
Privacy Policy

Last Updated: 22 May 2026 | Effective Date: 22 May 2026 | Version 2.1

Updated from Version 2.0 (5 April 2026). Version 2.1 adds a new Section 12 (Meta Platform Integrations) covering Meta Lead Ads and Meta Page Messaging, and expands Sections 6.2 and 7 to include Meta as a service provider and overseas recipient. Previous versions (2.0 dated 5 April 2026; 1.0 dated 30 January 2026) are available upon request.

About This Policy

Meister Athlete Pty Ltd (ABN 49 162 434 513), trading as Valutten (“Valutten”, “we”, “us”, “our”), is committed to protecting your privacy and complying with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our commission intelligence platform for Australian mortgage brokerages (“Service”, “Platform”).

This policy applies to:

  • Users of the Valutten platform (brokers, administrators, office managers)
  • Individuals whose data appears in commission records uploaded to our platform
  • Visitors to our website
  • Business contacts and prospective customers

By using our Service, you consent to the collection and use of information in accordance with this Privacy Policy. This policy should be read in conjunction with our Terms of Service.

Table of Contents

  1. Information We Collect
  2. How We Use Your Information
  3. Legal Basis for Processing
  4. Data Storage and Security
  5. Data Retention
  6. Disclosure of Information
  7. Cross-Border Disclosure
  8. Product Analytics (PostHog)
  9. AI Processing
  10. Gmail Integration
  11. Email Communications
  12. Meta Platform Integrations
  13. Cookies and Tracking
  14. Your Rights
  15. Children's Privacy
  16. Changes to This Policy
  17. Contact Information

1. Information We Collect

1.1 Information You Provide Directly

We collect information you voluntarily provide when using our Service:

  • Account Information: Name, email address, phone number, job title, company name
  • Authentication Data: Password (stored encrypted), multi-factor authentication settings
  • Company Information: Business name, ABN, office locations, aggregator relationships
  • Commission Data: Commission records you upload including broker names, lender details, loan information, payment amounts, customer/borrower names
  • Support Communications: Correspondence when you contact us for assistance

1.2 Information Collected Automatically

When you access our Service, we automatically collect:

  • Device Information: Browser type, operating system, device identifiers
  • Log Data: IP address, access times, pages viewed, actions taken
  • Usage Information: Features used, reports generated, files uploaded
  • Product Analytics: Page views, UI interactions, and error reports collected via PostHog (consent-gated; see Section 8)

1.3 Information from Third Parties

  • Authentication Providers: Identity data from Google Sign-In (if enabled)
  • Payment Processors: Subscription and billing data from Stripe (we do not store full payment card details)
  • Gmail API: Commission email content if you enable the optional email integration (see Section 10)

1.4 Sensitive Information

We do not intentionally collect sensitive information (as defined in the Privacy Act) such as health information, racial or ethnic origin, political opinions, or religious beliefs. The commission data you upload may contain financial information related to loan transactions, which we treat with appropriate security measures.

2. How We Use Your Information

2.1 Primary Purposes

We use your information to:

  • Provide, maintain, and improve our commission tracking and analytics Service
  • Process and display your commission data in dashboards and reports
  • Create and manage your user account
  • Communicate with you about your account, updates, and support requests
  • Send transactional emails (password resets, security alerts, subscription confirmations)
  • Generate AI-powered commission insights (see Section 9)
  • Ensure the security and integrity of our Service

2.2 Secondary Purposes

We may also use your information to:

  • Analyse product usage patterns via PostHog to improve the Service (consent-gated)
  • Generate anonymised, aggregated statistics about platform usage (not identifiable to you)
  • Comply with legal obligations and regulatory requirements
  • Protect our rights and prevent fraud or abuse

2.3 What We Do Not Do

We will never:

  • Sell your personal information or commission data to third parties
  • Share your commission data with other Valutten customers
  • Use your data for purposes unrelated to providing our Service without your consent
  • Send marketing communications without your express consent
  • Use commission data to train AI models (data is used for inference only, not training)

3. Legal Basis for Processing

Under the Australian Privacy Principles, we collect and process your personal information on the following bases:

  • Consent: You have provided consent by creating an account and uploading data. For analytics and AI features, separate opt-in consent is obtained.
  • Contractual Necessity: Processing is necessary to provide our Service under the Terms of Service
  • Legal Obligation: Processing is required to comply with Australian law (e.g., record keeping requirements)
  • Legitimate Interests: Processing is necessary for our legitimate interests in improving our Service, provided this does not override your rights

4. Data Storage and Security

4.1 Data Location

Primary data is stored in Google Cloud Platform's australia-southeast1 (Sydney) region. This includes your commission data (BigQuery), user accounts (Firestore), uploaded files (Cloud Storage), and audit logs.

Limited data is processed by overseas providers as disclosed in Section 7. This includes authentication tokens (Firebase Authentication, US), product analytics events (PostHog, EU), AI inference requests (Anthropic, US), transactional email delivery (Resend, US), payment processing (Stripe, US/Global), and Meta platform integrations for lead capture and Page messaging (Meta, US/Ireland) where you have explicitly connected a Meta Page (see Section 12).

4.2 Security Measures

We implement industry-standard security measures including:

  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access Controls: Role-based access control (RBAC) ensures users only access authorised data
  • Authentication: Strong password requirements and multi-factor authentication (MFA)
  • Audit Logging: Immutable audit trail of all data access and modifications
  • Regular Backups: Automated daily backups with secure retention
  • Tenant Isolation: Multi-tenant architecture with strict data separation between customer accounts
  • PII Tokenization: Broker and lender names are tokenized before transmission to AI providers (see Section 9)

4.3 Security Incident Response

In the event of a data breach that is likely to result in serious harm, we will notify the Office of the Australian Information Commissioner (OAIC) within 72 hours and notify affected individuals as soon as practicable, in accordance with the Notifiable Data Breaches scheme under the Privacy Act.

5. Data Retention

5.1 Retention Periods

| Data Type | Retention Period | Reason |
|---|---|---|
| Commission Data | 7 years from upload | ASIC / Corporations Act 2001 record-keeping |
| RCTI Documents | 7+ years | Tax and compliance requirements |
| Audit Logs | 10 years | Regulatory compliance and security |
| Account Information | Active account + 90 days after deletion | Service operation |
| AI Query History | 90 days | Service improvement and context |
| Email Delivery Logs | 180 days | Deliverability monitoring |
| Product Analytics Events | 12 months | Product improvement (consent-gated) |
| Support Communications | 2 years after resolution | Service quality |

5.2 Account Deletion

When you delete your account, we will remove your personal information within 90 days. However, commission data may be retained as required by law (7-year retention period for financial records under the Corporations Act 2001). Retained data will be anonymised where possible. Backups are retained for disaster recovery (maximum 30 days after deletion).

6. Disclosure of Information

6.1 Disclosures Within Your Organisation

We disclose personal information to authorised users within your organisation based on their assigned roles and permissions. Company administrators can view all users and brokers within their company; office administrators can view users and data within their assigned offices; brokers can view their own commission data only.

6.2 Service Providers

We engage the following third-party service providers who process personal information on our behalf:

| Service | Provider | Location | Purpose |
|---|---|---|---|
| Core Infrastructure | Google Cloud Platform / Firebase | AU (australia-southeast1) | Cloud infrastructure, Firestore database, Cloud Storage, BigQuery data warehouse |
| Authentication | Firebase Authentication | US (not regionalized) | User authentication, session tokens, identity verification |
| Product Analytics | PostHog | EU (eu.posthog.com) | Page views, UI interactions, error reports (consent-gated) |
| AI Processing | Anthropic | US | Commission insights and natural-language queries (PII tokenized before transmission) |
| Email Delivery | Resend | US | Transactional email delivery (tracking pixels disabled) |
| Payment Processing | Stripe | US / Global | Subscription billing, PCI-DSS compliant (we do not store full card details) |
| Email Integration | Google OAuth / Gmail API | US | Optional commission email import (gmail.readonly scope) |
| Lead Capture (Meta Lead Ads) | Meta Platforms, Inc. | US / Ireland | Optional — receives lead form submissions from your authorised Facebook/Instagram ad campaigns into your Valutten lead inbox (see Section 12) |
| Page Messaging (Meta) | Meta Platforms, Inc. | US / Ireland | Optional — surfaces direct messages sent to your connected Facebook Page inside Valutten so you can respond from the platform (see Section 12). Available only after Meta App Review approval of the pages_messaging permission. |

All service providers are contractually obligated to protect your information, implement appropriate security measures, process data only as instructed by us, and delete data when no longer needed.

