Privacy policy.
What data we collect, why we collect it, who helps us process it, and how long we keep it. Plain English first, aligned to the Australian Privacy Principles.
This policy explains the information HoistAI Pty Ltd handles to run Hoist Assets, process searches, bill accounts, support customers, and keep records verifiable.
Only what the service needs
Account, billing, search, and technical data are handled for service delivery and support.
No advertising resale
We do not sell personal information or share search history for advertising.
Export, correct, delete
Records are exportable, and deletion requests are honoured unless law requires retention.
Plain-English summary
- We collect the information needed to run your account, bill you, process searches, and keep records verifiable.
- We don't sell, share, or use your search history for marketing.
- We don't search individual grantors. Ever.
- Your records are exportable. We delete on request unless a law requires us to keep something.
- Records and certificates stay in Australia where we control storage. Some subprocessors operate globally (see /trust/residency).
Who we are
HoistAI Pty Ltd, ABN 11 695 718 659, 81–83 Campbell Street Surry Hills NSW 2010. "We", "us", or "Hoist Assets" in this policy means HoistAI Pty Ltd trading as Hoist Assets.
What we collect
Account information
- Email address (for sign-in and notifications)
- Display name and organisation (optional; for Due Diligence Record branding)
- Role (broker, IP, dealer, etc. - optional, helps us prioritise features)
Billing information
- Card or BPay details - held entirely by Stripe; we never see or store payment instrument details.
- Billing address (if needed for a tax invoice).
- ABN (for GST treatment).
Search activity
- Searches you run, including the target ACN, serial number, ABN, timestamp, reference, and result status.
- Records and certificates you generate.
- Connection and account usage statistics.
- Verification log hashes that let historic records be checked without storing personal details in those hashes.
Technical
- IP address (request-time only; not stored beyond 30 days for non-payment requests)
- Browser, SDK, or connected-tool user agent
- Errors (sent to Sentry AU, with PII scrubbed pre-send)
Connected tool context
When you access Hoist Assets through an AI tool or connected client, we may receive only the details needed to complete that request:
- The client identifier for the tool or app making the request.
- The search details submitted by the AI agent, such as an ACN or serial number. We treat these the same as details submitted directly by a human user.
- We do not receive or store your surrounding AI conversation, prompt history, or model reasoning. We only receive the fields needed for the tool call.
- If your AI tool sends extra request metadata, such as a session identifier, we keep it on the same 30-day schedule as standard request logs.
Why we collect it
- To provide the service. Run searches, generate records, bill you, and contact you when something breaks.
- To meet legal obligations. Keep tax records, meet AFSA reseller-reporting requirements, and support AML/CTF obligations where they apply.
- To improve the product. Aggregated usage statistics inform what we build next. We do not share per-customer breakdowns externally.
Who we share with
Subprocessors only. Full list at /trust#subprocessors. Notably:
- AFSA - we send your search inputs (ACN, serial number) to run the official search.
- Stripe - for payment processing.
- Cloudflare - for compute/storage.
We do not sell or share personal information for advertising. We do not share with data brokers.
How long we keep it
- Records and certificates: 30 days after subscription ends.
- Verification log entries (hashes only): retained indefinitely so historic verification works.
- Account metadata: 7 years after closure (AU tax requirements).
- Logs: 30 days unless flagged for incident investigation.
Your rights
Under the Australian Privacy Principles (APPs):
- Access - request a copy of your personal information. Self-serve in the dashboard, or use the current contact route at /contact/.
- Correction - fix inaccurate information.
- Deletion - request deletion (subject to legal retention obligations).
- Complaint - to us first; then the OAIC at oaic.gov.au if unresolved.
Cookies
We use first-party cookies for authentication (Clerk session) and a Cloudflare WAF cookie. No third-party advertising cookies. No tracking pixels. Detail at /privacy/cookies.
International transfers
Most data stays in AU. Some subprocessors process in the US (Stripe, Postmark, Clerk). See /trust/residency for the per-category breakdown.
Updates
Material changes to this policy go to all account holders by email and appear in /changelog tagged privacy. The "Last updated" date at the top of this page moves whenever any change ships.
Need a privacy or account answer?
Use the contact route for privacy rights, account access, billing, and setup questions.
Contact
Privacy officer: /contact/. Postal: HoistAI Pty Ltd, Attn: Privacy, 81–83 Campbell Street Surry Hills NSW 2010.
