Last updated: 19 August 2025
Entity: Perswayd Pty Ltd t/a Perswayd AI (“Perswayd AI”, “we”, “us”, “our”)
Website: https://www.perswaydai.com
General support: help@perswaydai.com


1) Scope & Relationship to Other Terms

This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use Perswayd AI’s web application, website, and related services (the “Service”). It applies to all users and visitors.

This Policy works together with our Terms of Service and any executed Data Processing Addendum (DPA). If there is a conflict regarding the processing of Personal Data, the DPA (including applicable Standard Contractual Clauses and the UK Addendum) governs.


2) Who We Are & Our Data Protection Roles

  • Controller (GDPR/UK GDPR) / APP entity (Australia): for account, billing, website, communications, and security telemetry.

  • Processor: for workspace content and AI processing performed on behalf of an organisation (e.g., your employer).

  • Self-serve accounts (no org admin): we are the controller for account/billing data; you own your Outputs (see §4).

If you’re unsure which role applies, contact help@perswaydai.com.


3) Eligibility (Age)

The Service is intended for users 18 years and older. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided personal information, contact help@perswaydai.com.


4) Key Definitions

  • Personal Data: information relating to an identified or identifiable natural person.

  • Customer Content (Inputs): content you submit to the Service (e.g., notes, files, questionnaire responses).

  • Outputs: content the Service generates from your Inputs. You own your Outputs.

  • Workspace Data: Customer Content and Outputs stored in your workspace.

  • Organisational Data (de-identified/aggregated): analytics derived from Workspace Data that we de-identify and aggregate under our de-identification process; we will not attempt to re-identify and we contractually restrict vendors from doing so.

  • Sub-processor: a third party engaged by us to process Personal Data on our behalf (see Sub-processors page referenced in Annex A).

5) What We Collect

  • Account & Profile: name, email, role, organisation, region, billing details.

  • Workspace Data: notes, files, questionnaires, influence challenges, and related artefacts you create.

  • AI Interactions: prompts you submit and the Outputs returned.

  • Usage & Device Data: IP address, timestamps, pages/features used, performance metrics, diagnostics, cookies/SDKs.

  • Support & Feedback: help-desk messages, product feedback, security reports.

5A) Prohibited Data (Special Categories & Children)

Do not submit special categories of personal data (e.g., health, biometric identifiers, union membership, religious beliefs, sexual orientation) or children’s data unless we have an executed DPA with your organisation expressly authorising such processing and setting out lawful basis and safeguards. You represent and warrant you have a lawful basis for any data you submit. We may delete or restrict content that violates this section.


6) How We Use Personal Data (Purposes & Lawful Bases)

  • Provide & operate the Service (contract/legitimate interests): authenticate users, host content, generate Outputs, maintain and secure the platform.

  • Improve & support the Service (legitimate interests/contract): analytics, troubleshooting, quality assurance, feature development.

  • Security & compliance (legal obligation/legitimate interests): detect fraud/abuse, maintain audit logs, enforce terms, respond to lawful requests.

  • Communications (consent/legitimate interests/contract): product updates, billing, service announcements, security notices. Marketing emails are opt-in where required, and you can unsubscribe at any time.

We practise data minimisation and collect only what is necessary for the above purposes.


6A) GDPR/UK GDPR — Article 13 Information

Account creation & access
  • Categories: identifiers (name, email), organisation, role, password hash, billing contact
  • Lawful basis: Contract (Art. 6(1)(b))
  • Recipient categories: hosting/platform, auth/identity, payment processors
  • Retention: life of account + up to 90 days post-closure (account data); billing per law (typically 7 years)
  • Provision required? Necessary to contract; without it we cannot provide the Service
  • Legitimate interests (summary): provide secure access; operate platform

Service delivery (workspace, AI Outputs)
  • Categories: Workspace Data, AI prompts/Outputs, usage metadata
  • Lawful basis: Contract; Legitimate interests (operate/secure)
  • Recipient categories: hosting/platform, AI processing vendors, support tools under DPA
  • Retention: life of account + up to 90 days post-closure for deletion, subject to backups/legal holds
  • Provision required? Necessary to contract
  • Legitimate interests (summary): provide core features reliably and securely

