Ubiqitum
Privacy Policy
Effective date: 20 April 2026 · Version: 1.0
In plain English: This policy explains what personal information we collect, why we collect it, how we use it, who we share it with, and the rights you have. Plain-English summaries like this appear throughout. They're a guide, not the legal text.
Ubiqitum Pty Ltd (ACN 687 452 099) ("Ubiqitum", "we", "us", or "our") is committed to protecting your personal information and being transparent about how we handle it.
This Privacy Policy explains how we collect, use, disclose, store, and protect personal information when you access or use our website, applications, APIs, and related services (the "Service").
This policy is designed to meet our obligations under:
- the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs);
- the EU General Data Protection Regulation (GDPR) and the UK GDPR, to the extent they apply to us;
- the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), to the extent it applies; and
- other applicable privacy and data protection laws.
By using the Service, you acknowledge that you have read and understood this Privacy Policy.
1. Who we are and how to contact us
Ubiqitum is the controller of personal information collected through the Service (or, where applicable under the GDPR, the "data controller"). You can contact us about privacy matters at:
- Privacy enquiries: Company Secretary
- Postal address: 21-23 Stewart Street, Richmond VIC 3121 Australia
- Website: www.ubiqitum.com
For users in the EU, the UK, or California, our contact details above serve as the contact point for all privacy enquiries under the applicable laws. We may appoint a local representative where required by law, and if we do, we will update this policy with their details.
2. Personal information we collect
In plain English: We collect what we need to run your account, analyse brands you ask about, process payments, and keep the Service secure. We don't sell your personal information.
We collect the following categories of personal information:
2.1 Information you provide directly
- Account information: your email address, display name, password (stored hashed), company name, and any profile information you choose to add.
- Authentication information: identifiers and tokens from third-party login providers (such as Google) if you choose to sign in that way.
- Billing information: your name, billing address, tax identifiers, and payment method. Full payment card details are collected and stored by our payment processor, Stripe, and are not stored by us.
- Communications: information contained in emails, support requests, and any other messages you send us.
2.2 Information collected automatically
- Usage data: scans you run, brand URLs and filters you submit, Outputs generated for you, and timestamps of your activity.
- Technical data: IP address, device type, browser type and version, operating system, language preferences, referring URLs, and approximate location derived from IP.
- Cookies and similar technologies: session and persistent cookies, local storage items, and similar technologies used to authenticate you, remember your preferences, and understand how the Service is used.
- Error and performance data: logs generated by the Service, including diagnostic information when errors occur.
2.3 Information we generate
- Scoring outputs and derived data: the brand scores, executive summaries, and other analytical outputs we generate for you using AI. Where these outputs include or relate to an identified or reasonably identifiable individual, they are treated as personal information under the Privacy Act.
- Inferences: aggregated or inferred information about usage patterns used to operate and improve the Service.
2.4 Information about brands you scan
When you scan a brand URL, we gather publicly available information about that brand (such as homepage content, public news coverage, and similar public signals). This information is primarily about companies and products. Where it incidentally includes personal information about identifiable individuals (for example, a named executive mentioned in a news article), we handle that information in accordance with this policy and applicable law.
2.5 Anonymous users
We do not attempt to re-identify anonymous users. When you use the Service anonymously, we assign a randomly generated identifier to your session to enforce rate limits and maintain a basic history. We do not treat this identifier as personal information unless it is combined with information that can reasonably identify you.
2.6 Sensitive information
We do not ask for, and we ask that you do not provide, sensitive information through the Service (such as health information, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, biometric or genetic data, or criminal history). If such information is provided, we will handle it in accordance with the additional protections required by law.
3. How we collect personal information
We collect personal information:
- directly from you, when you create an account, subscribe to a paid plan, contact us, or use the Service;
- automatically, through your use of the Service, including through cookies and similar technologies;
- from third parties, such as authentication providers (Google), payment processors (Stripe), analytics providers, and public sources used to gather brand signals.
4. Why we use your personal information
In plain English: We use your information to deliver the Service, charge for paid plans, keep the Service running and secure, and to communicate with you where you've agreed. Under the GDPR, each purpose has a lawful basis.
