This document describes how Tailor Intelligence Pty Ltd handles personal information on the tailor.au platform. This page is a standard placeholder while our legal counsel finalises the full privacy policy.
What we collect
Tailor collects the information you provide when you create an account (name, work email, organisation), the documents you upload and the content you generate on the platform, and usage telemetry that helps us keep the service reliable (sign-in events, feature usage, error traces).
Where it’s stored
Tailor data is stored on sovereign Australian infrastructure — Microsoft Azure, Australia East (Sydney) region. Encryption at rest is AES-256; keys are held in Azure Key Vault. No customer data leaves Australian jurisdiction as part of normal platform operation.
How long we keep it
We retain account, document, and audit data indefinitely by default while your organisation is an active Tailor customer. A full retention and deletion schedule will be published with the complete policy. In the interim, data-deletion requests are handled manually — email privacy@tailor.au.
Your rights
You can request access to, correction of, or deletion of personal information Tailor holds about you. To exercise those rights, or to ask any other question about how we handle your data, email privacy@tailor.au.
Third parties
Tailor does not sell customer data. We share data with third-party processors only where it is necessary to run the service (e.g. Microsoft Azure for hosting, Azure Communication Services for transactional email).
Data we collect when you connect AI agents
Tailor distributes connectors for ChatGPT (OpenAI Apps SDK / Codex), Claude (Anthropic remote MCP and Claude Code plugin marketplace), Cursor, and other AI runtimes through tailor.au/connect. When you authorise an AI agent to access your Tailor documents, the following additional categories of data are recorded.
Categories of data collected
- Registered connector clients. Display name, platform identifier (e.g. Cursor, Codex), redirect URIs, and the scopes that the client is permitted to request. Issued either through self-service in the Tailor UI / CLI or via OAuth 2.1 Dynamic Client Registration once that surface is enabled.
- Authentication tokens. Hashed scoped API keys, OAuth access and refresh tokens, and authorisation codes minted during a connector consent flow. Raw token values are displayed once at issuance and are never persisted in plaintext — only deterministic hashes (SHA-256) are stored.
- Audit logs. Per-action records of every connector tool call: the actor (human user, AI agent, or service), the tool name and read/write/destructive annotation, the document or entity touched, and the outcome. Audit payloads are passed through a sensitive-value redactor before persistence so tokens, codes, and secrets cannot be re-derived from a log line.
- Scope grants and consent decisions. The exact set of scopes a user approved on the consent screen, the timestamp, and the IP address and user-agent of the consenting browser.
Why we collect it
- Authentication — verify a request came from a known connector and a known user.
- Authorisation — enforce least-privilege scopes per tool call.
- Audit — show you, your administrators, and your auditors who took which action through which agent.
- Abuse prevention — rate-limit, anomaly-detect, and revoke compromised clients or tokens.
Retention windows
- Connector audit logs — retained for 365 days, then deleted on the next monthly sweep. Tenants on enterprise plans may negotiate longer retention contractually.
- OAuth refresh tokens — rotated every 30 days; older hashes are deleted on rotation.
- Registered connector clients — retained until the user revokes the client or until the rolling 1-year inactivity sweep runs, whichever is sooner.
- Scoped API keys — retained until you revoke them or their declared expiry passes; the deterministic hash is purged on revocation.
Your controls
- Revoke a connector client at any time from the settings menu in Tailor or with the tailor connect revoke CLI command. Revocation invalidates all tokens issued to that client immediately.
- Revoke a single API key from the keys page without disturbing other connectors using the same client.
- Request deletion of connector audit logs ahead of the 365-day window by emailing privacy@tailor.au. When a tenant is deleted, all connector audit rows tied to that tenant are deleted as part of the same workflow.
- View a per-tenant audit summary on the Tailor dashboard; export to CSV is available on enterprise plans.
Tailor never transmits your document contents to the AI runtime vendor (OpenAI, Anthropic, Cursor, etc.) outside of the agent’s own conversation context with you. Tool responses returned to the agent are passed through a sensitive-value redactor so raw tokens, OAuth codes, or secrets cannot reach the agent’s context window or training surface.
We’ll publish a full privacy policy as part of our general-availability launch. Until then, this page is the authoritative summary.
Questions or requests: privacy@tailor.au.
Tailor Intelligence Pty Ltd · Brisbane, Queensland