Privacy Policy & GDPR

This Privacy Policy explains how Awardee Pty Ltd (ABN/ACN 653 151 074) (Awardee, we, us) collects, uses, stores and discloses Personal Information when you visit our websites or use our SaaS Service as a Customer (business subscriber). End Users (your customers) are covered under the separate End User Privacy & Use Policy below.

We comply with the Australian Privacy Act 1988 (Cth) and Australian Privacy Principles, and where applicable, the EU GDPR, UK GDPR, and other global privacy laws.

1. What is Personal Information?

Personal Information is information or an opinion that identifies, or could reasonably identify, an individual. This includes direct identifiers (name, email) and indirect identifiers (device IDs, IP address).

2. What we collect

Depending on how you use our Website and Service, we may collect the following categories of Personal Information:

2.1 Account and business contact data
Name, business name, role/title, email address, phone number, billing address, login credentials, and account settings.

2.2 Service configuration data
Staff contact details you nominate for message/feedback relay, Location and Tool setup information, logos/branding, and Customer Content you upload.

2.3 Usage and technical data
IP address, device type, browser type, operating system, time zone, log files, diagnostics, feature usage, page views, and timestamps.

2.4 Communications
Support requests, in-app chat messages, emails, surveys, and feedback you send to us.

2.5 Payment metadata
We do not store full card details. Payments are processed by Paddle as Merchant of Record. Paddle collects and stores payment data directly under its own buyer terms and privacy policy.

3. How we collect it

We collect Personal Information when you:

• register for or access an account;
• upload Customer Content or configure Staff contacts/Tools;
• contact support or communicate with us;
• browse our Websites (via cookies and similar tools);
• interact with our emails or marketing.

We may also receive limited information from third-party services that support the Service (e.g., hosting, messaging, AI, analytics, CRM, and payment support).

4. How we use it

We use Personal Information to:

• provide, operate, maintain and secure the Service;
• set up accounts, Tools and Locations;
• relay End User messages to your nominated staff;
• respond to support requests;
• monitor usage, prevent abuse, spam or fraud;
• improve and develop features;
• send service notices, product updates and marketing (opt-out available);
• comply with legal requirements and enforce our Terms.

We may also create de-identified or aggregated data for analytics and product improvement. This data does not identify you personally.

5. Lawful bases (GDPR/UK GDPR)

Where GDPR/UK GDPR applies, Awardee processes Personal Information on the following lawful bases:

• Contract: to provide and administer the Service.
• Legitimate interests: to secure the Service, detect fraud/abuse, improve products, and communicate with business customers.
• Consent: where required for optional marketing and cookie categories.
• Legal obligation: to comply with tax, accounting, fraud prevention, and other laws.

6. Disclosure to others

We may disclose Personal Information to:

• our staff and contractors who need it to provide the Service;
• Sub-processors (hosting, analytics, messaging, AI, customer support tools);
• professional advisers (lawyers, accountants, insurers);
• regulators or law enforcement where required;
• a buyer of our business/assets (subject to law).

Sub-processors are bound to handle data securely and only for Service delivery. A current list is available on request.

7. International transfers

We operate globally and may store or process data in Australia or other countries (including the USA, EU and UK) where our Sub-processors operate. Where required, we use appropriate safeguards for international transfers.

8. Data retention

We retain Personal Information only for as long as needed to provide the Service and meet legal, security, dispute or compliance requirements.

Typical retention periods include:

• Account and billing records: for the life of the subscription plus a reasonable period after, to meet legal and support obligations.
• Security/usage logs: retained for a limited period for fraud prevention, diagnostics, and product improvement.
• Customer Content: handled under the retention rules in your Terms.

9. Security

We use commercially reasonable technical and organisational safeguards. No system is perfectly secure, and we do not guarantee absolute security.

10. Access, correction, deletion

You may request access to, correction of, or deletion of your Personal Information by contacting privacy@awardee.com.au. We may need to verify identity and may refuse requests where permitted by law.

11. US state privacy rights (where applicable)

If you are located in a US state with privacy laws (e.g., California, Colorado, Virginia, Connecticut, Utah), you may have rights to request access, correction, deletion, and to opt out of certain processing.

Awardee does not sell Personal Information and does not share Personal Information for cross-context behavioural advertising.

Requests can be made to privacy@awardee.com.au. We may redirect End User requests to the relevant Customer where the Customer is the data controller.

12. Marketing

We may send service communications and product updates. You can opt out of marketing at any time using unsubscribe links or contacting us.

