How we handle your data.
Last updated · 22 April 2025
Engis is committed to protecting your privacy. This Policy explains how we collect, use, disclose, and safeguard your personal information when you use the Engis platform. We comply with the Privacy Act 1988 (Cth), the Australian Privacy Principles, and applicable GDPR provisions.
1 Overview
Engis ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the Engis platform ("Service").
We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), as well as applicable provisions of the General Data Protection Regulation (GDPR) for users in the European Economic Area.
By using the Service, you consent to the collection and use of your information as described in this Policy.
2 Information We Collect
2.1 Information you provide directly
- Account information: name, work email address, job title, and role within your firm.
- Project data: project names, phases, financial values, timesheet entries, claims, and associated documents.
- Communications: emails or messages you send to our support team.
- Payment information: billing details processed by Stripe (we do not store card numbers directly).
2.2 Information collected automatically
- Usage data: pages visited, features used, actions taken within the platform, and session timestamps.
- Device and browser information: IP address, browser type, operating system, and device identifiers.
- Log data: server logs including request times, error reports, and performance metrics.
- Cookies: session cookies for authentication and preference cookies for settings like dark mode. See Section 7 for more detail.
2.3 Information from third parties
- Xero: if you connect your Xero account, we receive invoice and contact data from Xero's API to enable invoice synchronisation.
- Stripe: payment status and subscription information from Stripe's billing infrastructure.
3 How We Use Your Information
We use the information we collect to:
- Provide, operate, and improve the Service.
- Authenticate users and maintain account security.
- Process payments and manage subscriptions.
- Send transactional communications (account invitations, password resets, billing receipts).
- Provide customer support and respond to your enquiries.
- Analyse usage patterns to improve product features.
- Detect and prevent fraud, abuse, and security incidents.
- Comply with legal obligations.
We do not use your data for advertising, and we do not sell your personal information to third parties.
4 Third-Party Services
We use the following third-party services to operate the platform. Each service has its own privacy policy and data practices:
Database and authentication infrastructure. Your data is stored in Supabase-managed PostgreSQL databases hosted in Australia (Sydney region).
Hosting and deployment platform. Vercel serves the Engis web application and processes request logs.
Payment processing. Stripe handles all credit card transactions and stores billing information securely.
Transactional email delivery for system notifications, invitations, and password resets.
Accounting integration (optional). Connected only when you explicitly authorise the integration.
Product analytics (optional, EU-hosted). Records anonymous feature-usage events. Sent only after you click “Accept analytics” in the cookie banner — opt out any time by clearing the engis_analytics_consent cookie. Never includes project data, financial figures, or message content.
Web analytics (optional). Aggregate, cookieless visitor counts and Web Vitals shown in our Vercel dashboard. Loads only after you click “Accept analytics” (engis_analytics_consent) and never records project data, financial figures, or message content.
Interactive map basemaps for the spatial and dashboard maps. Mapbox receives map view requests (approximate map location and zoom) to serve tiles; no account, project, or financial data is sent.
5 Data Storage and Security
Your data is stored on servers located in Australia (Sydney). We implement industry-standard security measures including:
- TLS encryption for all data in transit.
- AES-256 encryption for data at rest.
- Row-level security (RLS) policies ensuring each firm can only access its own data.
- Regular security assessments and access controls.
- Multi-factor authentication options for user accounts.
Despite these measures, no method of transmission over the internet is 100% secure. If you become aware of a security issue, please contact us immediately at support@engis.au.
6 Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:
- Active accounts: data is retained indefinitely while you maintain an active subscription.
- Cancelled accounts: data is retained for 30 days after cancellation, during which you may request an export. After this period, data is deleted from production systems.
- Backup systems: data may persist in encrypted backups for up to 90 days after deletion from production systems.
- Legal hold: we may retain data for longer periods where required by law or to resolve disputes.
7 Cookies
We use cookies and similar tracking technologies to operate the Service. The cookies we use are:
| Cookie | Purpose | Duration |
|---|---|---|
| sb-* | Supabase authentication session | Session / 7 days |
| engis_theme | Dark/light mode preference (localStorage) | Persistent |
| engis_view_as_role | Role preview setting (localStorage) | Persistent |
| engis_cookie_consent | Records that you saw the cookie banner | 1 year |
| engis_analytics_consent | Records that you opted into product analytics (PostHog) and Vercel Web Analytics. Set only if you click “Accept analytics”. | 1 year |
We do not use third-party advertising or analytics cookies. You can clear cookies through your browser settings, though this may affect your ability to log in.
8 Your Rights
Under the Australian Privacy Act and, where applicable, the GDPR, you have the following rights regarding your personal information:
- Access: You have the right to request a copy of the personal information we hold about you.
- Correction: You have the right to request correction of inaccurate or incomplete personal information.
- Deletion: You may request deletion of your personal information, subject to our legal obligations and data retention requirements. To request account deletion, contact support@engis.au.
- Portability: You may request an export of your firm's data in a machine-readable format (CSV or JSON).
- Objection: You may object to processing of your personal information in certain circumstances.
- Withdrawal of consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at support@engis.au. We will respond within 30 days.
If you believe we have mishandled your personal information, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
9 Children's Privacy
The Service is intended for use by professionals aged 18 and over. We do not knowingly collect personal information from individuals under 18. If you believe we have inadvertently collected such information, please contact us to have it deleted.
10 Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice within the Service at least 14 days before the change takes effect. The "Last updated" date at the top of this page reflects the most recent revision.
11 Contact Us
For any privacy-related questions, concerns, or requests, please contact our Privacy Officer:
