Privacy Policy

1. Introduction

Axianda Pty Ltd (ABN 11 696 938 093) ("Axianda", "we", "us", or "our") operates the Vesavo platform, an online event seating planning tool available at vesavo.com and app.vesavo.com (the "Service"). Vesavo is a registered trading name of Axianda Pty Ltd, a company registered in New South Wales, Australia. Axianda may provide other products or services under different names, which will be governed by their own respective privacy policies unless otherwise specified.

We are committed to protecting your personal information and respecting your privacy. This Privacy Policy explains how we collect, use, store, and disclose your personal information when you use the Service.

We are bound by the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained therein. For the purposes of the Australian Privacy Act, Axianda acts as an APP Entity. We also recognise our obligations under the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) where applicable. We take our obligations under these laws seriously and have designed our data practices with privacy by default.

By using the Service, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy. If you do not agree with this policy, please do not use the Service.

2. Information We Collect

We collect information that you provide to us directly and information that is generated automatically when you use the Service. Specifically, we may collect:

Account Information

When you create an account, we collect your name, email address, and a hashed version of your password. We never store your password in plain text. If you purchase a paid plan or subscribe, payment details are handled by Paddle.com Market Limited ("Paddle"), who acts as our Merchant of Record. Payment details are not stored by Axianda.

Event and Guest Data

When you use the Service to plan an event, you may upload or enter information about your event guests, including names, dietary requirements, seating preferences, RSVP status, and any notes you add. This data belongs to you, and we process it to provide the Service, including transmitting it to third-party AI providers as described in Section 5. With respect to uploaded Guest Data, you are the data controller (or equivalent under applicable law) and Axianda acts as a data processor.

Sensitive Information

Certain information you upload — such as dietary requirements — may constitute sensitive personal information under the Australian Privacy Act 1988, or special category data under the GDPR. Dietary requirements may reveal religious beliefs (e.g. Halal, Kosher) or health conditions (e.g. allergies). You must obtain explicit consent from your guests before uploading any such information to the Service. By uploading this data, you represent that you have a lawful basis for doing so.

Usage Data

We automatically collect certain information about how you use the Service, including pages visited, features used, time spent, and actions taken. This data is used to understand how the product is being used and to improve the Service.

Cookies and Tracking Technologies

We use privacy-friendly first-party analytics that works without cookies for most visitors. We also partner with Microsoft Clarity to capture how you use and interact with the Service through behavioural metrics, heatmaps, and session replay. Clarity runs without cookies by default; if you consent to analytics, Clarity enables cookies for richer cross-page session tracking. Essential cookies are required for the Service to function, including session management, authentication, and security tokens. With your consent, we also use local storage to measure feature usage and improve the Service. We honour the Do Not Track (DNT) browser signal. See Section 10 for details.

3. How We Use Your Information

We use the information we collect for the following purposes:

• To provide, operate, and maintain the Service, including processing your data through third-party AI providers
• To process your payments and manage billing through Paddle, our Merchant of Record
• To send you transactional emails such as account confirmations, password resets, and receipts
• To respond to your support requests and enquiries
• To improve and develop the Service based on aggregate usage analytics
• To train, improve, and develop machine learning models and artificial intelligence systems using anonymised or aggregated data (see Section 9)
• To send you product updates and feature announcements (you may opt out at any time)
• To detect, investigate, and prevent fraudulent or illegal activity
• To comply with our legal obligations under Australian law and other applicable laws

4. Disclosure of Your Information

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following limited circumstances:

Service Providers

We share information with trusted third-party service providers who assist us in operating the Service, including:

• Paddle — Merchant of Record for payment processing, invoicing, and sales tax compliance. Paddle handles payment details directly and is PCI-DSS compliant. Paddle has its own privacy policy and terms of service.
• Microsoft Azure — cloud infrastructure and data storage. Data is hosted in Azure data centres.
• xAI — AI model inference for production features of the Service.
• Google — if you consent to marketing cookies, we load Google's gtag.js script which sets cookies (such as _gcl_* and _gac_*) and sends page-view and conversion data to Google Ads for advertising measurement and campaign optimisation. No data is sent to Google unless you accept marketing cookies.
• Meta Platforms, Inc. — if you consent to marketing cookies, we load the Meta Pixel which sends page-view and conversion data to Meta for advertising measurement. No data is sent to Meta unless you accept marketing cookies.
• Microsoft Clarity — behavioural analytics including heatmaps, session replays, and usage metrics to improve and market our products and services. Clarity runs without cookies by default; if you consent to analytics, it enables cookies for persistent session tracking across pages. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. We also use this information for site optimisation, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement at https://www.microsoft.com/en-us/privacy/privacystatement.
• Analytics providers — aggregated and anonymised usage data only. No personally identifiable information is shared.

