Domara

Privacy Policy

Last updated: 28 March 2026

Who We Are

Domara is a renovation project management platform operated from Perth, Western Australia. For privacy-related queries, contact us at privacy@domara.com.au.

What We Collect

We collect only the data necessary to deliver our service:

  • Account information — email address and password (hashed)
  • Project data — property addresses, renovation budgets, expenses, task details, timelines, zone/room information, milestone dates
  • Financial records — expense amounts, vendor quotes, holding cost breakdowns, receipt images
  • Photos and files — before/during/after photos, receipt images, floor plans, attachments
  • Team information — invited member email addresses, project roles
  • Vendor contacts — tradie/supplier names, ABNs, phone numbers, email addresses, trade types
  • Usage data — activity logs within the application (actions taken, timestamps)

Why We Collect It

  • Service delivery — to provide renovation project tracking, cost calculations, timeline management, and reporting
  • Personalisation — to tailor the experience to your renovation type (buy-to-rent, owner-occupier, flip) and region
  • Communication — to send weekly digest emails (if enabled) and important account notifications
  • Benchmarks — if you opt in, anonymised task duration data helps improve estimates for all users

Legal Basis

We process your data on the following bases:

  • Consent — you agree to our terms and this policy when creating an account
  • Contract performance — processing is necessary to deliver the Domara service you signed up for
  • Legitimate interest — service improvement and security (e.g. activity logging)

Who We Share Data With

We do not sell your data. We share data only with the following service providers who process it on our behalf:

  • Supabase (infrastructure) — database hosting, authentication, file storage
  • Vercel (hosting) — application hosting and serverless functions
  • Anthropic (AI features) — receipt OCR processing, building inspection analysis, and AI-generated summaries. Data is sent for processing only when you explicitly use an AI feature — it is not used to train AI models.
  • Google (Places API, Cloud Run) — address autocomplete, geocoding, and PDF processing functions hosted in Australia (sydney region)
  • Sentry (error tracking) — receives error reports with scrubbed user identifiers. Personal information (emails, IP addresses) is automatically stripped before transmission. Hosted in the US.
  • Resend (email delivery) — receives email addresses and display names to deliver transactional emails (weekly digests, account notifications). Hosted in the US.
  • UptimeRobot (availability monitoring) — monitors public health endpoints only. No user data is shared. Hosted in the EU.
  • Team members — users you invite to your project can see project data according to their assigned role (owner, editor, or viewer)

Where Data Is Stored

  • Supabase — hosted on AWS in the ap-southeast-2 (Sydney) region. Your database and files are stored in Australia.
  • Vercel — serverless functions run in the syd1 (Sydney) region. Edge network is global but no user data is persisted at the edge.
  • Anthropic API — AI processing occurs on Anthropic's servers in the United States. Data is sent for processing only and is not retained by Anthropic for model training.
  • Google Places API — address lookups are processed by Google. Only the address text is sent; no account data is shared.

How Long We Keep It

  • Active account — your data is retained for as long as your account is active
  • Deleted account — when you delete your account, all your data is permanently removed immediately. Projects where you are the sole owner are deleted entirely. For shared projects, your membership is removed and your contributions are anonymised.
  • Activity logs — retained for 12 months, then anonymised

Your Rights

You have the following rights regarding your data:

  • Access — you can export all your data at any time from Settings > Account > Export My Data
  • Correction — you can edit your project data, expenses, tasks, and other records directly in the app. For corrections to data you cannot edit yourself, contact us at privacy@domara.com.au
  • Deletion — you can delete your account at any time from Settings > Account > Delete Account
  • Portability — the data export provides your information in machine-readable JSON format
  • Complaint — you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. If you are in the EU/UK, you may also contact your local data protection authority.

AI in Our Operations

We use AI tools to improve the quality and reliability of the Domara platform. This includes automated code quality checks, system health monitoring, documentation maintenance, and security scanning. These tools work on the platform's source code and system metrics — they do not access your project data, financial records, or personal information.

Separately, Domara offers AI-powered features that you can choose to use — such as receipt scanning, inspection report analysis, and text enhancement. These features process your data only when you explicitly trigger them, and that data is not retained by our AI providers for model training.

In summary: AI helps us build better software for you, but it does not read your data unless you ask it to.

How We Protect Your Data Before AI Processing

When you use AI-powered features (receipt scanning, inspection analysis, weekly digest), we minimise the personal data sent to our AI providers:

  • Text redaction— personal names, email addresses, phone numbers, tax file numbers, bank account details, and card numbers are automatically detected and replaced with placeholder labels (e.g. “[EMAIL REDACTED]”) before any text is sent to AI.
  • PDF redaction — inspection reports are scanned for personal data, which is redacted from the document before AI analysis. PDF metadata (author, title, creation date) is also stripped.
  • Image metadata stripping — EXIF data (including GPS coordinates, camera details, and timestamps) is removed from receipt and quote images before processing.
  • Digest anonymisation— weekly digest AI prompts replace your name with “you”, your partner's name with “your partner”, and your project name with “your project”. Cost figures are rounded to reduce precision. Real names appear only in the email itself, not in AI prompts.

These protections are designed to minimise cross-border personal data exposure. They work automatically — you do not need to take any action. If a redaction step encounters an error, the AI feature will still function, and we log the issue for review.

Cookies

Domara uses only essential cookies required for the service to function:

  • Authentication session cookies — managed by Supabase Auth to keep you logged in
  • Project selection cookie — remembers your currently selected project

We do not use analytics, advertising, or tracking cookies. If we introduce analytics cookies in the future, we will update this policy and provide a separate consent mechanism.

Changes to This Policy

We may update this privacy policy from time to time. For material changes, we will notify you by email and display a notice within the application. Your continued use of Domara after changes take effect constitutes acceptance of the updated policy.

Children

Domara is not designed for users under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@domara.com.au and we will delete it.

See also our Terms of Service.

  • What's New
  • Privacy Policy
  • Terms of Service