Privacy Policy

1. Introduction

Pixelex Pty Ltd (ABN pending) (“Pixelex”, “we”, “us”) operates Pixelex Exchange, a document control and tracked correspondence platform for AEC design practices. This Privacy Policy describes how we collect, use, store, and protect your personal information.

We comply with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the EU General Data Protection Regulation (GDPR) where applicable.

2. Information We Collect

Account information: Full name, email address, organisation name and type, role within organisation.

Usage data: Login timestamps, IP addresses, user agent strings, pages visited, actions performed (via audit trail).

Content data: Documents, correspondence, transmittals, and other files uploaded to or created within the platform by you and your organisation.

Billing data: Payment processing is handled by Stripe. We store your Stripe customer ID but do not store credit card numbers or full payment details.

3. How We Use Your Information

• To provide and operate the Pixelex Exchange platform
• To authenticate your identity and manage access control
• To maintain the audit trail (a core platform feature)
• To send transactional emails (correspondence notifications, password resets)
• To process billing and subscription management
• To respond to support requests
• To improve the platform based on aggregated, anonymised usage patterns

We do not sell your personal information. We do not use your content data for marketing or advertising purposes.

4. Data Storage & Security

Your data is stored using the following infrastructure:

• Database & authentication: Supabase (hosted on AWS ap-southeast-2, Sydney, Australia)
• File storage: Cloudflare R2 (globally distributed, S3-compatible object storage)
• Application hosting: Vercel (Sydney region, ap-southeast-2)

Security measures include:

• Row-level security (RLS) ensuring strict tenant data isolation
• All data encrypted in transit (TLS 1.3) and at rest (AES-256)
• JWT-based authentication with bcrypt password hashing
• All file access via short-lived signed URLs (no direct public access)
• Malware scanning on all uploaded files via attachmentAV (Sophos-powered)

5. Sub-Processors

We use the following third-party services to operate the platform:

6. Your Rights

You have the right to:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate personal information
• Deletion: Request deletion of your account and personal data (subject to audit trail retention requirements)
• Export: Export your data in standard formats (CSV, PDF)
• Restrict processing: Request restriction of processing in certain circumstances (GDPR)
• Data portability: Receive your data in a structured, machine-readable format (GDPR)

Note: Due to the immutable audit trail, certain records (audit logs, sent correspondence metadata) cannot be deleted as they ensure platform integrity for all parties.

7. Data Retention

Active account data is retained for the duration of your subscription. Upon account termination, you have 90 days to export your data. After this period, personal data is deleted, though anonymised audit records may be retained for compliance purposes.

8. Cookies

Pixelex Exchange uses only essential cookies and local storage for authentication tokens. We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 14 days before taking effect.

10. Contact

For privacy inquiries or to exercise your rights, contact us at privacy@pixelex.app.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.