: Our servers automatically collect technical data (IP address, browser type, access timestamps) when you access the Platform. We use essential session cookies for authentication — see Section 13.
5. Purpose of Collection and Use
- We collect and use your personal information for the following purposes (APP 6): to provide, operate, and maintain the Platform and its features; to process your inputs through AI models and deliver AI-generated outputs; to calculate, display, and bill for usage in accordance with your subscription plan; to authenticate your identity and maintain the security of your account; to communicate with you about your account, service updates, and support requests; to improve Platform performance, diagnose technical issues, and enhance the user experience; to comply with our legal obligations, including record-keeping for taxation purposes (7 years per Australian Taxation Office requirements); and to enforce these Terms and protect the rights, property, and safety of dFortix.ai, our users, and the public.
- We do NOT use your personal information for: direct marketing without your explicit consent (Spam Act 2003 (Cth)); selling, renting, or sharing your personal information with third parties for their marketing purposes; or training AI models on your Content — your data is transmitted to AI providers for real-time processing only and is not used to fine-tune or train their models beyond what their own data retention policies may provide for (refer to each provider's privacy policy for their specific data handling practices).
6. Disclosure to Third Parties
- We disclose your personal information to the following categories of third-party recipients as necessary to provide the Platform's services. Where these recipients are located overseas, we take reasonable steps to ensure they handle your information consistently with the APPs (APP 6, APP 8).
- AI and LLM Processing (overseas — primarily United States): Your conversation content, prompts, and contextual data are transmitted to AI model providers for processing. These include OpenRouter (USA), OpenAI (USA), Anthropic (USA), Google (USA), and Microsoft Azure (USA). The specific provider used depends on your configuration and the model selected. Each provider's own privacy policy governs their handling of data they receive.
- Cloud Storage (Australia): Files you upload are stored on Amazon Web Services (AWS) S3 in the Asia Pacific (Sydney) region (ap-southeast-2), within Australia.
- Payment Processing (overseas — United States): Stripe, Inc. (USA) processes payment transactions. Stripe receives your name, email, and payment card details. We do not store full card numbers.
- Vector Database: Document embeddings (mathematical representations of your content, not the raw text) are stored in our Qdrant vector database for search and retrieval features.
- Email Delivery: Your email address and notification content are transmitted to our SMTP email delivery service for sending verification codes, notifications, and system communications.
- Authentication Providers (overseas): If you sign in via Google (USA), GitHub (USA), Microsoft (USA/Ireland), Apple (USA), or LinkedIn (USA/Ireland), your identity information is exchanged with that provider under their privacy policy.
- User-Authorised Connectors: When you authorise a Connector, data is exchanged with the connected service. This may include accounting platforms (Xero — New Zealand/Australia; MYOB — Australia), construction project management tools (Procore — USA; Autodesk — USA; Bluebeam — USA; Buildxact — Australia; ServiceM8 — Australia), collaboration tools (Google Workspace — USA; Microsoft 365 — USA/Ireland; Slack — USA; Zoom — USA), productivity tools (Asana — USA; Trello — USA; Notion — USA; Airtable — USA; Figma — USA), cloud storage (Dropbox — USA), and others. Data is shared only to the extent you authorise and only for the features you use. You may disconnect a Connector at any time.
- Search and Tool Providers: When you use search or computation features, queries are sent to SerpAPI, Brave Search, Tavily, Google Maps, Wolfram Alpha, or NewsAPI. Only search queries are transmitted — not your identity or account information.
- Government and Public Register APIs: The Platform may query Australian government APIs on your behalf, including ABN Lookup (Australian Business Register), ASIC company register, NSW Planning Portal, NSW Valuer-General, and IP Australia. Only the specific lookup parameters (e.g., ABN, company name, property address) are transmitted.
- Stock Image Providers: Search queries (not identity data) may be sent to Unsplash, Pexels, or Pixabay when using the website builder's image search feature.
7. Cross-Border Disclosure
- In accordance with APP 8 of the Privacy Act 1988, we are required to inform you when your personal information may be disclosed to recipients located outside Australia.
- The primary countries to which your personal information may be transferred are: United States of America — AI model providers (OpenRouter, OpenAI, Anthropic, Google, Azure), payment processing (Stripe), and various Connector services; Ireland — Microsoft 365, LinkedIn (which may process data in Ireland or the USA); New Zealand — Xero (accounting connector); and other countries — where third-party Connector services that you authorise may be headquartered or operate infrastructure.
- Before disclosing your personal information overseas, we take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to your information. These steps include: reviewing the privacy policies and data handling practices of major service providers; using providers that maintain recognised security certifications and compliance frameworks; transmitting data over encrypted connections (TLS/HTTPS); and limiting data disclosure to what is necessary for the specific service function.
- By using the Platform and consenting to this Privacy Policy, you acknowledge and agree to the cross-border transfer of your personal information as described in this section. Under section 16C of the Privacy Act 1988, where you have provided informed consent to an overseas disclosure, we may not be accountable under APP 8.1 if the overseas recipient handles your information in a way that breaches the APPs. However, you retain the right to seek redress directly from the overseas recipient.
8. Children's Data
- The Fortie education module allows parents or legal guardians ("Parents") to create profiles for their children ("Child Users"). We take the privacy of children seriously and handle children's data with additional safeguards.
- Collection: We collect children's data only when a Parent creates a Child User profile. Data collected includes the child's first name, age or date of birth, learning preferences, and educational interaction history. Voice recordings are processed in real time by third-party speech-to-text services and are not permanently stored in raw audio form beyond the active session.
- Parental Consent: By creating a Child User profile, the Parent provides verifiable consent for the collection and processing of their child's data for the purposes described in this section. The Parent represents and warrants that they are the child's parent or legal guardian.
- Purpose: Children's data is used solely for: delivering age-appropriate educational content and activities; tracking learning progress and generating session summaries for the Parent; and improving the educational experience within the Fortie module.
- Parental Controls: Parents can configure session time limits and cost limits for their Child User. Parents can view session summaries, learning progress, and interaction history.
- No Marketing: We do not use children's data for marketing, advertising, or profiling purposes. The Fortie module does not display advertisements.
- Deletion: Parents may request deletion of all data associated with a Child User profile at any time by contacting vlad@snip-snip.org. We will process deletion requests within 30 days.
- Third-Party Processing: Children's voice data is processed by third-party speech-to-text and text-to-speech services. Educational content is generated by AI model providers. These transmissions are subject to the cross-border disclosure provisions in Section 7.
9. Data Security
- We take reasonable steps to protect your personal information from misuse, interference, loss, and from unauthorised access, modification, or disclosure (APP 11). Our security measures include:
- All data transmitted between your browser and the Platform is encrypted using HTTPS/TLS.
- Passwords are cryptographically hashed using bcrypt with a cost factor of 12 before storage. We never store plain-text passwords.
- Database access is restricted to authorised application services only, with role-based access controls.
- Session tokens are JSON Web Tokens (JWT), cryptographically signed using industry-standard algorithms, and expire automatically.
- We conduct regular security reviews, apply security patches promptly, and monitor for suspicious activity.
- Cache and session data in Redis is transmitted over encrypted connections where available.
- Despite our best efforts, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security. We encourage you to use a strong, unique password for your account and to report any suspected security issues immediately to vlad@snip-snip.org.
10. Data Retention and Deletion
- We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law (APP 11.2).
- Account data (name, email, profile) is retained for as long as your account remains active.
- Conversation history and AI interaction logs are retained until you delete the associated session or request account deletion.
- Uploaded files are retained until you delete them or until your account is terminated, subject to the 30-day export window described in our Terms.
- Usage records (token counts, costs) are retained for a minimum of seven (7) years to comply with Australian Taxation Office record-keeping requirements.
- Payment transaction records are retained for seven (7) years in accordance with taxation and financial record-keeping obligations.
- When you delete data or your account is terminated, we will take reasonable steps to destroy or de-identify the relevant personal information within 30 days, except where retention is required by law. Backup copies may persist for up to 90 days before being overwritten in the normal course of backup rotation.
11. Your Rights — Access, Correction, and Portability
- Under the APPs, you have the right to: access the personal information we hold about you (APP 12); and request correction of any personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13).
- Access: You may view your profile information, conversation history, usage data, and connected services at any time within the Platform. To request a comprehensive record of all personal information we hold about you, contact vlad@snip-snip.org.
- Correction: You may update your display name and profile picture via the Platform's profile settings. For corrections to other data, contact vlad@snip-snip.org.
- Data Portability: You may export your conversations in Markdown, PDF, or DOCX format using the Platform's built-in export features. You may export estimates, reports, and other documents in PDF or Excel format where the Platform provides such functionality.
- Account Deletion: You may request deletion of your account and all associated personal information by contacting vlad@snip-snip.org. We will process your request within 30 days, subject to any legal obligations to retain certain records.
- We will respond to all access and correction requests within 30 days. If we refuse a request, we will provide written reasons for the refusal and information about how to complain.
12. Notifiable Data Breaches
- We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).
- If we become aware of an eligible data breach (or suspected eligible data breach) — that is, unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to any affected individual — we will: promptly assess the breach within 30 days (or sooner where practicable); take reasonable steps to contain the breach and mitigate potential harm; notify the OAIC and affected individuals as required by the Act; and provide affected individuals with recommendations about steps they can take to protect themselves.
- If you become aware of any actual or suspected security incident involving the Platform, please report it immediately to vlad@snip-snip.org.
13. Cookies and Tracking Technologies
- The Platform uses essential session cookies to maintain your authenticated session and enable core functionality. These cookies are strictly necessary for the operation of the Platform and do not require separate consent under Australian law.
- We do not use third-party analytics cookies, advertising cookies, or cross-site tracking technologies.
- We do not use pixel tags, web beacons, or similar tracking technologies for marketing or advertising purposes.
- Your browser may allow you to disable cookies; however, disabling essential session cookies will prevent you from using the Platform.
14. Changes to This Policy
- We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform's features, or applicable law.
- For material changes, we will provide at least thirty (30) days' prior notice through the Platform or by email. Material changes include changes to the categories of personal information collected, the purposes for which information is used, the third parties to whom information is disclosed, or cross-border data transfer practices.
- For material changes, you may be required to re-acknowledge or re-accept the updated Privacy Policy before continuing to use the Platform.
- Prior versions of this Privacy Policy are available on request by contacting vlad@snip-snip.org.
15. Complaints and Contact
- If you have any questions, concerns, or complaints about this Privacy Policy or the way we handle your personal information, please contact us at: Mercury Road Equipment Pty Ltd (ABN 36 614 422 187), trading as dFortix.ai — Email: vlad@snip-snip.org
- We will acknowledge your complaint within 7 days and endeavour to resolve it within 30 days. If we need more time, we will inform you of the reasons for the delay and the expected timeframe for resolution.
- If you are not satisfied with our response to your complaint, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC): Website: www.oaic.gov.au — Phone: 1300 363 992 — Post: GPO Box 5218, Sydney NSW 2001
- You may also contact the OAIC directly without first raising the matter with us, although the OAIC generally recommends contacting the organisation first.
This policy may be updated from time to time. Material changes will be communicated with at least 30 days' notice. Prior versions are available on request.