1. About This Policy
This Privacy Policy explains how Andalucia Group Pty Ltd (“Borro”, “we”, “our”, or “us”) collects, uses, stores, and shares information about you when you use our website at borro.ai and our borrowing intelligence platform (collectively, the “Service”).
We take your privacy seriously. We collect only what we need, we are transparent about why we collect it, and we do not sell your personal information to third parties.
By using the Service you acknowledge that you have read and understood this policy.
2. Who We Are
The data controller responsible for your personal information is:
If you are located in Australia, we also act as an accredited data recipient under the Consumer Data Right (CDR) framework where applicable. Our CDR policy and CDR data handling obligations are detailed separately in Section 8.
3. Information We Collect
We collect information in three main ways: information you provide directly, information collected automatically, and information from third-party sources you connect.
Information you provide
- Account details: name, email address, and password when you register.
- Profile information: any additional details you choose to add to your account.
- Financial data you enter manually: income, expenses, deposit amount, and loan preferences to power borrowing calculations.
- Documents you upload: payslips, tax returns, or bank statements stored in the Document Vault feature.
- Support communications: messages you send to our team via email or in-app chat.
- Waitlist submissions: email address if you join our early access list.
Information collected automatically
- Usage data: pages visited, features used, search queries, and interactions within the platform.
- Device and browser information: IP address, browser type, operating system, and device identifiers.
- Performance data: error logs, load times, and diagnostic information to help us improve reliability.
- Cookie and tracking data: described in detail in Section 10.
Information from third parties
- Open-banking data: transaction history, account balances, and income data shared via your bank or data holder under the CDR framework, with your explicit consent.
- Authentication providers: basic profile information (name, email, profile picture) if you sign in with Google.
- Lender data: publicly available or API-sourced rate and serviceability data from financial institutions — this data relates to lenders, not to you personally.
4. How We Use Your Information
We use your information for the following purposes:
| Purpose | Detail |
|---|---|
| Provide the Service | Calculate your borrowing capacity, compare lenders, run scenarios, and display results. |
| Account management | Create and manage your account, authenticate your identity, and communicate account-related information. |
| Personalisation | Tailor results and recommendations to your financial profile and preferences. |
| Communications | Send transactional emails (account confirmations, security alerts), product updates, and — where you have opted in — marketing emails. |
| Safety & fraud prevention | Detect, investigate, and prevent fraudulent transactions, abuse, or violations of our Terms of Service. |
| Legal compliance | Meet our obligations under applicable law, including privacy, financial services, and consumer data regulations. |
| Product improvement | Analyse usage patterns (in aggregate or pseudonymised form) to improve the Service. |
| Customer support | Respond to your enquiries and resolve issues. |
5. Legal Bases for Processing
Where we are required to identify a legal basis for processing your personal information, we rely on the following:
- Contract performance: processing necessary to provide the Service you have signed up for.
- Legitimate interests: operating and improving the Service, preventing fraud, and sending service-related communications, where these interests are not overridden by your rights.
- Consent: sending marketing communications and processing certain open-banking data — you may withdraw consent at any time.
- Legal obligation: complying with applicable laws and regulatory requirements.
If you are located in Australia, our primary legal framework is the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). If you are located in the European Economic Area or the United Kingdom, we additionally rely on the GDPR or UK GDPR as applicable. [Confirm applicable jurisdiction with counsel.]
6. Sharing Your Information
We do not sell, rent, or trade your personal information. We share it only in the following limited circumstances:
- Service providers: companies we engage to help operate the Service (hosting, email delivery, analytics, payment processing) — covered in Section 7.
- Open-banking data holders: your bank or authorised CDR data holder receives instructions from us when you grant or revoke consent for data sharing.
- Legal requirements: we may disclose information if required by law, court order, or government authority.
- Business transfers: if Borro is acquired or merges with another company, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.
- With your consent: we share information with third parties only when you have explicitly asked us to.
7. Third-Party Service Providers
We work with carefully selected third-party providers. Each provider is bound by data processing agreements or equivalent contractual protections. Key providers currently include:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Authentication, database, and file storage | USA / EU (configurable) |
| Resend | Transactional email delivery | USA |
| Vercel | Application hosting and edge delivery | Global CDN |
| Cloudflare | Web analytics, DDoS protection, DNS | Global |
| Stripe | Subscription billing and payment processing | USA / global |
| OpenAI | AI-powered analysis features (where enabled) | USA |
This list is illustrative and may change as we add or remove providers. We will update this policy when we make material changes to our provider relationships.
8. Open Banking & Consumer Data Right (CDR)
Borro connects to your financial accounts using open-banking infrastructure, which in Australia operates under the Consumer Data Right (CDR) framework. If you choose to connect a financial account, the following applies:
- Consent: we only access your banking data after you provide explicit, informed consent.
- Read-only access: we never initiate payments or modify your financial accounts. Access is strictly read-only.
- Scope limitation: we request only the data necessary to calculate your borrowing capacity — primarily transaction history, account balances, and income signals.
- Revocation: you can revoke our access at any time from within the Service or directly through your financial institution.
- CDR data handling: data shared under CDR is handled in accordance with our CDR policy and the CDR Rules. We do not use CDR data for purposes beyond what you have consented to.
