Privacy Policy
Last updated: March 2026. This policy explains how Awa collects, uses, stores, and protects your information.
1. Overview
Awa is operated by The Ravenshield Corporation New Zealand Limited, a company incorporated in New Zealand. We build software for audit firms, which means we handle sensitive client documentation on a daily basis. We take that responsibility seriously.
This Privacy Policy applies to all users of the Awa platform, including firm team members and clients who interact with the client portal. By using Awa, you agree to the practices described here.
2. Information We Collect
Account information: When you or your firm creates an account, we collect names, email addresses, and firm name. Firm administrators may also provide billing contact details.
Audit documents and engagement data: Files you upload to Awa (PDFs, spreadsheets, Word documents, images) and all associated metadata including filenames, upload timestamps, classification results, and PBC item mappings.
Usage data: We collect information about how you use Awa: which pages you visit, features you use, actions you take (uploads, classifications, comments), and session metadata such as IP address, browser type, and device information.
Payment information: Billing is handled by Stripe. We do not store card numbers or bank account details. We retain only the information Stripe provides us: subscription status, plan, and payment history.
Communications: If you contact us via email, we retain that correspondence to resolve your request and improve our support.
3. How We Use Your Information
Providing the service: Account data, engagement data, and usage data are used to operate Awa, authenticate users, enforce access controls, and deliver features.
AI-powered document classification: Documents you upload may be sent to the Claude API (operated by Anthropic, Inc.) for AI-assisted classification. Anthropic processes this content subject to their own privacy policy and API usage terms. We send only the document content required for classification; no account identifiers are included in AI processing requests.
Email notifications: We send transactional emails via Postmark: team invitations, document notifications, client portal links, and engagement activity summaries.
Improving the service: Aggregated, de-identified usage data helps us understand how the product is used and where to improve it. We do not use client document content for model training without explicit written consent.
Security and fraud prevention: Usage patterns and access logs are monitored to detect anomalous activity, prevent unauthorised access, and maintain the integrity of the platform.
4. Data Storage & Security
All customer data is stored in Supabase infrastructure hosted in the Sydney, Australia region (AWS ap-southeast-2). We chose this region to keep data within the ANZ jurisdiction.
Data is encrypted at rest using AES-256 and in transit using TLS 1.3. Row Level Security (RLS) is enforced at the database level, ensuring each firm can only access its own data. Engagement-level access controls further restrict which team members can see which files.
Authentication is provided by Clerk, which maintains its own security certifications and handles password hashing, MFA, and session management.
We maintain a full audit log of data access and modifications. Security events, including blocked access attempts and sender policy violations, are logged separately and reviewed regularly.
5. Data Sharing
We do not sell your data, rent it, or share it with third parties for marketing purposes. We share data only as required to provide the service:
- Supabase: database, file storage, and real-time infrastructure (Sydney, AU)
- Clerk: user authentication and session management
- Anthropic / Claude API: AI document classification (document content only, no firm identifiers)
- Postmark: transactional email delivery
- Stripe: subscription billing and payment processing
- Vercel: application hosting and edge network
Each sub-processor receives only the data necessary to perform their function. We maintain data processing agreements with all sub-processors.
We may disclose information if required to do so by law, court order, or regulatory authority, or to protect the rights, property, or safety of Awa, our customers, or the public.
6. Your Rights
You have the following rights regarding your personal data:
- Access: You can request a copy of the personal data we hold about you.
- Correction: You can update your account information directly in Awa, or contact us to correct inaccuracies.
- Deletion: You can request deletion of your personal data. For firm accounts, the firm administrator controls engagement and document data. Account deletion requests are processed within 30 days.
- Data export: You can export engagement data and documents from within Awa at any time. On account closure, a 30-day export window is provided.
- Objection: You may object to certain processing activities. Contact us at privacy@tryawa.com.
Rights requests are processed within 30 days. In some cases, we may need to verify your identity before fulfilling a request.
7. Data Retention
We retain your data for as long as your account is active and for a reasonable period afterwards to allow for account recovery or dispute resolution.
When an engagement is deleted, associated documents and PBC data are purged from primary storage within 30 days. Audit logs related to that engagement are retained for 7 years in compliance with ISQM 1 requirements for engagement quality documentation.
On account closure, personal data is deleted within 30 days, except where we are required to retain it for legal or regulatory reasons (e.g. billing records, which are retained for 7 years under NZ tax law).
8. Cookies
Awa uses a small number of cookies to operate the service:
- Session cookies: Required for authentication. These are set by Clerk and are essential for the service to function. They expire when you log out or your session ends.
- Portal access cookies: When clients access a portal via a unique link, a short-lived cookie stores their access token for the duration of the session.
- Analytics cookies: We may use privacy-respecting analytics to understand usage patterns. These are optional and do not track you across third-party sites.
We do not use advertising cookies or cross-site tracking.
9. Changes to This Policy
We will notify you of material changes to this Privacy Policy via email at least 14 days before they take effect. The date shown at the top of this page reflects the most recent revision.
Continued use of Awa after a policy change takes effect constitutes acceptance of the updated policy.
10. Contact
For privacy questions, data requests, or concerns about how we handle your information, contact us at:
The Ravenshield Corporation New Zealand Limited, trading as AWA
Auckland, New Zealand