Privacy Policy
Vanguard Tech Pty Ltd (trading as Colabyr)
- Effective Date: 18 February 2026
- Last Updated: 5 June 2026
- Version: 1.1
- Published at: colabyr.ai/privacy
1. Introduction
Vanguard Tech Pty Ltd (ACN 692 907 707), trading as Colabyr ("Colabyr", "we", "us", "our"), is committed to protecting the privacy of personal information we collect, hold, use, and disclose in connection with our software platform, services, and business operations.
This Privacy Policy explains how we handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where we provide services to customers or individuals located outside Australia, we also seek to comply with applicable privacy and data protection laws in those jurisdictions, including the General Data Protection Regulation (GDPR) where applicable.
This Privacy Policy applies to all personal information collected through our platform (the "Platform"), our website at colabyr.ai (the "Website"), our services, and any other interactions you have with us. It should be read in conjunction with our Terms and Conditions of Use and any applicable Work Order.
By accessing or using the Colabyr Platform or Services, you acknowledge that you have read and understood this Privacy Policy.
2. Information We Collect
2.1 Information You Provide to Us
We may collect the following categories of personal information that you provide directly to us:
- Account and registration information: your name, email address, job title, company name, business address, phone number, and other details you provide when registering for an account or entering into a Work Order with us.
- Contact and correspondence: information you provide when you contact us for support, submit enquiries, provide feedback, or communicate with us by email, phone, or other means.
- Billing information: business billing details such as company name, billing address, ABN or ACN, and purchase order numbers. We do not directly collect or store credit card numbers or bank account details; where payment processing is required, this is handled by our third-party payment processor(s).
- User content and data: any data, files, code, documentation, or other content that you or your authorised users upload, enter, or transmit through the Platform ("Customer Data"). This may include source code, configuration files, project documentation, and related technical materials.
- Personnel information: information about your employees, contractors, or other personnel who are authorised to access the Platform as users under your account.
2.2 Information We Collect Automatically
When you access and use the Platform or Website, we may automatically collect:
- Usage data: information about how you and your users interact with the Platform, including features used, actions taken, frequency and duration of activities, and performance metrics.
- Device and technical data: IP address, browser type and version, operating system, device identifiers, screen resolution, and general location information derived from IP address (city/region level, not precise geolocation).
- Log data: server logs that record requests made to our Platform, including timestamps, referring URLs, error logs, and system activity.
- Cookies and similar technologies: we use essential cookies required for the Platform to function. We do not use advertising or tracking cookies. See Section 10 for details.
2.3 Information We Generate
In the course of providing our services, the Platform may process Customer Data to generate outputs, reports, analyses, recommendations, and other derived information ("Generated Information"). Generated Information may be produced using artificial intelligence and machine learning technologies. The handling of Generated Information is governed by our Terms and Conditions of Use.
2.4 Information from Third Parties
We may receive personal information about you from third parties, including our business partners, referral sources, publicly available sources, and identity verification services, where permitted by law.
3. How We Use Your Information
We collect, hold, use, and disclose personal information only for purposes that are reasonably necessary for, or directly related to, our functions and activities. These purposes include:
- Providing and operating the Platform and Services: to set up and manage your account, deliver the services described in your Work Order, process Customer Data through the Platform, generate outputs, and provide technical support.
- Communication: to respond to your enquiries, provide notices about your account or the Platform, send service-related communications, and notify you of changes to our terms or policies.
- Billing and administration: to process invoices, manage payment records, and administer the commercial relationship under your Work Order.
- Improvement and development: to analyse usage patterns, diagnose technical issues, improve the Platform's functionality, develop new features, and enhance the quality and security of our services.
- Security and integrity: to detect, prevent, and respond to fraud, security incidents, unauthorised access, and other harmful activities, and to protect the rights and safety of Colabyr, our customers, and the public.
- Compliance: to comply with applicable laws, regulations, legal processes, and enforceable governmental requests, and to enforce our Terms and Conditions of Use.
