1. Who handles your data
The data controller for AUSynth is Verosynthea (the “Company”, “we”, “us”). AUSynth is one of our products; this policy covers everything you do while using it. Review by legal counsel: company name + ABN once registered
2. What we collect
We collect only what we need to run the service. Specifically:
- Account — your email address (used for magic-link sign-in and account-related notifications).
- Payment — handled by Stripe. AUSynth receives only a Stripe customer reference and the type of bundle purchased. We never see or store your credit-card number.
- Queries you run — geography, dataset, size, and timestamp of each query. Used for billing, history, and aggregate product analytics.
- API keys — only their hash (irreversible) plus a short prefix for UI display. The secret key is shown to you once at creation; we cannot recover it.
- Server logs — request method, path, status, and IP address. Retained 30 days for security and debugging.
3. What we don't collect
AUSynth does not collect demographic or behavioural profile data. We do not use any third-party advertising or tracking pixels.
4. How we use it
- To authenticate you and deliver the service you paid for.
- To bill correctly, refund failed downloads, and respond to support questions.
- To detect and prevent abuse (e.g. multiple accounts created to exploit the free tier).
- For aggregated product analytics: how many queries are run, average download size, popular geographies. Always aggregated; never tied back to a specific user in any external reporting.
5. Third parties that handle your data
- Supabase (database + authentication). Data hosted in Singapore.
- Stripe (payments). Data hosted per Stripe's regional infrastructure.
- Amazon Web Services — S3 storage in Sydney (ap-southeast-2). Customer download files are kept here for 7 days.
- Vercel (web hosting). Edge regions worldwide; server functions run in ap-southeast-2 to minimise data transit.
- Resend (transactional email). Used to send download notifications and receipts. Email address only.
6. Where your data lives
Primary application data (account, queries, downloads metadata) is held by Supabase in Singapore. Generated download files sit in AWS Sydney. Source synthetic data also lives in AWS Sydney.
7. Your rights
Under the Australian Privacy Principles, you can:
- Access the personal information we hold about you. Most of it is visible on your account pageand history. For anything else, email support.
- Correct any inaccurate information by emailing support.
- Delete your account. We will remove your account record, queries, downloads, and API keys. Aggregated, anonymised analytics may persist. Stripe payment records persist as required by tax law.
- Complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have mishandled your information.
8. Security
We use industry-standard practices: TLS for all traffic, hashed passwords (we don't actually use passwords — magic link only), hashed API keys, row-level security on the database, least-privilege IAM roles for service accounts, and infrastructure-as-code so configuration is auditable.
No system is unbreakable. We will notify affected users within 72 hours of becoming aware of any breach that affects their personal information, in line with the OAIC Notifiable Data Breaches scheme.
9. Cookies
AUSynth uses a single cookie for authentication (the Supabase session cookie). It is essential for the service to function. No tracking cookies, no analytics cookies, no advertising cookies.
10. Children
The service is not directed at children. You must be at least 18 to open an account.
11. Changes
We'll update this page if our practices change. Material changes are emailed to active accounts.
12. Contact
Privacy questions or requests: see the contact page. For a formal complaint, ask for it to be marked “Privacy Officer”.
Review by legal counsel: privacy officer name + email