Stamford Capital Australia

Privacy notice

How we handle your data

Last updated: 2026-05-28 · Stamford Capital Pty Ltd

Stamford Capital Pty Ltd (ABN to be confirmed — "Stamford Capital", "we", "us") operates this indicative feasibility tool at ingest.stamfordcapital.com.au. This notice explains what personal information we collect, why, how long we keep it, who we share it with, and how you can exercise your rights under the Privacy Act 1988 (Cth), the Spam Act 2003 (Cth), and — for visitors from the European Union or United Kingdom — the General Data Protection Regulation (GDPR).

1. What we collect

1.1 Information you provide

  • Feasibility documents you upload (Excel, PDF, or questionnaire responses) so we can generate your indicative report. These documents typically contain financial projections, site details, and project assumptions.
  • Contact details — your email or phone number, optionally your name and company, captured either via the contact form on a generated report or by requesting a magic-link to unlock your report.
  • Chat messages you send through the interactive report assistant.

1.2 Information we collect automatically

  • Technical metadata — IP address, browser type, device type, and timestamps. Used for security (rate limiting, abuse detection) and basic analytics.
  • UTM parameters if you arrive via a tracked campaign link. Recorded so we know which channels send the most engaged users.
  • Session cookies — see Section 5.

2. Why we use it

  • To deliver the service — parsing your feasibility, generating the indicative report, sending it to you via email or SMS, and answering questions through the chat assistant. Legal basis (GDPR): performance of a contract / your request.
  • To follow up— Stamford Capital's capital advisory team may contact you to discuss financing for the deal you analysed. By submitting your contact details you consent to this follow-up under the Spam Act 2003. Legal basis (GDPR): consent + legitimate interest in offering capital advisory services to active developers.
  • To improve the tool — anonymised aggregate analytics to understand which features are used, where users drop off, and where the extraction engine struggles. Legal basis (GDPR): legitimate interest + your cookie consent for non- essential analytics.
  • To prevent abuse — rate limiting and bot-challenge data prevent fraudulent or automated use. Legal basis (GDPR): legitimate interest in service security.

3. How long we keep it

We hold different types of data for different periods, deleting or anonymising sooner when permitted:

  • Uploaded source files (Excel / PDF) stored in AWS S3 — retained for the lifetime of the generated report. Deleted immediately when you request data erasure.
  • Generated reports— retained indefinitely so you can revisit your bookmarked report URL. Deleted on request via the "Delete my data" link in the footer.
  • Contact records in our lead-management database — retained while we may reasonably contact you about capital advisory services, deleted on request.
  • Chat conversation history — retained alongside the report it was held against. Scrubbed (content overwritten with a placeholder) on report deletion.
  • Magic-link tokens — 15 minutes (auth unlock) or 7 days (privacy deletion confirmation), then automatically deleted.
  • Authentication session cookies — 30 days from issue, then expire automatically.
  • Server logs — 30 days in AWS CloudWatch. Logs never contain financial values from your feasibility or any personally identifying information beyond a request id.
  • Deletion audit records — a SHA-256 hash of your contact (irreversible) is retained indefinitely so we can prove a deletion request was honoured if challenged. The plaintext contact is erased.

4. Who we share it with (sub-processors)

We rely on the following service providers to operate the tool. Each handles only the data necessary for its function and is bound by their own terms + data processing agreements.

ProviderPurposeRegion
Amazon Web ServicesS3 storage for uploaded files + generated PDFs; Textract OCR for scanned PDFs; SNS for SMS; SES for email; EC2 compute for the workerSydney (ap-southeast-2)
SupabasePostgreSQL database — leads, reports, jobs, chat history, authentication tokensSydney
VercelFrontend hosting + CDN edge cachingGlobal (USA HQ)
OpenAILLM extraction of financial fields from your feasibility document; chat reasoningUSA
Anthropic (via OpenRouter)LLM credit-committee judges + report narrative writingUSA
ResendTransactional email — report ready, magic links, follow-upsUSA
ClickSendSMS delivery for magic-link unlock codesAustralia
CloudflareTurnstile bot challenge on form submissionsGlobal
PostHogProduct analytics + session recording (only if you accept cookies)Sydney
Google Analytics 4Aggregate marketing analytics (only if you accept cookies)USA
SentryError monitoring (no PII, financial values scrubbed before send)USA
SalesforceCustomer relationship management — your contact details are pushed here if Stamford Capital's advisory team may reach outUSA

For data sent to providers in the United States, we rely on appropriate safeguards including standard contractual clauses where applicable. We do not sell, rent, or trade your personal information to anyone.

5. Cookies

We use two categories of cookies:

  • Essential cookies (always on) — sca_session remembers your authenticated session for 30 days; Cloudflare Turnstile cookies handle bot-challenge state. These are required for the tool to work and cannot be opted out of.
  • Analytics cookies (opt-in) — PostHog and Google Analytics cookies track aggregate usage and individual session replays so we can debug and improve the tool. These only load if you click Accepton the cookie banner. You can change your mind at any time via the "Manage cookies" link in the footer.

6. Your rights

You have the right to:

  • Access the personal information we hold about you — email privacy@stamfordcapital.com.au to request a copy.
  • Correct any information that is inaccurate — same contact.
  • Erase all data we hold linked to your email or phone number — use the Delete my data page. Confirmed via a magic-link sent to the contact; cascade includes uploaded files, generated reports, chat history, and a notification to our email provider so you stop receiving messages from us.
  • Withdraw consentfor analytics cookies via "Manage cookies" in the footer.
  • Opt out of marketing by clicking the unsubscribe link in any email we send, or replying STOP to any SMS.

For EU/UK visitors, additional GDPR rights: portability (machine-readable copy of your data), restriction of processing, and objection to legitimate-interest processing. Use the email above to invoke these.

If you're unhappy with how we've handled your information you can complain to the Office of the Australian Information Commissioner (Australian users) or your local supervisory authority (EU/UK users — typically your country's data protection authority).

7. Security

We protect your data with industry-standard technical and organisational measures, including HTTPS-only transport, encrypted storage at rest, strict content-security policies, rate limiting, bot-challenge protection, per-request signature verification on third-party webhooks, and rigorous code-quality enforcement. Despite these measures, no internet-connected service can guarantee absolute security; if a breach affects your data we will notify you in accordance with the Notifiable Data Breaches scheme + GDPR Article 33 (within 72 hours where required).

8. Children

This service is intended for property developers and finance professionals. It is not directed at anyone under 18 and we don't knowingly collect data from minors.

9. Changes to this notice

We may update this notice when we change the tool or when law or sub-processors change. The "Last updated" date at the top reflects the most recent revision. Material changes will be highlighted on the home page for at least 14 days before they take effect.

10. Contact

Questions about this notice or our handling of your data: privacy@stamfordcapital.com.au.