Privacy Policy

1. Introduction & Scope

ChatLemur Pty Ltd ABN 26 994 122 501 ("we", "us", "our") operates the chatlemur.com website and AI chat platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This policy applies to all personal information we collect, including through:

• Our website chatlemur.com
• Our AI chat platform and services
• Email and customer support communications
• Third-party integrations (GitHub OAuth, Stripe payments)

Effective Date: April 2026 | Version: 2.1

1A. Data Residency & Australian Operations

1A.1 Primary Data Storage

1A.2 Cross-Border Processing (AI Only)

To provide AI chat functionality, your chat messages only (not account details, email, or personal identifiers) may be processed by the following AI providers depending on the model selected:

• Groq Inc. (United States): Primary AI language model processing — fast inference for most conversations
• Anthropic PBC (United States): Claude AI model — used for advanced reasoning tasks when selected
• OpenAI LLC (United States): GPT models and text-to-speech (TTS) voice output

We apply the following safeguards to all cross-border AI processing:

• Data Processing Agreement (DPA) or equivalent privacy terms with each provider
• No personal identifiers (email, name, account ID, payment details) are sent to any AI provider
• Chat messages are processed transiently — AI providers do not retain input data beyond the processing window
• Encryption in transit (TLS 1.3) to all providers
• You can view which model processed your message in the chat interface

For full details on cross-border disclosure, see Section 9 (APP 8).

1A.3 Australian Business Registration

• Business Name: ChatLemur
• ABN: 26 994 122 501
• Owner: Joseph Webber
• Location: Adelaide, South Australia
• Governing Law: Privacy Act 1988 (Cth), Australian Privacy Principles

2. APP 1 – Open and Transparent Management of Personal Information

We are committed to managing your personal information in an open and transparent way. This policy is freely available on our website and clearly explains:

• What personal information we collect and hold
• How we collect, hold, use, and disclose personal information
• How you may access and correct your personal information
• How you may make a privacy complaint and how we handle complaints
• Whether we disclose personal information overseas and to which countries

Our internal privacy management framework includes:

• Documented privacy procedures and practices
• Staff training on privacy obligations
• Regular privacy impact assessments for new features
• Designated privacy contact (see Section 23)

3. APP 2 – Anonymity and Pseudonymity

You have the option of not identifying yourself, or using a pseudonym, when dealing with us where lawful and practicable.

3.1 When You Can Use a Pseudonym

• Browsing: You may browse our website without providing any personal information
• Free Tier: You may use a pseudonymous username for your account
• Chat: You may use any display name for AI conversations

3.2 When Identification is Required

• Paid Subscriptions: Legal name and billing address required for tax compliance
• Support Requests: Verification may be required for account access issues
• Legal Requests: Where required by law or court order

4. APP 3 – Collection of Solicited Personal Information

We only collect personal information that is reasonably necessary for our functions or activities as an AI chat platform.

4.1 Types of Personal Information Collected

4.2 Sensitive Information

We do not intentionally collect sensitive information as defined under the Privacy Act, including:

• Racial or ethnic origin
• Political opinions or membership
• Religious beliefs or affiliations
• Sexual orientation or practices
• Criminal record
• Health or genetic information
• Biometric data

Important: You may inadvertently share sensitive information in AI chat conversations. While we do not actively process or categorise this data, it may be stored in your conversation history. You can delete conversations at any time.

4.3 Lawful and Fair Collection

We collect personal information only by lawful and fair means, directly from you unless:

• You have consented to collection from a third party (e.g., GitHub OAuth)
• Collection is required or authorised by law

5. APP 4 – Dealing with Unsolicited Personal Information

If we receive personal information we did not solicit, we will within a reasonable period determine whether we could have collected it under APP 3. If not:

• We will destroy or de-identify the information as soon as practicable
• We will not use or disclose the information except for this purpose

This may occur when users send unsolicited personal information via email or include third-party personal information in chat messages.

6. APP 5 – Notification of Collection

At or before the time of collection (or as soon as practicable afterwards), we will notify you of:

• Our identity: ChatLemur Pty Ltd, Adelaide, South Australia
• Collection method: How and why we are collecting your information
• Legal requirement: Whether collection is required by law (it is not)
• Consequences: What happens if you don't provide information (service limitations)
• Third parties: Who we usually disclose information to
• Overseas disclosure: That data may be processed in the USA (see APP 8)
• Access & correction: How to access and correct your information
• Complaints: How to make a privacy complaint

This notification is provided through this Privacy Policy, registration forms, and in-app notices.

