Privacy Policy

Account information. Name, email address, phone number and login credentials when you create an account or contact us.

Business data you store in our products. Our products are business-management tools. The businesses that use them store their own operational records with us — for example clients, quotes, jobs, invoices, staff details and related files. That data belongs to the business that entered it; we process it solely to provide the product.

Connected-integration data. You can optionally connect third-party services to your workspace — for example Google (Analytics, Business Profile, Google Ads, YouTube), Meta (Facebook Pages, Instagram, Meta Ads), TikTok for Business, and accounting platforms such as Xero. When you authorise a connection we receive only the data the provider's consent screen describes — for marketing integrations this is read-only performance metrics (such as impressions, clicks, reach, ad spend, sessions, calls) for the accounts you choose.

Usage and technical data. Standard server logs (IP address, browser type, pages requested) used for security and to keep the service running.

We use information only to:

• provide and operate the products you've signed up for;
• display your own connected-account data back to you (for example, a marketing attribution dashboard combining your lead records with your advertising metrics);
• provide support and respond to enquiries;
• send service and billing communications;
• meet legal obligations and keep the service secure.

We do not sell personal information. We do not share one customer's data with another. We do not use data obtained through connected integrations for advertising, profiling, or training machine-learning models.

Extrua's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Google data we access (read-only analytics, business-profile, advertising and YouTube metrics) is used only to provide user-facing features visible to the account owner inside their own workspace. It is never sold, never used for advertising, never transferred except as necessary to provide those features or comply with law, and never used to train AI or machine-learning models.

Data received from Meta's APIs (Facebook Page, Instagram and ad account metrics) and from TikTok's APIs is handled the same way: read-only, displayed only to the business that connected the account, never shared across customers, never sold, and deleted when you disconnect the integration or ask us to remove it. See data deletion for how to remove it.

• Data is hosted with established cloud providers (Vercel for the application layer, Supabase/PostgreSQL for data storage).
• Integration access tokens are encrypted at rest with AES-256-GCM and decrypted only server-side at the moment of use.
• Every customer workspace is isolated by database row-level security — one business can never read another's records.
• All traffic is encrypted in transit (HTTPS/TLS).

We use a small set of processors to run the service: Vercel (hosting), Supabase (database and storage), Stripe (subscription billing — we never see full card details), Resend (email delivery), and Twilio (SMS). Where a business connects an integration (Google, Meta, TikTok, Xero), data flows directly between that provider and our servers under the authorisation the business granted.

Business data is retained while the account is active. Disconnecting an integration deletes its stored access tokens immediately. You can ask us to delete integration data, specific records, or an entire account at any time — see /data-deletion — and we action requests within 30 days, except where law requires longer retention (for example, tax records).

You may request access to, correction of, or deletion of your personal information at any time. If you believe we've mishandled your information you can complain to us first, and to the Office of the Australian Information Commissioner (OAIC) if unresolved.

Privacy questions, access requests and complaints: hello@extrua.com.au. We're based in Sydney, Australia.

We'll update this page when our practices change and bump the date at the top.