Privacy Policy

1. Who We Are

Osapher (ABN 18 459 403 998) ("Osapher", "we", "our", "us") operates the Osapher platform at osapher.com and app.osapher.com.au. We provide entity identity infrastructure and schema management services for businesses.

We are bound by the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Osapher is registered as an OAuth application with Google Cloud under the application name "Osapher". Our OAuth consent screen and privacy policy URL are verified with Google. Our application only requests the minimum required Google account scopes: email and profile.

2. Information We Collect

We collect information necessary to provide our services:

• Account information: email address, name, and organisation details provided at registration or via Google Sign-In
• Authentication provider data: name and email address received from Google when you choose to sign in with Google
• Authentication session tokens: managed by Supabase Auth and stored in our Sydney database (ap-southeast-2)
• Business identity data: ABN/NZBN, legal entity name, registered address, and related registry information you submit or authorise us to fetch from public registries
• Website data: domain names, JSON-LD schema data, and technical metadata collected during scans
• Usage data: log files, IP addresses, browser type, and interaction data collected automatically when you use our platform
• Payment information: processed by our payment provider — we do not store card details

3. Authentication & Third-Party Services

Osapher uses third-party authentication providers to allow users to sign in securely. Currently supported:

Google Sign-In

When you choose to sign in with Google, we receive your name, email address, and Google profile picture from Google LLC. We do not receive your Google password. This data is used solely to create and manage your Osapher account. Google's use of your data is governed by the Google Privacy Policy.

Supabase Auth

We use Supabase Auth to manage authentication sessions. Supabase stores your authentication tokens in our Sydney database (ap-southeast-2). Authentication data is not shared with any third parties beyond what is required to operate the authentication flow.

Disconnecting Google Sign-In

You may disconnect Google Sign-In at any time by visiting your Google Account security settings and removing Osapher from connected apps. You can also delete your Osapher account by contacting privacy@osapher.com.

4. How We Use Your Information

We use collected information to:

• Provide, maintain, and improve the Osapher platform
• Authenticate and manage your account via Supabase Auth and Google Sign-In
• Verify business identity against public registries (ABR, NZBN, and equivalents)
• Generate and serve verified JSON-LD schema payloads on your behalf
• Send transactional communications (account, billing, security alerts)
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations

5. Public Registry Data

Osapher queries publicly available government business registries (including the Australian Business Register) to verify entity information. This data is already in the public domain. We store the results to power your identity infrastructure and audit trail.

6. Data Sharing

We do not sell your personal information. We may share data with:

• Service providers: infrastructure partners under data processing agreements — see Third-Party Services below
• Legal requirements: when required by law, court order, or to protect our rights and safety
• Business transfers: in the event of a merger or acquisition, with appropriate notice

Your verified JSON-LD schema payload is served publicly via our edge function when accessed with your token — this is the intended function of the service.

7. Third-Party Services

Osapher uses the following third-party services to operate the platform:

• Google LLC (authentication) — policies.google.com/privacy
• Supabase Inc (database & auth, Sydney ap-southeast-2) — supabase.com/privacy
• Railway Corp (API server, Singapore asia-southeast1) — railway.com/legal/privacy
• Vercel Inc (web hosting & CDN) — vercel.com/legal/privacy-policy

8. Data Retention

We retain your data for as long as your account is active. On account deletion, personal data is removed within 30 days, subject to legal retention obligations. Anonymised audit logs may be retained longer for security and compliance purposes.

9. Security

We implement industry-standard security measures including encryption in transit (TLS), encryption at rest (AES-256), and role-based access controls via Supabase Row Level Security (RLS). No method of transmission over the internet is 100% secure — we cannot guarantee absolute security.

10. Your Rights

Under the Australian Privacy Act, you have the right to:

• Access personal information we hold about you
• Request correction of inaccurate information
• Complain about a breach of your privacy

To exercise these rights, contact us at privacy@osapher.com.

11. Cookies

We use essential cookies and local storage to maintain your session and preferences. We do not use third-party advertising cookies. You can disable cookies in your browser settings, though this may affect platform functionality.

12. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes via email or a notice on the platform. Continued use of Osapher after changes constitutes acceptance of the updated policy.

13. Contact

For privacy enquiries: privacy@osapher.com
Osapher · ABN 18 459 403 998 · Melbourne, Victoria, Australia