Privacy Policy

Last updated: 29 June 2026

1. Who we are

This privacy policy is issued by G3 Systems (“we”, “us”, “our”), which is operated by Liam Grozdanovski as a sole trader (ABN: 57 801 499 250). We provide an online AI governance and compliance platform for Australian businesses.

We are subject to the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) in how we handle personal information in Australia.

2. Our customer and end-user relationship

Our direct contractual customer is the business that subscribes to the platform. Where a business customer submits, uploads, or causes the platform to process personal information about their own staff or clients — for example staff email addresses for policy acknowledgements, or content scanned through the secure chat or browser extension — that business customer is responsible for ensuring it has the appropriate notice, consent, or legal basis to provide that information to us.

In those cases we process the information on the business customer's behalf as part of operating the service for them.

3. What information we collect

Depending on how you use our platform, we may collect:

  • Account details — such as your name and email address when you sign up or sign in through our authentication provider.
  • Business information — details you enter into questionnaires or forms (for example business name, industry, staff numbers, state, and policy-related answers).
  • Staff email addresses — when you enter or upload addresses to send policy acknowledgement requests.
  • AI prompts and related content — text you submit for policy generation, summaries, or other AI-assisted features processed through our platform.
  • Payment information — billing is handled by our payment provider (Stripe). We do not store full card numbers on our own systems; Stripe processes card data according to its terms.
  • Usage data and logs — such as access times, device and browser type, pages or features used, and technical logs needed to run and secure the service.

4. The browser extension (optional)

Our platform offers an optional browser extension that a business can choose to activate. It works differently from the in-app secure chat, so we describe it separately here:

  • If a business activates the extension, it monitors and may transmit content that a staff member types or uploads on supported third-party AI websites (such as ChatGPT, Claude, Gemini, and other supported AI tools) back to our platform for scanning and logging.
  • This is more extensive than the in-app secure chat, because it observes activity on external websites that the business does not control.
  • Activating the extension for staff is the business customer's decision. The business customer is responsible for disclosing this monitoring to its staff and obtaining appropriate consent before activation.
  • We do not control or store content on the third-party AI platforms themselves. We receive only what the extension captures and transmits to us for scanning, and we handle that content in line with this policy.

5. How we collect it

  • Directly from you — when you create an account, complete forms, upload or paste information, or contact us.
  • Automatically — when you use the platform, through cookies, session data, and server or application logs.
  • From connected third-party services — for example when you authenticate (our identity provider), pay (Stripe), or when we send email (our email provider). Those services may share limited account or transaction metadata with us as needed to operate the product.

6. Why we collect it

We use personal information to:

  • provide, operate, and improve the platform;
  • process payments and manage subscriptions;
  • send acknowledgement and operational emails (for example staff policy links and reminders);
  • generate policies, reports, and compliance-related outputs you request;
  • maintain security, prevent fraud and misuse, and meet legal obligations;
  • understand how the product is used in aggregate so we can improve reliability and features.

7. How we store it

We store data in a Supabase PostgreSQL database. Where available, we aim to use hosting in an Australian region so your data stays close to home. Exact regions can depend on your project settings and our infrastructure choices from time to time.

Data is encrypted in transit using HTTPS/TLS between your browser and our services, and between our services and providers where they support it.

Our database provider also applies encryption at rest as part of their standard platform. We use access controls (including row-level security in the database) so customer data is separated by account where the product is designed to do so.

8. Data breach response

We take reasonable steps to protect personal information, but no system is completely secure. If an eligible data breach occurs as defined under the Notifiable Data Breaches (NDB) scheme, we will take reasonable steps to contain the breach, assess the likely harm, and notify affected individuals and the Office of the Australian Information Commissioner (OAIC) where required, in accordance with Part IIIC of the Privacy Act 1988 (Cth).

9. Who we share it with

We share personal information with service providers who help us run the product:

  • Supabase — database hosting, authentication, and related backend infrastructure.
  • Stripe — payments and billing.
  • Resend — sending transactional email (for example acknowledgement links).
  • OpenAI — processing text you submit so we can generate policies, summaries, and other AI outputs. Content you send through our platform to be processed by AI is transmitted to OpenAI and is subject to OpenAI's privacy policy and terms as well as ours. We choose providers and settings to support business use; you should still avoid putting unnecessary sensitive personal information into prompts.

We do not sell your personal information. We may disclose information if required by law or to protect our rights, users, or the security of the service.

10. Overseas disclosure of personal information

Some personal information is disclosed to recipients located outside Australia as part of using our service providers. In particular:

  • OpenAI — processes prompt content; based in the United States.
  • Stripe — processes payment data; may process and store data in the United States and other countries where Stripe operates.
  • Resend — sends transactional email; may route through infrastructure located outside Australia.

By using the platform, you consent to this disclosure of personal information to overseas recipients for the purposes described in this policy, as contemplated by Australian Privacy Principle 8 (APP 8). We select providers we reasonably believe maintain privacy and security standards consistent with the Australian Privacy Principles. However, we cannot guarantee that these overseas recipients are bound by the same laws as an Australian APP entity.

11. AI and your data

We do not use your customer data to train our own AI models. Outputs are generated using third-party models (for example OpenAI) under arrangements intended for application use, not for building a public training dataset from your account content.

Prompts are processed by OpenAI solely to generate responses you ask for (such as a policy or report). OpenAI's handling of that data is governed by their policies and our agreement with them.

Where we store prompt or generation logs, we do so to support your use of the product — for example an audit trail, versioning, or compliance features — not for unrelated marketing or model training on our side.

12. Data retention

  • Account and core service data — kept while your subscription or account is active, and for up to 90 days after cancellation or closure unless we need to keep it longer for legal, security, or dispute reasons.
  • Audit logs and certain compliance records — may be kept for up to 7 years where we reasonably need them for compliance, security investigations, or regulatory expectations. We keep logs no longer than necessary for those purposes.

Retention can vary if you ask us to delete data earlier; see “Your rights” below.

13. Your rights under the Australian Privacy Principles

Under the APPs you generally have the right to:

  • Access the personal information we hold about you, subject to exceptions in the Privacy Act.
  • Correct information that is inaccurate, out of date, incomplete, or misleading.
  • Request deletion of certain information where it is no longer needed or where the law allows — noting we may need to retain some records for legal, billing, or security reasons.

To make a request, contact us using the details in Contact us below. We will respond within 30 days where the APPs require it, and we may need to verify your identity first.

If you are not satisfied with how we handle a privacy complaint or request, you may contact the Office of the Australian Information Commissioner (OAIC). The OAIC can be reached at oaic.gov.au or by phone on its privacy complaint hotline, 1300 363 992.

14. Cookies

We use cookies and similar technologies that are necessary to run the site — mainly for authentication and session management (for example keeping you signed in securely).

We do not use advertising or behavioural tracking cookies for serving third-party ads on our platform. You may see cookies set by our authentication or payment providers as part of those services.

When you click Accept on our cookie notice, we record your choice in your browser's local storage so we do not show the banner again on future visits.

15. Third-party links

Our site may link to other websites (for example help documentation or provider sites). Those sites have their own privacy policies. We are not responsible for how third parties collect or use information when you leave our platform.

16. Changes to this policy

We may update this policy from time to time. If we make a material change, we will notify you by email to the address associated with your account (and/or by a notice in the product) before or when the change takes effect, where that is practical.

The “Last updated” date at the top of this page will change when we publish revisions.

17. Contact us

For privacy questions or to exercise your rights, contact G3 Systems by email at liam.grozdanovski@gmail.com.

We aim to acknowledge receipt quickly and to provide a full response within 30 days where required under the APPs. If we need more time, we will let you know and explain why.

18. Effective date

This Privacy Policy is effective from 29 June 2026.