Privacy Policy

Effective date: [EFFECTIVE DATE] · Entity: [LEGAL ENTITY NAME] (ABN [ABN]), [REGISTERED ADDRESS](“Optiva”, “we”, “us”)

This policy explains how we handle personal information in line with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). It applies to our customers (small businesses, the “Client”) and to individuals whose information a Client processes through the service.

1. Who handles the information

Optiva provides an AI workflow-automation platform. For most personal information that flows through the service (a Client’s customers, suppliers, employees, emails, invoices), the Client is the entity that decides how it is used— Optiva processes it on the Client’s behalf to operate the automations the Client configured. For the Client’s own account information, Optiva is the handler.

2. What we collect

  • Account information — name, email, hashed password, role, and security data (multi-factor authentication secrets, session and login metadata) for the people who use the dashboard.
  • Business data the Client puts through the service— contacts and their details, suppliers, quotes, invoices and receivables, appointments, leads, support questions, online reviews, and the content of emails and documents the Client connects for processing. This may include personal information about the Client’s own customers.
  • Employee payroll information (only if the Client uses payroll features) — including Tax File Numbers and bank details, which are treated as sensitive and encrypted at rest (see §6). TFNs are handled in accordance with the TFN Rule under the Privacy Act.
  • Operational and technical data — automation execution logs, audit events, and usage metrics needed to run, secure, and bill the service.

We do not sell personal information, and we do not use Client business data to train our own models.

3. How we collect it

Directly from the Client (account sign-up, data they enter or upload) and, where the Client connects a third-party account (their mailbox, calendar, accounting ledger, or Google Business Profile) via OAuth, from those services with the Client’s authorisation and only within the scopes granted. We do not buy personal information from third parties.

4. How we use it

To provide and operate the automations the Client configured — for example classifying and drafting replies to inbound email, drafting quotes and invoices, proposing appointment times, scoring leads, drafting review replies, bookkeeping intake, and payroll calculations. Also to secure the service, provide support, meet legal obligations, and bill the Client. We use information only for these purposes or directly related ones the Client would reasonably expect.

5. Disclosure & overseas transfers

We use a small set of sub-processorsto deliver features the Client switches on (the AI model provider, the Client’s connected mail/calendar/accounting/review providers, text embeddings, hosting). Each receives only what the relevant feature needs, to act on the Client’s instructions. The current list, what each does, and where it is located is maintained on our Sub-processors page. Some sub-processors may process data outside Australia; where that occurs we take reasonable steps consistent with APP 8. The platform and the Client’s stored data are hosted in Australia (Sydney).

We may also disclose information where required by law.

6. Security

  • Tenant isolation— every Client’s data is segregated by database row-level security; one Client can never see another’s.
  • Encryption — passwords hashed with Argon2id; third-party tokens and sensitive payroll data (TFN, bank details) encrypted at rest; TLS in transit.
  • Access control — role-based permissions, multi-factor authentication, and an audit trail of significant actions.

No security is perfect, but we take reasonable steps to protect information from misuse, loss, and unauthorised access.

7. Retention & destruction

We keep personal information only as long as needed for the purposes above or as required by law. Operational logs are automatically purged after the Client’s configured retention window. Financial records are retained for at least five years as required by Australian tax law. When a Client deletes their account, all their data is permanently destroyed (see §9).

8. Access & correction

A Client can export a copy of their data at any time (Settings → Privacy → Export) and can correct information directly in the app. Individuals whose information a Client processes should contact that Client (the controlling entity); we will assist the Client to meet such requests.

9. Erasure

A Client owner can permanently delete the account and all associated data from Settings → Privacy. This is immediate and irreversible (subject to any minimum legal retention that applies to specific records, such as financial records).

10. Complaints & contact

Questions or complaints: contact@optiva-solutions.com. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

11. Changes

We may update this policy; the current version is always available at this page. Material changes will be notified to Clients.