Privacy Policy

How we collect, use and protect your personal information

Last Updated: 22 January 2026

Boby Pty Ltd (ABN 22 643 102 167) understands that protecting your personal information is important. This Privacy Policy sets out our commitment to protecting the privacy of personal information provided to us, or collected by us, when interacting with you.

This Privacy Policy takes into account the requirements of the Privacy Act 1988 (Cth) and the Australian Privacy Principles, as well as the New Zealand Privacy Act 2020 and the Information Privacy Principles. Individuals located in the EU or UK may have additional rights under the GDPR and UK GDPR — these are set out in Appendix 1.

Our Platform is intended for persons aged 18 years and over. We do not knowingly collect or retain personal information of persons under 18 years of age. If we become aware that a person under 18 has provided us with personal information, we will take steps to delete that information as soon as practicable. If you believe a person under 18 has provided us with their personal information, please contact us at info@getboby.ai.

1

Information We Collect

Personal information is information or an opinion, whether true or not and whether recorded in a material form or not, about an individual who is identified or reasonably identifiable.

The types of personal information we may collect about you include:

Identity Data

Your name, age, profession and photographic identification.

Contact Data

Your telephone number, address and email address.

Financial Data

Bank account and payment card details, processed through our third-party payment processor. We do not have direct access to or storage of your financial data.

Background Verification Data

Government-issued identification details collected as part of our onboarding process to comply with our due diligence obligations and anti-money laundering laws. Where you provide security services or operate as a security firm, this includes your security licence number, licence status and expiry date, ABN, GST registration status, professional qualifications, insurance details and other credentials required to provide security services through our Platform.

Transaction Data

Details about payments to and from you and details of products and services purchased through our Platform.

Technical and Usage Data

When you access our websites, platforms or emails: your IP address, login data, browser session and geo-location data, statistics on page views and sessions, device and network information, acquisition sources, search queries and browsing behaviour, access and use of our website (including through the use of cookies or tracking pixels), and communications with our website.

Profile Data

Your username and password, profile picture, purchases or orders made with us, content you post and share through our Platform, information shared with our social media platforms, support requests, and all information, knowledge, preferences, documents and data you input into your AI-powered digital twin assistant (Digital Twin Data), which may include personal information, professional information, preferences, communications, and any other content you choose to store in your digital twin.

Interaction Data

Information you provide when participating in interactive features, including surveys, contests, promotions, activities or events.

Marketing and Communications Data

Your preferences in receiving marketing from us and third parties, and your communication preferences.

Professional Data

Where you are a worker of ours or applying for a role with us: your professional history, previous positions and professional experience, and whether you hold required authorisations or licences.

Sensitive Information

Sensitive information is a sub-set of personal information given a higher level of protection. It includes information relating to racial or ethnic origin, political opinions, religion, trade union memberships, philosophical beliefs, sexual orientation or practices, criminal records, health information or biometric information.

The types of sensitive information we may collect include:

  • Results of criminal records checks (where you apply for a role with us)
  • Professional registrations and associations (where applicable)
  • Identity verification data that may constitute biometric information, where required for security provider onboarding

We only collect sensitive information where it is reasonably necessary for our functions and activities, and with your consent or as otherwise permitted by law.

2

How We Collect Personal Information

We collect personal information in a variety of ways, including:

  • When you provide it directly to us, including face-to-face, over the phone, by email or online
  • When you complete a form, such as registering for events or newsletters, or responding to surveys
  • When you use any website or platform we operate (including from analytics providers, cookie providers or marketing providers)
  • From third parties, including identity verification services, security licence registries and payment processors
  • From publicly available sources
  • From single sign-on providers such as Apple, Facebook or Google, where you choose to connect your account
  • From your device's location services, where you have granted our mobile application permission to access location data

3

Why We Collect and Use Your Information

We have set out below the purposes for which we collect, hold, use and disclose your personal information.

| Purpose | Types of Personal Information |
|---|---|
| To enable you to access and use our Platform, including to provide you with a login | Identity Data, Contact Data |
| To assess whether to take you on as a new client | Identity Data, Contact Data, Background Verification Data |
| To work with you as a customer or supplier of our business | Identity Data, Contact Data |
| To contact and communicate with you about our business, support requests and enquiries | Identity Data, Contact Data, Profile Data |
| For internal record keeping, administrative, invoicing and billing purposes | Identity Data, Contact Data, Financial Data, Transaction Data |
| For analytics, market research and business development, including to operate and improve our business | Profile Data, Technical and Usage Data |
| For advertising and marketing, including to send you promotional information we consider may be of interest to you | Identity Data, Contact Data, Technical and Usage Data, Profile Data, Marketing and Communications Data |
| To run promotions, competitions and offer additional benefits to you | Identity Data, Contact Data, Profile Data, Interaction Data, Marketing and Communications Data |
| To consider your employment application | Identity Data, Contact Data, Professional Data |
| To power and improve your digital twin assistant using AI technologies | Profile Data (Digital Twin Data), Technical and Usage Data |
| To verify your identity and comply with security licensing obligations | Identity Data, Background Verification Data |
| To comply with our legal obligations or as otherwise required or authorised by law | Any relevant personal information |

Sensitive Information

We only collect, hold, use and disclose sensitive information for the following purposes:

  • Any purposes you have consented to
  • The primary purpose for which it was collected
  • Secondary purposes that are directly related to the primary purpose
  • To contact emergency services, or to speak with your family or support person, where we reasonably believe there is a serious risk to the life, health or safety of you or another person and it is impracticable for us to obtain your consent
  • Where otherwise required or authorised by law

4

Who We Disclose Personal Information To

We will only disclose personal information (excluding sensitive information) to third parties where it is necessary as part of our business, where we have your consent, or where permitted by law. This includes disclosure to:

  • Our employees, contractors and related entities
  • IT service providers, data storage, web-hosting and server providers (including Google Cloud Platform and Cloudflare, Inc.)
  • AI technology providers who power our digital twin feature (including Anthropic, PBC)
  • Marketing or advertising providers
  • Professional advisors, bankers, auditors, insurers and insurance brokers
  • Payment systems operators or processors
  • Our existing or potential agents or business partners
  • Identity verification and background check service providers
  • Security licence registries and regulatory bodies
  • In the event of a merger, acquisition or sale of assets: our advisers and any prospective purchaser's advisers, and as part of the transferred assets
  • Courts, tribunals and regulatory authorities, in the event of a failure to pay for goods or services
  • Courts, tribunals, regulatory authorities and law enforcement officers, as required or authorised by law
  • Third parties to collect and process data, such as analytics providers and cookies (see our Cookies Policy for more detail)
  • Any other third parties as required or permitted by law

Sensitive Information

We will only disclose sensitive information with your consent or where permitted by law. Sensitive information may be disclosed to our employees and contractors, IT service providers, professional advisors, and courts or regulatory authorities as required by law.

5

Overseas Disclosure

Australian Residents

We store your personal information primarily in Australia. Where we disclose your personal information to third parties, those third parties may store, transfer or access personal information outside of Australia, including in the following countries and regions:

  • United States of America — Anthropic, PBC (AI model processing), Cloudflare, Inc. (content delivery and network security)
  • United States of America and multiple global regions — Google Cloud Platform (cloud hosting and infrastructure)
  • Other countries — where our service providers operate or maintain infrastructure, including countries in the European Union and Asia-Pacific region

We will only disclose your personal information overseas in accordance with the Australian Privacy Principles. We take reasonable steps to ensure that overseas recipients handle your personal information in a manner consistent with those Principles.

New Zealand Residents

Where we disclose your personal information to third parties, those third parties may store, transfer or access personal information outside of New Zealand, which may not have equivalent data protection laws. Before disclosing any personal information to an overseas recipient, we will comply with Information Privacy Principle 12 and only disclose the information where we are satisfied that the recipient provides comparable safeguards, or where you have authorised the disclosure after being informed of the relevant risks.

6

How Long We Keep Your Information

We will only retain your personal information for as long as reasonably necessary to fulfil the purposes for which it was collected, including to satisfy any legal, regulatory, tax, accounting or reporting requirements. When personal information is no longer needed for any purpose for which it may be used or disclosed, we will take reasonable steps to destroy or de-identify it.

The following table sets out our general retention periods by data type. Specific retention periods may vary depending on applicable legal obligations.

| Data Type | Retention Period | Reason |
|---|---|---|
| Account and Identity Data | Duration of Account plus 7 years | Legal and regulatory obligations |
| Financial and Transaction Data | 7 years after the relevant transaction | Tax and accounting obligations |
| Digital Twin Data | Duration of Account; deleted within 90 days of Account closure unless an authorised representative requests otherwise | Service provision and estate management |
| Background Verification Data | Duration of engagement plus 7 years | Regulatory compliance |
| Technical and Usage Data | Up to 2 years | Analytics and fraud prevention |
| Marketing and Communications Data | Until you withdraw consent or unsubscribe, plus 3 years | Record of consent |
| Employment Application Data (unsuccessful) | 12 months after decision | Legal obligations and future opportunities |
| AI Training Data (anonymised and aggregated) | Indefinite once fully anonymised | Model improvement; no longer constitutes personal information |

We may retain your personal information for longer than the periods set out above where there is a complaint, a dispute, or we have reason to believe litigation may occur in respect of our relationship with you.

