Privacy Policy

This document describes how Tailor Intelligence Pty Ltd handles personal information on the tailor.au platform. This page is a standard placeholder while our legal counsel finalises the full privacy policy.

What we collect

Tailor collects the information you provide when you create an account (name, work email, organisation), the documents you upload and the content you generate on the platform, and usage telemetry that helps us keep the service reliable (sign-in events, feature usage, error traces).

Analytics, cookies, and session replay

We use two product-analytics services to understand how the platform is used and to find and fix problems:

  • PostHog — product analytics (page views, feature usage, funnels). Events are associated with your account when you are signed in.
  • Microsoft Clarity — behavioural analytics including heatmaps and session replay (a reconstruction of clicks, scrolls, and page interactions). Clarity applies masking to text inputs, but you should be aware that your on-screen interactions with the product may be replayed by our team for debugging and product improvement.

We also use cookies and browser localStorage for session authentication, remembering preferences (e.g. UI state), and the analytics above. We do not use third-party advertising cookies.

Where it’s stored

Tailor data at rest — your account, organisation, uploaded documents, generated content, and audit trail — is stored on sovereign Australian infrastructure: Microsoft Azure, Australia East (Sydney) region. Encryption at rest is AES-256; keys are held in Azure Key Vault.

Voice and vision — offshore inference

Certain real-time voice and vision workloads require AI models that are not yet available in Australian Azure regions. For those workloads:

  • Real-time speech-to-speech — processed in Microsoft Azure (United States, East 2 region) using the GPT-realtime model. Audio inputs transit to that region for inference; audio outputs return to and remain in Australia, along with any persisted transcripts.
  • Text-to-speech via ElevenLabs — when a tenant opts in to ElevenLabs voices, the prompt text we send is processed by ElevenLabs Inc. (United States) under a Data Processing Agreement. Audio is streamed back to your application and is not persisted by Tailor.
  • Conversational AI sessions — when a tenant uses Tailor’s Conversational AI Agent service (for example, quotefor.au’s video-call quote flow), the homeowner’s voice audio is streamed bidirectionally to ElevenLabs Inc. (United States) for the duration of the session, processed by the underlying conversational model, and synthesised speech is streamed back to the caller. Camera frames captured during the same session are sent to Tailor’s scene-analysis endpoint, which processes them via Microsoft Azure OpenAI (United States, East 2 region). Neither raw audio nor frames are persisted by Tailor outside the session lifetime. Conversation transcripts may be persisted in Australia for audit and quality purposes, per the tenant’s configuration.

These offshore arrangements are interim while Tailor builds sovereign Australian voice and vision infrastructure. Document content, generated text, audit data, and all other categories of personal information do not leave Australian jurisdiction.

How long we keep it

We retain account, document, and audit data indefinitely by default while your organisation is an active Tailor customer. A full retention and deletion schedule will be published with the complete policy. In the interim, data-deletion requests are handled manually — email privacy@tailor.au.

Your rights

Tailor handles personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Under the APPs you can request access to, and correction of, personal information Tailor holds about you, and you can ask us to delete it. If you believe we have mishandled your personal information you can complain to us first, and if you are not satisfied with our response, to the Office of the Australian Information Commissioner (OAIC). To exercise those rights, or to ask any other question about how we handle your data, email privacy@tailor.au.

Third parties

Tailor does not sell customer data. We share data with third-party processors only where it is necessary to run the service. The current processors are:

  • Microsoft Azure — hosting, storage, and transactional email (Azure Communication Services), Australia East region for data at rest.
  • Azure OpenAI Service — AI inference over your prompts and document context. Content sent to Azure OpenAI is not used to train models; certain voice/vision workloads run in US Azure regions as described above.
  • PostHog — product analytics (usage events).
  • Microsoft Clarity — behavioural analytics and session replay.
  • ElevenLabs Inc. — opt-in voice synthesis and conversational AI, as described above.

Data we collect when you connect AI agents

Tailor distributes connectors for ChatGPT (OpenAI Apps SDK / Codex), Claude (Anthropic remote MCP and Claude Code plugin marketplace), Cursor, and other AI runtimes through tailor.au/connect. When you authorise an AI agent to access your Tailor documents, the following additional categories of data are recorded.

Categories of data collected

  • Registered connector clients. Display name, platform identifier (e.g. Cursor, Codex), redirect URIs, and the scopes that the client is permitted to request. Issued either through self-service in the Tailor UI / CLI or via OAuth 2.1 Dynamic Client Registration once that surface is enabled.
  • Authentication tokens. Hashed scoped API keys, OAuth access and refresh tokens, and authorisation codes minted during a connector consent flow. Raw token values are displayed once at issuance and are never persisted in plaintext — only deterministic hashes (SHA-256) are stored.
  • Audit logs. Per-action records of every connector tool call: the actor (human user, AI agent, or service), the tool name and read/write/destructive annotation, the document or entity touched, and the outcome. Audit payloads are passed through a sensitive-value redactor before persistence so tokens, codes, and secrets cannot be re-derived from a log line.
  • Scope grants and consent decisions. The exact set of scopes a user approved on the consent screen, the timestamp, and the IP address and user-agent of the consenting browser.

Why we collect it

  • Authentication — verify a request came from a known connector and a known user.
  • Authorisation — enforce least-privilege scopes per tool call.
  • Audit — show you, your administrators, and your auditors who took which action through which agent.
  • Abuse prevention — rate-limit, anomaly-detect, and revoke compromised clients or tokens.

Retention windows

  • Connector audit logs — retained for 365 days, then deleted on the next monthly sweep. Tenants on enterprise plans may negotiate longer retention contractually.
  • OAuth refresh tokens — rotated every 30 days; older hashes are deleted on rotation.
  • Registered connector clients — retained until the user revokes the client or until the rolling 1-year inactivity sweep runs, whichever is sooner.
  • Scoped API keys — retained until you revoke them or their declared expiry passes; the deterministic hash is purged on revocation.

Your controls

  • Revoke a connector client at any time from the settings menu in Tailor or with the tailor connect revoke CLI command. Revocation invalidates all tokens issued to that client immediately.
  • Revoke a single API key from the keys page without disturbing other connectors using the same client.
  • Request deletion of connector audit logs ahead of the 365-day window by emailing privacy@tailor.au. When a tenant is deleted, all connector audit rows tied to that tenant are deleted as part of the same workflow.
  • View a per-tenant audit summary on the Tailor dashboard; export to CSV is available on enterprise plans.

Tailor never transmits your document contents to the AI runtime vendor (OpenAI, Anthropic, Cursor, etc.) outside of the agent’s own conversation context with you. Tool responses returned to the agent are passed through a sensitive-value redactor so raw tokens, OAuth codes, or secrets cannot reach the agent’s context window or training surface.

We’ll publish a full privacy policy as part of our general-availability launch. Until then, this page is the authoritative summary.

Questions or requests: privacy@tailor.au.

Tailor Intelligence Pty Ltd · Brisbane, Queensland