
#Project Brain — Privacy Policy

Effective date: 26 May 2026
Last updated: 26 May 2026
Version: 1.0

This Privacy Policy explains how Project Brain Pty Ltd (ABN: TBC) (Project Brain, we, us, our) collects, uses, discloses, stores, secures, and otherwise handles personal information. We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where we process personal information of individuals in the European Economic Area, United Kingdom, or other jurisdictions with applicable data protection laws, we additionally comply with those laws (including the GDPR and UK GDPR).

This policy applies to:

(a) visitors to our websites and marketing properties; (b) users of the Project Brain service (the Service); (c) prospective customers, partners, and job applicants; and (d) any other individual whose personal information we collect.

If you do not agree with this policy, you should not use the Service.


#1. Our role: controller and processor

We act in two distinct capacities:

  • Controller — for personal information about visitors, account administrators, billing contacts, prospects, and our own personnel. We determine the purposes and means of processing.
  • Processor — for personal information uploaded to or generated within the Service by our Customers ("Customer Data") on behalf of the Customer (the controller). For that data, the Customer is responsible for the lawful basis and for responding to data subject requests; we process it under our agreement with the Customer.

References to "personal information" in this policy align with the meaning under the Privacy Act 1988 (Cth) and include "personal data" under the GDPR/UK GDPR.

#1.1 Our privacy commitments

We apply privacy-by-design principles. This means we:

  • collect only the personal information we need for a specified purpose;
  • limit access to personal information to personnel who need it;
  • minimise the use of identifiers and pseudonymise or de-identify where practicable;
  • design new features with a privacy impact assessment where the feature poses a higher risk;
  • maintain internal records of our personal information handling practices, as required by APP 1; and
  • review this policy at least annually.

#1.2 Scope

This policy applies globally to Project Brain's handling of personal information. Where local law mandates additional rights or stricter protections, those apply in addition to (and prevail over) this policy.


#2. Information we collect

#2.1 Information you give us

  • Account information — name, work email, phone, job title, employer, password (hashed), profile photo.
  • Billing information — billing contact, ABN/VAT/tax ID, business address, payment method details (stored by our payment processor, not by us).
  • Content you upload — files, documents, messages, project data, photos, drawings, and other Customer Data you submit to the Service.
  • Communications — emails, support tickets, survey responses, feedback, and call recordings (where notified).
  • Identity verification — where required for higher-trust features, identity documents and verification metadata.

#2.2 Information we collect automatically

  • Usage data — pages viewed, features used, clicks, search queries, time stamps, performance metrics, errors, and crash reports.
  • Device and connection — IP address, device identifiers, browser type and version, operating system, screen size, referring URL, language preference.
  • Approximate location — derived from IP address (city/country level), used for security, fraud prevention, and regional routing.
  • Cookies and similar technologies — see clause 7.

#2.3 Information from third parties

  • Identity providers and SSO — where you sign in via Google, Microsoft, or another SSO provider, we receive profile information they share.
  • Integrations — when you connect third-party services (for example, Gmail, Microsoft 365 / Outlook / OneDrive / Teams, Dropbox, Xero, Procore), we receive information you authorise that service to share with us, scoped to the OAuth permissions you grant.
  • Lead and enrichment providers — limited business contact information for sales and marketing.
  • Public sources — corporate websites, professional networks, and public registers.
  • Payment processors — transaction status, last four digits of card numbers, expiry, and fraud signals.

#2.4 Sensitive information

We do not seek to collect sensitive information (such as health, racial or ethnic origin, religious beliefs, sexual orientation, or biometric data). If you upload such information to the Service, you do so as the controller and warrant that you have a lawful basis. We will treat any sensitive information we hold with the additional protections required by law.


#3. How we collect personal information

We collect personal information:

(a) directly from you when you sign up, configure your Account, use the Service, contact us, or apply for a role; (b) automatically as you use the Service or our marketing properties; (c) from your authorised users, administrators, or colleagues acting on your behalf; (d) from third parties listed in clause 2.3; and (e) where required or authorised by law.

Where reasonable and practicable, we collect personal information directly from you. Where this is not the case (for example, lead enrichment), we take reasonable steps to ensure you are informed of the matters required by APP 5.


