Privacy Policy

Effective Date: 18 December 2025
Last Updated: 18 December 2025
Next Review: 18 December 2026

1. Introduction

Brave Labs ABN 47 142 335 509 ("we", "us", "our") is committed to protecting your privacy and handling your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

We are a technology services business based in Gold Coast, Queensland, providing AI solutions, web development, and mobile development services to businesses across Australia and internationally.

This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information. It also outlines your rights regarding your personal information and how you can exercise them.

By using our website, services, or providing us with your personal information, you consent to the practices described in this policy.

2. Information We Collect

We collect the following types of personal information:

2.1 Information You Provide Directly

When you interact with our website or services, you may provide:

  • Contact Information: Name, email address, phone number
  • Business Information: Company name, job title/role, industry, company size, business website URL
  • Project Information: Business challenges, project requirements, project description, timeline, budget range, technology stack preferences, services interested in
  • Communication Preferences: Best time to contact, preferred communication method
  • Consultation Details: Appointment times, discussion topics, meeting notes
  • Referral Information: How you heard about us
  • Additional Information: Any other details you choose to share through forms or communications

2.2 Information Collected Automatically

When you visit our website, we automatically collect:

  • Device Information: IP address, browser type and version, operating system, device type
  • Usage Information: Pages viewed, time spent on pages, links clicked, navigation paths, scroll depth
  • Location Information: General geographic location based on IP address
  • Technical Information: Screen resolution, time zone settings, browser plug-in types
  • Session Recordings: Anonymous session recordings of your interactions with our website (with form inputs masked for privacy)
  • Performance Data: Core Web Vitals and page load metrics

2.3 Information from Voice Interactions

Important: By using our AI voice assistant, you consent to your conversation being recorded, transcribed, and processed as described below.

If you use our AI-powered voice assistant:

  • Voice Recordings: Your voice conversations are recorded and transmitted to our voice processing provider (Vapi) for real-time transcription
  • Conversation Transcripts: The text transcription of your conversation is stored temporarily
  • Extracted Information: Name, email, phone number, company details, project information, and other details you provide during the conversation
  • Interaction Metadata: Duration of conversation, timestamps, interaction patterns
  • AI-Generated Content: Summaries and analysis of your conversation used to provide personalised follow-up communications

Voice recordings are processed in real-time and are not stored permanently by us. Conversation transcripts and extracted information may be retained for up to 90 days for service improvement purposes.

2.4 Information from Third Parties

We may receive information about you from:

  • Business Partners: Referral partners or collaborators
  • Public Sources: Publicly available business directories or professional networks
  • Service Providers: Analytics providers, marketing platforms

2.5 Sensitive Information

We do not intentionally collect "sensitive information" as defined under the Privacy Act 1988 (Cth). Sensitive information includes health information, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation, criminal record, genetic information, and biometric data.

Voice Assistant Users: If you use our voice assistant, please avoid sharing sensitive personal information during the conversation, as we do not require this information to provide our services. If sensitive information is inadvertently collected, we will take reasonable steps to de-identify or securely delete it unless you have provided explicit consent for us to retain it.

2.6 Unsolicited Information (APP 4)

If we receive personal information that we did not solicit and that we determine is not reasonably necessary for our functions or activities, we will destroy or de-identify that information as soon as practicable (unless retention is required or authorised by law). This applies to information received through any channel, including email, post, or via third parties.

3. How We Collect Information

We collect personal information through:

  • Website Forms: Contact forms, consultation booking forms, project inquiry forms
  • Calendar Booking System: When scheduling consultations or meetings via our Google Calendar integration
  • Voice Assistant: Through our AI-powered voice assistant (powered by Vapi)
  • Email Communications: When you email us directly
  • Phone Conversations: When you call us or we call you
  • Analytics and Tracking: Through PostHog analytics, Vercel Analytics, and similar technologies
  • Business Interactions: During meetings, consultations, or project discussions

4. How We Use Your Information

4.1 Primary Purposes

  • Service Delivery: To provide our AI solutions, web development, and mobile development services
  • Communication: To respond to inquiries, schedule consultations, and provide project updates
  • Contract Management: To establish and manage service agreements
  • Technical Support: To provide assistance and resolve technical issues
  • Payment Processing: To process payments for our services

4.2 Secondary Purposes

  • Service Improvement: To enhance our services and develop new offerings
  • Marketing: To send relevant information about our services (with your consent)
  • Analytics: To understand how our website and services are used
  • Legal Compliance: To comply with legal obligations and enforce our terms
  • Business Operations: For internal record-keeping and administrative purposes

4.3 AI and Automated Processing

We use AI technologies in the following ways:

  • Voice Assistant (Vapi): Our AI-powered voice assistant processes voice interactions to answer questions, extract project information, and schedule consultations
  • Email Personalisation (OpenAI): We use OpenAI's GPT models to generate personalised consultation preparation emails based on the information you provide
  • Conversation Analysis (OpenAI): AI analyses voice conversation transcripts to create summaries and identify key discussion points for our team
  • Service Optimisation: AI tools may analyse usage patterns to improve service delivery

Automated Decision-Making Disclosure:

The following decisions are made with AI assistance:

  • Email Content Generation: AI generates personalised email content based on your form submissions or conversations (fully automated, reviewed before sending)
  • Lead Prioritisation: AI may assist in categorising inquiries based on project details (human review always involved)
  • Conversation Summaries: AI generates summaries of voice conversations for our team (human review always involved)

Important: No automated decision-making that significantly affects you occurs without human review. You can request human intervention for any AI-assisted decisions by contacting our Privacy Officer.

5. Disclosure of Your Information

5.1 Service Providers

We share your information with the following categories of service providers:

  • Cloud Hosting: Vercel (website hosting and serverless functions)
  • Email Services: Resend (transactional email delivery)
  • AI Services: OpenAI (email generation and content analysis), Vapi (voice assistant and transcription)
  • Analytics: PostHog (website analytics and session recording), Vercel Analytics (performance monitoring)
  • Calendar Services: Google Calendar (consultation scheduling, Google Meet video conferencing)
  • Professional Advisors: Lawyers, accountants, consultants (under confidentiality)

5.2 Legal and Regulatory Disclosures

We may disclose information:

  • When required by court orders or subpoenas
  • When required by law enforcement agencies
  • When required by regulatory authorities
  • To protect our legal rights or prevent fraud
  • To protect the safety of any person

5.3 Business Transfers

If we sell, merge, or transfer any part of our business, your information may be transferred to the new owner.

5.4 With Your Consent

We may share your information with other parties when you explicitly consent to such sharing.

6. Cross-Border Data Transfers

As we use global service providers, your information is transferred outside Australia to the following countries:

  • United States:
    • Vercel (website hosting)
    • OpenAI (AI email generation and analysis)
    • Vapi (voice assistant processing)
    • PostHog (website analytics)
    • Resend (email delivery)
  • Global (Google Infrastructure):
    • Google Calendar (consultation scheduling)
    • Google Meet (video conferencing)

Protection Measures:

Before any cross-border transfer, we ensure:

  • The recipient is subject to laws providing similar protection to the APPs; or
  • The recipient agrees to handle your information in accordance with the APPs; or
  • You consent to the transfer after being informed of potential risks

Data Processing Agreements: Where available, we maintain data processing agreements (DPAs) with our service providers that contractually require them to handle your personal information in accordance with applicable privacy laws and implement appropriate technical and organisational security measures.

Important Notice: By using our services, you acknowledge that your personal information will be transferred to overseas recipients, including AI service providers in the United States. We cannot guarantee that overseas recipients will comply with Australian privacy laws. You may not be able to seek redress under the Privacy Act for any breach by an overseas recipient.

7. Data Security

7.1 Technical and Organisational Measures

We implement appropriate technical and organisational measures including:

  • Encryption: SSL/TLS encryption for all data transmission; data encrypted at rest where supported
  • Access Controls: Role-based access restrictions for staff and service accounts
  • Authentication: Multi-factor authentication for sensitive systems
  • Input Sanitisation: All form inputs are sanitised to prevent injection attacks
  • Monitoring: Regular security monitoring and audits
  • Training: Staff training on privacy and security practices
  • Incident Response: Procedures for detecting and responding to security incidents

7.2 Data Breach Response

In the event of a data breach that is likely to result in serious harm:

  • We will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breach scheme
  • We will complete our assessment within 30 days of becoming aware of the breach
  • We will take immediate steps to contain and remediate the breach
  • We will provide support and guidance to affected individuals

8. Data Retention

We retain your personal information for:

  • Active Clients: Duration of our business relationship plus 7 years
  • Prospective Clients: 3 years from last interaction
  • Website Analytics (PostHog): 90 days
  • Voice Conversation Transcripts: 90 days
  • Voice Recordings: Not stored permanently; processed in real-time only
  • Calendar Bookings: Retained in Google Calendar until deleted by you or us
  • Email Records: 7 years for business records
  • Legal Requirements: As required by law or court orders

After these periods, we securely delete or de-identify your information.

9. Your Rights

Under the Privacy Act 1988 and the APPs, you have the right to:

9.1 Access Your Information

You can request access to personal information we hold about you. We will respond within 30 days and provide access unless an exception applies.

9.2 Correct Your Information

You can request correction of inaccurate, incomplete, or outdated information. We will respond within 30 days.

9.3 Opt-Out Rights

You can opt out of:

  • Marketing communications (via unsubscribe link or contacting us)
  • Analytics tracking (we respect Do Not Track browser signals; you can also use browser privacy settings)
  • Voice assistant interactions (by choosing not to use this feature)
  • Session recording (contact us to be excluded)

9.4 Data Portability

While not required under Australian law, we can provide your information in a structured format upon request.

9.5 Request Deletion

You can request deletion of your personal information. We will comply unless we are required to retain it for legal or legitimate business purposes.

9.6 Complaints

If you believe we have breached your privacy, you can:

  1. Contact us first using the details in Section 15. We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days.
  2. Lodge a complaint with the OAIC if you're not satisfied with our response:
    • Website: www.oaic.gov.au
    • Phone: 1300 363 992
    • Post: GPO Box 5218, Sydney NSW 2001

10. Cookies and Tracking Technologies

10.1 Types of Cookies and Tracking We Use

  • Essential Cookies: Required for website functionality (session management, security)
  • Analytics (PostHog): To understand website usage, track page views, user interactions, and session recordings. Form inputs are automatically masked in recordings.
  • Performance (Vercel Analytics): To monitor Core Web Vitals and page load performance
  • Preference Cookies: To remember your settings (theme, font preferences)

10.2 Do Not Track

We respect Do Not Track (DNT) browser signals. If your browser sends a DNT signal, PostHog analytics will not track your activity.

10.3 Managing Cookies

You can control cookies through:

  • Browser settings (blocking or deleting cookies)
  • Browser Do Not Track settings
  • PostHog opt-out (contact us)

Note: Disabling essential cookies may affect website functionality.

11. Third-Party Services

Our website integrates with the following third-party services. We encourage you to review their privacy policies:

Our website may contain links to other third-party websites. We are not responsible for their privacy practices.

12. Children's Privacy

Our services are business-to-business and not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child under 18, we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in our data practices, legal requirements, technology changes, or business operations.

Notification: We will notify you of material changes by:

  • Posting a notice on our website
  • Sending an email (for existing clients)
  • Updating the "Last Updated" date at the top of this policy

Your continued use of our services after changes constitutes acceptance of the updated policy.

14. Governing Law

This Privacy Policy is governed by the laws of Queensland, Australia, and the Commonwealth of Australia, including:

  • Privacy Act 1988 (Cth)
  • Australian Privacy Principles (Schedule 1)
  • Privacy and Other Legislation Amendment Act 2024 (Cth)

As a private business, we are subject to federal privacy law. The Queensland Information Privacy Act 2009 applies to Queensland government agencies and does not directly regulate private businesses.

15. Contact Information

For any questions, concerns, or requests regarding this Privacy Policy or our privacy practices:

Privacy Officer

Brave Labs

ABN: 47 142 335 509

Gold Coast, Queensland, Australia

Email: hello@bravelabs.com.au

Phone: 0494 642 867

Website: https://bravelabs.com.au

Response Time: We aim to acknowledge all privacy inquiries within 5 business days and resolve any issues within 30 days.

16. Additional Information for International Clients

If you are accessing our services from outside Australia:

  • This Privacy Policy is governed by Australian law
  • You consent to Australian privacy laws applying to your information
  • Disputes will be resolved under Australian jurisdiction
  • We will respect privacy rights granted under your local laws where practicable

17. Accountability

We maintain records of our privacy practices and conduct regular reviews to ensure compliance with this policy and applicable laws. Our privacy practices are subject to audit and continuous improvement.

18. Your Legal Rights

Under Australian law (effective from June 2025), you have a statutory right to take legal action for serious invasions of your privacy. This is independent of any complaint to the OAIC.

We are committed to handling your personal information responsibly to protect both your privacy and your legal rights.

Document Version: 2.0

Copyright © 2025 Brave Labs. ABN 47 142 335 509. All rights reserved.