- Aggregated and de-identified data: to create de-identified, aggregated data that cannot be used to identify you or any individual, for research, benchmarking, product improvement, and industry analysis purposes. See Section 7 for details.
4. Disclosure of Personal Information
We do not sell, rent, or trade your personal information to third parties. We may disclose personal information in the following circumstances:
4.1 Service Providers and Sub-processors
We engage trusted third-party service providers ("Sub-processors") to assist in delivering the Platform and Services. These Sub-processors may have access to personal information and Customer Data only to the extent necessary to perform their functions, and are contractually bound to protect such information and use it only for the purposes for which it was disclosed. Our current categories of Sub-processors include:
| Category | Purpose | Data Accessed |
|---|---|---|
| Cloud infrastructure providers | Hosting, storage, and compute for the Platform | Customer Data, account data, usage data |
| AI and machine learning service providers | Processing Customer Data to generate outputs and recommendations as part of Platform functionality | Customer Data as submitted for processing (subject to data minimisation) |
| Payment processors | Processing payments where applicable | Billing details (not stored by Colabyr) |
| Communication and support tools | Customer support, email delivery | Contact details, support correspondence |
| Analytics providers | Platform performance monitoring and error tracking | Aggregated usage data, error logs (de-identified where practicable) |
We maintain an internal register of Sub-processors and will provide details of specific Sub-processors to customers upon reasonable written request. We evaluate all Sub-processors for appropriate security and privacy practices before engagement.
4.2 AI and Machine Learning Processing
The Colabyr Platform utilises artificial intelligence and machine learning technologies, including third-party AI model providers, to deliver core Platform functionality. When Customer Data is processed through AI services:
- We apply data minimisation principles, transmitting only the data necessary for the specific processing task.
- We select AI service providers that offer contractual commitments not to use customer input data to train or improve their general models, except where explicitly opted in by the customer.
- Customer Data processed through AI services is subject to the same confidentiality and security obligations as all other Customer Data under our Terms and Conditions of Use.
- Generated Information produced by AI processing is handled in accordance with clause 13.2 of our Terms and Conditions of Use.
4.3 Other Disclosures
We may also disclose personal information:
- where required or authorised by law, regulation, legal process, or enforceable governmental request;
- to enforce our Terms and Conditions of Use, including investigation of potential violations;
- to detect, prevent, or address fraud, security, or technical issues;
- to protect the rights, property, or safety of Colabyr, our customers, or the public;
- in connection with a merger, acquisition, corporate reorganisation, or sale of all or substantially all of our assets, in which case personal information may be transferred to the acquiring entity subject to confidentiality obligations; or
- with your consent or at your direction.
5. Data Hosting and International Transfers
Colabyr takes a data residency approach that prioritises hosting Customer Data in the country or region where the customer is located. We work with customers to ensure that data hosting arrangements are appropriate for their regulatory and compliance requirements.
Where it is necessary to transfer personal information outside the country in which it was collected (for example, to a Sub-processor located in another jurisdiction), we take reasonable steps to ensure that the recipient provides a standard of protection that is comparable to the protections afforded under the APPs or, where applicable, the GDPR. Such steps may include:
- entering into data processing agreements or standard contractual clauses with recipients;
- verifying that the recipient is subject to laws or binding obligations that provide comparable protections; or
- obtaining your informed consent to the transfer.
We will inform you if your data will be hosted outside your home jurisdiction and provide details of the applicable hosting location upon request.
6. Data Security
We take the security of personal information and Customer Data seriously. Colabyr implements and maintains administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of information in our custody and control.
6.1 Security Framework
Our security programme is designed with reference to industry-recognised frameworks, including ISO/IEC 27001 (Information Security Management) and SOC 2 Type II (Trust Services Criteria). While Colabyr is not yet formally certified against these standards as at the date of this policy, we have adopted and maintain rigorous internal controls, policies, and procedures that are aligned with the requirements of these frameworks, with the objective of achieving formal certification.
6.2 Security Measures
Our security measures include, but are not limited to:
- Encryption: data is encrypted in transit (TLS 1.2 or higher) and at rest using industry-standard encryption algorithms.
- Access controls: role-based access controls, multi-factor authentication, and the principle of least privilege are applied to limit access to personal information and Customer Data.
- Infrastructure security: our infrastructure is hosted with leading cloud providers that maintain their own SOC 2 and ISO 27001 certifications.
- Monitoring and logging: we maintain comprehensive audit logs and employ monitoring tools to detect and respond to security events.
- Incident response: we maintain a documented incident response plan and will notify affected customers of any data breach in accordance with the requirements of the Privacy Act 1988 (Cth) and the Notifiable Data Breaches (NDB) scheme, as well as any contractual notification obligations.
- Personnel: all Colabyr personnel with access to personal information or Customer Data are subject to confidentiality obligations and receive security awareness training.
- Vendor assessment: third-party service providers and Sub-processors are assessed for security practices prior to engagement and subject to ongoing review.
While we employ commercially reasonable measures to protect your information, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security. We continuously evaluate and improve our security practices in response to evolving threats and industry developments.
7. Aggregated and De-identified Data
As described in our Terms and Conditions of Use, we may de-identify and aggregate information generated through the Platform in such a way that it cannot be used to identify you, your users, or any individual ("Aggregated Data"). Aggregated Data is not personal information.
We may use Aggregated Data for research, benchmarking, product improvement, and industry analysis purposes. We do not use Aggregated Data for advertising purposes and we will not attempt to re-identify any Aggregated Data.
8. Data Retention
We retain personal information only for as long as is reasonably necessary to fulfil the purposes for which it was collected, or as required by law. Our retention practices are as follows:
| Data Type | Retention Period | Basis |
|---|---|---|
| Account information | Duration of the contractual relationship plus 7 years | Contractual necessity; Australian tax and corporate record-keeping requirements |
| Customer Data | Duration of the Work Order, subject to the data purging schedule set out in the Terms and Conditions of Use | Contractual necessity; customer-directed retention |
| Usage and log data | Up to 24 months from collection | Legitimate business interest in Platform improvement and security monitoring |
| Billing records | 7 years from the end of the relevant financial year | Australian taxation law requirements |
| Support correspondence | Duration of the contractual relationship plus 2 years | Contractual necessity; service improvement |
Upon termination or expiry of your Work Order, you are responsible for exporting any Customer Data you wish to retain prior to termination, in accordance with the Terms and Conditions of Use. Following the applicable retention period, we will securely delete or de-identify personal information and Customer Data, unless retention is required by law.
9. Your Rights
9.1 Rights Under the Australian Privacy Principles
Under the APPs, you have the right to:
- Access: request access to the personal information we hold about you. We will respond to access requests within a reasonable period (and in any event within 30 days).
- Correction: request that we correct any personal information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading.
- Complaint: make a complaint if you believe we have breached the APPs. We will investigate and respond to complaints within 30 days. If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
9.2 Additional Rights for Individuals in the EU/UK (GDPR)
Where the GDPR applies, you may also have the right to:
- Erasure: request the deletion of your personal data in certain circumstances.
- Restriction: request that we restrict the processing of your personal data in certain circumstances.
- Portability: receive your personal data in a structured, commonly used, machine-readable format.
- Objection: object to the processing of your personal data on grounds relating to your particular situation.
- Withdraw consent: where processing is based on consent, withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
To exercise any of these rights, please contact us at the details set out in Section 15.
9.3 Customer Data
Where we process Customer Data on behalf of a customer (as a data processor), we will refer any individual request relating to that Customer Data to the relevant customer, as they are the data controller. We will assist the customer in responding to such requests as required by our Terms and Conditions of Use and applicable law.
10. Cookies and Similar Technologies
We use only essential cookies that are strictly necessary for the operation of the Platform and Website. These cookies enable core functionality such as authentication, session management, and security features. They cannot be disabled without affecting the functionality of the Platform.
