https://generativesecurity.ai
Effective date: 17th April 2025

1. Introduction & Scope

This Privacy Policy (“Policy”) describes how Generative Security Pty Ltd and its affiliated entities (“Generative Security,” “we,” “us,” or “our”) collect, use, disclose, and safeguard personal information in connection with our generative AI security assurance platform (the “Platform”), our corporate website https://www.generativesecurity.ai, our blog at https://blog.generativesecurity.ai, mailing list communications, and any related products or services we provide (collectively, the “Services” or “Sites”).

This Policy applies to the following categories of individuals:

• Visitors to our website and blog;
• Individuals who subscribe to our mailing list or otherwise engage with our communications;
• Customers and authorized users of our Platform;
• Individuals whose personal information may be processed via customer integrations or connected application environments.

By accessing or using our Sites or Services, you confirm that you have read and understood this Policy and consent to the data practices described herein, subject to your rights under applicable data protection laws.

2. Data Controller & Contact Information

For the purposes of applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (“CCPA/CPRA”), the data controller of your personal information is:

Generative Security Pty Ltd
Registered in Australia and the United States
Email: privacy@generativesecurity.ai

If you have any questions, concerns, or complaints regarding this Policy or our data practices, you may contact us using the information above.

3. Definitions

For the purposes of this Policy:

• “Personal Data” means any information that relates to an identified or identifiable individual, including but not limited to names, email addresses, IP addresses, and user identifiers.
• “Processing” means any operation performed on Personal Data, whether or not by automated means, such as collection, recording, organization, storage, use, disclosure, or deletion.
• “Customer Environment Data” refers to data derived from a customer’s application environment, including chatbot configurations, conversational flows, and metadata submitted for security evaluation.
• “You” means the data subject—i.e., the individual whose Personal Data is processed under this Policy.

4. What Data We Collect

We collect and process several categories of information, depending on your interaction with our services:
We do not collect sensitive personal information (e.g., health data, biometric identifiers) unless explicitly and voluntarily provided in a supported use case.

• A. Personal Identifiers
  • Name, email address, phone number (optional), organization name, job title
• B. Account & Platform Usage Data
  • Login credentials, account role (admin/user), user ID, chatbot registration metadata, API key usage, plan tier, chatbot environments (e.g., Dev, Test, Prod)
• C. Customer Environment Data
  • Application prompts, AI-generated responses, session metadata, diagnostic feedback, and other environment-specific information voluntarily submitted by the customer
• D. Website & Blog Analytics
  • Browser/device information, referring URLs, IP address, pages visited, session duration, cookie identifiers
• E. Mailing List Data
  • Email engagement metrics (e.g., open and click-through rates), signup date, opt-in preferences

We do not collect sensitive personal information (e.g., health data, biometric identifiers) unless explicitly and voluntarily provided in a supported use case.

5. How We Collect Your Data

We collect data in the following ways:

• A. Directly from You
  • When you register for an account
  • When you submit chatbot data for evaluation
  • When you fill out contact forms or opt in to the mailing list
  • When you communicate with us via email or support channels
• B. Automatically Through Your Use
  • Through cookies and similar tracking technologies when visiting our website or using the Platform
  • Through logs of API calls, usage sessions, and user interactions
• C. From Third Parties
  • From payment processors, mailing list services (e.g., MailerLite), or CRM platforms integrated with our services
  • From customer administrators who register user accounts on your behalf

6. Purposes of Data Use

We use your data only for legitimate business purposes, including:

• Service Delivery: To create and maintain your account, authenticate users, and deliver Platform functionality
• Security Testing: To process Customer Environment Data for generative AI security analysis and reporting
• Customer Support: To respond to support requests and provide guidance based on your plan tier
• Product Improvement: To analyze usage trends, debug technical issues, and enhance the performance of our services
• Marketing & Communication: To send onboarding materials, service updates, product announcements, and relevant content via email (subject to consent or opt-out rights)
• Legal Compliance: To comply with applicable laws, enforce contractual rights, and respond to lawful requests from public authorities

We will not use your data for profiling or automated decision-making that produces legal or similarly significant effects, unless explicitly stated.

7. Legal Bases for Processing (GDPR)

Under the GDPR, we rely on the following legal bases to process your Personal Data:

• Performance of a Contract: Where processing is necessary to provide the Platform or perform contractual obligations
• Legitimate Interests: For analytics, security, service improvement, internal administration, or business development (provided such interests are not overridden by your rights)
• Consent: For sending marketing emails or using non-essential cookies (where required)
• Legal Obligation: Where we are required to retain or disclose data under applicable laws or regulatory mandates
• Vital Interests or Public Interest: Only where applicable, such as responding to emergency requests or legal proceedings

8. How We Use Customer Environment Data

Customer Environment Data submitted through the Platform is treated with strict confidentiality and processed solely for the purpose of performing security analysis as contractually agreed. Specifically:

• We do not retain environment data longer than necessary to deliver the service or fulfill support obligations.
• We do not use this data for marketing or resale under any circumstance.
• Access is restricted to authorized personnel under least-privilege principles.
• Data is deleted or anonymized following the retention timelines defined in Section 12 or as requested under contract.

Customers are solely responsible for ensuring that Customer Environment Data submitted does not violate applicable laws or the rights of third parties.

9. Sharing of Personal Data

We do not sell, lease, or rent your Personal Data to any third party. However, we may share your data with trusted third-party service providers who perform functions on our behalf, including:

• Cloud Infrastructure Providers (e.g., AWS, GCP)
• Analytics Tools (e.g., Plausible, or equivalent)
• CRM and Email Marketing Services (e.g., MailerLite)
• Payment Processors (e.g., Stripe, if applicable)
• Legal, Accounting, or Compliance Partners (as necessary)

All such subprocessors are contractually bound to only process Personal Data in accordance with our instructions, applicable law, and with appropriate confidentiality and security safeguards in place.

We may also disclose your Personal Data:

• To comply with legal obligations or enforce our rights;
• In connection with a merger, acquisition, or asset sale (with appropriate protections);
• Upon your explicit instruction or consent.

10. International Data Transfers

Your Personal Data and Customer Environment Data may be transferred to, and stored or processed in, countries outside of your jurisdiction, including Australia, the United States, or other jurisdictions where our service providers operate.

Where such transfers occur:

• For EU/EEA data subjects, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards;
• For Australian transfers, we comply with Australian Privacy Principles (APPs) under the Privacy Act 1988;
• Additional security measures—such as data encryption, secure transmission, and access controls—are implemented to mitigate risk.

By using our services, you acknowledge and consent to the transfer of your data across jurisdictions, subject to the protections described in this Policy.

11. Cookies and Tracking Technologies

Our website and Platform use cookies and similar technologies to enhance user experience, monitor system performance, and enable core functionalities. These may include:

• A. Types of Cookies Used
  • Essential Cookies: Required for website functionality (e.g., session management, login)
  • Analytics Cookies: Help us understand usage patterns and improve services (e.g., page visits, referral sources)
  • Preference Cookies (if enabled): Remember your preferences for language or region
• B. Cookie Consent
• Where required by applicable law, we display a cookie banner allowing you to:
  • Accept or reject non-essential cookies
  • Adjust preferences at any time
• C. From Third Parties
  • From payment processors, mailing list services (e.g., MailerLite), or CRM platforms integrated with our services
  • From customer administrators who register user accounts on your behalf

You may also configure your browser to disable or delete cookies. Please note that disabling essential cookies may affect Platform performance.

For more information, please refer to our Cookie Policy.

12. Retention of Data

We retain Personal Data and Customer Environment Data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law or regulation.

Retention Periods by Category:

• Account and Profile Data: Retained while the account is active + up to 90 days post-termination
• Customer Environment Data: Retained for the duration of the engagement or service request + up to 30 days unless otherwise agreed
• API Logs and Usage Records: Up to 12 months for operational and audit purposes
• Email Marketing Data: Retained until user unsubscribes or becomes inactive

After these periods, data is securely deleted or anonymized in accordance with our internal data retention and destruction policy.