6.3 Legal Requirements

We may disclose your information if required to:

  • Comply with a legal obligation, court order, or regulatory request
  • Respond to requests from ASIC, AUSTRAC, OAIC, or other regulatory bodies
  • Protect our rights, property, or safety, or that of our users
  • Investigate potential violations of our Terms of Service

6.4 Business Transfers

If Valutten is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or use of your personal information.

7. Cross-Border Disclosure

While our primary data infrastructure is in Australia (GCP australia-southeast1), certain service providers process limited categories of data outside Australia. Under APP 8, we disclose the following:

| Service | Country | Data Categories | Safeguards |
|---|---|---|---|
| Firebase Authentication | United States | Email, hashed password, session tokens, MFA config | Google Cloud Data Processing Terms, SOC 2/3, ISO 27001 |
| PostHog | European Union | Anonymised usage events, page views, UI interactions, error reports | EU-hosted instance (eu.posthog.com), Data Processing Agreement, SOC 2 |
| Anthropic (Claude AI) | United States | Tokenized commission queries (broker/lender names replaced with opaque tokens), dollar amounts, date ranges | Data Processing Agreement, PII tokenization before transmission, 30-day prompt retention for safety monitoring only, not used for model training |
| Resend | United States | Recipient email addresses, email subject lines, delivery metadata | Data Processing Agreement, tracking pixels disabled on transactional emails |
| Stripe | United States / Global | Billing name, email, payment card tokens, subscription status | PCI-DSS Level 1, Standard Contractual Clauses, SOC 2 |
| Google OAuth / Gmail API | United States | OAuth tokens, email message content (gmail.readonly scope, optional) | Google API Services User Data Policy, OAuth consent screen, revocable at any time |
| Meta (Lead Ads) | United States / Ireland | Lead form field responses (name, email, phone, custom questions you configured), form/campaign/page identifiers, submission timestamp | Meta Platform Terms, Meta Data Processing Terms, OAuth-issued Page Access Token stored in Google Secret Manager (australia-southeast1), HMAC-SHA256 webhook signature verification, revocable at any time (see Section 12) |
| Meta (Page Messaging) | United States / Ireland | Direct message content sent to your connected Facebook Page, Page-Scoped User ID (PSID), sender display name, message timestamp. Available only when the optional Page Messaging integration is enabled. | Meta Platform Terms, Meta Data Processing Terms, granted via Meta App Review (pages_messaging permission), Page Access Token stored in Google Secret Manager (australia-southeast1), revocable at any time (see Section 12) |

Before disclosing personal information overseas, we take reasonable steps to ensure the recipient is subject to a law or binding scheme substantially similar to the Australian Privacy Principles, or has contractually agreed to handle the information in accordance with the APPs.

By using Valutten, you consent to the international transfers described above. If you do not consent, please contact us to discuss alternatives, noting this may limit available functionality.

8. Product Analytics (PostHog)

We use PostHog (EU-hosted at eu.posthog.com) for product analytics, routed through our own servers to ensure reliability. Analytics data collection requires your opt-in consent.

8.1 What We Collect

  • Page views and navigation patterns
  • UI interactions (button clicks, feature usage)
  • Error reports and performance metrics
  • Device type and browser information

8.2 What We Do NOT Collect

  • Session recordings: Disabled — we do not record your screen
  • Console logs: Disabled — we do not capture browser console output
  • Form input values: Masked — we do not capture text you type into forms
  • Commission data: Never sent to analytics

8.3 Consent and Control

  • Opt-in: Analytics data is only collected after you consent via the consent banner
  • Settings: You can manage your analytics preferences at any time in Settings > Privacy
  • Do Not Track: We respect the Do Not Track (DNT) browser signal — if your browser sends DNT, no analytics events are collected
  • Ad blockers: Analytics is routed through our own domain to ensure data integrity, but blocking it will not affect platform functionality

9. AI Processing

Valutten uses Anthropic's Claude AI to provide commission intelligence features. This section explains what data is sent, how it is protected, and your opt-out rights.

9.1 AI-Powered Features

  • First-Login Briefing: An automated summary of your company's commission activity, generated on first login for administrators
  • AI Assistant: Natural-language queries about your commission data (e.g., “What was our trail income last quarter?”)

