CORA
Features How it works Client portal Pricing Security FAQ
Sign in Start free trial

Legal

Privacy Policy

Last updated: 4 May 2026

1. Who we are

CORA - the Conveyancing Operations & Risk Assistant - is operated by D&D IS Pty Ltd (ABN 92 141 367 464) ("CORA", "we", "us", "our"), an Australian company providing software-as-a-service to licensed conveyancers and property lawyers.

You can reach our privacy contact at privacy@getcorahq.com.

2. About this policy

This Privacy Policy explains how we handle personal information in connection with the CORA service. We comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) issued by the Office of the Australian Information Commissioner (OAIC).

This policy covers two categories of users:

  • Customers - the conveyancing firms and individual practitioners who hold a CORA account and use the platform to manage matters.
  • End clients - the buyers, sellers, and other parties whose information our customers enter into the platform or who interact with their conveyancer through the CORA client portal.

Where our customer is the controller of end-client personal information, CORA acts as a service provider on the customer's behalf. The customer's own privacy policy governs their relationship with their clients; this policy governs how CORA, as their service provider, handles that information.

3. Information we collect

3.1 Account information (from customers)

When a firm signs up for CORA we collect:

  • Firm trading name and Australian Business Number (ABN)
  • Primary administrator name, email address, and password hash
  • Phone number, where provided
  • Billing details (handled by our payments processor - we do not store full card numbers)
  • User accounts created by the firm administrator (name, email, role)

3.2 Matter and client information (from customers about end clients)

To run a conveyancing matter the customer enters or uploads:

  • Client names, contact emails, phone numbers, addresses, and dates of birth
  • Property addresses, sale prices, deposit amounts, and key dates
  • Conveyancing documents - contracts of sale, Section 32 vendor statements, rates and water notices, loan approvals, identity documents, and similar
  • Online form responses submitted by clients via the secure portal, including identity declarations, source-of-funds declarations, and ownership preferences

Some of this information is sensitive personal information (for example, photographs of identity documents). We treat sensitive information with the additional safeguards set out in section 10 below.

3.3 Information collected automatically

When you use CORA we automatically collect:

  • Log data: IP address, browser, device type, pages visited, timestamps
  • Audit-log entries linking each meaningful action to the user who performed it
  • Cookies and similar technologies (see section 8)

4. How we use information

We use personal information to:

  • Provide the CORA service - extract data from documents, run risk checks, generate checklists, calculate adjustments, host the client portal, and deliver email drafts and notifications.
  • Authenticate users and protect accounts (e.g. one-time codes, password resets, suspicious-login detection).
  • Process billing and manage subscriptions.
  • Maintain the audit log required for the legal-grade trust we promise our customers and their auditors.
  • Communicate with customers about service changes, security events, and (where opted in) product updates.
  • Detect, investigate, and prevent fraud, abuse, or unlawful activity.
  • Comply with legal obligations.
  • Improve the service - in aggregated, de-identified form. We do not train third-party AI models on customer matter data.

5. Sub-processors

To deliver CORA we use a small number of carefully chosen sub-processors. Each is bound by contractual confidentiality and security obligations. The current list:

Provider Purpose Region
OpenAI AI document classification, field extraction, and risk-flag generation United States
Stripe Subscription billing and payment processing United States / Australia
Cloud hosting provider Application hosting and document storage Australia
Email delivery provider Sending transactional and notification emails Australia / United States
Google Analytics Website analytics (marketing pages only) United States

OpenAI is contracted under terms that prohibit the use of CORA customer data to train OpenAI's models. We pass only the data needed for each request and log every AI call against the originating matter for audit purposes.

6. Disclosure to third parties

We do not sell personal information. We disclose information only in these circumstances:

  • To the customer that controls the matter, and the users they have authorised on that matter.
  • To the sub-processors listed in section 5, strictly to provide the service.
  • To comply with a court order, subpoena, or other lawful request from an Australian authority.
  • To protect the rights, property, or safety of CORA, our customers, their clients, or the public.
  • In connection with a business transaction (merger, acquisition, financing, or sale of assets), subject to confidentiality obligations.

7. International data transfers

CORA application data is hosted in Australia. Some of our sub-processors operate outside Australia (notably OpenAI in the United States). Where personal information is transferred overseas, we take reasonable steps to ensure the overseas recipient handles it in a manner consistent with the APPs.

8. Cookies & analytics

We use cookies and similar technologies on the CORA website and application:

  • Strictly necessary - session cookies for login and security. These cannot be disabled if you want to use the service.
  • Analytics - Google Analytics on the marketing pages (the cora.app application does not run Google Analytics on logged-in pages).

You can control cookies via your browser settings. We honour Do Not Track signals by not loading analytics for visitors whose browsers send them.

9. Data retention

We retain customer matter data for the lifetime of the customer's subscription and for a reasonable period afterwards to support compliance obligations and any handover to the customer's nominated archive.

Audit-log entries are retained for at least seven (7) years to satisfy professional record-keeping obligations applicable to conveyancing.

Customers can request export or deletion of their tenant data. End clients should direct access, correction, or deletion requests to the conveyancing firm that controls the matter; CORA will assist the firm to action those requests.

10. Security

We protect personal information with measures including:

  • Tenant isolation in the database, document storage, and AI search index
  • Encryption in transit (TLS) and at rest for stored documents
  • Role-based access control (Admin, Practitioner, Assistant, Client)
  • Anti-forgery protection on every state-changing form submission
  • Document storage hosted outside the public web root
  • OTP-gated client portal with single-use, per-recipient links
  • Comprehensive audit logging on every meaningful action
  • Strong password protection and session-rotation policies

No system is perfectly secure. If we become aware of a security incident that affects your personal information, we will notify you in accordance with our obligations under the Notifiable Data Breaches scheme.

11. Your rights

Subject to the Privacy Act, you have the right to:

  • Access the personal information we hold about you
  • Request correction of information that is inaccurate or out of date
  • Withdraw consent to optional processing (e.g. marketing communications)
  • Make a complaint about how we have handled your personal information

To exercise these rights, email privacy@getcorahq.com. We will respond within 30 days.

12. Children

CORA is a B2B product for licensed professionals. The service is not directed at children, and we do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, please contact us and we will delete it.

13. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes will be communicated to active customers by email at least 14 days before they take effect.

14. Complaints

If you believe we have breached the Australian Privacy Principles or mishandled your personal information, please contact us first using the details below. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner:

15. Contact us

Questions about this policy or our handling of personal information:

Privacy Officer
D&D IS Pty Ltd
Email: privacy@getcorahq.com

Looking for the Terms of Service? See our Terms of Service for the legal terms governing your use of CORA.