Privacy policy

Trail AI is an Australian software-as-a-service product for mortgage brokers and small brokerages. This policy explains how we collect and handle personal information when you sign up for an account, use the product, visit trailai.com.au, or correspond with us.

We are bound by the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth) and apply them as the default standard for everyone, whether or not they live in Australia.

We collect three kinds of information.

Account information — your email address, name (if you supply it), brokerage name, and team membership. Required to identify you and bill the right subscription tier.

Aggregator files you upload — typically monthly trail spreadsheets from AFG, LMG, Connective, or another panel aggregator. These files contain personal information about your clients — borrower names, account numbers, balances, lender names, settlement dates. You are the data controller for that information; we process it on your instructions as a service provider.

Usage information — basic logs of when you sign in, which pages you view, and which actions you take (e.g. "generated a valuation PDF"). We do not run third-party advertising or marketing-tracking scripts on logged-in pages.

We use the information you give us to:

• provide the product features you signed up for;
• verify it is you when you log in (via one-time codes emailed to you);
• process subscription payments (via Stripe, see §5);
• email you about your trial, billing, or material changes to the service;
• diagnose bugs and improve the product (using aggregated, non-identifying signals where possible);
• meet our legal obligations (e.g. tax records, fraud prevention).

We do not sell your information or your clients' information to anyone, and we do not use uploaded broker data to train any AI model.

All customer data — including uploaded aggregator files, extracted loan records, and PDF valuations — is stored in our Supabase Postgres database and object storage in the Sydney (ap-southeast-2) region. Application hosting is on Vercel in the Sydney (syd1) region. We do not store customer data outside Australia.

AI document extraction is performed on demand by an LLM accessed through the Vercel AI Gateway. Provider routing is determined at request time; payloads are sent over TLS and are not retained by providers beyond the request lifecycle under our gateway agreement. We send only the contents needed to extract structured fields — typically a chunk of the uploaded file — and we discard the model response after we have parsed the data we need.

We use the following sub-processors. Each is contractually bound to protect the data they handle on our behalf.

• Supabase — managed Postgres + authentication + object storage (Sydney region).
• Vercel — application hosting and edge delivery (Sydney region).
• Vercel AI Gateway — routing layer to multiple LLM providers for AI extraction and reasoning.
• Stripe — payment processing. We do not see or store full card numbers; Stripe handles all PCI-DSS scope.
• Resend — transactional email delivery (sign-in codes, trial reminders, billing notifications).
• Google — if you sign in with Google, we receive your email address and a stable user identifier from Google.

Specific measures:

• TLS 1.2+ in transit between your browser and our servers;
• encryption at rest for all stored files and database rows;
• row-level security policies on every database table scoped by your team identifier — meaning your team's data cannot be queried by another team even if application code were to make a mistake;
• access to production credentials is restricted to the founders and rotated on personnel changes;
• no production data is copied to staff laptops; all administrative actions run through the Supabase or Vercel dashboards with multi-factor authentication.

We will tell you and the Office of the Australian Information Commissioner (OAIC) promptly if we become aware of an eligible data breach affecting your account, as required by the Notifiable Data Breaches scheme.

Under the Australian Privacy Principles, you can ask us to:

• tell you what personal information we hold about you;
• correct information that is wrong or out of date;
• delete your account and the data attached to it (subject to legal record-keeping requirements — see §8);
• export your data in a portable format (CSV or JSON for loans and commission history);
• complain about how we have handled your information.

Email privacy@trailai.com.au for any of the above. We aim to respond within 30 days. If you are not satisfied with our response you can complain to the OAIC at oaic.gov.au.

While your subscription is active, we keep your account and broker data so the product works as intended. When you close your account we delete or anonymise your broker data within 90 days, except where we are required to keep certain records (e.g. tax invoices for seven years under ATO record-keeping rules).

You can also delete individual uploaded statements or generated valuations from inside the product at any time.

We set a small number of cookies that are strictly necessary for the product to work — for example, the cookie that keeps you signed in after you enter your one-time code.

We do not use third-party analytics that profile you across the web. If we add first-party analytics in the future (for example, Vercel Analytics to measure page speed and traffic), we will update this policy and tell you about it.

Trail AI is a B2B product for licensed Australian mortgage brokers. It is not directed at children under 16, and we do not knowingly collect information from anyone under 16. If you believe a minor has signed up, email privacy@trailai.com.au and we will close the account.

We may update this policy as the product evolves or as the law changes. If a change materially affects how we treat your information, we will email you and post a notice on this page at least 14 days before it takes effect. The "Last updated" date at the top of this page always reflects the current version.

Privacy questions: privacy@trailai.com.au. General enquiries: hello@trailai.com.au. Trail AI is operated from Sydney, Australia.