Vinci Advisory

Privacy Policy

How we handle the information you trust us with.

Vinci Advisory works inside your business. That means we sometimes see workflows, recordings, screenshots and credentials that are sensitive. This policy explains exactly what we collect, why we collect it, where it lives, and the rights you have over it.

Last updated May 2026

01

Who this policy applies to

This policy applies to everyone who interacts with Vinci Advisory — website visitors, leads who submit a form, clients engaging us for a Blueprint Session, Build, or Ongoing Optimisation, and team members from client organisations who participate in those engagements.

We are bound by the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). If you're outside Australia, we still treat your information to that standard.

02

What personal information we collect

From website visitors and lead forms, we collect:

• Name, email, business name, phone number where provided
• Form-field answers (the problem you're trying to solve, business size, etc.)
• Device, browser, IP address and page-view data via analytics

From clients during a Blueprint Session or Build, we additionally collect:

• Video recordings of the working session, with your consent at the start of the call
• Screenshots of platforms and tools you walk us through
• Standard operating procedures (SOPs), policies and process documents you share with us
• Access credentials to integrate the platforms in scope (e.g. Xero, CRM, mail) — only when an integration is part of the agreed Build, and only for the platforms specifically scoped
• Notes and architecture documents we produce from the above

We do not collect financial records unless a Xero integration is part of your Build. We do not collect health information unless you explicitly share it as part of an in-scope system (e.g. an Allied Health practice integrating a patient workflow).

03

How we collect it

Most personal information comes directly from you — submitted through forms on this website, exchanged over email, or shared during a Blueprint Session or Build call. Recordings and screenshots are captured during the session itself with the consent confirmed at the start. Where you connect us to a third-party platform, we receive only the data that platform exposes through the integration you've authorised.

04

Why we collect it

We collect this information to:

• Deliver the services you've engaged us for (Blueprint Sessions, Builds, Ongoing Optimisation)
• Respond to enquiries and quote new work
• Send service updates, invoices and project status notes
• Send marketing communications you've opted in to, which you can unsubscribe from at any time
• Improve our website and offerings through aggregated analytics
• Meet our legal, tax and accounting obligations

We never sell your personal information.

05

Where your data is stored

Our primary database and file storage is Supabase, hosted in the Sydney (ap-southeast-2) region. Australian data stays in Australia at rest.

The website itself runs on Vercel's global edge network. Page traffic and metadata may transit through Vercel's international infrastructure.

Session recordings and Blueprint artefacts are stored in Supabase Sydney unless we have specifically agreed an alternative arrangement with you in writing.

06

Third parties we share data with

We share personal information only with the service providers we need to run our business. The list is short and deliberate:

• Anthropic (Claude) — used during research and architecture work; data sent is limited to what's necessary for the specific task.
• OpenAI (ChatGPT) — same purpose and limits as above.
• Supabase — primary database and file storage (Sydney).
• Stripe — payment processing for Blueprint Sessions and Builds. We do not see or store your full card details.
• Flodesk — email marketing for opted-in subscribers only.
• Google Analytics and Vercel Analytics — anonymised website usage.
• Accountants, auditors and legal advisers — when reasonably required to meet our obligations.

Each of these providers is bound by their own privacy and security obligations. We do not give any provider broader access than the task requires.

07

AI models and your content

When we use Anthropic (Claude) and OpenAI (ChatGPT) to help architect solutions, we are mindful that what we send becomes input to a model.

• We do not send raw client recordings, screenshots, credentials, or full SOPs to consumer-grade AI models.
• Where we use AI to help with structured tasks (e.g. summarising a workflow you've described to us), we paraphrase or redact identifiers first.
• Where you have your own AI tooling and want us to work within it, we will.

Vinci-built systems that integrate AI for your own team always run inside boundaries you control — your accounts, your data residency, your governance.

08

How long we keep it

• Lead enquiry data: up to 24 months after last contact, unless you ask us to remove it sooner.
• Active client records, recordings, Blueprints and architecture documents: for the duration of the engagement and 7 years afterwards, in line with Australian tax and corporate record-keeping obligations.
• Marketing subscriber data: until you unsubscribe, after which your email is suppressed from sends but retained on a suppression list so we don't accidentally email you again.
• Backups: rolling 30-day window for disaster recovery.

09

Marketing communications

If you opt in (by ticking a box, downloading a resource, or asking to be added), we may send you updates from Vinci — new case studies, system breakdowns, occasional offers. Every email includes an unsubscribe link in the footer, and unsubscribing is honoured immediately.

We never share or sell your email to third parties for their own marketing.

10

Cookies and analytics

This site uses cookies and analytics tags for three purposes:

• Essential cookies that make the site work (e.g. remembering you're logged in to admin).
• Vercel Analytics — anonymised page-view data with no personal identifiers, used to understand traffic patterns.
• Google Analytics — page-view, device, country and behaviour data. We do not enable any feature that ties this back to an individual.

You can disable cookies in your browser, but parts of the site may stop working. Disabling analytics tags via a browser plugin won't break anything.

11

Security

We take security seriously — it's a core part of what we sell.

• All data in our control is encrypted in transit (HTTPS/TLS) and at rest.
• Access to client data is restricted to the Vinci team members directly working on your engagement.
• Admin accounts use strong, individual passwords and we are progressively rolling out hardware-key MFA.
• We are in the process of obtaining SOC2 and HIPAA certification ourselves. In the meantime we deliberately build on platforms and databases that hold those certifications (e.g. Supabase SOC2, Stripe SOC1/SOC2/PCI DSS, Anthropic SOC2) so the underlying infrastructure already meets the relevant control standards.

No system is 100% secure. If we ever experience a breach involving personal information, we will notify affected individuals and the OAIC in line with the Notifiable Data Breaches scheme.

12

Cross-border transfers

While our primary storage is in Sydney, some of the providers we rely on operate globally:

• Vercel hosts the website on edge infrastructure that includes nodes outside Australia.
• Stripe processes payments from servers in the United States, Ireland and Australia.
• Anthropic and OpenAI process AI requests from servers primarily in the United States.
• Google Analytics and Flodesk store and process data primarily in the United States.

Where your information is transferred overseas, we use only providers we reasonably believe maintain protections equivalent to the APPs.

13

Children

Vinci Advisory's services are aimed at established businesses and the adults who run them. We don't knowingly collect personal information from anyone under 16. If you believe we've collected information from a minor, contact us at the email below and we'll remove it.

14

Your rights

You can ask us at any time to:

• Tell you what personal information we hold about you
• Correct any of it that's wrong
• Delete it (subject to any record-keeping obligation that requires retention)
• Stop using it for marketing

Email toby@vinciadvisory.com with what you need and we'll respond within 30 days.

If you're unhappy with how we've handled your information, you can complain to the Office of the Australian Information Commissioner at oaic.gov.au.

15

Updates to this policy

We may update this policy as our practices, services and integrations evolve. The 'last updated' date at the top of the page reflects the most recent change. Material changes that affect how we handle existing client data will be communicated by email to affected clients.

Privacy contact

AI Guy Business Solutions Pty Ltd trading as Vinci Advisory

ABN 21 675 514 351
ACN 675 514 351
1/3 Jodie Street, Tugun QLD 4224, Australia

Reach out about access, correction, deletion, marketing preferences or anything else covered above. We aim to respond within 5 business days.
