Privacy policy.

1. Introduction

Devalo ("we", "us", "our") is committed to protecting the privacy of individuals whose personal information we collect and handle. This Privacy Policy explains how we collect, use, disclose, store, and protect personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This policy applies to all users of the Devalo platform (app.devalo.com.au), our marketing website (devalo.com.au), and any related services we provide.

By using our platform or providing us with personal information, you acknowledge that you have read and understood this Privacy Policy.

2. Personal information we collect

We collect the following types of personal information depending on how you interact with our platform:

Account and identity information

When you create an account or are invited to an organisation on Devalo, we collect your name, email address, and role within the organisation. If you are an organisation owner, we also collect your organisation name and business details.

Authentication and security information

We collect information necessary to secure your account, including hashed passwords (we never store passwords in plain text), two-factor authentication credentials (TOTP secrets, WebAuthn/passkey public keys, backup codes), session tokens, device fingerprints, and IP addresses associated with sign-in activity.

Billing and payment information

Payments are processed by Stripe. We do not store your full credit card number, CVC, or bank account details on our servers. Stripe provides us with limited information such as the last four digits of your card, card type, and billing address for record-keeping and invoice purposes. Please refer to Stripe's Privacy Policy for details on how they handle your payment data.

Platform usage data

We collect information about how you use the platform, including pages accessed, features used, module activity, and timestamps. This data is tied to your user account and organisation for audit, security, and service improvement purposes.

Organisation and business data

Data you or your organisation enters into Devalo modules (such as CRM contacts, calendar bookings, marketing campaigns, scoreboard metrics, or finance brokerage records) is stored on your behalf. This data belongs to your organisation and is accessible only to authorised users within your organisation based on their assigned role.

Finance module data

If your organisation uses the Finance Brokerage module, additional sensitive information may be collected as required for Australian Credit Licence compliance. This includes information about loan applicants, financial circumstances, and supporting documentation. This data is stored in a physically separate database with additional security controls as detailed in Section 7.

Communications

If you contact us via email, our contact form, or any other channel, we collect the contents of your communication along with your name and email address.

Information from third parties

We may receive information about you from your organisation's owner or administrator when they create your account. We do not purchase personal information from data brokers or third-party sources.

3. How we use your personal information

We use personal information for the following purposes:

Providing and operating the platform. To create and manage your account, authenticate your identity, provide access to modules your organisation has enabled, and deliver the core functionality of the platform.

Security and fraud prevention. To protect your account and our platform through two-factor authentication, session management, login monitoring, rate limiting, and immutable audit logging of all data changes.

Billing and payments. To process subscription payments, manage billing cycles, issue invoices, and communicate about payment-related matters.

Transactional communications. To send you essential service communications including verification codes, password reset links, security alerts, team invitations, and account notifications. These are not marketing messages and cannot be opted out of while you maintain an active account.

Platform improvement. To understand how the platform is used, identify issues, and improve our services. We do not use your organisation's business data for this purpose. Only aggregated, de-identified usage patterns inform product decisions.

Legal and regulatory compliance. To comply with applicable laws, regulations, and legal processes, including the Privacy Act 1988, the Spam Act 2003, and any financial services regulations applicable to specific modules.

Responding to enquiries. To respond to your questions, feedback, or requests submitted through our contact channels.

4. Marketing communications

If your organisation uses our Marketing Automation module to send email or SMS campaigns, your organisation is responsible for obtaining and managing consent from their recipients in accordance with the Spam Act 2003 (Cth) and relevant telecommunications legislation.

Devalo provides the tools for consent management, unsubscribe handling, and compliance tracking, but the obligation to use those tools correctly rests with the organisation operating the campaigns.

We may send you occasional communications about platform updates, new modules, or service changes. You may opt out of these non-essential communications at any time. We will never sell your email address or personal information to third parties for marketing purposes.

5. Disclosure of personal information

We may disclose personal information to the following categories of recipients:

Your organisation. If you are a member of an organisation on Devalo, your name, email, role, and activity within the platform may be visible to other authorised users in your organisation, subject to role-based access controls.

Infrastructure service providers. We use a limited number of third-party services to operate the platform. These providers process data on our behalf and are contractually bound to protect it:

We do not use third-party analytics tools, advertising pixels, or tracking scripts on the platform. We do not sell, rent, or trade personal information to any third party.

Legal requirements. We may disclose personal information if required to do so by law, regulation, legal process, or enforceable government request. We may also disclose information if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Devalo, our users, or the public.

6. Cross-border disclosure of personal information

As noted in Section 5, some of our infrastructure service providers are located in the United States. In accordance with APP 8, before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient handles the information in a manner consistent with the APPs.

Our contracts with these providers require them to protect personal information to standards substantially similar to the APPs. Where possible, we use service regions located in Australia (such as AWS Sydney) to minimise cross-border data transfer.

7. How we protect your information

We take the security of your personal information seriously and implement technical and organisational measures that go well beyond industry minimums:

Password security. All passwords are hashed using Argon2id with a server-side pepper. We enforce a minimum 12-character length, complexity requirements, and check passwords against known breach databases. Passwords expire every 90 days.

