Privacy Policy

Last updated: 4 July 2026

At Valstra, we are in the business of building intelligent solutions, not selling your data. This notice explains how we handle your information across our website, consulting services, and digital products in accordance with the Australian Privacy Act 1988 and international data protection standards.

1

Who We Are

Valstra.ai Pty Ltd is an Australian AI technology and consulting company. When we say "Valstra," "we," or "us," we are referring to Valstra.ai Pty Ltd and our associated software entities. We are the "APP Entity" responsible for your personal data.

2

The Data We Collect & How We Handle It

We collect personal information only where it is reasonably necessary for our business operations.

A. Contact / Demo Request Form

What's Collected: Name and email (required); company, phone, role, and notes (optional).

Technical Flow: Data is submitted via our website (hosted on Vercel) and recorded in our customer relationship management system, HubSpot, so we can respond to your enquiry. We may also send ourselves an instant email notification of your enquiry via our email provider. We do not sell this data or use third-party advertising networks.

B. AI Readiness Assessment

Privacy by Design: Your maturity scores and priorities are calculated locally in your browser.

Optional AI Analysis: If you choose to generate an AI-written analysis of your results, your assessment answers (your selected priorities, maturity ratings, organisation size, industry, tools, and spend range, but not your name or email) are sent to our server and processed transiently via our AI gateway to produce the analysis. These answers are not stored by us after the analysis is generated and are not used to train AI models.

Optional Contact Details: The name/email you can provide at the end of the assessment is only transmitted if you explicitly submit it, in which case it is handled the same way as the contact form above.

C. Valstra.ai Process Recorder (browser extension)

How It Works: The Process Recorder is a browser extension you install yourself. When you press Record, it captures the steps of a task on the page you choose: the buttons and links you click, the text you type into fields, a screenshot of each step, and any notes or files you add. It never captures password fields.

Local-Only by Design: Everything the recorder captures is stored only on your own device, in your browser's local storage, until you choose to export it as a file. The extension makes no network calls to Valstra and transmits nothing on its own. We do not receive, store, see, sell, or use this data, and it is never used for advertising. What you capture, and whether you ever share it, is entirely your choice.

Your Control: Because a screenshot shows whatever is on the page at that moment, you can redact any captured value before sharing, and you can pause recording at any time. To remove all locally held data, remove the extension from your browser.

Permissions: The extension requests broad site access, screenshot, scripting, tab, and storage permissions solely to capture the process on the page you are recording. The capture code runs only in the tab you are recording, only while recording, and nowhere else.

If you later choose to open or save a capture, that happens on our Viewer, described below.

D. Valstra Viewer (process captures)

Local-First by Design: When you open a Process Recorder capture file on our viewer page, the file is parsed and rendered entirely in your browser. The capture, its screenshots, and any values it contains are not uploaded to Valstra and are not stored by us. A capture only reaches Valstra if you later create an account and explicitly choose to save it to your library.

Measurement: We record content-free usage events for the viewer (for example, that a file was opened or successfully rendered) through our cookieless analytics. These events never include the capture's content, screenshots, or text.

E. Compliance & Verification (AML/CTF)

To meet anti-money laundering and counter-terrorism laws (such as Australia's AML/CTF Act 2006 and Singapore's CDSA), we verify IDs and background checks for consulting engagements. While we may verify government-issued IDs, we do not adopt them as internal Valstra account numbers.

3

Data Storage & International Transfers

Because we utilize global cloud infrastructure to host our services, your data will be transferred outside of Australia.

A. Jurisdiction & Storage

Our website is hosted on Vercel, and contact submissions are stored in HubSpot. Under these providers' policies:

  • Storage Location: Your personal data may be collected, transferred to, and stored by our providers and their affiliates outside of your country of residence, primarily in the United States.
  • Global Processing: Data may be processed in jurisdictions that do not have the same level of data protection as your home country (such as the GDPR or the Australian Privacy Act).

B. Safeguards for Cross-Border Transfers

When we or our processors engage in cross-border transfers, we rely on established legal mechanisms to ensure your protections "travel with your data":

  • Standard Contractual Clauses (SCCs): We ensure our providers use approved contractual terms to protect data rights.
  • Data Privacy Framework: For transfers to the United States, our providers adhere to the Data Privacy Framework principles.
  • Regional Compliance: For specific regulatory activities (like AML/CTF checks), some data may be processed in Singapore.

C. AI Training Protection

Content you submit through our website, including contact form details and assessment answers sent for AI analysis, is not used by us to train AI or machine learning models, and our AI processing is configured not to retain it for training purposes.

4

Technical Summary

Data SourceWhat's CollectedWhere it GoesStored?
Contact FormName, email, company, notesHubSpot (Global/USA)Yes (until deleted on request)
AI Assessment (scores)Scores, prioritiesNowhere (stays in browser)No (volatile memory only)
AI Assessment (optional AI analysis)Answers only, no name/emailOur server → AI gateway (transient)No
AnalyticsAggregate, cookieless page metrics (Vercel Web Analytics)VercelAggregated only, no cross-site tracking

Minimal Tracking: We use Vercel Web Analytics, a cookieless, privacy-first analytics service that does not track you across sites or build advertising profiles. We do not use Google Analytics, advertising pixels, or third-party ad-tech SDKs.

5

Security & Retention

Security: We use encryption and strict access controls to keep our systems fortified.

Retention: We keep your data only as long as required by law or for valid business reasons. Contact records are held in HubSpot until we delete them on request or under our retention schedule.

6

Your Rights & Complaints

You have the right to request access to your personal information or ask for corrections to inaccuracies.

Contact Us

To exercise your rights or lodge a complaint regarding a potential breach of the Australian Privacy Principles:

  • Email: Raise your request at privacy@valstra.ai.
  • Response: We will acknowledge your request within 48 hours and provide a full written response within 30 days.
  • Escalation: If you remain unsatisfied, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.