Privacy Policy

Last updated: 1 April 2026

1. Who We Are

AI Lab Australia Pty Ltd (ABN to be registered) operates the SydClaw AI Workforce Platform. We are based in Sydney, New South Wales, Australia. This policy covers how we handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

2. What Personal Information We Collect

SydClaw processes personal information on behalf of our clients (businesses). The types of personal information we may process include:

  • Contact information (names, email addresses, phone numbers)
  • Business information (job titles, company names, ABNs)
  • Communication content (emails, calendar entries, meeting notes)
  • Financial information (invoice details, payment amounts)
  • Safety and compliance data (inspection results, incident reports)
  • Account credentials (encrypted OAuth tokens for connected services)

We collect this information from our clients' connected systems (Gmail, Xero, SafetyCulture, etc.) only with their explicit authorization via OAuth consent flows.

3. Automated Decision-Making and AI

SydClaw uses artificial intelligence (AI) to assist with business tasks. In accordance with the Privacy and Other Legislation Amendment Act 2024, we disclose the following about our automated decision-making:

3.1 How AI Is Used

Our AI agent performs the following types of tasks using personal information:

  • Email classification and prioritization — categorizes emails by urgency and type
  • Email drafting — generates draft responses based on conversation context
  • Invoice processing — extracts data from invoices, matches to purchase orders
  • Contact enrichment — looks up professional profiles for meeting preparation
  • Safety compliance monitoring — tracks inspection status and overdue items
  • Report generation — compiles data into structured reports
  • Calendar management — scheduling, conflict detection, meeting preparation

3.2 Human Oversight

SydClaw implements a mandatory human-in-the-loop approval system:

  • All external communications (emails to external recipients) require human approval before sending
  • All financial actions (invoice creation, payment processing) require human approval
  • All data deletion or modification actions require human approval
  • Actions are classified by risk level (low, medium, high, critical) with appropriate approval routing
  • No AI-generated action that could significantly affect an individual is executed without human review

3.3 PII Tokenization (Zero-Knowledge AI)

Before any personal information is sent to external AI model providers (such as Anthropic Claude or OpenAI), all personally identifiable information (PII) is tokenized — replaced with reversible pseudonymous tokens. The AI model never sees real names, email addresses, phone numbers, or other personal identifiers. Tokenization covers 17+ PII categories including names, emails, phone numbers, ABNs, TFNs, addresses, and financial account details.

3.4 Decision Transparency

Every AI decision and action is recorded in an immutable audit log that includes: the timestamp, what action was taken, what data was used (in tokenized form), what the AI's reasoning was, and whether the action was approved or denied by a human. Clients can access their complete audit trail at any time through the admin dashboard.

3.5 Right to Contest AI Decisions

If you believe an AI-assisted decision has significantly affected your rights or interests, you may request a review. Contact your organization's SydClaw administrator, or email us at info@ailabaustralia.com. We will provide a human review of the decision within 10 business days, including an explanation of the factors that contributed to the decision.

4. Data Storage and Security

  • Location: All data is stored in Australia (AWS ap-southeast-2, Sydney)
  • Encryption at rest: AES-256-GCM with per-organization encryption keys derived via scrypt
  • Encryption in transit: TLS 1.3 for all connections
  • Access control: Row Level Security (RLS) on all database tables, role-based access control (RBAC), multi-factor authentication (MFA)
  • Tenant isolation: Each client receives a logically isolated deployment with dedicated database and encryption keys
  • Credential storage: OAuth tokens and API keys encrypted with AES-256-GCM, never stored in plaintext

5. Cross-Border Data Disclosure

SydClaw uses the following third-party services that may process data outside Australia:

Service | Purpose | Data Sent
Anthropic (Claude) | AI inference | Tokenized only — no PII in plaintext
OpenAI (fallback) | AI inference fallback | Tokenized only — no PII in plaintext
Stripe | Payment processing | Billing data only (no operational data)
Inngest | Background job scheduling | Job metadata only (no personal information)

6. Data Retention

  • Operational data: Retained for the duration of the service agreement + 60 days
  • Financial records: Retained for 7 years (Australian tax law)
  • Safety records: Retained for 7 years (WHS Act)
  • Audit logs: Retained per client agreement (minimum 2 years)
  • Upon termination: All data exported to client within 30 days, deleted within 60 days, with written confirmation provided

7. Data Breach Notification

In the event of a data breach affecting personal information, we will:

  • Notify the affected client within 24 hours
  • Assess and notify the Office of the Australian Information Commissioner (OAIC) within 72 hours if required under the Notifiable Data Breaches scheme
  • Assist in notifying affected individuals as required

8. Your Rights

Under the Australian Privacy Principles, you have the right to:

  • Request access to personal information we hold about you
  • Request correction of inaccurate information
  • Request a review of any automated decision that affects you
  • Make a complaint about our handling of your personal information

9. Contact

For privacy enquiries, data access requests, or to contest an AI decision:

Email: info@ailabaustralia.com

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

AI Lab Australia Pty Ltd | Sydney, Australia | info@ailabaustralia.com