Privacy Policy
Last updated on March 31, 2026.
EngBlock Pty Ltd (ABN: [PLACEHOLDER]) trading as SprintFast ("we," "us," or "our") is committed to protecting your privacy and handling your personal information responsibly. This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with our marketing website and the SprintFast application (together, the "Services"), in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
By using the Services, you agree to the collection and use of information as described in this policy.
1. Scope of This Policy
This policy covers two distinct contexts:
- Marketing Website — the publicly accessible pages at sprintfast.engblock.io, including the homepage, pricing, blog, and legal pages.
- Application — the SprintFast product, accessible to registered users and their teams, used to generate and distribute sprint and cycle summaries.
Where this policy distinguishes between these contexts, it is indicated clearly. In all other respects, the policy applies to both.
2. Information We Collect
Marketing Website
When you visit our marketing website, we may automatically collect limited technical information, including:
- Browser type and version
- Device type and operating system
- IP address (anonymised for analytics)
- Pages visited and time spent on each page
- Referring URL
If you contact us via a form or email, we collect your name, email address, and the contents of your message.
Application — Registered Users
When you create an account or use the application, we collect:
- Account details — your name, email address, and profile avatar (where provided via OAuth)
- Authentication data — credentials and tokens used to sign in via Google, GitHub, Azure, or magic link; passkey data where you choose to register one
- Integration credentials — OAuth access tokens and refresh tokens for Jira, Linear, and GitHub, stored encrypted at rest and used solely to retrieve your project and sprint data on your behalf
- Organisation and team data — your role, team memberships, and settings within SprintFast
- Usage events — actions you take within the application (e.g. connecting an integration, generating a summary, accepting an invitation), collected to improve the product
- Billing information — subscription tier and organisation identifier, passed to our payment processor; we do not store payment card details
Email Recipients (Non-Account Holders)
SprintFast allows registered users to send sprint or cycle summary emails to stakeholders who do not hold a SprintFast account (for example, a CMO or executive who receives a summary each sprint). Where an authorised user adds a stakeholder's email address to a distribution list, we hold that email address for the sole purpose of delivering those summaries. Recipients may unsubscribe at any time using the link included in each email, after which their address is removed from all active distribution lists.
If you are a recipient and have not given explicit consent to receive these emails, please contact us at [email protected] and we will remove your address promptly.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Services
- Authenticate users and secure accounts
- Retrieve sprint, cycle, and issue data from connected integrations (Jira, Linear, GitHub) to generate summaries on your behalf
- Send transactional communications — account verification, invitations, magic links, and sprint summary emails
- Process billing and manage subscriptions
- Analyse product usage to improve features and fix issues
- Respond to support requests and enquiries
- Comply with our legal obligations under Australian law
We do not use your personal information for direct marketing without your consent, and we do not sell your personal information to third parties.
4. AI-Powered Features
SprintFast uses large language models (LLMs) to generate plain-English summaries from your sprint and issue data. To do this, relevant content — including issue titles, descriptions, and metadata from your connected Jira, Linear, or GitHub account — is transmitted to our AI provider(s) for processing.
We hold Data Processing Agreements (DPAs) with our AI providers (currently Anthropic and OpenAI) that contractually prohibit them from using your data to train or improve their models. Your project data is used solely for the purpose of generating the summary you requested and is not retained by those providers beyond the processing of that request.
5. Analytics and Tracking
We use PostHog (hosted on PostHog's EU infrastructure) to collect product analytics. This includes anonymised usage events such as page views, feature interactions, and funnel steps. We do not use PostHog for cross-site tracking, behavioural advertising, or fingerprinting.
Standard session cookies are used to maintain your authenticated session within the application. These are first-party, HttpOnly cookies and are not shared with advertising networks.
We do not currently use third-party advertising trackers or retargeting pixels.
6. Disclosure of Your Information
We do not sell, rent, or trade your personal information. We disclose information only in the following circumstances:
Service Providers (Sub-Processors)
We engage the following third-party service providers to operate the Services. Each is bound by contractual obligations to process your data only as directed by us and to implement appropriate security measures:
- OpenAI (United States) — AI summary generation
- Anthropic (United States) — AI summary generation
- PostHog (European Union) — product analytics
- Polar (United States) — subscription billing and payment processing
- Postmark / Resend (United States) — transactional email delivery
- Google, GitHub, Microsoft Azure (United States) — OAuth identity providers
- Atlassian (Jira) (United States / Australia) — issue and sprint data retrieval
- Linear (United States) — cycle and issue data retrieval
- Laravel Forge / server hosting provider (region dependent on configuration) — application hosting and infrastructure
Legal Requirements
We may disclose personal information if required to do so by law, regulation, or a valid order of a court or government authority, or where we reasonably believe disclosure is necessary to protect the rights, property, or safety of EngBlock Pty Ltd, our users, or the public.
Business Transfers
If EngBlock Pty Ltd is involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a materially different privacy policy.
7. Cross-Border Data Transfers
In operating the Services, personal information is transferred to and processed in countries outside Australia, including the United States and the European Union (see sub-processor list above). We take reasonable steps to ensure that overseas recipients handle your personal information in a manner consistent with the Australian Privacy Principles, including through contractual data processing agreements. However, by using the Services, you acknowledge that the Australian Privacy Principles may not apply to the handling of your information by overseas recipients once disclosed.
8. Data Retention
We retain personal information only for as long as necessary for the purposes described in this policy:
- Account data — deleted immediately and permanently upon account closure, with deletion cascading to all associated organisations, teams, summaries, and integration tokens
- Sprint and cycle summaries — retained for the life of the associated account and deleted when the account is closed
- Integration tokens (Jira, Linear, GitHub) — deleted immediately upon disconnection of the integration or upon account closure, whichever occurs first
- Stakeholder email addresses — retained while the recipient is an active distribution list member; removed upon unsubscribe or when the associated team or account is deleted
- Support and enquiry communications — retained for a reasonable period to resolve the matter and as required by law
9. Security
We implement reasonable administrative, technical, and organisational measures to protect personal information from unauthorised access, use, disclosure, alteration, or destruction. Specific measures include:
- Encryption of integration credentials and OAuth tokens at rest
- HTTPS (TLS) for all data in transit
- Role-based access controls within the application
- Session management with HttpOnly and Secure cookie flags
No method of transmission over the internet is completely secure, and we cannot guarantee absolute security. If you believe your account has been compromised, please contact us immediately.
Notifiable Data Breaches
We are subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth). In the event of an eligible data breach that is likely to result in serious harm to affected individuals, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required by law, and in any event within 30 days of becoming aware of the breach.
10. Your Rights
Under the Australian Privacy Principles, you have the right to:
- Access — request access to the personal information we hold about you (APP 12)
- Correction — request that we correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13)
- Complaints — make a complaint if you believe we have breached the APPs
To exercise any of these rights, contact us at [email protected]. We will respond within a reasonable period and in any event within 30 days. If we are unable to meet your request, we will explain why in writing.
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
11. Children
The Services are designed for use by businesses and their teams. They are not directed at persons under the age of 18, and we do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected information from a minor, please contact us at [email protected] and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to our practices or legal obligations. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify registered users by email. Continued use of the Services after any update constitutes acceptance of the revised policy.
13. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or our handling of your personal information, please contact us:
EngBlock Pty Ltd (trading as SprintFast)
ABN: [PLACEHOLDER]
Email: [email protected]