Privacy Policy

Version 1.0 – Effective 28 April 2025

This Privacy Policy explains how Wellfounded Agency Pty Ltd (ABN 80685651825) trading as PitchMate (“PitchMate”, “we”, “us”, “our”) collects, uses and safeguards personal information when you (“you”, “your” or “user”) access or use the PitchMate service. PitchMate is presently in open beta; features and data flows may evolve quickly. By creating an account, uploading a pitch deck or otherwise using the Service you consent to the practices described below.

1. What information we collect

Account details – name, e-mail address and hashed password or OAuth token.

Deck content – any PDF pitch deck you upload and the slide text we extract for analysis.

Generated data – eight-pillar scores, feedback, timestamps and version history.

Usage data – IP address (truncated), browser type, device type and page interactions collected through Google Analytics (configured without advertising features).

Billing information (paid plans only) – cardholder name, card last-4 digits, billing address and transaction amount. Payments are handled by Stripe; we never store full card numbers.

2. Legal bases for processing

  • Contractual necessity – to provide the deck-analysis service you request.

  • Legitimate interests – to operate, secure and improve the Service.

  • Consent – for optional product-update e-mails and analytics cookies.

  • Legal obligation – to comply with tax, accounting and regulatory requirements.

3. How we use the information

  • Deliver the scorecard and related features you request.

  • Process payments and maintain your subscription.

  • Diagnose performance issues, prevent fraud and enhance security.

  • Send essential transactional messages (for example, report links or password resets).

  • Send product announcements and marketing e-mails only if you have opted in (you may unsubscribe at any time).

4. Third-party processors

We share data only with vendors that enable us to run the Service:

  • Amazon Web Services (Sydney region) – hosting, file storage and database.

  • Amazon Bedrock – language-model analysis of extracted slide text (the raw PDF is never transmitted).

  • Stripe – payment processing and invoicing.

  • Google Analytics – anonymised usage metrics.

All subprocessors are bound by written data-processing agreements that meet GDPR and Australian Privacy-Act standards.

5. Storage, retention and deletion

Your PDF deck is stored in encrypted form for as long as your account remains active so you can rescan or review prior results. If you wish to delete the file sooner, e-mail support@pitchmate.au with the subject line “Delete My Deck” and we will permanently remove the stored PDF within one business day. Extracted text and scorecards remain in your account history until you close the account.

6. International data transfers

Primary storage is in Australia. Because the Internet is a global network, your data may transit servers outside Australia when you or authorised collaborators access the Service from abroad. By using PitchMate you consent to these transfers. Where we transfer personal data to a country that lacks adequate privacy safeguards we rely on Standard Contractual Clauses or equivalent contractual protections.

7. Security measures

At PitchMate, we take the security and privacy of your data seriously. We have implemented comprehensive technical and organisational measures to protect your information:

7.1 Infrastructure Security

  • Serverless Architecture: Our application is built on AWS serverless technologies, minimising attack surfaces and reducing infrastructure management risks.

  • Secure Cloud Provider: We leverage AWS’s enterprise-grade security infrastructure, which includes physical data centre security, network firewalls, and regular security audits.

  • Encryption: All data is encrypted both in transit (using TLS/SSL) and at rest (using AWS-managed encryption keys for DynamoDB and S3).

7.2 Application Security

  • Authentication: We use AWS Cognito for secure user authentication, implementing industry-standard authentication protocols and multi-factor authentication options.

  • Authorisation: Fine-grained access controls ensure users can only access their own pitch deck data and analysis results.

  • Secure File Handling: PDF uploads use temporary signed URLs with short expiration times to prevent unauthorised access.

  • Input Validation: All user inputs are validated and sanitised to prevent injection attacks and other security vulnerabilities.

7.3 Data Protection

  • Minimal Data Collection: We only collect information necessary for providing our pitch deck analysis service.

  • Isolated Storage: Your pitch deck data is stored in isolated storage locations with unique identifiers.

  • Secure AI Processing: When analysing your pitch decks, data is processed through secure channels with AWS Bedrock, with no persistent storage of analysis data beyond what’s necessary for your results.

7.4 Operational Security

  • Regular Updates: Our systems are regularly updated with security patches and improvements.

  • Monitoring: We employ continuous monitoring for unusual activities or potential security incidents.

  • Access Controls: Our development team follows the principle of least privilege, with access to production systems strictly limited and audited.

  • Secure Development: We follow secure coding practices and conduct regular code reviews to identify and address potential vulnerabilities.

7.5 Compliance

  • Regular Audits: We conduct regular security assessments and vulnerability scans.

  • Incident Response: We maintain an incident response plan to quickly address any potential security issues.

We continuously evaluate and enhance our security measures to adapt to evolving threats and protect your data. While no system can guarantee absolute security, we are committed to implementing best practices and maintaining a strong security posture.

If you have specific security concerns or questions about how we protect your data, please contact our security team at support@pitchmate.au.

8. Cookies and similar technology

We set one essential session cookie to keep you logged in. Google Analytics sets first-party cookies to record page views and basic events; we disable ad-personalisation features and IP addresses are truncated. You can disable analytics cookies in your browser without affecting core functionality.

9. Your rights

Subject to local law you may:

  • Access – request a copy of personal data we hold about you.

  • Rectify – correct inaccurate or incomplete information.

  • Erase – delete your decks, scorecards or entire account.

  • Object or restrict – limit certain processing activities.

  • Port – receive your personal data in a structured, machine-readable format.

  • Withdraw consent – opt out of marketing e-mails at any time.

To exercise any right contact support@pitchmate.app. We will respond within 30 days.

10. Children

PitchMate is not directed to persons under 16 years of age, and we do not knowingly collect personal data from minors.

11. Changes to this policy

We may update this policy to reflect new features or legal requirements. Material changes will be posted here and e-mailed to registered users at least seven (7) days before they take effect.

12. Contact us

Wellfounded Agency Pty Ltd
Suite 302/13 Wentworth Ave, Sydney NSW 2000
support@pitchmate.app

–––

By using PitchMate you acknowledge that you have read, understood and agree to this Privacy Policy.