Privacy Policy
Bray Capital Pty Ltd trading as Decisio
ABN 21 585 474 632
Suite 2, Level 3A/1 Bligh St, Sydney NSW 2000
Effective date: January 2026
Last updated: January 2026
Your privacy is important to us. It is Bray Capital Pty Ltd's policy to respect your privacy and comply with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and other applicable privacy laws regarding any personal information we may collect about you.
This policy applies to our website at https://decisio.com.au and our decision governance platform (collectively, the "Service").
Information We Collect
Information we collect includes both information you knowingly and actively provide when using or participating in the Service, and information automatically sent by your devices when accessing our products and services.
Account Information
When you register for an account, we collect:
- Email address
- First name and last name
- Password (stored securely hashed)
Workspace and Organisation Data
When you create or join a workspace, we collect:
- Workspace name and settings
- Your role within the workspace
- Billing contact information (name, email, billing address)
Decision Records
When you use the Service for governance activities, we collect and store:
- Issues, motions, and resolutions you create
- Submissions (votes, consensus responses, or chair decisions)
- Comments and discussions
- Exhibits and attachments you upload
- Participant information for decision processes
Payment Information
When you subscribe to paid plans, payment card details are collected and processed securely by our payment processor, Stripe. We do not store complete payment card numbers on our systems.
Log Data
When you visit our website or use the Service, our servers may automatically log standard data provided by your web browser, including IP address, browser type and version, pages visited, and time of visit.
How We Collect Information
Direct Collection
- When you register for an account
- When you create or update your profile
- When you create workspaces, projects, issues, motions, or other content
- When you invite participants to decision processes
- When you contact us for support
Automated Collection
- Through cookies and similar technologies when you visit our website
- Through server logs when you access the Service
- Through error monitoring when issues occur (Sentry)
- Through analytics tools that measure website usage (Vercel Analytics)
Why We Collect Information
We only collect and use your personal information when we have a legitimate reason for doing so. We collect personal information that is reasonably necessary to:
- Provide, operate, and maintain the Service
- Process your transactions and manage your subscriptions
- Authenticate you when you log in
- Send transactional emails and notifications
- Protect against unauthorised access and fraud
- Understand how users interact with the Service
- Comply with applicable laws and regulations
How We Use Information
| Purpose | Types of Information Used |
|---|---|
| Provide and personalise the Service | Account info, workspace data, decision records |
| Process payments and billing | Billing contact info, payment details (via Stripe) |
| Send transactional communications | Email address, name |
| Provide customer support | Account info, support correspondence, error logs |
| Monitor security and prevent fraud | IP address, device info, usage patterns |
We do not use your personal information for direct marketing purposes without your explicit consent. We do not sell your personal information to third parties.
Information Sharing and Disclosure
Service Providers (Sub-processors)
We work with third-party service providers who process personal information on our behalf. These providers are contractually bound to protect your information.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, Authentication | Sydney, Australia |
| Stripe | Payment Processing | United States (PCI DSS compliant) |
| Resend | Email Delivery | United States |
| Sentry | Error Monitoring | United States |
| Vercel | Hosting, Analytics | Sydney, Australia |
International Data Transfers
The personal information we collect is primarily stored and processed in Australia (Sydney region) through our hosting provider, Supabase.
However, some of our service providers are located outside Australia, including in the United States. When we transfer your personal information to these overseas recipients, we take reasonable steps to ensure they handle your information consistently with the Australian Privacy Principles.
Data Security
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. Our security measures include:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS
- Encryption at rest: Database contents are encrypted at rest
- Row Level Security (RLS): Database access controls ensure users can only access data they are authorised to view
- Secure authentication: Passwords are securely hashed
Data Retention
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, and support legitimate business needs.
| Data Type | Retention Period | Rationale |
|---|---|---|
| User account | Until deletion requested | Service provision |
| Workspace data | Until workspace deleted | Service provision |
| Decision records | Indefinite | Governance audit trail |
| Payment records | 7 years | Tax/legal requirements |
| Error logs (Sentry) | 90 days | Automatic retention policy |
Your Rights
Under the Australian Privacy Principles and other applicable laws, you have specific rights regarding your personal information.
Right to Access (APP 12)
You have the right to request access to the personal information we hold about you. You can access your profile information through your account settings or request a copy by contacting us.
Right to Correction (APP 13)
You have the right to request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
Right to Complain
If you believe we have breached the Australian Privacy Principles, you can:
- Contact us first: We encourage you to contact us directly so we can investigate and resolve your complaint. We will respond within 30 days.
- Complain to the OAIC: If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
- Online: www.oaic.gov.au/privacy/privacy-complaints
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au
Children's Privacy
The Service is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16.
Data Breach Notification
In accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act, we will notify affected individuals and the OAIC if we experience an eligible data breach that is likely to result in serious harm.
Changes to This Policy
We may update this privacy policy from time to time. For significant changes, we will notify you by email or through a prominent notice on the Service before the changes take effect.
Contact Us
If you have any questions, concerns, or requests regarding this privacy policy or our privacy practices, please contact us:
Privacy Officer
Bray Capital Pty Ltd (trading as Decisio)
Email: privacy@decisio.com.au
Address: Suite 2, Level 3A/1 Bligh St, Sydney NSW 2000
ABN: 21 585 474 632
We will respond to privacy-related enquiries within 30 days.
See also: Cookie Policy