This page is maintained by Banksia Collective. It describes the security and privacy controls we operate today. It is not a certification or an independent audit. For legal terms, see the Legal page.
Overview
This page is maintained by Banksia Collective to answer common security and privacy questions about how the site, the Private Register, and inquiry forms handle your information. It describes the controls we operate today. It is editable content written by us, not an independent certification or third-party audit.
Access & Authentication
Administrative areas of the site are restricted to named members of the Banksia Collective team. Admin access requires email and password sign-in, and every administrative action is checked server-side against a role table before any data can be read or modified. Visitors and prospective clients never need an account to browse properties, locations, services, or insights.
Platform & Hosting
The site runs on Lovable Cloud, a managed platform built on Supabase and Vercel-class infrastructure. Data is stored in a managed Postgres database with row-level security policies that default to deny. Backend functions run in isolated serverless environments and only receive the information needed to complete a single request. We rely on Lovable's platform security posture for transport encryption (HTTPS in transit), at-rest encryption of the database, and routine patching of the underlying runtime. This is a description of platform capabilities, not a certification.
Data We Collect
We collect only what is necessary to respond to you. Inquiry forms collect your name, email, optional phone, and the message or attachment you choose to send. The Private Register collects your name, email, and the interest categories you select. Anonymous analytics about page views and traffic sources may be collected to improve the editorial direction of the site. We do not collect payment information on this site, and we do not run advertising trackers or third-party retargeting pixels by default.
Subprocessors & Integrations
We use a small set of trusted service providers to operate the site: Lovable Cloud for hosting, application database, file storage, and serverless functions; Resend for transactional email (inquiry confirmations and the Private Register); and Lovable AI Gateway for AI-assisted editorial tooling used internally by our team. Each provider only receives the minimum data required for its task.
Retention & Deletion
Inquiries and Private Register entries are retained for as long as the relationship is active or while a request is being followed up. You can request deletion or correction of your information at any time by writing to ros@banksiacollective.com, and we will action the request within a reasonable period. Every email we send to the Private Register includes a one-click unsubscribe link.
File Uploads
When you attach documents or images to a private inquiry, files are stored in a private storage bucket that is not publicly browseable. Only Banksia Collective admins can read or remove those files. Uploads are limited in file type (images and PDFs) and in size to prevent abuse.
Cookies & Analytics
The site uses only the cookies required for it to function correctly and, where enabled, lightweight first-party analytics to understand which editorial content is read. No third-party advertising cookies are set by default. If we add any new tracking technology in the future, this page will be updated and, where required by law, you will be asked for consent.
Security Contact
If you believe you have found a security or privacy issue, please write to ros@banksiacollective.com with the subject line 'Security report'. We will acknowledge legitimate reports and work in good faith to investigate and remediate. Please do not test live forms, accounts, or third-party services beyond what is necessary to demonstrate the issue.
Shared Responsibility
Operating a secure experience is a shared responsibility between Banksia Collective, our platform providers, and you. We are responsible for the application logic, the access policies on the data we hold, and how we handle your inquiries. Our platform providers are responsible for the underlying infrastructure. You are responsible for protecting the email account and devices you use to communicate with us. For our standard privacy policy, terms of use, and disclaimer, please see the Legal page.