The Papers · Privacy Policy

Privacy Policy.

Quiet with your data — no analytics trackers, no advertising, nothing sold. This page says exactly what we hold, why, where it lives, and how to have it corrected or removed.

Controller
Aphelion Engineering Pty Ltd · Perth, WA
Registry
ACN 697 870 812 · ABN 19 697 870 812
Effective
5 July 2026 · first edition
Framework
Privacy Act 1988 (Cth) · Australian Privacy Principles
§ 01 · Scope

Who this covers

This policy explains how Aphelion Engineering Pty Ltd handles personal information collected through Ampacities (ampacities.com). It covers visitors, trial users and subscribers, and the people whose details subscribers store in their practice (for example, their clients' contacts). We handle personal information in line with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

§ 02 · What we collect

The information we hold

  • Account details — your name, email address, and (optionally) a mobile number used for sign-in codes. Passwords are stored only as salted cryptographic hashes; we cannot read them.
  • Practice records you enter — clients, projects, calculations and their inputs, proposals, quotes, invoices, timesheets. These belong to your practice and are visible only within it.
  • Security records — session records including IP address and browser identifier, sign-in events, and an audit trail of sensitive actions. Kept to protect your account.
  • Billing records — your subscription status and invoices. Card numbers never touch our servers; payment details go directly to Stripe.
  • Correspondence — emails you send us.

We do not collect browsing analytics, advertising identifiers, or anything from data brokers. The site sets one essential session cookie (__amp_session) when you sign in — nothing else, and no third-party trackers.

§ 03 · Why we collect it

What it is used for

  • Providing the Service — storing and displaying your practice's work, producing reports.
  • Securing accounts — verifying sign-ins, one-time codes, alerting on suspicious activity.
  • Billing and account management through Stripe.
  • Transactional email you'd expect: verification, password reset, invitations, documents you choose to send.
  • Support, and meeting our legal obligations (for example, tax record-keeping).

We do not sell personal information, and we do not use your practice data for advertising or profiling.

§ 04 · AI drafting

What AI sees — and never sees

If your practice uses the optional AI drafting features, the relevant proposal text and context is sent to Anthropic (our AI provider) to draft prose. Under our API arrangement this content is not used to train their models. AI never receives your billing details, and it never produces engineering figures or prices. Practices can disable AI features entirely, and the switch is respected server-side.

§ 05 · Who touches the data

Our processors

We use a small set of infrastructure providers, each receiving only what its job requires:

Cloudflare
Hosting, database, backups. The application and its data run on Cloudflare's platform; nightly backups are encrypted before storage.
Stripe
Payments. Card details and payment processing; PCI-DSS compliant. We hold only subscription status and invoice records.
Resend
Email delivery. Receives the address and content of each transactional email we send you.
Twilio
SMS delivery. Receives your mobile number and the one-time code, only if you use SMS sign-in.
Anthropic
AI drafting. Receives proposal text for prose drafting, only if your practice uses AI features (§ 04).

Beyond these, we disclose personal information only if the law requires it, or with your consent.

§ 06 · Where it lives

Overseas handling

Our providers operate global infrastructure, so your information may be stored or processed outside Australia — principally in the United States and on Cloudflare's worldwide edge network. We choose providers with strong, audited security practices, but by using the Service you acknowledge this overseas handling.

§ 07 · Security

How it is protected

  • Encryption in transit everywhere; passwords, session tokens and one-time codes stored only as hashes.
  • One active session per account; sessions expire automatically.
  • Strict practice isolation — every query is scoped to your practice.
  • Nightly backups, encrypted before they are written, retained for 90 days.
  • An audit trail of sensitive actions.

If a data breach occurs that is likely to result in serious harm, we will notify affected users and the OAIC as required by the Notifiable Data Breaches scheme.

§ 08 · Retention

How long we keep it

We keep your information while your account exists. After an account is closed we delete or de-identify personal information within a reasonable period, except what we must keep — for example, tax and billing records (kept as required by Australian law) and minimal audit entries. Encrypted backups age out on their 90-day cycle.

§ 09 · Your rights

Access, correction, export, deletion

Email [email protected] to access the personal information we hold about you, have it corrected, receive an export of your practice data, or ask for your account and data to be deleted. We respond within 30 days, and deletion is subject only to the legal retention noted in § 08.

Most account details can also be corrected directly in your settings.

§ 10 · Your clients' data

When you store others' details

When a practice stores its clients' contact details in Ampacities, the practice is responsible for collecting that information lawfully. We process it only to provide the Service to the practice. If someone contacts us directly about information a practice holds, we will refer the request to that practice unless the law requires otherwise.

§ 11 · Complaints

If something is wrong

Write to [email protected] — complaints are read first, and we aim to respond within 30 days. If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner at oaic.gov.au.

§ 12 · Changes

When this policy changes

We may update this policy as the Service evolves; the effective date above always reflects the current edition. For material changes we will give notice by email or a prominent notice in the Service.