7

Use of Artificial Intelligence

Overview

We use artificial intelligence and machine learning technologies, including AI technologies provided by third parties, in our business operations and the provision of our Services. We will only use AI technologies when legally permitted and necessary for our business operations.

How We Use AI Technologies

We may use AI technologies for the following purposes:

  • To conduct analysis and processing of information
  • To generate and modify content
  • To improve and optimise our Services and operations
  • To automate certain processes and communications
  • To personalise your experience with our Services
  • For quality assurance purposes
  • To assist with customer support and queries
  • To power and improve your digital twin assistant

Digital Twin and AI Training

We use AI technologies to power your digital twin assistant. When you create a digital twin, you expressly consent to us using your Digital Twin Data (including any personal information contained within it) to train, improve and develop our AI models and the digital twin feature. This may include analysing usage patterns, improving AI response accuracy, developing new features, and creating anonymised aggregated data for research purposes.

Withdrawing Consent: You may withdraw your consent to the use of your Digital Twin Data for AI training purposes at any time by contacting us at info@getboby.ai with the subject line "AI Training Opt-Out". Upon withdrawal, we will cease using your Digital Twin Data for AI training from the date of your withdrawal. Your withdrawal will not affect the lawfulness of processing that occurred prior to withdrawal. Where data has already been incorporated into trained AI models in anonymised or aggregated form, it may not be technically feasible to remove it. We will notify you where this applies. Withdrawing AI training consent does not affect your ability to continue using your digital twin.

Data Protection and Security

Where we use service providers who provide AI technologies to us, we take reasonable steps to ensure that such service providers handle your personal information in accordance with applicable privacy law, including through contractual obligations requiring the protection of personal information.

Your Rights and Our Commitments

We treat information generated or inferred by AI technologies about individuals as personal information, and you maintain all rights over your personal information regardless of whether AI technologies are used in processing. When using AI technologies with your personal information:

  • Transparency and control: We will inform you when AI technologies are used to make decisions that may significantly affect you. We implement processes to verify the accuracy of AI-generated outputs and maintain human oversight of significant AI-generated decisions.
  • Security: We implement appropriate technical and organisational measures to ensure our use of AI technologies maintains the security and integrity of your personal information.
  • Risk mitigation: We regularly assess and document the risks associated with our use of AI technologies and implement appropriate mitigation measures.

8

Your Rights and Controlling Your Information

Your Choice

Please read this Privacy Policy carefully. If you provide personal information to us, you understand we will collect, hold, use and disclose it in accordance with this Privacy Policy. You are not required to provide personal information to us; however, if you do not, it may affect our ability to provide you with our Services.

Information from Third Parties

If we receive personal information about you from a third party, we will protect it as set out in this Privacy Policy. If you are a third party providing personal information about someone else, you represent and warrant that you have that person's consent to provide the personal information to us.

Access

You may request access to the personal information we hold about you. An administrative fee may be payable for the provision of such information. In some circumstances, we may be legally permitted to withhold access. If we cannot provide access, we will advise you as soon as reasonably possible and provide our reasons and any available complaint mechanism.

Correction

If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, please contact us. We will take reasonable steps to promptly correct any such information. If we cannot correct your information, we will advise you as soon as reasonably possible and provide our reasons and any available complaint mechanism.

Deletion

You may request that we delete personal information we hold about you. We will consider your request and, where we are not required or permitted by law to retain the information, we will take reasonable steps to delete or de-identify it. We will advise you of the outcome of your request and, where we are unable to delete information, we will explain why.

Restrict and Unsubscribe

To object to processing for direct marketing, or to unsubscribe from our email database, please contact us using the details below or use the opt-out facilities provided in the communication.

Complaints

If you wish to make a complaint, please contact us using the details below and provide full details of the complaint. We will promptly investigate and respond to you in writing, setting out the outcome of our investigation and the steps we will take in response.

