Privacy Policy

TENSI PTY LTD

ACN 660 817 407  |  ABN 40 660 817 407



1. INTRODUCTION


◆  In plain English

We handle your personal information in line with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

This Policy explains what we collect, why, who we share it with, and your rights.


Tensi Pty Ltd (ABN 40 660 817 407) ("Tensi", "we", "us", or "our") is committed to protecting your privacy and handling your personal information in accordance with the Privacy Act 1988 (Cth) ("Privacy Act") and the Australian Privacy Principles ("APPs").

This Privacy Policy explains how we collect, use, store, disclose, and protect personal information in connection with our AI-powered construction document management platform (the "Platform"), accessible at www.tensi.ai

By using the Platform, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy.



2. WHO IS COVERED


◆  In plain English

This Policy applies to everyone who uses or interacts with Tensi — including people whose information appears in documents uploaded by others.


This Privacy Policy applies to:

  • all individuals who register for or use the Platform ("Users");

  • individuals who access the Platform on behalf of an Organisation;

  • visitors to the Platform; and

  • individuals whose personal information is uploaded to the Platform by an Organisation (for example, subcontractors or project participants included in project documentation).

If you are an Organisation subscriber, you are responsible for ensuring that any personal information about third parties that you upload to the Platform has been collected lawfully and that you have appropriate authority to disclose it to us.


3. PRIVACY OFFICER


◆  In plain English

Our Privacy Officer is responsible for privacy compliance. Contact them with any privacy questions or concerns.


Our Privacy Officer is responsible for overseeing compliance with this Privacy Policy and the Privacy Act. You may contact our Privacy Officer at:


Contact Detail Information

Privacy Officer: Jay Anjamani

Email: we@tensi.ai

Postal Address: 28 Blair Street, Maribyrnong, Victoria 3032, Australia



4. WHAT PERSONAL INFORMATION WE COLLECT


◆  In plain English

We collect what we need to run the Platform — account details, payment references, usage data, and your project files.

We never store raw card numbers. Stripe handles that.


4.1 Account & Identity Information

  • Full name

  • Email address

  • Company / organisation name

  • Phone number

  • Account login credentials (password hashed — not stored in plain text)


4.2 Payment & Billing Information

  • Stripe customer ID and tokenised payment references

  • Subscription and billing history

  • GST invoice records

We do not store raw credit card numbers, CVV codes, or bank account details on Tensi servers. All payment-sensitive data is handled exclusively by Stripe in accordance with their PCI-DSS compliance framework.


4.3 Usage & Analytics Data

  • Feature interaction logs

  • Session activity and duration

  • Device type, browser type, and operating system

  • IP address

  • Page views and navigation patterns (via Google Analytics)


4.4 Project & Document Data

  • Construction project information uploaded by Users

  • Documents, drawings, specifications, and other files stored in the Platform

  • RFI (Request for Information) records and responses

  • Markup annotations

  • Communications sent through the Platform's messaging feature

Project and document data may contain personal information about third parties (for example, names, contact details, and signatures of project participants). You are responsible for ensuring that any such information is handled in accordance with applicable privacy laws.


4.5 Sensitive Information

Tensi does not intentionally collect sensitive information as defined by the Privacy Act (for example, health information, racial or ethnic origin, criminal record). If sensitive information is incidentally included in documents uploaded to the Platform, it is handled under the same protections as other personal information.



5. HOW WE COLLECT PERSONAL INFORMATION


◆  In plain English

We collect information directly from you when you sign up, automatically through your usage, and sometimes from third-party services like Stripe.


We collect personal information:

  • directly from you when you register for an account, complete forms, or contact us;

  • automatically when you use the Platform (usage data, device information, cookies);

  • from third-party services (for example, payment confirmations from Stripe); and

  • from your Organisation, if you have been invited to the Platform by an Organisation Admin.



6. HOW WE USE PERSONAL INFORMATION


◆  In plain English

We use your information to run Tensi, process payments, improve the Platform, and communicate with you. We don't sell your data.