Two-factor authentication. 2FA is mandatory for all users on the platform. We support TOTP authenticator apps, WebAuthn/FIDO2 passkeys (hardware keys, biometrics), and email verification codes. Backup codes are individually hashed before storage.

Encryption. Sensitive data fields (personal information, credentials, security tokens) are encrypted at rest using AES-256-GCM authenticated encryption. Each encrypted value uses a unique nonce to ensure ciphertext uniqueness. Separate encryption keys are derived for each data category (e.g. identity, contact details, billing, credentials) so that a compromise of one category does not expose data from another. Encryption keys are stored in environment configuration, never committed to source code.

Session management. Session tokens are hashed (SHA-256) before database storage. Sessions have inactivity timeouts, device fingerprint binding, concurrent session limits, and can be explicitly revoked by the user or administrator.

Multi-tenant data isolation. Every piece of organisation-scoped data is isolated by a mandatory organisation identifier. Cross-tenant data access is architecturally impossible through the standard API layer. Every database query is scoped to the authenticated user's organisation.

Audit logging. Every data change (create, update, delete), every login attempt (success and failure), every permission change, and every session event is recorded in an immutable audit log. Audit entries capture old and new values and cannot be modified or deleted through any API.

Finance module isolation. The Finance Brokerage module operates on a completely separate database with its own authentication system. It connects to the core platform only through a time-limited, signed handoff with a 30-second expiry. There is no direct database connection between the core platform and the finance database. This isolation is a compliance requirement for Australian Credit Licence operations.

API hardening. Response schemas explicitly whitelist returned fields to prevent accidental data leakage. Error messages are sanitised. Authentication endpoints are rate-limited. Cross-origin requests are restricted to configured domains.

8. Data retention

We retain personal information for as long as your account is active or as needed to provide services to your organisation. Specific retention periods include:

Account data. Retained while your account is active. If your account is removed from an organisation, your personal data is deleted in accordance with our data retention schedule unless required for audit or legal purposes.

Audit logs. Retained for a minimum of 7 years to meet regulatory obligations and support dispute resolution. Audit logs are immutable and cannot be selectively deleted.

Billing records. Retained for 7 years in accordance with Australian Taxation Office requirements.

Finance module data. Retained in accordance with the National Consumer Credit Protection Act 2009 and associated regulations, which may require retention for 7 years after the last action on a file.

Organisation business data. When a module is disabled, data is preserved but inaccessible. When an organisation's account is terminated, data is scheduled for deletion after a grace period (currently 30 days) during which the data can be exported.

9. Your rights

Under the Australian Privacy Principles, you have the right to:

Access your information. You may request access to the personal information we hold about you. We will respond to your request within 30 days. Where possible, you can access and export your data directly through the platform's data export feature.

Correct your information. If you believe personal information we hold about you is inaccurate, incomplete, out of date, or misleading, you may request that we correct it. You can update much of your information directly through your account settings.

Request deletion. You may request that we delete personal information we hold about you, subject to legal and regulatory retention requirements. Some data (such as audit logs) cannot be deleted where retention is required by law.

Anonymity. In accordance with APP 2, you have the option of not identifying yourself or using a pseudonym when dealing with us, unless it is impracticable for us to operate without your identification (for example, to create an account or process a payment).

To exercise any of these rights, contact us at privacy@devalo.com.au.

10. Cookies and local storage

Our marketing website (devalo.com.au) uses minimal cookies limited to essential functionality such as remembering your dark mode preference. We do not use third-party tracking cookies, advertising cookies, or analytics cookies on our marketing site.

The platform (app.devalo.com.au) uses session cookies and local storage to maintain your authenticated session, store your display preferences, and manage the token refresh cycle. These are strictly necessary for the platform to function and are not used for tracking or advertising.

11. Data breach notification

In the event of an eligible data breach as defined under Part IIIC of the Privacy Act 1988 (the Notifiable Data Breaches scheme), we will:

Promptly assess any suspected breach to determine if it is likely to result in serious harm to any individuals whose personal information is involved. If serious harm is likely, we will notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable in accordance with our obligations under the NDB scheme. Our notification will include the nature of the breach, the types of information involved, and recommended steps individuals can take to protect themselves.

12. Children's privacy

Devalo is a business platform and is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete that information promptly.

13. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes to our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you via email or through a notice on our platform prior to the changes taking effect. The "Last updated" date at the top of this policy indicates when it was last revised.

14. Complaints

If you believe we have breached the Australian Privacy Principles or handled your personal information inappropriately, you may lodge a complaint with us at privacy@devalo.com.au. We will acknowledge your complaint within 7 days and aim to resolve it within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

Office of the Australian Information Commissioner
Website: www.oaic.gov.au
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
Post: GPO Box 5218, Sydney NSW 2001

15. Contact us

If you have any questions about this Privacy Policy or how we handle your personal information, please contact us:

Devalo
Email: privacy@devalo.com.au
Website: devalo.com.au/contact