If you are not satisfied with our response, you may contact:

  • Australian residents: The Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au
  • New Zealand residents: The Office of the New Zealand Privacy Commissioner at www.privacy.org.nz
  • EU and UK residents: The relevant Data Protection Authority in your jurisdiction (see Appendix 1)

9

Storage and Security

We are committed to ensuring that the personal information we collect is secure. We have put in place suitable physical, electronic and managerial procedures to safeguard and secure personal information and protect it from misuse, interference, loss and unauthorised access, modification and disclosure.

Our security measures include:

  • Encryption of data in transit using TLS
  • Access controls limiting personal information to authorised personnel only
  • Regular security monitoring and testing
  • Contractual security obligations on third-party service providers
  • Staff training on privacy and data security obligations

While we are committed to security, we cannot guarantee the security of information transmitted to or by us over the internet. The transmission and exchange of information is carried out at your own risk.

10

Data Breaches

We are committed to complying with our obligations under the Privacy Act 1988 (Cth) and the Notifiable Data Breaches (NDB) scheme. In the event of an eligible data breach that is likely to result in serious harm to one or more individuals:

  • We will notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable, and no later than 30 days after we become aware of the breach
  • We will notify all affected individuals whose personal information was involved in the breach
  • We will take all reasonable steps to contain the breach and mitigate any resulting harm
  • Notification to affected individuals will be provided directly where contact details are known, or via a prominent notice on our Platform where direct notification is not practicable

If you become aware of any actual or suspected security breach affecting your Account or personal information on our Platform, please notify us immediately at info@getboby.ai.

11

User-Generated Content

We may enable you to post reviews, comments, photos and other user-generated content. Any content you choose to submit will be accessible by anyone, including third parties not associated with us. We have no control over how others may use or misuse information you make publicly available. We are not responsible for the privacy, security or accuracy of any user-generated content you choose to post, or for the use or misuse of that information by any third party.

12

Cookies and Analytics

We use cookies, tracking pixels and similar technologies on our website and in our emails. For full details of the cookies we use, the purposes for which we use them, and how you can manage your cookie preferences, please see our Cookies Policy.

Google Analytics

We use Google Analytics Advertising Features. We and third-party vendors may use first-party cookies (such as the Google Analytics cookie) or other identifiers, and third-party cookies (such as Google advertising cookies) together. These may collect Technical and Usage Data about you. You can opt out of Google Analytics using the Google Analytics Opt-out Browser Add-on.

Facebook / Meta Analytics

We may use tools provided by Meta, such as the Meta Pixel and Conversions API. These allow us to measure ad performance and deliver relevant ads on Meta platforms based on your activity on our website. You can manage these preferences through Meta's settings and by adjusting your Off-Facebook Activity settings.

Managing Cookies

You can block cookies by activating the setting on your browser that allows you to refuse all or some cookies. You can block tracking pixels using ad-blocking or privacy-focused browser extensions. However, if you block all cookies (including essential cookies) you may not be able to access all or parts of our website.

14

Single Sign-On Accounts

If you connect your account with us using a single sign-on service (such as Apple, Facebook or Google), we will collect your personal information from that provider in accordance with the privacy settings you have chosen with them.

The personal information we may receive includes your name, ID, username, handle, profile picture, gender, age, language, list of friends or follows, and any other personal information you choose to share.

We use the personal information received from the single sign-on provider to create a profile for you on our Platform and to provide you with our Services, including personalising your experience and enabling communication with you.

Where we have accessed your personal information through your Facebook account, you have the right to request the deletion of that personal information. To submit a deletion request, please email us at info@getboby.ai and specify which personal information you would like deleted. If we deny your request, we will explain why.

15

Location Services

We collect your precise or approximate location via our mobile application for the following purposes:

  • For security and safety, including to enable location-based security reporting
  • To prevent and detect fraud
  • To match Members with Security Providers in their area
  • As permitted by law

We collect location data when you use our mobile application and have granted us permission to do so. If you do not want us to use your location data, you should turn off location services in your account settings or in your mobile device settings. If you do not provide geolocation data to us, it may affect our ability to provide certain location-based features of our Services.

16

Do Not Track

Some browsers include a "Do Not Track" feature that signals to websites that you do not want to have your online activity tracked. Our website does not currently respond to Do Not Track signals, as there is no universally accepted standard for how websites should respond to such signals. We will continue to monitor developments in this area.

You can manage your privacy preferences and limit tracking through your browser settings and by reviewing our Cookies Policy.