We use personal information for the following purposes:
| Purpose | What this involves | GDPR lawful basis |
|---|---|---|
| Providing the Service | Creating and authenticating your account, running scans, producing Outputs, showing your history, and enforcing plan limits. | Performance of a contract (Art. 6(1)(b)) |
| Billing and payments | Processing payments, managing subscriptions, issuing invoices and receipts, and handling refunds through Stripe. | Performance of a contract; legal obligation (Art. 6(1)(b) and (c)) |
| Customer support | Responding to your questions, troubleshooting issues, and maintaining records of our communications. | Performance of a contract; legitimate interests (Art. 6(1)(b) and (f)) |
| Security and fraud prevention | Detecting and preventing abuse, fraud, spam, and security incidents; enforcing rate limits; investigating suspected breaches. | Legitimate interests; legal obligation (Art. 6(1)(f) and (c)) |
| Improving the Service | Analysing aggregated usage and performance data to debug, optimise, and develop new features. | Legitimate interests (Art. 6(1)(f)) |
| Legal compliance | Complying with laws, responding to lawful requests from authorities, and enforcing our Terms and Conditions. | Legal obligation; legitimate interests (Art. 6(1)(c) and (f)) |
| Marketing communications | Sending product updates, newsletters, and promotional messages where you have not opted out (and, where required, where you have opted in). | Consent; legitimate interests (Art. 6(1)(a) and (f)) |
Where we rely on legitimate interests, we have considered and balanced our interests against your rights and freedoms. You can object to processing based on legitimate interests as described in section 10.
5. Use of artificial intelligence
In plain English: Ubiqitum's core function is AI-generated brand scoring. This section explains how AI is used, what it decides, and the role human judgment plays.
This section is provided in accordance with the transparency requirements of the Australian Privacy Principles (including APP 1.7 and APP 1.8 as in force from 10 December 2026) and equivalent transparency obligations under the GDPR (Articles 13-15 and 22).
5.1 How we use AI
We use AI models — currently provided by Anthropic, PBC ("Anthropic") via its Claude API — to analyse inputs you submit (such as a brand URL and filter selections), together with publicly available signals about the brand, and to generate:
- brand health scores across dimensions such as awareness, relevance, consideration, and trust;
- an overall brand index;
- sector comparisons and historical estimates; and
- a structured executive summary.
5.2 What the AI decides
The AI model produces estimates and analytical outputs. These are decisions about brands and their positioning — not decisions about you as an individual. The AI does not decide whether to grant you access to the Service, how much to charge you, or any other matter that has a direct legal or similarly significant effect on you.
Where an AI-generated Output incidentally includes personal information about an identified or reasonably identifiable individual (for example, commentary that references a named executive):
- the Output is an estimate, not a verified statement of fact;
- the Output is generated for the user who requested the scan and is intended as business analysis, not as a profile of any individual;
- we do not use the Output to make automated decisions with legal or similarly significant effects about any individual.
5.3 Personal information used by the AI
The personal information used in the operation of the AI is limited to:
- the inputs you submit (brand URL, filters, and any text you provide);
- publicly available information about the scanned brand, which may incidentally include personal information;
- metadata required to operate the Service (your user ID, plan tier, and timestamps).
We do not submit your email address, billing details, or other account profile information to the AI model as part of scan inputs.
We take reasonable steps to generate outputs based on reputable sources and current information, but outputs should not be treated as definitive.
5.4 No solely automated decisions affecting you
We do not use solely automated decision-making (including profiling) that produces legal or similarly significant effects about you within the meaning of Article 22 of the GDPR. Access to the Service, plan tier entitlements, and rate limits are determined by rule-based logic that reflects your subscription status, not by AI decisions.
5.5 Accuracy and human oversight
AI outputs can be incomplete, out of date, or incorrect. You should review Outputs critically and apply independent judgment before relying on them. If you believe an Output includes inaccurate personal information about you, you can request correction under section 10.
6. Who we share personal information with
In plain English: We share your information only with providers who help us run the Service, with people you ask us to share with, and where the law requires. We do not sell your personal information.
We may disclose personal information to the following categories of recipients:
6.1 Service providers (processors)
We use trusted third-party providers to deliver the Service. They act on our instructions under written agreements that require them to protect your information:
| Provider | Purpose | Primary location |
|---|---|---|
| Supabase | Authentication, Postgres database hosting | United States / EU (configurable) |
| Vercel | Application hosting and delivery | Global (primary region: Australia) |
| Anthropic | AI models (Claude) for scoring | United States |
| Upstash | Caching, rate limiting, job queues | Asia-Pacific (Singapore) / Global |
| Stripe | Payment processing and billing | United States / Australia |
| Cloudflare | DNS and content delivery | Global |
| Google (OAuth) | Optional sign-in | United States |
The specific providers we use may change from time to time. We will update this policy to reflect material changes.
6.2 Business transfers
If we are involved in a merger, acquisition, financing, reorganisation, bankruptcy, or sale of some or all of our assets, personal information may be transferred to the relevant party, subject to this policy or a notice of material change.
6.3 Legal and safety disclosures
We may disclose personal information where we reasonably believe it is necessary to:
- comply with a law, subpoena, court order, or lawful request from a government or regulatory authority;
- enforce our Terms and Conditions or investigate suspected breaches;
- detect, prevent, or address fraud, abuse, security, or technical issues; or
- protect the rights, property, or safety of Ubiqitum, our users, or others.
6.4 With your consent
We may share personal information with third parties where you have directed or agreed.
6.5 No sale of personal information
We do not sell personal information, and we do not share personal information for cross-context behavioural advertising, within the meaning of the CCPA or similar laws.
7. Overseas disclosure and cross-border transfers
In plain English: Our providers are based in several countries, so your information may be sent overseas. When that happens, we use safeguards like contractual protections and, where relevant, standard contractual clauses.
Because we use cloud-based providers located outside Australia, your personal information is likely to be transferred to and processed in countries other than the country in which you are located, including the United States, the United Kingdom, the European Economic Area, and Singapore.
When we disclose personal information to overseas recipients, we take reasonable steps to ensure the recipient handles it in accordance with applicable privacy laws. In accordance with the 2024 reforms to the Privacy Act, we remain accountable under the APPs for personal information we disclose overseas, and we assess our providers' privacy practices accordingly.
For transfers from the European Economic Area, the United Kingdom, or Switzerland to countries that have not received an adequacy decision, we rely on appropriate safeguards such as:
- the European Commission's Standard Contractual Clauses (SCCs);
- the UK International Data Transfer Agreement or the UK Addendum to the SCCs; and
- supplementary technical and organisational measures where required.
You may request a copy of the relevant safeguards by contacting us at the address in section 1.
8. How long we keep personal information
We keep personal information only for as long as we need it for the purposes described in this policy, or as required by law. Typical retention periods are:
| Category | Retention period | Reason |
|---|---|---|
| Account and profile information | While your account is active, plus up to 24 months after closure | Handle disputes, comply with legal obligations |
| Scan history and Outputs | While your account is active, or until you delete them | Allow you to access your history |
| Billing records (including Stripe metadata) | 7 years from the date of the transaction | Australian tax and financial record-keeping obligations |
| Support communications | Up to 3 years after the matter is resolved | Service quality and dispute resolution |
| Server and security logs | Up to 12 months | Security monitoring and incident investigation |
| Aggregated and de-identified data | Indefinitely | Analytics and Service improvement — cannot be linked back to you |
Where we no longer need personal information, we delete or de-identify it in line with our data-handling procedures.
9. Security
We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. Our measures include:
- encryption of data in transit using TLS and encryption of data at rest through our managed database and cache providers;
- strong authentication for all accounts, with hashed password storage and support for social sign-in;
- Row Level Security on our database, ensuring users can only access their own records;
- access controls and the principle of least privilege for personnel who handle personal information;
- monitoring, logging, and alerting for unusual or suspicious activity;
- use of reputable cloud infrastructure providers with industry-standard certifications; and
- regular review of our practices and vendors.
No system is perfectly secure. While we work hard to protect your information, we cannot guarantee that unauthorised access will not occur.
If we become aware of a data breach that is likely to result in serious harm to affected individuals, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals in accordance with the Notifiable Data Breaches scheme, and any other applicable regulators (such as the relevant EU supervisory authority under the GDPR) within the timeframes required by law.
