This Privacy Policy describes how CompEye Pty Ltd (ACN [pending], "CompEye", "we", "our", or "us") collects, uses, discloses, and protects personal information when you visit compeye.com.au or use our compliance-copilot service (the "Service").
CompEye is an Australian entity. We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where you are in the European Union, the United Kingdom, or another jurisdiction with applicable data-protection law, we also comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent regimes.
Plain-English summary. You give us an email and ask us compliance questions. We send your question to AI providers (Anthropic, Voyage AI) to generate an answer, log the question against your account for billing and audit, and watermark the answer to deter unauthorised redistribution. We do not sell your data and we do not use your questions to train AI models.
We process your personal information for the purposes set out below. Where the GDPR or UK GDPR applies, the lawful basis is identified.
| Purpose | Data used | Lawful basis (EU/UK) |
|---|---|---|
| Account creation & auth | Email, API key hash | Performance of a contract |
| Service delivery (answering queries) | Question text, account tier | Performance of a contract |
| Billing & subscription management | Email, Stripe customer ref | Performance of a contract |
| Abuse prevention (free-tier signup throttle) | IP address, browser fingerprint | Legitimate interests (Art. 6(1)(f)) |
| Audit logging & piracy tracing | Query record, watermark ID, IP, UA | Legitimate interests + legal obligation |
| Service security & integrity | IP, UA, magic-link metadata | Legitimate interests |
| Transactional emails | | Performance of a contract |
| Service improvement (aggregate analysis) | Anonymised usage patterns | Legitimate interests |
We do not use your data for direct marketing without your prior consent. Where we rely on legitimate interests, you have the right to object — see §7.
We use a small set of sub-processors to deliver the Service. Each is contractually bound to maintain confidentiality and to process data only on our instructions.
| Sub-processor | Role | Data sent | Location |
|---|---|---|---|
| Anthropic, PBC | AI synthesis (Claude) | Question text + retrieved regulator excerpts | United States |
| Voyage AI, Inc. | Query embeddings | Question text only | United States |
| Stripe, Inc. | Payments & tax | Email, billing address, payment method | United States / Australia |
| Resend, Inc. (when configured) | Transactional email delivery | Email, magic-link URL | United States |
| Hosting provider | Application + database hosting | All data we hold | To be confirmed at deployment |
Anthropic and Voyage AI's data-use commitments. Anthropic and Voyage AI both contractually commit not to train their models on API-submitted content. Anthropic retains submissions for up to 30 days for safety/abuse review and then deletes them, unless we opt out of trust-and-safety logging (which we currently have not).
We may also disclose personal information:
Most of our sub-processors are in the United States. For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the United States, we rely on:
For Australian users, cross-border disclosure is consistent with APP 8: we take reasonable steps to ensure overseas recipients are bound to similar standards.
| Data category | Retention period |
|---|---|
| Account record (email, hashed API key, tier) | While your account is active, plus 7 years after closure for regulatory/audit purposes |
| Query audit log (question + response refs + watermark) | Indefinite — required for piracy tracing and to honour the audit-grade promise we make to customers |
| Conversation history (your chat threads) | While your account is active — deleted on account deletion request, except where retained per the audit log |
| Billing records (invoices, payment status) | 7 years — Australian Tax Office record-keeping requirements |
| Magic-link tokens | 15 minutes (single-use; deleted on consumption or expiry) |
| Signup-attempt log (IP, fingerprint, outcome) | 180 days for abuse-pattern detection |
| Server logs | 30 days unless required for an active security investigation |
Subject to certain conditions, you have the right to:
To exercise any of these rights, email privacy@compeye.com.au. We will respond within 30 days (GDPR) or a reasonable period (Australian Privacy Act).
We take reasonable steps to protect personal information, including:
No method of transmission or storage is 100% secure. We will notify affected users and relevant regulators of any eligible data breach in accordance with the Notifiable Data Breaches scheme (Privacy Act 1988, Part IIIC) and Article 33 GDPR.
Each response generated by the Service includes a watermark: a unique 32-bit identifier encoded as invisible Unicode characters (U+200B, U+200C, U+200D, U+2060) distributed across the response prose. This identifier is mapped server-side to:
The watermark cannot be detected by humans reading the response. It survives most copy-and-paste flows. The purpose is to deter unauthorised redistribution of our content and to enable us to identify the source of any leaked excerpts.
The watermark is not used for tracking your activity within other websites or for behavioural advertising.
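An added illustration, not CompEye's code: one way a 32-bit identifier could be carried by the four code points listed above and read back from pasted text. The two-bits-per-character mapping, the word-gap placement, the sample sentence and all function names are assumptions; this policy does not specify them.

```python
# Assumed layout: each of the four invisible code points carries 2 bits,
# so a 32-bit identifier needs 16 of them. Not the Service's actual scheme.
ALPHABET = ["\u200b", "\u200c", "\u200d", "\u2060"]
SYMBOLS = 16  # 32 bits / 2 bits per character

# Constructed sample response text (20 words).
SAMPLE = ("Under the constructed example rule, a reporting entity must keep "
          "transaction records for seven years after the account is closed.")


def embed(text: str, watermark_id: int) -> str:
    """Append one invisible symbol to each of the first 16 words of `text`."""
    if not 0 <= watermark_id < 2**32:
        raise ValueError("watermark_id must fit in 32 bits")
    words = text.split(" ")
    if len(words) < SYMBOLS:
        raise ValueError("text too short to carry 16 symbols")
    # Most significant bit pair first: shifts 30, 28, ..., 0.
    for i, shift in enumerate(range(30, -1, -2)):
        words[i] += ALPHABET[(watermark_id >> shift) & 0b11]
    return " ".join(words)


def extract(text: str):
    """Recover the identifier from pasted text, or None if marks are missing."""
    symbols = [ALPHABET.index(ch) for ch in text if ch in ALPHABET]
    if len(symbols) != SYMBOLS:
        return None  # excerpt was truncated or the marks were lost in transit
    value = 0
    for sym in symbols:
        value = (value << 2) | sym
    return value


def reveal(text: str) -> str:
    """Render the invisible code points as visible tags for inspection."""
    return "".join(f"<U+{ord(c):04X}>" if c in ALPHABET else c for c in text)


if __name__ == "__main__":
    marked = embed(SAMPLE, 0xDEADBEEF)
    print(reveal(marked))
    print(hex(extract(marked)))
```

With this simple layout an excerpt that contains fewer than all 16 marked words yields no identifier; recovering an identifier from partial excerpts would need repetition and framing, which this policy does not describe.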
We do not use third-party analytics or advertising cookies. The Service stores the following in your browser's localStorage for functional purposes:
You may clear this at any time via your browser settings or by using the "Sign out" button.
The Service is intended for use by adults in a professional capacity. We do not knowingly collect personal information from anyone under 18 years of age. If you believe a minor has provided us with personal information, please contact us and we will delete it.
We may update this Privacy Policy from time to time. The "Last updated" date at the top will reflect the most recent revision. Where the change is material, we will notify active users by email or in-app banner at least 14 days before it takes effect.
If you have a question or concern about your privacy:
If we are unable to resolve your concern, you may also lodge a complaint with the relevant supervisory authority: