Privacy Policy

Effective: 1 May 2026 · Operated by Dara Technology Pty Ltd (ACN to be confirmed)

// 01

Who we are

DARA OS ("DARA", "we", "us") is a SaaS platform operated by Dara Technology Pty Ltd (ACN to be confirmed), an Australian-registered company headquartered in Sydney, NSW. We provide a Bloomberg-style operating terminal that unifies a customer's POS, accounting, and treasury data sources into an AI-grounded daily briefing.

// 02

Scope of this policy

This Privacy Policy explains how DARA collects, uses, stores, and discloses information when you (i) visit daraos.ai, (ii) sign up for a DARA workspace, (iii) connect third-party services to your workspace, or (iv) communicate with us by email, support form, or any other channel. It applies to both the public website and the authenticated application.

// 03

Information we collect

We collect the following categories of information:

  • Account data: name, business name, role, email address, hashed password, industry classification, two-factor authentication seed (if enabled), and email-consent timestamp.
  • Workspace data: business data you upload, paste, or sync into your workspace — including (where you choose to connect them) transactions from your POS provider (e.g. Square), invoices from your accounting provider (e.g. Xero or MYOB), and structured CSV files you upload. This data belongs to you.
  • Operational logs: IP addresses, browser user-agents, request paths, and event timestamps, kept for security and abuse-prevention purposes for up to 90 days.
  • Billing data: payment-method metadata (card brand, last four digits, expiry) handled through Stripe — DARA does not store full card numbers.
  • Marketing data: if you tick our email consent box, we record the consent action with timestamp, IP, and source URL.

// 04

How we use your information

We use the data described above to:

  • Provide and operate the DARA platform — including authentication, data ingestion, AI-grounded briefings, and integration with any third-party services you elect to connect.
  • Bill you for subscriptions and process refunds through Stripe.
  • Send transactional emails (account verification, billing receipts, security alerts) that are required to operate the service.
  • Send marketing or product-update emails only where you have given explicit consent, with a one-click unsubscribe in every email.
  • Monitor for fraud, abuse, performance issues, and unauthorised access.
  • Comply with our legal obligations under Australian and other applicable law.

// 05

AI and your data

DARA uses Anthropic's Claude (Sonnet 4.5) large language model to synthesise your workspace data into daily briefings and answer your natural-language queries. We submit your data to the Claude API solely for the purpose of returning the response you have requested.

Anthropic does not train its commercial models on data submitted via their API. We do not authorise or instruct any model provider to train on your data. We retain Claude prompts and responses associated with your workspace for up to 30 days for debugging and quality-assurance purposes, after which they are deleted.

If you operate in a sector with strict data-residency requirements (defence, government, regulated finance) please contact us at privacy@daraos.ai to discuss an air-gapped Enterprise deployment.

// 06

Third-party services we use

We rely on the following third-party services to operate DARA. Each provider operates its own privacy policy, which you should review:

  • Anthropic — AI synthesis layer (Claude 4.5 Sonnet)
  • Stripe — payment processing
  • Resend — transactional and consent-based marketing email delivery
  • MongoDB Atlas — primary data store
  • Square, Xero, MYOB — only where you have explicitly connected one of these services to your workspace

We do not sell, rent, or otherwise share your personal information with third parties for their own marketing purposes. We only share the minimum information necessary for these providers to deliver the services we contract them to perform.

// 07

Data security

We maintain commercially reasonable safeguards to protect your data, including:

  • TLS 1.3 for all data in transit
  • Fernet-encrypted vault for stored API keys and OAuth tokens
  • Per-user TOTP two-factor authentication available on every account
  • Server-side rate-limiting and brute-force protection on authentication endpoints
  • Bcrypt password hashing
  • Email-consent audit trail with IP + timestamp
  • Audit log of administrative actions
  • SOC 2 Type I attestation in progress (target 2026)

// 08

Your rights

If you reside in Australia, under the Privacy Act 1988 (Cth) you have the right to:

  • Access the personal information we hold about you
  • Correct any personal information that is inaccurate or out of date
  • Request that we delete your account and associated data (data deletion is also available self-serve within the app: Settings → Account → Delete account)
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au

If you reside in the European Union or United Kingdom, the rights granted under the General Data Protection Regulation (GDPR) apply to you in addition to the above — including the right to data portability and the right to object to processing.

// 09

International data transfers

DARA is hosted on infrastructure located primarily in Australia and the United States. Where data is transferred outside Australia, we rely on the privacy frameworks operated by our third-party providers (including EU Standard Contractual Clauses) and only transfer the minimum data necessary to deliver the service you requested.

// 10

Data retention

We retain your data as follows:

  • Account data: for the lifetime of your account, plus 90 days after deletion to handle billing reconciliation and abuse investigations.
  • Workspace data: for the lifetime of your subscription, plus 30 days after subscription cancellation to allow for restoration if you reactivate.
  • Operational logs: up to 90 days.
  • Billing records: 7 years, as required by Australian tax law.

// 11

Children

DARA is a B2B platform intended for use by businesses. We do not knowingly collect personal information from anyone under 18 years of age.

// 12

Updates to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Material changes will be notified to active customers by email with at least 14 days' advance notice. The most current version is always available at this URL.

// 13

Contact us

Privacy enquiries should be directed to privacy@daraos.ai. Postal mail can be addressed to: Dara Technology Pty Ltd (ACN to be confirmed), c/o the Privacy Officer, Sydney NSW, Australia.

Dara Technology Pty Ltd (ACN to be confirmed) · 1 May 2026 · v1.0