🐤 CanaryQMS

Privacy Policy

Last updated: 25 May 2026

1. Introduction

Xcellent Solutions ("we", "us", "our") operates CanaryQMS. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our Service.

We are committed to protecting your privacy and complying with the Australian Privacy Act 1988, the Australian Privacy Principles (APPs), and where applicable, the EU General Data Protection Regulation (GDPR).

2. Information We Collect

Account Information

  • Name, email address, organisation name
  • Role and permissions within your organisation
  • Login credentials (passwords are hashed, never stored in plain text)

Quality Data

  • Complaints, NCRs, CAPAs, and related quality records you create
  • Documents you upload
  • Training records
  • Audit trail entries (who did what, when)

Usage Data

  • Pages visited, features used, time spent
  • Browser type, device type, IP address
  • Error logs and performance metrics

3. How We Use Your Information

  • Provide the Service: Store and process your quality data, generate AI suggestions, produce reports
  • Improve the Service: Analyse usage patterns to improve features and performance
  • Communicate: Send transactional emails (approvals, alerts, notifications) and occasional product updates
  • Security: Detect and prevent fraud, abuse, and security incidents
  • Legal compliance: Meet regulatory obligations and respond to lawful requests

4. AI Processing

Our AI features process your quality data to provide suggestions (severity triage, root cause analysis, CAPA drafting). This processing:

  • Occurs within our infrastructure (AWS)
  • Is scoped to your organisation's data only
  • Does not use your data to train models for other customers
  • Produces suggestions that require human confirmation before becoming records

5. Data Storage and Security

  • Location: Data is stored in AWS data centres in the Asia Pacific (Sydney) region
  • Encryption: All data is encrypted at rest (AES-256) and in transit (TLS 1.3)
  • Isolation: Each organisation's data is isolated using row-level security policies
  • Access: Only authorised personnel can access production systems, with audit logging
  • Backups: Automated daily backups with 7-day retention

6. Data Retention

  • Active accounts: Data retained for the duration of your subscription
  • Audit trail: Retained for 7 years (regulatory compliance requirement)
  • After cancellation: Data retained for 30 days then permanently deleted
  • Backups: Purged within 90 days of account deletion

7. Data Sharing

We do not sell your personal information. We may share data with:

  • Service providers: AWS (hosting), email delivery services — bound by data processing agreements
  • Legal requirements: When required by law, court order, or regulatory authority
  • Business transfers: In connection with a merger, acquisition, or sale of assets (with notice)

8. Your Rights

You have the right to:

  • Access: Request a copy of your personal data
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your personal data (subject to legal retention requirements)
  • Export: Export your data in a machine-readable format
  • Objection: Object to processing for direct marketing
  • Restriction: Request restriction of processing in certain circumstances

To exercise these rights, contact [email protected].

9. Cookies

See our Cookie Policy for details on how we use cookies and similar technologies.

10. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

11. International Transfers

Your data is processed in Australia (AWS Sydney region). If you access the Service from outside Australia, your data will be transferred to and processed in Australia. We ensure appropriate safeguards are in place for any international data transfers.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification. The "Last updated" date at the top indicates the most recent revision.

13. Contact Us

For privacy-related enquiries or to exercise your rights:

If you are unsatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.