PRIVACY POLICY
How we handle your information.
Last updated: 19 May 2026
1. About this policy
This Privacy Policy explains how Edos Solutions Pty Ltd (ACN 113 606 410, ABN 39 113 606 410) trading as InstaQuotes (“InstaQuotes”, “we”, “us”) collects, uses, discloses, and manages personal information in connection with the InstaQuotes platform.
We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy is also our APP 1 privacy policy as required by APP 1.3.
By using InstaQuotes, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this policy, do not use InstaQuotes.
2. Personal information we collect
2.1 Account and identity information. When you register for InstaQuotes, we collect: name, email address, phone number (optional), business name and trading name, Australian Business Number (ABN), business address, and business logo (optional, uploaded by you).
2.2 Subscription and billing information. We collect and retain:
- Subscription plan and billing frequency
- Payment metadata (transaction IDs, charge dates, amounts). We do not store your payment card data — card data is held and processed by Stripe, Inc.
- Add-On Credit purchase history and remaining credit balance
- Monthly quote usage and allowance
2.3 Quote and job content. When you use InstaQuotes to generate quotes, we collect job descriptions and specifications you enter, photographs and images you upload, engineering drawings and documents you upload, and Quote Outputs generated by the Platform.
2.4 Support and communications. When you contact us for support, we collect in-app support messages you submit and our replies, email correspondence with our support team, and AI-generated draft replies suggested to support staff (never automatically transmitted; reviewed by a staff member before any reply is sent).
Support messages may contain personal information about third parties (such as your clients or subcontractors) that you include in your message. We use this information solely to provide the support you have requested and do not disclose it beyond the support team. We encourage you not to include more personal information about third parties than is necessary to describe your support issue.
2.5 Administrative records. We maintain internal administrative records including:
- Audit log: a record of every administrative action taken on your account, including admin access events, plan changes, role changes, and account modifications, recorded with timestamp, actor, and event metadata.
- Admin notes: free-text notes added by authorised staff to your account profile to assist with support and account management.
2.6 Technical and usage information. We automatically collect browser type, device type, and operating system; IP address; pages visited, features used, and session duration; error and performance data; and session replay and interaction data (see section 7).
3. How we collect personal information
We collect personal information:
- directly from you when you register, subscribe, upload content, or contact us;
- automatically through your use of the Platform (usage data, technical data); and
- from Stripe, Inc. in the form of payment metadata following a transaction.
We do not purchase personal information from data brokers or other third parties.
4. How we use personal information
We use personal information to:
- create and manage your Account;
- provide the InstaQuotes service, including generating AI-assisted Quote Outputs from your inputs;
- process subscription payments and Add-On Credit purchases via Stripe;
- send transactional emails (account creation, billing receipts, subscription renewals, admin access notifications);
- provide customer support, including through our in-app messaging system;
- generate AI-assisted draft replies to your support messages for staff review;
- maintain audit logs and admin notes for support, account governance, and fraud prevention;
- detect, investigate, and prevent fraud, security incidents, and breaches of our Terms of Service;
- improve the Platform through aggregated, de-identified analytics;
- comply with our legal obligations; and
- enforce our Terms of Service.
AI processing. Your job descriptions, photos, and uploaded documents are processed by our AI sub-processors (OpenAI and Anthropic) to generate Quote Outputs. AI processing may also be used to generate suggested responses to your support messages; these are reviewed by authorised staff before any reply is sent. AI-processed inputs and outputs are not used to train AI models by our sub-processors under our current agreements.
5. Disclosure to third parties
We do not sell your personal information to third parties.
We disclose personal information to:
- our sub-processors listed in the schedule at the end of this policy, to the extent necessary to deliver the service;
- legal or regulatory authorities if required by law, court order, or regulatory demand; and
- a successor entity in the event of a merger, acquisition, or sale of the business, with prior notice to subscribers.
We do not disclose personal information for direct marketing purposes without your separate consent.
6. Admin access to your account
Authorised Edos Solutions staff may access your Account for support, troubleshooting, maintenance, security investigation, and compliance with legal obligations. Access is performed using a one-time authenticated session and is limited to what is necessary for the support purpose.
You will be notified by email when an admin access event occurs, including the date, time, and reason for access. Every admin access event is recorded in our audit log.
Lawful basis: performance of the SaaS contract and our legitimate interests in providing customer support and maintaining platform integrity.
7. Cookies and tracking technologies
We use the following cookies and tracking technologies on instaquotes.com.au:
| Tool | Purpose | Location | Type |
|---|---|---|---|
| Google Tag Manager | Tag management and analytics orchestration | US | Analytics |
| Google Analytics 4 | Web analytics and usage reporting | US | Analytics |
| Microsoft Clarity | Session replay, heatmaps, and interaction recording | US | Behavioural |
| Sentry | Error monitoring and crash reporting | US | Technical |
Session replay. Microsoft Clarity records your interactions with the Platform including mouse movements, clicks, and scroll behaviour. This may include interaction with form fields. A cookie consent banner will be displayed before session replay is activated. You may opt out of session replay at any time through the consent banner.
You can manage cookie preferences through your browser settings or our consent banner. Disabling analytics cookies does not affect your ability to use the core Platform.
8. International transfers of personal information
Our primary data storage is in Australia (Supabase, Sydney region). However, some of our sub-processors are located in the United States and process personal information outside Australia. These sub-processors are listed in the schedule at the end of this policy.
We satisfy our obligations under APP 8.1 through contractual Data Processing Agreements (DPAs) with each overseas sub-processor. Each DPA binds the sub-processor to standards equivalent to or exceeding the Australian Privacy Principles. We do not rely on subscriber consent as the APP 8.1 mechanism — DPA reliance is the operative approach.
If you would like information about the specific DPAs in place with our sub-processors, contact us at support@instaquotes.com.au.
9. Data retention
| Data category | Retention period | Basis |
|---|---|---|
| Quote Outputs and job content | 7 years from creation | ATO tax record-keeping obligations |
| Account and identity data | Deleted within 30 days of account cancellation request | Contract performance |
| Billing and payment metadata | 7 years from transaction date | Corporations Act / ATO obligations |
| Audit log entries | 7 years; anonymised within 30 days of account cancellation | Legitimate interests: fraud prevention, dispute resolution |
| Admin notes | 12 months post-cancellation, then deleted | Legitimate interests: support continuity |
| Support messages | Deleted within 30 days of cancellation request | Contract performance |
| Technical / usage data | 12 months on a rolling basis | Legitimate interests: performance and security |
On receipt of an APP 13 deletion request, we will anonymise identifiable fields in the audit log within 30 days and delete all other personal information within 30 days, subject to any legal-hold requirement. Anonymised audit log records are retained for 7 years and are outside the scope of APP 13 (they no longer identify you).
10. Your privacy rights
APP 12 — Access. You have the right to request access to the personal information we hold about you. To make an access request, email support@instaquotes.com.au. We will respond within 30 days. We may charge a reasonable fee for access requests that require significant time or resources.
APP 13 — Correction. If you believe personal information we hold about you is inaccurate, incomplete, or out of date, you may request correction by emailing support@instaquotes.com.au. We will correct or note your dispute within 30 days.
Deletion. You may request deletion of your Account and associated personal information by emailing support@instaquotes.com.au. We will action deletion within 30 days, subject to our retention obligations described in section 9. Deletion of your Account does not affect InstaQuotes’ right to retain information required by law or for legitimate business purposes as described in this policy.
11. Data security
We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security measures include:
- encryption of data in transit (TLS) and at rest;
- access controls limiting staff access to personal information on a need-to-know basis;
- audit logging of all administrative access to customer accounts;
- use of sub-processors that maintain industry-standard security certifications; and
- regular security reviews.
No data transmission over the internet is completely secure. While we take reasonable precautions, we cannot guarantee the security of personal information you transmit to us.
12. Data breach notification
We are subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). If we become aware of a data breach that is likely to result in serious harm to you, we will notify you and the Office of the Australian Information Commissioner (OAIC) as soon as practicable, and in any event within 30 days of becoming aware of the breach.
Our data breach response plan includes containment, assessment, notification, and remediation steps.
13. Children
InstaQuotes is not intended for use by persons under the age of 18. By registering for InstaQuotes, you warrant that you are at least 18 years of age. We do not knowingly collect personal information from minors. If we discover that a minor has registered for an Account, we will terminate the Account and delete the associated personal information as soon as practicable.
14. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified to existing subscribers at least 14 days before they take effect by email to the address on your Account. The updated policy will also be posted at instaquotes.com.au/privacy. Continued use of InstaQuotes after the effective date constitutes acceptance of the updated policy.
15. Sub-processor schedule, contact and complaints
Contact and complaints. For privacy enquiries, access requests, correction requests, or complaints, contact:
Privacy Officer
Edos Solutions Pty Ltd t/a InstaQuotes
Email: support@instaquotes.com.au
Website: instaquotes.com.au
We will acknowledge your complaint within 5 business days and endeavour to resolve it within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
Sub-processor schedule. The following third-party sub-processors process personal information on behalf of InstaQuotes. All overseas sub-processors are bound by Data Processing Agreements consistent with APP 8.1 obligations.
| Sub-processor | Role | Location |
|---|---|---|
| Vercel, Inc. | CDN and serverless hosting | US |
| Supabase, Inc. | Database, authentication, file storage | AU (Sydney) |
| Stripe, Inc. | Payment processing | AU + Global |
| OpenAI, LLC | GPT-4o — vision/photo and PDF analysis | US |
| Anthropic, PBC | Claude Haiku — text-only generation and support draft replies | US |
| Google LLC (Tag Manager) | Tag management and analytics orchestration | US |
| Google LLC (Analytics 4) | Web analytics and usage reporting | US |
| Microsoft Corporation (Clarity) | Session replay, heatmaps, and interaction recording | US |
| Sentry, Inc. | Error monitoring and crash reporting | US |
| Google LLC (Maps Platform) | Address autocomplete | US |
Transactional email. Transactional emails are sent from infrastructure operated by Edos Solutions Pty Ltd (Linux mail relays at mail.edossolutions.com and smtp.edossolutions.com). These relays are self-hosted on Edos-operated infrastructure in Australia and are not third-party sub-processors. Delivery to recipient inboxes is subject to the recipient’s own email provider’s terms.
This sub-processor list is accurate as at the effective date of this policy. We will update this list and notify subscribers at least 14 days before adding any new sub-processor that processes personal information.