Privacy Policy

1. Introduction

This Privacy Policy describes how High Country Digital (ABN 90 684 626 237) ("we", "us", or "our") collects, uses, stores, and discloses personal information in connection with the WebMap platform ("Service"), accessible at getwebmap.com.

We are committed to protecting your privacy and handling personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

By using the Service, you consent to the collection, use, and disclosure of your personal information as described in this policy. If you do not agree, please do not use the Service.

2. Information We Collect

We collect different types of information depending on how you interact with the Service.

Account information

When an agency registers for an account, we collect your name, email address, and password (stored as a secure hash). We may also collect your business name if provided.

Project data

When you create and manage projects through the Service, we collect and store: client names, client email addresses, website URLs added for annotation, visual annotation data (coordinates, types, and notes), site page plans (page names, descriptions, and content), uploaded images and assets (logos, photos, and other files), and messages exchanged between agency and client through the in-app chat.

AI-generated data

The Service generates AI-powered design briefs and website analysis results using your project data. These outputs are stored in association with your project and account.

Usage data

We collect data about how you use the Service, including features accessed, actions taken, and session activity. This data is used to improve the Service, monitor for abuse, and understand usage patterns.

Technical data

We may collect standard technical data including IP addresses, browser type and version, device type, operating system, and referring URLs. This data is used for security monitoring, analytics, and troubleshooting purposes.

3. How We Use Your Information

We use the information we collect for the following purposes:

• To provide the Service: Processing and storing your projects, annotations, images, and messages; enabling client access via share links; tracking project progress.
• To generate AI-powered outputs: Sending annotation data and project content to AI processing services to generate design briefs and website analysis results on your behalf.
• To communicate with you: Sending transactional notifications (such as brief completion alerts), responding to support requests, and providing service updates.
• To process payments: Managing subscription billing and related financial transactions through our payment processor.
• To improve the Service: Analysing usage patterns, identifying bugs, and developing new features. We use aggregated or de-identified data where possible for this purpose.
• To ensure security and prevent abuse: Monitoring for suspicious activity, enforcing our Terms of Service, and protecting the integrity of the Service.

We will not sell your personal information to third parties, and we will not use it for behavioural advertising.

4. Third-Party Services

We use the following third-party services to deliver the Service. Each of these providers processes data on our behalf and is subject to their own privacy policies and data processing terms.

Supabase

Supabase provides our database, authentication, file storage, and real-time messaging infrastructure. All project data, account information, and uploaded files are stored on Supabase servers located in the United States. Supabase processes data in accordance with its Privacy Policy at supabase.com/privacy.

OpenRouter / Google Gemini

AI brief generation is powered by large language models accessed via OpenRouter, which may route requests to models including Google Gemini. When you generate a design brief, annotation data and website content from your project are transmitted to OpenRouter's API for processing. We do not submit raw personal data (such as client names or contact details) to AI models — only project content relevant to brief generation is included. Please review OpenRouter's privacy policy and the applicable model provider's policies for information on how AI processing data is handled.

ScreenshotOne

For websites that cannot be loaded in an iframe, we use ScreenshotOne to capture full-page screenshots. Website URLs are transmitted to ScreenshotOne's API for this purpose. ScreenshotOne's privacy policy is available at screenshotone.com.

Vercel

The WebMap frontend application is hosted on Vercel's infrastructure. Standard HTTP request data (including IP addresses) may be processed by Vercel as part of serving the application. Vercel's privacy policy is available at vercel.com/legal/privacy-policy.

Resend

Transactional emails (such as brief completion notifications and account-related messages) are sent via Resend. Your email address is transmitted to Resend for delivery purposes. Resend's privacy policy is available at resend.com/legal/privacy-policy.

Stripe

Subscription payments are processed by Stripe. Payment card details are collected and processed directly by Stripe and are not stored on our systems. Stripe's privacy policy is available at stripe.com/privacy.

5. Data Storage and Security

Your data is stored on Supabase servers located in the United States. By using the Service, you consent to your data being transferred to and stored in the United States. We will take reasonable steps to ensure that any international transfers of personal information are handled in accordance with Australian Privacy Principle 8.

We implement reasonable technical and organisational measures to protect your personal information from unauthorised access, disclosure, alteration, or destruction. These measures include:

• Encryption of all data in transit via HTTPS/TLS.
• Row-level security (RLS) policies on the database to restrict data access to authorised users only.
• API keys and service credentials stored as server-side environment secrets — never exposed to client-side code.
• Access controls limiting who within our team can access production data.

No method of electronic storage or transmission is 100% secure. While we take these measures seriously, we cannot guarantee absolute security. If you become aware of a potential security incident, please contact us immediately at support@hcdigital.com.au.

6. Client Data

When agency users share a project link with their clients, those clients may submit annotations, images, page plans, and messages through the Service without creating an account.

Client data submitted via a share link is associated with the project, not a personal account. The agency user who created the project is the data controller for their clients' information. Agencies are responsible for ensuring they have appropriate consent from their clients to collect and share this data with us as part of using the Service.

We process client data solely to provide the Service to the agency. We do not use client data for marketing, profiling, or any purpose beyond delivering the features of the Service.

7. Data Retention

We retain personal information for as long as necessary to provide the Service and comply with our legal obligations. Specifically:

• Active accounts: Account information and all associated project data is retained while your account remains active.
• Cancelled or terminated accounts: Your data is retained for 30 days following account cancellation or termination, to allow for data export. After this period, all associated data is permanently deleted.
• Archived projects: Projects you archive within the Service are retained indefinitely until you permanently delete them or your account is closed.
• Usage and analytics data: Aggregated or de-identified usage data may be retained indefinitely for the purpose of improving the Service.

8. Your Rights

For users in Australia (Privacy Act 1988):

• Access: You may request a copy of the personal information we hold about you.
• Correction: You may request that we correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
• Deletion: You may request deletion of your personal information. We will action deletion requests subject to any legal obligations that require us to retain certain data.
• Complaints: If you believe we have interfered with your privacy, you may lodge a complaint with us directly. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by calling 1300 363 992.

For users in the United States:

• California (CCPA/CPRA): California residents have the right to know what personal information is collected, request deletion, opt out of the sale of personal information (we do not sell personal data), and not be discriminated against for exercising these rights. To make a request, contact us at the email below.
• Other US States: Residents of states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Utah, and others) may have similar rights to access, correct, delete, and opt out. Contact us to exercise your rights.

For users in Canada (PIPEDA):

• Access & Correction: Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to access your personal information and request corrections.
• Consent: We collect and use your personal information with your knowledge and consent. You may withdraw consent at any time, subject to legal or contractual restrictions.
• Complaints: You may lodge a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca. Residents of Quebec may also contact the Commission d'accès à l'information du Québec.

To exercise any of these rights, please contact us at support@hcdigital.com.au. We will respond to requests within a reasonable timeframe and no later than 30 days.

9. Cookies and Local Storage

WebMap makes minimal use of browser storage. We use localStorage for session persistence (keeping you signed in between visits) and to retain user interface preferences (such as sidebar state).

We do not use third-party tracking cookies, advertising cookies, or any cross-site behavioural tracking technology. The data stored in your browser is limited to what is strictly necessary to provide the Service.

10. Children's Privacy

The Service is intended for use by business professionals and is not directed at children under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe a minor has submitted personal information through the Service, please contact us at support@hcdigital.com.au and we will take steps to remove that information.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make changes, we will update the "Last updated" date at the top of this page. For material changes, we will notify active account holders by email or through a notice within the Service.

Your continued use of the Service after any changes take effect constitutes your acceptance of the updated policy.

12. Contact Information

For privacy-related queries, requests, or complaints, please contact us:

High Country Digital Privacy Officer: Jason Townsend ABN: 90 684 626 237 Email: support@hcdigital.com.au Website: getwebmap.com

If you are unsatisfied with our response to a privacy complaint, you may contact the Office of the Australian Information Commissioner (OAIC):

Office of the Australian Information Commissioner GPO Box 5218, Sydney NSW 1042 Phone: 1300 363 992 Website: oaic.gov.au