RevRadar (the "Service") is operated by ASMBLR Pty Ltd ABN 74 389 390 879 ("we", "us"). We take the privacy of your data and your clients' drawings seriously. This policy explains what we collect, how we use it, and the choices you have.
We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. If you're in the EU/UK, we treat your data consistently with the GDPR/UK GDPR.
1. What we collect
Account information
- Email address, name, and your password (stored as a salted hash by Supabase Auth — we never see the plaintext).
- The organisation you belong to and your role within it.
Drawings & comparison data
- The PDFs you upload for comparison (old + new revisions).
- The change reports we generate from them, including rendered image crops of regions where changes were detected.
- Drawing metadata you provide (codes, revisions, titles).
Usage data
- Which features you use, comparison job durations, file sizes, number of changes detected.
- AI processing cost per job, for capacity and billing limits.
- The IP address and browser user-agent of the device that submitted each comparison and accepted the Terms (stored on the job and acceptance records).
Billing data
- We don't store your card. Payments are processed by Stripe; we keep only the customer ID, subscription status, plan, and renewal/cancellation dates.
Operational data
- Server logs (IP address, request paths, timestamps) for security and debugging — retention depends on the hosting provider, typically up to 30 days.
- Error reports (stack traces, the user/org/job involved) sent to Sentry for diagnosing crashes.
- A standard authentication cookie so you stay signed in.
We don't use third-party analytics or advertising trackers.
2. How we use your data
- To provide the comparison service and show you your reports.
- To send transactional email (job completion, password reset, plan status). We do not send marketing email without separate opt-in.
- To debug failures and improve reliability.
- To enforce usage caps and detect abuse.
- To meet our legal and accounting obligations.
We do not sell your data, and we do not use the contents of your drawings to train any machine-learning models — ours or our sub-processors'.
3. AI processing
Comparing drawings uses large language models hosted by third-party providers, accessed via the OpenRouter gateway. The default model is Google Gemini; we may route to other providers (e.g. Anthropic, OpenAI) on the OpenRouter network where that gives better results, and we'll keep the sub-processor list below current.
When we run a comparison the following data is sent to the AI provider:
- A rendered image of the first page of each PDF (used to extract the title block — drawing code, title, revision).
- For each detected change cluster: rendered image crops of the old version, the new version, and an overlay highlighting the difference, plus structured text describing the change.
The contents of those images and text are processed only to produce the comparison report. Sub-processors do not train on inference content under their published terms.
If your project's data-handling rules prohibit AI sub-processing, contact us before using the Service.
4. Sub-processors
| Vendor | Purpose | Region |
|---|---|---|
| Supabase | Database, storage, authentication | Sydney, Australia |
| Fly.io | Background workers (PDF parsing, comparison) | Sydney, Australia |
| Netlify | Web hosting + edge | Global CDN |
| Stripe | Subscription billing | United States |
| Resend | Transactional email | Tokyo |
| OpenRouter | AI gateway (routes inference to model providers) | United States |
| Google (Gemini) | AI inference | United States |
| Anthropic, OpenAI | AI inference (used selectively) | United States |
| Sentry | Error monitoring | European Union |
| UptimeRobot | Uptime monitoring | United States |
Where a sub-processor is outside Australia, your data is protected by that vendor's contractual terms and (for EU/UK users) by Standard Contractual Clauses where applicable.
5. Where your data lives
Your account data, your uploaded drawings, and the generated reports live in Australia (Supabase Sydney + Fly Sydney). Operational metadata may be processed in the regions listed above.