13. Complaints

Email privacy@awardee.com.au. We will investigate and respond within a reasonable time. If unresolved, you may contact your local privacy regulator.

14. Updates

We may update this Policy from time to time. The updated version applies from the effective date shown.

This GDPR / Data Processing Policy explains how Awardee processes Personal Data for Customers and how GDPR/UK GDPR concepts apply globally.

1. Roles

• Customer = Controller (or equivalent): the Customer decides what End User data is collected and the purposes for which it is used.
• Awardee = Processor / Service Provider: Awardee processes End User data only on the Customer's documented instructions and solely to provide the Service.

2. End User Personal Data processed

End Users may submit:

• messages/questions;
• optional photos/attachments;
• feedback ratings;
• device and usage metadata (IP address, browser/device type, timestamps);
• interaction context (language, tool/session identifiers).

The Service is not designed to process sensitive personal data (health, government ID, payment data, biometrics). If a Customer instructs Awardee to process such data, the Customer is solely responsible for lawful basis and compliance.

3. Processing purposes

Awardee processes End User data only to:

• generate AI chats and Outputs;
• relay messages/feedback to Customer staff;
• secure and maintain the Service;
• prevent spam, fraud, and abuse;
• improve performance using de-identified/aggregated analytics.

4. Lawful basis

Customers must ensure they have lawful basis and any notices/consents required for End Users. Awardee relies on the Customer's lawful basis and instructions.

5. Sub-processors

Awardee uses Sub-processors to deliver the Service. We maintain appropriate contracts with Sub-processors and remain responsible for them to the extent required by law. Awardee may add or replace Sub-processors. Customers may request the current list at privacy@awardee.com.au.

6. International transfers

Where GDPR/UK GDPR applies, transfers outside the EEA/UK are protected by lawful safeguards (such as SCCs or equivalent).

7. Data subject rights

Customers (as Controller) handle End User rights requests. Awardee (as Processor) will reasonably assist Customers to fulfil rights requests where required and technically feasible.

8. Automated decision-making

Awardee does not use End User data to make automated decisions that produce legal or similarly significant effects on End Users within the meaning of GDPR Article 22.

9. Security & breach notice

Awardee uses commercially reasonable safeguards. If we become aware of a material breach affecting Customer Data, we notify the Customer without undue delay and provide reasonable information to support compliance.

10. Retention and deletion

End User data is retained and deleted in line with the Terms (Section 18) and this Policy.

11. Full DPA

A full Data Processing Addendum is available on request.

This policy applies to people who use an Awardee help page, AI Assistant, QR code, or link provided by one of our business Customers (End Users).

1. Who you are interacting with

Awardee provides the software platform, but the help page and AI experience you are using belongs to the business that displayed the QR code or link (the Customer). Your relationship for goods/services is with the Customer, not Awardee.

2. Automated service

The AI Assistant provides automated answers based on information supplied by the Customer. AI answers may be incomplete or incorrect. Verify important information directly with the Customer before acting on it.

3. What data you may provide

Depending on the Customer's setup, you may submit:

• messages/questions;
• Names, email or contact information;
• optional photos/attachments;
• feedback ratings;
• basic device and usage data (IP address, browser/device type, scan/session identifiers, timestamps).

Do not submit sensitive personal information (health data, government IDs, payment data, biometrics). If you do, you do so at your own risk.

4. How your data is used

Your data is used to:

• generate AI chats and Outputs;
• send your message/feedback to Customer staff;
• prevent abuse, spam or fraud;
• improve Service quality only in de-identified or aggregated form.

5. Who controls your data

The Customer controls how this tool is deployed and is responsible for End User privacy compliance. The Customer is the data controller (or equivalent). Awardee processes End User data only to provide the software to the Customer.

If you want access to, correction of, or deletion of your data, contact the Customer directly. Awardee will redirect requests to the Customer where appropriate.

6. Children

This Service is not directed to children. Awardee does not knowingly collect Personal Information from children. If you believe a child has provided data, contact the Customer or Awardee.

7. Acceptable use

You must not use the Service to:

• break the law, harass others, or submit abusive content;
• upload illegal, infringing, pornographic, or exploitative material;
• interfere with or overload the system;
• attempt to scrape, reverse engineer, or abuse the AI.

Awardee may block access for misuse.

8. Liability

Awardee is not responsible to End Users for:

• AI accuracy or completeness;
• Customer goods/services or business practices;
• delays or failures in message delivery to Customer staff;
• device, browser, scanner, or network problems.

9. Updates

We may update this policy from time to time. The effective date will be updated above.