Privacy Policy

    Effective 2026-05-22. Last updated 2026-05-21.

    1. Introduction and Scope

    This Privacy Policy describes how Auronova Technology Pty Ltd (ABN 43 691 973 725, ACN 691 973 725), an Australian proprietary company trading as Ertas AI ("Ertas," "we," "our," or "us"), collects, uses, shares, retains, and protects personal information when you interact with us. It applies to:

    • Our marketing site at www.ertas.ai.
    • Our application at app.ertas.ai.
    • The Ertas Deployment CLI and other downloadable tools we provide.
    • Our communications with you by email, in-app, or other channels.

    It does not apply to third-party services we link to, or to base model providers and open-source projects whose own terms apply to your use of their software.

    Acting as the data controller (under the European Union General Data Protection Regulation, the United Kingdom General Data Protection Regulation, and the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles), Ertas is responsible for the personal information described in this Policy.

    2. Plain-English Summary

    Here is the short version. Each point is expanded in the sections below.

    • We collect information you give us (account details, training data you upload, support questions, billing details via Stripe), information your device gives us automatically (technical and usage logs, cookies), and information third parties send us about you (Stripe webhooks, ad-click parameters).
    • We use it to provide and improve the Service, bill you, send you transactional and (with your consent where required) marketing communications, prevent fraud, secure the platform, and comply with law.
    • Your data is stored primarily in Australia, with some processing in the United States, Ireland, Singapore, and other regions where our sub-processors operate.
    • We do not sell your personal information. We do not use your training data to train shared base models for other customers.
    • You have rights to access, correct, delete, and port your information, and to object to or restrict certain processing. How to exercise them is described in section 17.
    • For questions, contact privacy@ertas.ai.

    3. Definitions

    In this Policy, we use terms that have specific meanings in privacy law:

    • "Personal information" means information that identifies, relates to, describes, or could reasonably be linked with an identified or identifiable natural person. "Personal data" and "personal information" are used interchangeably; the terminology depends on the law that applies to you.
    • "Processing" means any operation we perform on personal information, including collection, storage, use, disclosure, or deletion.
    • "Controller" means the entity that decides why and how personal information is processed. Ertas is the controller for the personal information described in this Policy.
    • "Processor" and "sub-processor" mean entities that process personal information on our instructions. Our sub-processors are listed in section 10.
    • "Sensitive personal information" includes categories of information given special protection under applicable law, such as health information, biometric data, racial or ethnic origin, sexual orientation, religious beliefs, and government identifiers.

    4. Who We Are and How to Contact Us

    • Legal name: Auronova Technology Pty Ltd
    • Trading name: Ertas AI
    • Registered office: 1 Tripovich St, Brunswick, VIC 3056, Australia
    • ABN: 43 691 973 725
    • ACN: 691 973 725
    • Privacy contact: privacy@ertas.ai

    We have not appointed a Data Protection Officer because we are not currently required to under Article 37 of the GDPR. If that changes, we will update this Policy with the appointment.

    We have not appointed an EU representative under Article 27 of the GDPR. We will designate one if our processing activity meets the threshold that requires appointment.

    5. Categories of Information We Collect

    We collect the following categories of personal information:

    • Account information. Email address, name, password (stored as a salted hash, never in plaintext), role, areas of interest, and other profile fields you provide. Collected directly from you when you sign up or update your profile, and from our waitlist form before you create an Account.
    • Billing information. Plan, billing cycle, billing address, payment method type, last four digits of payment cards, and transaction history. We do not store full payment card numbers; payments are processed by Stripe under Stripe's terms and privacy policy, and only the data Stripe returns to us via webhook is held in our systems.
    • Content you upload. Training datasets, prompts, project configurations, and supporting files you upload to or generate within the Service. This may include personal information about other people if you include it in your data. You are responsible for the lawful basis for any such information (see section 6 of the Terms and Conditions).
    • Output we produce for you. Trained LoRA adapters, GGUF files, evaluation results, run logs, and other artefacts produced by your fine-tuning jobs.
    • Usage information. Records of training jobs, Credit consumption, features you use, time stamps, error codes, and other product telemetry.
    • Communications. Messages you send us via support, email, in-app chat, or contact forms.
    • Device and technical information. Internet protocol address, user agent string, device type, operating system, locale and language preference, referring URL, and cookie identifiers. Collected automatically when you visit our sites or use the Service.
    • Marketing and advertising identifiers. Meta Pixel browser identifier (_fbp), Meta click identifier (_fbc and the fbclid URL parameter), Google Analytics 4 client identifier (_ga, ga*), and other tracking cookies, where applicable consent has been given (see section 13).

    We do not knowingly collect or solicit sensitive personal information. If you do not want sensitive personal information to be processed by us, do not include it in Content you upload.

    6. How We Collect It

    • Directly from you, when you sign up, complete forms (including the waitlist signup form), upload Content, configure runs, contact support, or otherwise interact with the Service.
    • Automatically, through cookies and similar technologies, server logs, and product telemetry.
    • From third parties, including Stripe (billing and webhook events), Meta and Google (ad-click parameters such as fbclid or gclid when you arrive via an advertisement), and identity providers if you authenticate via a third party.

    7. Children's Data

    The Service is not directed to anyone under 16 years of age. We do not knowingly collect personal information from minors. If we learn that we have collected personal information from a minor, we will delete it. If you believe we have personal information of a child or minor in your jurisdiction, contact privacy@ertas.ai.

    8. Purposes of Processing

    We use personal information to:

    • Provide, operate, and maintain the Service, including authentication, training jobs, exports, and the Ertas Deployment CLI.
    • Bill for paid Subscriptions and process top-up purchases via Stripe.
    • Communicate with you about your Account, including service announcements, security alerts, billing notices, support replies, and changes to these terms.
    • Send marketing communications, where you have given consent to do so or where we have a permitted basis under applicable law. You can opt out of marketing communications at any time using the unsubscribe link in our emails or by emailing privacy@ertas.ai.
    • Improve and develop the Service, including diagnosing problems, analysing usage patterns in aggregate, and prioritising feature work.
    • Detect, prevent, and respond to fraud, abuse, security incidents, illegal activity, and breaches of our Terms and Conditions.
    • Comply with applicable law and respond to lawful requests from public authorities.
    • Establish, exercise, or defend legal claims.

    We do not use your uploaded Content to train shared, multi-tenant base models. Models we train for you with your data belong to you. Aggregated and de-identified statistics derived from product usage may be used to evaluate Service performance.

    Under the GDPR and UK GDPR, we rely on the following legal bases:

    • Performance of a contract (Article 6(1)(b)) for providing the Service, processing payments, and providing customer support.
    • Legitimate interests (Article 6(1)(f)) for securing the Service, preventing fraud and abuse, communicating service announcements, and improving the Service. Our legitimate interests are described in the relevant purposes in section 8; you may object to processing on this basis using the mechanism in section 17.
    • Consent (Article 6(1)(a)) for sending marketing communications to EU and UK residents, and for setting non-essential cookies (including analytics and advertising cookies). You can withdraw consent at any time.
    • Legal obligation (Article 6(1)(c)) for tax record retention, responding to lawful authority requests, and other compliance obligations.

    Where we process sensitive personal information that you have voluntarily provided, we rely on your explicit consent under Article 9(2)(a) of the GDPR.

    10. Sub-processors

    We use the following sub-processors to operate the Service. Each is bound by a written agreement (typically a data processing agreement) that requires it to process personal information only on our instructions, to maintain appropriate security, and to honour data subject rights.

    • Stripe Payments Europe Limited and affiliates (Ireland, United States). Payment processing, fraud prevention, and tax calculation via Stripe Tax. Stripe is certified under the EU-US Data Privacy Framework where applicable, and SCCs apply otherwise.
    • Supabase Inc. (Sydney, Australia ap-southeast-2 region). Primary application database. Data hosted within Australia.
    • Railway Corp (Singapore region). Backend application hosting. Standard Contractual Clauses apply to transfers from the EU and UK, and equivalent measures apply for Australian Privacy Principle 8 (cross-border disclosure of personal information).
    • Formspark, Inc. (Cloudflare global edge). Primary form ingestion for the waitlist and contact forms.
    • Resend, Inc. (United States). Transactional and marketing email delivery. EU-US Data Privacy Framework where applicable.
    • Cloudflare, Inc. (global edge). Content delivery, edge security, and bot protection.
    • Google LLC and affiliates (United States, Ireland). Google Analytics 4 (product and marketing analytics) and Google Ads conversion measurement.
    • Meta Platforms, Inc. and Meta Platforms Ireland Limited (United States, Ireland). Meta Pixel and the Conversions API for advertising measurement and audience building, set only when applicable consent is given.
    • Calendly, LLC (United States). Scheduling Enterprise consultation calls booked from the marketing site. Calendly is not used inside the product.
    • Amazon Web Services, Inc. and affiliates (currently ap-southeast-2 Sydney and other regions used as required for GPU capacity). Compute infrastructure for fine-tuning jobs.

    We may update this list from time to time. Material additions will be communicated via this Policy or via direct notice where required by law. A current sub-processor list is available on request to privacy@ertas.ai.

    11. Other Recipients

    In addition to our sub-processors, we may share personal information with:

    • Law enforcement and government authorities, where we are legally required to disclose information, or where disclosure is necessary to protect the rights, property, or safety of Ertas, our users, or the public, and the request is otherwise valid.
    • Counterparties to a corporate transaction, including in connection with a proposed or actual merger, acquisition, financing, sale of assets, or insolvency event. Where the recipient's use of the information differs materially from this Policy, we will notify you.
    • Our professional advisors, including legal, accounting, audit, and insurance advisors, under confidentiality obligations.

    12. International Data Transfers

    Our primary data storage is in Australia (Supabase, ap-southeast-2 Sydney). Some sub-processors process personal information in other regions, including the United States, Ireland, Singapore, and other regions used by our infrastructure providers.

    When we transfer personal information out of the European Economic Area, the United Kingdom, or other jurisdictions that restrict cross-border transfers, we rely on appropriate safeguards including:

    • The European Commission's Standard Contractual Clauses (2021/914).
    • The United Kingdom International Data Transfer Addendum.
    • The EU-US Data Privacy Framework, where the receiving entity is certified.
    • Supplementary technical and organisational measures, such as encryption in transit and at rest, where applicable.

    Australia is recognised in many international privacy frameworks as having a comparable level of protection through the Australian Privacy Principles, although it is not currently the subject of a European Commission adequacy decision.

    13. Cookies and Similar Technologies

    We use cookies and similar technologies on our sites and Service. Cookies fall into four categories:

    • Essential cookies. Required for the Service to function (session cookies, security tokens, locale preference). Set without consent because they are strictly necessary.
    • Analytics cookies. Used for product and marketing analytics (Google Analytics 4 cookies including _ga and ga*). Set only with consent in jurisdictions where consent is required.
    • Advertising cookies. Used for advertising measurement and audience building (Meta Pixel cookies including _fbp and _fbc). Set only with consent in jurisdictions where consent is required.
    • Functional cookies. Used to remember non-essential preferences. Set only with consent in jurisdictions where consent is required.

    You can withdraw consent or change your cookie preferences at any time via your browser settings or, where available, the cookie preferences control on our site. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

    14. Data Retention

    We retain personal information for as long as necessary to provide the Service and to comply with our legal obligations. The principal retention periods are:

    • Account and profile data. While your Subscription is active. After cancellation or termination, we retain Account data for 30 days to allow you to export Content and Output (the export window described in section 13 of the Terms and Conditions). After the export window, Account data is deleted or anonymised, except as required for the other retention periods below.
    • Content and Output. Same as Account data.
    • Billing and tax records. 7 years from the end of the relevant financial year, to meet Australian Taxation Office and equivalent record-keeping obligations.
    • Support communications. 3 years from the most recent interaction, for service quality and dispute resolution purposes.
    • Marketing engagement data. Until you unsubscribe, plus 12 months for suppression-list and audit purposes.
    • Server and security logs. 90 days for operational logs, longer where retention is necessary to investigate an active security incident.

    We may retain information longer where required by law, where necessary to establish, exercise, or defend legal claims, or where required for ongoing security investigations.

    15. Security

    We implement technical and organisational measures appropriate to the risk, including:

    • Encryption in transit (TLS 1.2 or higher) and encryption at rest for personal information at our database tier.
    • Role-based access controls and the principle of least privilege for internal access to production systems.
    • Audit logging of administrative and security-relevant events.
    • Vault encrypted storage for Enterprise customer datasets and secrets.
    • Regular security reviews of our infrastructure and sub-processors.
    • Incident response procedures including breach notification under the Notifiable Data Breaches scheme of the Australian Privacy Act, GDPR Articles 33 and 34, and equivalent laws.

    No security measure is perfect. If you become aware of a security issue affecting the Service, please report it to privacy@ertas.ai.

    16. Your Rights

    You have the following rights with respect to your personal information. The exact scope of each right depends on the law that applies to you.

    • Access. Receive a copy of the personal information we hold about you.
    • Rectification or correction. Request that we correct inaccurate or incomplete information.
    • Erasure or deletion. Request that we delete your personal information, subject to exceptions in applicable law (for example, ongoing billing records).
    • Restriction. Request that we limit how we process your personal information in specified circumstances.
    • Objection. Object to processing based on legitimate interests, including profiling. We will stop unless we have compelling legitimate grounds to continue or the processing is necessary for legal claims.
    • Portability. Receive your personal information in a structured, commonly used, machine-readable format and, where technically feasible, have it transmitted to another controller.
    • Withdraw consent. Withdraw any consent you have given for processing, without affecting the lawfulness of past processing.
    • Lodge a complaint. Lodge a complaint with your supervisory authority (see section 19 for EU/UK, section 20 for California, section 21 for other regions, and section 22 for Australia).

    If you are a California resident, you have additional rights described in section 20, including the right to opt out of the sale or sharing of personal information and the right to limit the use of sensitive personal information. We do not sell personal information.

    If you are an Australian resident, you have rights under the Australian Privacy Principles described in section 22.

    17. How to Exercise Your Rights

    To exercise any of the rights above, contact privacy@ertas.ai with a clear description of the right you are exercising and enough information for us to verify your identity. We may ask for additional information to confirm your identity before responding, in order to protect your information from unauthorised disclosure.

    We aim to respond within 30 days of a verified request, extendable by a further 60 days for complex or numerous requests as permitted by the GDPR (Article 12(3)). California requests under the CCPA and CPRA are answered within 45 days of a verified request, extendable by a further 45 days where reasonably necessary. Australian access requests under the Privacy Act are answered within 30 days.

    Exercising a right is free. If a request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse the request, and we will tell you why.

    18. Automated Decision-Making and Profiling

    We do not make decisions that produce legal or similarly significant effects concerning you based solely on automated processing, including profiling, within the meaning of Article 22 of the GDPR.

    Some of our internal product analytics use aggregate behavioural data to evaluate features and to prioritise development, but these analytics do not produce individual decisions about you. We may apply automated security controls (such as rate limiting and abuse detection) to protect the Service, but those controls do not produce binding decisions about you without human review where review is required.

    19. EU, EEA, and UK Supplement

    If you are in the European Economic Area, the United Kingdom, or Switzerland, the GDPR or UK GDPR applies to our processing of your personal information.

    The disclosures required by Articles 13 and 14 of the GDPR are contained throughout this Policy:

    • Identity and contact details of the controller: section 4.
    • Purposes of processing and legal bases: sections 8 and 9.
    • Recipients: sections 10 and 11.
    • Transfers outside the EEA: section 12.
    • Retention: section 14.
    • Your rights: sections 16 and 17.

    You have the right to lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is maintained by the European Data Protection Board at edpb.europa.eu. The United Kingdom supervisory authority is the Information Commissioner's Office (ico.org.uk). The Swiss supervisory authority is the Federal Data Protection and Information Commissioner (edoeb.admin.ch).

    If our processing of your personal information regularly targets or monitors EU residents at material scale, we will appoint an EU representative under Article 27 of the GDPR and update this section.

    20. California Supplement (CCPA and CPRA)

    This section applies to California residents and supplements the rest of this Policy with disclosures required by the California Consumer Privacy Act of 2018 and the California Privacy Rights Act of 2020 (together, the "CCPA").

    We have collected the following CCPA categories of personal information in the 12 months before the effective date of this Policy:

    • Identifiers (email address, IP address, online identifiers).
    • Customer records (billing-related information from Stripe).
    • Commercial information (Subscription history, transactions, products considered).
    • Internet activity (browsing on our sites, interactions with the Service).
    • Geolocation (general, derived from IP address).
    • Inferences (interests inferred from product use to provide and improve the Service).

    Sources, purposes, and recipients of these categories are described in sections 6, 8, 10, and 11.

    We do not sell personal information. We do not "share" personal information for cross-context behavioural advertising as that term is defined in the CCPA, except to the extent that advertising cookies set with your consent (Meta Pixel, Google Analytics) constitute sharing under the CCPA. You can opt out at any time by withdrawing cookie consent and by emailing privacy@ertas.ai with the subject line "Do Not Sell or Share."

    We do not use or disclose sensitive personal information for purposes other than those permitted without the right to limit under the CCPA.

    You have the right to:

    • Know what personal information we have collected about you.
    • Delete personal information we have collected.
    • Correct inaccurate personal information.
    • Opt out of sale or sharing (we do not sell, and you can withdraw cookie consent to opt out of any conduct that would be sharing under the CCPA).
    • Limit the use and disclosure of sensitive personal information (we do not use sensitive personal information beyond purposes permitted without this right).
    • Non-discrimination in price or service for exercising any CCPA right.

    To exercise any CCPA right, contact privacy@ertas.ai. We do not offer financial incentives in exchange for personal information.

    21. Other Regions

    • Canada (PIPEDA). We comply with the principles of the Personal Information Protection and Electronic Documents Act. You may complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca) if you believe we have not handled your personal information appropriately.
    • Brazil (LGPD). Brazilian residents have rights of access, rectification, deletion, portability, anonymisation, and information about sharing of personal data under the Lei Geral de Proteção de Dados. You may complain to the Autoridade Nacional de Proteção de Dados (ANPD).
    • China (PIPL). Mainland China imposes specific requirements on the cross-border transfer of personal information under the Personal Information Protection Law, including separate consent and security assessment, certification, or standard contract requirements depending on the volume and sensitivity of the data. Our Service is offered to and accepts subscriptions from users in Hong Kong, Taiwan, and the Chinese-speaking diaspora; users in Mainland China who interact with the Service should be aware that personal information will be transferred to Australia and the other jurisdictions described in section 12.

    22. Australia Supplement (Privacy Act 1988)

    If you are an Australian resident, the Australian Privacy Principles set out in Schedule 1 of the Privacy Act 1988 (Cth) apply to our handling of your personal information.

    You may request access to or correction of your personal information at any time by contacting privacy@ertas.ai. We will respond within 30 days under Australian Privacy Principle 12 (access) and Australian Privacy Principle 13 (correction).

    If you believe we have breached the Australian Privacy Principles or the Notifiable Data Breaches scheme, you may complain to us first at privacy@ertas.ai. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner at oaic.gov.au.

    We will notify the Office of the Australian Information Commissioner and affected individuals of an eligible data breach in accordance with the Notifiable Data Breaches scheme.

    23. Changes to This Policy

    We may update this Policy from time to time. The "Last updated" date at the top of this page reflects the most recent change.

    If we make a material change, we will give you at least 30 days' notice via email or in-app notification before the change takes effect, unless an earlier change is required by law. Your continued use of the Service after the change takes effect is acceptance of the updated Policy.

    A history of material changes is available on request to privacy@ertas.ai.

    24. Contact Us

    For questions about this Policy or to exercise your rights, contact us at:

    • Email: privacy@ertas.ai
    • Post: Auronova Technology Pty Ltd (ABN 43 691 973 725, ACN 691 973 725), 1 Tripovich St, Brunswick, VIC 3056, Australia
    • Trading name: Ertas AI