6. How long we keep things
We retain your comparison reports indefinitely while you're an active customer. After your account becomes dormant we run a short retention countdown, send you warning emails, and then auto-purge.
| Data | Retention |
|---|---|
| Account + organisation | While the account is active. Deleted within 30 days of account closure. |
| Uploaded drawings + reports — active paying subscriber | Indefinite. Nothing auto-deletes. |
| Uploaded drawings + reports — after subscription cancelled | 90 days from the end of your billing period, then permanently deleted. We email you when the countdown starts and again 7 days before purge. |
| Uploaded drawings + reports — trial that didn't upgrade | 7 days from trial expiry, then permanently deleted. We email you when the countdown starts. |
| Server logs | Up to 30 days (hosting-provider defaults). |
| Database backups | Up to 7 days (Supabase Pro daily backups). |
| Billing records | 7 years (Australian tax obligations). |
| Compliance audit log (acknowledgments, detection-run metadata, report views) | 7 years, retained beyond the drawings-and-reports purge windows above for legal defensibility. Contains hashes, model and prompt versions, timestamps, and IP addresses for clickwrap acceptances — not your drawing content. See section 6.1. |
You can request earlier deletion at any time via your profile settings (Delete account) or by emailing us. Individual jobs you delete from the comparison list are purged immediately.
6.1. About the compliance audit log
When you sign up, accept our Terms of Service or AI-Assisted Use Policy, run a comparison, view a report, or download a report, we record an entry in a compliance audit log. Each entry captures:
- The kind of event (e.g. "report viewed", "Terms accepted").
- Stable identifiers (your user ID, your organisation ID, and the job ID where applicable).
- For detection runs: hashes (SHA-256) of the input PDFs and the output report, plus the model version, prompt version, and library version that produced the output.
- For acknowledgments: the policy version, your IP address, and your user-agent string.
- A timestamp.
We do not store the content of your drawings, the AI's textual output, or any image data in this log. The audit log exists so that if a customer or regulator later disputes a finding (or absence of a finding), we can demonstrate exactly which version of the system produced which output, and which policies you had acknowledged at the time.
The audit log survives the 90-day / 7-day purge windows above — your drawings and reports are deleted on schedule, but the metadata about the run is retained for the legal-defensibility window. You can view your own audit log entries at any time from Account → Audit history in the dashboard.
7. Security
- All traffic is served over HTTPS / TLS.
- Stored data is encrypted at rest by our hosting providers.
- Database access is enforced by row-level security — one organisation cannot read another's data, even with a valid authentication token.
- Internal worker callbacks are HMAC-signed with a 60-second replay window.
- We use industry-standard password hashing (Supabase Auth, bcrypt), and passwords are only transmitted over the TLS-encrypted connection, never in cleartext.
No system is perfectly secure. If you believe an account has been compromised, please email us immediately. We follow the Australian Notifiable Data Breaches scheme and will notify the OAIC and affected individuals where a breach is likely to result in serious harm.
8. Your rights
You can ask us at any time to:
- Access the personal data we hold about you.
- Correct any data you believe is wrong.
- Delete your account and all associated drawings — there's a self-serve "Delete account" option in your profile menu, which removes your sign-in, your jobs, and the associated PDFs and reports from storage.
- Export your account data + your generated reports in a machine-readable form (email us to arrange).
- Object to a particular use of your data.
Email lachie@asmblr.com.au for any request that isn't covered by the in-app controls. We aim to respond within 30 days.
If you're unhappy with how we handled your request, you can complain to the Office of the Australian Information Commissioner (oaic.gov.au).
9. Cookies
We use only the cookies that the Service strictly needs to function — your Supabase sign-in session. We don't set tracking cookies, we don't use analytics or advertising cookies, and your browser's "Do Not Track" signal is respected by default because we don't track. A small client-side preference for "stay signed in" is held in your browser's local storage, not in a cookie.
10. Children
The Service is built for professional construction and engineering use. It is not intended for anyone under 16 and we do not knowingly collect data from children.
11. Changes to this policy
We may update this policy as the Service evolves. Material changes will be communicated via email and on this page. The "last updated" date at the top of the page tells you the current version.
12. Contact
Privacy questions, requests, and complaints:
ASMBLR Pty Ltd
Email: lachie@asmblr.com.au