7. APP 6 – Use or Disclosure of Personal Information

We will only use or disclose your personal information for:

1. The primary purpose for which it was collected (providing AI chat services), or
2. A secondary purpose where:
   • You would reasonably expect us to use the information for that purpose and it is related to the primary purpose, or
   • You have consented, or
   • It is required or authorised by Australian law

7.1 What We Never Do

• We never sell your personal information
• We never share your data with data brokers
• We never use your chat content for advertising
• We never train AI models on your identifiable data without consent

8. APP 7 – Direct Marketing

We may use your contact information for direct marketing only where:

• You have consented to receive marketing communications, or
• You would reasonably expect to receive such communications and we provide a simple opt-out

8.1 Types of Marketing Communications

• Product updates and new features
• Subscription renewal reminders
• Service announcements

8.2 Your Opt-Out Rights

8.3 Source of Information

If you request, we will tell you the source of your contact information used for direct marketing.

9. APP 8 – Cross-border Disclosure of Personal Information

Your personal information may be disclosed to overseas recipients. Before doing so, we take reasonable steps to ensure the overseas recipient handles the information consistently with the APPs.

9.1 Countries Where Data May Be Processed

9.2 Your Consent

By using ChatLemur, you acknowledge and consent to your personal information being transferred to these overseas recipients. We remain accountable for their handling of your information under Australian law.

9.3 Additional Protections

For all cross-border transfers, we ensure:

• Contractual obligations requiring APP-equivalent privacy protections
• Assessment of the recipient's privacy practices and local laws
• Encryption in transit and at rest
• Limitation of data shared to what is strictly necessary

10. APP 9 – Adoption, Use, or Disclosure of Government Related Identifiers

ChatLemur does not collect, use, or disclose government-related identifiers including:

• Tax File Numbers (TFN)
• Medicare numbers
• Driver's licence numbers
• Passport numbers
• Centrelink Customer Reference Numbers (CRN)
• Healthcare identifiers

Do not share government identifiers in chat conversations. If accidentally disclosed, contact us immediately to have the message deleted.

11. APP 10 – Quality of Personal Information

We take reasonable steps to ensure the personal information we collect, use, and disclose is accurate, up-to-date, complete, and relevant.

11.1 How We Maintain Data Quality

• Account Settings: You can update your email, username, and profile at any time
• Verification: Email verification ensures contact accuracy
• Correction Requests: We promptly process correction requests (see APP 13)
• Regular Audits: We periodically review data for accuracy and relevance

11.2 Your Responsibility

Please keep your account information current. Notify us of any changes to ensure continued service quality.

12. APP 11 – Security of Personal Information

We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure.

12.1 Technical Security Measures

• Encryption in Transit: All data transmitted using TLS 1.3
• Encryption at Rest: Database encryption using AES-256
• Password Security: Passwords hashed using bcrypt with salt
• Authentication: Secure session tokens, optional OAuth
• Infrastructure: Fly.io SOC 2 compliant hosting in Sydney region
• Monitoring: Real-time intrusion detection and logging

12.2 Organisational Security Measures

• Access controls and principle of least privilege
• Security awareness training
• Regular security audits and penetration testing
• Incident response procedures
• Vendor security assessments

12.3 Destruction of Personal Information

When personal information is no longer needed for any purpose for which it may be used or disclosed, we will:

• Securely destroy the information, or
• De-identify the information so it is no longer personal information

Destruction methods include secure deletion and cryptographic erasure.

13. APP 12 – Access to Personal Information

You have the right to request access to the personal information we hold about you.

13.1 How to Request Access

13.2 Response Timeframe

• We will respond within 30 days of receiving your request
• Complex requests may take up to 45 days (we will notify you)
• We will provide information in a commonly used electronic format

13.3 Self-Service Access

You can access much of your information directly through your account:

• Account Settings: View and update profile information
• Chat History: Access all your conversation history
• Data Export: Download your data in JSON format

13.4 When We May Refuse Access

We may refuse access where:

• Giving access would pose a serious threat to life, health, or safety
• Giving access would have an unreasonable impact on others' privacy
• The request is frivolous or vexatious
• The information relates to legal proceedings and would be subject to legal privilege
• Giving access would prejudice enforcement activities or negotiations

If we refuse access, we will provide written reasons and information about how to complain.

14. APP 13 – Correction of Personal Information

You have the right to request correction of personal information we hold about you if it is inaccurate, out-of-date, incomplete, irrelevant, or misleading.

14.1 How to Request Correction

• Self-Service: Update your profile in Account Settings
• Email: Send correction requests to privacy@chatlemur.com

14.2 Response Timeframe

• We will respond within 30 days
• If corrected, we will notify third parties who received the incorrect information

14.3 When We May Refuse Correction

If we refuse to correct information, we will:

• Provide written reasons for the refusal
• Advise you of complaint mechanisms
• On request, attach a statement to the record noting your claimed correction

15. Notifiable Data Breaches Scheme

We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988.