17

Changes to This Policy

We may, at any time and at our discretion, update this Privacy Policy by publishing the amended version on our website. We recommend you check our website regularly to ensure you are aware of our current Privacy Policy. Where changes are material, we will notify you by email or by a prominent notice on our Platform.

Appendix 1

Additional Rights and Information for Individuals Located in the EU or UK

A

EU and UK Additional Rights

Under the General Data Protection Regulation 2016/679 (GDPR) and, for UK residents, the UK GDPR and Data Protection Act 2018, individuals located in the EU and UK have additional rights in respect of their personal information (referred to as personal data under the GDPR). This Appendix sets out those additional rights and information about how we process the personal data of individuals in the EU and UK.

Purposes and Legal Bases for Processing

We collect and process personal information only where we have a legal basis to do so. The table below sets out our processing purposes and the legal basis we rely on for each.

| Purpose | Type of Data | Legal Basis |
|---|---|---|
| To enable you to access and use our Platform | Identity Data, Contact Data | Performance of a contract with you |
| To assess whether to take you on as a new client | Identity Data, Contact Data, Background Verification Data | Performance of a contract; legal obligation; legitimate interests (preventing fraudulent or unlawful activity) |
| To work with you as a customer or supplier | Identity Data, Contact Data | Performance of a contract with you |
| To contact and communicate with you about our business and support requests | Identity Data, Contact Data, Profile Data | Performance of a contract with you |
| For internal record keeping, administrative and billing purposes | Identity Data, Contact Data, Financial Data, Transaction Data | Performance of a contract; legal obligation; legitimate interests (recovering debts and notifying you of changes) |
| For analytics, market research and business development | Profile Data, Technical and Usage Data | Legitimate interests (keeping our Platform updated and relevant and improving our business) |
| For advertising and marketing | Identity Data, Contact Data, Technical and Usage Data, Profile Data, Marketing and Communications Data | Legitimate interests (developing and growing our business); or consent where required |
| To run promotions and competitions | Identity Data, Contact Data, Profile Data, Interaction Data, Marketing and Communications Data | Legitimate interests (facilitating engagement with our business) |
| To consider employment applications | Identity Data, Contact Data, Professional Data | Legitimate interests (considering your application) |
| To power your digital twin using AI technologies | Profile Data (Digital Twin Data) | Consent; performance of a contract with you |
| To comply with legal obligations | Any relevant personal information | Legal obligation |

If you have consented to our use of your data for a specific purpose, you have the right to withdraw that consent at any time, though this will not affect processing that has already taken place. Where we are relying on legitimate interests, you have the right to object to that use, though in some cases this may mean we can no longer provide our Services to you.

Data Transfers

Where we transfer your personal information outside of the EU or UK, we will do so using appropriate safeguards in accordance with applicable data protection laws. This includes only transferring to countries deemed adequate by applicable authorities, or including standard contractual clauses in agreements with overseas recipients.

Data Retention

We will only retain your personal information for as long as reasonably necessary to fulfil the purposes we collected it for, including satisfying legal, regulatory, tax, accounting or reporting requirements. Please see Section 6 of this Privacy Policy for our general retention periods. We may retain information longer in the event of a complaint or anticipated litigation.

Your Additional Rights

In addition to the rights set out in Section 8 of this Privacy Policy, individuals in the EU and UK have the following additional rights:

  • Right of access: To request details of the personal information we hold about you and how we process it (commonly known as a data subject access request)
  • Right to rectification: To have inaccurate or incomplete personal information corrected
  • Right to erasure: To request deletion of your personal information in certain circumstances
  • Right to restriction: To restrict our processing of your personal information in certain circumstances
  • Right to data portability: To receive your personal information in a structured, machine-readable format and transfer it to another organisation
  • Right to object: To object to processing based on legitimate interests or for direct marketing purposes
  • Rights related to automated decision-making: To not be subject to a decision based solely on automated processing (including profiling) that produces a legal or similarly significant effect on you, without appropriate human oversight

If you are not satisfied with how we handle your personal information, you have the right to make a complaint to the relevant Data Protection Authority in your jurisdiction. We would appreciate the opportunity to address your concerns first, so please contact us in the first instance using the details below.

Privacy Officer

Boby Pty Ltd (ABN 22 643 102 167)

Email: info@getboby.ai

For privacy complaints, access requests or any questions about this Privacy Policy, please contact our Privacy Officer at the email above. We aim to respond to all privacy enquiries within 30 days.