Privacy Policy

1. Introduction

This Privacy Policy explains how Insight Trail Pty Ltd (ABN 46 669 343 953) ("we", "us", or "InsightTrail") collects, uses, discloses, and protects your personal information when you use our AI-powered learning platform.

Data Controller: Insight Trail Pty Ltd
Address: 25B Kendall Street, Tarrawanna, NSW 2518, Australia
Contact: privacy@insighttrail.ai

We are committed to protecting your privacy in accordance with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA) where applicable.

2. Information We Collect

Information You Provide

• Account Information: Name, email address, password (encrypted), profile picture, and authentication tokens when you create an account
• Payment Information: Billing address, payment method details (processed securely by our payment provider - we do not store full card numbers)
• Learning Content: Questions you ask, notes you create, learning goals you set, and content you upload
• Communications: Support requests, feedback, and any correspondence with us

Information Collected Automatically

• Device Information: Device type, operating system, browser type, unique device identifiers
• Usage Data: Features used, learning progress, time spent, interaction patterns, and performance metrics
• Log Data: IP address, access times, pages viewed, and referring URLs
• Location Data: General geographic location based on IP address (country/region level only)

Information from Third Parties

• OAuth Providers: If you sign in with Google or Apple, we receive your name, email, and profile picture as authorized by you
• Content Creators: If you access content through a creator's platform, we may receive information about your enrollment

3. Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA), UK, and Switzerland, we process personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide the Service you requested (account management, content delivery, learning features)
• Legitimate Interests: Processing for our legitimate business interests (service improvement, security, fraud prevention) where not overridden by your rights
• Consent: Processing based on your explicit consent (marketing communications, optional analytics, AI personalization features)
• Legal Obligation: Processing required to comply with applicable laws and regulations

4. How We Use Your Information

We use your information to:

• Provide the Service: Create and manage your account, deliver learning content, track progress, and enable platform features
• Personalize Learning: Use AI to adapt content difficulty, suggest learning paths, and provide personalized feedback based on your progress
• Process Payments: Handle subscriptions, process transactions, and manage billing
• Communicate: Send service updates, respond to inquiries, and provide customer support
• Improve the Service: Analyze usage patterns, conduct research, and develop new features
• Ensure Security: Detect fraud, prevent abuse, and maintain platform integrity
• Comply with Law: Meet legal obligations, respond to lawful requests, and protect our rights

5. AI and Machine Learning

Important: InsightTrail uses artificial intelligence to enhance your learning experience. Here's how we handle your data in relation to AI:

How AI Processes Your Data

• Your questions and interactions are sent to AI services to generate personalized responses and recommendations
• Learning patterns are analyzed to adapt content difficulty and suggest optimal learning paths
• Voice features (if used) process audio through speech synthesis services

Third-Party AI Services

We use the following AI service providers:

• Google Gemini: For natural language processing, content generation, and learning assistance
• ElevenLabs: For voice synthesis and audio content generation

Data NOT Used for AI Training

Your personal data is NOT used to train AI models by our third-party providers. We have contractual agreements with Google and ElevenLabs that prohibit the use of your data for model training purposes. Your interactions are processed only to provide you with immediate responses and are not retained by these services for training.

AI Limitations

AI-generated content may contain errors or inaccuracies. Please refer to our Terms of Service for important disclaimers about AI-generated content.

6. Data Sub-Processors

We engage the following third-party service providers to process your data on our behalf:

We maintain Data Processing Agreements (DPAs) with all sub-processors to ensure they meet our data protection standards.

7. Information Sharing & Disclosure

We do not sell your personal information. We may share your information only in the following circumstances:

• Service Providers: With trusted third parties who assist in operating our Service (see Sub-Processors above)
• Content Creators: Aggregated, anonymized analytics with creators whose content you access (never individual-level data without consent)
• Business Transfers: In connection with a merger, acquisition, or sale of assets, with appropriate confidentiality protections
• Legal Requirements: When required by law, court order, or government request
• Protection of Rights: To protect the safety, rights, or property of InsightTrail, our users, or the public
• With Your Consent: In any other circumstances where you have provided explicit consent

8. Cookies & Tracking Technologies

We use cookies and similar technologies to:

• Essential Cookies: Enable core functionality like authentication and security (required for the Service to function)
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Understand how users interact with our Service to improve it
• Performance Cookies: Monitor and optimize Service performance

Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may prevent the Service from functioning properly.

