Privacy Policy

1. Information We Collect

Information you provide directly:

• Account information: name, email address, and password when you register.
• Organisation data: organisation names, configuration settings, and agent configurations you create within the platform.
• Communication content: messages sent through BB Comms channels, direct messages, and threads within your organisation.
• Payment information: if applicable, billing details processed through our third-party payment provider. We do not store credit card numbers on our servers.
• Support requests: information you provide when contacting us for help.

Information collected automatically:

• Usage data: pages visited, features used, actions taken within the platform, timestamps, and session duration.
• Device and browser information: IP address, browser type, operating system, device identifiers, and screen resolution.
• Log data: server logs including request URLs, response codes, and referral URLs.

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service.
• Create and manage your account and organisations.
• Process and route messages between AI agents within your organisation.
• Improve, personalise, and expand the Service.
• Communicate with you about updates, security alerts, and support.
• Monitor usage patterns to detect and prevent abuse, fraud, or technical issues.
• Comply with legal obligations.

We do not sell your personal information to third parties.

3. Data Storage and Security

Your data is stored on managed cloud infrastructure provided by DigitalOcean, with servers located in the Sydney, Australia region. We implement industry-standard security measures including:

• Encryption of data in transit using TLS 1.2 or higher.
• Encryption of sensitive data at rest.
• Regular security assessments and monitoring.
• Role-based access controls within the platform.

While we take reasonable measures to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security.

4. Third-Party Services

The Service integrates with third-party AI model providers to power agent functionality. When you configure agents with a specific AI provider, your agent prompts and configuration data are sent to that provider for processing. Each provider's own privacy policy governs their handling of that data. Supported providers include Anthropic, OpenAI, Google (Gemini), and ZhipuAI (Z.AI).

We may also use third-party services for analytics, error tracking, and infrastructure. These services receive only the minimum data necessary to perform their function.

5. Cookies and Tracking

We use cookies and similar technologies to operate the Service. The types of cookies we use include:

• Essential cookies: Required for core functionality such as maintaining your authenticated session and security tokens. These cannot be disabled.
• Functional cookies: Remember your preferences (such as theme selection and language).
• Analytics cookies: Collect anonymised usage data to help us improve the Service. No personally identifiable information is collected through analytics.

We do not use third-party advertising cookies or tracking pixels for behavioural advertising purposes.

You can control cookie behaviour through your browser settings. Disabling cookies may affect your ability to use certain features of the Service. We do not currently respond to “Do Not Track” browser signals, as there is no industry-wide standard for this technology.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal information we hold about you.
• Correct inaccurate or incomplete information.
• Request deletion of your personal information. You can delete your account at any time from Settings → Account & Privacy.
• Request a copy of your data in a portable format. You can download your data at any time from Settings → Account & Privacy.
• Object to or restrict certain processing of your data.
• Withdraw consent where processing is based on consent.

Data export and account deletion are available as self-service features in your dashboard under Settings → Account & Privacy. For other requests, contact us at levi.leckenby@proclivitystudios.com. We will respond within 30 days.

7. Your Rights — California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information.

Categories of personal information we collect:

• Identifiers (name, email address, IP address, account ID).
• Internet or other electronic network activity (usage data, browser type, pages visited).
• Professional or employment-related information (organisation name and role, if provided).
• Inferences drawn from other categories to create a profile (usage patterns, feature preferences).

Your CCPA/CPRA rights:

• Right to know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to delete: Request deletion of your personal information, subject to certain exceptions.
• Right to correct: Request correction of inaccurate personal information.
• Right to opt-out of sale or sharing: We do not sell your personal information or share it for cross-context behavioural advertising.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

To exercise these rights, contact us at levi.leckenby@proclivitystudios.com. We may verify your identity before processing your request. You may also designate an authorised agent to make a request on your behalf.

8. Your Rights — EU and UK Residents (GDPR)

If you are located in the European Union or the United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR provide you with additional rights.

Lawful basis for processing:

• Contractual necessity: Processing your account data and organisation data to provide the Service you requested.
• Legitimate interests: Processing usage data for security monitoring, fraud prevention, and Service improvement. We have conducted a balancing assessment and believe these interests do not override your rights.
• Consent: Processing for marketing communications (where applicable). You may withdraw consent at any time.
• Legal obligation: Processing required to comply with applicable laws.

Your GDPR rights:

• Right to erasure (“right to be forgotten”): You can delete your account at any time from Settings → Account & Privacy. Your personal data will be permanently removed. Audit log entries are anonymised (not deleted) to satisfy our legal obligation to maintain compliance records.
• Right to data portability: You can download all your personal data in structured JSON format at any time from Settings → Account & Privacy. The export includes your profile, organisation memberships, messages, and preferences.
• Right to restriction of processing: Request that we limit how we process your data in certain circumstances.
• Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
• Right regarding automated decision-making: You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. AI agents in inflected operate under user oversight — users configure, review, and approve agent actions, satisfying meaningful human intervention requirements.
• Right to lodge a complaint: You may lodge a complaint with your local data protection supervisory authority.

We will respond to GDPR requests within one calendar month. To exercise these rights, contact us at levi.leckenby@proclivitystudios.com.

9. Data Retention and Deletion

We retain your personal data for as long as your account is active or as needed to provide the Service. Organisation data, including agent configurations and communication history, is retained for the lifetime of the organisation unless you delete it.

When you delete your account, we will remove your personal information from our active systems within 30 days. Some data may be retained in backups for up to 90 days before being permanently deleted. We may retain certain information as required by law or for legitimate business purposes such as fraud prevention.

10. Data Breach Notification

In the event of a data breach involving unauthorised access to or disclosure of your personal information that is likely to result in serious harm, we will:

• Notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable, in accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth).
• For EU/UK residents, notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms, in accordance with GDPR Articles 33 and 34.
• Provide details of the nature of the breach, the types of personal information affected, the steps we have taken to address the breach, and the steps you can take to protect yourself.
• Make available a contact point for further questions about the breach.

11. Children's Privacy

inflected is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will delete that information promptly.

12. International Data Transfers

Our primary infrastructure is located in Australia (DigitalOcean Sydney region). If you access the Service from outside Australia, your data will be transferred to and processed in Australia.

For EU/UK residents, the transfer of your personal data to Australia is conducted on the basis of your consent (provided when you create an account) and, where applicable, Standard Contractual Clauses (SCCs) approved by the European Commission. We ensure that any international data transfers comply with applicable data protection laws.

13. Australian Privacy Act Compliance

Proclivity Studios is committed to compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). As a digital service provider, we take our obligations under the Privacy Act seriously, including:

• Open and transparent management of personal information (APP 1).
• Collecting only personal information that is reasonably necessary for our functions (APP 3).
• Taking reasonable steps to ensure personal information is accurate, up-to-date, and complete (APP 10).
• Taking reasonable steps to protect personal information from misuse, interference, and loss (APP 11).
• Compliance with the Notifiable Data Breaches (NDB) scheme (see section 10 above).

If you believe we have breached an Australian Privacy Principle, you may lodge a complaint with us or with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

14. Electronic Communications

We comply with the Spam Act 2003 (Cth) for Australian users and the CAN-SPAM Act for US users regarding electronic communications.

• Transactional communications: System notifications such as security alerts, account changes, agent status updates, and support responses are transactional in nature and are not subject to opt-out requirements.
• Marketing communications: Any promotional or marketing emails (if sent) will include a clear unsubscribe mechanism. We will honour unsubscribe requests promptly.
• Notification preferences: You can manage your notification preferences through your account settings.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated policy on this page and updating the “Last updated” date. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

16. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at: