Privacy Policy

Effective date: 4 April 2026

1. Introduction

This Privacy Policy describes how Tessellant Pty Ltd (ACN 696 471 691) as trustee for the Tessellant Family Trust (ABN 23 943 834 841) ("Tessellant", "we", "us") collects, uses, and protects personal information through Tessellant Engage ("the Service").

We are committed to handling personal information in accordance with the Australian Privacy Principles under the Privacy Act 1988 (Cth).

2. Information We Collect

Information from Microsoft Entra ID

When you sign in with your Microsoft 365 account, we receive the following from Microsoft Entra ID (Azure Active Directory):

  • Email address -- your Microsoft 365 email.
  • Display name -- your name as configured in Microsoft 365.
  • Organisation tenant identifier -- a unique identifier for your Microsoft 365 organisation.
  • User object identifier -- a unique identifier for your Microsoft 365 account.

We request only the User.Read permission scope, which provides basic profile information. We do not access your emails, files, calendar, or any other Microsoft 365 data.

Information you provide

Through your use of the Service, you may provide:

  • Notes and comments on engagement items.
  • Checklist updates and item prioritisation actions.

Information collected automatically

  • Last login timestamp -- recorded each time you sign in.
  • Activity attribution -- notes and changes are attributed to your user account.

3. How We Use Your Information

We use your personal information to:

  • Authenticate you and verify your organisation's access to the Service.
  • Provide the Service -- displaying your name on notes and comments, associating your actions with your account.
  • Enforce access controls -- ensuring you can only access your own organisation's data.

We do not use your personal information for marketing, advertising, profiling, or automated decision-making.

4. AI Processing

The Service includes AI-assisted features that analyse engagement data to provide feasibility assessments, effort estimates, and scoping recommendations. When these features are activated:

  • Engagement content (item titles, descriptions, notes, and related context) is sent to Anthropic (our AI provider) via their API for processing.
  • Anthropic does not use API data to train their models.
  • Anthropic retains API inputs for up to 30 days for trust and safety purposes, after which they are deleted.
  • AI features are activated by Tessellant administrators, not by client users directly.

5. Third-Party Services

The Service uses the following third-party services:

Service Purpose Data Shared
Microsoft Entra ID Authentication OAuth2 authorisation flow (your M365 credentials are handled entirely by Microsoft)
Anthropic (Claude API) AI enrichment Engagement item content and context
Cloudflare DNS, CDN, and security Web traffic metadata (IP addresses, request headers)
Google Fonts Typography Browser requests for font files
jsDelivr CDN JavaScript library delivery Browser requests for library files

We do not sell, rent, or trade your personal information to any third party.

6. Data Storage and Security

  • Location: All application data is stored on infrastructure hosted in Sydney, Australia (DigitalOcean SYD1 region).
  • Encryption in transit: All connections to the Service are encrypted using TLS 1.2 or higher.
  • Access controls: Data is isolated by organisation. Users can only access data belonging to their own provisioned organisation.
  • Infrastructure security: The Service is protected by Cloudflare WAF, IP allowlisting, and automated vulnerability scanner blocking.

7. Cookies and Local Storage

Cookies

The Service uses a single session cookie:

  • Name: session
  • Purpose: Maintains your authenticated session.
  • Duration: 24 hours from sign-in.
  • Type: HttpOnly, signed. Cannot be accessed by client-side scripts.

We do not use advertising cookies, analytics cookies, or any third-party tracking cookies.

Local Storage

The Service stores the following preferences in your browser's local storage:

  • Theme preference -- light or dark mode selection.
  • Board tab selection -- which board view you last used.
  • Panel section states -- which sections are expanded or collapsed.

These are user interface preferences only and contain no personal information. They remain in your browser until you clear your browser data.

8. Data Retention

  • Account data (email, display name) is retained for as long as your organisation's access to the Service is active.
  • Engagement content (items, notes, checklists) is retained for the duration of the engagement and may be retained after completion for reference purposes.
  • Archived items are soft-deleted (hidden from view but retained in the database) and may be restored by Tessellant administrators.
  • Session data expires automatically after 24 hours.

9. Your Rights

You may:

  • Request access to the personal information we hold about you.
  • Request correction of inaccurate personal information. Note that your display name and email are sourced from Microsoft 365 -- changes should be made there.
  • Request deletion of your personal information, subject to any legal obligations to retain records.
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached.

To exercise any of these rights, contact us at [email protected].

10. Data Breach Notification

In the event of an eligible data breach likely to result in serious harm, we will notify affected individuals and the OAIC as soon as practicable, in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth).

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the Service. The effective date at the top of this page indicates when the policy was last revised.

12. Contact

For privacy-related enquiries or to exercise your rights, contact:

Tessellant Pty Ltd
Email: [email protected]

Terms of Service Back to sign in