Product improvement & support
  • Categories: usage/device data, diagnostics, support tickets
  • Lawful basis: Legitimate interests
  • Recipient categories: analytics, logging/monitoring, support desk
  • Retention: diagnostics/logs typically up to 12 months; support 24 months
  • Provision required? Not strictly required
  • Legitimate interests (summary): improve reliability, safety, and user experience

Security, fraud & compliance
  • Categories: IPs, logs, auth events, limited account data
  • Lawful basis: Legal obligation; Legitimate interests
  • Recipient categories: security/abuse-prevention vendors; auditors
  • Retention: typically up to 12 months; longer if required for investigations
  • Provision required? Some required by law
  • Legitimate interests (summary): protect users and the platform; comply with law

Communications & marketing
  • Categories: email, role, consent preferences
  • Lawful basis: Consent; Legitimate interests; Contract (service notices)
  • Recipient categories: email delivery providers, CRM
  • Retention: until you withdraw consent or 24 months from last interaction
  • Provision required? Not required for core service
  • Legitimate interests (summary): keep you informed about service updates


  • Consequences of not providing data: we cannot create an account or deliver core features.

  • DPO: No Data Protection Officer appointed at this time. Contact: help@perswaydai.com.

  • International transfers & safeguards: see §9. You can request a copy/summary of applicable SCCs via help@perswaydai.com.


7) Using AI Features & Vendor Disclosures

When you submit content for AI processing, we send only the minimum necessary data to fulfil your request. Vendor processing locations, retention, and training practices will be described on our forthcoming Sub-processors page.


Enterprise options (subject to vendor capabilities and written agreement) may enable reduced/zero data retention and/or regional processing.


8) Data Sharing, Sub-processors & Change Notice

We share Personal Data with service providers under confidentiality and data-processing terms (e.g., hosting, AI processing, email delivery, analytics, observability, support tools, payments). We do not sell Personal Data and we do not share Personal Data for cross-context behavioural advertising.


Sub-processor change notice & objection. We provide at least 30 days’ prior notice of any material Sub-processor changes by notifying account administrators. You may object on reasonable data-protection grounds during that period. If we cannot reasonably address your objection, you may terminate the impacted Services without penalty.


We may disclose information if required by law, to protect our rights, or in connection with a merger, acquisition, or sale of assets (with notice of any change in control).


9) International Transfers & Data Residency

We are based in Australia. Your information may be transferred to and stored in other countries where our Sub-processors operate.


Safeguards

  • GDPR/UK GDPR: Standard Contractual Clauses (and UK Addendum), DPAs, vendor certifications. You can request a copy/summary of applicable SCCs at help@perswaydai.com.

  • Australia (APP 8): we take reasonable steps to ensure overseas recipients do not breach the APPs and obtain consent where required.

  • Other regions: comparable mechanisms as required by local law.

Enterprise customers may discuss regional processing/hosting options subject to vendor capabilities.


10) Retention

We retain Personal Data only as long as necessary for the purposes described:

  • Account/profile data: life of account + up to 90 days post-closure.

  • Billing records: 7 years (or longer per tax law).

  • Workspace Data: life of account; deleted or de-identified within ~90 days post-termination, subject to backup cycles/legal holds.

  • Operational logs & security telemetry: typically up to 12 months; longer if needed for investigations or compliance.

  • Support tickets: typically 24 months.

  • Marketing records: until you withdraw consent or 24 months from last interaction.

We may retain Organisational Data only in de-identified, aggregated form.


You may request an export of your Workspace Data prior to termination or within 30 days thereafter (provided all fees are paid).


11) Security & Breach Notification

We implement administrative, technical, and organisational measures, including encryption in transit (TLS) and at rest, least-privilege access, logging/monitoring, and vendor risk reviews. No system is perfectly secure.


Breach notification:

  • Australia: we comply with the Notifiable Data Breaches (NDB) scheme.

  • EU/UK: where a personal data breach presents a risk to individuals’ rights and freedoms, we will notify the supervisory authority without undue delay and, where feasible, within 72 hours; and we will notify affected individuals when required.

  • United States: we provide notices consistent with applicable state and federal laws.

We will provide you with relevant facts and steps you can take, consistent with legal requirements.

12) Your Privacy Rights & Choices

We will verify requests and respond within statutory timelines.

