1. Introduction
MaitrixAI Pty Ltd (ABN 38 669 653 785; ACN 669 653 785), trading as SmartChatAI
("SmartChatAI," "we," "us," or "our"), respects your privacy and is committed to safeguarding
your personal data. This Privacy Policy explains how we collect, use, disclose, and protect
information when you access our websites, subscribe to or use our AI-powered chat services, or
otherwise interact with us. We comply with the Australian Privacy Act 1988 (Cth) and Australian
Privacy Principles, the EU/UK GDPR, the CCPA/CPRA, and other applicable laws.
By using our Services, you acknowledge that you have read and understood this Policy. If you do
not agree with our practices, please do not access our Services.
2. Scope and Role Definitions
This Policy applies to personal data processed by SmartChatAI in connection with:
- Controller activities – When we collect and determine how to process personal data of website visitors, prospective customers, customers, authorised users, and marketing contacts, we act as a data controller.
- Processor activities – When our Customers integrate our AI chat agents on their own websites or platforms, we process their end-users' data strictly under the Customers' instructions. For these "Customer end-users," our Customers are the data controllers, and we act as a data processor or "service provider."
This Policy does not cover how our Customers handle end-user data; Customers should provide
their own privacy notices.
3. Definitions
- Personal data – any information relating to an identified or identifiable individual.
- Processing – any operation performed on personal data (e.g., collection, storage, use, disclosure).
- Customer – an entity that contracts with SmartChatAI for the Services.
- Authorised user – an individual authorised by a Customer to access the Services.
- Customer end-user – an individual whose information we process on behalf of a Customer.
- Sensitive information – categories of data defined by the Privacy Act (race, health, etc.), which we do not intentionally collect.
- Service(s) – our AI chat platform, APIs, websites, and related features.
4. Legal Bases for Processing
We only process personal data when a lawful basis exists, including consent, contractual
necessity, legitimate interests (e.g. improving our Services, preventing fraud), and compliance
with legal obligations.
5. Categories of Data Subjects
We may process personal data relating to:
- Site visitors – individuals who browse our websites.
- Prospective customers and marketing contacts – individuals who engage with us via web forms, downloads, emails, or events.
- Customers and authorised users – individuals who use the Services on behalf of a Customer.
- Customer end-users – individuals interacting with our Customers' chatbots (processed under Customers' instructions).
- Business partners and vendors – contacts at service providers, affiliates, or partners.
6. Personal Data We Collect
6.1 Data You Provide
We collect personal data you voluntarily provide, such as:
- Contact and identity data: names, job titles, employer names, business addresses, email addresses, phone numbers.
- Account credentials: usernames, passwords, and authentication tokens.
- Payment and billing details: credit-card and banking information (handled by secure third-party processors), tax IDs, invoicing addresses.
- Communications: emails, chat transcripts, support tickets, recorded calls (when implemented) and user feedback.
- Lead capture information: data entered by users into our chatbots (e.g., names, contact details, query content), which Customers can view. This information is encrypted in transit and at rest and subject to Customer control.
- Audio data (future feature): once voice interactions are supported, we will collect voice recordings and generate transcriptions when users engage with AI via voice. Audio recordings and transcripts will be treated as personal data, encrypted during storage and transit, used solely to provide and improve Services, and retained for a limited period in accordance with this Policy. We will update this Policy and notify users when voice features go live.
- Marketing preferences: subscription and opt-in status for newsletters, SMS, and promotional content.
6.2 Automatically Collected Data
When you visit our websites or use the Services, we automatically collect:
- Usage and log data: IP addresses, device identifiers, browser type, operating system, access timestamps, pages visited, feature use, and referring URLs.
- Device configuration data: language, time-zone, and system settings.
- Approximate geolocation: country or region derived from IP address for localisation and compliance.
- Email interaction data: metrics such as email opens, clicks on links, and message bounce rates, to analyse communication effectiveness.
- Cookies and tracking data: see Section 16 for detailed information.
6.3 Data from Third Parties
We may receive personal data from:
- Social and identity providers (e.g. Google, Slack): profile and login information when you connect accounts.
- CRM and marketing platforms (e.g. HubSpot, Klaviyo): contact data and interaction history to manage relationships and communications.
- SMS providers: phone numbers and message metadata when we send SMS via Klaviyo's chosen provider. SMS communications are subject to your consent and opt-out rights.
- Marketing partners: leads generated through advertising platforms.
- Public sources: business contact information from professional networks like LinkedIn.
- Customers: lead data collected via our chatbots or integrations, processed on Customers' behalf.
We ensure our third-party sources have lawful authority to share data with us.
7. How We Collect Personal Data
We collect personal data when you:
- Create an account or sign up for services.
- Submit contact forms, request demos, or download resources.
- Communicate with us via email, chat, phone, SMS, or social media.
- Use our chatbots and provide information voluntarily.
- Participate in surveys or marketing programs.
- Interact with our websites through cookies and analytics.
- Connect third-party services (e.g. Google or Slack) to our platform.