#4. Why we collect personal information and our legal bases

We collect, hold, use, and disclose personal information for the following purposes:

| Purpose | Examples | GDPR/UK GDPR legal basis |
|---|---|---|
| Providing the Service | Authenticating, hosting Customer Data, delivering features | Contract performance |
| Account management and support | Account setup, billing, support tickets | Contract performance |
| Security and abuse prevention | Detecting fraud, abuse, intrusion; protecting users and the Service | Legitimate interests; legal obligation |
| Improving the Service | Diagnostics, analytics, feature usage research | Legitimate interests |
| Communications about the Service | Service notices, security alerts, billing emails, policy updates | Contract performance; legal obligation |
| Marketing | Newsletters, product announcements, events | Consent (where required); legitimate interests |
| Legal and compliance | Tax records, regulatory reporting, responding to lawful requests, defending claims | Legal obligation; legitimate interests |
| Corporate transactions | Due diligence and integration in mergers, acquisitions, or financings | Legitimate interests |
| Recruitment | Assessing applicants | Pre-contract steps at the data subject's request |

We do not engage in profiling that produces legal or similarly significant effects on individuals without their consent.


#5. AI and machine learning

The Service uses machine learning and generative AI to provide features such as search, summarisation, classification, and content generation. When we process Customer Data with these features:

  • processing is performed within our AWS environment in Australia or under contracts that prohibit the sub-processor from using the data to train its own foundation models;
  • outputs are returned only to the Customer's tenant and are subject to the same access controls as other Customer Data;
  • we do not use Customer Data to train foundation models that are made available to other customers or the public;
  • where we use Customer Data to train tenant-scoped models (for example, to personalise search), training is limited to that Customer's tenant and the resulting model is not shared.

Where AI-generated output is provided, we mark it as such where reasonably practicable. AI outputs may be inaccurate; Customers must review them before relying on them.

Account administrators may disable AI features for their tenant from the admin console. Where disabled, Customer Data will not be processed through AI features beyond what is strictly necessary to deliver the Service (such as full-text search indexing).


#6. Who we disclose personal information to

We disclose personal information to:

(a) Authorised Users within your organisation — collaboration is core to the Service. Account administrators may have access to other users' activity and content;

(b) Our service providers and sub-processors — including Amazon Web Services (AWS), which we use to host the Service, store indexed data, and perform AI processing on Customer Data. We also use providers for email delivery, analytics, customer support, payment processing, identity verification, and security tooling. We maintain a current list of sub-processors, available on request, and notify Customers at least 30 days before engaging a new sub-processor that materially affects the processing of Customer Data. Customers may object on reasonable data-protection grounds (see the Terms);

(c) Third parties you connect — when you authorise an integration, we exchange information with that service per your authorisation;

(d) Professional advisors — lawyers, auditors, accountants, and insurers under confidentiality obligations;

(e) Acquirers — in connection with a merger, acquisition, restructure, financing, or sale of assets, subject to confidentiality;

(f) Regulators, law enforcement, and courts — where required by law, including in response to a lawful request such as a subpoena, search warrant, or court order. We assess each request and challenge those that are overbroad or unlawful where appropriate;

(g) To protect rights and safety — to enforce our terms, prevent fraud, address security issues, or protect the rights, property, or safety of Project Brain, our customers, or others; and

(h) With your consent — for any other purpose disclosed to you at the point of collection.

We do not sell personal information.


#7. Cookies and similar technologies

We use cookies, local storage, web beacons, and similar technologies, classified as follows:

| Category | Purpose | Consent | Examples |
|---|---|---|---|
| Strictly necessary | Sign-in, session security, CSRF protection, load balancing | Required to use the Service; cannot be disabled | Session cookie, auth cookie, CSRF token |
| Functional | Remember preferences (language, layout, recently viewed) | Implied consent through use | Preferences cookie, recently-viewed cache |
| Analytics | Measure use, diagnose errors, improve features (aggregated) | Opt-out in jurisdictions allowing implied consent; opt-in in EU/UK | First-party product analytics, error monitoring |
| Marketing | Deliver and measure advertising; attribute conversions | Opt-in everywhere | Advertising pixels (used only where consent is obtained) |

You can control cookies through:

  • our cookie preferences tool;
  • your browser settings (note that disabling strictly necessary cookies may prevent the Service from working); and
  • platform-level controls in your operating system.

We honour the Global Privacy Control (GPC) signal as an opt-out request where required by law. We do not respond to "Do Not Track" browser signals, as no consistent industry standard exists.


