Privacy Policy

Bray Capital Pty Ltd trading as Decisio
ABN 21 585 474 632
Suite 2, Level 3A/1 Bligh St, Sydney NSW 2000

Effective date: January 2026
Last updated: January 2026

Your privacy is important to us. It is Bray Capital Pty Ltd's policy to respect your privacy and comply with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and other applicable privacy laws regarding any personal information we may collect about you.

This policy applies to our website at https://decisio.com.au and our decision governance platform (collectively, the "Service").

Information We Collect

Information we collect includes both information you knowingly and actively provide when using or participating in the Service, and information automatically sent by your devices when accessing our products and services.

Account Information

When you register for an account, we collect:

Email address
First name and last name
Password (stored securely hashed)

Workspace and Organisation Data

When you create or join a workspace, we collect:

Workspace name and settings
Your role within the workspace
Billing contact information (name, email, billing address)

Decision Records

When you use the Service for governance activities, we collect and store:

Issues, motions, and resolutions you create
Submissions (votes, consensus responses, or chair decisions)
Comments and discussions
Exhibits and attachments you upload
Participant information for decision processes

Payment Information

When you subscribe to paid plans, payment card details are collected and processed securely by our payment processor, Stripe. We do not store complete payment card numbers on our systems.

Log Data

When you visit our website or use the Service, our servers may automatically log standard data provided by your web browser, including IP address, browser type and version, pages visited, and time of visit.

How We Collect Information

Direct Collection

When you register for an account
When you create or update your profile
When you create workspaces, projects, issues, motions, or other content
When you invite participants to decision processes
When you contact us for support

Automated Collection

Through cookies and similar technologies when you visit our website
Through server logs when you access the Service
Through error monitoring when issues occur (Sentry)
Through analytics tools that measure website usage (Vercel Analytics)

Why We Collect Information

We only collect and use your personal information when we have a legitimate reason for doing so. We collect personal information that is reasonably necessary to:

Provide, operate, and maintain the Service
Process your transactions and manage your subscriptions
Authenticate you when you log in
Send transactional emails and notifications
Protect against unauthorised access and fraud
Understand how users interact with the Service
Comply with applicable laws and regulations

How We Use Information

Purpose	Types of Information Used
Provide and personalise the Service	Account info, workspace data, decision records
Process payments and billing	Billing contact info, payment details (via Stripe)
Send transactional communications	Email address, name
Provide customer support	Account info, support correspondence, error logs
Monitor security and prevent fraud	IP address, device info, usage patterns

We do not use your personal information for direct marketing purposes without your explicit consent. We do not sell your personal information to third parties.

Service Providers (Sub-processors)

We work with third-party service providers who process personal information on our behalf. These providers are contractually bound to protect your information.

Provider	Purpose	Location
Supabase	Database, Authentication	Sydney, Australia
Stripe	Payment Processing	United States (PCI DSS compliant)
Resend	Email Delivery	United States
Sentry	Error Monitoring	United States
Vercel	Hosting, Analytics	Sydney, Australia (primary compute); global CDN for static assets

International Data Transfers

The personal information we collect is primarily stored and processed in Australia (Sydney region) through our hosting provider, Supabase.

However, some of our service providers are located outside Australia, including in the United States. When we transfer your personal information to these overseas recipients, we take reasonable steps to ensure they handle your information consistently with the Australian Privacy Principles.

Data Security

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. Our security measures include:

Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS
Encryption at rest: Database contents are encrypted at rest
Row Level Security (RLS): Database access controls ensure users can only access data they are authorised to view
Secure authentication: Passwords are securely hashed

Data Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, and support legitimate business needs.

Data Type	Retention Period	Rationale
User account	Until deletion requested	Service provision
Workspace data	Until workspace deleted	Service provision
Decision records	Indefinite	Governance audit trail
Payment records	7 years	Tax/legal requirements
Error logs (Sentry)	90 days	Automatic retention policy

Your Rights

Under the Australian Privacy Principles and other applicable laws, you have specific rights regarding your personal information.

Right to Access (APP 12)

You have the right to request access to the personal information we hold about you. You can access your profile information through your account settings or request a copy by contacting us.

Right to Correction (APP 13)

You have the right to request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading.

Account Deletion

You may request the deletion of your account and associated personal information by emailing privacy@decisio.com.au. Please note that decision records (votes, resolutions, audit trail entries) may be retained in anonymised form to preserve the integrity of organisational governance records — your individual votes and actions will be attributed to “Deleted User” rather than your name. We will process deletion requests within 30 days.

Right to Complain

If you believe we have breached the Australian Privacy Principles, you can:

Contact us first: We encourage you to contact us directly so we can investigate and resolve your complaint. We will respond within 30 days.
Complain to the OAIC: If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Online: www.oaic.gov.au/privacy/privacy-complaints
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au

Children's Privacy

The Service is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16.

Data Breach Notification

In accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act, we will notify affected individuals and the OAIC if we experience an eligible data breach that is likely to result in serious harm.

Changes to This Policy

We may update this privacy policy from time to time. For significant changes, we will notify you by email or through a prominent notice on the Service before the changes take effect.

Contact Us

If you have any questions, concerns, or requests regarding this privacy policy or our privacy practices, please contact us:

Privacy Officer

Bray Capital Pty Ltd (trading as Decisio)

Email: privacy@decisio.com.au

Address: Suite 2, Level 3A/1 Bligh St, Sydney NSW 2000

ABN: 21 585 474 632

We will respond to privacy-related enquiries within 30 days.