Internal Access

Authorised employees, contractors, and agents of Axianda may access your data, including User Content, in the course of operating the Service. This access may occur for purposes including but not limited to: providing customer support; investigating and resolving technical issues or bugs; monitoring for and enforcing compliance with our Terms and Conditions (such as detecting spam or misuse); developing, testing, and improving the Service; ensuring the security and integrity of the Service; and any other legitimate business purpose related to the operation, maintenance, or improvement of the Service. Axianda's employees are primarily based in Australia and may access account data from Australia. Employees may also access data from other countries while travelling. Access is limited to authorised personnel on a need-to-know basis and is subject to confidentiality obligations.

Legal Requirements

We may disclose your information where required by law, such as in response to a court order, subpoena, or regulatory requirement. We will notify you of such disclosure where we are legally permitted to do so.

5. Artificial Intelligence Providers and Data Processing

The Service utilises artificial intelligence (AI) technologies provided by third-party providers to deliver features such as guest list parsing, seating suggestions, and data analysis. As part of providing these features, your personal data — including guest names, event details, and other User Content — may be transmitted to and processed by the following AI provider:

Production AI Provider

• xAI — AI model inference and processing used to deliver AI-powered features of the Service

AI Training and Development

Separately from the production Service, Axianda may use anonymised and aggregated data for internal development, analytics, and AI model training purposes. This processing occurs on systems separate from the production Service and may involve AI providers other than those listed above. Data used for these purposes is de-identified so that it cannot reasonably be used to identify any individual.

Important information about AI provider data processing:

• xAI operates under its own terms of service and privacy policy. Subject to our obligations under the Privacy Act 1988 (Cth), Axianda does not control and is not responsible for the data handling, security practices, or privacy policies of xAI beyond our contractual arrangements with them. We take reasonable steps to ensure that overseas recipients of personal data comply with the Australian Privacy Principles
• Primary data storage is located in the United States (Microsoft Azure). Data processed by AI features may be transmitted to the United States or other jurisdictions where xAI operates, which may have different data protection laws than Australia, the EU, or your home jurisdiction
• To the maximum extent permitted by applicable law, and subject to our obligations under the Privacy Act 1988 (Cth), Axianda is not liable for any data breach, data loss, unauthorised access, or other security incident that occurs within the systems of any third-party AI provider
• You acknowledge that by using AI-powered features of the Service, your personal data and User Content will be transmitted to xAI for processing

Axianda reserves the right to change, add, or remove AI providers at any time. We will update this Privacy Policy to reflect material changes to our production AI providers. We encourage you to review the privacy policies and terms of service of our AI providers directly.

6. Automated Decision-Making

The Service uses automated processing, including artificial intelligence, to assist with certain features. In accordance with the Australian Privacy Act 1988 (as amended) and the GDPR where applicable, we are transparent about the types of automated decisions that may significantly affect you:

• Automated seating assignments — the Service may use AI and algorithmic processing to suggest or generate seating arrangements based on guest relationships, preferences, and constraints you provide
• Guest list parsing — uploaded CSV or Excel files are processed by AI to identify and map columns to structured data fields
• Relationship inference — the Service may automatically infer relationships between guests (e.g., family groups, potential conflicts) based on data patterns such as shared surnames or list proximity

These automated processes are designed to assist you, not to make final decisions on your behalf. All AI-generated outputs — including seating suggestions and data mappings — are presented for your review and can be modified or overridden before being applied.

Important — Data Accuracy and Dietary Requirements: All data and outputs produced by the Service — whether generated by AI or by the system itself — may contain errors due to AI processing mistakes, software bugs, data saving issues, or rendering errors in exported materials such as PDFs. Guest names, groups, dietary requirements, and other attributes may be entered manually or extracted using AI-assisted processing. Regardless of how data is entered, you must review all data and outputs for accuracy, especially dietary requirements and allergies, as errors in this information could affect guest health and safety. Axianda is not liable for any harm arising from reliance on data or outputs produced by the Service without independent verification by you.

You have the right to request human review of any automated outcome that significantly affects you. To request a review, please contact us at hello@vesavo.com.

