Privacy Policy
How we collect, use, protect, disclose and let you control personal information — written to the Australian Privacy Principles, and written to be read.
We collect the minimum we need to answer your enquiry and deliver our work — mostly the details you type into the brief form. We do not sell your data, we do not run advertising trackers, and this website sets no cookies. You can ask to see, correct or delete what we hold at any time by emailing hi@xiphirium.com.
01 Who we are
This website, xiphirium.com, and the software services offered through it, are operated by Xirophi Pty Ltd (ACN 697 534 393, ABN 47 697 534 393), trading under the registered business name Xiphirium. We are based in Sydney, New South Wales, Australia.
In this policy, “Xiphirium”, “we”, “us” and “our” mean Xirophi Pty Ltd trading as Xiphirium. We are the entity responsible for the personal information described here.
We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where this policy refers to “personal information”, it has the meaning given in that Act — information or an opinion about an identified individual, or an individual who is reasonably identifiable.
02 What this policy covers
This policy applies to personal information we collect through:
- your use of the xiphirium.com website, including the brief form and the “Spec my project” feature;
- enquiries and correspondence with us by email or other channels; and
- the course of scoping, contracting and delivering software services.
It does not cover third-party websites or services we link to, which have their own privacy practices. Where we deliver a client project, personal information held within systems we build or operate for that client is governed by that client’s own privacy arrangements and the relevant engagement agreement — in those systems the client, not Xiphirium, is ordinarily the responsible entity.
03 Information we collect
We deliberately collect as little as possible. Depending on how you interact with us, this may include:
Information you give us
- Identity and contact details — your name and email address.
- Business details — your company or organisation name, if you choose to provide it.
- Project information — the project brief you write, and any indicative timeline or budget you enter.
- Correspondence — the content of emails and messages you send us, and our replies.
Information collected automatically
- Technical request data — our hosting provider automatically records standard server log data, including your IP address, browser and device type, the pages requested, referring page and timestamps. This is used for security, abuse prevention and reliability, and is not used to build a profile of you.
Our brief form is for general project enquiries. Please do not submit sensitive information — such as health information, government identifiers, financial account details or another person’s personal information — through this website. If a project requires that kind of information, we will handle it under a separate, written engagement agreement.
04 How we collect it
We collect personal information directly from you wherever practicable — when you complete the brief form, use the “Spec my project” feature, or contact us. Technical request data is collected automatically by our hosting infrastructure when your browser loads a page.
If we receive personal information about you that we did not ask for and do not need, we will deal with it as required by the APPs, including destroying or de-identifying it where lawful to do so.
05 Why we collect and use it
We collect and use personal information only for purposes connected with our business. Specifically, to:
- respond to your enquiry and correspond with you;
- generate an automated, indicative project estimate when you use the “Spec my project” feature;
- scope, quote, contract for and deliver software services;
- keep proper business, accounting and tax records;
- maintain the security, integrity and reliability of this website; and
- comply with our legal obligations.
We use your details to reply to you and to do the work — nothing else. We do not use your information for advertising, we do not profile you, and we will not send you marketing you did not ask for.
06 The “Spec my project” AI feature
When you click Spec my project, the project description you have typed is transmitted to Anthropic PBC (United States) and processed by the Claude API to generate an automated, indicative estimate. We do this so you get an instant response.
- The estimate is generated by an automated system. It is indicative only — not a quote, offer or commitment.
- Anthropic processes the text to return the estimate. Under Anthropic’s commercial API terms, content submitted through the API is not used to train its models.
- We do not link the spec text to your identity unless you go on to submit the full brief form.
Because the spec feature sends your text to a third-party AI provider, please keep it to a general project description. Do not paste confidential material, credentials, or personal information about other people into that field.
07 Cookies and tracking
This website does not use cookies. It sets no cookies of its own, runs no advertising or cross-site tracking technologies, and does not load third-party social or marketing scripts.
If we introduce analytics in future, we will use only privacy-preserving, cookieless analytics that count visits in aggregate and do not identify you or track you across other websites — and we will update this policy before doing so.
This website does load web fonts from Google Fonts so pages display correctly; this involves a request to Google’s servers but does not place advertising cookies on your device.
