How Infraxus handles personal and financial information.
This Policy covers the marketing site (infraxus.com), the client portal (app.infraxus.com), and the work delivered through both. Infraxus Systems is a business name of SP Brands Pty Ltd (ABN 49 669 207 881), an Australian company. Information is handled in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Notifiable Data Breaches scheme, and where applicable the New Zealand Privacy Act 2020.
- 01 Who we are
- 02 What we collect
- 03 How we use information
- 04 Processors and infrastructure
- 05 Cross-border data transfers
- 06 AI processing
- 07 Data security
- 08 Data retention
- 09 Data breach notification
- 10 Access, correction, and deletion
- 11 Cookies and analytics
- 12 Payment processing
- 13 Marketing communications
- 14 Children
- 15 Complaints
- 16 Updates to this policy
- 17 Contact
1. Who we are.
Infraxus is a finance leadership firm for owner-operated businesses, $2M–$15M in revenue. Two offers: the Control Sprint, a fixed-scope diagnostic, and the Engagement, a monthly retainer that maintains the model and cadence after the Sprint.
Registered entity: SP Brands Pty Ltd (ABN 49 669 207 881). Registered address: 902/8 Joseph Road, Footscray VIC 3011, Australia.
General enquiries: info@infraxus.com. Security and privacy: security@infraxus.com.
2. What we collect.
Information is collected only where it is needed to respond to an enquiry, deliver the work, or operate the Portal.
Information you submit via contact forms or email correspondence: name, email address, company name, and approximate revenue band. Browser and device information (device type, IP address, browser version) is logged automatically by the marketing site host for security and performance purposes.
When a client engages us, named users are created in the Portal. We collect email address, hashed password (we never see or store plaintext passwords), user name and role within the client's business, session tokens generated at login, and a log of authentication events (sign-in, sign-out, password reset).
During a Sprint or Engagement, we collect and process confidential financial data: monthly management accounts (profit and loss, balance sheet, cashflow); budgets, forecasts, and financial models; KPI data (operational and financial metrics specific to the client's industry); historical accounting data exported from platforms such as Xero, MYOB, NetSuite, or QuickBooks; and commentary drafts and published commentary.
We also collect questions submitted via the Ask Your Numbers feature, the financial data context sent alongside those questions, and the AI-generated responses.
3. How we use information.
Collected information is used to:
- Respond to enquiries and provide information about the Sprint and the Engagement
- Deliver contracted client work, including Sprint diagnostics, monthly Engagement cycles, and the Portal
- Generate AI-drafted commentary and financial analysis, reviewed by Infraxus before publication to the client
- Answer questions submitted via Ask Your Numbers using the client's own data as context
- Maintain, secure, and improve the Portal and the surrounding service delivery
- Comply with legal, tax, audit, and regulatory obligations
We do not sell, rent, or trade personal or financial information. Client data is not used to train AI models. See Section 6.
4. Processors and infrastructure.
The following third-party providers process data on our behalf in the course of delivering our services.
| Processor | Role | Data location |
|---|---|---|
| Supabase | Portal database, authentication, session management | Sydney, AU (ap-southeast-2) |
| Vercel | Portal frontend hosting | Sydney, AU (syd1) + global CDN |
| Render | Portal backend API (ingestion, AI request routing) | Singapore |
| OpenRouter | Routing layer for AI requests to Anthropic's API | United States |
| Anthropic | AI model provider (commentary, Ask Your Numbers) | United States |
| Resend | Transactional email delivery (alerts, notifications) | United States |
| Webflow | Marketing site hosting (infraxus.com) | United States |
5. Cross-border data transfers.
Some of our processors operate outside Australia. Client financial data is stored in Sydney, Australia (Supabase, ap-southeast-2) as its primary location.
AI queries and the financial context they require are transmitted to Anthropic (in the United States) for processing. Anthropic's API terms commit that data sent via the API is not retained for model training purposes.
Backend API processing transits Singapore (Render); requests are processed in-memory and responses return to the Sydney-hosted database. No client financial data is retained in Singapore.
Transactional emails (cash alerts, commentary publication notifications) are sent via Resend, located in the United States. These emails contain summary information only, not full financial records.
Marketing site form submissions are processed by Webflow in the United States.
We take reasonable steps to ensure each overseas recipient provides privacy protections substantially similar to those required under the Australian Privacy Principles. If a client requires specific data residency commitments (for example, Australian-only processing), alternative arrangements can be discussed before the Engagement begins.
6. AI processing.
We use Anthropic's Claude models, accessed via OpenRouter, to generate financial commentary and to answer questions submitted via Ask Your Numbers. When these features are used:
- The client's financial data for the period under analysis is included in the API request as context
- The request is transmitted to Anthropic's API over encrypted channels (TLS 1.2 or higher)
- Anthropic's API terms commit that data sent via the API is not used for model training
- The AI response is returned to our systems, reviewed by Infraxus (for published commentary), and stored in the client's Portal
- Ask Your Numbers query logs (the question asked, response length, timestamp, hashed IP) are retained in application logs for operational monitoring and abuse prevention. Raw questions are not associated with individual users in these logs.
7. Data security.
Layered controls protect client information.
- Encryption in transit: TLS 1.2 or higher on all endpoints.
- Encryption at rest: AES-256 on the Portal database.
- Database isolation: Row-level security policies in Supabase Postgres restrict every query to the requesting user's mapped client.
- Authentication: Supabase Auth with JWT session tokens.
- Access control: Per-client isolation via user_client_map; administrative access is scoped separately.
- API security: Service-role keys used only on server-side infrastructure, never exposed to the client browser.
- Audit logging: Authentication events and commentary publishing events captured.
- Backups: Daily automated database snapshots with seven-day point-in-time recovery.
8. Data retention.
- Marketing enquiries: retained as long as needed to respond and maintain business records, typically no longer than two years.
- Client Portal data during an active Engagement: retained for the duration of the Engagement.
- Client Portal data after the Engagement ends: Portal access ends within 30 days of Engagement termination. A full CSV export of the client's historical data is provided. Portal-stored data is deleted within 30 days of a verified deletion request.
- Client Excel financial model: remains the property of the client at all times. We do not retain copies after Engagement end unless specifically agreed in writing.
- Ask Your Numbers logs (hashed IP, question text, response metadata): retained for 30 days for operational and abuse-monitoring purposes, then rotated out of the log system.
9. Data breach notification.
Under the Notifiable Data Breaches scheme (Privacy Act 1988), we will notify the Office of the Australian Information Commissioner and affected individuals of any eligible data breach involving personal information.
For client financial data specifically, we will notify affected clients within 24 hours of confirming a breach, with a detailed post-incident report to follow. security@infraxus.com is monitored continuously for security-related correspondence.
10. Access, correction, and deletion.
You have the right to:
- Request access to personal information we hold about you
- Request correction of inaccurate or incomplete information
- Request deletion of your information, subject to legal and contractual retention obligations
- Withdraw consent for optional processing (for example, marketing communications)
Contact security@infraxus.com to exercise these rights. We will respond within a reasonable timeframe in accordance with applicable privacy laws.
11. Cookies and analytics.
- Marketing site (infraxus.com): essential cookies for site functionality and security. No third-party analytics tools are active at this time. If analytics are introduced in the future, this Policy will be updated before the change takes effect.
- Client Portal (app.infraxus.com): essential session cookies from Supabase Auth for authentication and session management. No tracking or analytics cookies.
12. Payment processing.
Online payment processing is not currently active on the website. If payment processing is introduced in future (for example, for Sprint fees or monthly retainers), a PCI DSS-compliant provider will be used and this Policy will be updated to disclose the specific provider.
13. Marketing communications.
We contact you directly in response to an enquiry or during the course of an engagement. No marketing newsletters or automated sequences are currently sent. If marketing emails are introduced, they will be sent only with your consent and will include unsubscribe options.
14. Children.
Our services are directed at businesses, not individuals under 18. We do not knowingly collect personal information from children.
15. Complaints.
If you believe we have handled your information in a way that breaches the Australian Privacy Principles or this Policy, contact security@infraxus.com to lodge a complaint. We will acknowledge your complaint within five business days and respond substantively within 30 days.
If you are not satisfied with our response, you may escalate to the Office of the Australian Information Commissioner.
- Website: oaic.gov.au
- Phone: 1300 363 992
16. Updates to this policy.
This Policy may be updated periodically. The "last updated" date at the top reflects the most recent version. Material changes will be communicated to active clients by email. Continued use of the website or services after an update constitutes acceptance of the revised policy.