8. How We Use Personal Data
We may use personal data to:
- Provide and improve Services – set up accounts, configure chatbots, process payments, and enhance performance and features.
- Communicate with you – respond to inquiries, send service updates, transactional notifications, support messages, and surveys.
- Marketing and CRM – send newsletters, product announcements, promotional offers, and event invitations via email or SMS through platforms such as HubSpot and Klaviyo. You can opt out at any time.
- Advertising – promote our Services through third-party advertising networks such as Google Ads and Meta (Facebook/Instagram). We may share hashed identifiers or allow advertising partners to collect information via cookies to show relevant ads on other websites and apps. Advertising partners use their own cookies and may recognise your device; their practices are governed by their privacy policies.
- Analytics and research – analyse usage trends and email interactions to improve content, marketing, and product design.
- Security and fraud prevention – detect and prevent abuse, apply rate limiting, mitigate spam, and protect against fraudulent or illegal activity.
- Legal and compliance – meet regulatory obligations, resolve disputes, enforce our terms, and protect rights.
- Aggregate and de-identify data – create statistical analyses that no longer identify individuals.
- Product development – develop new features (e.g., voice interaction), improve AI models (without using personal data for training unless explicitly opted in), and test enhancements.
We do not sell personal data, nor do we use customer data to train general-purpose
AI models without explicit opt-in.
9. Disclosure of Personal Data
9.1 Service Providers and Sub-processors
We share personal data with trusted third-party service providers who perform functions on our behalf, such as:
- Cloud and infrastructure providers (e.g. AWS).
- Payment processors for billing and subscription management.
- Marketing and CRM platforms (HubSpot) and email/SMS platforms (Klaviyo) for communications and analytics.
- SMS gateway providers integrated through Klaviyo to send text messages.
- Customer support and ticketing systems.
- Analytics and advertising partners for website analytics and targeted marketing.
Service providers are bound by confidentiality obligations and may only process data according
to our instructions. We maintain a list of sub-processors, available through our trust
centre or upon request.
9.2 Affiliates and Group Companies
We may share data within the SmartChatAI group for administrative and operational purposes
consistent with this Policy.
9.3 Business Partners
We may share data with business and marketing partners for co-hosted webinars, joint
promotions, or collaboration. Partners use information according to their privacy policies; we
will obtain your consent where required.
9.4 Advertising Partners
We may share certain data (e.g. hashed email addresses or cookie identifiers) with advertising
networks, social media platforms, and marketing vendors so they can display relevant ads on
other websites or apps. You can opt out of targeted advertising through cookie
settings or advertising network opt-outs.
9.5 Business Transfers
In the event of a merger, acquisition, or sale of assets, data may be transferred subject to
confidentiality obligations.
9.6 Legal and Protection of Rights
We may disclose personal data to regulators, courts, or law enforcement when necessary to
comply with laws, protect rights, prevent fraud, or respond to lawful requests.
9.7 With Consent
We may share data for other purposes with your consent.
9.8 Processor Role for Customer End-User Data
When acting as a processor for Customer end-user data, we disclose data only to our Customer
or to our service providers assisting with service delivery. We do not use such data for our own
purposes.
10. International Data Transfers
Our systems operate primarily on AWS servers in the EU and US. We may transfer data to other
countries where we or our service providers operate. When transferring personal data outside
the European Economic Area (EEA), UK, or other jurisdictions with similar laws, we apply
appropriate safeguards, such as:
- Standard Contractual Clauses (SCCs) with service providers.
- Data Privacy Framework certification for transfers to the US (where applicable).
- Customer-selected data regions for certain services.
Copies of our data-transfer agreements can be provided upon request. By using our Services,
you consent to international data transfers.
11. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this
Policy or as required by law. Retention periods include:
- Account data – retained for the duration of your account and a reasonable period thereafter to comply with legal obligations and allow account reactivation. We delete or anonymise inactive account information after an industry-standard period (e.g., 24 months) or as specified in our data-retention schedule.
- Lead and chatbot data – retained as long as required by the Customer and then deleted upon Customer request or termination.
- Marketing data – retained until you opt out or until it is no longer needed for the original purpose.
- Audio recordings and transcripts (when implemented) – retained for a limited period necessary to provide transcription services and improve performance, then deleted or anonymised.
- Backups – daily encrypted backups are retained for disaster recovery and expire after a defined retention period.
We may retain anonymised data indefinitely. If you request deletion of your personal data, we
will comply unless retention is required by law or necessary for legitimate business purposes.
12. Data Security
We maintain robust security measures to protect personal data:
- Infrastructure – Our platform is hosted on AWS with ISO 27001 and SOC-certified physical and environmental controls. Instances run behind firewalls with least-privilege access and regular patching.
- Encryption – All data is encrypted in transit using TLS 1.2+ and at rest using AES-256. Secrets and environment variables are secured via AWS Secrets Manager.
- Access control – We use role-based access control (RBAC), optional two-factor authentication for admin panels, and secure session tokens.
