Privacy Policy

This policy explains what personal information Bowtie Risk Engine collects, why we collect it, where it is stored, and the choices you have. It covers the marketing website, the web application at /app, and the desktop edition.

Last updated: 13 July 2026

Who we are

Bowtie Risk Engine is operated from Australia ("we", "us"). We are bound by the Australian Privacy Principles in the Privacy Act 1988 (Cth). For privacy questions or requests, contact [email protected].

What we collect

What we use it for

We do not sell personal information, and we do not use your diagrams or registers for advertising or to train machine-learning models.

Who we share it with

We use a small number of service providers to run the product. They process data on our behalf and are not permitted to use it for their own purposes:

We may also disclose information where required by law. We do not otherwise share personal information with third parties.

Where it is stored (overseas disclosure)

Our service providers store data on Google Cloud and Resend infrastructure located primarily in the United States. By using the service you acknowledge that your information will be processed outside Australia. We choose providers with strong, independently audited security practices.

Cookies and local storage

We do not use advertising cookies.

Retention

Customer content remains in your workspace until you delete it or ask us to close your account. Licence and enquiry records are kept for as long as reasonably necessary for licence administration, our legal obligations, and legitimate business records, then deleted or de-identified.

Access, correction, and deletion

You can export your diagrams at any time from within the application (JSON, PDF, PNG, SVG), and you can permanently delete your account and cloud workspace yourself from the application's start screen. To access or correct personal information we hold, or to request deletion of anything else (such as licence or enquiry records), email [email protected]. We will respond within a reasonable period.

Security

Access to each workspace is enforced server-side and isolated to the owning account; traffic is encrypted in transit; and the application is hardened with a strict Content-Security-Policy. See Trust & security for the full picture, including what we do not yet do.

Visitors from the EEA and UK

Where the GDPR or UK GDPR applies, our legal bases are: performance of a contract (providing the software and administering licences), legitimate interests (security, abuse prevention, product improvement, responding to enquiries), and consent where required. You additionally have the rights of access, rectification, erasure, restriction, portability, and objection, and the right to complain to your local supervisory authority. To exercise any of these, contact [email protected].

Complaints

If you believe we have mishandled your personal information, contact us first and we will investigate. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (oaic.gov.au).

Changes to this policy

We may update this policy from time to time. Material changes will be flagged on this page with a new "last updated" date. Continued use of the service after a change takes effect constitutes acceptance of the updated policy.

Questions about your data?

We answer privacy questions directly — no forms, no runaround.