In plain English
If you only read one paragraph: your data is yours. tapestry® acts as a processor on your behalf for the operational data you bring to the platform. We don't sell it. We don't repurpose it. We don't share it without your explicit, configured permission.
- Your data is yours. You own it. We process it on your behalf.
- We never share without consent. Marketplace sharing is opt-in, per supplier, per category, per share.
- Every share is logged. Audit trails are exportable.
- Clear off-boarding. When your contract ends, your operational data is deleted or returned in line with the timelines below.
Who we are
tapestry® refers to tapestry AI Pty Ltd (ABN 55 647 500 696), an Australian company headquartered in Melbourne. We operate the tapestry® platform and the products Retail+ (which includes the Hank AI assistant feature), Supply+ and Collectives, plus the data marketplace at the centre of the network.
tapestry is an APP entity governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy is written to comply with APP 1.4 and describes how we handle personal information across the platform.
For the purposes of this policy:
- Controller means the party that decides why and how data is processed.
- Processor means the party that processes data on the controller's behalf.
- For the operational data you bring to tapestry®, you (or the organisation that invited you) are the controller and we are the processor.
- For account, usage and marketing data, tapestry is the controller.
- For the optional marketplace flows you opt into, separate roles apply under the marketplace agreement.
What we collect
Account information
- Your work email, name, role, and the organisation you work for
- Login activity (timestamp, IP, device) for security purposes
- Authentication data, including SSO identifiers and multi-factor details
- Communication preferences
Operational data you bring to the platform
- Transaction records, returns, voids and price events from your POS
- Store, department, category, supplier and product hierarchies
- Planograms, promo events, tasks and lists created in the platform
Usage telemetry
- Which features are used and when (no individual-shopper data)
- Error reports and performance traces (sanitised of PII)
- Queries submitted to Hank, the AI assistant feature in Retail+
What we don't collect: personally identifiable shopper information. tapestry processes shelf-level transactions, not loyalty profiles. Card numbers, names and addresses never enter the system.
Why we collect it
We collect and handle personal information in line with APP 3 (collection) and APP 6 (use and disclosure): for purposes reasonably necessary to operate the platform, for directly related secondary purposes you would reasonably expect, and otherwise with your consent or as required by law.
| Category | Purpose | Basis under the APPs |
|---|---|---|
| Account info | Operate the service, authenticate you, send essential service emails | Operational necessity (APP 3) |
| Operational data | Provide the analytics, workflows and Hank features you contracted for | Operational necessity (APP 3, APP 6) |
| Telemetry | Detect bugs, improve performance, prevent abuse | Reasonable expectation (APP 6.2(a)) |
| Marketing emails | Tell you about updates relevant to your role | Affirmative, separate consent · opt out at any time |
| Marketplace data | Make your governed shares available to subscribed brands | Opt-in consent |
De-identified and aggregated data
We may create de-identified, aggregated or statistical datasets derived from the data we collect (together, De-identified Data). We apply reasonable technical and organisational measures intended to ensure that De-identified Data cannot be used, alone or in combination with other information reasonably available to tapestry, to identify any individual or to re-identify an individual customer's commercial position.
We may use De-identified Data for:
- Operating, securing and improving the platform
- Benchmarking, industry research and product analytics
- Training and refining models, including the Hank AI assistant feature
- Preparing aggregated market insights and marketing materials
Under-18 users. De-identified Data derived from users whose recorded age is under 18 is used only for internal operational purposes. We do not use it for external benchmarking, published insights, model training or marketing materials.
We do not publish or share any dataset that would identify an individual, an individual customer, or an individual commercial counterparty, except with the express prior consent of the relevant party.
How long we keep it
Specifics vary by category and are set out in our internal Retention Schedule, a summary of which is available on request to hello@tapestry.ai. Typical category-level retention:
- Account information: kept while your account exists; deleted within a reasonable period after account closure.
- Operational data: kept for the duration of your contract, with off-boarding handled in line with your contract terms.
- Usage telemetry and security logs: up to 24 months.
- Backups: rolling 30-day retention; 1-year cold archive for disaster recovery, not accessed for any other purpose.
- Marketing data: until you unsubscribe, plus a suppression-list period.
- Audit logs and records we are required to keep by law: for the period required by the relevant law.
Security and data breaches
We maintain technical and organisational security measures, including encryption in transit and at rest, role-based access controls, logging, staff training and third-party security assessments. No system is fully secure.