Privacy Policy

Bray Capital Pty Ltd trading as Decisio
ABN 21 585 474 632
Suite 2, Level 3A/1 Bligh St, Sydney NSW 2000

Effective date: January 2026
Last updated: January 2026

This policy applies to our website at https://decisio.com.au and our decision governance platform (collectively, the "Service").

Information We Collect

Account Information

When you register for an account, we collect:

Email address
First name and last name
Password (stored securely hashed)

Workspace and Organisation Data

When you create or join a workspace, we collect:

Workspace name and settings
Your role within the workspace
Billing contact information (name, email, billing address)

Decision Records

When you use the Service for governance activities, we collect and store:

Issues, motions, and resolutions you create
Submissions (votes, consensus responses, or chair decisions)
Comments and discussions
Exhibits and attachments you upload
Participant information for decision processes

Payment Information

When you subscribe to paid plans, payment card details are collected and processed securely by our payment processor, Stripe. We do not store complete payment card numbers on our systems.

Log Data

How We Collect Information

Direct Collection

When you register for an account
When you create or update your profile
When you create workspaces, projects, issues, motions, or other content
When you invite participants to decision processes
When you contact us for support

Automated Collection

Through cookies and similar technologies when you visit our website
Through server logs when you access the Service
Through error monitoring when issues occur (Sentry)
Through analytics tools that measure website usage (Vercel Analytics)

Why We Collect Information

We only collect and use your personal information when we have a legitimate reason for doing so. We collect personal information that is reasonably necessary to:

Provide, operate, and maintain the Service
Process your transactions and manage your subscriptions
Authenticate you when you log in
Send transactional emails and notifications
Protect against unauthorised access and fraud
Understand how users interact with the Service
Comply with applicable laws and regulations

How We Use Information

Purpose	Types of Information Used
Provide and personalise the Service	Account info, workspace data, decision records
Process payments and billing	Billing contact info, payment details (via Stripe)
Send transactional communications	Email address, name
Provide customer support	Account info, support correspondence, error logs
Monitor security and prevent fraud	IP address, device info, usage patterns

We do not use your personal information for direct marketing purposes without your explicit consent. We do not sell your personal information to third parties.

Service Providers (Sub-processors)

We work with third-party service providers who process personal information on our behalf. These providers are contractually bound to protect your information.

Provider	Purpose	Location
Supabase	Database, Authentication	Sydney, Australia
Stripe	Payment Processing	United States (PCI DSS compliant)
Resend	Email Delivery	United States
Sentry	Error Monitoring	United States
Vercel	Hosting, Analytics	Sydney, Australia (primary compute); global CDN for static assets

International Data Transfers

The personal information we collect is primarily stored and processed in Australia (Sydney region) through our hosting provider, Supabase.

Data Security

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. Our security measures include:

Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS
Encryption at rest: Database contents are encrypted at rest
Row Level Security (RLS): Database access controls ensure users can only access data they are authorised to view
Secure authentication: Passwords are securely hashed

Data Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, and support legitimate business needs.

Data Type	Retention Period	Rationale
User account	Until deletion requested	Service provision
Workspace data	Until workspace deleted	Service provision
Decision records	Indefinite	Governance audit trail
Payment records	7 years	Tax/legal requirements
Error logs (Sentry)	90 days	Automatic retention policy

Your Rights

Under the Australian Privacy Principles and other applicable laws, you have specific rights regarding your personal information.

Right to Access (APP 12)

You have the right to request access to the personal information we hold about you. You can access your profile information through your account settings or request a copy by contacting us.

Right to Correction (APP 13)

You have the right to request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading.

Account Deletion

Right to Complain

If you believe we have breached the Australian Privacy Principles, you can:

Contact us first: We encourage you to contact us directly so we can investigate and resolve your complaint. We will respond within 30 days.
Complain to the OAIC: If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Online: www.oaic.gov.au/privacy/privacy-complaints
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au

Children's Privacy

The Service is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16.

Data Breach Notification

Changes to This Policy

We may update this privacy policy from time to time. For significant changes, we will notify you by email or through a prominent notice on the Service before the changes take effect.

Contact Us

If you have any questions, concerns, or requests regarding this privacy policy or our privacy practices, please contact us:

Privacy Officer

Bray Capital Pty Ltd (trading as Decisio)

Email: privacy@decisio.com.au

Address: Suite 2, Level 3A/1 Bligh St, Sydney NSW 2000

ABN: 21 585 474 632

We will respond to privacy-related enquiries within 30 days.

Privacy Policy

Information We Collect

Account Information

Workspace and Organisation Data

Decision Records

Payment Information

Log Data

How We Collect Information

Direct Collection

Automated Collection

Why We Collect Information

How We Use Information

Information Sharing and Disclosure

Service Providers (Sub-processors)

International Data Transfers

Data Security

Data Retention

Your Rights

Right to Access (APP 12)

Right to Correction (APP 13)

Account Deletion

Right to Complain

Children's Privacy

Data Breach Notification

Changes to This Policy

Contact Us

Privacy Policy

Information We Collect

Account Information

Workspace and Organisation Data

Decision Records

Payment Information

Log Data

How We Collect Information

Direct Collection

Automated Collection

Why We Collect Information

How We Use Information

Information Sharing and Disclosure

Service Providers (Sub-processors)

International Data Transfers

Data Security

Data Retention

Your Rights

Right to Access (APP 12)

Right to Correction (APP 13)

Account Deletion

Right to Complain

Children's Privacy

Data Breach Notification

Changes to This Policy

Contact Us