  • EU/UK (GDPR/UK GDPR): access, rectification, erasure, restriction, objection, portability, and withdrawal of consent (where applicable). You may contact your supervisory authority (UK: ICO; EU: local DPA).

  • Australia (APPs): access and correction rights; you may complain to the OAIC if unresolved.

  • California (CPRA/CCPA): access, deletion, correction, and the right to opt out of the sale or sharing of Personal Information. We do not sell or share Personal Information for cross-context behavioural advertising. If our practices change, we will provide required notices and a “Do Not Sell or Share” mechanism.

To exercise rights, email help@perswaydai.com.


12A) California Notice at Collection (CPRA)

We collect the following categories of Personal Information (last 12 months and going forward):

Identifiers

  • Examples: name, email, IP

  • Sources: you; device/browser

  • Purposes: account creation, authentication, security

  • Disclosed to service providers: hosting, auth, email delivery, support

  • “Sharing” for cross-context ads: No

  • Typical retention: life of account + 90 days

Customer records

  • Examples: billing contact, organisation

  • Sources: you; your employer

  • Purposes: billing, account management

  • Disclosed to service providers: payment processors, invoicing tools

  • “Sharing” for cross-context ads: No

  • Typical retention: 7 years (billing)

Commercial information

  • Examples: plan, purchase history

  • Sources: you; payment provider

  • Purposes: fulfilment, support

  • Disclosed to service providers: payment processors

  • “Sharing” for cross-context ads: No

  • Typical retention: 7 years

Internet or other electronic network activity

  • Examples: log data, usage analytics

  • Sources: device/browser

  • Purposes: security, diagnostics, service improvement

  • Disclosed to service providers: analytics, logging/monitoring

  • “Sharing” for cross-context ads: No

  • Typical retention: up to 12 months

Geolocation (coarse)

  • Examples: IP-derived region

  • Sources: device/browser

  • Purposes: locale settings, security

  • Disclosed to service providers: hosting, analytics

  • “Sharing” for cross-context ads: No

  • Typical retention: up to 12 months

Professional or employment-related information

  • Examples: role, organisation

  • Sources: you; employer

  • Purposes: seat management, support

  • Disclosed to service providers: hosting, support

  • “Sharing” for cross-context ads: No

  • Typical retention: life of account + 90 days

Inferences (product usage)

  • Examples: feature adoption cohorts (de-identified/aggregated)

  • Sources: derived

  • Purposes: product improvement, research

  • Disclosed to service providers: analytics

  • “Sharing” for cross-context ads: No

  • Typical retention: de-identified aggregates retained

Sensitive personal information (SPI)

  • Status: submission prohibited unless covered by an executed organisational DPA with safeguards

  • Sources: you

  • Purposes: n/a

  • Disclosed to service providers: n/a

  • “Sharing” for cross-context ads: No

  • Typical retention: n/a



Right to Limit Sensitive PI: We do not use Sensitive PI for additional purposes; if that changes, we will provide a mechanism to limit such use.


13) Cookies & Tracking Technologies

We use essential cookies for authentication and security and may use optional analytics to improve the Service. Where required (EU/UK), we present a consent banner with granular preferences that you can change at any time. You can also manage cookies via your browser settings (some features may be impacted).


14) Account Deletion, Organisational Controls & Ownership

Ownership: you own your Outputs. In organisation-managed workspaces, the organisation generally controls Workspace Data.
Admin controls: only an organisation admin can delete user accounts.
User requests: non-admin users may request deletion or anonymisation; requests are routed to the organisation admin for approval.
Post-termination: we delete or de-identify Customer Personal Data within ~90 days, subject to backups/legal holds. De-identified, aggregated analytics may be retained as Organisational Data.


15) Automated Decision-Making

Perswayd AI provides assistive Outputs for human decision-making. We do not engage in solely automated decisions producing legal or similarly significant effects about individuals.


16) Third-Party Links

Our Service may link to third-party sites; their privacy policies govern those properties.


17) Changes to This Policy

We may update this Policy to reflect legal, technical, or business changes. For material changes, we will notify you (e.g., email or in-app) and indicate the new effective date.


18) Contact & Complaints

Questions or requests: help@perswaydai.com
Australia: OAIC — oaic.gov.au
UK: ICO — ico.org.uk
EU: Your local DPA


© 2025 Perswayd Pty Ltd. All rights reserved.