Privacy Policy

Last updated: 28 May 2026

Effective date: 21 May 2026

1. About this Policy

This Privacy Policy explains how Techlyft Pty Ltd (“Techlyft”, “we”, “us”, or “our”) collects, uses, discloses, stores, and protects personal information through the Metrifly product and the website at https://metrifly.com (together, the “Service”).

We are committed to handling your personal information in accordance with the Australian Privacy Act 1988 (Cth) (the “Privacy Act”) and the 13 Australian Privacy Principles (“APPs”).

By creating an account or otherwise using the Service, you acknowledge that your personal information will be handled in the manner described in this Policy.

2. Who We Are

The data controller for the purposes of this Policy is:

• Entity: Techlyft Pty Ltd
• Product: Metrifly
• Website: https://metrifly.com
• Jurisdiction: Australia
• Contact email: support@metrifly.com

3. The Information We Collect

We collect the following categories of information.

Account and identity information

• Name
• Email address
• Password (stored only in hashed form using industry-standard hashing)
• Account preferences and settings

Billing information

• Subscription tier and billing history
• Payment information processed by Stripe (we do not store card numbers, CVV codes, or full payment instrument details — these are collected and stored directly by Stripe under their PCI-DSS compliant environment)
• Billing address (if provided to Stripe)

Financial and portfolio data you provide to us

• Imported broker CSV files (from brokers such as CommSec, nabtrade, SelfWealth, CMC Markets, Stake, and similar)
• Individual trade records (ticker, quantity, price, date, broker, transaction type)
• Portfolio holdings and current positions
• Manually entered transactions, notes, and tags
• Watchlists and any other content you upload or create within the Service

Technical and usage information

• IP address
• Device, operating system, and browser information
• Approximate location derived from IP address
• Log data (timestamps, pages viewed, features used, error logs)
• Product analytics (clicks, navigation paths, feature usage, performance metrics)

Support information

• The contents of any messages, attachments, or feedback you send to support@metrifly.com or via in-product channels

We do not intentionally collect sensitive information (as defined in the Privacy Act) such as health, racial, religious, political, or biometric data.

4. How We Collect Your Information

We collect personal information:

• Directly from you — when you register, configure your account, import broker data, enter transactions, contact support, or otherwise interact with the Service.
• Automatically — when you use the Service, through server logs, analytics tools, and cookies (see Section 11).
• From third parties — from payment processors (Stripe) in relation to billing, and from market data providers in relation to prices and reference data (this is not personal information about you).

We do not purchase personal information about you from data brokers.

5. How We Use Your Information

We use personal information for the following purposes:

Account and service delivery

• Creating and managing your account
• Authenticating you and securing access (via AWS Amplify)
• Providing the core features of Metrifly: importing trades, tracking holdings across ASX and US equities, computing performance analytics, and visualising portfolio allocation
• Storing your portfolio data securely so it is available the next time you sign in

Billing

• Managing your subscription, processing payments via Stripe, issuing receipts, and handling refunds

Support and communication

• Responding to your questions, support tickets, and feedback
• Sending operational and transactional messages (e.g., security alerts, billing notices, material changes to the Service or this Policy)

Product analytics and improvement

• Understanding how users interact with features so we can fix bugs, improve performance, and prioritise development
• Producing aggregated and anonymised statistics about portfolio data — for example, average allocation by asset class across the user base — that may power product features
• Aggregated/anonymised data is constructed so that it cannot reasonably be re-identified to any individual user, and we do not sell this data to third parties

Legal, safety, and compliance

• Detecting and preventing fraud, abuse, and violations of our Terms of Service
• Complying with legal obligations, including Australian tax and financial record-keeping requirements
• Establishing, exercising, or defending legal claims

We will not use your personal information for purposes that are materially different from those described above without first telling you and, where required, obtaining your consent.

6. Legal Bases and the Australian Privacy Principles

We collect, hold, use, and disclose personal information in accordance with the APPs. In particular:

• APP 3 — Collection of personal information: We only collect information that is reasonably necessary for our functions and activities.
• APP 5 — Notification of collection: We notify you of collection through this Policy and at relevant collection points within the Service.
• APP 6 — Use or disclosure: We use your personal information for the primary purpose for which it was collected, or for related secondary purposes you would reasonably expect.
• APP 8 — Cross-border disclosure: Where personal information is disclosed to an overseas recipient (for example, Stripe in connection with payments), we take reasonable steps to ensure the recipient handles the data consistently with the APPs (see Section 8).
• APP 11 — Security: We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure (see Section 9).
• APP 12 and APP 13 — Access and correction: You may request access to, and correction of, your personal information (see Section 12).

7. Disclosure of Personal Information

We do not sell your personal information. We disclose personal information only in the following circumstances:

• To our sub-processors to provide the Service (see Section 8).
• To Stripe to process your payments.
• With your consent or at your direction.
• For legal reasons — to comply with applicable laws, court orders, lawful requests from regulators or law enforcement, or to protect the rights, property, or safety of Techlyft, our users, or others.
• In the context of a corporate transaction — for example, a merger, acquisition, or asset sale, in which case we will give notice before personal information is transferred and becomes subject to a different privacy policy.

8. Sub-processors and International Transfers

We use third-party providers (“sub-processors”) to help us deliver the Service. Our current sub-processors include:

• Amazon Web Services (AWS) — hosting, storage, and database services. Primary region: AWS Sydney (ap-southeast-2).
• AWS Amplify — authentication and identity management.
• Stripe — payment processing.
• Google LLC (Google Analytics 4) — product analytics (page views, navigation paths, feature usage). Data may be processed in the United States and other countries where Google operates.
• Microsoft Corporation (Microsoft Clarity) — session recording, heatmaps, and behavioural interaction analytics. Data may be processed in the United States and other countries where Microsoft operates.

We will update this list as our processors change and will provide notice of material additions or replacements.

Where information is transferred to or accessible from outside Australia (for example, Stripe operates internationally), we take reasonable steps under APP 8 to ensure that the recipient handles your personal information in a manner consistent with the APPs, including through contractual safeguards.

9. Data Storage and Security

Your account data, portfolio data, and uploaded files are stored within AWS infrastructure in the Sydney region (ap-southeast-2) by default.

No live connection to your broker accounts. Metrifly ingests only data that you upload or enter yourself — for example, broker-exported CSV files and manually entered transactions. We do not connect to your broker accounts via API, OAuth, screen-scraping, or any other live link, we do not request or store your broker login credentials, and we have no ability to read, place, or modify trades on your behalf. You remain in full control of what data is provided to the Service.

We take reasonable technical and organisational measures to protect personal information, including:

• Encryption of data in transit (TLS) and at rest
• Password hashing using industry-standard algorithms
• Access controls and the principle of least privilege for staff
• Logging, monitoring, and routine security review
• Regular backups

No method of transmission or storage is completely secure. While we take reasonable steps to protect your information, we cannot guarantee absolute security. You are responsible for keeping your password confidential and for the security of devices you use to access the Service.

10. Data Retention

We will only retain your personal information for as long as is reasonably necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements that apply to us or to your account.

In some circumstances we may retain personal information for a longer period — for example, where there is an ongoing complaint, dispute, investigation, audit, or legal claim, or where we reasonably believe there is a prospect of one.

• Active accounts: We retain account data and portfolio data for as long as your account is active and for the period reasonably necessary thereafter.
• Closed accounts: Following account closure, we retain account and transactional records for the period reasonably required to meet our legal, regulatory, tax, accounting, and reporting obligations (which under Australian tax and financial record-keeping norms can extend for a number of years after the relevant transactions). After this period we will delete or de-identify the data in the normal course.
• Earlier deletion: You may request earlier deletion of your personal information at any time (see Section 12). We will action your request subject to any overriding legal obligations to retain certain records.
• Aggregated / anonymised data that does not identify you (or that has been irreversibly de-identified) may be retained indefinitely for analytics, product improvement, and benchmarking features.

11. Cookies and Similar Technologies

We use cookies and similar technologies on https://metrifly.com and within the Service. These fall into two categories:

• Essential cookies — required for the Service to function, including authentication (so you stay signed in), security, and basic preferences. These cannot be turned off without breaking the Service.
• Analytics scripts — we use Google Analytics 4 and Microsoft Clarity to understand how the Service is used so we can improve it. These tools collect information such as pages visited, navigation paths, and interaction patterns. They are currently active for all users.

You can limit or opt out of analytics collection through the following means:

• Browser settings — you can block third-party cookies or use a content-blocking extension (such as uBlock Origin or Privacy Badger) to prevent these scripts from loading.
• Google Analytics opt-out — Google provides a browser add-on that prevents your data from being sent to GA4.
• Microsoft Clarity — Clarity respects the browser Do Not Track (DNT) signal. You can enable DNT in your browser settings to opt out of Clarity’s session recording.

Blocking analytics scripts does not affect your ability to use the Service.

12. Your Privacy Rights

Subject to applicable law, you have the following rights in relation to your personal information:

• Access — request a copy of the personal information we hold about you.
• Correction — ask us to correct information that is inaccurate, out of date, incomplete, irrelevant, or misleading.
• Deletion — request deletion of your personal information, subject to legal retention obligations (see Section 10).
• Export — request a copy of your portfolio data in a machine-readable format.
• Withdraw consent — where we rely on your consent (for example, for optional analytics cookies or marketing emails), you can withdraw it at any time.
• Complain — see Section 16 below.

To exercise any of these rights, please contact us at support@metrifly.com. We may need to verify your identity before actioning your request. We will respond within a reasonable time and, in any event, within the timeframes required by the Privacy Act.

13. Children and Age Restrictions

The Service is intended for users aged 18 or over, consistent with Australian financial services norms for self-directed investing. We do not knowingly collect personal information from anyone under 18. If you believe a person under 18 has provided us with personal information, please contact us at support@metrifly.com and we will take reasonable steps to delete it.

14. Marketing Communications

From time to time we may send you product updates, tips, or other marketing communications by email. You can opt out at any time by using the unsubscribe link in any marketing email, or by contacting support@metrifly.com. Opting out of marketing will not affect operational or transactional communications (such as billing notices and security alerts), which are necessary for us to provide the Service.

15. Changes to this Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least a reasonable period before the changes take effect. The “Last updated” date at the top of this Policy indicates when it was most recently revised. Your continued use of the Service after an update constitutes acceptance of the revised Policy.

16. How to Contact Us and Make a Complaint

If you have questions, requests, or complaints about this Policy or our handling of your personal information, please contact us:

• Email: support@metrifly.com
• Entity: Techlyft Pty Ltd
• Jurisdiction: Australia

We will acknowledge your complaint within a reasonable period and aim to resolve it within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

• Website: https://www.oaic.gov.au
• Phone: 1300 363 992

This Privacy Policy is governed by the laws of New South Wales, Australia.