Privacy Policy
Last updated: 4 June 2026
brokerpal ("we", "us") is committed to protecting personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). brokerpal is a B2B platform. Our customers are mortgage brokers ("users"). We process their clients' personal information on behalf of the user who uploaded it. If you are a borrower whose documents have been processed through brokerpal, please contact the user acting for you — they are your primary point of contact for data rights.
1. What Personal Information We Collect
About users (our customers): account information (name, email, phone, job title); organisation details (business name, ABN, aggregator group); billing information handled by Stripe — we do not store raw card numbers; and usage data (login times, features used, IP address, browser type).
About borrowers/clients (uploaded by users): identity information (name, date of birth, address history); financial information (income, assets, liabilities, employment); document contents (payslips, bank statements, tax returns, PAYG summaries); and AI-detected indicators (gambling transactions, BNPL usage, undeclared debts, cashflow stress signals).
We treat all borrower financial documents as sensitive information and apply a higher standard of care.
2. How We Collect Information
Directly from users via account registration, billing, and platform use; via document upload when users upload client documents for processing; automatically via cookies and server logs when you visit our website; and from Stripe for billing and subscription management.
3. Why We Collect and Use Personal Information
For user account holders: to create and manage your account; process payments and issue invoices; provide customer support; send product updates and service notices; detect fraud, abuse, and security incidents; and comply with our legal obligations.
For borrower data uploaded by users: to provide AI-assisted document processing, fact-find generation, red flag detection, BID drafting, and related services to the user — solely on the user's instructions. We do not use borrower data for our own purposes, for marketing, or to train AI models.
4. Third-Party Processors
We use the following third-party processors, each bound by a data processing agreement requiring protections at least as strong as this Policy: Supabase (database, authentication, file storage — Australia/US); Google Gemini (AI document processing and extraction — United States); Twilio (SMS follow-up messages — United States); Stripe (subscription billing and payment processing — United States); and our hosting provider (platform hosting — Australia primary). We do not sell personal information to third parties.
5. Overseas Disclosure and AI Processing
Our servers are primarily hosted in Australia. However, when documents are submitted for AI processing, they are transmitted to Google Gemini's API, which operates in the United States — meaning borrower document data is disclosed overseas during AI extraction. Google's standard paid API terms prohibit use of your data to train models; however, due to technical limitations at the file-input level, zero data retention cannot be fully guaranteed for uploaded files, which may be temporarily retained by Google in accordance with their enterprise data processing terms before deletion. We minimise risk by calling Gemini only from our secure Edge Functions, operating under Google's Data Processing Agreement, auto-deleting workspace documents on the user's configured schedule, and sending no more data than necessary. By using the Platform, users acknowledge and accept that overseas AI processing occurs and agree to inform their clients accordingly.
6. Data Retention and the Sandbox Model
We retain personal information only for as long as necessary to provide the service and meet our legal obligations. Documents you upload are stored only as long as needed for processing and can be deleted by you at any time; we maintain transparent deletion records and keep no hidden archive. Indicative retention periods: user account data — duration of subscription plus 7 years (tax/legal); uploaded documents and extracted data — deleted on your request or after our standard processing window; billing records — 7 years; server/access logs — 90 days rolling; deletion audit logs — 7 years.
7. Data Security
We implement: TLS encryption in transit (HTTPS only, HSTS enforced); AES-256 encryption at rest via Supabase; Content Security Policy, X-Frame-Options, and X-Content-Type-Options headers; Supabase Row Level Security on all user-facing data; role-based access controls (Gemini and Twilio only callable from secure Edge Functions, never the browser); multi-factor authentication; an append-only compliance audit schema for regulatory records; and regular security assessments. No method of transmission or storage is 100% secure. If you suspect a security issue, contact us at hello@brokerpal.com.au immediately.
8. Privacy by Design & Compliance
brokerpal is built on privacy-by-design and privacy-by-default principles — privacy and data protection are embedded into the platform from the ground up rather than bolted on afterwards. In practice this means: data minimisation (we collect and process only the information necessary to deliver the service); purpose limitation (data is used only for the purposes for which it was provided); least-privilege access (staff and systems access only the data strictly required for their role); encryption by default (in transit and at rest); secure-by-default infrastructure (Row Level Security, audit logging, and hardened API boundaries); data segregation (operational, compliance, and billing data are logically separated); transparency (clear deletion logs and no hidden archives); and continuous review (regular security assessments and privacy considerations for new features). We align our practices with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and follow industry-standard security frameworks and best practices.
9. No Guarantee & Shared Responsibility
While we apply industry-standard safeguards, no method of electronic transmission, storage, or processing is ever completely secure, and no system can be guaranteed to be 100% safe from unauthorised access, breach, or failure. We cannot warrant the absolute security of any information you transmit to or store on the Platform, and you provide such information at your own risk. Data privacy is a shared responsibility: you are responsible for maintaining the confidentiality of your account credentials, for obtaining and managing all necessary client consents, for the accuracy and lawful handling of any data you upload, and for complying with your own obligations under the Privacy Act 1988 (Cth), the NCCP Act, and applicable laws. To the maximum extent permitted by law, brokerpal is not liable for loss or damage arising from unauthorised access to or use of your data that occurs despite our reasonable security measures. If you become aware of any security vulnerability or suspected breach, please notify us immediately at hello@brokerpal.com.au.
10. Your Privacy Rights
User account holders may: access the personal information we hold about you; correct inaccurate or outdated information; request deletion of your account and associated data (subject to legal retention obligations); withdraw consent for marketing communications at any time; and complain to us, and if unresolved, to the Office of the Australian Information Commissioner (OAIC).
Borrowers should direct access, correction, and deletion requests to the user in the first instance; we will cooperate with users to fulfil verified requests.
Contact us: hello@brokerpal.com.au
11. Cookies
Our website uses essential cookies for session management and analytics cookies to understand traffic patterns. We do not use advertising or behavioural tracking cookies. You can control cookies via your browser settings — disabling essential cookies may affect Platform functionality.
12. Changes to This Policy
We will notify you of material changes by email or prominent notice at least 14 days before they take effect. Continued use after that date constitutes acceptance.
13. Contact and Complaints
For privacy questions or requests, contact us at hello@brokerpal.com.au. If unsatisfied with our response, contact the Office of the Australian Information Commissioner: oaic.gov.au or 1300 363 992.