Privacy Policy

1. Information We Collect

1.1 Information We Collect and Hold

The personal information we collect and hold is strictly limited to what is necessary for contract administration, client relationship management, and payment processing. We collect:

(a) Identity and contact information: name, email address, phone number, business name, ABN, and postal address — collected for the purposes of entering into and administering your service agreement;

(b) Billing information: invoicing and payment details necessary to process your subscription and hardware fees;

(c) Communications: correspondence between you and us, including support requests and feedback.

This personal information is stored and processed using the following third-party business tools:

• GoHighLevel (GHL) — customer relationship management, communications, and onboarding
• Xero — accounting and invoicing
• Stripe — payment processing (we do not directly store credit card numbers or bank account details)
• Google Workspace — business correspondence, lead management, and document storage
• Discord — internal notifications and client communication where applicable

This is the only personal information we hold. All other data associated with the Platform — including your business content, AI-generated outputs, configuration, credentials, knowledge base, and operational data — is stored exclusively on your Device at your premises.

1.2 Information Stored on Your Device (Not Held by Us)

For transparency, the Platform generates and stores the following data locally on your Device. We do not hold, access, or control this data:

• AI-generated content (video scripts, videos, images, voiceover audio, social media captions)
• Knowledge base data (business research, indexed documents, cached information)
• Operational data (task logs, agent activity, cost monitoring, system metrics)
• Configuration and credentials (API keys, OAuth tokens, preferences) stored in encrypted form
• Financial tracking data where wealth management features are enabled

This data is yours. It resides on hardware you possess. We have no visibility into it except during remote support sessions you initiate.

1.3 Information Collected via Our Website

When you visit aiwealthhub.app or submit an enquiry form, we may collect:

(a) Your name, email address, and phone number (submitted via the lead capture form);

(b) Standard web analytics data including IP address, browser type, device information, and pages visited.

1.4 Sensitive Information

We do not intentionally collect sensitive information (as defined in the Privacy Act) such as health information, racial or ethnic origin, political opinions, or biometric data.

2. How We Use Your Information

The limited personal information we hold is used solely for:

• Contract administration — entering into and managing your service agreement
• Payment processing — issuing invoices and processing payments
• Support and maintenance — providing remote support at your request and delivering software updates
• Communication — service updates, technical notices, and responding to your enquiries
• Website enquiries — responding to contact form submissions
• Legal compliance — meeting regulatory requirements, court orders, or law enforcement requests

3. How Your Data Is Stored — Local Processing Model

The AI Wealth Hub Platform operates on a fully local data model. This is a core design principle:

• All business data, AI-generated content, knowledge base, configuration, credentials, and operational data is stored exclusively on the Device at your premises
• We do not have ongoing access to any data on your Device
• You maintain full physical possession and control of the Device and all data stored on it
• All databases on the Device are stored locally and are not replicated to any system controlled by us

3.2 Catalogue Model — Your Choices, Your Responsibility

The Platform provides a catalogue of automations and integrations that you may choose to enable. You decide which automations to activate, which third-party services to connect, and how to use the Platform's capabilities. Because the Platform operates entirely on your Device and we have no visibility into your usage, you are solely responsible for which integrations you enable and what data is transmitted.

4. Third-Party Service Integrations

4.1 Client-Controlled Integrations

The Platform supports integration with a range of third-party services. You choose which services to connect. The Platform does not automatically connect to any third-party service without your action. Each integration you enable is governed by your own agreement with that third-party provider.

4.2 Cross-Border Data Transfers

Third-party services you connect to may be operated by companies based outside Australia, including in the United States. When you choose to connect a third-party service, you acknowledge that data transmitted to that service may be processed in overseas jurisdictions.

4.3 Social Media Publishing

Where you enable automated social media publishing, the Platform will transmit content to your connected social media accounts via third-party scheduling services you have configured. You are solely responsible for the content published to your accounts.

5. Remote Access to Your Device

Remote access to your Device is a support service provided for your benefit. We access your Device remotely (via secure SSH over Tailscale VPN) only when you need us to. Remote access occurs only:

• At your request — when you contact us for support, troubleshooting, or configuration assistance
• Scheduled maintenance — for software updates or maintenance, with reasonable prior notice
• Urgent circumstances — where immediate access is necessary to prevent data loss, security incidents, or critical system failure

5.2 Device Health Monitoring

Your Device transmits a periodic health status signal (“health ping”) to our licensing platform. This contains only device online/offline status, system health indicators, and licence validation data. It does not transmit any of your business data, content, files, credentials, or personal information.

6. Artificial Intelligence and Automated Processing

6.1 How AI Is Used

The Platform uses artificial intelligence systems to:

• Generate written content including video scripts, social media captions, and business research summaries
• Generate visual and audio content including images, videos, and voiceover narration
• Analyse and index business knowledge and documents
• Automate content scheduling and publishing workflows
• Provide business insights and summaries based on data you provide

6.2 AI Outputs Are Not Decisions

The Platform's AI systems generate content and suggestions, not automated decisions that have legal or significant effects on individuals. All AI-generated content is subject to your review and approval before use or publication.

6.3 Transparency

In accordance with upcoming requirements under the Privacy Act reforms, we disclose that the Platform uses automated systems (including large language models, image generation models, video generation models, and voice synthesis models) to process inputs and generate outputs. These systems are probabilistic in nature and outputs may contain inaccuracies.

7. Disclosure of Personal Information

We may disclose your personal information to:

• Third-party business tools — the platforms listed in section 1.1 for the purposes described
• Professional advisers — including lawyers and accountants, where necessary
• Law enforcement or regulatory bodies — where required by law, regulation, or court order
• Related entities — if our business is transferred, merged, or restructured

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

8. Data Security

8.1 Personal Information We Hold

The limited personal information we hold is protected through third-party platform security, secure communications, and access controls. Only authorised personnel within Serenite Group can access client contract and billing records.

8.2 Platform Security (On Your Device)

The Platform software includes encrypted credential storage, input sanitisation, secure session management, and protections against common attack vectors. Remote support access is conducted via encrypted SSH over Tailscale VPN, with no public internet exposure of your dashboard.

However, no system is completely secure. Because the Device is in your physical possession, you are responsible for the physical security of the Device, maintaining a secure network environment, and safeguarding your API keys and credentials.

9. Data Breach Notification

In accordance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth), if we become aware of a data breach involving personal information that is likely to result in serious harm, we will take immediate steps to contain and remediate the breach, notify you as soon as practicable, and where required, notify the Office of the Australian Information Commissioner (OAIC).

10. Your Rights

10.1 Access (APP 12)

Request access to the personal information we hold about you. Most of your data is stored on your Device and is directly accessible to you.

10.2 Correction (APP 13)

Request correction of any personal information we hold that is inaccurate, incomplete, out of date, irrelevant, or misleading. We will respond within 30 days.

10.3 Complaints

If you believe we have breached the APPs, you may lodge a complaint with us using the contact details below. We will investigate and respond within 30 days. If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

11. Data Retention

• Data on your Device: All data on your Device is yours and remains in your possession at all times
• Contract and billing records: Retained for the duration of our business relationship plus 7 years, as required for tax and accounting compliance under Australian law
• Website enquiry data: Retained for as long as necessary to respond to your enquiry, after which it is deleted or de-identified
• Third-party services: Data retention by third-party services you have connected is governed by those providers' own policies

12. Children's Privacy

The Platform is designed for use by businesses and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email or via the Platform dashboard at least 14 days before the changes take effect.

14. Contact Us

If you have questions about this Privacy Policy, wish to exercise your rights under the APPs, or want to make a complaint, please contact us: