1. Who we are
This privacy policy applies to Fairgo (the “Service”), an online tool that helps Australian consumers prepare demand letters under the Australian Consumer Law (Schedule 2 of the Competition and Consumer Act 2010 (Cth)). In this policy, “we”, “us”, and “our” refer to the operator of Fairgo. References to “you” mean any user of the Service, whether you have created an account or are using the Service as a guest.
We are bound by the Australian Privacy Principles (APPs) set out in Schedule 1 of the Privacy Act 1988 (Cth) where they apply to our activities, and we aim to handle your information in accordance with that framework regardless.
2. Information we collect
2.1 Information you provide
- Your situation description — the free-text story you enter at Step 1 of the wizard. This is the most sensitive item we collect; we treat it accordingly.
- Optional context — whether the dispute concerns goods or services, an approximate incident date, the outcome you want, your state or territory.
- Business details — the name, ABN (if provided), and contact address of the business you intend to write to.
- Key facts — incident date, dispute amount, and a short description of what the business has refused.
- Personal contact details (optional) — your name, street address, email, and phone, used to substitute the bracketed placeholders in the generated letter. These are optional; if omitted, the placeholders remain for you to fill in by hand after download.
- Account details — if you choose to register, your email address and a password (handled by our authentication provider, never stored in plain text by us).
- Contact-form messages — if you write to us via the contact form, the message and the email address you provide for our reply.
2.2 Information generated by the Service
- Legal analysis output — the JSON result returned by Stage 1 of our AI pipeline (which provisions of the ACL apply to your situation, the case-strength assessment, suggested next steps).
- The demand letter — the plain-text letter produced by Stage 2 of our AI pipeline.
- Status notes — if you mark a saved matter as sent, replied to, or resolved, that status and any notes you attach.
2.3 Information collected automatically
- Usage events — non-content metadata about how you use the wizard (which step you reached, the latency of an analysis call, whether a download was triggered). We deliberately do not log the contents of your story or letter into the analytics record.
- Authentication and session cookies — required to keep you signed in or to remember an in-progress wizard session for up to 24 hours.
- Standard server logs — IP address, user-agent string, and timestamps, retained briefly for security and fraud-prevention purposes.
2.4 What we deliberately do not collect
- Bank account numbers or payment card details.
- Government identifiers (TFN, Medicare number, passport number).
- Health or biometric information.
- Information about anyone other than you and the business you are writing to.
Before transmitting your story to our AI processor, we attempt to strip obvious patterns matching email addresses, Australian phone numbers, card-shaped digit runs, and ID-shaped digit runs. This is belt-and-braces; you should still avoid pasting such data into the Service.
3. How we use your information
- To run the legal analysis and produce your demand letter.
- To deliver the letter to you in your chosen format (on-screen, plain text for email, PDF, or Word).
- To save matters to your account where you have requested it.
- To enforce account security and prevent abuse of the rate limits and free-tier resources.
- To fix bugs, improve the Service, and answer your support enquiries.
- To meet legal obligations (e.g. responding to a lawful subpoena).
We do not use your situation description, your generated letter, or any of your account information to train or fine-tune AI models. We do not sell your information.
4. How we share your information
We share information only with the third-party processors that run components of the Service for us, and only the minimum needed for them to do their job:
- Anthropic, PBC — provides the AI model that performs the legal analysis (Stage 1) and drafts the letter (Stage 2). Your PII-stripped story and structured inputs are transmitted to Anthropic over an encrypted connection. Anthropic processes the data in the United States. Per Anthropic's published policies at the time of writing, content sent to the API is not used to train Anthropic's models.
- Supabase (data residency: Sydney, Australia) — provides our database, authentication, and file storage. All rows containing your situation description and generated letter are encrypted at rest using a key held by us, not by Supabase.
- Vercel — hosts and serves the Service. May process some request metadata.
- Resend — sends transactional and contact-form email on our behalf.
Each of these providers is bound by their own privacy and security commitments. We will only add or replace a third-party processor for an equivalent service.
5. Where your information is stored
Your account record, your saved matters, and your in-progress wizard state are stored in our Supabase project hosted in the Sydney (ap-southeast-2) region. Server logs and analytics events are likewise kept in that region.
As noted above, when we run the Stage 1 and Stage 2 AI calls, the relevant inputs are transmitted to Anthropic's infrastructure in the United States for processing. We treat this as the only cross-border disclosure required to operate the Service. By using the Service you consent to that transfer.
6. How long we keep your information
- Guest sessions — automatically deleted after 24 hours of inactivity. If you don't register an account, your story will not survive longer than that.
- Saved matters — kept for as long as your account exists. You may delete an individual matter at any time from the matter detail page.
- Account deletion — when you delete your account (or ask us to delete it), we remove your account record and all associated matters, status notes, and personal contact details from our active systems within 30 days. Backup snapshots may retain a copy for a further short period until they are rotated out, after which all copies are gone.
- Usage events — retained for up to 24 months for analytics, then aggregated or deleted.
- Contact-form messages — kept in our inbox and ticketing tools for as long as needed to respond and to satisfy our record-keeping obligations.
7. Security
We protect your information using:
- HTTPS (TLS) for all traffic.
- Application-side AES-256-GCM encryption of your situation description and the generated letter before they are written to the database.
- Database-level row-level-security policies that ensure one account cannot read another account's data.
- Hashed and salted passwords (handled by our authentication provider).
- Rate limiting on the AI endpoints to prevent abuse.
No system is completely secure. If we become aware of an unauthorised access or disclosure of your information that is reasonably likely to result in serious harm, we will notify the Office of the Australian Information Commissioner and the affected individuals as required by the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth).
8. Cookies and similar technologies
We use a small number of strictly necessary cookies:
- A session cookie to keep you signed in.
- A guest-session cookie (24-hour TTL, httpOnly) to remember an in-progress wizard between page loads, even if you have not registered.
- Cookies set by our authentication provider to manage the OAuth flow if you sign in with a third-party identity.
We do not use third-party advertising cookies, behavioural tracking, or fingerprinting technologies.
9. Your rights
Under the APPs and Australian privacy law generally, you have the right to:
- Access the personal information we hold about you.
- Correct any information that is inaccurate, out of date, or incomplete.
- Delete your account and the personal information associated with it.
- Withdraw consent to optional uses of your information (where consent is the basis for that use).
- Complain to us, and ultimately to the Office of the Australian Information Commissioner (oaic.gov.au), if you believe we have mishandled your information.
To exercise any of these rights, write to us via the contact form. We will respond within a reasonable time, ordinarily within 30 days. We may need to verify your identity before acting on a request.
10. Children
Fairgo is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time to reflect changes in the Service, our processors, or the law. The “Last updated” date at the top of the page tells you when the current version was published. We will give reasonable notice of material changes. Your continued use of the Service after a change constitutes acceptance of the updated policy.
12. Contact
If you have any questions about this policy, want to exercise a right described above, or want to lodge a privacy complaint, write to us via our contact form.
This policy is offered as a fair-faith summary of how Fairgo handles your information. It does not create rights or obligations beyond those imposed by Australian law. Where this policy and the law differ, the law prevails.