Privacy Policy

DevSite AI ("we", "us", "our") operates the website at devsiteai.com. We provide property development feasibility analysis to Australian users. We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

We collect the minimum personal information needed to operate the service:

• Account details: email address, name (optional), and a hashed password.
• Search data: property addresses you search, prices you enter, and feasibility outputs we generate. Stored against your account so you can revisit prior reports.
• Payment information: processed by Stripe Inc. We never store your full card number — Stripe gives us a customer ID and the last four digits only.
• Usage data: IP address, browser type, pages visited, and timestamps. Used for security monitoring and to fix bugs.

• To deliver the feasibility reports and dashboards you requested.
• To process payments and manage subscriptions.
• To send transactional emails (password resets, payment receipts, account notifications).
• To send marketing emails about features and pricing — only if you have opted in. You can unsubscribe at any time using the link in any marketing email.
• To detect and prevent fraud, abuse, and security incidents.
• To improve our analysis algorithms — using aggregate, de-identified search data only.

We share personal information only with the third parties needed to run the service:

• Stripe (payments) — name, email, payment details. stripe.com/au/privacy
• Vercel (hosting) — incidental access to logs and request data. vercel.com/legal/privacy-policy
• Neon (database) — encrypted storage of all account and report data. neon.tech/privacy-policy
• Klaviyo (email marketing) — email address, name, plan tier (only if you have opted in to marketing). klaviyo.com/legal/privacy-policy
• Resend (transactional email) — email address only, used to deliver password reset and account emails. resend.com/legal/privacy-policy
• Anthropic (AI scraping) — addresses and council names only. We never share your name, email, or payment details. anthropic.com/legal/privacy
• Google Cloud (geocoding) — addresses you enter. cloud.google.com/terms/cloud-privacy-notice
• Sentry (error monitoring) — error stack traces and IP addresses. sentry.io/privacy/

Some of these providers store data outside Australia (primarily the United States and the European Union). By using DevSite AI you consent to that overseas transfer. We select providers that publish equivalent privacy commitments.

We will disclose your information when required by law (e.g. court order, regulator request) or to protect our rights and the safety of our users. We do not sell or rent personal information.

We use a small number of cookies, all first-party:

• Session cookie (essential) — keeps you logged in. Auto-deleted on logout or after 30 days.
• Klaviyo onsite tracking (only set if you visit a Klaviyo email link) — tracks email engagement.

We do not use third-party advertising cookies or cross-site trackers.

• Account data: kept until you delete your account.
• Search history: kept until you delete your account.
• Payment records: retained for at least 7 years to meet ATO record-keeping obligations.
• Server logs: retained for 90 days then purged.

• Access: you can request a copy of the personal information we hold about you.
• Correction: you can ask us to fix data that is inaccurate or out of date.
• Deletion: you can ask us to delete your account; we will delete your personal data within 30 days, subject to retention obligations under section 6.
• Marketing opt-out: use the unsubscribe link in any marketing email or contact us directly.
• Complaints: if you believe we have mishandled your data, contact us first. If unresolved you can complain to the Office of the Australian Information Commissioner at oaic.gov.au.

We use bcrypt to hash passwords, TLS 1.2+ for all connections, encrypted storage at rest, and rate-limiting on authentication endpoints. No system is 100% secure — if we become aware of a breach affecting your data we will notify you in line with the Notifiable Data Breaches scheme.

DevSite AI is not directed at people under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

We may update this policy from time to time. The "Last updated" date at the top of the page reflects the most recent change. Material changes will be notified by email to active accounts.

For privacy enquiries, data access requests, or complaints, email privacy@devsiteai.com.