Privacy Policy

Overview

This Privacy Policy explains how Polinate PTY LTD (“Polinate”, “we”, “us”) collects, uses, discloses, and protects information when you and your organisation use our ordering, invoicing, and integration platform (the “Services”). It applies to account holders, supplier/buyer users, franchise users, and other authorised personnel who interact with our Services, websites, APIs, and support channels. By using the Services, you acknowledge this Policy and, where applicable, obtain any consents from your users and customers that are required for your use of the Services.

Who We Are

Polinate PTY LTD is an Australian SaaS provider that enables restaurants, franchisees, and wholesale suppliers to exchange orders, invoices, and related operational data. We provide AI-powered agents for order capture and processing, integrations to ERPs and accounting platforms, and tooling for par levels, fulfilment, and reporting.

Scope and Audience

This Policy covers information we process as a service provider to business customers (B2B). Enterprise customers may enter into Master Services Agreements and data protection terms with us; if there is a conflict, those signed terms prevail for that customer’s tenancy.

Information We Collect

We collect business and personal information to operate and secure the Services:

- Organisation identifiers (legal name, trading name, ABN/ACN), billing and service contacts
- User account data (name, work email, phone, role/permissions, authentication events, audit logs)
- Order, fulfilment, invoice, credit memo, and delivery metadata
- Buyer–supplier relationship data (price lists, catalog entries, franchise mappings)
- Uploaded artefacts (PDFs, images, CSVs, invoices, purchase orders, confirmations)
- Communications content submitted to the Services (e.g., email bodies, chat messages, phone/voicemail transcripts processed by AI agents) and related metadata
- Integration data retrieved from or sent to third-party systems (e.g., ERP/accounting/email providers), subject to your configuration
- Device and usage telemetry (browser/OS, IP address, page views, feature usage, error diagnostics, performance metrics)
- Support content (tickets, call notes, attachments)

How We Collect It

We collect information from: (1) you and your users (forms, uploads, emails/SMS routed to the platform, API calls), (2) connected systems you authorise (e.g., ERPs, accounting/email providers), (3) automated collection via SDKs/cookies/logs, and (4) our support interactions (tickets, calls).

How We Use Your Information

We use information to:

- Provide, operate, maintain, and improve the Services for your tenancy
- Automate order capture (e.g., AI parsing of emails/SMS/voice) and invoice processing with human-in-the-loop review where configured
- Sync data with connected systems (e.g., items, customers, pricing, invoices, order status)
- Provide par-level tools, historical views, analytics dashboards, and proactive issue detection
- Secure the platform (fraud monitoring, access control, incident detection and response)
- Provide support, service communications, and product updates
- Comply with legal obligations and enforce our terms

Legal Bases and Regional Overlays

Australia: We handle Personal Information consistent with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), including transparency, access/correction, and reasonable security steps.

EU/UK (if applicable to you): Where GDPR/UK GDPR applies, our legal bases typically include performance of contract (Art. 6(1)(b)), legitimate interests (6(1)(f)) for security/analytics (balanced against your rights), compliance with law (6(1)(c)), and consent (6(1)(a)) where required (e.g., certain cookies/marketing in EU/UK).

US/California (if applicable to you): We do not “sell” Personal Information as defined by CPRA. If we ever engage in “sharing” for targeted advertising, we will provide opt-out mechanisms and required disclosures.

Operational vs Marketing Communications

Operational (transactional) messages—e.g., order confirmations, delivery updates, billing notices—may be sent without marketing consent. Marketing communications (e.g., product newsletters, promotions) are sent only in compliance with applicable law and include an unsubscribe or opt-out. Administrators can configure which operational communications are enabled for your tenancy.

AI, Automation, and De-identification

Our AI agents convert unstructured inputs (emails, SMS, PDFs, voice transcriptions) into structured orders. To improve accuracy and reliability, we may use de-identified and aggregated artefacts, applying technical and organisational measures aimed at reducing re-identification risk. We do not train models on identifiable customer content for third-party benefit. Where your agreement provides an opt-out for de-identified improvement data, we honour that configuration.

Sharing and Disclosures

We disclose information only as necessary to operate the Services or as required by law:

- Subprocessors and infrastructure providers (hosting, storage, email/SMS delivery, observability, security tooling)
- Integrations you enable (e.g., ERP/accounting/email APIs) per your configuration and access scopes
- Professional advisers (auditors, legal counsel) under confidentiality
- Government and regulatory authorities where legally required

We do not sell or rent Personal Information. We require service providers to use data only to perform services for us and to protect it appropriately.

International Transfers and Cross-Border Disclosure

We may process and store data in Australia and in other countries where we or our providers operate. For Australian customers, cross-border disclosures are made in line with the APPs (including APP 8), and we take reasonable steps designed to ensure overseas recipients handle Personal Information in a manner consistent with the APPs. For EU/UK-connected processing, we use appropriate transfer safeguards (e.g., SCCs/IDTA) where applicable.

Data Retention and Deletion

We retain information for as long as necessary to deliver the Services, meet legal obligations, resolve disputes, and enforce agreements. On contract termination or your instruction, we provide export options for Customer Data and then delete or irreversibly de-identify it from active systems within defined windows. Backups are purged by rotation on a schedule. Certain records may be retained as required by law.

Security

We implement layered administrative, technical, and physical controls appropriate to the risk, including:

- Encryption in transit and at rest
- Role-based access controls and MFA for privileged access
- Environment segregation (production/staging) and least-privilege principles
- Vulnerability management, patching, monitoring, and alerting
- Secure SDLC practices, code review, and change control
- Regular backups, recovery testing, and documented incident response

No system is perfectly secure; we encourage strong passwords, MFA, and prudent access hygiene within your organisation.

Security Incidents and Notifiable Data Breaches

If we become aware of unauthorised access, disclosure, or loss affecting Personal Information in our control, we will investigate, mitigate, and notify you without undue delay. Where the incident meets legal thresholds (e.g., Australia’s Notifiable Data Breaches scheme), we will support required notifications and remediation guidance.

Your Rights and Choices

Subject to applicable law, you may request access to and correction of Personal Information we hold about you. Where GDPR/UK GDPR applies, additional rights may include deletion, restriction, portability, and objection. California residents may have rights to know, delete, correct, and opt out of certain sharing. We will verify identity before acting on requests and respond within required timeframes.

Cookies and Similar Technologies

We use cookies, SDKs, and similar technologies for core functionality, security, analytics, and (where enabled) marketing. In jurisdictions that require consent for non-essential cookies, we present consent tools with granular choices. You can change preferences at any time. Blocking certain cookies may affect functionality.

Third-Party Services and Integrations

You may connect third-party services (e.g., ERPs, accounting, email providers). Their processing is governed by their own terms and privacy notices. We process data exchanged with such services under your instructions and configured scopes.

Children

Our Services are for business use and are not directed to children. We do not knowingly collect Personal Information from individuals under the age required by local law for consent to online services.

Data Controller/Provider Roles

For most tenant data, we act as a service provider processing Customer Data on your organisation’s instructions. We act as a controller for our own business operations data (e.g., billing, account administration, platform telemetry).

How to Contact Us and Complaints

Privacy enquiries and requests: privacy@polinate.app (example). Mail: Polinate PTY LTD, [insert address], Australia. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) or your local regulator.

Changes to This Policy

We may update this Policy to reflect legal, technical, or business changes. We will post the updated version with an effective date and, where appropriate, provide additional notice. Material changes will take effect prospectively.