How we protect your data
myAIstrategy is operated by High Impact Group Pty Ltd (ABN 40 682 923 128). This page lists the technical and operational controls currently in place. It is a companion to our Privacy Policy and is maintained alongside the code. If a control is listed here, it is live.
At a glance
- Australian data residency — Supabase Sydney (AWS ap-southeast-2)
- Service-role row-level security — sensitive tables unreadable by client-side queries
- Deletion audit log — every user-initiated deletion recorded
- HMAC-signed unsubscribe tokens — no guessable URLs, Spam Act 2003 compliant
- Stripe webhook signature verification — no unauthenticated payment events accepted
- CSRF protection on mutating API requests — same-origin enforcement in middleware
- Content Security Policy — tight allow-list for scripts, styles, and connections
1. Data residency
All customer data is stored in Australia in Supabase, hosted on AWS in the Sydney region (ap-southeast-2). No customer data is stored outside Australia.
The Vercel edge network routes requests globally, but data at rest remains in Sydney. When customer data is sent to third-party APIs during a scan (Anthropic, Brave Search, Stripe), those services process the request and do not retain customer data for training or reuse. See Privacy Policy §5 for the full list.
2. Access controls
- Row-level security (RLS) is enforced on every user-facing table. A user can only read or modify rows they own.
- Service-role-only tables are used for audit and operational data (email queue, organisation facts, firm members, scan shares). These tables are not readable from the browser under any circumstances.
- API keys and service-role credentials are stored as environment variables and never exposed to client code.
- Supabase Auth backs all user sessions. We support email sign-in and Google OAuth. Passwords are hashed by Supabase using bcrypt; we never see them.
3. Network and transport
- TLS 1.2+ on every connection. Certificates are managed by Vercel.
- Strict Transport Security (HSTS) with a one-year max-age.
- Content Security Policy (CSP) restricts scripts, styles, connections, and frames to an explicit allow-list. The policy is declared in the project configuration and applied to every response.
- A frame-ancestors 'none' CSP directive and X-Content-Type-Options: nosniff prevent clickjacking and MIME sniffing.
- Referrer-Policy: strict-origin-when-cross-origin limits what we and third parties can see about where users came from.
4. CSRF and abuse controls
- CSRF protection on all mutating API requests. Cross-origin POST, PUT, PATCH, and DELETE requests are rejected unless they carry a matching token. Enforced in middleware before the handler runs.
- Rate limiting on auth, scan start, tool runs, and AI conversation endpoints to prevent abuse. Limits are applied per user and per IP.
- PII scrubbing on uploaded documents. Tax File Numbers, Australian Business Numbers, Medicare numbers, BSBs, and account numbers are detected and stripped before any AI processing occurs.
- Input validation with Zod on new and recently touched API routes. Payloads that do not match the expected schema are rejected with a structured error, never executed.
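The PII scrubbing control above (detect and strip TFNs, ABNs, Medicare numbers, BSBs and account numbers before any AI processing) can be illustrated as follows. This is an added example written for this page, not myAIstrategy's own scrubber: the regexes, placeholder labels and the sample document are constructed here, and the check-digit rules used to discard look-alike numbers are the published TFN, ABN and Medicare algorithms.

```javascript
// Added example, not myAIstrategy's code: redact Australian identifiers from
// document text before it is handed to a model. Format regexes find
// candidates; the published check-digit algorithms for TFN, ABN and Medicare
// numbers drop candidates that merely look like one, so a nine-digit invoice
// number is not scrubbed by mistake.
const digitsOf = (s) => s.replace(/\D/g, "");

// TFN: 9 digits, weights 1,4,3,7,5,8,6,9,10; weighted sum divisible by 11.
function isValidTfn(candidate) {
  const d = digitsOf(candidate);
  if (d.length !== 9) return false;
  const weights = [1, 4, 3, 7, 5, 8, 6, 9, 10];
  const sum = weights.reduce((acc, w, i) => acc + w * Number(d[i]), 0);
  return sum % 11 === 0;
}

// ABN: 11 digits, subtract 1 from the first digit, weights
// 10,1,3,5,7,9,11,13,15,17,19; weighted sum divisible by 89.
function isValidAbn(candidate) {
  const d = digitsOf(candidate);
  if (d.length !== 11) return false;
  const weights = [10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19];
  const sum = weights.reduce(
    (acc, w, i) => acc + w * (Number(d[i]) - (i === 0 ? 1 : 0)), 0);
  return sum % 89 === 0;
}

// Medicare: 10 digits, first digit 2-6; the 9th digit is a check digit
// computed from the first 8 with weights 1,3,7,9,1,3,7,9 (mod 10); the
// 10th digit is the card issue number and is not checked.
function isValidMedicare(candidate) {
  const d = digitsOf(candidate);
  if (d.length !== 10 || d[0] < "2" || d[0] > "6") return false;
  const weights = [1, 3, 7, 9, 1, 3, 7, 9];
  const sum = weights.reduce((acc, w, i) => acc + w * Number(d[i]), 0);
  return sum % 10 === Number(d[8]);
}

// Order matters: longer identifiers first, so a TFN-shaped run of digits
// inside an ABN is not scrubbed as a TFN and left partly visible.
const RULES = [
  { label: "ABN", re: /\b\d{2}[ -]?\d{3}[ -]?\d{3}[ -]?\d{3}\b/g, check: isValidAbn },
  { label: "MEDICARE", re: /\b\d{4}[ -]?\d{5}[ -]?\d\b/g, check: isValidMedicare },
  { label: "TFN", re: /\b\d{3}[ -]?\d{3}[ -]?\d{3}\b/g, check: isValidTfn },
  // BSB is six digits written 3-3; there is no check digit to test.
  { label: "BSB", re: /\b\d{3}-\d{3}\b/g, check: () => true },
  // Account numbers have no fixed format, so only a 6-10 digit run that is
  // explicitly labelled as an account number is redacted (label is kept).
  { label: "ACCOUNT", re: /\b(account(?:\s+(?:no\.?|number))?\s*:?\s*)\d{6,10}\b/gi,
    check: () => true, keepPrefix: true },
];

// Returns the redacted text plus a count per identifier type, so the scan
// record can note what was removed without storing the values themselves.
function scrubPii(text) {
  const redacted = {};
  let out = text;
  for (const rule of RULES) {
    out = out.replace(rule.re, (match, prefix) => {
      if (!rule.check(match)) return match; // format matched, checksum failed
      redacted[rule.label] = (redacted[rule.label] || 0) + 1;
      return (rule.keepPrefix ? prefix : "") + `[${rule.label}]`;
    });
  }
  return { text: out, redacted };
}

// Constructed sample document. 123 456 782 and 51 824 753 556 are the
// commonly used TFN and ABN test values; the invoice number 987 654 321 is
// TFN-shaped but fails the checksum and must survive.
const SAMPLE_DOC = [
  "Client: Jane Example, TFN 123 456 782. Trading entity ABN 51 824 753 556.",
  "Medicare 2123 45670 1. Pay to BSB 062-000 account 12345678.",
  "Invoice 987 654 321 is outstanding.",
].join("\n");

module.exports = { isValidTfn, isValidAbn, isValidMedicare, scrubPii, SAMPLE_DOC };
```

Running scrubPii(SAMPLE_DOC) replaces the TFN, ABN, Medicare number, BSB and labelled account number with bracketed placeholders and leaves the invoice number alone; the returned counts are what a scan record would keep instead of the values.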
5. Email and unsubscribe integrity
- HMAC-signed unsubscribe tokens so every unsubscribe link is tamper-evident and tied to the recipient. Links cannot be guessed or reused across accounts.
- Spam Act 2003 compliance. Every marketing email includes a one-click unsubscribe. Unsubscribes are honoured immediately by a kill-switch flag that suppresses all future sequence emails.
- SPF, DKIM, and DMARC are configured on highimpactgroup.com.au so our mail is authenticated at the receiver.
6. Payments
- Stripe Checkout handles every payment. We never see or store card numbers, CVCs, or bank details.
- Stripe webhook signature verification on every inbound event. Events that fail signature check are rejected with 400 and never reach the handler.
- Idempotent handlers. Credit-granting events check for an existing purchase record before taking action, so Stripe retries cannot double-credit an account.
7. Retention and deletion
- Free-tier scan data is automatically deleted 90 days after creation by a scheduled retention job.
- Paid-tier scan data is retained while the user has active access, plus 90 days thereafter.
- Raw uploaded document text is retained for 90 days, then deleted. Only structured insights extracted from the document remain long-term.
- User-initiated deletion is immediate and permanent. Every deletion event is recorded in a deletion audit table so we can demonstrate compliance on request.
8. AI model policy
- Claude models are pinned to specific version IDs in code, not a floating alias. A silent model change cannot affect output quality without a code deployment.
- Commercial API terms apply. Data sent to Anthropic via the Claude API is not used to train Anthropic's models, per their published commercial terms.
- Prompt injection defences on user-supplied inputs routed into AI calls. We treat uploaded documents and chat messages as untrusted input.
9. Infrastructure
- Hosting: Vercel (global edge network, data at rest in Sydney).
- Database and auth: Supabase (Sydney, ap-southeast-2). Encryption at rest is AES-256; backups are managed by Supabase.
- Payments: Stripe (PCI DSS Level 1 compliant).
- Email: Resend for transactional and sequence email, with SPF, DKIM, and DMARC configured on the sending domain.
- Research and enrichment: Brave Search API and Cloudflare for website crawling. Queries are not linked to user identity.
10. Responsible disclosure
If you believe you have found a security issue in myAIstrategy, please email support@highimpactgroup.com.au with a description of the issue and, where possible, steps to reproduce. We will acknowledge receipt within two business days and keep you informed through remediation. We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to respond.
11. Compliance and certifications
myAIstrategy handles personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and the Spam Act 2003. We do not currently hold ISO 27001 or IRAP certification. If your procurement process requires either, contact us and we will respond directly on our plan and timeline.
12. Contact
General security enquiries and privacy matters: Contact us
High Impact Group Pty Ltd
ABN 40 682 923 128
Australia