13. Data Security Measures

We implement industry-standard technical and organizational security measures designed to protect your data from unauthorized access, disclosure, alteration, or destruction. These include:

• Encryption of data in transit (TLS) and at rest
• Network, processing, and data segregation where appropriate
• Multi-factor authentication for system access
• Role-based access control (RBAC)
• Regular vulnerability assessments and logging
• Staff privacy and security training

Despite these safeguards, no system can be guaranteed 100% secure. You are responsible for maintaining the confidentiality of your user credentials and for taking appropriate measures to protect your access credentials.

If we become aware of a data breach that affects your data, we will notify you promptly in accordance with applicable laws.

14. User Rights Under GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the GDPR:

• Right to Access: Obtain a copy of your Personal Data and confirmation of how it is being processed
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure: Request deletion of your Personal Data under certain conditions
• Right to Restriction: Request limited processing where you contest accuracy or legality
• Right to Data Portability: Receive a copy of your data in a structured, machine-readable format
• Right to Object: Object to processing where we rely on legitimate interests, including for marketing purposes
• Right to Lodge a Complaint: File a complaint with your local data protection authority

To exercise any of these rights, please contact us at privacy@generativesecurity.ai. We may request verification of your identity before fulfilling your request.

15. Rights Under CCPA / CPRA

If you are a resident of California, you may have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: The categories of personal information we collect and the purposes for which it is used
• Right to Access: Specific pieces of personal information we have collected about you
• Right to Delete: Request that we delete your personal information, subject to certain exceptions
• Right to Correct: Request corrections to inaccurate information
• Right to Opt-Out: If applicable, the right to opt out of the “sale” or “sharing” of personal information (Note: We do not sell or share personal data as defined under CCPA)
• Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your privacy rights

To make a verifiable consumer request under the CCPA/CPRA, please contact privacy@generativesecurity.ai.

16. Children’s Privacy

Our services are not intended for children under the age of 18, and we do not knowingly collect personal data from individuals under 18.

If we become aware that we have inadvertently collected Personal Data from a child without verified parental consent, we will take immediate steps to delete the data and disable any associated accounts.

If you believe a child’s data has been submitted to us inappropriately, please contact us at privacy@generativesecurity.ai.

17. Email Communications & Marketing Preferences

With your consent (where required), or under our legitimate interest, we may send you communications regarding:

• Platform updates
• Product announcements
• Onboarding support
• Security guidance and educational content

You can opt out of marketing communications at any time by:

• Clicking the "Unsubscribe" link in any marketing email
• Contacting us directly at privacy@generativesecurity.ai

Transactional communications (e.g., billing confirmations, service notices) are not subject to opt-out, as they are necessary for service delivery.

We do not sell or rent your email address or other personal information to third parties for marketing purposes.

18. Automated Decision-Making or Profiling

We do not engage in automated decision-making or profiling that has a legal or significant effect on individuals.

To the extent any internal profiling occurs (e.g., for feature usage analysis), it is:

• Non-impactful to your legal rights;
• Limited to internal product improvement;
• Not used for algorithmic enforcement or account judgments.

Should this change in the future, we will update this Policy accordingly and, where required, obtain your explicit consent.

19. Changes to This Privacy Policy

We may revise this Privacy Policy from time to time to reflect changes in legal, regulatory, or operational requirements. When we do:

• The “Last Updated” date at the top of this Policy will be revised
• For material changes, we will provide notice by email or a notice on our website or Platform

Your continued use of the Platform after such changes become effective constitutes your agreement to the updated Policy.

We encourage you to review this Policy periodically.

20. Contact & Complaints

If you have any questions, concerns, or complaints regarding our privacy practices, or would like to exercise your rights, you may contact:
Privacy Officer – Generative Security Pty Ltd
Email: privacy@generativesecurity.ai

For EU/EEA Users:
You may lodge a complaint with your local data protection authority if you believe your rights have been violated.

For Australian Users:

You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

For U.S. Users:

You may contact your state attorney general or the Federal Trade Commission (FTC).