Privacy Policy

We collect personal information that you voluntarily provide and information collected automatically when you use our services. This includes:

• Identity and contact data: name, email address, phone number, job title, company name, billing address.
• Commercial data: the workflow, tools, integrations and access credentials you ask us to work on; payment records (we do not store full card numbers — these are held by Stripe).
• Technical data: IP address, browser type, device identifiers, language, referring URL, pages visited and approximate location (country/region only).
• Communications data: emails, call transcripts, messages and call recordings, project notes.
• Marketing preferences: any subscription or unsubscribe choices.

We do not knowingly collect sensitive information (as defined under the Privacy Act) including health, racial, political or biometric data. If you provide such information to us in the course of an engagement, we will only use it for the purpose for which it was given.

We do not knowingly collect information from children under 16. If you believe we have done so, contact us and we will delete it.

• Directly from you — when you fill out a form, book a call, sign a proposal, send an email, or grant us access to a tool.
• Automatically — through cookies and similar technologies on our website (see Section 8).
• From third parties — payment processors (Stripe, PayPal), booking platforms (Cal.com), and tools you authorise us to integrate with on your behalf.

We use your personal information for the following purposes:

• To deliver our services — building, deploying and maintaining the automation systems you engage us for. (Legal basis: performance of contract / APP 6 — primary purpose.)
• To process payments — billing, invoicing, recovering debts. (Legal basis: contract; legitimate interests; legal obligation.)
• To communicate with you — about projects, support, account changes, and security. (Legal basis: contract; legitimate interests.)
• To improve our website and services — analytics, debugging, capacity planning. (Legal basis: legitimate interests / APP 6 secondary purpose reasonably expected.)
• To send you marketing — only with your consent or where permitted under the Spam Act 2003 (Cth) and equivalent UK/US laws. You can unsubscribe at any time.
• To comply with our legal obligations — including tax, anti-money-laundering, and responding to lawful requests.

We disclose personal information only to parties who help us deliver our services, and only to the extent necessary. These currently include:

• Payment processors — Stripe, PayPal (United States, Ireland)
• Hosting and infrastructure — Vercel (United States), Hetzner (Germany)
• Communications — Cal.com (United States), Tally (Belgium), Proton Mail (Switzerland)
• AI processing — OpenAI (United States), Anthropic (United States) — only where you have authorised AI processing of your data
• Professional advisers — accountants, lawyers, insurers (Australia)
• Government and regulators — where required by law

We do not sell, rent or trade your personal information. We do not share it for advertising purposes.

As listed above, some of our service providers are located outside Australia. Before disclosing your personal information overseas, we take reasonable steps to ensure the recipient handles it consistently with the APPs — typically through binding contractual terms (such as the EU Standard Contractual Clauses or the UK International Data Transfer Addendum, where applicable) and selecting reputable providers with established privacy frameworks.

If you are in the UK or EU, your data may be transferred to and processed in countries that do not have an "adequacy decision". We rely on Standard Contractual Clauses or your explicit consent for such transfers.

We take reasonable organisational and technical measures to protect your personal information from misuse, interference, loss, unauthorised access, modification or disclosure. These include:

• Encryption in transit (TLS) and at rest where supported by our providers
• Multi-factor authentication on administrative accounts
• Principle of least privilege — only people who need access have it
• Regular review of third-party tools' security posture
• Credentials and API keys stored in secret-management systems, never in plain text
• Prompt destruction or de-identification of personal information no longer needed

No internet transmission or electronic storage is 100% secure. If we become aware of a data breach likely to result in serious harm, we will comply with the Notifiable Data Breaches scheme — notifying affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable.

In the ordinary course of our consulting work we build automation systems for clients that use AI. For our own internal use, we may use AI tools to help draft client communications, analyse meeting transcripts, and triage inbound enquiries. Where AI is used in a way that could reasonably be expected to significantly affect your rights or interests (for example, an automated decision about whether to accept your engagement), we will disclose this and provide you with a way to request human review.

We do not currently use any fully automated system to make decisions about pricing, service eligibility, or refunds without human oversight.

This disclosure is provided in line with new transparency requirements being introduced by the Privacy and Other Legislation Amendment Act 2024 (Cth), which take full effect on 10 December 2026.

Our website uses a small number of cookies and similar technologies:

• Strictly necessary cookies — required to make the site work (e.g. remembering your language preference). Cannot be disabled.
• Analytics cookies — we may use privacy-respecting analytics (e.g. Plausible, Vercel Analytics) that do not track you across other sites or build a personal profile.

You can disable cookies in your browser settings. Disabling necessary cookies may affect site functionality.

We keep personal information only as long as necessary for the purpose it was collected, plus any period required by law. As a guide:

• Active client records: for the duration of the engagement plus 7 years (Australian tax law requires retention of financial records for 5 years; we round up to 7).
• Prospective client enquiries: up to 24 months.
• Marketing list: until you unsubscribe.
• Website analytics: aggregated data may be retained indefinitely; non-aggregated data, up to 26 months.

Subject to applicable law, you have the right to:

• Access — request a copy of the personal information we hold about you
• Correct — ask us to correct inaccurate or incomplete information
• Delete — ask us to delete your personal information where there is no overriding legal reason to keep it (the "right to erasure" / "right to be forgotten")
• Object or restrict — object to certain processing or ask us to restrict it
• Portability — receive your data in a machine-readable format (UK/EU residents)
• Withdraw consent — where we rely on consent, you can withdraw it at any time
• Lodge a complaint — see Section 12

California residents additionally have rights under the CCPA/CPRA including the right to know what personal information we collect, to delete it, to correct it, to opt out of "sale" or "sharing" (we do neither), and the right not to be discriminated against for exercising these rights.

To exercise any right, email ra1labs@pm.me. We will respond within 30 days. We may need to verify your identity before acting on your request.

You can ask us to stop sending you marketing communications at any time by clicking "unsubscribe" in any email or by emailing ra1labs@pm.me. We will action the request without delay.

If you have a privacy complaint, please email us first at ra1labs@pm.me. We aim to respond within 7 days and resolve within 30.

If you are not satisfied with our response, you may complain to:

• Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au · 1300 363 992
• United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
• European Union: the data protection authority of your country of residence
• California: California Privacy Protection Agency — cppa.ca.gov

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects when. Material changes will be communicated by email or through prominent notice on our website at least 14 days before they take effect.

RA1 Labs Pty Ltd
ABN 44 688 244 484 · ACN 688 244 484
L7, 570 St Kilda Road, Melbourne VIC 3004, Australia
Email: ra1labs@pm.me