08 Who we disclose information to
We do not sell, rent or trade personal information. We disclose it only to the trusted service providers that operate parts of our infrastructure, and only as needed to run our business. Each is bound by its own contractual and privacy obligations.
| Provider | What it does for us | Location |
|---|---|---|
| Vercel Inc. | Website hosting, content delivery and server request logs | United States |
| Anthropic PBC | Automated project estimates via the Claude API (“Spec my project”) | United States |
| Resend | Transactional email delivery — sends your brief submission to us | United States |
| ImprovMX | Inbound email forwarding for @xiphirium.com addresses | European Union / United States |
| Google LLC | Business email (Workspace) and web font delivery | United States |
We may also disclose personal information where required or authorised by law, to professional advisers (such as our accountant or lawyers) under confidentiality, or to a successor entity if our business is restructured or transferred — in which case this policy will continue to apply.
09 Overseas disclosure
As the table above shows, some of our service providers store or process information outside Australia — principally in the United States and, for email forwarding, potentially the European Union.
Before disclosing personal information to an overseas recipient we take reasonable steps to ensure it is handled consistently with the Australian Privacy Principles, including by selecting reputable providers that offer contractual data-protection commitments. By using this website and submitting information to us, you consent to this overseas disclosure for the purposes described in this policy.
10 Storage, security and retention
We take the security of personal information seriously and apply practical, layered safeguards:
- all connections to this website are encrypted in transit using HTTPS/TLS, with HTTP Strict Transport Security enforced;
- the website applies a strict Content Security Policy and a full set of security response headers to reduce the risk of common web attacks;
- our brief and spec endpoints validate input, reject malformed requests and apply rate limiting to deter abuse;
- access to mailboxes and provider accounts is protected by strong, unique credentials and multi-factor authentication;
- we practise data minimisation — we do not collect information we do not need; and
- we work only with established providers that maintain recognised security practices.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. We do, however, commit to handling your information carefully and to the safeguards above. Our broader security practices and how to report a vulnerability are described in our Security & Responsible Disclosure Policy.
How long we keep it
We keep personal information only for as long as we have a legitimate need for it:
- Enquiries that do not lead to an engagement — retained for up to 24 months, then deleted, so we have context if you return.
- Client engagement records — retained for the life of the engagement and for at least 7 years afterwards, as required for tax, accounting and legal purposes.
- Server request logs — retained only for a short period by our hosting provider for security and diagnostics.
When information is no longer needed, we destroy or de-identify it.
11 Accessing and correcting your information
You have the right to ask us:
- to confirm what personal information we hold about you and to give you access to it;
- to correct information that is inaccurate, out of date, incomplete or misleading; and
- to delete information we hold about you, where we are not required to keep it by law.
To make a request, email hi@xiphirium.com. We will respond within a reasonable time — ordinarily within 30 days — and we do not charge for making a request. We may need to verify your identity first. If we decline a request, we will explain why in writing and tell you how to seek a review.
Email us and we will tell you exactly what we hold, fix anything that is wrong, and delete it on request unless the law requires us to keep it. No charge, no friction.
12 Data breaches
We maintain procedures to detect, contain and assess security incidents. If a data breach occurs that is likely to result in serious harm to affected individuals, we will notify those individuals and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth).
13 Visitors from the EU and UK
Xiphirium is an Australian business that handles a small amount of personal information. If you contact us from the European Union or United Kingdom, we process your information on the basis of our legitimate interest in responding to enquiries and operating our business, and to take steps at your request before entering a contract.
Depending on your jurisdiction, you may have additional rights — including rights of access, rectification, erasure, restriction, objection and data portability. To exercise any of these, contact us at hi@xiphirium.com and we will assist.
14 Children’s privacy
This website and our services are directed at businesses and professional clients. They are not intended for children, and we do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, please contact us and we will delete it.
15 Complaints
If you believe we have mishandled your personal information or breached the Australian Privacy Principles, please tell us first — email hi@xiphirium.com with the details. We take complaints seriously and will acknowledge yours promptly, investigate, and respond in writing, ordinarily within 30 days.
If you are not satisfied with our response, you may refer your complaint to the Office of the Australian Information Commissioner:
- Website: www.oaic.gov.au
- Phone: 1300 363 992
16 Changes to this policy
We may update this policy from time to time to reflect changes in our practices, our service providers or the law. The current version is always published at xiphirium.com/privacy, with the effective date and version number shown at the top. Material changes will be reflected in an updated effective date; please review this page periodically.
17 How to contact us
For any privacy question, request or complaint — including to reach the person responsible for privacy at Xiphirium:
- Email: hi@xiphirium.com
- Entity: Xirophi Pty Ltd (ACN 697 534 393) trading as Xiphirium
- Location: Sydney, New South Wales, Australia