- API and session security – Token-authenticated APIs with rate limiting, input sanitisation, and XSS/CSRF/clickjacking protections.
- AI data privacy – Our AI models do not retain customer data; conversations are not used for training unless explicitly opted in. Sensitive prompts are filtered and anonymised; vector embeddings are stored in encrypted form.
- Monitoring and incident response – Continuous monitoring via AWS CloudWatch and SNS, anomaly detection, and a formal incident-response plan with breach notification within 48 hours.
- Auditing – Administrative actions are logged, and access to production systems is monitored.
- Shared responsibility – Customers must use strong passwords, manage user access, and avoid uploading unencrypted sensitive data.
No security system is infallible. We encourage users to implement their own security measures,
such as enabling multi-factor authentication.
13. AI-Specific Practices
- We employ retrieval-augmented generation (RAG) and other AI techniques without storing raw user data beyond runtime.
- AI models do not learn from customer conversations unless the customer opts in.
- Audio recordings and transcripts (once implemented) are processed solely to facilitate conversation with AI and will not be used to train the AI without your consent.
- Users can opt to enable or disable AI features; opting out may affect functionality but not essential services.
14. Shared Responsibility Model
- Our responsibilities – secure the infrastructure and core Services, implement encryption, monitoring, and incident response.
- Customer responsibilities – maintain account security through strong passwords and 2FA; manage user permissions; ensure that the data uploaded into the Services is appropriate and, if sensitive, encrypted or anonymised; obtain consent from end-users where required; and comply with legal obligations when using our Services.
15. Individual Rights
15.1 Under Australian Law
- Access your personal data, request correction, and lodge complaints.
15.2 Under the GDPR (EU/UK)
Rights include being informed, accessing data, rectification, erasure, restricting processing, data
portability, objecting, and opposing automated decision-making.
15.3 Under the CCPA/CPRA
California residents may request to know, access, delete, or correct their data; opt out of
targeted advertising or the sale/sharing of personal data; and limit the use of sensitive
information. We do not sell personal data.
15.4 Additional Rights
You may withdraw consent at any time without affecting prior processing; lodge complaints with
supervisory authorities; and will not be discriminated against for exercising your rights.
15.5 Exercising Your Rights
Contact us via the details in Section 24 to submit a request. We may require identity
verification. We will respond within legally required timeframes and explain any denial.
16. Cookies and Tracking Technologies
We use cookies and similar technologies to recognise your device and collect information.
Categories include:
- Strictly necessary – enable core functions (e.g. authentication, session management).
- Functional – remember preferences and enhance features.
- Performance/analytics – gather usage data anonymously; you can opt out by installing tools such as the Google Analytics Opt-Out Browser Add-On.
- Advertising/targeting – used by social media and advertising partners (e.g., Meta and Google) to display relevant ads. These partners may collect hashed identifiers and device information.
- Social media cookies – enable sharing via social networks.
You can manage cookies via browser settings or our cookie consent banner. We currently do not
respond to Do Not Track (DNT) signals due to the lack of industry standard.
17. Third-Party Services and Links
Our websites may link to or integrate with third-party services. We do not control their privacy
practices. When using these services (e.g. Slack, Google, or payment gateways), your data is
governed by the third party's privacy policy, which we encourage you to review.
18. Marketing Communications and Advertising
We may send marketing emails and SMS notifications via HubSpot and Klaviyo. You can opt out
at any time by clicking unsubscribe links or replying STOP to SMS. For online advertising, we use
cookies and hashed identifiers to show relevant ads on social media and other sites. You can opt out via our cookie preferences or the ad settings on platforms like Facebook and Google.
19. Automated Decision-Making and Profiling
We do not engage in automated decision-making that produces legal or similarly significant
effects. We may use profiling for analytics and personalisation, but not for decisions that affect
legal rights or eligibility.
20. Children's Privacy
Our Services are not directed at children under 16, and we do not knowingly collect
their data. If you believe a child has provided information, please contact us to remove it.
21. Incident Response and Breach Notification
We monitor systems in real time and have a formal incident-response plan. In the event of a
data breach, we will notify affected individuals and relevant authorities within 48 hours, as
required by law.
22. Business Transactions
Personal data may be transferred during mergers, acquisitions, or reorganisations, subject to
confidentiality obligations. We will provide notice if such a transfer occurs.
23. Changes to This Privacy Policy
We may update this Policy to reflect changes to our practices or legal requirements. We will
post updates with a revised "Last updated" date and provide additional notice for material
changes. An archive of previous versions is maintained. Continued use of our Services
constitutes acceptance of the updated Policy.
24. Contact Information
MaitrixAI Pty Ltd (Trading as SmartChatAI)
6/93 West Burleigh Road, Burleigh Heads, QLD 4220, Australia
Email: hello@smartchatai.io
Privacy Officer: Privacy Compliance Officer
For questions, requests, or complaints regarding this Policy or our data practices, please
contact us. We will address concerns promptly. If you are unsatisfied, you may contact the
Australian Information Commissioner or the relevant data-protection authority in your
jurisdiction.