Privacy Policy

Your data, your rules.

Sprintora is built by a studio for studios. We know your project data, time entries, and team financials are sensitive. This policy explains exactly what we collect, where it lives, and what we never do with it.

Effective 1 May 2026 · Last updated May 2026

No AI training

Your data is never used to train any AI model — Anthropic's or ours. Zero-retention API calls only.

Stored in Australia

Primary database on AWS ap-southeast-2, Sydney. Your data doesn't leave Australia without disclosure.

Encrypted end-to-end

TLS in transit, AES-256 at rest, row-level security, and encrypted credential storage.

About this policy

This Privacy Policy explains how Charles Elena Pty Ltd (“we”, “us”, “our”) collects, holds, uses, and discloses personal information through the Sprintora service and associated websites.

We are an Australian business and comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where we serve users in New Zealand, we also comply with the Privacy Act 2020 (NZ) and the New Zealand Information Privacy Principles.

By using Sprintora, you agree to the collection and use of information as described here. If you do not agree, please do not use the service.


Information we collect

Account information

  • Full name and email address when you sign up
  • Password (stored as a secure hash — we never store your plain-text password)
  • Business name, role, and team size collected during onboarding to personalise the service

Integration credentials

  • API keys for connected time trackers (e.g. Paymo). Keys are encrypted at rest and never displayed in plain text after entry.

Project and operational data

  • Project names, task lists, time entries, and team member information synced from your connected time tracker
  • Cost rates and billing rates you enter into Sprintora

This data belongs to your studio. We process it solely to power Sprintora features and never use it for any other purpose.

Usage and technical information

  • Pages visited and features used (aggregate — no keystroke or content capture)
  • Browser type, operating system, IP address, and session identifiers
  • Error logs and performance diagnostics

Communications

  • Emails or messages you send via the contact form or support channels

We do not collect sensitive information as defined by the Privacy Act (such as health information, ethnicity, or political views). We do not knowingly collect information from individuals under 18.


How we collect it

Directly from you

When you create an account, complete onboarding, enter team rates, or contact us.

From your integrations

Time entries, projects, tasks, and team data are fetched from your connected time tracker via their API. You control what is connected — we only access what you explicitly authorise.

Automatically

Session cookies and server logs capture technical information when you use the service.


Why we collect it

We collect personal information to:

  • Create and manage your account
  • Deliver core features: capacity planning, sprint generation, and profitability tracking
  • Personalise the product based on your studio type and role
  • Send product-related communications (updates, invoices, critical security notices)
  • Investigate and resolve support requests
  • Monitor for security threats and service reliability
  • Comply with our legal obligations

We do not collect personal information for direct marketing purposes without your consent. You may opt out of non-essential emails at any time via the unsubscribe link in those messages or by contacting us.


Third parties we work with

We share information only where necessary to deliver the service. We do not sell, rent, or trade personal information and we do not share it with advertising networks.

Supabase / AWS

  • Location: ap-southeast-2, Sydney, AU
  • Purpose: Database and file storage
  • Details: Primary data store. All your operational data lives here.

Anthropic

  • Location: United States
  • Purpose: AI features (optional)
  • Details: Zero-retention API — Anthropic does not store or train on your data after the request completes.

Stripe

  • Location: United States (global)
  • Purpose: Subscription billing
  • Details: Handles payment processing. We never store card numbers.

Vercel

  • Location: Global edge
  • Purpose: Application hosting & CDN
  • Details: Serves the application. No personal data stored at the edge layer.

Each provider is bound by contractual data-protection obligations. Where a provider is located overseas, we take reasonable steps (including contractual arrangements) to ensure they handle your information in accordance with the APPs.


AI and your data

No AI model — Anthropic's or ours — is trained on your studio's data. Ever.

Sprintora uses Anthropic Claude to power optional AI features: sprint recommendations, insight summaries, and the analytics chat. When you use these features:

  • Only the minimum context required is sent to Anthropic (project summaries, task aggregates — never raw time entries or personal financial records)
  • All requests are made with zero-retention enabled — Anthropic does not log, store, or train on your data after the API call completes
  • AI features are always triggered by a deliberate action — you are never automatically enrolled
  • Every AI-powered action has a non-AI equivalent if you prefer not to use it

If you have questions about how a specific AI feature uses your data, contact us.


Data storage & security

Your data is primarily stored in Australia on AWS ap-southeast-2 (Sydney). We implement the following technical controls:

  • All data encrypted in transit using TLS 1.2+
  • All data encrypted at rest using AES-256
  • Database access restricted by row-level security (RLS) — each account can only read its own data
  • API keys and integration credentials encrypted before storage, never exposed in plain text
  • Application access protected by Supabase Auth with email verification
  • Administrative access requires multi-factor authentication

We regularly review our security practices and take reasonable steps to protect personal information from misuse, loss, unauthorised access, modification, and disclosure (APP 11).

Cross-border disclosure (APP 8)

Some personal information is processed by providers outside Australia (see Third Parties above). Before disclosing personal information to overseas recipients, we take reasonable steps to ensure those recipients handle it in accordance with the APPs.

  • AWS and Vercel participate in recognised compliance frameworks (ISO 27001, SOC 2)
  • Anthropic has contractually agreed to zero data retention for API requests from Sprintora
  • Stripe complies with PCI DSS and applicable data protection laws

Data retention

We retain personal information for as long as your account is active or as needed to provide the service:

  • Account and operational data — retained while your account is open
  • On account deletion — personal information removed within 30 days, except where retention is required by law
  • Billing records — retained for up to 7 years to comply with Australian tax law (ATO requirements)
  • Security and activity logs — retained for up to 90 days, then deleted
  • Integration data (synced from Paymo etc.) — deleted within 30 days of account closure or integration removal

You can request deletion of your account and data at any time — see Your Rights below.


Your rights

Under the Privacy Act 1988 (Cth) and the APPs, you have the following rights:

Access (APP 12)

Request a copy of the personal information we hold about you. We will respond within 30 days. We may charge a reasonable fee to cover the cost of providing access, but we will never charge you simply for making the request.

Correction (APP 13)

Request correction of personal information that is inaccurate, incomplete, or out of date. You can update most information directly in your account settings. For other corrections, contact us.

Deletion

Request deletion of your personal information. We will action this promptly, subject to any legal retention requirements noted above.

Opt-out of direct marketing

Opt out of any direct marketing communications using the unsubscribe link in those messages or by contacting us directly.

New Zealand users: You also have rights under the Privacy Act 2020 (NZ), including the right to access and correct your personal information and to make a complaint to the Office of the Privacy Commissioner if you believe your privacy has been interfered with.

Cookies

Sprintora uses session cookies to maintain your authenticated session. We do not use third-party advertising cookies, tracking pixels, or behavioural analytics tools. Usage metrics we collect are anonymised and aggregated.

Your browser can be set to refuse cookies. Doing so will prevent you from accessing authenticated areas of the service.


Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the “Last updated” date above and notify you by email if the changes significantly affect how we handle your personal information.

Continued use of Sprintora after changes take effect constitutes acceptance of the updated policy.


Contact & complaints

For privacy-related questions, access requests, correction requests, or complaints, contact us first:

Privacy contact

  • Charles Elena Pty Ltd
  • privacy@charleselena.com.au

We aim to acknowledge all requests within 5 business days and resolve them within 30 days.

If you are not satisfied with our response, you may escalate to the relevant regulator:

Australia

  • Office of the Australian Information Commissioner
  • oaic.gov.au
  • 1300 363 992

New Zealand

  • Office of the Privacy Commissioner
  • privacy.org.nz
  • 0800 803 909