7. Data Storage and Security

All primary data is stored on Microsoft Azure infrastructure in the United States. Data processed by AI features may be transmitted to the United States via xAI. We implement the following security measures to protect your information:

• Encryption in transit using TLS 1.2 or higher for all data transmitted to and from the Service
• Encryption at rest for database storage
• Hashed passwords — we never store passwords in plain text
• Access controls limiting internal staff access to personal data
• Regular security reviews and dependency updates

While we take reasonable steps to protect your personal information, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of your data. To the maximum extent permitted by applicable law, Axianda is not liable for any unauthorised access, data breach, data loss, or other security incident, except to the extent that such liability cannot be excluded under applicable law.

8. Your Rights

Under the Australian Privacy Act 1988 and the Australian Privacy Principles, you have the following rights regarding your personal information:

• Access — you may request a copy of the personal information we hold about you
• Correction — you may request that we correct any personal information that is inaccurate, incomplete, or outdated
• Deletion — you may request that we delete your personal information, subject to certain legal obligations and our data retention policy (see Section 9)
• Opt-out — you may opt out of receiving marketing communications from us at any time
• Portability — you may request an export of your event and guest data in a common format

To exercise any of these rights, please contact us at hello@vesavo.com. We will respond to your request within 30 days. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC).

9. Data Retention and AI Training

We retain your personal information for as long as your account remains active or as needed to provide you with the Service. If you delete your account, we will delete or anonymise your personal information within 30 days of account deletion, except where we are required to retain information by law.

Billing records and transaction data are retained for a minimum of 7 years as required by Australian taxation and accounting legislation. Guest data that you upload is treated as user content and retained only for as long as your account is active. You may delete guest data at any time through the Service interface.

Machine Learning and AI Training: We may retain and use data provided to the Service, including User Content, in anonymised or aggregated form, for the purpose of training, improving, and developing machine learning models and artificial intelligence systems. This training and development activity occurs on systems separate from the production Service and may involve AI providers other than those used to deliver the Service. This data will be de-identified where practicable so that it cannot reasonably be used to identify any individual. Sensitive personal information — such as dietary requirements that may reveal religious beliefs or health conditions — is excluded from AI training by default. This right survives the deletion of your account. We will not sell your data to third parties for this or any other purpose.

Training Opt-out: You may opt out of having your data used for AI training purposes at any time by contacting us at hello@vesavo.com. Opting out will not affect the functionality of the Service available to you. If you have opted out, we will not use your data for training purposes after the opt-out date, though previously trained models may retain learning derived from anonymised data processed before the opt-out.

10. Cookies, Local Storage, and Analytics

We use cookies and similar browser-storage technologies sparingly. The Service operates in two analytics modes depending on your cookie-consent choice.

Essential Cookies

These cookies are necessary for the Service to function and cannot be disabled. They include session management cookies that keep you logged in, authentication tokens, and security tokens that protect against cross-site request forgery. Without these cookies, the Service cannot operate.

Anonymous Analytics (default — no cookies required)

By default we collect privacy-friendly first-party analytics without any cookies or persistent identifiers. This includes the URL path you visited (with user and event identifiers removed), your referring site's domain, your browser family and operating system category, device class (mobile/tablet/desktop), the two-letter prefix of your language, a coarse viewport size bucket, and a timestamp. We do NOT record your IP address, full user-agent string, or any cookie when in this mode. This processing is permitted under CNIL and UK ICO guidance for first-party audience measurement.

Microsoft Clarity (cookieless by default — upgrades with consent)

We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioural metrics, heatmaps, and session replay to improve and market our products/services. Clarity loads immediately without setting any cookies or using persistent identifiers, providing basic per-page analytics. If you click "Accept" on the cookie banner, Clarity enables cookies (such as _clck, _clsk, and CLID) for persistent session tracking across pages. If you reject cookies or do not interact with the banner, Clarity continues to run in cookieless mode. Additionally, we use this information for site optimisation, fraud/security purposes, and advertising. We honour the Do Not Track (DNT) browser signal — if your browser sends DNT, Clarity is not loaded. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.

Consented Analytics (only if you accept)

If you click "Accept" on the cookie banner, we additionally store a short-lived session identifier in your browser's local storage (a 128-bit random value, expires after 30 minutes of inactivity) and, if you're signed in, a cryptographic hash of your user ID. This lets us measure feature usage and understand how visitors move through the product so we can improve it. You can withdraw consent at any time by clearing site data or re-opening the cookie banner.

