Privacy Policy

1. Who we are

Blufire ("Blufire", "we", "us", "our") provides profit analytics and paid-media services to ecommerce and service businesses. We are based in Victoria, Australia, and store the data we hold in Australia.

2. The two kinds of data we handle

It is important to distinguish two categories, because we treat them differently:

• Personal information you give us as a website visitor, prospect or customer (for example, when you book a demo, contact us, or subscribe). We are the controller of this information and this policy governs it.
• Client Datathat an existing customer connects to the platform from their own systems (for example, Shopify, Google Ads or analytics accounts). We access this on the customer's instructions and on their behalf, as a processor. Our handling of Client Data is governed by our customer agreement and Data Processing terms, not this website policy. See section 6.

3. Personal information we collect

From website visitors, prospects and customers we may collect:

• Contact information: name, business email address, phone number, and the company you represent.
• Business information: company name, size, industry, role, and the goals you describe to us.
• Account and billing information where you become a customer (managed through our payment provider; we do not store full card numbers ourselves).
• Usage and device information: IP address, browser type, pages visited, referring and exit pages, and similar analytics data, collected through cookies and similar technologies (see section 9).

We collect personal information directly from you wherever practicable. Providing it is voluntary, but if you choose not to, we may be unable to respond to you or provide a service.

4. How we use personal information

We use personal information to:

• respond to enquiries, demos, and support requests;
• provide, operate, secure and improve our services;
• manage your account and process billing;
• send service communications and, where permitted, relevant marketing (you can opt out at any time, see section 11);
• understand how our website and services are used; and
• meet our legal, regulatory and contractual obligations.

5. Client Data: how the platform connects to your systems

When you are a customer and connect a data source, our integrations are read-only: we ingest the data needed to produce your analytics and do not write back to or alter your source systems. We process Client Data only to deliver the services you have engaged us for, on your instructions. We do not sell Client Data, and we do not use it to train general-purpose AI models.

6. How we hold and protect information

Security is a precondition of our product, not an add-on. Our measures include:

• Data residency in Australia. The data we hold is stored in Australia.
• Per-tenant isolation.Customer data is kept logically separated so it is not co-mingled with other customers' data.
• Encryption of data in transit and at rest, access controls, and least-privilege access for our team.
• Read-only ingestion from connected sources, and no large-language models in the path that computes your reported numbers.
• A program of independent assurance, including SOC 2 Type 2, which is on our roadmap. Our underlying infrastructure providers are certified to recognised standards.

No method of electronic transmission or storage is completely secure, so while we work hard to protect your information we cannot guarantee absolute security. Full detail of our controls and sub-processors is available in our Trust Center.

7. Disclosure and sub-processors

We do not sell your personal information. We disclose it only as set out in this policy:

• to service providers and sub-processors who help us run our business (for example, hosting, infrastructure, email and payment providers), who may only use it to provide services to us under obligations of confidentiality and security. Our current sub-processors are listed in the Trust Center;
• where required or authorised by law (for example, a subpoena or lawful government request);
• to protect our rights, your safety, or the safety of others, or to investigate fraud;
• in connection with a merger, acquisition or sale of assets, in which case we will notify you of any change in who controls your information; and
• with your consent.

8. Overseas disclosure

Some of our sub-processors may store or process limited information outside Australia. Before disclosing personal information overseas we take reasonable steps to ensure the recipient handles it consistently with the Australian Privacy Principles. The countries involved, and the purpose, are reflected in our sub-processor list in the Trust Center.

9. Cookies and analytics

We use cookies and similar technologies to remember your preferences, keep you signed in, and understand aggregate website usage. Most of this data does not identify you personally. You can control cookies through your browser settings; disabling them may affect how the site works. Our website may contain links to, or embedded content from, third-party sites that have their own privacy practices, which we encourage you to review.

10. How long we keep information

We keep personal information for as long as your account is active or as needed to provide services, and afterwards only as required to comply with our legal obligations, resolve disputes and enforce our agreements. When information is no longer needed, we take reasonable steps to securely delete or de-identify it.

11. Your choices and rights

Under the Australian Privacy Principles, you may:

• Access the personal information we hold about you, and correct it if it is inaccurate, out of date or incomplete;
• Opt out of marketing at any time, using the unsubscribe link in our emails or by contacting us; and
• Ask us to delete your information or close your account, subject to any records we are required to retain.

To make any of these requests, email us at info@blufire.com.au. We will respond within a reasonable time and may need to verify your identity first.

12. Complaints

If you have a concern about how we have handled your personal information, please contact us first at info@blufire.com.au so we can try to resolve it. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

13. Changes to this policy

We may update this policy to reflect changes in our practices or the law. If we make a material change, we will update the date above and, where appropriate, notify you by email or a notice on our website. We encourage you to review this page periodically.