Privacy Policy
This policy explains what personal information Bowtie Risk Engine collects, why we collect it, where it is stored, and the choices you have. It covers the marketing website, the web application at /app, and the desktop edition.
Last updated: 13 July 2026
Who we are
Bowtie Risk Engine is operated from Australia ("we", "us"). We are bound by the Australian Privacy Principles in the Privacy Act 1988 (Cth). For privacy questions or requests, contact [email protected].
What we collect
- Account information — when a licence is issued we create an account keyed to your work email address. Passwords are handled entirely by Firebase Authentication (a Google service); we never see or store them.
- Licence records — your email address, licence tier, and licence status, kept for as long as needed to administer your licence.
- Customer content — diagrams, barrier registers, and reuse libraries you create in the web edition are stored in your private workspace in Google Cloud Firestore, isolated to your account and readable only by you. Content created in the desktop edition stays on your machine and is not transmitted to us.
- Enquiries — the contact form collects your name, email, and any details you choose to provide (organisation, discipline, licensing needs, message). Submissions are protected by Google reCAPTCHA and delivered to our team by email via Resend.
- Usage and device data — the web application records product analytics events (e.g. a diagram was created or exported) through Google Analytics for Firebase, associated with your account identifier. Standard technical data (IP address, browser type) is processed by our hosting and security services (including Firebase App Check and reCAPTCHA) to keep the service available and prevent abuse.
What we use it for
- Providing and operating the software, including storing your work in your signed-in workspace.
- Issuing, verifying, and administering licences.
- Responding to demo, quote, and support enquiries.
- Understanding how the product is used so we can improve it.
- Securing the service, preventing abuse, and meeting legal obligations.
We do not sell personal information, and we do not use your diagrams or registers for advertising or to train machine-learning models.
Who we share it with
We use a small number of service providers to run the product. They process data on our behalf and are not permitted to use it for their own purposes:
- Google LLC — Firebase Authentication (sign-in), Cloud Firestore (customer content and licence records), Firebase App Check and reCAPTCHA (abuse prevention), Google Analytics for Firebase (product analytics), and hosting infrastructure.
- Resend, Inc. — transactional email delivery for contact-form enquiries and confirmations.
We may also disclose information where required by law. We do not otherwise share personal information with third parties.
Where it is stored (overseas disclosure)
Our service providers store data on Google Cloud and Resend infrastructure located primarily in the United States. By using the service you acknowledge that your information will be processed outside Australia. We choose providers with strong, independently audited security practices.
Cookies and local storage
- Authentication — Firebase Authentication stores session tokens in your browser so you stay signed in.
- Local drafts — the editor keeps a crash-recovery copy of your current diagram in your browser's local storage, scoped to your account and removed when you sign out.
- Security & analytics — reCAPTCHA and Google Analytics for Firebase set identifiers used for abuse prevention and usage measurement.
We do not use advertising cookies.
Retention
Customer content remains in your workspace until you delete it or ask us to close your account. Licence and enquiry records are kept for as long as reasonably necessary for licence administration, our legal obligations, and legitimate business records, then deleted or de-identified.
Access, correction, and deletion
You can export your diagrams at any time from within the application (JSON, PDF, PNG, SVG), and you can permanently delete your account and cloud workspace yourself from the application's start screen. To access or correct personal information we hold, or to request deletion of anything else (such as licence or enquiry records), email [email protected]. We will respond within a reasonable period.
Security
Access to each workspace is enforced server-side and isolated to the owning account; traffic is encrypted in transit; and the application is hardened with a strict Content-Security-Policy. See Trust & security for the full picture, including what we do not yet do.
Visitors from the EEA and UK
Where the GDPR or UK GDPR applies, our legal bases are: performance of a contract (providing the software and administering licences), legitimate interests (security, abuse prevention, product improvement, responding to enquiries), and consent where required. You additionally have the rights of access, rectification, erasure, restriction, portability, and objection, and the right to complain to your local supervisory authority. To exercise any of these, contact [email protected].
Complaints
If you believe we have mishandled your personal information, contact us first and we will investigate. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (oaic.gov.au).
Changes to this policy
We may update this policy from time to time. Material changes will be flagged on this page with a new "last updated" date. Continued use of the service after a change takes effect constitutes acceptance of the updated policy.