Marketing Cookies (only if you accept)

If you click "Accept" on the cookie banner, we also load third-party advertising scripts from Google and Meta. Google's gtag.js script sets cookies (such as _gcl_* and _gac_*) and sends page-view and conversion data to Google Ads. This data is used to measure the effectiveness of our advertising campaigns on Google Search and Display Network and to optimise ad targeting. The Meta (Facebook) Pixel sets first-party cookies (_fbp, _fbc) and sends page-view and conversion data to Meta Platforms, Inc. This data is used to measure the effectiveness of our advertising campaigns on Facebook and Instagram and to build audiences for future ads. Google and Meta may each combine this data with information they already hold about you under their own respective privacy policies. If you reject cookies or do not interact with the banner, neither script is loaded and no data is sent to Google or Meta. You can withdraw consent at any time by clearing site data or re-opening the cookie banner.

Do Not Track

We honour the Do Not Track (DNT) browser signal. If your browser sends DNT, we send no analytics events — anonymous or consented — and the Meta Pixel is not loaded.

Where the data lives

First-party analytics data is stored in our self-hosted log aggregation system on Microsoft Azure (United States region). Microsoft Clarity data is processed by Microsoft in the United States. If you have consented to marketing cookies, page-view and conversion data is also transmitted to Google (United States) and Meta Platforms, Inc. (United States). We do not share first-party analytics data with any other third-party advertising networks.

11. Third-Party Services

The Service may contain links to third-party websites or services that are not owned or controlled by Axianda. This Privacy Policy does not apply to those third-party sites. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party websites or services, including our AI providers. We encourage you to review the privacy policy of any third-party site you visit.

12. Children's Privacy

The Service is not intended for or directed at children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children under 16. If you become aware that a child has provided us with personal information without parental consent, please contact us at hello@vesavo.com and we will take steps to remove that information.

13. Cross-Border Disclosure

Your personal information may be processed, stored, and accessed outside of Australia by our cloud infrastructure provider and AI providers. Specifically:

• Microsoft Azure maintains data centres in multiple regions. Primary data is stored in the United States, and data may also be processed in other Azure regions
• xAI may process your data on servers located in the United States or other jurisdictions. The specific location of processing is not guaranteed
• Paddle (our Merchant of Record) may process payment data in the United Kingdom, the United States, or other jurisdictions where Paddle operates
• Axianda's employees are primarily based in Australia and may access data from Australia or from other countries while travelling
• For AI training and development purposes, anonymised data may be processed by AI providers in various jurisdictions (see Section 5)

Before disclosing personal information to any overseas entity, we take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to that information. However, by using AI-powered features of the Service, you acknowledge that your data may be transferred to and processed in jurisdictions that may have different data protection laws than your own, and you consent to such transfer and processing.

14. International Privacy Rights

European Economic Area (EEA) — GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you may have additional rights under the General Data Protection Regulation (GDPR) or equivalent legislation. These include the right to: access your personal data; rectify inaccurate data; erase your data (the "right to be forgotten"); restrict processing; data portability; object to processing (including profiling); and withdraw consent at any time where processing is based on consent. Our legal basis for processing your personal data includes: (a) performance of a contract (providing the Service to you); (b) legitimate interests (improving the Service, ensuring security); and (c) your consent where applicable. You have the right to lodge a complaint with your local data protection supervisory authority. To exercise your GDPR rights, please contact us at hello@vesavo.com.

California — CCPA/CPRA

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights:

• Right to Know — you may request details about the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your information
• Right to Delete — you may request that we delete your personal information, subject to certain exceptions
• Right to Opt Out of Sale — we do not sell your personal information. We have not sold personal information in the preceding 12 months
• Right to Non-Discrimination — we will not discriminate against you for exercising any of your CCPA/CPRA rights
• Right to Correct — you may request that we correct inaccurate personal information
• Right to Limit Use of Sensitive Personal Information — you may request that we limit our use of sensitive personal information to purposes necessary to provide the Service

To submit a verifiable consumer request under the CCPA/CPRA, please contact us at hello@vesavo.com. We will verify your identity before processing your request.

15. Sub-processor List

We maintain a list of sub-processors who process personal data on our behalf. The current list is available at /sub-processors and includes:

We will update this list when sub-processors are added or removed and will notify Business Users with an executed DPA in accordance with the terms of that agreement.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. For material changes — those that significantly affect your rights or how we use your information — we will notify you by email to your registered address at least 30 days before the changes take effect. For minor changes or clarifications, we will update the "Last updated" date at the top of this page. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

17. Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact our Privacy Officer:

If you are not satisfied with our handling of your complaint, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au. If you are in the EEA, you may also contact your local data protection authority.