Privacy Policy

1. Introduction

WAID AI (ABN 84 575 562 496) (“we”, “us”, or “our”) provides workforce AI discovery and oversight services (including Shadow AI monitoring, audit evidence packs, and reporting) to help Australian businesses manage AI tool usage and sensitive data exposure.

This Privacy Policy explains how we collect, use, disclose, store, and protect personal information when you visit our website, use our products and services, or communicate with us.

We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). By using WAID, you agree to this Privacy Policy.

2. Key Definitions

Personal Information: Information or an opinion about an identified individual, or an individual who is reasonably identifiable.
Sensitive Information: A subset of personal information including health information and other categories defined by the Privacy Act.
Services: WAID’s website, workforce AI discovery and monitoring services, browser extension/agent components (if applicable), dashboards, evidence packs, reports, and related support.
Customer: The organisation that subscribes to WAID.
End User: An individual (e.g., an employee or contractor) whose device or account is monitored by the Customer using WAID.

3. Information We Collect

We collect only information reasonably necessary to operate our Services, deliver reporting, and meet compliance obligations.

3.1 Information you provide directly

Account & Contact Data: name, email address, business name, role, and billing/admin contact details.
Support & Communications Data: information you provide when contacting support, requesting help, or providing feedback.

3.2 Information collected through the Service (usage and technical data)

Service Usage Data: product usage events (e.g., logins, feature usage), timestamps, configuration settings, and diagnostics.
Device & Identifier Data: device identifiers, operating system, browser type/version, extension identifiers, and related technical metadata.
AI Tool Activity Metadata: metadata required to deliver Shadow AI discovery (e.g., which AI tools are being accessed, frequency of access, basic event telemetry).

Important: WAID is designed to minimise collection of content. Where possible, we collect metadata rather than the content of what is typed, pasted, or uploaded. If content capture is enabled for a Customer (e.g., for incident investigation or evidence requirements), it is controlled by the Customer’s configuration and governance settings.

3.3 Website data

When you browse our website, we may collect IP address, pages viewed, referring URLs, and cookie-based analytics data to improve site performance and security.

4. How We Collect Personal Information

We collect information:

Directly from you when you register, request a demo, subscribe, or contact support.
Automatically when you use the Services (including via browser extensions/agents and dashboards), through logs and telemetry.
From the Customer (your employer or organisation) where they provide user lists, access permissions, or deployment configuration required to operate WAID.

5. How We Use Personal Information

We use personal information to:

Provide and operate the Services, including Shadow AI discovery, monitoring, reporting, and evidence packs.
Maintain and improve the Services, including troubleshooting, security monitoring, and performance analytics.
Communicate with you about your account, service notices, security alerts, and administrative messages.
Send compliance and product updates related to privacy and AI governance (you can opt out of non-essential marketing).
Prevent fraud, misuse, or abuse of the Services and enforce our terms.
Meet legal and regulatory obligations.

6. Direct Marketing and Opt-Out

We may send updates about WAID, including product changes, compliance resources, and service announcements. You can opt out of marketing communications at any time by:

Using the unsubscribe link (where provided), or
Emailing privacy@waid.ai.

We may still send essential service communications (e.g., security alerts, billing notices).

7. Use and Disclosure of Personal Information

7.1 Internal access

Access to customer data is restricted under least-privilege access controls and is limited to authorised personnel who require access to operate, support, or secure the Services.

7.2 Disclosure to service providers

We do not sell personal information. We may disclose information to trusted service providers who help us operate WAID, such as:

Cloud hosting and infrastructure providers (Australian data centres, including Sydney/Melbourne).
Analytics, monitoring, and security tooling used to maintain service reliability and protect against threats.
Professional advisers (e.g., legal, accounting) where necessary for business operations.

These providers are required to handle personal information securely and only for permitted purposes.

7.3 Legal disclosures

We may disclose personal information where required or authorised by law, including to respond to lawful requests, protect rights and safety, or investigate suspected unlawful activity.

8. Overseas Disclosure

WAID stores customer data in Australian data centres (Sydney/Melbourne). If we engage providers that involve overseas access or processing (for example, certain support tooling or sub-processors), we take reasonable steps to ensure appropriate safeguards are in place consistent with the Privacy Act.

9. Data Storage and Security

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. Measures include:

Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
Access controls, logging, and audit trails.
Multi-factor authentication (MFA) for administrative access.
Security monitoring and vulnerability management.

No system is 100% secure. If we become aware of a security incident, we respond in line with our incident response processes and applicable legal requirements.

10. Data Retention

We retain data only as long as necessary to provide the Services, meet operational requirements, and comply with legal obligations. Unless otherwise agreed with the Customer:

Browser activity metadata is retained for 30 days on a rolling basis.
Evidence packs and reports are retained for 12 months while the Customer’s subscription is active.
You (or the Customer) may request deletion of data at any time, subject to legal and operational constraints.

11. Access and Correction

You may request access to, or correction of, the personal information we hold about you by contacting privacy@waid.ai. We will respond within a reasonable timeframe.

In many cases, End User data is managed through the Customer (e.g., your employer). Where appropriate, we may direct requests through the Customer to confirm authority and ensure accurate handling.

12. Anonymity and Pseudonymity

Where practicable, you may browse our website anonymously. However, using WAID Services generally requires identification for account administration, security, and service delivery.

13. Notifiable Data Breaches

If a data breach occurs that is likely to result in serious harm, we will take steps consistent with the Notifiable Data Breaches (NDB) scheme, including notifying affected parties and the Office of the Australian Information Commissioner (OAIC) where required.

14. Complaints and Contact Details

If you have a privacy question or complaint, contact:

Privacy Officer
WAID AI (ABN 84 575 562 496)
Email: privacy@waid.ai

If you are not satisfied with our response, you may lodge a complaint with the OAIC at www.oaic.gov.au.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on our website and/or communicated to account owners or administrators. Continued use of WAID after updates indicates acceptance of the revised policy.