Privacy Policy
Last updated: 5 May 2026 · Effective: 5 May 2026
Summary
GuardRail is a paid Australian compliance tool. Customer data is stored in Supabase's Sydney region. AI inference uses Anthropic and Google models, and customer data is not used to train those models. You can request access, correction, or deletion at any time via the contact form.
1. Scope and who we are
This privacy policy explains how Off The Ground Agency Pty Ltd (ABN 83 696 833 084) ("OTG Agency", "we", "us") handles personal information collected through GuardRail (the "Service"), available at guardrail-one.vercel.app and any successor production domain.
GuardRail is provided to organisations as a compliance tool. When your organisation uploads documents to GuardRail, that organisation is the APP entity responsible for the personal information in those documents and OTG Agency processes that information on its behalf. This policy covers personal information we collect directly from you and the limited cases where we act as the APP entity.
2. What personal information we collect
We collect the following categories of personal information:
- Account information: name, email address, the organisation you act for, and authentication metadata when you sign up via Supabase Auth.
- Organisation profile: business name, ABN, industry, and company size you provide during onboarding.
- NDIS provider profile: registration status, service types, and states you operate in, when you choose to create an NDIS profile.
- Uploaded documents: policies, procedures, and evidence files you upload for analysis. These may contain personal information about your staff or NDIS participants. You must have a lawful basis to upload that information and you are the controller of it.
- Lead capture: when you download a free template we record the email address, organisation name, and NDIS status you supply. We use this to follow up about GuardRail and you can unsubscribe at any time.
- Billing information: where you pay for a paid plan, billing details are collected and stored by Stripe Inc. We store only the Stripe customer and subscription identifiers.
- Communications: messages sent through our contact form or to our support inbox.
- Technical data: server logs containing timestamps, request paths, and limited error context. We do not log uploaded document content into application logs.
We do not knowingly collect sensitive information (as defined in the Privacy Act 1988 (Cth)) about you. Sensitive information may appear in documents uploaded by your organisation; we treat it with the protections described below.
3. Why we collect it
We use personal information to:
- Provide the Service, including authentication and access control;
- Run AI-assisted compliance analyses you request, including scanning documents against NDIS Practice Standards and generating Privacy Act and AI Safety Standard documentation;
- Send transactional communications, including scan completion notifications and account email;
- Process payments and manage subscriptions;
- Respond to enquiries submitted through the contact form, template lead capture, or support;
- Detect and prevent abuse, fraud, and security incidents; and
- Comply with our legal and regulatory obligations under Australian law.
4. Automated processing and AI
GuardRail uses third-party large language models from Anthropic (Claude) and Google (Gemini) to analyse documents you upload and to generate compliance text. These analyses are decision support tools. They are not legal advice and they do not, on their own, make decisions that have a legally significant effect on individuals.
You retain control over how you use GuardRail's outputs. You must apply human review before treating any GuardRail output as a formal compliance position. If you use GuardRail outputs as part of an automated decision-making process at your own organisation, your organisation is responsible for meeting the Privacy Act automated decision-making obligations applicable to that process.
Document content sent to LLM providers is not used by us to train third-party models. We rely on the providers' standard enterprise data handling commitments and we do not opt in to model training on customer data.
5. Where information is stored
Customer data and uploaded documents are stored in Supabase (PostgreSQL and object storage) hosted in Australia (Sydney region). Authentication metadata is also stored in the same region.
Some processing necessarily occurs outside Australia. In particular, requests to large language model providers (Anthropic, Google) are routed to the providers' current inference regions, which may include the United States. The information sent in these requests is the relevant excerpt of the document or the data needed for generation, and the provider response is returned and stored back in the Australian Supabase region.
By using GuardRail you consent to this limited overseas processing for the purpose of producing the compliance analysis you have requested.
6. Sub-processors
We rely on the following sub-processors:
- Vercel Inc. — application hosting and edge delivery.
- Supabase Inc. — database, authentication, and object storage (Sydney region).
- Anthropic, PBC — Claude inference for document analysis and document generation.
- Google LLC — Gemini Flash inference for document classification.
- Stripe, Inc. — billing and payments for paid plans.
- Mailgun Technologies Inc. — transactional email and contact form delivery.
We will give Professional and Enterprise customers reasonable notice of material changes to the sub-processor list.
7. Retention and deletion
We retain personal information only for as long as we need it to provide the Service or to meet our legal obligations.
- Account and organisation profile: retained for the life of your account. You can request deletion at any time.
- Uploaded scan documents and analyses: retained for the life of your account so you can revisit findings. Customers can request deletion of any uploaded document or scan, and we will action the deletion within 14 days. Enterprise customers can configure a shorter automatic retention window.
- Lead capture (template downloads): retained for 24 months from the date of capture, or until you ask us to remove your record.
- Billing records: retained for 7 years to meet tax record-keeping obligations.
- Server logs: retained for up to 90 days for operational and security purposes.
8. Your rights
You can ask us to:
- Confirm what personal information we hold about you;
- Provide a copy of that information;
- Correct information that is wrong or out of date;
- Delete personal information we no longer need to keep;
- Stop sending you marketing communications (we will continue to send transactional messages while your account is active); and
- Explain a decision the Service supported, where you reasonably believe that decision affected you.
Send requests to our contact form and reference the right you are exercising. We will respond within 30 days.
9. Security
We use Row Level Security in our database, signed upload URLs for file uploads, server-set HTTP security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy), and rate-limited public endpoints. Documents uploaded to scan storage are private and signed; access is scoped to the organisation that uploaded them.
Despite these controls, no system is completely secure. If you believe your account has been compromised, contact us immediately.
10. Notifiable Data Breach scheme
We comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act. If we become aware of a breach that is likely to result in serious harm to individuals, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by law.
11. Contact and complaints
To raise a privacy question, exercise a right, or make a complaint, contact us through our contact form. We aim to acknowledge complaints within 5 business days and resolve them within 30 days.
If you are not satisfied with our response, you can contact the Office of the Australian Information Commissioner at oaic.gov.au.
12. Changes to this policy
We may update this policy from time to time. The latest version is always at this URL with the "Last updated" date refreshed at the top. Material changes will be communicated to account-holders by email at least 14 days before they take effect.