Privacy Policy

1. Introduction

ImmiIQ ("we", "us", or "our") is operated by ANZSCO AI. We respect your privacy and are committed to protecting the personal information you share with us.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit ImmiIQ and use our platform at app.immiiq.com (collectively, the "Service"). This policy is governed by the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

Account Information

When you create an account, we collect your name and email address. If you sign in via a third-party provider (e.g. Google), we receive the profile information you authorise.

Usage Data

We automatically collect information about how you interact with the Service, including search queries, pages viewed, features used, session duration, browser type, device information, and IP address.

Payment Information

Payments are processed securely by Stripe. We do not store your credit card number, CVV, or full card details on our servers. Stripe provides us with a tokenised reference and basic billing details (last four digits, card brand, expiry) for your records.

Cookies

We use cookies for authentication, analytics, and preferences. See our Cookie Policy for full details.

3. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service
• Personalise your experience and deliver relevant search results
• Process payments and manage your subscription
• Send transactional emails (receipts, account notifications, security alerts)
• Improve the platform based on aggregated usage patterns
• Run anonymised product analytics to inform feature development
• Detect, prevent, and address technical issues or fraud
• Comply with legal obligations under Australian law

We do not use your information for advertising or sell it to third-party advertisers.

4. Data Sharing

We do not sell your personal data. We share information only with the following service providers, each bound by data processing agreements (DPAs):

• Stripe — payment processing and billing
• Amazon Web Services (AWS) — transactional email delivery via AWS SES
• PostHog — anonymised product analytics
• Vercel — application hosting and edge delivery

We may also disclose information if required by law, regulation, or legal process, or to protect the rights, safety, or property of ImmiIQ or others.

5. Data Storage & Security

Your data is stored in Australia on secure, managed PostgreSQL infrastructure databases hosted on AWS in the ap-southeast-2 (Sydney) region. All data is encrypted at rest (AES-256) and in transit (TLS 1.2+).

We conduct regular security audits and follow industry best practices for access control, authentication, and infrastructure hardening. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

6. Your Rights

Under the Australian Privacy Act 1988 and the APPs, you have the right to:

• Access the personal information we hold about you
• Correct any inaccurate or out-of-date information
• Delete your account and associated data
• Data portability — request an export of your data in a machine-readable format
• Withdraw consent for optional data processing (e.g. analytics)
• Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

7. Cookies

We use essential, analytics, and preference cookies to operate and improve the Service. For comprehensive information about the cookies we use and how to manage them, please see our Cookie Policy.

8. Third-Party Services

The Service integrates with the following third-party providers. Each has their own privacy policy governing data they process:

• Stripe — payment processing (privacy policy)
• PostHog — product analytics (privacy policy)
• Vercel — hosting (privacy policy)
• AWS SES — transactional email delivery (privacy policy)

9. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16 without parental consent, we will take steps to delete that information promptly.

10. Harper AI Mobile App

Harper AI (iOS / Android) collects the same data as the web experience, plus:

• Device label and app version — e.g. "iPhone 15 Pro · Harper AI 1.0.0" — used for support troubleshooting and showing you active sessions. Not linked to advertising.
• Session tokens — an opaque bearer token issued on sign-in, stored in your device's secure keychain (iOS) or EncryptedSharedPreferences (Android). Destroyed on sign-out or app uninstall.

The mobile app does not collect your location, contacts, photos, advertising ID, health data, biometrics, microphone, or camera.

Push notifications: Harper AI does not send push notifications. All product updates (weekly digest, policy-change alerts) are delivered by email.

Deleting your mobile-app data: Uninstalling the app removes the bearer token from your device. To fully delete your account, see "Deleting Your Account" below.

11. Deleting Your Account

You can request permanent deletion of your Harper AI / ImmiIQ account at any time.

How to request: Send an email to [email protected] from the address associated with your account with the subject "Delete my account". The request must come from the registered address so we can verify it's you — there is no extra verification step, no link to click.

What we delete: Your user record, all Harper chat history, saved searches, session tokens, push preferences, and profile data. Deletion is permanent and cannot be undone.

What we keep, briefly: Invoices with your email redacted (retained for 7 years per Australian tax law); server audit logs showing that the deletion happened (retained 90 days); anonymised usage metrics that can no longer be linked back to you.

How long it takes: We complete deletion within 7 days of receiving the email. We send one confirmation email when it's done.

Organisation accounts: Deleting your personal account removes your access to any migration-agency workspace you belong to — it does not delete the workspace itself. If you are the workspace admin, email us; we will help transition ownership before deleting anything.

12. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify registered users via email at least 14 days before the changes take effect. We will also update the "Last updated" date at the top of this page.

Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.

13. Contact

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:

Email: [email protected]