We use personal information for the following purposes:


Purpose: Personal Information Used

Providing and operating the Platform: Name, email, company, project data, usage data

Account management and authentication: Name, email, credentials

Processing payments and issuing tax invoices: Stripe customer ID, billing history

Sending transactional emails (e.g., invoices, notifications): Email address

AI-assisted document processing: Documents uploaded by Users (processed via Google Gemini)

Usage analytics and Platform improvement: Usage data, device information (via Google Analytics)

Customer support: Name, email, account information

Legal and compliance obligations: All data as required

Communicating changes to the Platform or Terms: Email address


We will not use your personal information for any purpose that is incompatible with the purposes described above without your consent, except where required by law.



7. DISCLOSURE OF PERSONAL INFORMATION


◆  In plain English

We share your information with the third-party services that power the Platform.

Some process data in the United States. We're required to disclose this under APP 8 of the Privacy Act.


7.1 Third-Party Service Providers

We share personal information with the following third-party service providers to operate the Platform. Each provider is required to handle your data in accordance with applicable privacy laws:


Provider · Purpose · Data Location · Data Leaves Australia?

Google Gemini (GCP) · AI document processing · United States · YES ⚠

Foxit · PDF markup and editing · YES ⚠ · YES ⚠

Supabase · Database and authentication · Sydney, Australia (ap-southeast-2) · No

AWS · Cloud infrastructure and storage · Sydney, Australia (ap-southeast-2) · No

Stripe · Payment processing · United States · YES ⚠

Resend · Transactional email delivery · United States · YES ⚠

Google Analytics · Usage analytics · United States · YES ⚠


⚠ Cross-border disclosures to the United States: Personal information is disclosed to Google (Gemini and Analytics) and Stripe, which process data in the United States. These disclosures are made under APP 8 of the Privacy Act 1988 (Cth). Tensi takes reasonable steps to ensure overseas recipients handle personal information in a manner consistent with the APPs.


7.2 Other Disclosures

We may also disclose personal information:

  • to our legal, accounting, or other professional advisers;

  • where required or authorised by law (for example, to government agencies or courts);

  • in connection with the sale, merger, or acquisition of all or part of Tensi's business (with appropriate confidentiality protections); and

  • with your consent.

We will not sell your personal information to third parties or use it for direct marketing purposes without your consent.



8. CROSS-BORDER DATA TRANSFERS (APP 8)


◆  In plain English

When we send data to overseas providers (Google, Stripe), we take steps to ensure they handle it consistently with Australian privacy law.

Under APP 8 of the Privacy Act, when we disclose personal information to overseas recipients, we are generally accountable for ensuring those recipients handle the information in accordance with the APPs.


By using the Platform, you acknowledge that certain personal information will be transferred to and processed in the United States by Google (Gemini AI and Google Analytics) and Stripe (payment processing). These transfers are necessary to provide the Platform's core functionality.


Tensi takes reasonable steps to ensure that overseas recipients are bound by data protection obligations consistent with Australian privacy law, including through contractual data processing agreements.


9. COOKIES & TRACKING TECHNOLOGIES


◆  In plain English

We use cookies to keep you logged in, remember your preferences, and understand how people use the Platform.

Analytics and marketing cookies are optional.


9.1 Types of Cookies Used


Cookie Type · Purpose · Essential?

Session Cookies · Maintain your login session while using the Platform · Yes ·

Functional Cookies · Remember your preferences and settings · Yes

Analytics Cookies · Collect usage data via Google Analytics to improve the Platform · No

Marketing Cookies · Targeted advertising and retargeting (under review for alpha release) · No


You may control cookies through your browser settings. Disabling certain cookies may affect the functionality of the Platform. On your first visit to the Platform, you will be presented with a cookie consent notice.



10. DATA RETENTION


◆  In plain English

We keep your data while your account is active. Project data is permanently deleted 121 days after subscription cancellation. Billing records are kept for 7 years.


10.1 Subscription & Account Data

We retain your personal information for as long as your account is active and for a reasonable period thereafter to fulfil the purposes described in this Privacy Policy.