- Retention of CDR data: we retain CDR data only as long as necessary to provide the features you have enabled, or as required by law.
Our CDR policy is available separately and is incorporated into this Privacy Policy by reference. [CDR policy to be completed and registered with the ACCC before launch.]
9. Payment Processing
Subscription payments are processed by Stripe, a PCI-DSS compliant payment provider. We do not store your full card number, CVV, or other raw payment credentials on our servers.
Stripe collects and processes your payment information under its own privacy policy. We receive only a token and limited billing metadata (last four digits, card type, expiry) sufficient to manage your subscription.
10. Analytics & Cookies
We use a small number of privacy-respecting tools to understand how the Service is used and to diagnose technical issues. We do not serve advertising or use third-party advertising trackers.
Cookies we set
| Cookie | Purpose | Duration |
|---|---|---|
| sb-auth-token | Supabase session authentication | Session / up to 1 year |
| cf_clearance | Cloudflare bot protection | Session |
| _ga (if added) | Google Analytics (not currently used) | — |
We use Cloudflare Web Analytics, a privacy-first analytics tool that does not use cookies, does not fingerprint individual users, and does not share data with advertising networks. Aggregate page-view data helps us understand overall usage patterns.
You can block cookies through your browser settings. Blocking authentication cookies will prevent you from staying logged in.
11. AI & Automation
Borro uses AI and machine learning in the following ways:
- Borrowing analysis: we apply algorithmic models to your financial data to estimate borrowing capacity across lenders. These calculations are based on publicly available lender serviceability criteria and are indicative, not definitive.
- AI-assisted features: certain features (such as natural-language summaries or scenario suggestions) may be powered by a large language model provider. Where your data is sent to an external AI provider, it is processed under a data processing agreement that restricts its use to providing the requested function — it is not used to train third-party models.
- No fully automated decisions with legal effect: we do not make binding credit decisions about you. Any output from Borro is informational and advisory. Actual credit decisions are made by lenders.
12. Data Retention
We retain your personal information for as long as your account is active and for a reasonable period afterwards to allow you to reinstate it. Specific retention periods:
| Data type | Retention |
|---|---|
| Account profile & preferences | Until account deletion, then 30 days |
| Financial data (manually entered) | Until account deletion or you delete it |
| Open-banking / CDR data | As consented — revocable at any time |
| Uploaded documents | Until you delete them or close your account |
| Payment records | 7 years (statutory requirement) |
| Server & access logs | Up to 90 days for security purposes |
| Marketing opt-in records | Until you unsubscribe or close your account |
When data is no longer required, we securely delete or anonymise it. Aggregated, de-identified data may be retained indefinitely for statistical purposes.
13. Your Rights
Depending on where you live, you may have the following rights in relation to your personal information:
- Access: request a copy of the personal information we hold about you.
- Correction: ask us to correct information that is inaccurate or incomplete.
- Deletion: ask us to delete your personal information, subject to legal retention obligations.
- Portability: receive your data in a machine-readable format (where technically feasible).
- Restriction: ask us to limit how we use your data in certain circumstances.
- Objection: object to certain types of processing, such as direct marketing.
- Withdraw consent: where we rely on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email us at hello@borro.ai. We will respond within 30 days. We may ask you to verify your identity before fulfilling a request.
If you are in Australia and believe we have not handled your personal information in accordance with the Australian Privacy Principles, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
14. Security
We take reasonable technical and organisational measures to protect your personal information against unauthorised access, disclosure, alteration, or destruction. These measures include:
- Encryption in transit: all data transmitted between your browser and our servers uses TLS (HTTPS).
- Encryption at rest: sensitive data stored in our database is encrypted at the infrastructure level.
- Access controls: access to production systems and personal data is restricted to authorised personnel on a need-to-know basis.
- Authentication: we enforce strong password requirements and support multi-factor authentication.
- Open-banking: CDR connections use read-only access tokens that can be revoked at any time.
No method of transmission or storage is 100% secure. If you become aware of a security vulnerability or incident affecting your account, please notify us immediately at hello@borro.ai.
15. International Data Transfers
Borro operates globally and may transfer your personal information to countries other than Australia, including the United States, where our infrastructure and service providers are based.
When we transfer personal information internationally, we take steps to ensure it receives an adequate level of protection, including through contractual arrangements with our service providers. If you are in Australia, such transfers are conducted in accordance with Australian Privacy Principle 8.
[Confirm cross-border transfer mechanisms with counsel before launch, particularly if you expect users from the EEA or UK.]
16. Children’s Privacy
Borro is not directed at children under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected information from a child, please contact us at hello@borro.ai and we will promptly delete it.
17. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top and notify you via email or an in-app notice before the changes take effect.
Your continued use of the Service after the effective date of an updated policy constitutes your acceptance of the changes. If you do not agree to the updated policy, you should stop using the Service and may request deletion of your account.
18. Contact
For questions, concerns, or requests relating to this Privacy Policy, please contact our privacy team:
Privacy — Andalucia Group Pty Ltd
L38 345 Queen Street
Brisbane
Email: hello@borro.ai
We aim to respond to all privacy enquiries within 30 days.