15.1 What is an Eligible Data Breach?

An eligible data breach occurs when:

• There is unauthorised access to, disclosure of, or loss of personal information
• A reasonable person would conclude the breach is likely to result in serious harm to affected individuals
• The breach cannot be remediated

15.2 Our Breach Response Process

1. Contain: Immediately contain the breach and prevent further compromise
2. Assess: Conduct a reasonable and expedient assessment (within 30 days)
3. Notify: If eligible, notify the OAIC and affected individuals as soon as practicable
4. Review: Review and improve security measures

15.3 What Notification Will Include

• Identity and contact details of ChatLemur
• Description of the data breach
• Types of information involved
• Recommendations for steps individuals can take

15.4 Reporting a Suspected Breach

If you suspect a data breach, immediately contact security@chatlemur.com.

16. Third-Party AI Processors & Services

We use third-party services to operate ChatLemur. These processors handle your data under strict contractual obligations.

16.1 Groq Inc. – AI Processing

16.2 GitHub – Authentication

• Data received: GitHub username, email, profile picture (if you use GitHub sign-in)
• Purpose: Authentication only
• Privacy Policy: GitHub Privacy Statement

16.3 Stripe – Payment Processing

• Data sent: Billing name, address, subscription details
• Card details: Handled directly by Stripe (we never see full card numbers)
• Compliance: PCI-DSS Level 1 certified
• Privacy Policy: Stripe Privacy Policy (Australia)

16.4 Fly.io – Hosting Infrastructure

• Data stored: All application data (database, logs)
• Region: Sydney, Australia (data residency)
• Compliance: SOC 2 Type II
• Privacy Policy: Fly.io Privacy Policy

17. Data Retention Periods

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

17.1 Your Right to Earlier Deletion

You can delete your account and request erasure of your personal information at any time, subject to legal retention requirements (e.g., tax records).

18. Cookies & Privacy Act Compliance

Cookies are small text files stored on your device. Under Australian law, cookies that collect personal information must comply with the Privacy Act.

18.1 Types of Cookies We Use

18.2 Your Cookie Choices

• Essential cookies: Required for service operation (cannot be disabled)
• Analytics cookies: Optional – manage via our cookie banner or browser settings
• Browser settings: You can configure your browser to reject non-essential cookies

18.3 We Do Not Use

• Third-party advertising cookies
• Cross-site tracking
• Fingerprinting or supercookies

For full details, see our Cookie Policy.

19. Special Categories of Information

19.1 Credit Reporting

ChatLemur is not a credit provider and does not participate in the credit reporting system. We do not:

• Collect credit information
• Report to credit reporting bodies
• Access credit reports for any purpose

19.2 Tax File Numbers

We do not collect or use Tax File Numbers (TFNs). The TFN Rule under the Privacy Act does not apply to our services.

19.3 Healthcare Identifiers

We do not collect or use Healthcare Identifiers. The Healthcare Identifiers Act 2010 does not apply to our services.

19.4 My Health Records

ChatLemur is not connected to the My Health Record system and cannot access or store My Health Record data.

19.5 Consumer Data Right (CDR)

ChatLemur does not participate in the Consumer Data Right scheme. We are not an accredited data recipient under the CDR rules for banking, energy, or telecommunications sectors.

20. Children's Privacy

ChatLemur is designed for users aged 16 years and older. We do not knowingly collect personal information from children under 16.

20.1 Parental Rights

If you are a parent or guardian and believe your child has provided personal information to us:

• Contact us immediately at privacy@chatlemur.com
• We will delete the information within 48 hours
• We will terminate any account created by the minor

20.2 Age Verification

While we do not collect date of birth, our Terms of Service require users to confirm they are 16 or older. We reserve the right to terminate accounts if we discover underage usage.

21. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements.

21.1 How We Notify You

• Minor changes: Updated "Last modified" date on this page
• Material changes: Email notification to registered users + in-app banner
• Significant changes: 30-day notice before changes take effect

21.2 Version History

• Version 2.1 (April 2026) – Added Data Residency section, April 2026 regulatory updates
• Version 2.0 (January 2026) – Comprehensive APP compliance update
• Version 1.0 (November 2025) – Initial policy

22. Complaints & OAIC Process

22.1 Internal Complaint Process

If you believe we have breached your privacy or the APPs, please lodge a complaint:

1. Contact us: Email privacy@chatlemur.com with "Privacy Complaint" in the subject line
2. Provide details: Include your contact information, description of the issue, and desired outcome
3. Acknowledgment: We will acknowledge your complaint within 5 business days
4. Investigation: We will investigate and respond within 30 days
5. Outcome: We will advise you of the outcome and any remedial action taken

22.2 External Complaint – OAIC

If you are not satisfied with our response, or if we fail to respond within 30 days, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

23. Contact Us