Privacy Policy

Sortz – Document Management Platform

Last Updated: November 2024

1. Introduction

Sortz ("we", "our", or "us") is a document management and classification platform operated by Somerson Pty Ltd as trustee for the Somerville Family Trust. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our platform, website, browser extension, and related services (collectively, the "Service").

By using Sortz, you agree to the collection and use of information in accordance with this policy. We are committed to protecting your privacy and handling your data transparently and securely.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Password (securely hashed – we never store plain text passwords)
  • Name and organisation details
  • Multi-factor authentication settings (if enabled)

2.2 Documents and Content

When you use our Service, we process:

  • Documents you upload for classification and organisation
  • Document metadata (file names, types, sizes, upload dates)
  • Templates and placeholder configurations you create
  • AI-generated classifications and document embeddings for search functionality

2.3 Payment Information

For paid subscriptions, we collect:

  • Billing address
  • Organisation name for billing purposes
  • Payment method details are collected and processed directly by Stripe – we do not store your full credit card numbers

2.4 Usage Information

We automatically collect:

  • Log data and timestamps of your interactions with the Service
  • Device and browser information
  • IP address

3. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service
  • Process and classify your documents using AI
  • Enable semantic search across your documents
  • Sync documents to your connected cloud storage (OneDrive/SharePoint)
  • Process payments and manage subscriptions
  • Send transactional emails (account verification, invitations, password resets)
  • Respond to your enquiries and provide customer support
  • Ensure security and prevent fraud
  • Comply with legal obligations

4. AI and Document Processing

Sortz uses artificial intelligence to classify and organise your documents. It's important you understand how this works:

  • No AI Training on Your Data: We use Amazon Bedrock for AI processing. Your documents are NOT used to train AI models. All processing is inference-only.
  • Transient Processing: Document content is processed in real-time and not retained by our AI services after processing is complete.
  • Text Extraction: We use Amazon Textract to extract text from PDFs and images. This service does not store your document content.
  • Embeddings: We generate and store vector embeddings of your documents to enable semantic search. These embeddings are deleted when you delete the associated document.

5. Data Storage and Security

5.1 Data Location

All data is stored in Amazon Web Services (AWS) data centres located in Sydney, Australia (ap-southeast-2 region). Your data does not leave AWS infrastructure except when syncing to your configured external cloud storage.

5.2 Security Measures

We implement robust security measures including:

  • Encryption at rest using AES-256 for all stored data
  • Encryption in transit using TLS 1.2 or higher for all communications
  • Secure password hashing
  • Optional multi-factor authentication (MFA)
  • Organisation-based data isolation – users can only access data belonging to their organisation
  • OAuth tokens for third-party integrations stored securely in AWS Secrets Manager
  • Regular security assessments

5.3 Document Storage

Original documents uploaded to Sortz are deleted immediately after processing. Any backups older than 24 hours are automatically deleted. Processed documents are synced to your connected external storage (OneDrive/SharePoint) where you maintain control over retention.

6. Third-Party Services

We integrate with the following third-party services:

6.1 Stripe (Payment Processing)

We use Stripe to process payments. When you subscribe to a paid plan, Stripe collects your payment information directly. We only receive and store your Stripe customer ID and subscription status. See Stripe's Privacy Policy.

6.2 Microsoft OneDrive/SharePoint

If you connect your Microsoft account, we request permission to read and write files to your selected folder. You can disconnect at any time. See Microsoft's Privacy Statement.

6.3 Amazon Web Services

We use various AWS services to host and operate Sortz, including Cognito (authentication), DynamoDB (database), S3 (storage), and Bedrock (AI processing). See AWS Privacy Policy.

7. Data Sharing

We do not sell your personal information. We may share your information only in the following circumstances:

  • With Your Organisation: If you're part of an organisation on Sortz, other members and administrators may see your activity and documents as permitted by your organisation's settings.
  • Service Providers: With third-party services that help us operate the Service (as described in Section 6), under strict confidentiality obligations.
  • Legal Requirements: When required by law, legal process, or to protect our rights, safety, or property.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice to you.

8. Data Retention

We retain your information as follows:

  • Account Data: Retained while your account is active and for a reasonable period thereafter for legal and business purposes.
  • Uploaded Documents: Deleted immediately after processing. Any backups older than 24 hours are automatically deleted.
  • Document Metadata and Embeddings: Retained until you delete the document or your organisation is deleted.
  • Logs: Retained for 30 days for operational and security purposes.

9. Your Rights

Under Australian privacy law and applicable regulations, you have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your data
  • Withdraw consent for optional data processing
  • Export your data in a portable format
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)

To exercise these rights, contact your organisation administrator or reach out to us directly using the contact details below.

10. Organisation Deletion

When an organisation is deleted from Sortz, we permanently delete all associated data including: documents, templates, user associations, integrations (including OAuth tokens), invitations, and organisation settings. Any active subscriptions are cancelled. This action is irreversible.

11. Cookies and Tracking

Sortz uses essential cookies and local storage to maintain your authentication session and remember your preferences. We do not use third-party advertising or tracking cookies. The browser extension stores authentication tokens locally using Chrome's secure storage API.

12. Children's Privacy

Sortz is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last Updated" date. For significant changes, we may also notify you via email. Your continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at hello@sortz.ai