Do Not Track

We currently do not respond to "Do Not Track" browser signals. However, you can opt out of analytics tracking through your account settings.

9. Your Rights

All Users

You have the right to:

• Access your personal information
• Correct inaccurate data
• Delete your account and associated data
• Export your data in a portable format
• Opt out of marketing communications

GDPR Rights (EEA, UK, Switzerland)

Additional rights under GDPR include:

• Right to Erasure: Request deletion of your personal data ("right to be forgotten")
• Right to Restriction: Request limitation of processing in certain circumstances
• Right to Object: Object to processing based on legitimate interests
• Right to Portability: Receive your data in a structured, machine-readable format
• Right to Withdraw Consent: Withdraw consent at any time (without affecting prior processing)
• Right to Lodge Complaint: File a complaint with your local data protection authority

CCPA Rights (California Residents)

California residents have additional rights:

• Right to Know: Request disclosure of personal information collected, used, and disclosed
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: Opt out of the "sale" of personal information (note: we do not sell personal information)
• Right to Non-Discrimination: Not be discriminated against for exercising your privacy rights

Do Not Sell My Personal Information: InsightTrail does not sell personal information as defined by the CCPA.

Australian Privacy Act Rights

Under the Australian Privacy Act 1988, you have the right to:

• Access your personal information held by us (APP 12 - Access)
• Request correction of inaccurate information (APP 13 - Correction)
• Complain about privacy breaches to the OAIC

Exercising Your Rights

To exercise any of these rights, please contact us at privacy@insighttrail.ai. We will respond within 30 days (or sooner as required by applicable law).

10. Data Retention

We retain your data only as long as necessary for the purposes described in this policy:

• Account Data: Duration of your account plus 30 days after deletion request
• Learning Progress: 3 years after last activity (anonymized for analytics thereafter)
• AI Interaction Logs: 1 year for service improvement purposes
• Voice Data: 30 days (processed and deleted, not stored long-term)
• Payment Records: 7 years as required by tax and accounting regulations
• Support Communications: 2 years after resolution

You can request early deletion of your data by contacting us, subject to legal retention requirements.

11. Data Security

We implement industry-standard security measures to protect your information:

• Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Role-based access with multi-factor authentication for staff
• Infrastructure: Hosted on secure cloud platforms with SOC 2 Type II certification
• Monitoring: 24/7 security monitoring and intrusion detection
• Audits: Regular security assessments and penetration testing
• Employee Training: Regular privacy and security training for all staff

While we strive to protect your data, no method of transmission over the Internet is 100% secure. Please use strong passwords and protect your account credentials.

12. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including:

• Australia: Primary data storage (MongoDB Atlas, Sydney region)
• United States: AI processing services (Google, ElevenLabs), email delivery (Resend)
• Global Edge Locations: Content delivery (Vercel)

Transfer Safeguards

For transfers outside the EEA/UK, we rely on:

• Standard Contractual Clauses (SCCs): EU-approved contractual terms with all service providers
• Adequacy Decisions: Where available (e.g., Japan, UK)
• Supplementary Measures: Additional technical and organizational safeguards as needed

13. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms:

• We will notify affected users within 72 hours of becoming aware of the breach
• We will notify relevant supervisory authorities as required by law (OAIC in Australia, ICO in UK, relevant DPA in EU)
• Notification will include: nature of the breach, data affected, likely consequences, and measures taken
• We maintain an incident response plan and conduct regular breach response exercises

14. Children's Privacy

InsightTrail is committed to protecting children's privacy:

• Users under 13 years old are not permitted to use the Service (COPPA compliance)
• Users aged 13-15 require verified parental consent
• Users 16 and older may create accounts independently

If we learn that we have collected personal information from a child under 13 without parental consent, we will delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at privacy@insighttrail.ai.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we do:

• We will provide 30 days notice for material changes via email or in-app notification
• We will update the "Last Updated" date at the top
• Previous versions will be archived and available upon request

Your continued use of the Service after changes become effective constitutes acceptance of the updated policy. If you disagree with changes, please stop using the Service and contact us to delete your account.

16. Contact Us

For privacy-related inquiries, to exercise your rights, or to file a complaint:

Data Protection Officer: For GDPR-related matters, you may also contact our Data Protection Officer at privacy@insighttrail.ai.

Supervisory Authority: You have the right to lodge a complaint with a supervisory authority. In Australia, this is the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.