Legal

Privacy Policy

How Keel collects, uses, and protects your personal information under the Australian Privacy Act 1988.

Last updated: July 2026

Veresco Pty Ltd (ABN 56 672 569 407), trading as Keel, (“Keel”, “we”, “us”, “our”) operates the Keel platform at app.meetkeel.com and the website at meetkeel.com.

This policy describes how we collect, use, store, and disclose personal information in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Keel voluntarily complies with the Australian Privacy Principles regardless of whether the small business exemption under the Privacy Act applies.

By creating an account or signing in to Keel, you acknowledge that you have read this policy and consent to the collection and use of your personal information as described.

Keel is designed for use by adults in a business context. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected information from a person under 18, we will delete it.

1. Information We Collect

We collect personal information that you provide directly when you use Keel:

  • Account information: name and email address when you create an account
  • Organisation information: business name, ABN, and the business-profile and governance information you enter through the workflows, including your industry, size, objectives, risks, controls, and governance details
  • Usage information: how you interact with the platform, including questions answered, workflows completed, and documents generated
  • Technical information: browser type, device type, IP address, and general location data collected automatically when you visit our website or use the platform

We collect only the information we reasonably need to provide the platform. We do not seek sensitive information as defined under the Privacy Act (such as health, racial or ethnic origin, or criminal history). Please keep free-text fields to business risk and governance detail, and do not enter sensitive personal information about identifiable individuals.

2. How We Use Your Information

We use your personal information to:

  • Provide and operate the Keel platform, including generating risk assessments and documents based on the context you provide
  • Send you notifications, updates, and support communications related to your account
  • Improve the platform, including analysing usage patterns to inform product development
  • Comply with legal obligations

We do not sell your personal information. We do not use your business data to train machine learning models.

3. How We Store Your Information

Your data is hosted in Australia through Supabase’s Sydney region (ap-southeast-2). Supabase provides the database, authentication, and file storage infrastructure for Keel.

We use industry-standard security measures including encryption in transit (TLS) and encryption at rest for stored data. Access to production systems is restricted to authorised personnel.

4. Third-Party Services

Sub-processors

We use the following third-party services to operate Keel:

ServicePurposeData SharedLocation
SupabaseDatabase, auth, file storageAccount and organisation dataSydney, Australia
Microsoft AzureEncrypted off-site backup storageEncrypted backup copies of transaction recordsSydney, Australia
OpenAIAI-assisted content generationBusiness context provided during workflows (structured personal identifiers redacted; organisation ABN/ACN retained)United States
Google (Gemini API)AI-assisted content generation (fallback)Business context provided during workflows (structured personal identifiers redacted; organisation ABN/ACN retained)United States
ResendTransactional emailEmail address, nameUnited States
NetlifyWebsite and application hosting (meetkeel.com and app.meetkeel.com)IP address, browser dataGlobal CDN
Cloudflare (Turnstile)Bot protection / CAPTCHA on sign-up, sign-in, and password-reset forms. See Cloudflare’s Turnstile Privacy Addendum.Technical signals only (IP address, browser and device characteristics), used solely to tell humans from bots; no account or form dataUnited States
StripeSubscription billingOrganisation billing metadata (no card numbers - payment details handled client-side by Stripe.js)United States

Where data is processed outside Australia, we review the data handling terms of each third-party provider to confirm they handle personal information consistently with the APPs. Both OpenAI and Google process Keel’s API requests under their paid service terms, which exclude customer data from model training. They process each request only to generate your result and do not keep your information once the request is complete. We also have data-handling agreements in place with our core providers.

Before business context is sent to OpenAI or Google for content generation, we redact structured personal identifiers — email address, phone number, tax file number, Medicare number, date of birth, passport number, driver-licence number, and credit-card number. Your organisation’s ABN or ACN is intentionally retained, as it is business context the platform needs to do its work. This redaction recognises common patterns but cannot guarantee it catches every identifier, so please keep free-text fields to business risk and governance detail and avoid entering personal information about identifiable individuals.

Connected Systems

Keel allows organisation administrators to connect third-party services directly from within the platform. These connections are distinct from the sub-processors listed above. The third-party services you connect are operated by your organisation under your own agreements with those providers — Keel facilitates the connection at your instruction.

When a connection is active, data may flow in the following ways depending on the integration and how your administrator has configured it:

  • Keel may push data (such as actions, tasks, or reminders) to the connected service
  • Keel may push notifications to the connected service
  • The connected service may send data into Keel, which Keel then holds under this policy

Data in transit between Keel and a connected service is encrypted and handled using the same security measures that apply across the rest of the platform. Once data has been transmitted to a connected service at your instruction, it is held by that service and is subject to its own terms and privacy practices. Data received by Keel from a connected service is then held and protected under this policy.

The services available to connect are listed in the platform’s integration settings. We do not maintain a fixed list here, as available integrations change over time. Organisation administrators can review, manage, and revoke connections at any time from within the platform.

5. Cookies and Tracking

Keel uses cookies and similar technologies for:

  • Authentication: maintaining your signed-in session
  • Preferences: remembering your settings

We do not use third-party advertising cookies. We do not run targeted advertising.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the platform.

Some information is retained longer where required by law or by our service providers:

  • Billing records held by our payment processor are retained to meet Australian tax record-keeping requirements.
  • Disconnecting a third-party integration revokes Keel’s access and stops further data transfer. It does not affect data already held in the connected service — that data remains subject to that service’s own retention and deletion practices.
  • Limited audit log entries (such as account or organisation identifier, action type, and timestamp - no full record content) are retained for up to 2 years for security audit purposes.

Organisation data (risks, documents, assessments) is retained for the duration of the organisation’s subscription and for a reasonable period afterward to allow for re-activation (unless requested to be deleted).

If your organisation is subject to regulatory record-keeping obligations (for example under the AML/CTF Act 2006, the Corporations Act 2001, ASIC financial services laws, APRA prudential standards, or tax law), you are responsible for retaining those records for the periods the law requires. The 60-day deletion schedule manages Keel’s own data; it does not reduce or override any retention obligation you have. You must export any records you are required to retain before your account is deleted. See the Terms of Service (section 3) for more.

To delete your account, email privacy@meetkeel.com or use the “Data & Privacy” page in your account settings. We will acknowledge your request within 5 business days and complete the deletion of your personal information within 30 days.

Where we identify an eligible data breach likely to result in serious harm, we will notify the Office of the Australian Information Commissioner and affected individuals in accordance with the Notifiable Data Breaches scheme under Part IIIA of the Privacy Act 1988.

7. Your Rights

Under the Australian Privacy Principles, you have the right to:

  • Access the personal information we hold about you
  • Correct information that is inaccurate, incomplete, or out of date
  • Request deletion of your personal information (subject to legal obligations)
  • Complain if you believe we have breached the APPs

To exercise any of these rights, contact us at privacy@meetkeel.com.

If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

8. Changes to This Policy

We may update this policy from time to time. When we make changes, we will update the “last updated” date at the top of this page. For material changes, we will notify you via email or through the platform.

9. Contact

If you have questions about this policy or how we handle your personal information:

Email: privacy@meetkeel.com