Privacy policy

40° South AI Pty Ltd (ABN pending)

Effective date: March 2026

1. About this policy

This privacy policy explains how 40° South AI Pty Ltd ("40 South," "we," "us," "our") collects, uses, stores, and discloses personal information. It applies to the 40south.au website, the 40 South Guard platform, and any related services.

We're an Australian company registered in New South Wales. We take privacy seriously, not just because it's our legal obligation, but because our entire product exists to help businesses meet theirs.

2. What personal information we collect

Website visitors: We collect information you provide through our contact and enquiry forms, including your name, email address, company name, and industry. We also collect standard web analytics data (pages visited, time on site, referral source) through privacy-respecting analytics tools.

Guard platform users: When you use the Guard platform, we collect your name, email address, and role as provided by your organisation's administrator. We also collect usage data related to your interactions with the Guard dashboard.

Guard proxy data: Guard processes AI interactions on behalf of our customers. This data may contain personal information that our customers' employees send to AI models. We process this data as a service provider acting on our customer's instructions. We do not use this data for our own purposes. We do not train AI models on this data. We do not sell this data.

Guard's PII detection identifies sensitive data types (Tax File Numbers, Medicare numbers, ABNs, bank account numbers, and others) within AI interactions. When PII is detected, the finding is recorded in the audit trail (the type and location, not the PII itself). Evidence records are scrubbed of raw PII before storage.

3. How we collect personal information

We collect personal information directly from you (forms, account creation, email), from your organisation's administrator (account provisioning), automatically (cookies, server logs, analytics), and through the Guard proxy (AI interactions processed on your organisation's behalf).

4. Why we collect personal information

We collect and use personal information to provide and operate Guard, respond to enquiries, manage accounts, generate compliance reports and audit evidence, send service-related communications, improve our products, and comply with our legal obligations.

We do not use personal information collected through the Guard proxy for marketing, profiling, or any purpose other than providing the Guard service.

5. How we store and protect personal information

All data is processed and stored in Australia, specifically in Google Cloud's Sydney region (australia-southeast1), with failover to Melbourne (australia-southeast2). Data never leaves Australian borders.

We protect personal information using encryption at rest (customer-managed encryption keys), encryption in transit (TLS 1.2+), VPC Service Controls, role-based access controls (Firebase Authentication), Cloud IAP for administrative access, and regular security assessments.

Our infrastructure runs on Google Cloud Platform, which is IRAP PROTECTED assessed and SOC 2 Type II certified.

6. How long we keep personal information

Website enquiry data: 24 months, then deleted unless there is an ongoing business relationship.

Guard platform account data: Duration of the customer's subscription, plus 90 days after termination for data export.

Guard audit trail data: 7 years in a tamper-evident, immutable audit trail. This meets regulatory requirements under APRA CPS 234 and ADM transparency obligations.

Analytics data: Aggregated, non-identifiable analytics may be retained indefinitely.

7. Disclosure of personal information

We do not sell personal information. We do not disclose personal information to overseas recipients. All data remains in Australia.

We may disclose personal information to our infrastructure provider (Google Cloud Platform, under a data processing agreement in Australian data centres), your organisation's administrators (as part of the service), and law enforcement or regulators (if required by Australian law).

8. Cross-border disclosure (APP 8)

40 South does not transfer personal information outside Australia. Our infrastructure is in Australian data centres, our team is in Australia, and we do not use overseas sub-processors for data containing personal information.

Guard's core function includes monitoring whether our customers' AI interactions involve cross-border data flows. When a customer sends data to an overseas AI provider through Guard, Guard flags the APP 8 implications and records them in the attestation.

9. Cookies and tracking

Our website uses cookies for essential functionality (session management, theme preference). We use privacy-respecting analytics to understand how visitors use our site. We do not use third-party advertising trackers.

You can disable cookies in your browser settings. The website will still function, but some features may not work as expected.

10. Your rights

Under the Australian Privacy Principles, you have the right to access the personal information we hold about you, request correction of inaccurate information, request deletion (subject to legal retention obligations), and lodge a complaint if you believe we have breached the APPs.

To exercise any of these rights, contact us at privacy@40south.au. We will respond within 30 days.

11. Notifiable data breaches

In the event of a data breach likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988.

12. Changes to this policy

We may update this policy from time to time. When we do, we will update the effective date at the top. For material changes, we will notify Guard platform customers by email.

13. Contact us

Privacy enquiries: privacy@40south.au

General enquiries: hello@40south.au

40° South AI Pty Ltd, New South Wales, Australia

If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

40° South acknowledges the Traditional Custodians of the lands on which we work and live. We pay our respects to Elders past, present, and emerging, and recognise their continuing connection to land, waters, and culture.