Antlar Privacy Policy

1. Introduction

This Privacy Policy explains how Antlar Limited (ABN 30 927 693 635) ("Antlar", "we", "us", "our") collects, uses, discloses, and protects personal information.

This Privacy Policy applies to our strata operating system ("Service"), our websites at antlar.au and antlar.co, our web application at app.antlar.co, and any related services we provide.

We are committed to protecting your privacy in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and the Privacy Act 2020 (NZ) and Information Privacy Principles (IPPs) where applicable.

Antlar treats privacy as a core feature of the Service. The Service's primary database, file storage, authentication, and AI substitution data are hosted in Australia. Personal information sent to third-party AI providers overseas is identified and replaced with non-identifying placeholders before transmission, except for image content sent for text extraction, which is described in section 5. Some operational data (such as application logs and AI request metadata) is processed by overseas service providers in the course of running the Service, as described in sections 7 and 11.

2. Personal Information We Collect

Antlar collects personal information that is reasonably necessary for our business functions. This includes:

• Identity information: name, position, and role within your strata scheme or organisation
• Contact information: email address, phone number, and postal address
• Lot ownership information: contact details of lot owners, mortgagees, covenant chargees, tenants, managing agents, and other parties relevant to the ownership or occupation status of lots within your scheme
• Account information: username, password, and account preferences
• Scheme information: strata plan number, lot details, scheme correspondence, and meeting records
• Financial information: levy notices and payment records, BSB and bank account numbers used for levy collection or disbursements, and invoices and remittances exchanged with scheme suppliers
• Insurance information: policy numbers, insurer details, certificates of currency, and (where included in claims) claim narratives
• Government identifiers: where contained in documents you upload or correspondence you process (for example, ABNs and ACNs for scheme suppliers; Medicare or tax file numbers occasionally appearing in insurance or welfare correspondence)
• Dispute and tribunal records: NCAT and other tribunal case references, by-law breach notices, and related correspondence
• Voting and proxy records: how individuals voted on motions, and proxies appointed
• Maintenance and inspection records: photos and notes of common-property defects, which may incidentally include images of individuals
• Usage information: how you interact with the Service, features accessed, and queries submitted
• Technical information: IP address, browser type, device information, and access logs

Documents and correspondence you provide to the Service may contain sensitive information about individuals. Examples include health information in insurance claims, disability accommodation requests, welfare correspondence, and material relating to disputes that touches on personal matters. Antlar treats sensitive information the same as other personal information for the purposes of access controls, encryption, and AI placeholder substitution. We rely on the strata management context as a basis for collecting this information under the Privacy Act, and on your authority as the person providing the documents and correspondence to the Service. We do not maintain a separate detection or consent flow for sensitive information at the point of upload. If you are uncertain whether to provide a document containing sensitive information, contact us first.

3. How We Collect Personal Information

Antlar collects personal information:

• directly from you when you register for the Service, submit queries, or upload documents
• from your strata scheme representatives who add you as an authorised user
• from documents and correspondence you process through the Service
• automatically when you use the Service (technical and usage information)
• from third-party integrations you connect (such as Gmail)

If you provide us with personal information about other individuals (such as lot owners or committee members), you must ensure you have their consent to do so and have informed them about this Privacy Policy.

4. How We Use Personal Information

Antlar uses personal information to:

• provide, maintain, and improve the Service
• process your queries and provide support
• communicate with you about the Service, including updates and changes
• analyse usage patterns to improve functionality and user experience
• comply with legal obligations and enforce our terms
• protect the security and integrity of the Service
• send you newsletters and marketing communications you have opted in to receive
• generate AI-assisted recommendations, correspondence drafts, and compliance assessments for review and approval by authorised users. All recommendations require human confirmation before any action is taken

We may use de-identified, aggregated data for product development, research, and benchmarking purposes. This data does not identify you personally.

5. Personal Information and AI Features

The Service uses artificial intelligence to support features such as Ask Antlar, in-thread AI chat, automated classification of correspondence, document analysis, and compliance assessment.

Antlar has designed these features so that personal information you and your scheme provide is protected before it is processed by any third-party AI provider. In particular:

• Antlar applies automated detection to identify personal information in content sent to AI features and replaces it with non-identifying placeholders before that content leaves Antlar's Australian infrastructure.
• Third-party AI providers used by the Service receive only the placeholder version of the content. They do not receive names, contact details, addresses, financial identifiers, or other personal information of lot owners, committee members or other individuals.
• When the AI provider returns a response, Antlar restores the original information inside its own infrastructure so authorised users see the real names and details they expect. Restoration is never performed by a third party.
• Features that rely on searching across scheme content (for example, finding related emails or documents) are powered by Antlar-operated processing on Australian infrastructure. Personal information used to build these search capabilities is not sent to any overseas AI provider.

The third-party AI providers currently used by the Service for these features are Anthropic (Claude) for conversational AI, document analysis, and image-based text extraction; and OpenAI (GPT-4o and GPT-4o-mini) for in-thread chat and compliance analysis. Both receive only the placeholder version of text content described above; image content sent to Anthropic for text extraction is described in the preceding paragraphs.

Two types of AI processing work differently:

• Semantic search. When you ask a question of an AI feature (such as Ask Antlar or in-thread chat), the Service first finds relevant scheme content using semantic search. This search runs entirely on Antlar-operated Australian infrastructure. The search itself does not require placeholder substitution because the content does not leave Australia.
• Image and document scanning. Where you upload an image of a strata roll, certificate of currency, or similar document for AI-assisted data entry, the image is sent to Anthropic for text extraction. Placeholder substitution applies to text content; it does not apply to image content, because the image cannot be redacted before the AI extracts text from it. Authorised users review and confirm extracted information before it is imported into the Service.

Where you choose to connect a Microsoft 365 / Outlook mailbox or a Gmail mailbox, Microsoft or Google also processes mailbox content for the email integration itself. This is separate from AI processing and is described in section 7.

By using AI-powered features of the Service, you acknowledge that placeholder versions of content are transmitted to the AI providers named above for processing, and that the protections described in this section are applied before that transmission.

While we continually improve this detection, no automated system identifies personal information with complete accuracy, and some personal information may not be detected and substituted in every case.

The privacy practices of these providers are described in their own policies: Anthropic and OpenAI.

5A. Automated Decision-Making

Antlar uses artificial intelligence in two distinct ways:

• Operational categorisation. The Service automatically classifies incoming and outgoing correspondence by topic (such as Maintenance, Financial, Compliance, Governance, Dispute, Insurance), urgency, and the lots mentioned. These categorisations help correspondence appear in the right view and can be corrected by authorised users at any time. They do not by themselves change any individual's compliance status, financial position or correspondence record.
• Decision support. The Service uses AI to surface recommendations, drafts and analyses for authorised users. Examples include flagging potential compliance gaps, suggesting correspondence drafts, and summarising scheme financial data. Where a decision could affect the rights or interests of a lot owner, committee member or other individual, that decision is always made by an authorised human user. The AI provides input; the human decides. No change to compliance status, outbound correspondence, financial records, or any other matter affecting individuals is ever applied without human confirmation.

The kinds of personal information used by these AI features include lot ownership and contact details, levy and financial records, correspondence history, and scheme obligation data. If you have questions about how a recommendation was generated, you may contact us at privacy@antlar.co.

6. Disclosure of Personal Information

Antlar may disclose personal information to:

• our service providers who assist in operating the Service (such as cloud hosting, analytics, and email delivery)
• third-party processors as described in sections 5 and 7, which together identify the AI providers, mailbox integration providers, email delivery and marketing provider, and infrastructure and operational service providers currently used by the Service
• professional advisers (lawyers, accountants) where necessary
• law enforcement or government authorities where required by law
• a purchaser or successor entity in the event of a sale or transfer of our business

We require our service providers to protect personal information and only use it for the services they provide to us.

We do not sell personal information to third parties for marketing purposes.

7. Overseas Disclosure

Antlar's primary application database, document storage, authentication service, AI substitution data, and embedding service are hosted in Australia (Sydney). The overseas disclosures listed below relate to specific external services used for AI processing, mailbox integration, email delivery, operational hosting, and request monitoring.

Personal information held by Antlar is primarily stored and processed in Australia. Limited categories of personal information are disclosed to recipients located outside Australia, in each case subject to the protections described in this Policy:

• Anthropic (Claude), United States: receives placeholder versions of prompts for conversational AI and document analysis features, with personal information substituted before transmission as described in section 5.
• OpenAI, United States: receives placeholder versions of prompts for in-thread AI chat and compliance analysis features, with personal information substituted before transmission as described in section 5.
• Microsoft (Microsoft Graph / Outlook), United States and other Microsoft data centres: receives mailbox content where you have connected a Microsoft 365 / Outlook mailbox to the Service for email integration purposes.
• Google (Gmail API), United States: receives mailbox content where you have connected a Gmail mailbox to the Service for email integration purposes. Antlar's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We request access to your Gmail data solely to provide the email integration features within the Service, and we do not use Google user data for advertising or any purpose unrelated to the Service.
• Twilio SendGrid (Email API), United States: used to send and receive emails on behalf of, or addressed to, scheme participants. The contents of those emails (including any personal information they contain) and the email addresses of senders and recipients pass through SendGrid in the course of delivery, and are also disclosed to the email recipients themselves.
• Twilio SendGrid (Marketing Campaigns), United States: first name, last name and email address of individuals on Antlar's marketing distribution list. Recipients can unsubscribe at any time using the link included in every Antlar marketing email.
• Vercel (application hosting), United States: request routing, serverless compute, and operational logs. Personal information in transit is encrypted. The application database, document storage and other durable records remain in Australia (see Supabase entry below). Vercel's operational log infrastructure is United States-based regardless of where serverless functions execute.
• Supabase, Australia (Sydney): primary application database, authentication, file storage, and the substitution data used by AI features. Although Supabase is a US-headquartered company, the production project hosting Antlar's data is located in the Sydney (ap-southeast-2) region.
• Cloudflare (AI Gateway), United States: Antlar routes calls to overseas AI providers through Cloudflare's AI Gateway for operational monitoring of AI usage. Cloudflare receives request metadata including the AI provider, model, timing, cost, and the relevant scheme and user identifiers. Prompt content has been substituted with non-identifying placeholders before transit, so prompt content received by Cloudflare does not contain personal information; the metadata is identifying at the user and scheme level.