9.2 PII Protection

Before any data is sent to Anthropic:

  • Broker names are replaced with opaque tokens (e.g., [VT_BROKER_0])
  • Lender names are replaced with opaque tokens (e.g., [VT_LENDER_0])
  • Loan IDs are omitted entirely from AI requests
  • Dollar amounts and date ranges are included as they are necessary for meaningful analysis
  • Tokens are mapped back to real names only within our Australian infrastructure after the AI response is received

9.3 Data Retention by Anthropic

Anthropic may retain prompts for up to 30 days for safety and abuse monitoring purposes. Prompts are not used to train AI models. After 30 days, prompts are deleted from Anthropic's systems.

9.4 Opt-Out

AI features are available to Enterprise and Pro tier subscribers. If you do not wish to use AI features, you can avoid them entirely — they are not invoked unless you navigate to the AI Assistant or trigger the first-login briefing. You may also contact us to disable AI features for your account.

10. Gmail Integration

Valutten offers an optional Gmail integration to help automate commission file imports. This feature requires explicit authorization and can be revoked at any time.

10.1 Scope and Access

  • OAuth scope: gmail.readonly — read-only access to email messages
  • What we access: Email messages matching commission-related sender addresses and subject lines (e.g., lender commission statements)
  • What we extract: Attached commission files (CSV, XLSX, PDF) for processing through our pipeline
  • What we do NOT access: Emails unrelated to commission statements, drafts, sent mail, or contacts

10.2 Data Storage

Extracted commission files are stored in our Australian infrastructure (Cloud Storage, australia-southeast1) and processed identically to manually uploaded files. We do not store the full email body — only the extracted attachments and metadata needed for processing (sender, subject, date).

10.3 Revocation

You can revoke Gmail access at any time by:

  • Visiting your Google Account > Security > Third-party apps with account access
  • Contacting us at support@valutten.com

Revoking access stops future email imports but does not delete commission data already processed (retained per Section 5).

11. Email Communications

11.1 Transactional Emails

We send transactional emails via Resend for:

  • Account verification and password resets
  • Security alerts (new sign-in, MFA changes)
  • Subscription confirmations and billing receipts
  • Team invitations

Tracking pixels are disabled on all transactional emails. We do not track whether you open transactional emails or click links within them.

11.2 Marketing Emails

Marketing emails require your explicit opt-in consent, collected during the subscription checkout process via Stripe. You may unsubscribe at any time via the unsubscribe link in any marketing email, or by contacting us. We comply with the Spam Act 2003 (Cth) for all commercial electronic messages.

11.3 Email Sender

All emails from Valutten are sent from noreply@valutten.com or support@valutten.com. We authenticate all outgoing email with SPF, DKIM, and DMARC to protect against spoofing.

12. Meta Platform Integrations

Valutten offers optional integrations with Meta platforms (Facebook and Instagram) to help your team capture leads and respond to customer enquiries from a single inbox. These integrations are off by default and are only enabled when an authorised user of your organisation connects a Facebook Page through Settings > Integrations > Meta.

12.1 Scope of Integration

  • Meta Lead Ads (live): Valutten receives lead form submissions from Facebook and Instagram ad campaigns operated by your connected Facebook Page, delivered via Meta's Webhooks API.
  • Meta Page Messaging (subject to Meta App Review approval of the pages_messaging permission): Valutten surfaces direct messages sent by Facebook users to your connected Page inside the Valutten lead inbox so your team can respond from within the platform. This feature is available only after Meta grants the permission and you enable it on your Page.

12.2 Information We Receive from Meta

| Integration | Categories of Personal Information |
|---|---|
| Lead Ads | Lead form field responses you configured in Meta Ads Manager — typically name, email address, phone number, and any custom qualifying questions; lead provenance metadata (form ID, ad/campaign ID, Page ID, submission timestamp) |
| Page Messaging | Message content sent by Facebook users to your Page; the sender's Page-Scoped User ID (PSID); sender display name as exposed by Meta; message timestamps; conversation history retrieved through the Meta Graph API for the active conversation |

We do not receive a Facebook user's broader profile, friends list, ad preferences, location, or content posted outside the conversation with your Page.

