Privacy Policy
Last updated: 10 May 2026 · Effective from: 10 May 2026
1. About this policy
This Privacy Policy explains how Struqt (“Struqt”, “we”, “us” or “our”) collects, uses, holds, discloses and protects your personal information when you use our website, applications, reports and related services (the “Service”).
We are committed to handling personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). We have designed this policy to comply with those principles as a matter of best practice.
By using the Service you accept the practices described in this policy. If you do not agree, please do not use the Service.
2. Personal information we collect
We collect the minimum personal information needed to operate the Service. The categories below describe what may be collected, depending on how you use Struqt.
2.1 Account information
- Email address, name, and an irreversibly hashed password (we never store your password in plain text).
- If you sign in with a third-party identity provider (such as Google), we receive your email address, name, profile image and a provider-specific identifier. We do not receive your password from the provider.
- Account creation date, email verification status, and authentication events.
- Optional onboarding preferences you provide, such as the Australian states/territories you wish to focus on and your stated reason for using Struqt (for example, “I am exploring a renovation”).
2.2 Subscription and billing information
- Subscription plan, status, plan-change history, and any team membership where applicable.
- Billing identifiers issued by our third-party payment processor. We do not see or store your full card number, CVC or bank account details — these are handled directly by the payment processor under PCI-DSS controls.
- Tax-relevant information such as country and (where supplied) ABN, retained for GST and record-keeping obligations.
2.3 Property search and report data
- Property addresses you search and the geographic coordinates returned by our geocoding providers.
- Reports you generate or save, including the address, the underlying planning attributes, and any inputs you provide (for example, financial assumptions you set within a feasibility scenario).
- Saved searches, shortlists, and any free-text notes or labels you add to them.
- Support requests and feedback you submit about a report, including any screenshot or attachment you choose to send.
Addresses can constitute personal information when linked to an identifiable individual. You are responsible for ensuring you have appropriate authority to enter any address into the Service.
2.4 Technical and usage information
- IP address, user-agent string, approximate timezone, and basic device metadata transmitted by your browser. Where we send analytics events to a third-party processor, the IP is dropped before storage.
- Server logs of requests you make to the Service, including timestamps, endpoints accessed, and the status of those requests. These logs are used for security, abuse prevention, rate limiting and debugging.
- Product analytics events (page views, button clicks, feature usage, error counts) sent to a product-analytics processor so we can measure reliability and improve the Service. Sensitive query parameters such as latitude, longitude and addresses are redacted before any event is sent. Analytics is enabled by default and you can opt out at any time from the privacy controls in your settings.
- Error and performance telemetry sent to an error-monitoring processor so we can detect and fix faults. We never include your name, email address or IP address in error reports.
- Marketing-attribution measurement (such as ad-network conversion tracking) only after you opt in to marketing cookies.
- Cookies and equivalent browser storage. See section 12 for the categories we use and how to manage them.
2.5 Communications
- Email correspondence you send us (for example, support enquiries) and our replies.
- Records of transactional and service emails we send to you, such as verification, password reset, billing and account notices.
We do not require you to provide sensitive information (as defined in the Privacy Act, including health, racial, religious or biometric information). Please do not submit such information to Struqt.
3. How we collect personal information
We collect personal information:
- Directly from you when you register, sign in, configure your account, search for a property, save a report, contact us or respond to a survey;
- Automatically when you interact with the Service (technical and usage information described above);
- From third-party identity providers when you choose to authenticate using them; and
- From our payment processor when you subscribe, change plan, or update billing details.
Where it is reasonable and practicable to do so, we collect personal information directly from you. If we collect personal information about you from a third party, we will, unless an exception applies, take reasonable steps to ensure you are or have been made aware of the matters listed in APP 5.
4. How we use personal information
We use personal information for the following primary purposes:
- Providing the Service: creating and authenticating your account, generating, saving and displaying feasibility reports, running searches, and delivering the features available on your subscription plan.
- Billing and account management: processing subscriptions, applying credits or trials, issuing receipts, and communicating about your plan.
- Security and abuse prevention: authenticating sessions, applying rate limits, detecting fraudulent or abusive behaviour, investigating incidents, and protecting our infrastructure and content.
- Service operation and improvement: monitoring uptime and performance, debugging issues, validating data quality, and improving features. We use aggregated and de-identified data for product analytics and do not use your personal information to build advertising profiles about you.
- Communicating with you: sending transactional messages (verification, password reset, receipts, expiry notices, service announcements) and responding to your enquiries.
- Marketing (with consent): if you opt in, sending occasional product updates. You can unsubscribe at any time using the link in any marketing email or by contacting us. Transactional and service-related emails are not marketing and cannot be opted out of while you maintain an account.
- Legal and compliance: meeting record-keeping, tax and other legal obligations, and responding to lawful requests by public authorities.
5. Automated processing and AI
Struqt produces planning feasibility outputs using rules-based algorithms applied to government open data and our proprietary architect-authored content. These outputs are general informational guidance, are not binding decisions, and do not solely or substantially determine any matter that has a legal or similarly significant effect on you.
We do not use your personal information to train generative AI models. Where any machine-learning component is used internally (for example, for data validation), it does not make decisions about individual users.
If we materially change how automated processing is used in a way that engages APP 1.7 (effective from 10 December 2026), we will update this policy before that change takes effect.
5A. Direct marketing
We do not send marketing communications by default. When you create an account you can opt in to receive product updates and tips by ticking the marketing consent box at registration. The box is unticked by default, in line with the Spam Act 2003 (Cth).
You can change your marketing preference at any time from /settings/privacy, by using the unsubscribe link in any marketing email we send you, or by emailing the address in section 14. We honour opt-outs by adding your email to a suppression list so you do not receive marketing from us again.
Transactional and service-related emails (such as email verification, password reset, receipts and important account or service notices) are not marketing and continue while you maintain an account.
6. When we share personal information
We do not sell personal information. We disclose personal information only to the limited categories below, and only to the extent necessary for the purposes for which it was collected.
6.1 Service providers
We use a small number of vetted service providers to operate Struqt. Each is bound by contractual confidentiality and data protection obligations and may only use your information to provide the relevant service to us. The categories of providers we use are:
- Payment processing and subscription management - currently Stripe Payments Australia Pty Ltd, which stores cardholder data under PCI-DSS controls. We do not see or store your full card details. Stripe is named here because the Stripe-branded checkout is visible to you when you subscribe.
- Identity provider for optional sign-in when you choose to use it.
- Product analytics processor - measures how the Service is used so we can improve it. You can opt out at any time from /settings/privacy. Hosted in the United States.
- Error and performance monitoring processor - detects and reports faults so we can fix them. We never send your name, email or IP address to this provider. Hosted in the United States.
- Marketing-attribution and advertising measurement - used only after you opt in to marketing cookies.
- Address geocoding - converts addresses you search to map coordinates. Hosted in Australia.
- Map tile and base-map provider. Hosted in Switzerland.
- Transactional email delivery - sends verification, password reset, receipts and service notices. Hosted in the United States.
- Support chat assistance - when you interact with our in-product help chat, the conversation is processed by a third-party AI provider in the United States to help answer questions about your account, subscription, billing, and how to use the product. The chat is not used for planning interpretation, and only the messages you send to the chat (plus your tier and a few account flags) are shared with that provider.
- Cloud and infrastructure hosting for the Service itself, primarily within Australia.
- Professional advisers (legal, accounting) on a need-to-know basis.
We routinely review these providers and the data they handle, and we apply the principle of least privilege. A current list of the specific sub-processors handling personal information is available on request - email [email protected] and we will respond within a reasonable time. If we add or materially change a sub-processor that handles personal information we will update the categories above and the list available on request.
6.2 Within a team or shared account
If your account is part of a team or shared subscription, the team owner or administrator may have visibility of account-level activity (for example, seat usage or saved reports created within the team workspace). Avoid placing information in a shared workspace that you do not want other members of that workspace to see.
6.3 Legal and safety
We may disclose personal information where we are required or authorised to do so by law, where it is necessary to investigate or prevent fraud, abuse or security incidents, or to establish, exercise or defend legal claims.
6.4 Business transfers
If Struqt is involved in a merger, acquisition, financing or sale of assets, your information may be transferred as part of that transaction, subject to commitments consistent with this policy. We will notify you of any such change.
7. Overseas disclosures
Some of our service providers store or process personal information outside Australia. The current countries of disclosure and the categories of provider operating from each are:
- United States - product analytics, error and performance monitoring, optional sign-in identity provider, transactional email, and (with your marketing consent) marketing-attribution measurement.
- Switzerland - map tile and base-map provider.
The specific sub-processors we use in each country are available on request - email [email protected].
Before disclosing personal information to an overseas recipient we take reasonable steps to ensure the recipient handles that information consistently with the Australian Privacy Principles, including through written contractual protections, technical controls (such as IP anonymisation and PII scrubbing), and configuration choices that minimise the personal information sent.
By using the Service, you acknowledge that your personal information may be stored and processed overseas for the purposes described in this policy.
8. How we store and secure your information
Personal information is stored on infrastructure operated on our behalf and protected by a combination of administrative, technical and physical safeguards, including encryption in transit (TLS), encryption at rest for primary data stores, access controls, secure key management, network isolation, hardened authentication, and audit logging.
Despite our efforts, no method of transmission or storage is completely secure. You also play a role in keeping your account safe: choose a strong, unique password, keep your sign-in details confidential, and notify us immediately if you suspect unauthorised access. We may require multi-factor authentication for some accounts (for example, for paid plans, or where your account is not federated through a third-party identity provider). When multi-factor authentication is required, you must enrol before continuing to access the Service. We may also require step-up verification for sensitive actions such as billing changes.
We comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act. If we become aware of an eligible data breach involving your personal information that is likely to result in serious harm, we will notify you and the Office of the Australian Information Commissioner (OAIC) as required by law.
9. How long we keep your information
We retain personal information only for as long as necessary for the purposes described in this policy or as required by law. Indicative retention periods include:
- Account data: for as long as your account is active.
- Saved reports, searches and shortlists: for as long as your account is active. You can delete individual items at any time.
- Address geocoding cache: a cached address-to-coordinate mapping may be retained without user attribution to improve response times for repeat lookups.
- Billing records: retained for at least seven (7) years to meet Australian taxation and record-keeping obligations.
- Server and security logs: typically retained for up to 13 months, then deleted or aggregated.
- Authentication and security event logs: retained for ninety (90) days for fraud prevention and forensic purposes; IP addresses and user-agent strings are then removed, while the event itself (without network metadata) may be retained for longer-term aggregate analysis.
- Marketing preferences: retained on a suppression list after unsubscribe so we can honour your choice.
When you close your account, we will delete or de-identify your personal information within a reasonable period, except where we are required or permitted to retain it (for example, billing records, fraud prevention records, or information necessary to establish, exercise or defend legal claims).
10. Your rights and choices
Under the Australian Privacy Principles, you have the right to:
- Access the personal information we hold about you;
- Correct personal information that is inaccurate, out of date, incomplete, irrelevant or misleading;
- Withdraw consent for any processing based on your consent (such as marketing emails);
- Request deletion of your account and associated personal information, subject to our retention obligations;
- Make a complaint about how we have handled your personal information.
You can manage most of these directly from your account settings. For anything you cannot self-serve, contact us at the address in section 14 below. We do not charge for access or correction requests. We will respond to your request within a reasonable time and, where access is requested, ordinarily within 30 days.
If we cannot agree on the outcome of your complaint, you can escalate it to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by calling 1300 363 992.
11. Children
Struqt is intended for use by adults (18+) and is not directed to children. We do not knowingly collect personal information from a child. If you believe a child has provided us with personal information, please contact us so we can take appropriate action.
12. Cookies and similar technologies
We use cookies and equivalent browser storage in three categories. You can manage your preferences for the analytics and marketing categories from /settings/privacy at any time.
12.1 Strictly necessary (always on)
Required to operate the Service. Without these the Service will not function. These are always active and cannot be disabled while you use the Service.
- NextAuth session cookies (e.g. next-auth.session-token, next-auth.csrf-token) - keep you signed in and prevent cross-site request forgery. Session cookie; expires per your tier’s session length.
- Stripe fraud-prevention cookies set by js.stripe.com when you reach the checkout or billing portal - used by Stripe to detect fraudulent payments. Necessary for payments to work.
- Rate-limit and abuse-prevention storage used internally by the Service to enforce per-user request limits.
- Consent state stored under localStorage key struqt-consent-v1 so we remember your analytics and marketing preferences on this browser.
12.2 Analytics (on by default; opt out at any time)
Help us understand how the Service is used so we can improve features, debug issues and measure reliability. We do not use these to build a personal advertising profile about you. You can turn analytics off from /settings/privacy; doing so stops new analytics events being sent.
- Product analytics - captures page views, button clicks, and feature usage. Configured to drop your IP address before storage. Sets a first-party cookie / localStorage entry to maintain a per-browser identifier so anonymous events can be correctly stitched into a user journey. Hosted in the United States.
- Error and performance monitoring - captures error details and a small sample of performance traces. We configure this processor to not receive your IP, name or email. Hosted in the United States.
12.3 Marketing (off by default; opt in if you choose)
Used to measure the effectiveness of our marketing. Off by default. Active only after you opt in to marketing cookies, either via the consent banner or from /settings/privacy. You can withdraw consent at any time.
- Ad-network conversion tracking - only loaded when marketing consent is granted. Lets us measure which marketing campaigns led to a sign-up or subscription. Hosted in the United States.
- Acquisition attribution - when you first visit the Service we may store the campaign parameters (such as utm_source, utm_medium and click identifiers) from the URL into localStorage so that, if you sign up, we can attribute the sign-up to its source. We treat this data as marketing measurement.
Most browsers let you block or delete cookies, and many devices offer system-level controls. Blocking strictly necessary cookies will prevent you from signing in or using parts of the Service. Enabling your browser’s “Do Not Track” signal also opts you out of analytics on Struqt.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes we will notify you by email and/or by a prominent notice in the Service before the changes take effect. The “Last updated” date at the top reflects the current version. Continuing to use the Service after the effective date of an update constitutes acceptance of the updated policy.
14. Contact us
If you have a privacy question, would like to exercise a right, or wish to make a complaint, please contact our privacy officer:
- Email: [email protected]
- General enquiries: [email protected]
Please include enough detail for us to identify your account and the matter you are raising. We will acknowledge your enquiry and respond within a reasonable time. If you require a postal address for service of legal process, contact us at the email above and we will provide one.