Privacy Policy
Custodian Labs Limited (NZBN 9429053377968) (we, us or our), understands that protecting your personal information is important. This Privacy Policy sets out our commitment to protecting the privacy of personal information provided to us, or collected by us, when interacting with you.
This Privacy Policy takes into account the requirements of the Privacy Act 1988 (Cth) and the Australian Privacy Principles. In addition to the Australian laws, individuals located in the European Union or European Economic Area (EU) may also have rights under the General Data Protection Regulation 2016/679 and individuals located in the United Kingdom (UK) may have rights under the General Data Protection Regulation (EU) 2016/679 (UK GDPR) and the Data Protection Act 2018 (DPA 2018) (together, the GDPR). Appendix 1 outlines the details of the additional rights of individuals located in the EU and UK as well as information on how we process the personal information of individuals located in the EU and UK.
The information we collect
Personal information: is information or an opinion, whether true or not and whether recorded in a material form or not, about an individual who is identified or reasonably identifiable.
The types of personal information we may collect about you include:
- Identity Data including your name, age, profession, photographic identification, marital status, pronouns, and gender.
- Contact Data including your telephone number, address and email.
- Financial Data including bank account and payment card details (through our third party payment processor, who stores such information and we do not have access to that information).
- Transaction Data including details about payments to you from us and from you to us and other details of products and services you have purchased from us or we have purchased from you.
- Technical and Usage Data when you access any of our websites or platforms, details about your internet protocol (IP) address, login data, browser session and geo-location data, statistics on page views and sessions, device and network information, acquisition sources, search queries and/or browsing behaviour, access and use of our website (including through the use of Internet cookies and tracking pixels), and communications with our website.
- Sensitive Information including health or medical information that may be contained within documents processed through our platform. Where our platform processes documents containing sensitive or medical information, that information is subject to our data anonymisation and redaction processes prior to being submitted to any large language model. We handle all sensitive information with appropriate technical and organisational safeguards and in accordance with applicable privacy laws. We only collect sensitive information where you have consented, or where otherwise permitted by law.
- Profile Data including your username and password for Custodian Labs Limited, profile picture, purchases or orders you have made with us, content you post, send receive and share through our platform, information you have shared with our social media platforms, and support requests you have made.
- Interaction Data including information you provide to us when you participate in any interactive features, including surveys, contests, promotions, activities or events.
- Marketing and Communications Data including your preferences in receiving marketing from us and our third parties and your communication preferences.
- Professional data including where you are a worker of ours or applying for a role with us, your professional history such as your previous positions and professional experience, or whether you hold required authorisations or licences (if applicable).
How we collect personal information
We collect personal information in a variety of ways, including:
- when you interact directly with us, including face-to-face, over the phone, over email, or online;
- when you complete a form, such as registering for any events or newsletters, or responding to surveys;
- when you apply for a job with us;
- when you use any website or platform we operate (including from any analytics, cookie providers or marketing providers - see the "Cookies" section below for more detail on the use of cookies);
- from third parties, such as analytics providers and marketing providers; or
- from publicly available sources, such as social media or the Australian Securities and Investments Commission (ASIC).
Why we collect, hold, use and disclose personal information
We have set out below, in a table format, a description of the purposes for which we plan to collect, hold, use and disclose your personal information.
Artificial Intelligence
We use artificial intelligence and machine learning technologies in our business operations and services, including AI tools provided by third parties (AI Technologies). We only use these technologies when legally permitted and necessary for our business. Where we use service providers who provide AI Technologies to us, we will take reasonable steps to ensure that such service providers handle your personal information according to privacy law, including by ensuring that we have contracts in place requiring the service provider to protect personal information.
How we use AI Technologies
We may use automation and AI-assisted tools for the following purposes:
- to enable developers to build and deploy AI chatbots through our Python library and associated developer toolkit;
- to process and transform data by redacting or masking sensitive information - including names, medical data, and personal data - prior to it being submitted to large language models;
- to support the handling and analysis of text, Excel, Word, and PDF file formats through our platform;
- to improve and optimise our platform, services and operations;
- to automate routine tasks and communications;
- to personalise your experience with our services;
- to support quality assurance processes; and
- to assist with customer support and queries.
We will not input your personal information into any platform provided by an AI Technology service provider which then trains its model based on that information.
Your Rights and our Commitments: We will treat information generated or inferred by the AI Technologies about individuals as personal information and you maintain all rights over your personal information as outlined in this Privacy Policy, regardless of whether AI Technologies are used in processing. When using AI Technologies with your personal information:
- Transparency and control: we will inform you when AI Technologies are being used to make decisions that may significantly affect you. We will implement processes to verify the accuracy of AI-generated outputs and we will take reasonable steps to maintain human oversight and review of significant AI-generated decisions. Our staff are trained to understand the limitations of AI systems and verify outputs before they are relied upon.
- Security: we implement appropriate technical and organisational measures to ensure that our use of AI Technologies maintains the security and integrity of your personal information. This includes regular testing and monitoring of AI outputs for accuracy and reliability.
- Risk mitigation: we regularly assess and document the risks associated with our use of AI Technologies in processing personal information and implement appropriate mitigation measures. This includes ongoing monitoring of AI Technologies and regular reviews of their performance and impact.
Our disclosures of personal information to third parties
We will only disclose your personal information to third parties where it is necessary as part of our business, where we have your consent, or where permitted by law. This means that we may disclose personal information to:
- our employees, contractors and/or related entities;
- IT service providers, data storage, web-hosting and server providers;
- marketing or advertising providers such as Google, LinkedIn, Facebook, Instagram or X (formerly Twitter);
- professional advisors, bankers, auditors, our insurers and insurance brokers;
- payment systems operators including, but not limited to, PayPal, Stripe and Shopify Payments;
- our existing or potential agents or business partners or suppliers;
- sponsors or promoters of any promotions or competition we run;
- venture capital firms, investors or potential acquirers, where we may share aggregated and anonymised data about platform usage and performance for the purposes of business development, fundraising or investment activities. Any such data shared will not identify you personally and will be subject to appropriate confidentiality obligations;
- anyone to whom our business or assets (or any part of them) are, or may (in good faith) be, transferred;
- courts, tribunals and regulatory authorities, in the event you fail to pay for goods or services we have provided to you;
- courts, tribunals, regulatory authorities and law enforcement officers, as required or authorised by law, in connection with any actual or prospective legal proceedings, or in order to establish, exercise or defend our legal rights;
- third parties to collect and process data, such as Google Analytics (To find out how Google uses data when you use third party websites or applications, please see www.google.com/policies/privacy/partners/ or any other URL Google may use from time to time), Meta Pixel or other relevant analytics businesses; and
- any other third parties as required or permitted by law, such as where we receive a subpoena.
Overseas disclosure
Personal Information
We store your personal information in Australia. Where we disclose your personal information to the third parties listed above, these third parties may store, transfer or access personal information outside of Australia, including but not limited to, New Zealand and United Kingdom. We will only disclose your personal information overseas in accordance with the Australian Privacy Principles.
Your rights and controlling your personal information
Your choice: Please read this Privacy Policy carefully. If you provide personal information to us, you understand we will collect, hold, use and disclose your personal information in accordance with this Privacy Policy. You do not have to provide personal information to us, however, if you do not, it may affect our ability to do business with you.
Information from third parties: If we receive personal information about you from a third party, we will protect it as set out in this Privacy Policy. If you are a third party providing personal information about somebody else, you represent and warrant that you have such person’s consent to provide the personal information to us.
Restrict and unsubscribe: To object to processing for direct marketing/unsubscribe from our email database or opt-out of communications (including marketing communications), please contact us using the details below or opt-out using the opt-out facilities provided in the communication.
Access: You may request access to the personal information that we hold about you. An administrative fee may be payable for the provision of such information. Please note, in some situations, we may be legally permitted to withhold access to your personal information. If we cannot provide access to your information, we will advise you as soon as reasonably possible and provide you with the reasons for our refusal and any mechanism available to complain about the refusal. If we can provide access to your information in another form that still meets your needs, then we will take reasonable steps to give you such access.
Correction: If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, please contact us using the details below. We will take reasonable steps to promptly correct any information found to be inaccurate, out of date, incomplete, irrelevant or misleading. Please note, in some situations, we may be legally permitted to not correct your personal information. If we cannot correct your information, we will advise you as soon as reasonably possible and provide you with the reasons for our refusal and any mechanism available to complain about the refusal.
Complaints: If you wish to make a complaint, please contact us using the details below and provide us with full details of the complaint. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take in response to your complaint. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner. If you are based in the United Kingdom or Europe, please see the “Complaints” section of Appendix 1 for more information about how to lodge a complaint.
Storage and security
We are committed to ensuring that the personal information we collect is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures, to safeguard and secure personal information and protect it from misuse, interference, loss and unauthorised access, modification and disclosure.
While we are committed to security, we cannot guarantee the security of any information that is transmitted to or by us over the Internet. The transmission and exchange of information is carried out at your own risk.
Cookies
We may use cookies and tracking pixels on our website from time to time. Cookies are text files placed in your computer's browser to store your preferences. Tracking pixels are tiny, invisible images (typically the size of one pixel) embedded in web pages or emails. Cookies and tracking pixels, by themselves, do not tell us your email address or other personally identifiable information. However, they do recognise you when you return to our online website and allow third parties to cause our advertisements to appear on your social media and online media feeds as part of our retargeting campaigns. If and when you choose to provide our online website with personal information, this information may be linked to the data stored in the cookie or collected by tracking pixels. Unlike cookies, tracking pixels do not store any information on your device, but instead send information to our servers when the pixel is loaded.
You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. You can block tracking pixels by using ad-blocking or privacy-focused browser extensions. Some email providers allow you to block images by default, which can prevent tracking pixels in emails from loading. However, if you use your browser settings to block all cookies (including essential cookies) and tracking pixels you may not be able to access all or parts of our website and you may not receive personalised content.
Links to other websites
Our website may contain links to other party’s websites. We do not have any control over those websites and we are not responsible for the protection and privacy of any personal information which you provide whilst visiting those websites. Those websites are not governed by this Privacy Policy.
Amendments
We may, at any time and at our discretion, vary this Privacy Policy by publishing the amended Privacy Policy on our website. We recommend you check our website regularly to ensure you are aware of our current Privacy Policy.
For any questions or notices, please contact us at:
Email: support@custodianlabs.io
Last updated: 14 July 2026
Appendix 1: Additional rights and information for individuals located in the EU or UK
Under the GDPR individuals located in the EU and the UK have extra rights which apply to their personal information. Personal information under the GDPR is often referred to as personal data and is defined as information relating to an identified or identifiable natural person (individual). This Appendix 1 sets out the additional rights we give to individuals located in the EU and UK, as well as information on how we process the personal information of individuals located in the EU and UK. Please read the Privacy Policy above and this Appendix carefully and contact us at the details at the end of the Privacy Policy if you have any questions.
What personal information is relevant?
This Appendix applies to the personal information set out in the Privacy Policy above. This includes any Sensitive Information also listed in the Privacy Policy above which is known as ‘special categories of data’ under the GDPR. Special categories of data may include:
- health information (including medical data)
Where our platform processes documents containing health or medical data or other special categories of data, we apply appropriate technical safeguards - including anonymisation and redaction - prior to any such data being processed by large language models or shared with third parties.
Purposes and legal bases for processing
Data protection law requires us to have proper legal reasons for using your personal data. We can only use your information when we have one or more of these legal bases.
- Consent - You have clearly agreed to us using your personal data for a specific purpose.
- Performance of a contract - We need to use your information to fulfil a contract with you, or because you've asked us to do something before entering into a contract.
- Legal duty - We must use your information to comply with the law.
- Vital interests - We need to use your information to protect someone's life.
- Public interest - We need to use your information to perform a task in the public interest or carry out official functions that have a clear legal basis.
- Legitimate interests - We have a genuine business reason to use your information, or a third party does, but only if this doesn't unfairly override your rights and interests. Where we rely on legitimate interests as our legal basis, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. These assessments consider:
- The nature of our legitimate interest
- The impact on you
- Any safeguards we can implement
- Your reasonable expectations
- The broader context of our relationship
We collect and process personal information about you only where we have legal bases for doing so under applicable laws. We have set out below, in a table format, a description of all the ways we plan to use your personal information, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. Note that we may process your personal information for more than one lawful ground depending on the specific purpose for which we are using your data. Please reach out to us if you need further details about the specific legal ground, we are relying on to process your personal information where more than one ground has been set out in the table below.