In the event of an eligible data breach, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth) and any other applicable law, without undue delay.
Hank and AI-assisted features
Hank is the AI assistant feature inside Retail+. When you use Hank:
- Inputs include your prompts, the platform data you have permission to access (including relevant operational data), and contextual account and usage data.
- Third-party model providers process prompts and outputs as sub-processors under a data processing agreement. Our contractual arrangements with these providers require that your inputs and outputs are not used to train their foundation models. Current model providers are listed above in section 05 - Who we share it with.
- Retention. Hank interaction logs are retained for a limited period for debugging, safety and quality purposes, then deleted or de-identified.
- Human oversight. Hank surfaces, flags and answers; it supports human decision-making rather than replacing it. We do not use Hank to make decisions that produce legal or similarly significant effects on individuals without meaningful human review.
- Accuracy. Hank may produce inaccurate or incomplete outputs. Verify results before relying on them for commercial decisions.
Users under 18
The platform is designed for business use. We recognise that some platform users, particularly on retail shop floors, may be aged 16 or 17, and that customer organisations are responsible for ensuring any user they invite has the legal capacity to use the platform.
- We do not knowingly provide the platform to anyone under 16. If we discover that we have collected personal information from a user under 16, we will delete it and notify the customer organisation.
- For users aged 16 or 17, the customer organisation (not the user) is the contracting party. The user accesses the platform in their capacity as an employee or contractor of the customer.
- We do not send marketing communications to under-18 users, and we do not use de-identified data derived from their use of the platform for external benchmarking, published insights or marketing materials. This applies even if a user under 18 has ticked a marketing or anonymised-data consent option.
- If you are a parent, guardian or customer administrator with a question or concern about a user under 18, contact us at hello@tapestry.ai.
Your rights
Under the Australian Privacy Principles, and depending on your jurisdiction (GDPR, CCPA, others), you may have rights to:
- Access the personal information we hold about you
- Correct it if wrong
- Delete it (subject to legal retention obligations)
- Object to processing for marketing
- Port your data to another provider
- Withdraw consent for marketing or anonymised-data use at any time, via your account settings or by emailing us
- Complain about how we have handled your personal information
Exercise any of these by emailing hello@tapestry.ai. We acknowledge requests promptly and aim to respond within 30 days. If we need more time, we will let you know and explain why.
Where you access the platform as an employee or contractor of a customer organisation, some requests (particularly deletion) may need to be directed to that organisation, which determines how the data is handled. We will help you identify the right path.
If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner at oaic.gov.au.
California residents
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA/CPRA), including the right to know, delete and correct personal information, the right to opt out of the sale or sharing of personal information (as noted in §05, we do not sell or share personal information), and the right to limit the use of sensitive personal information. To exercise these rights, contact us at hello@tapestry.ai. We will not discriminate against you for exercising any of these rights.
International transfers
Data is hosted in the region appropriate to your jurisdiction (AU, US, EU). Where cross-border processing is necessary (for example, for support engineers in another region), transfers are governed by Standard Contractual Clauses (EU), the IDTA (UK), or equivalent.
Where we disclose personal information overseas, we comply with APP 8 and take reasonable steps to ensure the recipient handles the information in a way consistent with the APPs. Our sub-processor list in Section 05 - Who we share it with identifies the jurisdictions where material processing occurs.
Cookies and analytics
We use cookies and similar technologies on our website for essential site functionality, analytics and, where you consent, marketing pixels. Where enabled, these include Google Analytics, HubSpot tracking, Meta Pixel and LinkedIn Insight Tag. You can manage preferences via our cookie banner and your browser settings. A detailed cookie notice is available on our Cookies page.
We do not participate in cross-context behavioural advertising. We honour recognised opt-out signals, including Global Privacy Control, where technically feasible. We do not currently respond to legacy Do Not Track browser signals.
Changes to this policy
We update this policy from time to time. Each version has a version number and effective date. Material changes (such as new categories of personal information collected, new purposes of use, new categories of recipients, or changes that materially reduce your rights) will be notified in advance via in-product banner and email to account administrators, at least 30 days before they take effect. Non-material changes (typos, clarifications) are published with a revised effective date. Continued use of the platform after the effective date means you accept the updated policy.
Contact
Privacy, security & legal: hello@tapestry.ai
Post: tapestry AI Pty Ltd, 4/255 Wellington Street, Collingwood VIC 3066, Australia
You may also complain to the Office of the Australian Information Commissioner at oaic.gov.au.