Privacy Policy

Effective date: 1 April 2026

EVRA ("we", "us", or "our") is operated by KASE Group Pty Ltd (ABN [ABN]), an Australian company. We are committed to protecting the privacy and security of your personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This Privacy Policy explains how we collect, use, disclose, store and protect your personal information when you use the EVRA platform at everaa.com and related services (the "Service").

1. Information We Collect

1.1 Information You Provide

When you register for an account, subscribe to a plan, or use the Service, you may provide us with:

  • Account information: your name, email address, phone number, job title, and company name.
  • Business information: ABN/ACN, business address, trading names, and insurer or supplier details.
  • Payment information: billing address and payment card details (processed securely by Stripe; we do not store full card numbers).
  • Project and job data: claims, estimates, scope of works, invoices, compliance records, documents, photos, and any other data you upload or create within the Service.
  • Communications: messages you send to our support team or through in-platform messaging.

1.2 Information Collected Automatically

When you access the Service, we automatically collect certain technical and usage data, including:

  • Device and browser information: IP address, browser type and version, operating system, and device identifiers.
  • Usage data: pages viewed, features accessed, clicks, navigation paths, session duration, and timestamps.
  • Log data: server logs recording API requests, errors, and performance metrics.

1.3 Cookies and Similar Technologies

We use cookies, local storage, and similar technologies to maintain your session, remember your preferences, and analyse usage patterns. See Section 6 for full details.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service.
  • Process transactions, send invoices, and manage your subscription.
  • Authenticate your identity and enforce multi-tenant data isolation.
  • Send transactional communications such as job updates, claim status notifications, and appointment reminders via email or SMS.
  • Generate AI-assisted estimates using anonymised job parameters (via Anthropic AI).
  • Synchronise accounting data with your connected Xero account.
  • Provide customer support and respond to your enquiries.
  • Detect, investigate, and prevent fraud, abuse, or security incidents.
  • Comply with legal obligations, including tax reporting and regulatory requirements.
  • Analyse aggregated, de-identified usage trends to improve the platform.

3. Data Storage and Security

3.1 Australian Data Residency

All primary data is stored in Australia. Our production database runs on Google Cloud SQL (PostgreSQL) in the australia-southeast1 (Sydney) region. Backups are also retained within Australian Google Cloud regions.

3.2 Security Measures

We employ industry-standard security practices, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • PostgreSQL Row-Level Security (RLS) ensuring strict tenant data isolation — each organisation can only access its own data.
  • Role-based access control (RBAC) with configurable permissions per user.
  • Regular security audits, automated vulnerability scanning, and penetration testing.
  • Secure authentication via NextAuth.js with session tokens and optional multi-factor authentication.
  • Automated daily database backups with point-in-time recovery.

3.3 Incident Response

In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act.

4. Third-Party Services

We share personal information with the following third-party service providers only as necessary to operate the Service. Each provider is contractually bound to protect your data:

| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Billing name, email, address, payment card details |
| Twilio | SMS notifications | Mobile phone number, message content |
| Anthropic (Claude AI) | AI-assisted estimating | Anonymised job parameters (no personally identifiable information) |
| Xero | Accounting synchronisation | Invoices, bills, contacts, chart of accounts (via authenticated OAuth connection) |
| Google Cloud Platform | Hosting and infrastructure | All service data (stored within Australian regions) |
| Vercel | Application hosting and CDN | Application code, request logs, IP addresses |

We do not sell your personal information to any third party. We will not disclose your information to third parties except as described in this policy or where required by law.

5. SMS Communications

We may send you SMS messages for transactional purposes, including job status updates, appointment reminders, claim notifications, and verification codes. By providing your mobile number and opting in to SMS notifications within the platform, you consent to receiving these messages.

  • Opt-out: You may opt out of non-essential SMS communications at any time by replying STOP to any message or by updating your notification preferences in your account settings.
  • Message frequency: Varies based on your job activity and notification settings.
  • Message and data rates: Standard messaging rates from your carrier may apply.
  • Help: Reply HELP to any SMS for assistance, or contact us at the details below.

Opting out of SMS will not affect transactional messages that are essential to the operation of your account (such as two-factor authentication codes).

6. Cookies and Tracking Technologies

6.1 Types of Cookies We Use

  • Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
  • Functional cookies: Remember your preferences such as language, timezone, and layout settings.
  • Analytics cookies: Help us understand how the Service is used so we can improve performance and features. We use Vercel Web Analytics and Speed Insights.

6.2 Managing Cookies

You can control cookies through your browser settings. Disabling essential cookies may prevent the Service from functioning correctly. We honour Do Not Track (DNT) browser signals for analytics cookies.

7. Data Retention and Deletion

  • Active accounts: We retain your data for as long as your account is active and your subscription is current.
  • After cancellation: Upon subscription cancellation, your data is retained for 90 days in case you wish to reactivate. After 90 days, project data is archived and available upon request for a further 12 months.
  • Permanent deletion: You may request permanent deletion of all your data at any time by contacting us. We will process deletion requests within 30 days, subject to any legal retention obligations.
  • Legal obligations: Certain records (such as tax invoices and financial records) must be retained for a minimum of 5 years under Australian tax law.
  • Backups: Deleted data may persist in encrypted backups for up to 30 days after deletion before being permanently purged.

8. Your Rights

Under the Australian Privacy Act 1988 and the Australian Privacy Principles, you have the right to:

  • Access: Request access to the personal information we hold about you (APP 12).
  • Correction: Request correction of any inaccurate, out-of-date, or incomplete personal information (APP 13).
  • Complaint: Lodge a complaint with us if you believe we have breached the APPs. We will respond within 30 days.
  • OAIC complaint: If you are unsatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner at www.oaic.gov.au.
  • Data export: Request a copy of your data in a structured, machine-readable format (CSV or JSON).
  • Deletion: Request deletion of your personal information, subject to legal retention requirements.

To exercise any of these rights, contact us using the details in Section 12.

9. Children's Privacy

The Service is intended for use by businesses and individuals aged 18 and over. We do not knowingly collect personal information from children under the age of 18. If we become aware that we have collected information from a child, we will take steps to delete it promptly.

10. International Data Transfers

While our primary data storage is in Australia, some of our third-party service providers may process data in other jurisdictions. Where this occurs, we take reasonable steps to ensure that the overseas recipient handles your information in accordance with the APPs, as required by APP 8. Specifically:

  • Stripe processes payment data in compliance with PCI DSS Level 1 standards.
  • Twilio and Anthropic are US-based companies with data processing agreements that meet Australian privacy standards.
  • Xero is a New Zealand company with servers in Australia and strong privacy commitments.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will:

  • Post the updated policy on this page with a revised effective date.
  • Notify you via email or an in-platform notification at least 14 days before the changes take effect.

Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated policy.

12. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or need to report a concern, please contact us:

  • Privacy Officer: Kurt Saunderson, Managing Director
  • Business: KASE Group Pty Ltd (ABN [ABN])
  • Email: privacy@everaa.com
  • Address: [Business Address]
  • Website: everaa.com