Before disclosing personal information overseas, Antlar takes reasonable steps to ensure the recipient handles it in accordance with the Australian Privacy Principles or is subject to a law or binding scheme substantially similar to the APPs.

8. Data Security

Antlar takes reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security measures include:

• encryption of personal information in transit and at rest
• access controls so that users can only see information for strata schemes they are members of, enforced at the database layer
• identification of personal information in content sent to AI features, and substitution with non-identifying placeholders before transmission to any third-party AI provider
• storage of the substitution data on Antlar's Australian infrastructure, accessible only to the Service itself
• output safeguards that re-scan AI responses for any personal information patterns and either redact unmatched placeholders or log them for review, so that personal information substituted before transmission cannot inadvertently appear in AI outputs
• automated controls in our development and release process that prevent new features from sending content to AI providers without first applying the protections described in section 5
• access controls, multi-factor authentication, and audit logging on administrative actions
• regular security assessments and dependency monitoring
• staff training on privacy and security obligations

You can help protect your information by keeping your login credentials confidential and notifying us immediately if you suspect unauthorised access to your account.

9. Data Retention

Antlar retains personal information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law.

When you terminate your use of the Service, we will, on request, delete or de-identify your personal information within 30 days, except where we are required to retain it for legal, regulatory, or legitimate business purposes.

Substitution data used by AI features (the mapping that allows Antlar to restore real information into AI responses) is retained only as long as required to support that restoration for the relevant scheme, and is deleted alongside the underlying scheme records on account termination.

10. Your Rights

Under the Privacy Act 1988 (Cth) and the Privacy Act 2020 (NZ), you have the right to:

• access the personal information Antlar holds about you
• request correction of inaccurate, incomplete, or outdated information
• request deletion of your personal information (subject to legal requirements)
• request deletion of personal information about you held in the substitution data used by AI features, on the same terms as other personal information held by the Service
• withdraw consent where processing is based on consent
• complain about a breach of the APPs
• request an explanation of how an AI-generated recommendation affecting you was produced, noting that decisions affecting your rights or interests are made by authorised human users of the Service, with AI providing input only

To exercise these rights, contact us using the details in section 13. We will respond to your request within a reasonable time and, in any case, within 30 days.

We may refuse access or correction in certain circumstances permitted by law, in which case we will provide reasons for our decision.

11. Cookies and Analytics

Antlar uses cookies and similar technologies to:

• maintain your session and preferences
• analyse how the Service is used
• improve functionality and user experience

You can control cookies through your browser settings. Disabling cookies may affect some features of the Service.

We use the following analytics services:

• Vercel Analytics runs across the Service (app.antlar.co) and collects page-load and interaction performance data, including page views, navigation timing, and basic session metadata. IP addresses are anonymised by the platform. Vercel Analytics is loaded on every page of the Service.
• Google Analytics runs on our marketing website (antlar.au and antlar.co) and collects information about visitors to those sites, including pages visited, time on site, and traffic sources. Google Analytics is not loaded on the Service itself. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
• Cloudflare AI Gateway (described in section 7) records request metadata for each AI feature call, including the AI provider, model, timing, and the relevant scheme and user identifiers. Prompt content sent through the Gateway has been substituted with non-identifying placeholders before transit (see section 5).

12. Changes to This Policy

Antlar may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by email.

Your continued use of the Service after changes are posted constitutes acceptance of the updated Privacy Policy.

13. Contact Us

If you have questions about this Privacy Policy, wish to exercise your rights, or want to make a complaint, please contact Antlar at privacy@antlar.co.

We will acknowledge your complaint within 7 days and aim to resolve it within 30 days.

If you are not satisfied with our response, you may lodge a complaint with:

• In Australia: Office of the Australian Information Commissioner (OAIC) at oaic.gov.au
• In New Zealand: Office of the Privacy Commissioner at privacy.org.nz