12.3 How We Use This Information

  • Route incoming leads and Page messages into your Valutten lead inbox according to the routing rules your organisation has configured
  • Trigger assignment notifications to the responsible user in your team
  • Display the conversation thread so an authorised user can respond from inside Valutten
  • We do not share Meta-sourced personal information with other Valutten customers and we do not use it for marketing, training of AI models, or any purpose other than operating the integration you enabled

12.4 Authentication and Security

  • OAuth credentials issued by Meta (Page Access Tokens and, where applicable, System User tokens) are stored encrypted in Google Secret Manager in our Australian infrastructure (australia-southeast1)
  • Webhook payloads from Meta are verified via HMAC-SHA256 signature using the Meta App Secret before processing — payloads that fail signature verification are rejected
  • The integration uses least-privilege OAuth scopes appropriate to each capability (for example, leads_retrieval, pages_show_list, pages_manage_metadata, and, where granted, pages_messaging)
  • All communications with Meta are over TLS 1.2+ encrypted channels

12.5 Retention

  • Leads and message threads are retained inside your Valutten tenant for the same period as other CRM records (the life of your active account, plus 90 days after deletion, unless an earlier deletion is requested)
  • Meta-issued tokens are refreshed periodically; when you disconnect an integration the tokens are revoked at Meta and deleted from our Secret Manager
  • Webhook delivery logs are retained for 180 days for deliverability monitoring

12.6 Lawful Basis and Notice to Lead Submitters

When you run Meta Lead Ads, you are the controller of the data subject's lead submission and you are responsible for the privacy notice presented to the lead inside the Meta lead form, as required by Meta's Terms for Lead Ads. Valutten acts as your processor for the purpose of receiving, storing, routing, and surfacing those submissions inside your tenant.

For Page Messaging, Meta presents its own messaging notices to the Facebook user; by sending your Page a message the user has initiated a 1:1 conversation that we surface to your team in line with Meta's Platform Terms.

12.7 Revocation

You can disconnect a Meta integration at any time. Either:

  • Inside Valutten — Settings > Integrations > Meta — choose Disconnect; or
  • Inside Meta — Business Manager > Business Settings > Integrations > Apps, locate Valutten, and remove access

Either action immediately revokes our tokens and stops further lead or message ingestion from that Page. Records already received remain inside your tenant per Section 12.5 unless you separately request deletion under Section 14.

13. Cookies and Tracking

13.1 Essential Cookies

We use essential cookies that are necessary for the operation of our Service, including authentication tokens and session management. These cookies cannot be disabled as they are required for the Service to function.

13.2 Analytics Cookies

PostHog may set first-party cookies to track anonymous session identifiers if you consent to analytics. No third-party advertising or tracking cookies are used. We do not use Google Analytics.

13.3 Managing Cookies

You can manage cookie preferences through your browser settings or via our consent banner. Please note that disabling essential cookies may prevent you from using some features of our Service.

For detailed information about specific cookies, their purposes, and durations, see our Cookie Notice.

14. Your Rights

Under the Privacy Act 1988 and Australian Privacy Principles, you have the following rights:

14.1 Access (APP 12)

You have the right to request access to the personal information we hold about you. We will provide this information within 30 days of your request, subject to verification of your identity. We may charge a reasonable fee for access requests that require significant effort to fulfil.

14.2 Correction (APP 13)

You have the right to request correction of any personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. You can update most account information directly through your account settings.

14.3 Account Deletion

You can request deletion of your account and personal information by contacting us. Please note that some information may be retained as required by law (see Section 5).

14.4 Right to Anonymity (APP 2)

Where practical, you may choose not to identify yourself when dealing with us. However, this is not possible for account registration, commission data processing, or support requests where identity verification is required.

14.5 Complaints

If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with us using the contact details below. We will investigate and respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by phone at 1300 363 992.

15. Children's Privacy

Our Service is intended for business use by mortgage broking professionals and is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete that information.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the “Last Updated” date at the top of this policy
  • Notify you by email and/or prominent notice within the Service at least 14 days before material changes take effect
  • For significant changes that affect your rights, seek your consent where required
  • Make previous versions available upon request

Your continued use of Valutten after changes take effect constitutes acceptance of the updated policy.

17. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Valutten Privacy Officer

Meister Athlete Pty Ltd (ABN 49 162 434 513), trading as Valutten

Email: privacy@valutten.com

Support: support@valutten.com

Phone: 0409 774 479

Address: Sunrise Beach, QLD 4567, Australia

We will respond to your inquiry within 30 days. For access or correction requests, we may need to verify your identity before processing your request.

This Privacy Policy is governed by the laws of Queensland, Australia. For more information about privacy in Australia, visit the OAIC at www.oaic.gov.au.

Version 2.1 | Effective 22 May 2026 | Approved by Dieter Roylance, Director

© 2026 Meister Athlete Pty Ltd (trading as Valutten). All rights reserved.
