Data & AI
How We Handle Your Data & AI
#YourCA — How We Handle Your Data & AI
Effective date: 26 May 2026 Last updated: 26 May 2026 Version: 1.0
This is a plain-English explainer. It sits alongside the Privacy Policy, the Terms of Use, and the Data Processing Addendum, which are the governing documents. Where this explainer and those documents differ, those documents govern. We have written this page so that a customer, a security reviewer, or one of our source platforms can understand exactly what YourCA does with data in a few minutes.
#The one-line version
We read and cite your data. We don't train on it. We don't rebuild the tools you already run.
YourCA is a cross-source intelligence layer for construction teams. It reads across the systems you already use — Procore, Microsoft 365, Google, Xero, Dropbox — and turns what is inside them into checked, cited, ready-to-sign work. It replaces none of them, and it never becomes training data for an AI model.
#What we do, and what we never do
We do:
- Connect to your sources read-only, with the OAuth permissions you grant.
- Index your content so we can find the relevant passage when you ask.
- Retrieve and cite that passage back to you at the moment you ask, inside your own tenant.
- Apply your firm's rules, rates, and preferences to draft work for you to review.
We never:
- Use your data — or any output, embedding, or index we build from it — to train, retrain, fine-tune, or benchmark any AI model, whether a foundation model or one scoped to your firm.
- Mix one customer's data into another customer's results.
- Use a connected platform's data to clone, reverse-engineer, or compete with that platform's own features.
- Send an email, move a dollar, or commit a position without your explicit sign-off.
#Retrieval, not training — the distinction that matters
There are two very different ways an AI product can use your data, and the difference is the whole point.
- Training means feeding your data into a model so the model's weights change and it "remembers" your data permanently, for everyone. We do not do this.
- Retrieval at inference means that, at the moment you ask a question, the system looks up the relevant passages in your indexed data and supplies them to the model as context for that one answer — then cites them. The model learns nothing and keeps nothing. This is how YourCA works. It is commonly called retrieval-augmented generation (RAG).
Your data is context for your request, not material for our models. Your index exists only to serve your own tenant, and disconnecting a source stops its use.
#What we read from each source, and how we use it
Every connection is read-only and authorised by you. None of it is ever used to train a model.
| Source | What we read (with your authorisation) | How we use it | Used to train AI? |
|---|---|---|---|
| Procore | Projects, RFIs, submittals, contacts, and related records | Cross-check, cite, and draft at inference time, in your tenant | Never |
| Microsoft 365 (Outlook, OneDrive, SharePoint, Teams) | Mail, files, and documents you authorise | Cross-check, cite, and draft at inference time, in your tenant | Never |
| Google (Gmail, Google Drive) | Mail and files within the restricted scopes you authorise | Provide the user-facing features you request | Never |
| Xero | Accounting records you authorise (for example, AR aging) | Financial cross-checks and citations | Never |
| Dropbox | Files and folders you authorise | Cross-check, cite, and draft at inference time, in your tenant | Never |
#Where your data lives
Customer Data, including the index and any data used for AI processing, is hosted in Australia (Sydney, AWS region ap-southeast-2). We do not move Customer Data outside Australia for primary processing or storage without notifying you. Some service providers operate overseas; where that involves a cross-border disclosure we apply the safeguards described in the Privacy Policy and, where the GDPR or UK GDPR applies, the EU Standard Contractual Clauses or the UK IDTA described in the DPA.
#Your controls
- Read-only. We never get write access to your sources unless a specific feature requires it and you grant it.
- Disconnect any time. Removing a connection stops further reading from that source.
- Turn AI off. Administrators can disable AI features for the tenant from the admin console.
- Sign-off gate. Nothing is sent, paid, or committed without your explicit approval; anything financial carries a second confirmation.
- Export and delete. You can export Customer Data while your account is active and request deletion as set out in the Terms and DPA.
#We complement your tools; we don't compete with them
YourCA is deliberately positioned as the layer that reads across your systems, not as a replacement for any of them. Keep Procore, your inbox, and your accounting exactly as they are. We do not use a connected source's data to build a competing replica of that source's features. Where a platform builds its own AI and agents, that is its box to build in; our value is breadth across many sources plus Australian data sovereignty, not a wrapper around any single one.
#How this maps to each platform's rules (references)
We comply with the developer, API, and marketplace terms of every source you connect. In particular:
- Procore — We honour the Procore Developer Program and Marketplace terms, which restrict using Procore data to train AI or machine-learning models. Procore data is categorically excluded from all model training and is used only to deliver the feature you request, at inference time.
- Google — We comply with the Google API Services User Data Policy, including its Limited Use requirements. We do not use Google restricted-scope data (Gmail, Google Drive) to train, develop, or improve any generalised or standalone AI/ML model, and we use it only to provide the user-facing features you request.
- Microsoft — We comply with the Microsoft APIs Terms of Use and Microsoft 365 / Graph data-handling requirements.
- Xero — We comply with the Xero Developer Platform terms.
- Dropbox — We comply with the Dropbox API terms and developer branding guidelines.
Our own governing documents put the same commitment in contract: see Privacy Policy clause 5, Terms clause 5.4, and the DPA, Annex 2 (AI-specific measures).
#Questions
- Privacy and your data rights: admin@creatoralliancegroup.com
- Security and vulnerability reports: admin@creatoralliancegroup.com
- Commercial and contract questions: admin@creatoralliancegroup.com
Creator Alliance Group Pty Ltd · Suite 302, 13/15 Wentworth Avenue, Sydney NSW 2000, Australia