10.2 Project & Workspace Data

Following subscription cancellation or expiry, project and workspace data is retained and then deleted in accordance with the lifecycle set out in our Subscription Terms and summarised below:


Period · Status · What Happens

Day 0–30 · Grace Period · Data accessible in read-only mode. Managers may export.

Day 31–120 · Cold Storage · Data archived. Not accessible via Platform UI.

Day 114 · Warning · Email notification to Organisation Admin.

Day 121 · Permanent Deletion · All project data permanently deleted (irreversible).

7 Years · Billing Records · Billing records retained per ATO requirements.


10.3 Billing Records

Invoices, payment history, and subscription records are retained for a minimum of 7 years in compliance with ATO requirements. These records are not deleted on account closure.



11. SECURITY


◆  In plain English

We store Australian user data in Sydney. We use encryption, access controls, and Stripe's PCI-DSS payment security.

If there's ever a notifiable data breach, we'll tell you and the OAIC.


We implement reasonable technical and organisational security measures to protect your personal information from unauthorised access, disclosure, alteration, or destruction. These measures include:

  • Data hosted in Australia on AWS Sydney and Supabase ap-southeast-2 (for Australian data);

  • Encryption of data in transit using TLS/HTTPS;

  • Authentication and access controls;

  • Third-party payment processing through Stripe's PCI-DSS compliant infrastructure; and

  • Regular security reviews during the alpha development period.

No method of transmission over the internet or electronic storage is completely secure. While we strive to protect your personal information, we cannot guarantee absolute security. In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act.



12. YOUR RIGHTS (AUSTRALIAN PRIVACY PRINCIPLES)


◆  In plain English

You have the right to access and correct your personal information, and to make a complaint if we've mishandled it.

We'll respond to access and correction requests within 30 days.

Under the Privacy Act and the APPs, you have the following rights in relation to your personal information:


Right · Description · How to Exercise

Access (APP 12) · Request access to the personal information we hold about you. · Contact our Privacy Officer (see Section 3).

Correction (APP 13) · Request correction of inaccurate, incomplete, or out-of-date personal information. · Contact our Privacy Officer or update your account settings.

Complaint (APP 1) · Lodge a complaint with us about an alleged breach of the APPs. · Contact our Privacy Officer (see Section 3).

OAIC Escalation (Privacy Act s.36) · Lodge a complaint with the Office of the Australian Information Commissioner (OAIC). · Visit www.oaic.gov.au or call 1300 363 992.


We will respond to access and correction requests within 30 days or provide an explanation of any delay. In the event of a privacy complaint, we will work to resolve the matter within a reasonable timeframe.



13. CHILDREN'S PRIVACY


◆  In plain English

Tensi is not for anyone under 18. We don't knowingly collect information from minors.

Tensi is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected information from someone under 18, we will take steps to delete such information and to remove the individual's account.



14. COMPLAINTS


◆  In plain English

If you're not happy with how we've handled your personal information, contact us first. If we can't resolve it, you can escalate to the OAIC.

If you have a complaint about how we have handled your personal information, please contact our Privacy Officer (see Section 3) with details of your complaint. We will acknowledge receipt of your complaint within 5 business days and will endeavour to resolve the matter within 30 days.

If you are not satisfied with our response or if we are unable to resolve the matter, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC). The OAIC can be contacted at:


Contact · Details

Postal Address · GPO Box 5218, Sydney NSW 2001

Phone · 1300 363 992

Email · enquiries@oaic.gov.au

Website · www.oaic.gov.au



15. CHANGES TO THIS PRIVACY POLICY


◆  In plain English

If we make material changes, we'll notify you by email at least 14 days before they take effect.

Tensi may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (to the address associated with your account) at least 14 days before the changes take effect. Your continued use of the Platform after the effective date of the updated Privacy Policy constitutes your acceptance of the updated policy.


16. CONTACT US


◆  In plain English

For any privacy questions, requests, or complaints — contact our Privacy Officer at the details below.

For any questions about this Privacy Policy or to exercise your privacy rights:


Contact Detail · Information

Privacy Officer · Jay Anjamani

Email · we@tensi.ai

Postal Address · 28 Blair Street, Maribyrnong, Victoria 3032, Australia