If you have consented to our use of data about you for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place. Where we are using your data because we or a third party have a legitimate interest to do so, you have the right to object to that use though, in some cases, this may mean no longer doing business with us. Further information about your rights is available below.
Automated Decision Making and Profiling
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Where we use automated decision-making, we will:
- Inform you of the logic involved
- Explain the significance and envisaged consequences
- Provide you with the right to human intervention
- Allow you to express your point of view
- Enable you to contest the decision
This right applies in addition to the information about AI Technologies set out in the main Privacy Policy above.
Data Transfers
Where we store and access your information
We store your personal information in Australia. However, your information may be transferred to locations outside of Australia in these circumstances:
- When our service providers are located overseas
- When we work with overseas business partners
- When using cloud-based services or data storage solutions
- When required by law or legal proceedings
The countries to which we send data for the purposes listed above may provide less comprehensive protection than what is offered in the country in which you initially provided the information.
Our approach to overseas transfers
When we transfer your personal information outside of the UK, we ensure it receives appropriate protection by:
- Only transferring your information to countries that UK data protection law recognises as providing adequate protection for personal information; or
- Putting in place a contract with the third party that means they must protect personal information to the same standards as the UK or Australia (including through standard contractual clauses); or
- Transferring personal information to organisations that are part of specific agreements on cross-border data transfers with the UK.
What this means for you
We only transfer the minimum amount of personal information necessary and require all recipients to:
- Protect your information to the same standards required by UK law
- Use your information only for the purposes we've agreed
- Allow us to monitor how they handle your information
- Provide you with the same rights over your information that you have under UK law
The countries to which we send data for the purposes listed above may be less comprehensive that is what is offered in the country in which you initially provided the information. Where we transfer your personal information outside of the country where you are based, we will perform those transfers using appropriate safeguards in accordance with the requirements of applicable data protection laws and we will protect the transferred personal information in accordance with this Privacy Policy and Appendix 1. This includes:
- only transferring your personal information to countries that have been deemed by applicable data protection laws to provide an adequate level of protection for personal information; or
- including standard contractual clauses in our agreements with third parties that are overseas.
Data retention
We will only retain your personal information for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
Once we no longer need your personal data, we will securely delete or destroy it in accordance with our data retention policies and legal requirements.
You can request information about retention periods for your data and ask for early deletion where legally possible.
Extra rights for EU and UK individuals
Right of Access
You may request details of the personal information that we hold about you and how we process it (commonly known as a "data subject access request"). You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for.
Right to Rectification
You have the right to ask us to correct or delete personal information you think is inaccurate, out of date, incomplete, irrelevant or misleading.
Right to Erasure ("Right to be forgotten")
You can request deletion of your personal information in certain limited circumstances as set out in data protection law, such as where the data is no longer necessary or has been unlawfully processed. This right is not absolute and we may be required or entitled to retain your information for legal, regulatory or legitimate business reasons.
Right to Restrict Processing
You can ask us to suspend processing where:
- You contest the accuracy of the data
- Processing is unlawful but you don't want erasure
- We no longer need the data but you need it for legal claims
- You've objected to processing pending verification of our legitimate grounds
Right to Data Portability
Where technically feasible, you can receive your personal information in a structured, commonly used format or have it transmitted to another controller where:
- Processing is based on consent or contract
- Processing is automated
Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms.
Right to Withdraw Consent
Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing. If you have consented to our use of data about you for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place.
How to Exercise Your Rights
To exercise any of these rights, contact us using the details set out in the Privacy Policy above. We may ask for proof of identity to protect your information. We will respond to your request within one month of receiving it, though this may be extended to three months for complex requests. We will inform you of any extension and the reasons for it.
These rights are available under data protection law, though some may not apply in every situation. We will let you know if any limitations apply when you make a request.
Making a Complaint
If you are not happy with how we are processing your personal information, you have the right to make a complaint at any time to the relevant Data Protection Authority based on where you live:
- For individuals in the EU: your local supervisory authority
- For individuals in the UK: the Information Commissioner's Office (ICO)
ICO contact details:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
We would, however, appreciate the chance to deal with your concerns before you approach the Data Protection Authority, so please contact us in the first instance using the details set out in the Privacy Policy above.
For any questions or notices, please contact us at:
Email: support@custodianlabs.io