Privacy Policy

1. About This Policy

This Privacy Policy describes how GG Investors Pty Ltd, trading as Iverel ("Iverel", "we", "us", "our"), collects, holds, uses, and discloses personal information in accordance with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs).

This policy applies to all personal information collected through our website (iverel.com), our AI chatbot assistant, email communications, telephone conversations, client engagements, and any other interactions with Iverel.

2. Information We Collect

2.1 Information You Provide Directly

• Contact details: name, email address, phone number, company name, job title, business address.
• Enquiry details: business processes, systems, automation needs, technical requirements, project scope.
• Chatbot conversations: messages sent through our website chatbot, including any personal or business information shared.
• Contractual information: billing details, payment information (processed through secure third-party processors — we do not store credit card numbers), ABN, invoicing details.
• Communication records: emails, phone call notes, meeting notes, correspondence.
• Feedback: testimonials, survey responses.

2.2 Information Collected Automatically

• Technical data: IP address, browser type/version, OS, device type, referring URL.
• Usage data: pages visited, time on pages, click patterns, navigation paths.
• Chatbot data: session identifiers, timestamps, message counts, conversation topics (anonymised).
• Cookies: see Section 8 below.

2.3 Information from Third Parties

• Referrals: contact details and a brief description of needs from referring partners.
• Public sources: company website, LinkedIn, business directories — solely for business context.

3. How We Use Your Information

• Service delivery: providing, managing, and improving our AI automation services.
• Communication: responding to enquiries, project updates, proposals, quotes.
• Chatbot operation: processing messages and retrieving relevant information via AI.
• Business operations: contracts, invoicing, payments, record-keeping, legal compliance.
• Improvement: analysing usage to improve our website, chatbot, and services.
• Marketing: service information, industry insights, events — only with consent or existing relationship. Opt out anytime.
• Legal compliance: complying with laws, regulations, court orders, government requests.
• Security: detecting, preventing, addressing fraud and technical problems.

We will not use your information for other purposes without consent unless required by law.

4. Disclosure of Your Information

4.1 Technology Partners

4.2 Other Disclosures

• Professional advisers: legal, accounting, audit, insurance — where necessary.
• Legal requirements: where required by law, regulation, legal process, or to protect rights and safety.
• Business transfers: in event of merger, acquisition, or sale — with notification.

We do not sell, rent, or trade personal information for marketing purposes.

5. Cross-Border Data Transfers

Some technology partners are located outside Australia (primarily US, Germany). In accordance with APP 8:

• We select partners with strong privacy/security practices (SOC 2, encryption, contractual data protection).
• Information processed by AI models is used solely for real-time response generation and is not retained for model training (per provider DPAs).
• We maintain contractual arrangements requiring handling consistent with APP standards.

By using our services, you acknowledge cross-border transfers. Contact us for alternative arrangements if needed (may limit service capability).

6. Data Security

In accordance with APP 11, our measures include:

• Encryption: TLS 1.2+ in transit, AES-256 equivalent at rest.
• Access controls: role-based, need-to-know basis, multi-factor authentication.
• Infrastructure: firewalls, intrusion detection, regular security updates.
• Vendor requirements: industry-standard security certifications.
• Regular review: periodic security practice reviews and updates.

No transmission or storage method is 100% secure. We use commercially acceptable means but cannot guarantee absolute security.

7. Data Retention and Destruction

Per APP 11.2:

• Client project data: duration of relationship + 7 years (tax/record-keeping requirements).
• Enquiry/lead data: 2 years from last contact if no engagement.
• Chatbot logs: 12 months, then anonymised or deleted.
• Website analytics: anonymised/aggregated, not linked to individuals.
• Financial records: 7 years per Income Tax Assessment Act 1997.

Information no longer needed is destroyed or de-identified.

8. Cookie Policy

We use:

• Strictly necessary cookies: session management, security. Cannot be disabled.
• Analytics cookies: privacy-focused, no cross-site tracking.
• Functional cookies: chatbot session preferences.

We do NOT use: advertising cookies, cross-site tracking, profile building for ads, or sell cookie data.

Manage preferences via browser settings. Disabling necessary cookies may affect functionality.

9. AI-Specific Privacy Disclosures

9.1 Website Chatbot (Iris)

• Messages processed by Anthropic's Claude AI (US servers) for real-time responses.
• AI provider does not retain messages for training (per DPA).
• Conversation data stored in our database for service improvement and lead qualification.
• Personal information provided (name, email, company) stored separately for purposes in Section 3.
• Iris does not access external systems or personal accounts.

9.2 Client Project AI Processing

• Client data may be processed by AI models as part of agreed automation workflows.
• Specific models and arrangements documented in each service agreement.
• Data minimisation principles applied.
• Client data not used for AI training or accessible to other clients.

9.3 Automated Decision-Making

Per Privacy Act amendments (effective 10 December 2026):

• Chatbot responses are informational, not binding offers/contracts/legal/financial advice.
• Client automation may involve agreed automated decisions (scope defined per agreement).
• Right to request human review of significant automated decisions.

10. Your Rights

• Access (APP 12): request access to your information. Response within 30 days.
• Correction (APP 13): request correction of inaccurate/incomplete information. Response within 30 days.
• Erasure: request deletion where no longer needed (subject to legal retention requirements).
• Consent withdrawal: withdraw consent anytime; does not affect prior processing.
• Marketing opt-out: unsubscribe link in emails or contact [email protected].
• Data portability: structured, machine-readable format where feasible.

11. Notifiable Data Breaches

Per Part IIIC of the Privacy Act 1988:

• Assessment within 30 days of becoming aware of suspected breach.
• If likely to cause serious harm: notify OAIC and affected individuals as soon as practicable.
• Provide breach details, information types involved, recommended steps.

12. Children's Privacy

Services directed at businesses. We do not knowingly collect information from individuals under 18. If discovered, immediate deletion.

13. Third-Party Links

Our website may link to third-party services. This policy does not apply to them. Review their privacy policies.

14. Changes to This Policy

Updated periodically. Material changes posted with revised date; significant changes may be emailed. Review periodically.

15. Contact and Complaints

Complaints investigated and responded to within 30 days. If unsatisfied: