What Nexes collects, why we collect it, how long we keep it, and your rights under the Australian Privacy Act 1988 and the Privacy Act 2026 amendments.
Nexes is a trading name of Ninth Gate Holdings Pty Ltd, ABN 41 693 266 465, registered in NSW, Australia (the “Data Controller”). Contact for privacy matters: privacy@nexes.com.au.
When you submit a Cover Audit intake, we receive the documents you upload (insurance policy schedules, certificates of currency, WorkCover notices, payroll records, contractor agreements, intake form answers).
Name, business name, email, phone, business address, ABN/ACN where provided.
IP address, browser type, device fingerprint hash, and standard server logs for fraud, security, and abuse monitoring. Cookies are used only for session and rate-limit enforcement — no third-party advertising trackers.
Stripe processes all payments on our behalf. We receive only the billing summary (last 4 digits of card, brand, country) — we never see or store full card numbers.
We do not sell, rent, or share your data with insurers, brokers, marketing companies, or any third party for their own commercial purposes.
| Data | Storage | Region |
|---|---|---|
| Intake answers, contact details | Supabase (Postgres) | AU / Sydney |
| Uploaded documents | Cloudflare R2 object storage | AU / APAC |
| Audit reports (generated) | Supabase + R2 (mirrored) | AU / Sydney |
| Payment records | Stripe (PCI-DSS Level 1) | US / EU (Stripe global) |
| Email delivery logs | Resend | US |
| AI processing (transient) | Anthropic Claude API | US / EU (no training data retention) |

Anthropic processes documents under their commercial API terms: no data is used for model training, all data in transit is TLS-encrypted, and all data at rest is AES-256-encrypted.

| Data | Retention |
|---|---|
| Uploaded source documents | 90 days from audit completion, then auto-deleted |
| Generated audit reports | 7 years (compliance & refund-window obligations) |
| Identity & contact records | 7 years (ATO & Corporations Act) |
| Payment records | 7 years (Stripe + our records) |
| Server / security logs | 180 days, then auto-rotated |
| Marketing email subscribers | Until you unsubscribe + 30 days |

Under the Australian Privacy Principles you have the right to:
To exercise any of these rights, email privacy@nexes.com.au. We respond within 30 days.
The Privacy Act 2026 amendments introduce new obligations around automated decision-making. Nexes Sentinel is an AI-assisted diagnostic — every audit finding is generated by a Claude model and reviewed by a human operator before delivery. No fully-automated decisions are made about you without human oversight.
If you would like to understand how a specific finding was produced, request a methodology explanation at privacy@nexes.com.au or read our public /methodology page.
If we become aware of a notifiable data breach affecting your personal information, we will notify you and the OAIC within 72 hours of confirmation, as required by the Notifiable Data Breaches scheme.
Nexes services are intended for Australian businesses. We do not knowingly collect personal information from children under 18. If you believe we have, contact us and we will delete it.
We may update this policy from time to time. Material changes will be emailed to customers whose data we hold. The latest version is always at nexes.com.au/privacy.
Quick reference: the legal scope, AFSL disclaimer, refund terms, and limitation of liability are at /legal. The methodology behind audit findings is at /methodology.