Privacy Policy
Effective Date: 1 June 2026
1. Introduction
PirateApeStudios (ABN 47 340 546 246) ("We," "Us," "Our") operates the product XrayFlow. We are committed to protecting your privacy in compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the General Data Protection Regulation (GDPR) for users in the European Economic Area, and the California Consumer Privacy Act (CCPA) for users in California, USA.
This policy explains how we collect, use, and safeguard your information when you use the XrayFlow service.
2. The Data We Collect
2.1 Information You Provide
- Account Data: When you sign up, we collect your Email Address and User ID (via our authentication providers).
- Billing Data: Transaction history and Plan status. Note: We do not store credit card numbers. All financial data is handled securely by Stripe.
2.2 Automated Usage Data
- Operational Metrics: We track the number of reports generated and the generic IDs of scenarios processed to manage usage quotas.
- Telemetry: We use anonymous analytics tools (PostHog — EU-hosted instance) to understand how users navigate the site. This includes page views, feature usage, and session metadata. No personal data is sent to PostHog.
3. Cookies & Tracking
We use a minimal set of cookies and local storage for functionality and analytics:
- cookie_consent (localStorage) — Records your cookie preference so we do not show the banner on every visit. No personal data stored.
- PostHog (first-party cookies) — Session replay and page view analytics. Only active after you explicitly accept cookies. You may decline at any time.
- Supabase / Stripe — Essential authentication and payment session cookies. Required for the service to function.
You can control cookie preferences via our Cookie Consent banner. You may also disable all non-essential cookies through your browser settings.
4. Our "Ephemeral Data" Promise
XrayFlow is designed with privacy-by-design principles:
- No Blueprint Storage: We fetch your automation blueprints into volatile memory solely to generate the visualization. Once the session ends, this data is discarded. We do not persist your business logic in our database.
- No API Key Storage: Your third-party API keys (e.g., for Make.com) are transmitted securely via TLS for the sole purpose of the immediate request. They are not stored in our persistent database.
- No AI Training: We do not use your blueprints, scenarios, or any content you process through XrayFlow to train AI or machine learning models.
5. How We Use Your Data
We use your information strictly to:
- Provide and maintain the XrayFlow service.
- Process payments via Stripe.
- Notify you of technical updates or security alerts.
- Improve our product through anonymized usage analytics (with your consent).
- Comply with legal obligations (e.g., tax reporting).
6. Data Retention
We retain your personal data only as long as necessary to provide the service and fulfil legal obligations:
- Account data: Retained for the duration of your account plus 90 days after deletion, then permanently erased.
- Billing records: Retained for 7 years to comply with Australian tax law.
- Analytics data: Retained for 13 months (PostHog default).
- Blueprint data: Never stored (ephemeral — discarded when the session ends).
7. Third-Party Sub-Processors
To provide XrayFlow, we share data with trusted third-party providers:
- Stripe — Payment processing (PCI-DSS compliant).
- Supabase — Authentication, database, and storage (SOC 2 compliant).
- Vercel — Cloud hosting and serverless functions (SOC 2 compliant).
- Google — OAuth login services.
- PostHog — Product analytics (EU-hosted, GDPR-compliant, only with your consent).
8. International Data Transfers
PirateApeStudios is an Australian entity. Our cloud infrastructure (Supabase / Vercel) uses servers in Australia and the United States. By using the Service:
- EEA users: We ensure adequate safeguards via Standard Contractual Clauses (SCCs) with our sub-processors.
- Australian users: Data remains within the APAC region where possible.
- US users: Data may be processed in the US in compliance with applicable law.
All sub-processors adhere to SOC 2 Type II or ISO 27001 security standards.
9. Your Rights
9.1 Australian Users (Privacy Act)
- Right to access your personal data.
- Right to correct inaccurate data.
- Right to complain about a breach of the APPs.
9.2 EEA Users (GDPR)
- Right to be informed — This policy fulfils our transparency obligation.
- Right of access — Request a copy of your personal data.
- Right to rectification — Correct inaccurate data.
- Right to erasure ("Right to be forgotten") — Delete your account and associated data.
- Right to restrict processing — Limit how we use your data.
- Right to data portability — Receive your data in a machine-readable format.
- Right to object — Object to processing for analytics.
- Right to withdraw consent — Withdraw cookie consent at any time.
To exercise any GDPR right, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local Data Protection Authority.
9.3 California Users (CCPA)
- Right to Know — Request details of the personal data we collect, use, and share.
- Right to Delete — Request deletion of your personal data.
- Right to Opt-Out — We do not sell your personal data. No opt-out is needed.
- Right to Non-Discrimination — We will not discriminate against you for exercising your CCPA rights.
To exercise your CCPA rights, email [email protected]. We will verify your identity and respond within 45 days.
10. Data Breach Notification
In the event of a data breach that affects your personal data, we will:
- Notify you within 72 hours of becoming aware of the breach.
- Provide details of the nature and scope of the breach.
- Advise on steps you can take to protect yourself.
- Notify the relevant supervisory authority (OAIC for Australia, ICO for UK, relevant DPA for EEA).
11. Do Not Track
We honor Do Not Track (DNT) signals from your browser. When DNT is enabled, we disable PostHog analytics for your session.
12. Contact Us
If you have questions about this policy, wish to exercise your rights, or need to report a concern:
Email: [email protected]
Security: [email protected]
Entity: PirateApeStudios (ABN 47 340 546 246)
Jurisdiction: Western Australia, Australia
Disclaimer: This Privacy Policy is provided as a compliance framework. You should review it with your legal counsel to ensure it meets all applicable regulatory requirements for your jurisdiction.