Legal
Privacy Policy
Effective date: 26 April 2026 · Last updated: 26 April 2026
Summary: Augmenti collects the minimum personal information needed to operate the platform. We do not use your conversation content or artefacts to train AI models. Your data is stored in Australia (AWS ap-southeast-2) by default. You can request deletion at any time.
1. Who We Are
Augmenti Pty Ltd ("Augmenti", "we", "us", "our") operates the Augmenti platform at augmenti.io and augmenti.io/app, a multi-agent AI platform that guides teams through design thinking and strategy frameworks.
We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). If you are located in the European Union or European Economic Area, the General Data Protection Regulation (GDPR) also applies.
Privacy enquiries and complaints: privacy@augmenti.io
2. Information We Collect
2.1 Account Information
- Full name and email address (provided at registration)
- Display name and avatar preference
- Organisation name (if you are an account holder or admin)
- Billing contact name, email, and address (account holders only)
- Password (stored as a one-way bcrypt hash; we cannot retrieve it)
2.2 Platform Usage Data
- Messages you send in team chat sessions
- Artefacts you create (sticky notes, empathy maps, concept cards, and other design tools)
- Phase progress and session timing
- AI token usage per session (input and output counts only — not content)
- Bug reports and feedback you submit via the in-app widget
2.3 Technical Data
- IP address and browser/device information (collected at login for security logging)
- Session activity timestamps
- Application error logs (stack traces do not contain personal message content)
2.4 What We Do Not Collect
- Payment card details — processed directly by Stripe; we never see raw card numbers
- Sensitive personal information (health, biometric, religious, or political information) — our platform is not designed for this data and you should not enter it
3. How We Use Your Information
| Purpose | Legal Basis (GDPR) | APP Reference |
|---|---|---|
| Provide, operate, and maintain the platform | Contract performance | APP 3, 6 |
| Authenticate your identity and secure your account | Contract performance / Legitimate interest | APP 11 |
| Send transactional emails (verification, password reset, invites) | Contract performance | APP 7 |
| Calculate AI token usage for billing and plan enforcement | Contract performance | APP 3, 6 |
| Monitor platform health and investigate security incidents | Legitimate interest | APP 11 |
| Respond to support requests and bug reports | Legitimate interest | APP 6 |
| Comply with legal obligations (including the NDB Scheme) | Legal obligation | APP 11 |
We do not use personal information for targeted advertising, profiling, or sale to third parties.
4. AI Processing and Your Content
AI training: OFF by default for all users. Your conversation content and artefacts are never used to train, fine-tune, or improve AI models — by us or by our AI provider.
The Augmenti platform uses AWS Bedrock to serve AI responses. AWS Bedrock processes your inputs to generate responses and then discards the data — it is not stored by AWS for model training purposes. This is governed by the AWS service terms for Bedrock, which explicitly exclude customer data from model training.
Specifically regarding your content:
- Chat messages you send are transmitted to AWS Bedrock to generate the AI response and are not retained by AWS after the response is returned
- AI-generated responses are stored in our database so your team can review the conversation history
- Artefacts you create (sticky notes, concept cards, etc.) are stored in our database and used solely to provide the service to your team
- Aggregated, anonymised token usage statistics (counts only, no content) may be used to improve platform performance
If you include personal information about third parties in your design sessions (e.g., user research notes), you are responsible for ensuring you have appropriate consent or legal basis to process that information under applicable privacy law.
5. Third-Party Services
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, database, AI inference (Bedrock), file storage | All platform data; stored primarily in ap-southeast-2 (Sydney) | Australia (ap-southeast-2) |
| AWS Cognito | User authentication and identity management | Email, display name, password credential | ap-southeast-2 (Sydney) |
| Resend / SMTP | Transactional email delivery | Email address, email content (verification links, invites) | United States |
| Stripe | Payment processing (when billing is active) | Billing contact name, email, and billing address | United States |
When personal data is sent to providers located outside Australia (Resend, Stripe), we rely on those providers' privacy certifications and contractual commitments. Under APP 8, we remain accountable for how overseas recipients handle personal information we disclose to them.
