This Privacy Policy explains how [Company legal name] ABN [ABN] (we, us, our) handles personal information in connection with Greenlight (the Service). We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
1. What we collect
- Account information for governance-team users: name, work email, role, and authentication identifiers. We do not store passwords (sign-in is by one-time link or identity provider).
- Workspace content you enter: your organisation name, policy rules, tool register, requests, exceptions, attestations and incidents.
- Staff lookups are anonymous. When staff use a shared link to check a tool, we record that a lookup happened (for adoption metrics) but not who made it. Requests and reports carry only the name a person chooses to provide so the organisation can reply.
- Technical data: basic logs needed to run and secure the Service (e.g. timestamps, request metadata). We do not run advertising trackers.
2. How we use it
We use personal information to provide, secure, support and improve the Service; to compute governance guidance and generate documents you request; to send service and (where you have opted in) notification emails; to process payments; and to meet legal obligations.
3. Where it is hosted
Customer data is hosted in Australia (Supabase, Sydney region). Some sub-processors that support the Service (for example payment, email, identity or AI providers) may process limited data overseas; where they do, we take reasonable steps to ensure comparable protection consistent with the APPs.
4. AI processing
Verdicts are computed deterministically from your policy rules. No AI model sits in the answer path. Optional AI features (such as drafting a tool profile) only run when you enable them, produce drafts a human confirms, and never set a verdict. We do not use your workspace content to train third-party models.
5. Disclosure
We do not sell personal information. We disclose it only to sub-processors who help us run the Service (under contract), where you direct us to, or where required by law.
6. Security
We use access controls, tenant isolation, encryption in transit, and an append-only audit log of governance actions. No system is perfectly secure, but we take reasonable steps to protect personal information and to meet our obligations under the Notifiable Data Breaches scheme.
7. Retention
We keep personal information while your workspace is active and as needed for legal, audit and dispute purposes, then delete or de-identify it. You can export or request deletion of your data.
8. Access and correction
You may request access to, or correction of, the personal information we hold about you by contacting us. We will respond consistent with the APPs.
9. Complaints
If you have a privacy concern, contact us first. If you are not satisfied, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
10. Changes
We may update this Policy; material changes will be notified by email or in the Service.
11. Contact
[Company legal name], [address]. Privacy enquiries: hello@howll.ai.