10. Your privacy rights
In plain English: You have rights over your personal information. Exactly which rights apply depends on where you are. The section below summarises them by region.
10.1 Rights for everyone
Regardless of where you are, you can generally:
- access and review personal information we hold about you through your account settings;
- correct inaccurate information via your account or by contacting us;
- delete your account, which will delete or de-identify associated personal information in accordance with section 8;
- opt out of marketing communications at any time via the unsubscribe link in the email or by contacting us.
10.2 Rights under the Privacy Act 1988 (Australia)
Under the Australian Privacy Principles, you have the right to:
- request access to personal information we hold about you (APP 12);
- request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13);
- make a complaint about how we handle your personal information.
You can exercise these rights by contacting us at support@ubiqitum.com. If you are not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au.
10.3 Rights under the GDPR and UK GDPR
If you are located in the EEA, the UK, or Switzerland, you have the right to:
- access the personal data we hold about you (Article 15);
- request rectification of inaccurate or incomplete data (Article 16);
- request erasure ("right to be forgotten") in certain circumstances (Article 17);
- request restriction of processing in certain circumstances (Article 18);
- receive your data in a structured, commonly used, and machine-readable format, and to transmit it to another controller (data portability, Article 20);
- object to processing based on legitimate interests or for direct marketing (Article 21);
- withdraw consent at any time, where processing is based on consent (Article 7); and
- lodge a complaint with your local supervisory authority. In Ireland, this is the Data Protection Commission (www.dataprotection.ie); in the UK, the Information Commissioner's Office (www.ico.org.uk).
10.4 Rights under the CCPA/CPRA (California)
If you are a California resident, you have the right to:
- know what categories of personal information we have collected about you and from what sources;
- access the specific pieces of personal information we hold;
- request deletion of personal information, subject to certain exceptions;
- correct inaccurate personal information;
- limit the use and disclosure of sensitive personal information (we do not use sensitive personal information for purposes that would trigger this right);
- opt out of the sale or sharing of personal information (we do not sell or share personal information as defined under the CCPA); and
- not be discriminated against for exercising any of these rights.
You can exercise these rights by contacting us at support@ubiqitum.com with the subject line "California Privacy Rights Request". You can also designate an authorised agent to make a request on your behalf; we may ask for verification of your identity and the agent's authority. We will verify your identity using information we already hold or by requesting additional information if necessary.
10.5 How to make a request
To make any privacy request, email us at support@ubiqitum.com with enough detail to identify you and the request. We may need to verify your identity before responding. We will respond within the timeframe required by applicable law (typically 30 days under the GDPR and within a reasonable period under the Privacy Act).
11. Cookies and similar technologies
We use cookies, local storage, and similar technologies to operate and improve the Service. The categories we use include:
- Strictly necessary: required to authenticate you, maintain your session, and enforce security. These cannot be disabled via in-product controls without disabling the Service.
- Preferences: remember your settings, such as display options.
- Analytics: understand how the Service is used, on an aggregated basis.
Where required by law (including in the EEA and UK), we will request your consent before setting non-essential cookies. You can manage your cookie preferences through the in-product consent banner or your browser settings. Disabling cookies may affect the functionality of the Service.
12. Children
The Service is not directed to children under 16, and we do not knowingly collect personal information from children under that age. If you become aware that a child has provided personal information to us without verifiable parental consent, please contact us and we will take steps to delete that information.
The Service is not directed to children, and we do not knowingly collect personal information from children under the applicable minimum age in their jurisdiction (16 in the EEA or UK).
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The "Effective date" at the top of this policy shows when it was last updated. If we make material changes, we will notify you by email or through an in-product notice before the changes take effect. Your continued use of the Service after the effective date indicates your acceptance of the updated policy.
14. Contact us
If you have any questions, concerns, or complaints about this Privacy Policy or how we handle your personal information, please contact us:
Ubiqitum Pty Ltd
- Privacy contact: Company Secretary
- Email: support@ubiqitum.com
- Postal address: 21-23 Stewart Street, Richmond VIC 3121 Australia
- Website: www.ubiqitum.com
We will acknowledge your enquiry and aim to respond within a reasonable time, and no later than required by applicable law.