For EU/EEA residents: Transfers to AWS, Stripe, and Resend are covered by Standard Contractual Clauses (SCCs) under those providers' own data processing agreements and GDPR compliance programmes. The transfer of your personal data to Augmenti in Australia for the purpose of providing the service is necessary for the performance of your contract with us (GDPR Art. 49(1)(b)). Australia does not currently hold an EU adequacy decision. If you have concerns about how your data is handled as an EU/EEA resident, contact privacy@augmenti.io.
Enterprise and institutional customers who are data controllers under GDPR may request a Data Processing Agreement (DPA) by contacting privacy@augmenti.io.
6. Data Storage and Security
All platform data is stored in AWS ap-southeast-2 (Sydney, Australia) by default. We implement the following technical controls:
- Encryption at rest (AWS-managed keys) for all database and file storage
- Encryption in transit (TLS 1.2+) for all connections
- Network isolation via AWS VPC — databases are not publicly accessible
- AWS Secrets Manager for credential management — no credentials stored in code
- Access logging and security monitoring via CloudWatch
- Invite-only account creation — no open registration
No security measure is infallible. In the event of a data breach, we will:
- Australia (NDB Scheme): Notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable, and no later than 30 days after becoming aware of an eligible data breach likely to result in serious harm.
- EU/EEA (GDPR Art. 33/34): Notify the relevant data protection supervisory authority within 72 hours of becoming aware of a personal data breach that poses a risk to your rights and freedoms, and notify affected individuals without undue delay where the risk is high.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information (name, email, role) | Until account deletion, then deleted within 30 days |
| Chat messages and artefacts | For the duration of the organisation's active subscription. Deleted within 30 days of account or organisation termination, except where legally required to retain. |
| Free trial data | Deleted 30 days after trial expiry if not upgraded to a paid plan |
| Activity and security logs | 2 years (required for security monitoring and compliance) |
| Billing records | 7 years (required under Australian taxation law) |
| AWS RDS backups | Automated backups retained for 7 days; then permanently deleted |
8. Your Rights
8.1 Australian Privacy Principles
We take reasonable steps to ensure personal information we hold is accurate, up-to-date, and complete (APP 10). You can update your profile details at any time in your account settings.
Under the Privacy Act 1988 (Cth), you also have the right to:
- Access personal information we hold about you (APP 12)
- Correct inaccurate or outdated personal information (APP 13)
- Complain about a breach of the APPs to us, and if unresolved, to the OAIC at oaic.gov.au
8.2 GDPR Rights (EU/EEA Residents)
If you are located in the EU or EEA, you additionally have the right to:
- Erasure ("right to be forgotten") — request deletion of your personal data
- Portability — receive your data in a machine-readable format
- Restriction — limit how we process your data in certain circumstances
- Object — to processing based on legitimate interests
- Lodge a complaint with your local Data Protection Authority
To exercise any of these rights, contact us at privacy@augmenti.io. We will respond within 30 days. Identity verification may be required before we can action a request.
9. Cookies
The Augmenti web application uses the following cookies:
| Cookie | Type | Purpose | Expiry |
|---|---|---|---|
| refresh_token | Strictly necessary | Maintains your authenticated session (HttpOnly, Secure) | 7 days |
| _augmenti_theme | Functional | Remembers your dark/light theme preference | 1 year |
We do not use advertising, tracking, or third-party analytics cookies. The landing page (augmenti.io) does not set any cookies.
10. Children's Privacy
The Augmenti platform is intended for use by adults (18 years or older) or by young people under the supervision of an educational institution. We do not knowingly collect personal information from children under 16 without parental or guardian consent. If you believe a child has provided us personal information without appropriate consent, contact us at privacy@augmenti.io.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified by email to account holders and by a notice in the platform for at least 30 days before taking effect. The "last updated" date at the top of this page reflects the most recent revision. Continued use of the platform after the effective date constitutes acceptance of the updated policy.
12. Contact and Complaints
For privacy enquiries, access or correction requests, or complaints:
- Email: privacy@augmenti.io
- General enquiries: hello@augmenti.io
If you are not satisfied with our response to a complaint, you may refer your complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au/privacy/privacy-complaints.