We do not use advertising, marketing, or behavioural tracking cookies. We do not participate in third-party advertising networks or cross-site tracking.
If we introduce non-essential cookies in the future, we will update this policy and provide appropriate notice and consent mechanisms in accordance with applicable law.
11. Children's Privacy
The Platform and Services are not directed at individuals under the age of 18, and we do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will take reasonable steps to delete that information promptly. If you believe that a child has provided us with personal information, please contact us at [email protected].
12. Third-Party Links and Services
The Platform or Website may contain links to third-party websites or services that are not operated by Colabyr. This Privacy Policy does not apply to such third-party websites or services. We encourage you to review the privacy policies of any third-party services you access through or in connection with the Platform. We are not responsible for the privacy practices of third parties.
13. Google User Data and Gmail Integration
Where you choose to connect a Google account (for example, a Gmail inbox) to the Colabyr Platform, Colabyr accesses and processes Google user data in accordance with this section, the Google API Services User Data Policy, and the Limited Use requirements.
13.1 Scopes and Data Accessed
When you connect a Google account, Colabyr requests only the minimum access required to provide the connected features:
- Reading email (gmail.readonly): Colabyr reads the content of email messages in the connected inbox in order to detect and extract product signals (such as customer feedback, feature requests, bug reports, and related context) and surface them within your Colabyr workspace. Reading message content is essential to, and is the sole purpose of, this access.
- Sending email (gmail.send): where you initiate it, Colabyr sends email (including replies within an existing conversation) from the connected inbox so that you can contact customers directly from Colabyr. Colabyr does not use this access to send any message you have not initiated.
Colabyr does not request access to modify, organise, or permanently delete messages in the connected inbox.
13.2 How We Use, Store, and Share Google User Data
- Google user data is used solely to provide and improve the user-facing features described above.
- Google user data is encrypted in transit and at rest, and access is restricted under the controls described in Section 6.
- We do not sell Google user data, and we do not use it for advertising.
- We do not transfer Google user data to others except as necessary to provide or improve these user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to affected users.
- Humans do not read Google user data except (a) with your explicit consent, (b) where necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and de-identified.
- We do not use Google user data to develop, improve, or train generalised or non-personalised artificial intelligence or machine learning models. Where Google user data is processed by third-party AI service providers in order to deliver Colabyr's user-facing features, those providers are contractually prohibited from using it to train or improve their own models.
13.3 Limited Use Commitment
Colabyr's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
13.4 Retention and Revocation
You may disconnect a Google account from Colabyr at any time through your Colabyr workspace settings, and you may revoke Colabyr's access at any time from your Google Account security settings. When a Google account is disconnected, we cease accessing the associated Google user data and delete or de-identify previously stored Google user data in accordance with Section 8, except where retention is required by law.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will:
- update the "Last Updated" date at the top of this policy;
- post the revised policy at colabyr.ai/privacy;
- where the changes are material and we have your contact details, notify you by email or through the Platform; and
- where required by applicable law, obtain your consent to the changes.
We encourage you to review this Privacy Policy periodically. Your continued use of the Platform or Services after any changes to this Privacy Policy constitutes your acknowledgment of and consent to the updated policy.
15. How to Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of personal information, please contact us:
- Privacy Contact: Vanguard Tech Pty Ltd (trading as Colabyr)
- Email: [email protected]
- Postal Address: 10 Pulteney Street, Adelaide 5000, South Australia
- Website: colabyr.ai
If you are not satisfied with our response to a privacy complaint, you may contact the Office of the Australian Information Commissioner:
- OAIC: Office of the Australian Information Commissioner
- Website: www.oaic.gov.au
- Phone: 1300 363 992
This Privacy Policy is effective as of the date stated above and replaces any prior privacy policies published by Colabyr.
© 2026 Vanguard Tech Pty Ltd trading as Colabyr. All rights reserved.