#8. Direct marketing

We may send you marketing communications about Project Brain products, features, events, and offers. You can opt out at any time:

  • by clicking "unsubscribe" in any marketing email;
  • by replying STOP to any SMS marketing message;
  • by adjusting in-product notification preferences; or
  • by emailing privacy@projectbrain.com.au.

We comply with the Spam Act 2003 (Cth) for electronic marketing to Australian recipients. We send commercial electronic messages only where we have express or inferred consent, every message identifies us as the sender with valid contact details, and every message includes a functional unsubscribe mechanism that takes effect within 5 business days. For recipients outside Australia, we comply with applicable laws (including GDPR/UK GDPR consent requirements, CAN-SPAM, and CASL).

Opting out of marketing does not affect transactional, security, or service messages we need to send to operate the Service.


#9. International data transfers and data residency

#9.1 Data residency

Customer Data, including indexed data and data used for AI processing, is hosted in Australia (Sydney region) on Amazon Web Services (AWS). We will not transfer Customer Data outside Australia for primary processing or storage without notifying the Customer.

#9.2 Cross-border disclosure

Some service providers we use are located outside Australia (including the United States, United Kingdom, and European Union). Before disclosing personal information overseas, we take reasonable steps to ensure the recipient does not breach the APPs, including by:

(a) entering into contractual safeguards (such as Standard Contractual Clauses or the UK International Data Transfer Addendum) where applicable; (b) assessing the recipient's privacy and security practices; and (c) limiting disclosure to what is necessary.

A list of countries where our sub-processors are located is available on request.

#9.3 GDPR transfers

For transfers of personal data out of the EEA or UK, we rely on:

(a) adequacy decisions issued by the European Commission or the UK Information Commissioner (Australia does not currently have full adequacy; transfers to Australia are made under appropriate safeguards); (b) the European Commission's 2021 Standard Contractual Clauses (Module 1, 2, or 4 as applicable); (c) the UK International Data Transfer Addendum to the EU SCCs (or the UK IDTA, at our discretion); and (d) other lawful transfer mechanisms where applicable.

We perform a transfer impact assessment for material transfers where required and document supplementary measures (such as encryption with customer-controlled keys, pseudonymisation, or contractual challenge of government access requests).


#10. Security

We implement administrative, physical, and technical safeguards designed to protect personal information against loss, misuse, interference, unauthorised access, modification, and disclosure, including:

  • encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent);
  • role-based access controls and least-privilege principles for personnel;
  • multi-factor authentication for staff with access to production systems;
  • monitoring, logging, and intrusion detection;
  • regular vulnerability scanning, patching, and third-party penetration testing;
  • secure software development practices including code review and dependency scanning;
  • personnel background checks (where lawful), confidentiality obligations, and ongoing training; and
  • formal incident response procedures.

No system is perfectly secure. You are responsible for keeping your credentials safe and using available security features (such as MFA and SSO).


#11. Data retention

We retain personal information only for as long as necessary for the purposes for which it was collected or as required by law.

| Category | Retention |
|---|---|
| Active Account information | For the life of the Account, plus 90 days after closure |
| Customer Data (in-Service) | While the Account is active; 30 days for export after termination; then deleted (subject to clause 11 below and legal hold) |
| Billing and tax records | 7 years from the end of the financial year (per Australian tax law) |
| Marketing contacts | Until you unsubscribe or after 24 months of inactivity |
| Support communications | 3 years from the date of the interaction |
| Security logs | Up to 24 months |
| Backups | Rolling 35 days |
| Recruitment data (unsuccessful applicants) | 12 months unless you consent to longer |

We may retain information for longer where required by law, for the establishment, exercise or defence of legal claims, or in anonymised form for analytics and research.


#12. Your rights

Subject to applicable law and verifying your identity, you may exercise the following rights:

#12.1 All individuals (including Australia)

  • Access — request access to personal information we hold about you (APP 12).
  • Correction — request correction of inaccurate or out-of-date information (APP 13).
  • Complaint — complain about our handling of your personal information (see clause 16).

We will respond within 30 days. We may decline access in limited circumstances permitted by law (for example, where giving access would breach another person's privacy or reveal commercially sensitive information) and will give written reasons.

#12.2 GDPR / UK GDPR

If GDPR or UK GDPR applies to you, you additionally have rights to:

  • erasure ("right to be forgotten") in certain circumstances;
  • restriction of processing;
  • data portability in a structured, machine-readable format;
  • object to processing based on legitimate interests, including profiling, and to processing for direct marketing;
  • withdraw consent at any time where processing is based on consent (without affecting the lawfulness of prior processing); and
  • lodge a complaint with a supervisory authority (in the UK, the ICO; in Ireland, the DPC; in your country of residence within the EEA).

#12.3 How to exercise rights

Email privacy@projectbrain.com.au with details of your request. If you are an Authorised User of a Customer's Account, we may direct your request to that Customer (as controller) and assist them in responding.

We do not charge for routine requests. We may charge a reasonable cost-based fee for manifestly unfounded or excessive requests, or refuse to act, as permitted by law.

#12.4 Identity verification

Before acting on a request, we will take reasonable steps to verify your identity. For account holders, this is usually confirming the request from the registered email and, where higher risk, requiring a second factor. For non-account holders, we may request government-issued identification or other proof. Identity documents are destroyed once verification is complete.

#12.5 Response timeframes

We will respond to:

  • access and correction requests under APP 12/13: within 30 days;
  • requests under GDPR/UK GDPR: within 1 month, extendable by up to 2 further months for complex requests on notice;
  • erasure, restriction, portability, and objection requests under GDPR/UK GDPR: within 1 month.

We will tell you if we cannot meet a request and why.


#13. Children's privacy

The Service is intended for use by adults in business settings. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact us and we will take steps to delete it.


#14. Data breach notification

We maintain a documented incident response plan that is tested annually. On becoming aware of a suspected breach, our security team triages within 24 hours, contains within 72 hours where practicable, and conducts a written assessment.

If we determine that an eligible data breach has occurred under the Privacy Act 1988 (Cth) Notifiable Data Breaches scheme, or a personal data breach has occurred under GDPR/UK GDPR that is likely to result in risk to the rights and freedoms of natural persons, we will:

(a) notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable (and in any event within 30 days of becoming aware, per the NDB scheme); (b) notify the relevant European or UK supervisory authority within 72 hours of becoming aware, where feasible; (c) notify affected individuals without undue delay, with information about the breach, likely consequences, and steps they can take; and (d) maintain a record of the breach and our response.

Where we process Customer Data as a processor, we will notify the Customer without undue delay (and in any event within 48 hours of confirming a personal data breach affecting their data) to allow them to meet their own notification obligations under applicable Privacy Laws.


#15. Anonymised, de-identified, and aggregated data

We may create anonymised, de-identified, or aggregated data from personal information (including Customer Data) and use it for any lawful purpose, including improving the Service, benchmarking, and producing industry research.

When we de-identify data, we apply techniques such as removing direct and indirect identifiers, generalising values, aggregating records, applying differential privacy where appropriate, and assessing re-identification risk. We do not attempt to re-identify data we have de-identified, and we contractually prohibit recipients from doing so.

Once data is genuinely de-identified or aggregated, it does not identify any individual or Customer and is not subject to this Privacy Policy.

We may also pseudonymise personal information (replacing direct identifiers with tokens, with the mapping held separately and protected) where this reduces risk without preventing the intended purpose. Pseudonymised data is still personal information and remains subject to this policy.


#16. Complaints

If you have a concern or complaint, please contact us first at privacy@projectbrain.com.au. We aim to acknowledge complaints within 5 business days and resolve them within 30 days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner:

Office of the Australian Information Commissioner (OAIC)
GPO Box 5288, Sydney NSW 2001
1300 363 992
oaic.gov.au

EU/UK residents may complain to their local supervisory authority.


#17. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The "Last updated" date will reflect any change. Where changes are material, we will notify you by email or in-product notification at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.

Prior versions are available on request.


#18. Contact us

For all privacy questions, requests, and complaints:

Project Brain Pty Ltd — Privacy Officer
Suite 302, 13/15 Wentworth Avenue
Sydney NSW 2000, Australia

Email: privacy@projectbrain.com.au
Security: security@projectbrain.com.au

We do not currently market or offer the Service to individuals in the European Economic Area or the United Kingdom. If that changes and Article 27 of the GDPR or UK GDPR requires us to appoint a representative, we will do so and update this policy.
