Privacy Policy

Alloovium handles personal information in accordance with:

• •The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) (Schedule 1 to the Privacy Act);
• •The Notifiable Data Breaches (NDB) scheme (Part IIIC of the Privacy Act);
• •The Spam Act 2003 (Cth) in respect of electronic communications and marketing; and
• •Other mandatory Australian Commonwealth or state laws and regulatory guidance applicable to data protection and privacy.

Where Alloovium processes personal information of individuals located in the European Economic Area (EEA) or United Kingdom, the EU General Data Protection Regulation (GDPR) and applicable UK data protection law may also apply.

Depending on the Service and relationship, we may collect and process the following categories of personal information:

1. 1.Account and Contact Information: name, email, phone, job title, organisation, and login details.
2. 2.Billing and Payment Information: invoicing contact, bank details, GST/ABN data.
3. 3.Service Use Data (Usage Data): technical/telemetry data about how the Service runs and is used (e.g., feature interactions, performance, error rates, device/browser information); excludes Customer Content.
4. 4.Customer Content: files, documents, and information provided or generated through use of the Service (as defined in the Terms of Service).
5. 5.Communications Data: support requests, chat/email correspondence, and service feedback.
6. 6.Cookies and Online Identifiers: session and preference cookies used for secure access and analytics.

We do not collect sensitive information (as defined under the APPs, including health, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record, or biometric data) unless explicitly agreed and governed by a written data processing agreement.

Alloovium collects, uses, and discloses personal information only when it is reasonably necessary for one or more of our functions or activities, in accordance with the Australian Privacy Principles.

• •APP 3 (Collection) — we only collect personal information that is reasonably necessary for our functions or activities, by lawful and fair means, and directly from the individual where reasonably practicable.
• •APP 6 (Use and Disclosure) — we only use or disclose personal information for the primary purpose of collection, or for a secondary purpose where the individual would reasonably expect, has consented, or where required or authorised by law.
• •APP 8 (Cross-border Disclosure) — before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the recipient does not breach the APPs. See Section 7 (International Transfers).

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable Australian law.

Financial and accounting records are retained for seven (7) years in accordance with obligations under the Corporations Act 2001 (Cth) and the Tax Administration Act 1953 (Cth). Security logs and telemetry data are retained for twelve (12) to twenty-four (24) months to ensure system integrity and detect security incidents.

Upon termination of the Service, we will delete or anonymise Customer Content within ninety (90) days, unless a longer retention period is required to comply with legal obligations or to establish, exercise, or defend legal claims.

Alloovium may engage third-party processors (e.g., hosting, analytics, email providers) under written agreements that require them to handle personal information in a manner consistent with the Australian Privacy Principles.

A current list of sub-processors is set out in Appendix 1 and is available upon request to zander@alloovium.com.

Alloovium does not sell or lease personal information to third parties.

Alloovium is based in Australia and primarily processes personal information in Australia. Some of our third-party sub-processors are located or operate outside Australia (e.g., in the USA, Singapore, or the EEA).

Before disclosing personal information to an overseas recipient, Alloovium takes reasonable steps to ensure the overseas recipient does not breach the Australian Privacy Principles in relation to that information, consistent with APP 8.

Where an individual consents to the overseas disclosure, or where the disclosure is required or authorised by Australian law, we rely on those grounds in accordance with APP 8.2.

Where we process personal information of individuals in the EEA or UK, we rely on EU Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms in addition to our APP 8 obligations.

Alloovium implements appropriate technical and organisational measures consistent with ISO 27001-aligned controls to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure (APP 11). These measures include:

• •Encryption at rest and in transit;
• •Access control and least-privilege principles;
• •Audit logging and monitoring;
• •Regular vulnerability assessments; and
• •Employee confidentiality and data-protection training.

For individuals located in the EEA, we will additionally comply with GDPR breach notification requirements (including the 72-hour notification obligation) where applicable.

We verify identity and respond without undue delay, typically within 30 days. Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, individuals have the following rights:

• •Access (APP 12): obtain confirmation and a copy of the personal information we hold about you.
• •Correction (APP 13): request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information.
• •Complaint: lodge a privacy complaint with Alloovium; if not resolved to your satisfaction, you may escalate to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

As a matter of policy, Alloovium will also consider requests to delete personal information, restrict processing in certain circumstances, and provide a portable copy of your personal information.

For individuals located in the EEA or UK, the full suite of GDPR/UK GDPR rights apply in addition to the above.

All requests may be sent to zander@alloovium.com. We may require reasonable verification of identity before fulfilling a request.

Alloovium uses product analytics consistent with our Usage Data definition; see Section 3.1 for details of the types of cookies we use and how to manage them. We may also use third-party analytics tools that set their own cookies in accordance with their privacy policies.

We do not use Customer Content or personal information to train foundation AI models unless you have expressly opted in in writing. You retain all right, title, and interest in personal information, inputs, uploads, files, and other information you or your organisation provide to the Service ("Customer Content").

You grant Alloovium a non-exclusive, worldwide licence for the term of the Agreement to host, process, transmit, display, and create technical copies of Customer Content as reasonably necessary to provide the Service.

• •Model training. Alloovium does not use Customer Content to train foundation models unless you have expressly opted-in in writing.
• •Business-critical materials. Alloovium will not use business-critical or sensitive Customer Content for product improvement except as necessary to operate or support the Service, or where you have expressly opted in in writing.

Alloovium may create and use data that is (a) Aggregated so that no individual or Customer is identifiable, and/or (b) De-Identified so that it cannot reasonably be used to identify an individual or Customer. Alloovium may use such data for benchmarking, trend analysis, capacity planning, and product improvement.

Alloovium will not attempt to re-identify Aggregated or De-Identified Data and will contractually restrict sub-processors from doing so.

Each party will protect the other's non-public information with reasonable care and use it only to perform under the Terms of Service. Australian common law obligations of confidence and any applicable provisions of the Corporations Act 2001 (Cth) may also apply.

We may update this Privacy Policy from time to time. Material changes will be notified in advance by email or prominent notice on our platform. Continued use of the Service after the effective date of the updated Policy constitutes acceptance.

Alloovium Pty Ltd is the APP entity responsible for the personal information described in this Policy. For privacy enquiries, complaints, or to exercise your rights, please contact us at:

If your complaint is not resolved to your satisfaction, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992.

This Privacy Policy is governed by the laws of Queensland, Australia. Any dispute, claim, or matter arising out of or in connection with this Policy shall first be subject to good-faith negotiation between the parties. If not resolved within 30 days, the dispute shall be finally resolved by arbitration administered by the Australian Centre for International Commercial Arbitration (ACICA) in accordance with the ACICA Arbitration Rules, seated in Brisbane, Queensland. Proceedings will be conducted in English and are confidential.

We maintain this list and note material changes. For each sub-processor, we apply the principle of least privilege — each third-party system shall only have access to the minimum personal information required to fulfil its purpose.