Privacy Policy
Last updated: 8 June 2026
1. About This Policy
PropInvestor (ABN to be advised) is committed to protecting your privacy in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy describes how we collect, hold, use, and disclose your personal information. This policy applies to all users of the PropInvestor website and application.
2. Information We Collect
When you use PropInvestor, we collect:
- Account information: Name and email address (via Google OAuth sign-in)
- Property & financial data: Property details, loan information, rental income, and expense data you voluntarily enter into the platform
- Payment information: Handled entirely by Stripe Payments Australia Pty Ltd. We receive only a Stripe customer ID and subscription status. We do not store, process, or have access to your credit card number, CVV, or full card details.
- Usage data: Pages visited, features used, timestamps, IP address, browser type, and device information (for improving the Service and diagnosing issues)
We do not require you to provide sensitive information (as defined in the Privacy Act) such as health information, racial or ethnic origin, political opinions, or criminal records. If you inadvertently provide sensitive information in free-text fields, we will treat it with the highest level of protection.
3. Anonymity and Pseudonymity (APP 2)
Where practicable, you may interact with us without identifying yourself. However, to use the core features of PropInvestor (property analysis, saving data), you must create an account with your name and email address via Google OAuth. We cannot provide personalised services on an anonymous basis.
4. Purpose of Collection (APP 3 & 6)
We collect personal information only for purposes that are:
- Directly related to providing the Service (portfolio analysis, cashflow projections, suburb research)
- Reasonably necessary for managing your subscription and billing
- Required for sending important account notifications (billing confirmations, Terms or policy changes, security alerts)
- Necessary for improving the Service, fixing issues, and ensuring security
- Required or authorised by Australian law (e.g., tax record-keeping obligations)
We do not sell your personal data. We do not use your data for advertising or marketing by third parties. We will not use your personal information for a purpose other than the purpose for which it was collected, unless you consent or an exception under APP 6 applies.
5. Data Storage & Security (APP 11)
Your data is stored in a PostgreSQL database hosted on Amazon Web Services (AWS) in the Sydney region (ap-southeast-2). Data is encrypted at rest using AES-256 AWS-managed encryption keys. All connections to our servers use HTTPS/TLS 1.2+ encryption in transit.
We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. These steps include: access controls limiting data access to authorised personnel, encrypted database connections, regular security reviews, and secure authentication via Google OAuth (no passwords stored by PropInvestor).
6. Disclosure to Third Parties (APP 6)
We may disclose your personal information to:
- Stripe Payments Australia Pty Ltd: Your email and name for payment processing and subscription management
- Google (via OAuth): Authentication token exchange only; we do not share your property data with Google
- Amazon Web Services (AWS): As our infrastructure provider hosting your encrypted data in Sydney
- Law enforcement or regulators: Where required by Australian law, court order, or to protect safety
Suburb data is sourced from Microburbs, SQM Research, ABS Census, and other public sources. No user data is shared with these providers.
7. Overseas Disclosure (APP 8)
Your property and financial data is stored exclusively in Australia (AWS Sydney ap-southeast-2). However, some third-party service providers may process limited personal information overseas:
- Stripe: Headquartered in the United States; processes payment information under their PCI-DSS compliance and privacy policies
- Google: Headquartered in the United States; processes authentication data only (name, email) during sign-in
Before disclosing personal information overseas, we take reasonable steps to ensure the overseas recipient handles information in accordance with the APPs, or is subject to a substantially similar privacy regime.
8. Cookies & Tracking
We use a single session cookie (managed by NextAuth.js) to keep you signed in. We do not use third-party tracking cookies, advertising pixels, or analytics services that track you across websites. We do not engage in cross-device tracking or behavioural advertising.
9. Data Retention & Deletion
Your account and property data are retained for as long as your account is active. If you cancel your paid subscription, your data remains accessible on the free tier. You may request full deletion of your account and all associated data at any time by contacting us at the email below. Upon receiving a verified deletion request, we will permanently delete your personal information within 30 days, except where we are required by law to retain certain records (e.g., transaction records for tax purposes, which may be retained for up to 7 years).
10. Your Rights (Australian Privacy Principles)
Under the Privacy Act 1988 (Cth), you have the right to:
- Access (APP 12): Request a copy of all personal information we hold about you. We will respond within 30 days.
- Correction (APP 13): Request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading information. We will correct information within 30 days or provide reasons for refusal.
- Deletion: Request deletion of your personal information (subject to legal retention requirements)
- Complaint: Lodge a complaint with us first (see below), then with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if unsatisfied
To exercise any of these rights, contact our Privacy Officer at the email address below. We will verify your identity before processing any request. There is no fee for making a request, though we may charge a reasonable fee for manifestly unfounded or excessive requests as permitted under the APPs.
11. Data Breach Notification (NDB Scheme)
In the event of an eligible data breach (where unauthorised access to, or loss of, personal information is likely to result in serious harm to any individual), we will:
- Take immediate steps to contain the breach and assess the risk of serious harm
- Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable, and no later than 30 days after becoming aware of the breach
- Notify affected individuals as soon as practicable, including what information was involved and recommended steps to protect themselves
This is in accordance with Part IIIC of the Privacy Act 1988 (Notifiable Data Breaches scheme).
12. Children's Privacy
PropInvestor is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a person under 18, we will take steps to delete that information promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to your registered address at least 30 days in advance. The "Last updated" date at the top indicates when this policy was last revised. We encourage you to review this policy periodically.
14. Complaints Process
If you believe we have breached your privacy or mishandled your personal information, you may lodge a complaint with our Privacy Officer at the email below. We will acknowledge your complaint within 7 days and aim to resolve it within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au/privacy/privacy-complaints.
15. Contact & Privacy Officer
For privacy inquiries, data access or correction requests, deletion requests, or complaints, contact our Privacy Officer at: privacy@propinvestor.com.au
You may also write to us at: Privacy Officer, PropInvestor, New South Wales, Australia.